���ߺ���

This Data Security Guidelines (“DSG” or “Security Guidelines”) document sets forth the duties and obligations of ���ߺ��� (defined below) with respect to the security of Personal Information (defined below).  In the event of any inconsistencies between the DSG and the Agreement (defined below), the parties agree that the DSG will supersede and prevail.  Capitalized terms not defined herein shall have the meaning ascribed to them in the Agreement.

1. Definitions.
   1. "Agreement" means the Agreement for the Services between the ���ߺ��� LLC entity (“���ߺ���”) and Subscriber incorporating the Privacy Notice to which these Security Guidelines are referenced and made a part thereof.
   2. "Applicable Laws" means federal, state and international privacy, data protection and information security-related laws, rules and regulations applicable to the Services and to Personal Information.
   3. "End User Data" means the data provided to or collected by ���ߺ��� in connection with ���ߺ���’s obligations to provide the Services under the Agreement.
   4. "Personal Information" means information provided to ���ߺ��� in connection with ���ߺ���’s obligations to provide the Services under the Agreement that (i) could reasonably identify the individual to whom such information pertains, such as name, address and/or telephone number or (ii) can be used to authenticate that individual, such as passwords, unique identification numbers or answers to security questions or (iii) is protected under Applicable Laws. For the avoidance of doubt, Personal Information does not include aggregate, anonymized data derived from an identified or identifiable individual.
   5. "Processing of Personal Information" means any operation or set of operations which is performed upon Personal Information, such as collection, recording, organization, storage, use, retrieval, transmission, erasure or destruction.
   6. "Third Party" means any entity (including, without limitation, any affiliate, subsidiary and parent of ���ߺ���) that is acting on behalf of, and is authorized by, ���ߺ��� to receive and use Personal Information in connection with ���ߺ���’s obligations to provide the Services.
   7. "Security Incident" means a confirmed, unsecured, unlawful access to, acquisition of, disclosure of, loss, or use of Personal Information which poses a significant risk of financial, reputational or other harm to the affected End User or Subscriber.
   8. "Services" means any services and/or products provided by ���ߺ��� in accordance with the Agreement.
2. Confidentiality and Non-Use; Consents.
   1. ���ߺ��� agrees that the Personal Information is the Confidential Information of Subscriber and, unless authorized in writing by Subscriber or as otherwise specified in the Agreement or this DPSG, ���ߺ��� shall not Process Personal Information for any purpose other than as reasonably necessary to provide the Services, to exercise any rights granted to it under the Agreement, or as required by Applicable Laws.
   2. ���ߺ��� shall maintain Personal Information confidential, in accordance with the terms set forth in this Security Guidelines and Applicable Laws.  ���ߺ��� shall require all of its employees authorized by ���ߺ��� to access Personal Information and all Third Parties to comply with (i) limitations consistent with the foregoing, and (ii) all Applicable Laws.
   3. Subscriber represents and warrants that in connection with any Personal Information provided directly by Subscriber to ���ߺ���, Subscriber shall be solely responsible for (i) notifying End Users that ���ߺ��� will Process their Personal Information in order to provide the Services and (ii) obtaining all consents and/or approvals required by Applicable Laws.  
3. Data Security: ���ߺ��� shall use commercially reasonable administrative, technical and physical safeguards designed to protect the security, integrity, and confidentiality of Personal Information.  ���ߺ���'s security measures include the following: 
   1. Access to Personal Information is restricted solely to ���ߺ���’s staff who need such access to carry out the responsibilities of ���ߺ��� under the Agreement.
   2. Access to computer applications and Personal Information are managed through appropriate user ID/password procedures.
   3. Access to Personal Information is restricted solely to Subscriber personnel based on the user role they are assigned in the system (provided, however, that it is the Subscriber’s responsibility to ensure that user roles match the level of access allowed for personnel and that their personnel comply with Applicable Law in connection with use of such Personal Information).
   4. Data is encrypted in transmission (including via web interface) and at rest at no less than 256-bit level encryption.
   5. ���ߺ��� or a ���ߺ��� authorized party performs a security scan of the application, computer systems and network housing Personal Information using a commercially available security scanning system on a periodic basis.
4. Security Incident.
   1. In the event of a Security Incident, ���ߺ��� shall (i) investigate the Security Incident, identify the impact of the Security Incident and take commercially reasonable actions to mitigate the effects of any such Security Incident, (ii) timely provide any notifications to Subscriber or individuals affected by the Security Incident that ���ߺ��� is required by law, subject to applicable confidentiality obligations and to the extent allowed and/or required by and not prohibited by Applicable Laws or law enforcement.
   2. Except to the extent prohibited by Applicable Laws or law enforcement, ���ߺ��� shall, upon Subscriber’s written request and to the extent available, provide Subscriber with a description of the Security Incident and the type of data that was the subject of the Security Incident.
   3. ���ߺ���’s obligation to report or respond to a Security Incident is not and will not be construed as an acknowledgement by ���ߺ��� of any fault or liability with respect to the Security Incident.
5. Security Questionnaire.
   1. Upon written request by Subscriber, which request shall be no more frequently than once per twelve (12) month period, ���ߺ��� shall respond to security questionnaires provided by Subscriber, with regard to ���ߺ���'s information security program applicable to the Services, provided that such information is available in the ordinary course of business for ���ߺ��� and it is not subject to any restrictions pursuant to ���ߺ���’s privacy or data protection or information security-related policies or standards.  Disclosure of any such information shall not compromise ���ߺ���’s confidentiality obligations and/or legal obligations or privileges. Additionally, in no event shall ���ߺ��� be required to make any disclosures prohibited by Applicable Laws. All the information provided to Subscriber under this section shall be Confidential Information of ���ߺ��� and shall be treated as such by the Subscriber. 
6. Security Audit.
   1. Upon written request by Subscriber, which request shall be no more frequently than once per twelve (12) month period, ���ߺ���'s data security measures may be reviewed by Subscriber through an informal audit of policies and procedures or through an independent auditor’s inspection of security methods used within ���ߺ���'s infrastructure, storage, and other physical security, any such audit to be at Subscriber’s sole expense and subject to a mutually agreeable confidentiality agreement and at mutually agreeable timing, or, alternatively, ���ߺ��� may provide Subscriber with a copy of any third party audit that ���ߺ��� may have commissioned.  
7. Records Retention and Disposal.
   1. Subscriber may access, correct, and delete any Personal Information in ���ߺ���’s possession by submitting ���ߺ���’s Personal Information Request Form: .
   2. ���ߺ��� will use commercially reasonable efforts to retain End User Data in accordance with ���ߺ���’s End User Data retention policies.  

updated 1/30/26