SUBSCRIPTION SERVICE AGREEMENT SCHEDULES

This Subscription Service Agreement (including the Subscription Service Guide, attached hereto) (“Agreement”) is made between the Report Zero entity (“Report Zero”) and the customer entity (“Customer”) on the ordering document and becomes effective on the last signature date of the ordering document issued by Report Zero (“Effective Date”). The Agreement is deemed to include the General Terms and Conditions below, the Subscription Service Guide attached as Exhibit A.1 (which includes Exhibit A.2 – Customer Support Policy, Exhibit A.3 – Upgrades and Updates, Exhibit A.4 – Data Processing Addendum, and Exhibit A.5 – Data Security Guide), and any other terms expressly referenced herein or in other incorporated documents, all of which are expressly deemed incorporated in the Agreement by this reference. The Subscription Service Guide is posted on https://reportzero.net/schedules and incorporated herein by reference. Pursuant to a separate transaction between Customer and Report Zero’s authorized reseller (“Reseller”), Customer has purchased from Reseller certain services to be delivered by Report Zero. This Agreement specifies the terms and conditions under which those services will be provided, apart from price, payment and other terms specified in the separate agreement between Customer and Reseller.

EXHIBIT A.1 – SUBSCRIPTION SERVICE GUIDE
  1. SUPPORT
Report Zero will provide support for the Subscription Service as set forth in the Customer Support Policy attached to this Subscription Service Guide as Exhibit A.2 and incorporated herein by reference. The Customer Support Policy may be updated periodically.
  2. UPGRADES AND UPDATES
Report Zero will provide upgrades and updates to the Subscription Service as described in Exhibit A.3 Upgrades and Updates attached to this Subscription Service Guide and incorporated herein by reference. The Upgrade and Update exhibit may be updated periodically.
  3. DATA PROCESSING ADDENDUM
The parties’ agreement with respect to the processing of personal information submitted to the Subscription Service is described in the Data Processing Addendum attached to this Subscription Service Guide as Exhibit A.4 and incorporated herein by reference. The Data Processing Addendum may be updated periodically.
  4. DATA SECURITY GUIDE
Report Zero will implement and maintain security procedures and practices appropriate to information technology service providers designed to protect Customer Data from unauthorized access, destruction, use, modification, or disclosure, as described in the Data Security Guide attached to this Subscription Service Guide as Exhibit A.5 and incorporated herein by reference. The Data Security Guide may be updated periodically.
  5. INSURANCE
Report Zero agrees to maintain in effect during the Subscription Term, at Report Zero’s expense, the following minimum insurance coverage: 5.1 Workers’ Compensation Insurance, in accordance with applicable statutory, federal, and other legal requirements; 5.2 Employers’ Liability Insurance covering Report Zero’s employees in an amount of not less than UK£1,000,000 for bodily injury by accident and UK£1,000,000 each employee for bodily injury by disease; 5.3 Commercial General Liability Insurance written on an occurrence form and including coverage for bodily injury, property damage, products and completed operations, personal injury, and advertising injury arising out of the products or services provided by Report Zero under this Agreement, with minimum limits of UK£1,000,000 per occurrence/UK£2,000,000 aggregate; 5.4 Commercial Automobile Liability Insurance providing coverage for hired and non-owned automobiles used in connection with this Agreement in an amount of not less than UK£1,000,000 per accident, combined single limit for bodily injury and property damage; 5.5 Combined Technology Errors’ & Omissions Policy with a UK£1,000,000 per claim limit, including: (a) Professional Liability Insurance providing coverage for the services and software in this Agreement (which coverage will be maintained for at least two years after termination of this Agreement); and (b) Privacy, Security, and Media Liability Insurance providing liability coverage for unauthorized access or disclosure, security breaches, and system attacks, as well as infringements of copyright and trademark that might result from this Agreement; and 5.6 Excess Liability over Employers’ Liability, Commercial General Liability, and Commercial Automobile Liability, with a UK£1,000,000 aggregate limit. For the purpose of this Section 5, a “claim” means a written demand for money or a civil proceeding which is commenced by service of a complaint or similar pleading.
  6. AVAILABILITY SERVICE LEVEL
6.1 DEFINITIONS. 6.1.1 “Available” means that the Subscription Service can be accessed by authorized users in accordance with their rights of access. 6.1.2 “Excused Downtime” means: (a) Maintenance Time of up to eight hours per month; and (b) any time the Subscription Service is not Available due to circumstances beyond Report Zero’s control, including modifications of the Subscription Service by any person other than Report Zero or a person acting at Report Zero’s direction, a Force Majeure Event, general Internet outages, failure of Customer’s infrastructure or connectivity (including direct connectivity and virtual private network (“VPN”) connectivity to the Subscription Service), computer and telecommunications failures and delays, and network intrusions or denial-of-service or other criminal attacks. 6.1.3 “Infrastructure Modification” means any repairs, maintenance, improvements, or changes to the cloud infrastructure used by Report Zero to operate and deliver the Subscription Service. 6.1.4 “Maintenance Time” means the time the Subscription Service is not Available due to an Infrastructure Modification, Upgrade, or Update. 6.1.5 “Availability SLA” means that the production instances of the Subscription Service will be Available at least 90% of the time during a calendar month, excluding Excused Downtime. 6.2 AVAILABILITY.
If Customer’s production instances of the Subscription Service fall below the Availability SLA during a calendar month, Customer’s exclusive remedy for failure of the Subscription Service to meet the Availability SLA is to request that either: (a) the affected Subscription Term be extended for the number of minutes the Subscription Service was not Available in the month in accordance with the Availability SLA; or (b) Report Zero issue a service credit to Customer for the dollar value of the number of minutes the Subscription Service was not Available in the month in accordance with the Availability SLA (determined at the deemed per minute rate Report Zero charges to Customer for Customer’s use of the affected Subscription Service), which Customer may request Report Zero apply to the next invoice for subscription fees. 6.3 REQUESTS. Customer must request all service credits or extensions in writing to Reseller within 30 days of the end of the month in which the Availability SLA was not met, identifying the support requests relating to the period during which Customer’s production instances of the Subscription Service were not Available. The total amount of service credits for any month may not exceed the subscription fee for the affected Subscription Service for that month, and service credits have no cash value. Report Zero may delay issuing service credits until such amounts reach $1,000 USD or equivalent currency specified in the applicable Order Form. 6.4 NOTICE.
Report Zero will give Customer 10 days’ prior notice of an Infrastructure Modification if Report Zero, in its reasonable judgment, believes that the Infrastructure Modification will impact Customer’s use of its production instances of the Subscription Service, unless, in the reasonable judgment of Report Zero, the Infrastructure Modification is necessary to: (a) maintain the availability, security, or performance of the Subscription Service; (b) comply with Law; or (c) avoid infringement or misappropriation of third-party Intellectual Property Rights.

EXHIBIT A.2 – CUSTOMER SUPPORT POLICY

This Customer Support Policy governs the support that Report Zero will provide for its Subscription Service (“Customer Support”).
  1. SCOPE
The purpose of Customer Support is to resolve defects that cause a nonconformity in the Subscription Service as compared to the Product Overview. A resolution to a defect may consist of a fix, workaround, or other relief, as Report Zero deems reasonable. Customer Support does not include performing the following services:
  • implementation services;
  • configuration services;
  • integration services;
  • customization services or other custom software development;
  • training; or
  • assistance with administrative functions.
Customer Support is not required to provide resolutions for immaterial defects or defects due to modifications of the Subscription Service made by any person other than Report Zero or a person acting at Report Zero’s direction, or defects on any instance of the Subscription Service not in conformance with Exhibit A.3 – Upgrades and Updates.
  2. BUSINESS HOURS
Customer Support is available 8 hours a day, 5 days a week, including all holidays.
  3. ACCESS CONTACTS
Report Zero’s Customer Support portal (“Support Portal”) is located at https://reportzero.net/. Customer may get login access to the Support Portal by contacting its Report Zero administrator. Report Zero’s Customer Support may be reached by email at support@reportzero.net.
  4. INCIDENT PRIORITY
Incident priority for a defect is determined using the guidelines below.
Priority | Definition
P1 | Any defect that causes an instance not to be Available.
P2 | Any defect that causes a critical function to fail.
P3 | Any defect that significantly impedes work or progress.
P4 | Any defect that does not significantly impede work or progress.
  5. RESPONSE TIMES AND LEVEL OF EFFORT
Customer may submit an incident with Report Zero via the Support Portal or phone. Response times are not affected by the manner of contact. All support requests are tracked in the Support Portal and can be viewed by Customer’s authorized contacts. Report Zero will use reasonable efforts to meet the target response times and target level of effort stated in the table below.
Priority | Target Response Time | Target Level of Effort
P1 | 3 hours | 8 hours per day, 5 days per week (normal UK business hours)
P2 | 7 hours | 8 hours per day, 5 days per week (normal UK business hours)
P3 | 2 business days | As appropriate during normal business hours
P4 | N/A | Varies
  6. CUSTOMER RESPONSIBILITIES
Customer’s obligations with respect to Customer Support are as follows: 6.1 Customer will receive from Report Zero communications via email, phone, or through the Support Portal regarding the Subscription Service. 6.2 Customer will appoint no more than 10 contacts (“Customer Authorized Contacts”) to engage Customer Support for questions and technical issues. 6.2.1 Customer must maintain the following Customer Authorized Contacts:
  • Primary Business Contact;
  • Secondary Business Contact;
  • Technical Contact;
  • Support Contact;
  • Primary Customer Administrator; and
  • Security Contact.
6.2.2 Customer will maintain current information for all Customer Authorized Contacts in the Support Portal. 6.2.3 Only Customer Authorized Contacts will contact Customer Support. 6.2.4 Customer will train all Customer Authorized Contacts on the use and administration of the Subscription Service. 6.3 Customer will cooperate to enable Report Zero to deliver the Subscription Service and Customer Support. 6.4 Customer is solely responsible for the use of the Subscription Service by its users.

EXHIBIT A.3 – UPGRADES AND UPDATES
  1. DEFINITIONS
1.1 “Upgrades” are Report Zero’s releases of the Subscription Service for enhancements or new features (including a new Release Family) applied by Report Zero to Customer’s instances of the Subscription Service at no additional fee during the Subscription Term. 1.2 “Updates” are Report Zero’s releases (including patches and hotfixes) of the Subscription Service applied by Report Zero to Customer’s instances of the Subscription Service at no additional fee during the Subscription Term that provide problem fixes, but do not generally include new functionality, and are released as needed. 1.3 “Release Family” is an Upgrade that is a complete solution with new features or enhancements, including previously released Updates if applicable to the features included in the Upgrade. For example, Report Zero’s “Scotland” Upgrade established the “Scotland Release Family”. 1.4 “Critical Upgrade” is an Upgrade that in Report Zero’s reasonable judgment is critical to maintaining the availability, security or performance of the Subscription Service, to complying with applicable laws, or to avoiding infringement or misappropriation of a third-party Intellectual Property Right. 1.5 “Critical Update” is an Update that in Report Zero’s reasonable judgment is critical to maintaining the availability, security or performance of the Subscription Service, to complying with applicable laws, or to avoiding infringement or misappropriation of a third-party Intellectual Property Right. 1.6 “Supported Release Family” at a particular time means the then-current Release Family and the prior 2 Release Families.
  2. UPGRADES AND UPDATES
Report Zero shall determine, in its sole discretion: (a) whether and when to develop, release and apply any Update or Upgrade to Customer’s instances of the Subscription Service; and (b) whether a particular release is an Update, Upgrade or new service offering that is available separately for purchase.
  3. NOTICE
Report Zero shall: (a) give Customer 10 days’ notice of any Upgrade to the Subscription Service; and (b) use reasonable efforts to give Customer 2 days’ notice of any Update to the Subscription Service. Notwithstanding the foregoing, Report Zero may provide Customer with shorter notice or no notice before the application of a Critical Upgrade or a Critical Update.
  4. SUPPORTED AND NON-SUPPORTED RELEASE FAMILIES
Customer acknowledges that the current Release Family is the version of the Subscription Service containing the most current features, availability, performance and security. Within a Supported Release Family, the most recent Update is the version of the Subscription Service for that Release Family that contains the most current problem fixes, availability, performance and security. A Customer using a Supported Release Family may be required to apply a Critical Update within the Supported Release Family. A Customer that has not Upgraded to a Supported Release Family may experience defects, for which Customer hereby agrees that Report Zero is not responsible, including without limitation those that affect the features, availability, performance and security of the Subscription Service, that are fixed in the most current version of the Subscription Service. A Customer who is not using a Supported Release Family may be required to apply an Upgrade to a Supported Release Family.

EXHIBIT A.4 – DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) is deemed to include Sections 1 through 9 below, including the attached Appendix 1, and the Data Security Guide, all of which are expressly deemed incorporated in the Agreement by this reference. In the event of any conflict between the terms of this DPA and the terms of the Agreement with respect to the subject matter herein, this DPA shall control. Any data processing agreements that may already exist between the parties, as well as any earlier version of the Data Security Guide to which the parties may have agreed, are superseded and replaced by this DPA in their entirety. All capitalized terms not defined in this DPA will have the meaning given to them in other parts of the Agreement.
  1. DEFINITIONS
1.1 “Affiliates” means any person or entity directly or indirectly Controlling, Controlled by or under common Control with a party to the Agreement, where “Control” means the legal power to direct or cause the direction of the general management of the company, partnership, or other legal entity. 1.2 “Agreement” means the Order Form or Use Authorization or other signed ordering document, as applicable, between Report Zero and Customer and the signed master agreement (if any) for the purchase of the Subscription Service. 1.3 “Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data. For purposes of this DPA, Data Controller is Customer and, where applicable, its Affiliates either permitted by Customer to submit Personal Data to the Subscription Service or whose Personal Data is Processed in the Subscription Service. 1.4 “Data Processor” means the natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Data Controller. For purposes of this DPA, Data Processor is the Report Zero entity that is a party to the Agreement. 1.5 “Data Protection Laws” means all applicable laws and regulations regarding the Processing of Personal Data and includes GDPR. 1.6 “Data Subject” means an identified or identifiable natural person. 1.7 “GDPR” means the European Union’s General Data Protection Regulation (2016/679) and UK’s General Data Protection Regulation. 1.8 “Instructions” means Data Controller’s documented data Processing instructions issued to Data Processor in compliance with this DPA. 1.9 “Personal Data” means any information relating to a Data Subject uploaded by or for Customer or Customer’s agents, employees, or contractors to the Subscription Service as Customer Data. 
1.10 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction. 1.11 “Professional Services” means any consulting or development services provided by or on behalf of Report Zero pursuant to an agreed Statement of Work or Service Description described or referenced in a signed ordering document. 1.12 “Sub-Processor” means any legal person or entity engaged in the Processing of Personal Data by Data Processor. 1.13 “Subscription Service” means the Report Zero software-as-a-service offering ordered by Customer under a Use Authorization or other signed ordering document between Report Zero and Customer. 1.14 “Subscription Term” means the term of authorized use of the Subscription Service as set forth in the Order Form, Use Authorization, or other ordering document signed by Customer and Report Zero.
  2. SCOPE OF THE PROCESSING
2.1 COMMISSIONED PROCESSOR. Data Controller appoints Data Processor to Process Personal Data on behalf of Data Controller to the extent necessary to provide the Subscription Service described in the Agreement and in accordance with the Instructions. 2.2 INSTRUCTIONS. The Agreement constitutes Data Controller’s written Instructions to Data Processor for Processing of Personal Data. Data Controller may issue additional or alternate Instructions provided that such Instructions are: (a) consistent with the purpose and the scope of the Agreement; and (b) confirmed in writing by Data Controller. For the avoidance of doubt, Data Controller shall not use additional or alternate Instructions to alter the scope of the Agreement. Data Controller is responsible for ensuring its Instructions to Data Processor comply with Data Protection Laws. 2.3 NATURE, SCOPE AND PURPOSE OF THE PROCESSING. Data Processor shall only Process Personal Data in accordance with Data Controller’s Instructions and to the extent necessary for providing the Subscription Service and the Professional Services, each as described in the Agreement. Data Controller acknowledges that all Personal Data it instructs Data Processor to Process for the purpose of providing the Professional Services must be limited to the Customer Data Processed within the Subscription Service. 2.4 CATEGORIES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS. Data Controller may submit Personal Data to the Subscription Service as Customer Data, the extent of which is determined and controlled by Data Controller in its sole discretion and is further described in Appendix 1.
  3. DATA CONTROLLER
3.1 COMPLIANCE WITH DATA PROTECTION LAWS. Data Controller shall comply with all of its obligations under Data Protection Laws when Processing Personal Data. 3.2 SECURITY RISK ASSESSMENT. Data Controller agrees that in accordance with Data Protection Laws and before submitting any Personal Data to the Subscription Service, Data Controller will perform an appropriate risk assessment to determine whether the security measures within the Subscription Service provide an adequate level of security, taking into account the nature, scope, context and purposes of the processing, the risks associated with the Personal Data and the applicable Data Protection Laws. Data Processor shall provide Data Controller reasonable assistance by providing Data Controller with information requested by Data Controller to conduct Data Controller’s security risk assessment. Data Controller is solely responsible for determining the adequacy of the security measures within the Subscription Service in relation to the Personal Data Processed. As further described in Section 7.1 (Product Capabilities) of the Data Security Guide, the Subscription Service includes, without limitation, column level encryption functionality and role-based access control, which Data Controller may use in its sole discretion to ensure a level of security appropriate to the risk of the Personal Data. For clarity, Data Controller may influence the scope and the manner of Processing of its Personal Data by its own implementation, configuration (e.g., different types of encryption) and use of the Subscription Service, including any other products or services offered by Report Zero and third-party integrations. 3.3 CUSTOMER’S AFFILIATES. The obligations of Data Processor set forth herein will extend to Customer’s Data Controller Affiliates to which Customer provides access to the Subscription Service or whose Personal Data is Processed within the Subscription Service, subject to the following conditions: 3.3.1 COMPLIANCE.
Customer shall at all times be liable for its Affiliates’ compliance with this DPA and all acts and omissions by a Data Controller Affiliate are considered acts and omissions of Customer; and 3.3.2 CLAIMS. Customer’s Data Controller Affiliates will not bring a claim directly against Data Processor. In the event a Data Controller Affiliate wishes to assert a valid legal action, suit, claim or proceeding against Data Processor (a “Data Controller Affiliate Claim”): (i) Customer must bring such Data Controller Affiliate Claim directly against Data Processor on behalf of such Data Controller Affiliate, unless Data Protection Laws require that Data Controller Affiliate be party to such Data Controller Affiliate Claim; and (ii) all Data Controller Affiliate Claims will be considered claims made by Customer and are at all times subject to any aggregate limitation of liability set forth in the Agreement. 3.3.3 DATA CONTROLLER AFFILIATE ORDERING. If a Data Controller Affiliate purchased a separate instance of the Subscription Service under the terms of the signed master agreement between Report Zero and Customer, then such Data Controller Affiliate will be deemed a party to this DPA and shall be treated as Customer under the terms of this DPA. 3.4 COMMUNICATION. Unless otherwise provided in this DPA, all requests, notices, cooperation, and communication, including Instructions issued or required under this DPA (collectively, “Communication”), must be in writing and between Customer and Report Zero only, and Customer shall inform the applicable Data Controller Affiliate of any Communication from Report Zero pursuant to this DPA. Customer shall be solely responsible for ensuring that any Communications (including Instructions) it provides to Report Zero relating to Personal Data for which a Customer Affiliate is Data Controller reflect the relevant Customer Affiliate’s intentions.
  4. DATA PROCESSOR
4.1 DATA CONTROLLER’S INSTRUCTIONS. Data Processor will have no liability for any harm or damages resulting from Data Processor’s compliance with Instructions received from Data Controller. Where Data Processor believes that compliance with Data Controller’s Instructions could result in a violation of Data Protection Laws or is not in the ordinary course of Data Processor’s obligations in operating the Subscription Service or delivering Professional Services, Data Processor shall promptly notify Data Controller thereof. Data Controller acknowledges that Data Processor is reliant on Data Controller’s representations regarding the extent to which Data Controller is entitled to Process Personal Data. 4.2 DATA PROCESSOR PERSONNEL. Access to Personal Data by Data Processor will be limited to personnel who require such access to perform Data Processor’s obligations under the Agreement and who are bound by obligations to maintain the confidentiality of such Personal Data at least as protective as those set forth herein and in the Agreement. 4.3 DATA SECURITY MEASURES. Without prejudice to Data Controller’s security risk assessment obligations under Section 3.2 (Security Risk Assessment) above, Data Processor shall maintain appropriate technical and organizational safeguards to protect the security, confidentiality, and integrity of Customer Data, including any Personal Data contained therein, as described in Section 2 (Physical, Technical, and Administrative Security Measures) of the Data Security Guide. Such measures are designed to protect Customer Data from loss, alteration, unauthorized access, acquisition, use, disclosure, or accidental or unlawful destruction, and include: 4.3.1 SERVICE ACCESS CONTROL. The Subscription Service provides user and role-based access controls. Data Controller is responsible for configuring such access controls within its instance. 4.3.2 LOGGING AND MONITORING.
Production infrastructure activity logs are centrally collected, are secured in an effort to prevent tampering, and are monitored for anomalies by a trained security team. 4.3.3 DATA SEPARATION. Customer Data shall be maintained within a logical single-tenant architecture on multi-tenant cloud infrastructure that is logically and physically separate from Report Zero’s corporate infrastructure. 4.3.4 SERVICE CONTINUITY. The production database servers are replicated in near real time to a mirrored data center in a different geographic region. 4.3.5 TESTING. Data Processor regularly tests, assesses and evaluates the effectiveness of its information security program and may periodically review and update such program to address new and evolving security technologies, changes to industry standard practices, and changing security threats. 4.4 DELETION OF PERSONAL DATA. Upon termination or expiration of the Agreement, Data Processor shall return and delete Customer Data, including Personal Data contained therein, as described in the Agreement. 4.5 DATA CENTERS. Data Processor will host Data Controller’s instances of the Subscription Service in public cloud provider data centers located in the geographic regions specified on the Order Form, Use Authorization, or other signed ordering document between Report Zero and Customer. 4.6 DATA PROTECTION IMPACT ASSESSMENTS (DPIA). Data Processor will, on request, provide Data Controller with reasonable information required to fulfil Data Controller’s obligations under GDPR to carry out data protection impact assessments, if any, for Processing of Personal Data within the Subscription Service. 4.7 PRIOR CONSULTATION. Data Processor shall provide reasonable assistance (at Data Controller’s expense) in connection with any prior consultation Data Controller is required to undertake with a supervisory authority under Data Protection Laws with respect to Processing of Personal Data in the Subscription Service.
4.8 DATA PROCESSOR ASSISTANCE. Data Processor will assist Data Controller in ensuring compliance with Data Controller’s obligations pursuant to Articles 32 to 36 of GDPR taking into account the nature of Processing by providing Data Controller with reasonable information requested pursuant to the terms of this DPA, including information required to conduct Data Controller’s security risk assessment and respond to Data Subject Requests (defined below). For clarity, Data Controller is solely responsible for carrying out its obligations under GDPR and this DPA. Data Processor shall not undertake any task that can be performed by Data Controller. 4.9 DATA PROTECTION CONTACT. Report Zero and its Sub-Processor Affiliates (defined below) will maintain a dedicated data protection team to respond to data protection inquiries throughout the duration of this DPA and can be contacted at privacy@ReportZero.net.
  5. REQUESTS MADE FROM DATA SUBJECTS AND AUTHORITIES
5.1 REQUESTS FROM DATA SUBJECTS. During the Subscription Term, Data Processor shall provide Data Controller with the ability to access, correct, rectify, erase, or block Personal Data, or to transfer or port such Personal Data, within the Subscription Service, as may be required under Data Protection Laws (collectively, “Data Subject Requests”). 5.2 RESPONSES. Data Controller will be solely responsible for responding to any Data Subject Requests, provided that Data Processor shall reasonably cooperate with the Data Controller to respond to Data Subject Requests to the extent Data Controller is unable to fulfill such Data Subject Requests using the functionality in the Subscription Service. Data Processor will instruct the Data Subject to contact the Customer in the event Data Processor receives a Data Subject Request directly. 5.3 REQUESTS FROM AUTHORITIES. In the case of a notice, audit, inquiry, or investigation by a government body, data protection authority, or law enforcement agency regarding the Processing of Personal Data, Data Processor shall promptly notify Data Controller unless prohibited by applicable law. Data Controller shall keep records of the Personal Data Processed by Data Processor and shall cooperate and provide all necessary information to Data Processor in the event Data Processor is required to produce such information to a data protection authority. 5.4 COOPERATION WITH SUPERVISORY AUTHORITIES. In accordance with Data Protection Laws, Data Controller and Data Processor shall cooperate, on request, with a supervisory authority in the performance of such supervisory authority’s task.
  6. BREACH NOTIFICATION
6.1 NOTIFICATION. Data Processor will report to Data Controller any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data (“Breach”) that it becomes aware of without undue delay following determination by Report Zero that a Breach has occurred. 6.2 REPORT. The initial report will be made to Data Controller’s security or privacy contact(s) designated in Report Zero’s customer support portal (or if no such contact(s) are designated, to the primary contact designated by Customer). As information is collected or otherwise becomes available, Data Processor shall provide without undue delay any further information regarding the nature and consequences of the Breach to allow Data Controller to notify relevant parties, including affected Data Subjects, government agencies and data protection authorities in accordance with Data Protection Laws. The report will include the name and contact information of the Data Processor contact from whom additional information may be obtained. Data Processor shall inform Customer of the measures that it will adopt to mitigate the cause of the Breach and to prevent future Breaches. 6.3 DATA CONTROLLER OBLIGATIONS. Data Controller will cooperate with Data Processor in maintaining accurate contact information in the customer support portal and by providing any information that is reasonably requested to resolve any security incident, including any Breaches, identify its root cause(s), and prevent a recurrence. Data Controller is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities and impacted Data Subjects and for providing such notice.
  7. CUSTOMER MONITORING RIGHTS
7.1 REMOTE SELF-ASSESSMENTS. Data Processor shall enable remote self-serve assessments of its Security Program (as defined in the Data Security Guide) by granting Data Controller, at all times and at no additional cost, access to the Data Processor self-access documentation portal (“Report Zero CORE”). The information available on Report Zero CORE will include documentation evidencing Data Processor’s policies, procedures and security measures, as well as copies of the certifications and attestations listed in Section 7.2 (Audit) below.
7.2 AUDIT. No more than once per year and upon written request by Data Controller, Customer shall have the right, directly or through its representative(s) (provided, however, that such representative(s) shall enter into written obligations of confidentiality directly with Data Processor), to access all reasonable and industry-recognized documentation evidencing Data Processor’s policies and procedures governing the security of Customer Data (“Audit”). Such Audit shall include a written summary report of any assessment performed by an independent third party of Data Processor’s information security management system supporting the Subscription Service against the objectives stated in ISO 27001, ISO 27018, SSAE 18 / SOC 1 and SOC 2 Type 2 (or equivalent or successor standards). Data Processor reserves the right to refuse to provide Customer (or its representatives) with any information which would pose a security risk to Data Processor or its customers, or which Data Processor is prohibited from providing or disclosing under applicable law or contractual obligation.
7.3 OUTPUT. Upon completion of the Audit, Data Processor and Customer may schedule a mutually convenient time to discuss the output of the Audit. Data Processor may in its sole discretion, consistent with industry and Data Processor’s standards and practices, make commercially reasonable efforts to implement Customer’s suggested improvements noted in the Audit to improve Data Processor’s Security Program. The Audit and the results derived therefrom are Confidential Information of Data Processor.
7.4 DATA CONTROLLER EXPENSES. Any expenses incurred by Data Controller in connection with the Audit shall be borne exclusively by Data Controller.
  8. SUB-PROCESSORS
8.1 USE OF SUB-PROCESSORS. Data Controller authorizes Data Processor to engage Sub-Processors appointed in accordance with this Section 8 to support the provision of the Subscription Service and to deliver Professional Services as described in the Agreement.
8.1.1. REPORT ZERO AFFILIATES. As of the Effective Date, Data Processor engages, as applicable, the following Report Zero Affiliates as Sub-Processors: Report Zero Ltd. (United Kingdom) (collectively, “Sub-Processor Affiliates”). Data Processor will notify Data Controller of changes regarding such Sub-Processor Affiliates through Data Processor’s customer support portal (or other mechanism used to notify its general customer base). Each Sub-Processor Affiliate shall comply with the obligations of the Agreement in the Processing of the Personal Data.
8.1.2. NEW SUB-PROCESSORS. Prior to Data Processor or a Data Processor Affiliate engaging a Sub-Processor, Data Processor shall: (a) notify Data Controller by email to Customer’s designated contact(s) or by notification within the customer support portal (or other mechanism used to notify its customer base); and (b) ensure that such Sub-Processor has entered into a written agreement with Data Processor (or the relevant Data Processor Affiliate) requiring that the Sub-Processor abide by terms no less protective than those provided in this DPA. Upon written request by Data Controller, Data Processor shall make a summary of the data processing terms available to Data Controller. Data Controller may request in writing reasonable additional information with respect to the Sub-Processor’s ability to perform the relevant Processing activities in accordance with this DPA.
8.2 RIGHT TO OBJECT. Data Controller may object to Data Processor’s proposed use of a new Sub-Processor by notifying Data Processor within 10 days after receipt of Data Processor’s notice if Data Controller reasonably determines that such Sub-Processor is unable to Process Personal Data in accordance with the terms of this DPA (“Controller Objection Notice”). Data Processor shall notify Data Controller within 30 days from receipt of the Controller Objection Notice if Data Processor intends to provide the applicable Professional Service or Subscription Service with the use of the Sub-Processor at issue, and Customer may terminate the applicable Order Form(s), Use Authorization(s) or other signed ordering document between Report Zero and Customer with respect to the Professional Service or Subscription Service that require use of the Sub-Processor at issue upon written notice to Report Zero within 45 days of the date of the Controller Objection Notice and, as Customer’s sole and exclusive remedy, Report Zero will refund to Customer any unused prepaid fees.
8.3 LIABILITY. Use of a Sub-Processor will not relieve, waive, or diminish any obligation Data Processor has under the Agreement, and Data Processor is liable for the acts and omissions of any Sub-Processor to the same extent as if the acts or omissions were performed by Data Processor.
  9. INTERNATIONAL DATA TRANSFERS
9.1 STANDARD CONTRACTUAL CLAUSES AND ADEQUACY. Where required under Data Protection Laws, Data Processor or Data Processor’s Affiliates shall require Sub-Processors to abide by (a) the Standard Contractual Clauses for Data Processors established in third countries; or (b) another lawful mechanism for the transfer of Personal Data as approved by the European Commission.
9.2 PRIVACY SHIELD. Report Zero, Inc. shall comply with the EU-U.S. and Swiss-U.S. Privacy Shield Framework set forth by the United States Department of Commerce with respect to the Processing of Personal Data transferred from the European Economic Area and Switzerland to the United States.
APPENDIX 1 – DETAILS OF PROCESSING
Nature and Purpose of Processing. Data Processor will Process Personal Data as required to provide the Subscription Service and Professional Services and in accordance with the Agreement.
Duration of Processing. Data Processor will Process Personal Data for the duration of the Agreement and in accordance with Section 4 (Data Processor) of this DPA.
Data Subjects. Data Controller may submit Personal Data to the Subscription Service, the extent of which is solely determined by Data Controller, and may include Personal Data relating to the following categories of Data Subjects:
  • clients and other business contacts;
  • employees and contractors;
  • subcontractors and agents; and
  • consultants and partners.
Categories of Personal Data. Data Controller may submit Personal Data to the Subscription Service, the extent of which is solely determined by Data Controller, and may include the following categories:
  • communication data (e.g. telephone, email);
  • business and personal contact details; and
  • other Personal Data submitted to the Subscription Service.
Special Categories of Personal Data. Data Controller may submit Special Categories of Personal Data to the Subscription Service, the extent of which is solely determined by Data Controller in compliance with Data Protection Law, and may include the following categories, if any:
  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data or biometric data;
  • health information; and
  • sex life or sexual orientation.
Processing Operations. The personal data transferred will be subject to the following basic processing activities:
  • All activities necessary for the performance of the Agreement.
EXHIBIT A.5 – DATA SECURITY GUIDE
This Data Security Guide forms a part of the Agreement and describes the measures Report Zero takes to protect Customer Data. In the event of any conflict between the terms of this Data Security Guide and the terms of the Agreement with respect to the subject matter herein, this Data Security Guide shall control. All capitalized terms not defined in this Data Security Guide will have the meaning given to them in other parts of the Agreement.
  1. SECURITY PROGRAM
While providing the Subscription Service, Report Zero will maintain a written information security program of policies, procedures and controls governing the processing, storage, transmission and security of Customer Data (the “Security Program”). The Security Program includes industry-standard practices designed to protect Customer Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Report Zero regularly tests, assesses, and evaluates the effectiveness of the Security Program and may periodically review and update the Security Program to address new and evolving security technologies, changes to industry standard practices, and changing security threats, although no such update will materially reduce the commitments, protections or overall level of service provided to Customer as described herein.
  2. PHYSICAL, TECHNICAL, AND ADMINISTRATIVE SECURITY MEASURES
2.1 PHYSICAL SECURITY MEASURES.
2.1.1. DATA CENTRE FACILITIES. (a) Physical access restrictions and monitoring that will be provided by the public cloud provider and in accordance with the public cloud provider’s standards.
2.1.2. SYSTEMS, MACHINES AND DEVICES. (a) Physical protection mechanisms; and (b) entry controls to limit physical access that will be provided by the public cloud provider and in accordance with the public cloud provider’s standards.
2.1.3. MEDIA. (a) Industry-standard destruction of sensitive materials before disposition of media; (b) a secure safe for storing damaged hard disks prior to physical destruction; and (c) physical destruction of all decommissioned hard disks storing Customer Data. These services will be provided by the public cloud provider and in accordance with the public cloud provider’s standards.
2.2 TECHNICAL SECURITY MEASURES.
2.2.1. ACCESS ADMINISTRATION. Access to the Subscription Service by Report Zero employees and contractors is protected by authentication and authorization mechanisms. User authentication is required to gain access to production and sub-production instances. Access privileges are based on job requirements and are revoked upon termination of employment or consulting relationships. Production infrastructure includes appropriate user account and password controls (e.g., the required use of VPN connections, complex passwords with expiration dates, and a two-factor authenticated connection) and is accessible for administration.
2.2.2. SERVICE ACCESS CONTROL. The Subscription Service provides user and role-based access controls. Customer is responsible for configuring such access controls within its instance.
2.2.3. LOGGING AND MONITORING. Production infrastructure activity logs are centrally collected, are secured in an effort to prevent tampering, and are monitored for anomalies by a trained security team.
2.2.4. FIREWALL SYSTEM. An industry-standard firewall is installed and managed to protect Report Zero systems by residing on the network to inspect all ingress connections routed to the Report Zero environment.
2.2.5. VULNERABILITY MANAGEMENT. Report Zero conducts periodic independent security risk evaluations to identify critical information assets, assess threats to such assets, determine potential vulnerabilities, and provide for remediation. When software vulnerabilities are revealed and addressed by a vendor patch, Report Zero will obtain the patch from the applicable vendor and apply it within an appropriate timeframe in accordance with Report Zero’s then-current vulnerability management and security patch management standard operating procedure and only after such patch is tested and determined to be safe for installation in all production systems. These services will be provided by the public cloud provider and in accordance with the public cloud provider’s standards.
2.2.6. ANTIVIRUS. Report Zero updates antivirus, anti-malware, and anti-spyware software at regular intervals and centrally logs events for effectiveness of such software. These services will be provided by the public cloud provider and in accordance with the public cloud provider’s standards.
2.2.7. CHANGE CONTROL. Report Zero ensures that changes to platform, applications, and production infrastructure are evaluated to minimize risk and are implemented following Report Zero’s standard operating procedure.
2.2.8. DATA SEPARATION. Customer Data shall be maintained within a logical single-tenant architecture on multi-tenant public cloud infrastructure that is logically separate from Report Zero’s corporate infrastructure.
2.3 ADMINISTRATIVE SECURITY MEASURES.
2.3.1. SECURITY AWARENESS AND TRAINING. Report Zero maintains a security awareness program that includes appropriate training of Report Zero personnel on the Security Program. Training is conducted at time of hire and periodically throughout employment at Report Zero.
2.3.2. VENDOR RISK MANAGEMENT. Report Zero maintains a vendor risk management program that assesses all vendors that access, store, process, or transmit Customer Data for appropriate security controls and business disciplines.
  3. SERVICE CONTINUITY
3.1 DATA MANAGEMENT; DATA BACKUP. Report Zero will host Customer’s access to and use of purchased instances of the Subscription Service in the public cloud in a redundant architecture. Report Zero backs up all Customer Data in accordance with Report Zero’s standard operating procedure.
  4. MONITORING AND INCIDENT MANAGEMENT
4.1 MONITORING, MANAGEMENT AND NOTIFICATION.
4.1.1. INCIDENT MONITORING AND MANAGEMENT. Report Zero will monitor, analyse, and respond to security incidents in a timely manner in accordance with Report Zero’s standard operating procedure. Report Zero’s security group will escalate and engage response teams as may be necessary to address an incident.
4.1.2. BREACH NOTIFICATION. Report Zero will report to Customer any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data (a “Breach”) without undue delay following determination by Report Zero that a Breach has occurred.
4.1.3. REPORT. The initial report will be made to Customer security or privacy contact(s) designated in Report Zero’s customer support portal (or if no such contact(s) are designated, to the primary contact designated by Customer). As information is collected or otherwise becomes available, Report Zero shall provide without undue delay any further information regarding the nature and consequences of the Breach to allow Customer to notify relevant parties, including affected Data Subjects, government agencies, and data protection authorities in accordance with Data Protection Laws. The report will include the name and contact information of the Report Zero contact from whom additional information may be obtained. Report Zero shall inform Customer of the measures that it will adopt to mitigate the cause of the Breach and to prevent future Breaches.
4.1.4. CUSTOMER OBLIGATIONS. Customer will cooperate with Report Zero in maintaining accurate contact information in the customer support portal and by providing any information that is reasonably requested to resolve any security incident, including any Breaches, identify its root cause(s), and prevent a recurrence. Customer is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities and impacted Data Subjects and for providing such notice.
  5. USE OF AGGREGATE DATA. Report Zero may collect, use, and disclose quantitative data derived from Customer’s use of the Subscription Service for industry analysis, benchmarking, analytics, marketing, and other business purposes in support of the provision of the Subscription Service. Any such data will be in aggregate form only and will not contain Customer Data.
  6. COOKIES. When providing the Subscription Service, Report Zero uses cookies to: (a) track session state; (b) route a browser request to a specific node when multiple nodes are assigned; and (c) recognize a user upon returning to the Subscription Service. Customer shall be responsible for providing notice to, and collecting any necessary consents from, its authorized users of the Subscription Service for Report Zero’s use of cookies.
  7. PENETRATION TESTS
7.1 BY A THIRD PARTY. Report Zero contracts with third-party vendors to perform a penetration test on the Report Zero application per family release to identify risks and remediation that help increase security.
7.2 BY CUSTOMER. No more than once per calendar year Customer may request to perform, at its own expense, an application penetration test of a sub-production instance of the Subscription Service. Customer shall notify Report Zero in advance of any test by submitting a request to schedule an application penetration test using Report Zero’s customer support portal per Report Zero’s then-current penetration testing policy and procedure, including entering into Report Zero’s penetration test agreement. Report Zero and Customer must agree on a mutually acceptable time for the test, and Customer shall not perform a penetration test without Report Zero’s express written authorization. The test must be of reasonable duration, but in no event longer than 14 days, and must not interfere with Report Zero’s day-to-day operations. Promptly on completion of the penetration test, Customer shall provide Report Zero with the test results, including any detected vulnerability. Upon such notice, Report Zero shall, consistent with industry-standard practices, use all commercially reasonable efforts to promptly make any necessary changes to improve the security of the Subscription Service. Customer shall treat the test results as Confidential Information of Report Zero subject to the confidentiality requirements in the Agreement.
  8. SHARING THE SECURITY RESPONSIBILITY
8.1 PRODUCT CAPABILITIES. The Subscription Service has the capabilities to: (a) authenticate users before access; (b) encrypt passwords; (c) allow users to manage passwords; and (d) prevent access by users with an inactive account. Customer manages each user’s access to and use of the Subscription Service by assigning to each user a credential and user type that controls the level of access to the Subscription Service. Customer shall be responsible for implementing encryption and access control functionalities available within the Subscription Service for protecting all Customer Data containing sensitive data, including credit card numbers, social security and other government-issued identification numbers, financial and health information, Personal Data, and any Personal Data deemed sensitive or “special categories of personal data” under Data Protection Laws. Customer is solely responsible for its decision not to encrypt such data and Report Zero will have no liability to the extent that damages would have been mitigated by Customer’s use of such encryption measures. Customer is responsible for protecting the confidentiality of each user’s login and password and managing each user’s access to the Subscription Service.
8.2 CUSTOMER COOPERATION. Customer shall promptly apply any Upgrade or Update that Report Zero determines is necessary to maintain the security, performance, or availability of the Subscription Service.
8.3 LIMITATIONS. Notwithstanding anything to the contrary in this Data Security Guide or other parts of the Agreement, Report Zero’s obligations extend only to those systems, networks, network devices, facilities, and components over which Report Zero exercises control. This Data Security Guide does not apply to: (a) information shared with Report Zero that is not Customer Data; (b) data in Customer’s VPN or a third-party network; (c) any data processed by Customer or its users in violation of the Agreement or this Data Security Guide; or (d) Integrated Products. For the purposes of this Data Security Guide, “Integrated Products” shall mean Report Zero-provided integrations to third-party products or any other third-party products that are used by Customer in connection with the Subscription Service. Customer agrees that its use of such Integrated Products will be: (i) in compliance with all Laws, including but not limited to, Data Protection Laws; and (ii) in accordance with its contractual agreement with the provider of such Integrated Products. Any Personal Data populated from the Integrated Products to the Subscription Service must be collected, used, disclosed and, if applicable, internationally transferred in accordance with Customer’s privacy policy, which will adhere to Data Protection Laws.