Data Processing Agreement

Last updated: November 28, 2022

CorralData Inc. (“us”, “we”, “our” or “company”) has adopted in full an industry standard Data Processing Agreement (DPA) from oneDPA.

The oneDPA contract was created collaboratively by a group of leading law firms and in-house teams with input from the wider legal community. The terms of oneDPA have been discussed extensively to not only ensure it meets legal requirements, but also to make it balanced, fair and easy to understand.

This page will outline the specific stipulations of CorralData Inc.’s DPA as a processor to our customers.

Parties’ Relationship

Processor (Company) to Controller (Customer).

Parties’ roles

The customer will act as the Controller (as defined in Section 1 of the Terms).

Corral Data Inc. will act as the Processor (as defined in Section 1 of the Terms).

Term

Our DPA will commence on the final date of signature and will continue for 30 days after the end of the Main Agreement.

Breach Notification Period

Without undue delay after becoming aware of a personal data breach.

Sub-processor Notification Period

30 days before the new sub-processor is granted access to Personal Data.

Liability Cap

Each party’s aggregate liability under this DPA will not exceed the liability caps as per the Main Agreement.

Governing Law and Jurisdiction

As per the Main Agreement.

Data Protection Laws

All laws, regulations and court orders which apply to the processing of Personal Data, including in the United States of America (USA).

This includes the:

• California Consumer Privacy Act of 2018 (CCPA)/California Privacy Rights Act of 2020 (CPRA)

… each as amended from time to time.

Services Related to Processing

The provision of a data analysis tool and ongoing support services provided by Company to Business.

Duration of Processing

For the Term of the DPA.

Nature and Purpose of Processing

Personal data processing activities include the ingestion, storage and management of Personal Data, in instances when hashed or aggregated data use is not possible, for Company to provide its services as described in the Main Agreement.

Personal Data

The types of personal data processed are customer email addresses, shipping, billing address, and other personal data which may be provided and are dependent on the platforms integrated by Company and data within those platforms.

Data Subjects

The individuals whose Personal Data will be processed are Customer’s Customers and Prospects.

Transfer Mechanism

Not applicable.

Terms

1. What is this agreement about?
   • 1.1 Purpose. The parties are entering into this Data Processing Agreement (DPA) for the purpose of processing Personal Data (as defined above).
   • 1.2 Definitions. Under this DPA:
     • (a) adequate country means a country or territory that is recognised under Data Protection Laws from time to time as providing adequate protection for processing Personal Data,
     • (b) Controller, data subject, personal data breach, process/processing, Processor and supervisory authority have the same meanings as in the Data Protection Laws,
     • (c) Business and Service Provider have the same meanings as in the CCPA/CPRA, and
     • (d) Sub-Processor means another processor engaged by the Processor to carry out specific processing activities with Personal Data.
2. What are each party’s obligations?
   • 2.1 Controller obligations. Controller instructs Processor to process Personal Data in accordance with this DPA, and is responsible for providing all notices and obtaining all consents, licences and legal bases required to allow Processor to process Personal Data.
   • 2.2 Processor obligations. Processor will:
     • (a) only process Personal Data in accordance with this DPA and Controller’s instructions (unless legally required to do otherwise),
     • (b) not sell, retain or use any Personal Data for any purpose other than as permitted by this DPA and the Main Agreement,
     • (c) inform Controller immediately if (in its opinion) any instructions infringe Data Protection Laws,
     • (d) use the technical and organisational measures described in Annex 1 when processing Personal Data to ensure a level of security appropriate to the risk involved,
     • (e) notify Controller of a personal data breach within the Breach Notification Period and provide assistance to Controller as required under Data Protection Laws in responding to it,
     • (f) ensure that anyone authorised to process Personal Data is committed to confidentiality obligations,
     • (g) without undue delay, provide Controller with reasonable assistance with:
       • (i) data protection impact assessments,
       • (ii) responses to data subjects’ requests to exercise their rights under Data Protection Laws, and
       • (iii) engagement with supervisory authorities,
     • (h) if requested, provide Controller with information necessary to demonstrate its compliance with obligations under Data Protection Laws and this DPA,
     • (i) allow for audits at Controller’s reasonable request, provided that audits are limited to once a year and during business hours except in the event of a personal data breach, and
     • (j) return Personal Data upon Controller’s written request or delete Personal Data by the end of the Term, unless retention is legally required.
   • 2.3 Warranties. The parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the Term.
3. Sub-processing
   • 3.1 Use of sub-processors. Controller authorises Processor to engage other processors (referred to in this section as sub-processors) when processing Personal Data. Processor’s existing sub-processors are listed in Annex 2.
   • 3.2 Sub-processor requirements. Processor will:
     • (a) require its sub-processors to comply with equivalent terms as Processor’s obligations in this DPA,
     • (b) ensure appropriate safeguards are in place before internationally transferring Personal Data to its sub-processor, and
     • (c) be liable for any acts, errors or omissions of its sub-processors as if they were a party to this DPA.
   • 3.3 Approvals. Processor may appoint new sub-processors provided that they notify Controller in writing in accordance with the Sub-processor Notification Period.
   • 3.4 Objections. Controller may reasonably object in writing to any future sub-processor. If the parties cannot agree on a solution within a reasonable time, either party may terminate this DPA.
4. International personal data transfers
   • 4.1 Instructions. Processor will transfer Personal Data outside the UK, the EEA or an adequate country only on documented instructions from Controller, unless otherwise required by law.
   • 4.2 Transfer mechanism. Where a party is located outside the UK, the EEA or an adequate country and receives Personal Data:
     • (a) that party will act as the data importer,
     • (b) the other party is the data exporter, and
     • (c) the relevant Transfer Mechanism will apply.
   • 4.3 Additional measures. If the Transfer Mechanism is insufficient to safeguard the transferred Personal Data, the data importer will promptly implement supplementary measures to ensure Personal Data is protected to the same standard as required under Data Protection Laws.
   • 4.4 Disclosures. Subject to terms of the relevant Transfer Mechanism, if the data importer receives a request from a public authority to access Personal Data, it will (if legally allowed):
     • (a) challenge the request and promptly notify the data exporter about it, and
     • (b) only disclose to the public authority the minimum amount of Personal Data required and keep a record of the disclosure.
5. Other important information
   • 5.1 Survival. Any provision of this DPA which is intended to survive the Term will remain in full force.
   • 5.2 Order of precedence. In case of a conflict between this DPA and other relevant agreements, they will take priority in this order:
     • (a) Transfer Mechanism,
     • (b) DPA,
     • (c) Main Agreement.
   • 5.3 Notices. Formal notices under this DPA must be in writing and sent to the Contact on the DPA’s front page as may be updated by a party to the other in writing.
   • 5.4 Third parties. Except for affiliates, no one other than a party to this DPA has the right to enforce any of its terms.
   • 5.5 Entire agreement. This DPA supersedes all prior discussions and agreements and constitutes the entire agreement between the parties with respect to its subject matter and neither party has relied on any statement or representation of any person in entering into this DPA.
   • 5.6 Amendments. Any amendments to this DPA must be agreed in writing.
   • 5.7 Assignment. Neither party can assign this DPA to anyone else without the other party’s consent.
   • 5.8 Waiver. If a party fails to enforce a right under this DPA, that is not a waiver of that right at any time.
   • 5.9 Governing law and jurisdiction. The Governing Law applies to this DPA and all disputes will only be litigated in the courts of the Jurisdiction.

ANNEX 1

Security Measures

Technical and organisational measures to ensure the security of Personal Data.

a) Access Control

i) Preventing Unauthorized Product Access

Outsourced processing: We host our Service on Amazon Web Services (AWS). Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

Physical and environmental security: We host our product infrastructure on AWS. We do not own or maintain hardware located at AWS data centers. Production servers and client-facing applications are logically and physically secured from our internal corporate information systems, and each other. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.

Authentication: We implement a uniform password policy for our customer products. Furthermore, Customers who have access to PII data within their CorralData interface are required to use Microsoft or Google Sign-in with two factor authentication to view any PII data.
Authorization: Customer Data is stored in storage systems accessible to Customers via only application user. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

ii) Preventing Unauthorized Product Use

We implement industry standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
Static code analysis: Code stored in our source code repositories is checked for best practices and identifiable software flaws using automated tooling.

Penetration testing: We maintain relationships with industry recognized penetration testing service providers for our penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios. Penetration tests are performed against the application layers and infrastructure layers of the CorralData technology stack.

iii) Limitations of Privilege & Authorization Requirements

Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, product development and research, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” (JITA) requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Administrative or high risk access permissions are reviewed at least once every six months.

Background checks: Where permitted by applicable law, CorralData employees undergo a third-party background or reference check. In the United States, employment offers are contingent upon the results of a third-party background check. All CorralData employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

b) Transmission Control

In-transit: We require HTTPS encryption (also referred to as SSL or TLS) on all login interfaces and for free on every customer site hosted on the CorralData products. Our HTTPS implementation uses industry standard algorithms and certificates.

At-rest: We store user passwords following policies that follow industry standard practices for security. For Customers that have access to PII data, passwords are not stored since we rely on Google or Microsoft sign-in for two factor authentication. We have implemented technologies to ensure that stored data is encrypted at rest.

c) Input Control

Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by our team; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement.

d) Availability Control

Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and heating, ventilation and air conditioning (HVAC) services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

Disaster Recovery Plans: We maintain and regularly test disaster recovery plans to help ensure availability of information following interruption to, or failure of, critical business processes. Our platform is designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.

ANNEX 2

Sub-processors

Current sub-processors.

CorralData uses services of certain vendors for processing of customer data while providing services to its customers (”sub-processors”). Prior to engaging any third party sub-processor, CorralData thoroughly analyzes and evaluates the impact of such engagement on privacy aspects in the context of processing within CorralData products.

Current list of Company sub-processors providing services which might impact CorralData’s customers may be found here: https://corraldata.com/sub-processors/