Last Updated: August 2022
Data Processing Addendum
Data Processing Addendum
This Data Processing Addendum (“Addendum”) forms part of the Evisort Terms and Conditions, available at www.evisort.com/terms (“Agreement”) between Evisort Inc. (“Evisort”) acting on its own behalf and as agent for each Evisort Affiliate (as defined below) and the Customer identified in the Order Form (“Customer”) acting on its own behalf and as agent for each Customer Affiliate.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
The parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. The following obligations shall only apply to the extent required by Data Protection Laws (as defined below) with regard to the relevant Customer Personal Data (as defined below), if applicable.
1.1. “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either Customer or Evisort respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
1.2. “Controller,” “Processor,” “Data Subject,” “Processing,” “Supervisory Authority,” “Personal Data Breach,” and “Special Categories of Personal Data” shall have the same meaning as in the applicable Data Protection Law.
1.3. “Customer Personal Data” means Personal Data received from or on behalf of Customer that is covered by a Data Protection Law.
1.4. “Data Protection Laws” means all applicable laws relating to the privacy or security of Personal Data, including without limitation: (a) the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.,and its implementing regulations (as amended from time to time, the “CCPA”); (b) European Data Protection Laws; and (c) UK Data Protection Laws.
1.5. “European Data Protection Laws” means all laws relating to data protection, the Processing of Personal Data, privacy or electronic communications in force from time to time in the European Economic Area or Switzerland, including the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), and the Swiss Federal Act on Data Protection (“FADP”).
1.6. “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
1.7. “Standard Contractual Clauses” means the European Commission’s decision (C(2021)3972) of 4 June 2021 on Standard Contractual Clauses (Module Two: Controller to Processor or Module Three: Processor to Processor, as applicable) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/678 (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), which are incorporated into this Addendum by reference. The parties agree that the details of Exhibit 1 shall be used to complete the Annexes of the Standard Contractual Clauses.
1.8. “Subprocessor” means any Processor (including any third party and any Evisort Affiliate) appointed by Evisort to Process Customer Personal Data on behalf of Customer or any Customer Affiliate.
1.9. “UK Data Protection Laws” means all laws relating to data protection, the Processing of Personal Data, privacy or electronic communications in force from time to time in the United Kingdom, including the United Kingdom General Data Protection Regulation, as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018.
2. Data Processing Terms. While providing the Services to Customer and Customer Affiliates pursuant to the Agreement, Evisort and Evisort Affiliates may Process Customer Personal Data on behalf of Customer or any Customer Affiliate as per the terms of this Addendum. Evisort agrees to comply with the following provisions with respect to any Customer Personal Data submitted by or for Customer or any Customer Affiliate to the Services or otherwise collected and Processed by or for Customer or any Customer Affiliate by Evisort or any Evisort Affiliate. Evisort shall only retain, use, or disclose Customer Personal Data as necessary for Evisort’s performance of its obligations under the Agreement and only in accordance with Customer’s instructions. Evisort shall not sell any Customer Personal Data as the term “selling” is defined in the CCPA. Evisort shall not take any action that would cause any transfers of Customer Personal Data to or from Evisort to qualify as “selling personal information” under the CCPA.
3. Processing of Customer Personal Data. Evisort shall not Process Customer Personal Data other than on Customer’s documented instructions unless Processing is required by Data Protection Laws to which Evisort is subject, in which case Evisort shall to the extent permitted by Data Protection Laws inform Customer of that legal requirement before Processing Customer Personal Data. For the avoidance of doubt, the Agreement and any related SOW entered into by Customer shall constitute documented instructions for the purposes of this Addendum. Customer is solely responsible for the accuracy of Customer Personal Data and the legality of the means by which Customer acquires Customer Personal Data. Customer shall be responsible for: (1) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Customer’s use and disclosure and Evisort’s Processing of Customer Personal Data; and (2) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to Evisort and to permit the processing of such Customer Personal Data by Evisort for the purposes of performing Evisort’s obligations under the Agreement or as may be required by Data Protection Laws. Customer shall notify Evisort of any changes in, or revocation of, the permission to use, disclose, or otherwise process Customer Personal Data that would impact Evisort’s ability to comply with the Agreement, or applicable Data Protection Laws.
4. Confidentiality. Evisort shall take reasonable steps to ensure that individuals that process Customer Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Evisort shall in relation to Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, at a minimum, those security practices described in Exhibit 2. Customer acknowledges that, through its users, Customer:(1) controls the type and substance of Customer Personal Data; and (b) sets user permissions to access Customer Personal Data; and therefore, Customer is responsible for reviewing and evaluating whether the documented functionality of the Services meets Customer’s required security obligations relating to Customer Personal Data under Data Protection Laws.
6. Subprocessing. Evisort may engage Subprocessors in connection with the provision of the Services, provided that: (1) Evisort has entered into a written agreement with each Subprocessor containing data protection obligations not less protective than those in this Addendum with respect to the protection of Customer Personal Data to the extent applicable to the nature of the Services provided by such Subprocessor; and (2) Evisort shall be liable for the acts and omissions of its Subprocessors to the same extent Evisort would be liable if performing the Services of each Subprocessor directly under the terms of this Addendum. Evisortcurrent list of Subprocessors for the Services is available at https://evisort.com/subprocessors (“Subprocessor List”), which Customer hereby approves and authorizes. Evisort may engage additional Subprocessorsas Evisort considers reasonably appropriate for the Processing of Customer Personal Data in accordance with this Addendum, provided that Evisort shall notify Customer of the addition or replacement of Subprocessors through a mechanism,accessible within the Subprocessor List, by which Customer may subscribe to notifications of new Subprocessors (the “Subprocessor Notification Mechanism”). If Customer does not subscribe to receive notifications through the Subprocessor Notification Mechanism, Customer shall be deemed to have waived its right to receive notification of new Subprocessors and Customer shall be responsible for periodically checking the Subprocessor List to remain informed of Evisort’scurrent list of Subprocessors. Customer may, on reasonable grounds, object to a new Subprocessor by notifying Evisort in writing within 10days of Evisort updating the Subprocessor List, giving reasons for Customer's objection. Customer’s failure to object within such 10 day period shall be deemed Customer’s waiver of its right to object to Evisort’s use of a new Subprocessor added to the Subprocessor List. In the event Customer objects to anew Subprocessor, Evisort will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Customer Personal Data by the objected to new Subprocessor without unreasonably burdening Customer. If Evisort is unable to make available such change within a reasonable period of time, which shall not exceed 30 days, Customer may terminate, as Customer’s sole and exclusive remedy, the portion of the Agreement with respect only to those Services which cannot be provided by Evisort without the use of the objected to new Subprocessor by providing written notice to Evisort.
7. Data Subject Rights. Evisort shall promptly notify Customer if it receives a request from a Data Subject under any Data Protection Laws in respect to Customer Personal Data. In the event that anyData Subject exercises any of its rights under the Data Protection Laws in relation to Customer Personal Data and to the extent that Customer is unable to act on such request on its own, Evisort will shall use reasonable commercial efforts to assist Customer in fulfilling its obligations as Controller following written request from Customer, provided that Evisort may charge Customer on a time and materials basis in the event that Evisort considers, in its reasonable discretion, that such assistance is onerous, complex, frequent,or time consuming.
8. Personal Data Breach. In the event of a Personal Data Breach, Evisort will notify Customer without undue delay after becoming aware of the Personal Data Breach. Such notification may be delivered to an email address provided by Customer or by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the appropriate notification contact details are current and valid. Evisort will take reasonable steps to provide Customer with information available to Evisort that Customer may reasonably require to comply with its obligations as Controller to notify impacted Data Subjects or Supervisory Authorities.
9. Data Protection Impact Assessment and Prior Consultation. In the event that Customer considers that the Processing of Customer Personal Data requires a privacy impact assessment to be undertaken or requires assistance with any prior consultations to any Supervisory Authority of Customer, following written request from Customer, Evisort shall use reasonable commercial efforts to provide relevant information and assistance to Customer to fulfil such request, provided that Evisort may charge Customer on a time and materials basis in the event that Evisortconsiders, in its reasonable discretion, that such assistance is onerous,complex, frequent, or time consuming.
10. Deletion or Return of Customer Personal Data. Unless otherwise required by applicable Data Protection Laws, following termination or expiration of the Agreement Evisort shall, at Customer’s option, delete or return all Customer Personal Data and all copies to Customer. Any data deleted may remain in an immutable electronic backups maintained by Evisort used purely for backup, disaster recovery and data protection purposes for up to an additional 90 days beyond any such deletion or certification.
11. Relevant Records and Audit Rights. Evisort will use external auditors to annually audit and verify the adequacy of its security measures and controls (“Audit”).The Audit will be performed by independent third party security professionals and include testing of the security measures and controls, performed according to AICPA SOC2 standards or such other alternative standards substantially equal to AICPA SOC2, that results in the generation of, at a minimum, a SOC2 report or the substantive equivalent. The reports generated by the Audit (“Reports”) will be made available to Customer upon written request no more than annually subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. To the extent required by Data Protection Laws and if Customer requires information in addition to the Reports, Evisort shall make available to Customer on request all information reasonably necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections by Customer or an auditor mandated by Customer,not being competitors of Evisort (“Mandated Auditor”) of any premises where the Processing of Customer Personal Data takes place in order to assess compliance with this Addendum (a “Customer Audit”). Evisort shall provide reasonable cooperation to Customer with respect to a Customer Audit. Evisort shall promptly inform Customer if, in its opinion, a Customer Audit infringes the Data Protection Laws or any other confidentially obligations with Evisort’s other customers. Customer agrees that: (1) a Customer Audit may only occur during normal business hours, andwhere possible only after reasonable notice to Evisort (not less than 20 days’ advance written notice); (2) a Customer Audit will be conducted in a manner that does not have any adverse impact on Evisort’s normal business operations;(3) Customer and any Mandated Auditor will comply with Evisort’s standard safety, confidentiality, and security procedures in conducting any Customer Audit; and (4) any records, data, or information accessed by Customer or any Mandated Auditor in the performance of any Customer Audit will be deemed to be the Confidential Information of Evisort. To the extent any Customer Audit incurs in excess of 10 hours of Evisort personnel time, Evisort may charge Customer on a time and materials basis for any such excess hours.
12. International Data Transfer. With respect to any transfers of Customer Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland to Evisort in any country or territory not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable Data Protection Laws), and such transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws, the parties agree to comply with the relevant terms of the Standard Contractual Clauses. In accordance with Clause 2of the Standard Contractual Clauses, the parties wish to supplement the Standard Contractual Clauses with additional commercial clauses, which shall neither be interpreted nor applied in such a way as to contradict the Standard Contractual Clauses (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of data subjects. Evisort (as “data importer”) and Customer (as “data exporter”) therefore agree that the applicable terms of the Agreement and this Addendum shall apply if, and to the extent that, they are permitted under the Standard Contractual Clauses, including without limitation the following:
12.1. Instructions. The instructions described in Clause 8.1(a) of the Standard Contractual Clauses are as set forth in Section 3 of this Addendum.
12.2. Copies of Clauses. In the event a data subject requests a copy of the Standard Contractual Clauses or this Addendum in accordance with Clause 8.3 of the Standard Contractual Clauses, data exporter shall make all redactions reasonably necessary to protect business secrets or other confidential information of data importer.
12.3. Certification of Deletion. Certification of deletion of personal data under Clause 8.5 and Clause 16(d) ofthe Standard Contractual Clauses shall be provided upon the written request of data exporter.
12.4. Onward Transfer Implementation. Data importer shall be deemed in compliance with Clause8.8 of the Standard Contractual Clauses to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU)2021/914 of 4 June 2021.
12.5. Audits and Certifications. Any information requests or audits provided for in Clause 8.9 of the Standard Contractual Clauses shall be fulfilled in accordance with Section 11 of this Addendum.
12.6. Engagement of New Subprocessors. Pursuant to Clause 9(a) Option 2 of the Standard Contractual Clauses,data exporter agrees that data importer may engage new subprocessors as described in Section 6 of this Addendum. With respect to Clause 9 of the Standard Contractual Clauses, the parties select the time period set forth in Section 6of this Addendum.
12.7. Liability. The relevant sections of the Agreement, which govern indemnification and limitation of liability, shall apply to data importer’s liability under Clause 12(a), 12(d), and 12(f) of the Standard Contractual Clauses.
12.8. Supervisor Authority. For purposes of Clause 13 of the Standard Contractual Clauses, the parties agree that the supervisory authority shall be the Netherlands, unless otherwise agreed by the parties as mandated by the established rules of selection of the relevant supervisory authority.
12.9. Governing Law. With respect to Clause 17 of the Standard Contractual Clauses, the parties select the law of the Netherlands.
12.10. Choice of Forum and Jurisdiction. With respect to Clause 18 of the Standard Contractual Clauses, the parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Netherlands.
12.11. Transfers from the United Kingdom. With respect to transfers of personal data originating from the United Kingdom the parties acknowledge and agree that the Standard Contractual Clauses as modified by this Section shall be read and interpreted in light of the provisions of UK Data Protection Laws,and so that this Section provides the appropriate safeguards as required by Article46 of the UK GDPR: (a) Clause 6 is replaced with: “The details of the transfers and in particular the categories of personal data that are transferred and the purposes for which they are transferred are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer”; (b) references to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Data Protection Laws” and references to specific Articles of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of the UK Data Protection Laws; (c) references toRegulation (EU) 2018/1725 are removed; (d) references to the “Union”, “EU” and“EU Member State” are all replaced with the “UK”; (e) Clause 13(a) and Annex I.C are not used; (f) the “competent supervisory authority” is the Information Commissioner’s Office (ICO) of the United Kingdom; (g) Clause17 is replaced to state “These Clauses are governed by the laws of England and Wales”; (h) Clause 18 is replaced to state “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The parties agree to submit themselves to the jurisdiction of such courts.”; and (i) the footnotes to the Clauses shall not apply to the Standard Contractual Clauses as modified by this Section.
12.12. Transfers from Switzerland. With respect to transfers of personal data originating from Switzerland: (a) the term “member state” as used in the Standard Contractual Clauses shall not be interpreted in such a way as to exclude data subjects in Switzerland of suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the Standard Contractual Clauses; (b) the Standard Contractual Clauses shall also protect the data of legal entities until the entry into force of the revised Swiss FADP on or about 1 January2023; (c) references to the GDPR or other governing law contained in the Standard Contractual Clauses shall also be interpreted to include the FADP; and (d) the parties agree that the competent supervisory authority as indicated in AnnexI.C shall be the Federal Data Protection and Information Commissioner (FDPIC)of Switzerland
13. General Terms. Any obligation imposed on Evisortunder this Addendum in relation to the Processing of Personal Data shall survive any termination or expiration of this Addendum. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either: (1) amended as necessary to ensure its validity and enforceability,while preserving the intent of the provision as closely as possible or, if this is not possible, (2) construed in a manner as if the invalid or unenforceable part had never been contained therein. With regard to the subject matter of this Addendum, the provisions of this Addendum shall prevail over the Agreement with regard to data protection obligations for Personal Data of a Data Subject under Data Protection Laws. As between the parties to this Addendum, each party’s liability and remedies under this Addendum are subject to the aggregate liability limitations and damages exclusions set forth in the Agreement. Unless prohibited by Data Protection Laws, this Addendum is governed by the laws stipulated in the Agreement and the parties to this Addendum hereby submit to the choice of jurisdiction and venue stipulated in the Agreement, if any, with respect to any dispute arising under this Addendum.
IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Agreement with effect from the Addendum Effective Date first set out above.
Date Signed: Date Signed:
Exhibit 1: Standard Contractual Clauses and Annexes
A. LIST OF PARTIES
Address: As specified in the Agreement or Order Form.
Contact person’s name, position and contact details: Contact details for the data exporter are specified in the Agreement or the Order Form.
Activities relevant to the data transferred under these Clauses: Receipt of data importer’s Services under the Agreement or the Order Form.
Signature and Date: The parties agree that execution of the Agreement or Order Form by the data exporter shall constitute execution of the Standard Contractual Clauses by Customer as of the Effective Date.
Role (controller/processor): Controller
Name: Evisort Inc.
Address: 130 Sutter Street, Floor 2, San Francisco, California 94104
Contact person’s name, position and contact details: Jonathan Price, Principal Security Engineer
Activities relevant to the data transferred under these Clauses: Performance of the Services for data exporter under the Agreement or Order Form.
Signature and Date: The parties agree that execution of the Agreement or Order Form by the data importer shall constitute execution of the Standard Contractual Clauses by Evisort as of the Effective Date.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Data subjects include the individuals about whom personal data is provided to the data importer via by (or at the direction of) the data exporter. This may include, for example:
- Employees of Customer
- Customer’s users authorized by Customer to use the Services
Categories of personal data transferred: Personal data including information relating to individuals provided to the data importer via the Services by (or at the direction of) the data exporter. This may include, for example:
- First and last name
- Contact information (email, phone, physical business address)
- ID data
- Professional life data
- Education data
- Demographic data, including but not limited to, race, gender, disability status, and veteran status
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous basis for the term of the Agreement.
Nature of the processing: Data importer’s provision of the Services described in the Agreement or Order Form.
Purpose(s) of the data transfer and further processing: Data importer’s provision of the Services to data exporter
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As set forth in the Agreement or Order Form.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
For the same purposes as set forth above, or as described in the Subprocessor List.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Fax +31 70 888 8501
The above supervisory authority shall apply unless otherwise agreed by the parties as mandated by the established rules of selection of the relevant supervisory authority, or Sections 12.11 or 12.12 of the Addendum apply.
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The technical and organisational measures to be taken by the data importer and subprocessors is described in Exhibit 2 of the Addendum.
EXHIBIT 2: SECURITY PRACTICES AT EVISORT
1. Security Protocols
1.1 Information Security Program. Evisort shall maintain a comprehensive written information security program, including policies, standards, procedures, and related documents that establish criteria, means, methods, and measures governing the processing and security of Customer Content and the Evisort systems or networks used to process or secure Customer Content in connection with providing the Services (“Evisort Information Systems”). Subcontractors engaged by Evisort in accordance with this agreement will maintain (at a minimum) substantially similar levels of security as applicable and required by these Security Practices.
1.2 Security Controls. In accordance with its information security program, Evisort shall implement appropriate physical, organizational, and technical controls designed to (a) ensure the security, integrity, and confidentiality of Customer Content accessed, collected, used, stored, or transmitted to or by Evisort, and (b) protect Customer Content from known or reasonably anticipated threats or hazards to its security, integrity, accidental loss, alteration, disclosure, and other unlawful forms of processing. Without limiting the foregoing, Evisort will, as appropriate, utilize the following controls:
(a) Firewalls. Evisort will install and maintain firewall(s) to protect data accessible via the Internet.
(b) Updates. Evisort will maintain programs and routines to keep the Evisort information systems up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications
(c) Anti-malware. Evisort will deploy and use anti-malware software and will keep the anti-malware software up to date.Evisort will use such software to mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably be detected.
(d) Testing. Evisort will regularly test its security programs, processes, and controls to ensure they meet the requirements of these Security Practices.
(e) Access Controls. Evisort will secure data in production Evisort Information Systems by complying with the following:
(i) Evisort will assign a unique ID to each individual with access to systems processing Customer Content.
(ii) Evisort will restrict access to systems with Customer Content to only those individuals necessary to perform a specified obligation as permitted by this Agreement.
(iii) Evisort will regularly review the list of individuals and services with access to systems processing Customer Content and remove accounts that no longer require access.
(iv) Evisort will not use manufacturer supplied defaults for system passwords on any operating systems, software, or other systems, and will mandate the use of system-enforced “strong passwords” in accordance with or exceeding the best practices (described below) on all systems processing Customer Content.
(v) At a minimum, Evisort production passwords will (i) contain at least eight (8) characters; include at least one capitalized and one lowercase letter, at least one number, and one special symbol; and (ii); be changed whenever an account compromise is suspected or assumed.
(vi) Evisort will enforce account lockout by requiring additional validation or disabling access to Customer Content when an account exceeds a designated number of incorrect password attempts in a certain period of time.
(f) Policies. Evisort will maintain and enforce appropriate information security, confidentiality, and acceptable use policies for employees, subcontractors, agents and suppliers that meet the standards set forth in these Security Practices, including methods to detect and log policy violations.
(g) Development. Development and testing environments for Evisort Information Systems will be separate from production environments.
(h) Encryption. Evisort will utilize cryptographic standards mandating authorized algorithms, key length requirements, and key management processes that are consistent with or exceed then-current industry standards, including NIST recommendations, and utilize hardening and configuration requirements consistent in approach with then-current industry standards, including SANS Institute, NIST, or Center for Internet Security (CIS) recommendations. Pursuant to such standards, Evisortwill encrypt Customer Content at rest within the online Services and only allow encrypted connections to the online Service for the transfer of Customer Content.
(i) Remote Access. Evisort will ensure that any access from outside of its protected corporate or production environments to a system or systems processing Customer Content or to Evisort’s corporate or development workstation networks will require appropriate connection controls,such as VPN or multi-factor authentication.
2. System Availability. Evisort will maintain (or, with respect to systems controlled by its subcontractors, ensure that such subcontractors maintain) a disaster recovery (“DR”) program designed to recover the Service’s availability following a disaster. At a minimum, such DR program will include the following elements: (a) routine validation of procedures to regularly and programmatically create retention copies of Customer Content for the purpose of recovering lost or corrupted data; (b) inventories, updated at minimum annually, that list all critical Evisort Information Systems; (c)annual review and update of the DR program; and (d) annual testing of the DR program designed to validate the DR procedures and recoverability of the service detailed there
3. Security Incidents.
3.1 Procedure. If Evisort becomes aware of confirmed unauthorized or unlawful access to any Customer Content processed by Evisort Information Systems (a “Security Incident”), Evisort will promptly (a) notify Customer of the Security incident; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
3.2 Unsuccessful Attempts. An unsuccessful attack or intrusion is not a Security Incident subject to this Section 3. An“unsuccessful attack or intrusion” is one that does not result in unauthorized or unlawful access to Customer Content and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or TCP/UDP headers), or similar incidents.
3.3 User Involvement. Unauthorized or unlawful access to Customer Content that results from the compromise of a User’s login credentials or from the intentional or inadvertent disclosure of Customer Content by a User is not a Security Incident.
3.4 Notifications. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s Admin users by any reasonable means Evisort selects, including email, as time is typically of the essence. Customers are solely responsible for maintaining accurate contact information in the online Service at all times.
3.5 Disclaimer. Evisort’s obligation to report or respond to a Security Incident under this Section 3 is not an acknowledgement by Evisort of any fault or liability of Evisort with respect to the Security Incident.
4. Auditing and Reporting.
4.1 Monitoring. Evisort monitors the effectiveness of its information security program on an ongoing basis by conducting various audits, risk assessments, and other monitoring activities to ensure the effectiveness of its security measures and controls.
4.2 Audit Reports. Evisort uses external auditors to verify the adequacy of its security measures and controls for certain Services, including the Services provided under the Agreement. Theresulting audit will: (a) include testing of the entire measurement period since the previous measurement period ended; (b) be performed according to AICPA SOC2 standards or such other alternative standards that are substantially equivalent to AICPA SOC2; (c) be performed by independent third party security professionals at Evisort’s selection and expense; and (d) result in the generation of a SOC2or SOC3 report (“Audit Report”), which will be Evisort’s Confidential Information. The Audit Report will be made available to Customer upon written request no more than annually, subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. Customer may also request a SOC 3 report, which, if available from Evisort, will not be subject to such confidentiality obligations but shall attest to the external auditor's verification and findings. For the avoidance of doubt, each Audit Report will only discuss Services in existence at the time the Audit Report was issued; subsequently released Services, if within the scope of the Audit Report, will be in the next annual iteration of the Audit Report.
4.3 Penetration Testing. Evisort uses external security experts to conduct penetration testing of certain onlineServices, including the Services. Such testing will: (a) be performed at least annually; (b) be performed by independent third party security professionals at Evisort’s selection and expense; and (c) result in the generation of a penetration test report (“Pen Test Report”), which will be Evisort’s Confidential Information. Pen Test Summary Reports or attestation letters attesting to the same will be made available to Customer upon written request no more than annually subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement.
4.4 Worldwide Bug Bounty Program.Evisort shall maintain a bug bounty program to proactively detect bugs and vulnerabilities on a proactive basis. The program will operate such that external security experts shall have access to a production-like version of the software by which the Services are provided, with such experts incentivized and rewarded for finding vulnerabilities with monetary rewards. This program will be run on a continuous basis with rewards available at all time to the security experts participating in the program.