Data Protection Addendum
This Data Protection Addendum (“DPA”) is made by and between Source Defense Ltd. and Source Defense Inc. (together, “Source Defense”) and the legal entity that has entered into an agreement with Source Defense for the provision of Source Defense’s services (“Customer”) (each a “Party” and together the “Parties”).
This DPA forms an integral part of the applicable terms and conditions of sale, master service agreements, or other contractual arrangements between Source Defense and the Customer, including any purchase orders or other written agreements executed by the Parties (collectively referred to as the “Service Agreement”), regardless of whether such agreements are executed with Source Defense Ltd. or Source Defense Inc. This DPA governs matters of data protection between the Parties, supplementing the Service Agreement with respect to such matters, and will remain in effect for the duration of the processing of Personal Data by the Parties.
1. Interpretation and Definitions
1.1 Words used in the singular include the plural and vice versa, as the context may require.
1.2 Capitalized terms not otherwise defined herein, as well as the terms “data subject”, “processing”, “controller” and “processor” shall take the meaning ascribed to them by GDPR.
1.3 The terms of this DPA will apply only to the extent that they are required under Data Protection Laws.
1.4 Definitions:
(i) “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“EU GDPR”) and the UK General Data Protection Regulation together with the UK Data Protection Act 2018 (“UK GDPR”) (together “GDPR”), the Federal Act on Data Protection of June 19, 1992 of Switzerland (as revised September 1, 2023) and its implementing ordinances (“Swiss FADP”), the California Consumer Privacy Act of 2018 together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 and any regulations promulgated thereunder (“CCPA”) and any other data protection or privacy laws, all as applicable.
(ii) “Personal Data” means any information relating to an identified or identifiable natural person, including without limitation any data which is defined under the Data Protection Laws as personal or private.
(iii) “Customer Personal Data” means Personal Data provided by or on behalf of the Customer as part of the Services, and which is processed by Source Defense as a data processor (or data sub-processor, as relevant) on behalf of the Customer.
(iv) “Source Defense Personal Data” means Personal Data that is collected, stored, or processed by Source Defense in connection with the Services, in its capacity as a data controller for its own purposes.
(v) “Services” means the services provided by Source Defense to the Customer, as specified in the applicable Service Agreement. For the avoidance of doubt, this definition shall include circumstances where the Customer acts as a distributor of Source Defense’s services or otherwise resells such services to its own customers.
(vi) “Restricted Transfer” means (i) where the EU GDPR applies, a transfer of Personal Data from the European Economic Area to a third party outside of the European Economic Area which does not benefit from an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to a third party outside the UK which does not benefit from adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss FADP applies, a transfer of Personal Data from Switzerland to a third party outside of Switzerland which does not benefit from an adequacy determination by Switzerland.
(vii) “EU SCCs” means the standard contractual clauses published by the EU Commission on June 4, 2021 (https://ec.europa.eu/info/sites/default/files/sccs_word.zip).
(viii) “UK SCCs” means the EU SCCs as amended by the United Kingdom’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses dated March 21, 2022 (https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf).
2. Roles of the Parties
2.1 Source Defense as Processor:
2.1.1 The Parties hereby acknowledge and agree that, in relation to the processing of Customer Personal Data, the Customer shall be deemed the data controller, and Source Defense shall be deemed the data processor.
2.1.2 In instances where the Customer is acting as a data processor on behalf of a third-party data controller (the “Third-Party Controller”), Source Defense shall assume the role of sub-processor (an “other processor” under GDPR Article 28(4)) and the following shall apply:
a. Any references in this DPA to the Customer’s obligations or rights as the data controller shall be interpreted as applying to the Third-Party Controller, including but not limited to the determination of the purposes and means of the processing of Customer Personal Data.
b. Source Defense shall process Customer Personal Data in accordance with the Customer’s documented instructions, which must be consistent with the instructions of the Third-Party Controller.
c. For the sake of convenience, this DPA will continue to refer to the Customer as the “data controller” and Source Defense as the “data processor,” with necessary adjustments made to reflect these roles as processor and sub-processor, respectively.
2.2 Source Defense as Controller:
2.2.1 The Parties acknowledge and agree that Source Defense may process Personal Data of Customer’s authorized representatives as an independent data controller for its own purposes, including Personal Data necessary for the following purposes:
a. billing and invoicing;
b. administration and management of the business relationship with the Customer.
For the sake of convenience, such Personal Data (being the “Source Defense Personal Data” defined in Section 1.4(iv)) shall be referred to as “Source Defense Data.”
2.2.2 In relation to the processing of Source Defense Data, Source Defense shall comply with its obligations as a Data Controller under applicable Data Protection Laws. This includes, but is not limited to, ensuring the lawful basis for processing and implementing appropriate security measures.
3. Customer Obligations
3.1 The Customer represents and warrants that:
a. It has obtained all necessary consents, permissions, authorizations, or other valid legal bases under Data Protection Laws to allow for the lawful collection, processing, and transfer of Personal Data to Source Defense (or any sub-processors) in accordance with this DPA and the Service Agreement.
b. The processing instructions provided to Source Defense under this DPA, including any instructions related to a Restricted Transfer, comply with Data Protection Laws.
c. It has provided the relevant data subjects with all required notices and information regarding the processing of their Personal Data as required under Data Protection Laws.
3.2 In instances where the Customer is acting as a data processor on behalf of a Third-Party Controller, the Customer represents and warrants that it is authorized by the Third-Party Controller to instruct Source Defense in the processing of Personal Data as specified in this DPA and to enter into this DPA on the Third-Party Controller’s behalf.
4. Processing Instructions
4.1 Customer hereby instructs Source Defense to process Customer Personal Data for the purpose of providing the Services as described in the Service Agreement. Source Defense shall process Customer Personal Data only pursuant to Customer’s lawful documented instructions, including the Service Agreement and other instructions communicated in writing directly to Source Defense and in accordance with the Description of Processing, attached hereto as Exhibit A.
4.2 Source Defense may also Process Customer Personal Data where required by applicable laws to which Source Defense is subject, in which case Source Defense shall inform Customer of that legal requirement before the relevant Processing of that Personal Data, unless prohibited from doing so by law.
5. Security and Confidentiality:
5.1 Source Defense’s personnel engaged in Processing Customer Personal Data are and will remain committed to confidentiality. Taking into account the nature, scope, context, purpose and risk of processing of Customer Personal Data under this DPA, Source Defense shall take not less than reasonable industry-appropriate technical and organizational measures to ensure the security of its processing of Customer Personal Data, in accordance with Data Protection Laws.
5.2 Without derogating from the foregoing, Source Defense shall implement appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure, as detailed in Exhibit C of this DPA. Such measures shall include, as appropriate:
a. the encryption of Personal Data;
b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
c. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
d. regular re-evaluation of Source Defense’s technical and organizational measures for ensuring the security of the processing.
6. Sub-processors:
6.1 Source Defense has Customer’s general authorization for the engagement of sub-processors. Source Defense’s current list of approved sub-processors is attached as Exhibit D of this DPA, and is hereby approved by Customer.
6.2 To the extent required under Data Protection Laws, Source Defense will provide written notification to Customer of any intended changes concerning the addition or replacement of other sub-processors, at least seven (7) days prior to such changes. Customer must subscribe to receive such notifications by entering their email address to the form on https://share.hsforms.com/1TkKtuZLcQQCnmlZ9ud4l_A3mgu3. If Customer objects to Source Defense’s intended appointment of a new sub-processor on reasonable grounds related to data protection, then the Parties will make a good faith effort to resolve Customer’s objection.
6.3 Source Defense shall ensure that its arrangement with each sub-processor is governed by a written contract including terms which offer at least substantially similar level of protection of the Customer Personal Data as those set out in this DPA. As between Source Defense and Customer, Source Defense will remain responsible for ensuring that its sub-processors comply with such contractual obligations and with applicable Data Protection Laws. For the avoidance of doubt, this responsibility is limited to data protection compliance obligations and shall not expand or override the liability exclusions and limitations set out in this DPA and the Service Agreement, including with respect to third-party providers.
7. Cooperation:
7.1 Source Defense shall reasonably assist the Customer in responding to data subject requests for exercising their rights under Data Protection Laws. Source Defense shall promptly inform the Customer upon receiving any such request. Additionally, Source Defense shall provide reasonable assistance to the Customer in fulfilling its obligations under Data Protection Laws, including but not limited to data security measures, conducting data protection impact assessments, and managing breach notifications. The Customer shall bear the costs of such assistance to the extent that it exceeds ordinary expenses incurred by Source Defense in the regular course of business.
7.2 If Source Defense is required by applicable law, court order, or governmental authority to disclose or provide access to Customer Personal Data, Source Defense shall promptly notify the Customer and provide a copy of the request, unless prohibited by law from doing so. Source Defense will reasonably cooperate with the Customer to allow it to respond to or contest the request where applicable.
8. Personal Data Breach:
8.1 In the event of a Personal Data Breach (as this term is defined and used in Data Protection Laws or regulatory guidelines) affecting Customer Personal Data, Source Defense shall, without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, notify the Customer. The notification shall include, to the extent available:
(i) A description of the nature of the breach, including the categories and approximate number of data subjects and data records concerned.
(ii) The likely consequences of the breach.
(iii) Measures taken or proposed to be taken by Source Defense to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
8.2 Source Defense shall promptly take all necessary steps to contain, investigate, and mitigate the effects of the Personal Data Breach and to remedy the breach as soon as reasonably possible. Source Defense shall further cooperate with the Customer in fulfilling its obligations regarding notifications to relevant supervisory authorities and affected data subjects under Data Protection Laws.
8.3 Source Defense will document the facts relating to the Personal Data Breach, its effects, and any remedial action taken and will provide such documentation to the Customer upon request.
8.4 Each Party shall bear its own costs related to managing and remediating a Personal Data Breach unless the breach was caused by a violation of this DPA or Data Protection Laws by one Party, in which case the violating Party shall bear the costs of any necessary remediation and regulatory notifications.
9. Audits:
9.1 Source Defense will make available all information necessary to demonstrate compliance with Data Protection Laws. Source Defense will allow for and contribute to audits and inspections in this regard.
9.2 Customer (or its designated auditor, subject to a confidentiality agreement) is entitled to verify Source Defense’s compliance with this DPA. Such audits shall be conducted no more than once annually, unless a Personal Data Breach occurs or there is a reasonably suspected breach of Data Protection Laws or this DPA by Source Defense, in which case Customer may conduct additional audits, subject to Source Defense’s approval. Audits shall take place during normal business hours, with reasonable prior notice of at least 30 days. Customer will make sure such audits do not unreasonably interfere with or damage Source Defense’s business activities and information and network systems.
9.3 Audits may include an inspection of Source Defense’s data processing facilities, procedures, systems, and documentation, relevant to the processing of Customer Personal Data. The audit will be limited to ensuring compliance with Data Protection Laws and Source Defense’s obligations under this DPA.
9.4 Any information obtained during an audit shall be treated as confidential by the Customer and used solely for the purpose of assessing Source Defense’s compliance with this DPA and Data Protection Laws.
9.5 Customer shall bear the costs and expenses of audits. If an audit demonstrates that Source Defense has experienced a Personal Data Breach (as this term is defined and used in Data Protection Laws or regulatory guidelines) affecting Customer Personal Data in violation of Source Defense’s obligations under this DPA, Source Defense shall bear the reasonable and documented costs of that specific audit, provided that (i) such costs are proportionate and directly related to verifying the Personal Data Breach and remediating the breach; (ii) Source Defense is given the opportunity to conduct its own internal audit at its own expense before the Customer initiates a third-party audit; and (iii) Source Defense is not required to bear the costs of multiple audits addressing the same or substantially similar issues.
9.6 As an alternative to conducting an on-site audit, Source Defense may provide the Customer with audit reports from independent third-party auditors, such as ISO certifications, which attest to Source Defense’s compliance with its data protection obligations. If such reports are provided, they shall be deemed sufficient for the purposes of fulfilling the Customer’s audit rights, unless the Customer has reasonable grounds to request a further audit.
10. Deletion:
10.1 Upon the Customer’s request and/or upon expiration or termination of the Service Agreement, Source Defense shall, within thirty (30) calendar days of receiving such request or upon expiration or termination, securely destroy or, if instructed in writing by the Customer, return all Customer Personal Data in its possession or control.
10.2 Notwithstanding the above, Source Defense may retain archived copies of Customer Personal Data solely for backup and/or log purposes, as required in the ordinary course of business. Such archived data will remain subject to the ongoing obligations of this DPA and shall be securely deleted upon the expiration of the standard retention period for backup or log files, in accordance with Source Defense’s data retention policies. Any returned Customer Personal Data shall be provided in the format and media reasonably specified by the Customer, along with sufficient information to enable interpretation. Upon the Customer’s request, Source Defense shall certify in writing the destruction of the Customer Personal Data.
10.3 If applicable laws, regulations, or a governmental or regulatory authority require Source Defense to retain any Customer Personal Data that would otherwise need to be returned or destroyed, Source Defense will notify the Customer in writing of such a retention requirement, where legally permissible. Source Defense shall retain such data only as necessary and in full compliance with all Data Protection Laws.
10.4 Notwithstanding the provisions above, Source Defense may retain data based on extracts of Customer Personal Data in aggregated and non-identifiable forms for its own legitimate business purposes at its own discretion, provided that it implements appropriate technical and organizational measures to ensure that such data: (i) does not identify and cannot reasonably be associated with any particular individual; and (ii) is maintained and used without any attempt to re-identify it.
11. International Transfers:
11.1 If, and to the extent, the processing of Customer Personal Data and/or Source Defense Data by Source Defense involves Restricted Transfers protected by the GDPR or the Swiss FADP, the Parties agree that such transfers shall be undertaken on the basis of the applicable standard contractual clauses which are incorporated herein by reference and construed in accordance with Exhibit B below, unless another mechanism provided for in the Data Protection Laws of the applicable country applies.
11.2 Onward Transfers. To the extent that Source Defense’s use of sub-processors involves a Restricted Transfer, Source Defense will ensure that such Restricted Transfer complies with Data Protection Laws relating to the Restricted Transfer including, but not limited to, subscribing to a transfer mechanism permitted under Data Protection Laws.
12. CCPA:
12.1 As used in this section, “Sell”, “Share”, “Service Provider” and “Personal Information” shall have the meaning assigned to them in the CCPA.
12.2 To the extent the CCPA applies, Source Defense shall be considered a Service Provider processing Personal Information on behalf of Customer, who shall be considered a Service Provider or Business, as applicable. Customer and Source Defense shall comply with the obligations required of Businesses and Service Providers, as applicable, pursuant to the CCPA.
12.3 The purposes of processing set forth in the Service Agreement are considered Business Purposes.
12.4 Source Defense is prohibited from:
(i) Selling or Sharing Personal Information;
(ii) Retaining, using or disclosing Personal Information for any purpose other than the business purposes specified in the Service Agreement, including retaining, using or disclosing Personal Information for a commercial purpose other than the business purposes specified in the Service Agreement or as otherwise permitted by the CCPA;
(iii) Retaining, using or disclosing the Personal Information outside of the direct business relationship between Customer and Source Defense; and
(iv) Combining the Personal Information it receives from Customer with Personal Information it receives from or on behalf of another person or entity, or that it collects from its own interactions with individuals, unless expressly permitted by the CCPA.
13. General Provisions:
13.1 The terms of this DPA will prevail over any conflicting terms in other agreements between the Parties including any Service Agreement. Any alteration or modification of this DPA is not valid unless made in writing and executed by duly authorized personnel of both Parties.
13.2 Notwithstanding anything to the contrary in the Service Agreement and to the maximum extent permitted by law:
13.2.1 Source Defense’s entire, total and aggregate liability related to Personal Data or information, privacy, security, or for breach of this DPA and/or Data Protection Laws, including, without limitation, any indemnification obligation under the Service Agreement or Data Protection Laws, shall be limited to the lower of: (a) the amounts paid to Source Defense under the Service Agreement within the twelve (12) months preceding the event that gave rise to the claim; or (b) if the Service Agreement specifies a lower limitation of liability cap, such lower cap;
13.2.2 in no event will Source Defense and/or its third-party providers be liable under, or otherwise in connection with, this DPA for: (i) any indirect, exemplary, special, consequential, incidental or punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or damage to, data, reputation, revenue or goodwill; and/or (iv) the cost of procuring any substitute goods or services;
13.2.3 for the avoidance of doubt, the liability cap set forth above and in the Service Agreement shall apply jointly and in the aggregate to both the Service Agreement and this DPA, and shall not be construed as providing separate or additional liability caps; and
13.2.4 the foregoing exclusions and limitations on liability set forth in this Section shall apply: (a) even if Source Defense or its third-party providers have been advised, or should have been aware, of the possibility of losses or damages; (b) even if any remedy in this DPA fails of its essential purpose; and (c) regardless of the form, theory or basis of liability (such as, but not limited to, breach of contract or tort).
13.3 Source Defense may assign its respective rights and obligations hereunder without the prior written consent of Customer, only where such assignment is by way of merger or acquisition of all or substantially all Source Defense’s equity or assets, or change of control, and where Customer is notified at least 14 days in advance, unless the Service Agreement prohibits such assignment or places additional conditions which will prevail.
13.4 Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced, to the extent possible, by such valid provisions which achieve essentially the same objectives.
13.5 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Service Agreement, unless required otherwise by Data Protection Laws.
13.6 Source Defense data protection personnel may be contacted at sddpo@sourcedefense.com.
13.7 This DPA forms an integral part of the Service Agreement between the Parties and is effective and binding upon execution of the Service Agreement. Signature of this DPA is not mandatory for its validity.
* * * * *
LIST OF EXHIBITS
I. Exhibit A – Description of Processing
II. Exhibit B – Standard Contractual Clauses
III. Exhibit C – Technical and Organizational Measures
IV. Exhibit D – Approved Sub-processors
Exhibit A
Description of Processing
| Element | Description |
|---|---|
| Subject Matter | Source Defense will Process Customer Personal Data as necessary to perform the Services pursuant to the Service Agreement, or as further instructed by Customer in its use of the Services. |
| Nature of the Processing of Personal Data | Collection, storage, transmission, analysis, pseudonymization, anonymization and deletion. |
| Purpose of the Processing | Performing the Service Agreement and this DPA, including, but not limited to: (a) Provision of Platform Access and Management: processing personal data to create, manage, and secure customer accounts, including setting up login credentials, managing user permissions, and providing authorized users with secure access to the Source Defense platform and its security features, including authorized and authenticated access to dashboards, security reports, and tools available within the platform. (b) Security Monitoring and Threat Detection: processing data to monitor and detect potential security threats on Customer websites, such as unauthorized access or script injections, in support of real-time protection against client-side attacks. (c) Compliance with Security Standards: collecting and processing data to support Customer compliance with relevant security standards and regulations (e.g., ISO) by identifying and mitigating risks associated with third-party scripts on Customer websites. (d) Analytics and Reporting for Security Insights: processing data to generate analytical reports on website performance, user behavior, and security incidents, giving customers insight into potential security risks and helping them improve their security posture. (e) Testing and Improvement of Security Solutions: using data to enhance Source Defense’s security solutions by conducting testing, research, and analysis aimed at improving threat detection algorithms and security measures. (f) Customer Support and Incident Response: processing personal data as needed for customer support, technical troubleshooting, and incident response, including addressing security incidents and ensuring quick remediation to protect end-users’ data. |
| The Categories of Data Subjects | (a) Customer Employees and Authorized Users: individuals employed by Customer or by Customer’s customers who are granted access to the Source Defense platform, including security analysts, IT staff, and other authorized personnel who use the platform for monitoring and managing security risks. (b) Website Visitors and End-Users: individuals who visit or interact with Customer’s websites which are protected by Source Defense. This may involve minimal personal data processed as part of security monitoring or threat detection (e.g., IP addresses or device identifiers related to malicious activity). |
| Types of Personal Data to be Processed: Platform Data (Customer Employees and Authorized Users) | Account Data: usernames (first name only) and business email address. Authentication Data: passwords (or tokens) for accessing the platform, including data associated with Single Sign-On (SSO) if utilized, such as SSO provider details, security questions, and two-factor authentication codes. User Role and Permissions: the role of the user within the platform (e.g., admin, standard user) and associated permissions. Technical and Usage Data: logs of user activities on the platform, including access logs, IP addresses, and device and browser information. Support and Communication Logs: information from interactions with customer support, such as support tickets, that may include personal data related to the user. |
| Types of Personal Data to be Processed: Website Visitor Data (Website Visitors and End-Users) | IP Addresses: IP addresses are accessed momentarily for security monitoring purposes and are automatically truncated before storage by removing the last segment, which reduces the granularity of the data while still allowing effective security analysis. Technical Information: information about the user accessing the website, such as device type, operating system, browser type, screen resolution, language setting and time zone. Geolocation Data: data derived from IP addresses to determine the general geographic location of visitors, typically at city level. Behavioral Data: information on user interactions with the website, including pages visited, time spent on site, click patterns, navigation paths, and other engagement metrics, processed solely in aggregated form to protect individual user privacy. |
| Special Category Data | Not applicable to the Services. |
Exhibit B
Standard Contractual Clauses
EU SCCs:
The Parties agree that where data is transferred outside of the EEA to a recipient that is not located in a jurisdiction deemed adequate by the EU Commission, the EU SCCs are hereby incorporated by reference and shall apply to such transfers. Module 1 (Controller to Controller), Module 2 (Controller to Processor), Module 3 (Processor to Processor) and/or Module 4 (Processor to Controller) shall apply, as applicable. In Clause 7 of the EU SCCs, the optional docking clause shall apply. For the purposes of Clause 9: option 2 (General Authorization) shall apply, and the notice period for changes to sub-processors will be 7 days. In Clause 11 the optional language will not apply. For the purposes of Clause 13(a) and Annex I.C, the competent supervisory authority shall be the supervisory authority of the Member State where the Data Exporter is established or has a representative or, if the exporter is not established in any EU Member State, the supervisory authority of Ireland; for the purposes of Clause 17: option 2 applies, and the governing law will be the law of Ireland; for the purposes of Clause 18: disputes shall be resolved by the courts of Ireland.
For the purposes of Annex I: Customer is the ‘Data exporter’, Source Defense is the ‘Data importer’ or vice versa, as applicable; the ‘contact details of the data exporter and data importer’, ‘Data Subjects’, ‘Categories of data’, ‘Frequency of the transfer’, ‘Nature of processing’, ‘Purpose’, ‘Retention period’, ‘Subject matter, nature and duration of the processing’, ‘sensitive data transferred’ and ‘restrictions and safeguards that apply to sensitive data’ are as described in the Service Agreement, this DPA or other applicable agreements and documented instructions by and between the Parties. ‘Signature and Date’: By entering into the Service Agreement each Party is deemed to have signed these EU SCCs incorporated herein, including their exhibits.
For the purposes of Annex II: ‘technical and organizational measures’ are as described in Section 5 and Exhibit C of this DPA. In addition, Source Defense maintains industry standard measures to protect the Personal Data from interception (including in transit from Exporter to Source Defense and between different systems and services), including encryption of Personal Data whilst in transit and at rest.
Source Defense will make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the UK GDPR, including (if applicable) under Section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”).
If Source Defense becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempt or demand to gain access to or a copy of the Personal Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, Source Defense shall:
a. to the extent the Personal Data is Customer Personal Data, inform the relevant Authority that it is a Processor or Sub-processor (as applicable) of the Personal Data and that Exporter, as the Controller or Processor (as applicable), has not authorized Source Defense to disclose the Personal Data to the Authority;
b. inform the relevant Authority that any and all requests or demands for access to the Personal Data should be directed to or served upon Exporter in writing; and
c. use reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under Source Defense’s control. Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the Authority’s intended access to Personal Data, Source Defense has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection shall not apply. In such event, Source Defense shall notify Customer as soon as possible following the access by the Authority and provide Customer with relevant details, unless and to the extent legally prohibited from doing so.
Source Defense will inform Customer, at its written request (and not more than once a year), of the types of binding legal demands for Customer Personal Data Source Defense has received and complied with, including demands under national security orders and directives, specifically including any process under Section 702 of FISA.
For the purposes of Annex III: the authorized sub-processors are as listed in Exhibit D of this DPA.
UK SCCs:
To the extent that Personal Data transfers are governed by the UK GDPR, the UK SCCs shall be incorporated by reference and form an integral part of this DPA. Where this is the case, the relevant annexes, appendices or tables shall be deemed populated with the information set out in this DPA, and the following modifications will apply: any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the UK GDPR; references to specific Articles of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK GDPR; references to “EU”, “Union” and “Member State law” are all replaced with “UK”; Clause 13(a) and Part C of Annex I of the EU SCCs are not used; references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Information Commissioner and the courts of England and Wales; and Clause 17 of the EU SCCs is replaced to state that “The Clauses are governed by the laws of England and Wales” and Clause 18 of the EU SCCs is replaced to state “Any dispute arising from these Clauses shall be resolved by the courts in England. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”.
Swiss SCCs:
In relation to transfers of Personal Data protected by the FADP, the EU SCCs shall be incorporated by reference and form an integral part of this DPA, with the following modifications:
(i) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss FADP;
(ii) references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; and
(iii) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and the competent courts in Switzerland.
Exhibit C
Technical and Organizational Measures
Source Defense takes considerable measures to protect the personal data processed on behalf of customers. These include, but are not limited to, the following steps:
Information Security Program:
An established, implemented, maintained, and compliant information security program.
ISO Certification:
The Company maintains ISO 27001 certification to ensure adherence to internationally recognized information security management standards, demonstrating a commitment to effective data protection practices and continuous improvement in security controls.
Access Control:
Rights are assigned on a need-to-know and need-to-access basis, with regular reviews to ensure that access levels remain appropriate.
Secure Database Access:
Access to databases is conducted through secure VPNs, with two-factor authentication (2FA) required for all access.
Data Encryption:
Personal data is encrypted both in transit and at rest using industry-standard encryption protocols to safeguard against unauthorized access. Data in transit is encrypted using current TLS protocols (the TLSv1.2_2021 and TLS13-1-2-2021-06 security policies).
SSE-S3 is employed for S3 systems and rds-ca-rsa2048-g1 for database data encryption in storage.
Confidentiality Obligations:
All employees and contract personnel are bound by contractual confidentiality obligations to ensure protection of personal data.
Resilience and Continuity:
Implementation of resilience and continuity tools and mechanisms to achieve high availability and resilience, including regular testing of backup processes.
Third-Party Vendor Management:
Conduct due diligence and maintain oversight of third-party vendors to ensure they adhere to appropriate security and data protection standards when processing personal data.
Data Segregation:
Use of firewall-restricted network access between production hosts, allowing only authorized services to interact in the production network.
Incident Response Team:
A trained incident response team is in place to quickly address and mitigate data breaches or security incidents.
Audit Logging:
Comprehensive audit logging of all access and modifications to personal data to facilitate monitoring and accountability.
Security Awareness and Training:
Regular security awareness and privacy training for all employees to promote a culture of data protection and compliance.
Platform Security:
The platform incorporates a range of security measures to protect personal data, such as:
Multi-Factor Authentication: Option to enable MFA, per customer choice.
Automatic Session Expiration: Sessions automatically expire after a defined period of inactivity.
Limited Login Attempts: Restrictions on the number of consecutive failed login attempts.
Strong Password Requirements: Enforcement of strong industry standard password policies requiring a minimum of 8 characters and a maximum of 20 characters, including at least one uppercase letter and one lowercase letter.
Exhibit D Approved Sub-processors
| Sub-processor Name | Location | Data Processed | Purpose of Processing |
| --- | --- | --- | --- |
| AWS | Virginia, USA | Website Visitor Data, Platform Data | Cloud services for hosting and data storage |
| Upsolver | Israel | Platform Data | Data integration and processing |
| Google Analytics | USA | Platform Data | General user data analytics |
| Productfruit | USA | Platform Data | Interactive guides for users |
| ZenDesk | Ireland | Platform Data | Support and ticketing |
| Hotjar | Malta | Platform | User interaction tracking (session recording, excluding IP) and heatmaps |
| Tableau | USA | Platform Data | Database analysis |
| Spot.io | Israel | Platform Data | Spot instance management |
| Feel IT Services | Moldova | Platform Data | Technical support |
| Directeam | Israel | Platform Data | Operational and technical services |
| Source Defense Ltd. | Israel | Website Visitor Data, Platform Data | Support, development, product design, statistics; Source Defense affiliate |
| Gini-Apps | Israel | Website Visitor Data, Platform Data | Outsourced DevOps engineer |
* * * * *