{"id":34576,"date":"2026-05-29T16:56:36","date_gmt":"2026-05-29T16:56:36","guid":{"rendered":"https:\/\/certn.co\/data-processing-addendum\/"},"modified":"2026-06-09T16:57:42","modified_gmt":"2026-06-09T16:57:42","slug":"data-processing-addendum","status":"publish","type":"page","link":"https:\/\/certn.co\/us\/data-processing-addendum\/","title":{"rendered":"Data Processing Addendum"},"content":{"rendered":"<section id=\"\" class=\"container colour-theme-light-green text-left default-padding small-padding-bottom\" >\n    <div class=\"content-wrapper\">\n        <div class=\"content-wrapper-inner\">\n            <h1 class=\"wp-block-heading\">Data Processing Addendum<\/h1><p>Version 1.5 \/ Effective August 15th 2025<\/p><div class=\"wp-block-buttons legal-centre-pdf-download is-layout-flex wp-block-buttons-is-layout-flex\"><div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/certn.co\/wp-content\/uploads\/2026\/05\/legal-centre\/data-processing-addendum-1-5%20%285%29.pdf\" target=\"_blank\" rel=\"noopener\">Download PDF<\/a><\/div><\/div>        <\/div>\n    <\/div>\n<\/section><section id=\"\" class=\"container colour-theme-white text-left default-padding default-padding\" >\n    <div class=\"content-wrapper\">\n        <div class=\"content-wrapper-inner\">\n            <div class=\"legal-centre-layout\"><main class=\"legal-document-content\"><div class=\"legal-document-body\">\n                        <h1>Data Processing Addendum<\/h1><div><br\/><\/div><div style=\"text-align: justify;\">This Data Processing Addendum (\u201c<strong>DPA<\/strong>\u201d) forms part of and is incorporated into the Agreement between Company and you (the \u201c<strong>Client<\/strong>\u201d) (collectively the \u201cParties\u201d
and individually the \u201c<strong>Party<\/strong>\u201d) when you created your account. In the event of any conflict between this DPA and the Agreement, this DPA shall control solely with respect to the Processing of Personal Information. This DPA shall be effective as of the Effective Date of the Agreement and shall be effective until the later of, the termination of the Agreement or until deletion or return of all Personal Data as instructed by either Party under this DPA.<\/div><div style=\"text-align: justify;\"><br\/><strong>1.<\/strong><strong> DEFINITIONS<\/strong><br\/>Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. In the event Data Protection Legislation exists in a jurisdiction, the definitions set forth therein will supersede those herein when such Data Protection Legislation contemplates the terminology.<\/div><div style=\"text-align: justify; margin-left: 20px; line-height: 1.15;\"><br\/>1.1 \u201c<strong>Agreement<\/strong>\u201d means any agreement between Company and Client for the Services. 
Such an agreement may have various titles, such as \u201cOrder Form\u201d, \u201cTerms of Service\u201d, \u201cService Agreement\u201d or similar titles.<\/div><div style=\"text-align: justify; margin-left: 20px; line-height: 1.15;\"><br\/><\/div><div style=\"text-align: justify; margin-left: 20px; line-height: 1.15;\">1.2 &#8220;<strong>Business Contact Information&#8221; <\/strong>means business related contact details (email, phone, email address, names, job titles, business address).<\/div><div style=\"text-align: justify; margin-left: 20px; line-height: 1.15;\"><br\/>1.3 \u201c<strong>Client<\/strong>\u201d means the customer of Company, either through an Agreement with a customer of Company or an Agreement with an individual person.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>1.4 \u201c<strong>Client Account and Usage Data<\/strong>\u201d means information about Client that Client provides to Company in connection with the creation and administration of an account, such as first and last name, username, email address, and billing and payment information of individuals associated with an account. For avoidance of doubt, statistical data, analytical data, individual session data, and anonymized data is not included in this definition.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>1.5 \u201c<strong>Company<\/strong>\u201d means Certn Holdings Inc. and its wholly owned subsidiaries and affiliates including Certn (Canada) Inc., Certn (USA) Inc., Certn (UK) Ltd., InterCheck Global Pty. 
Ltd., Trustmatic s.r.o., and any affiliates identified in the Sub-Processor List available in Company\u2019s Trust Center, (<a href=\"https:\/\/trust.certn.co\/\">https:\/\/trust.certn.co\/<\/a>).<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>1.6 \u201c<strong>Controller<\/strong>\u201d means a legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of Processing Personal Data and gives instructions regarding Processing activities.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>1.7 \u201c<strong>Corporate Clients<\/strong>\u201d means Clients of Company that are a registered business entity.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>1.8 \u201c<strong>Data Subject Request<\/strong>\u201d means any request by a natural person (the \u201cData Subject\u201d) to access, update, revise, correct, delete, object to Processing Personal Data, or any similar request, made pursuant to the applicable Data Protection Legislation.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>1.9 \u201c<strong>Data Protection Legislation<\/strong>\u201d means all laws, rules or regulations applicable to the Agreement, the Services, Company or Client, and applicable industry standards concerning privacy, data protection, confidentiality, information security, availability and integrity, or the handling or Processing (including retention and disclosure) of Personal Data, as may be amended, restated or replaced from time to time.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>1.10 \u201c<strong>Personal Data<\/strong>\u201d or \u201c<strong>Personal Information<\/strong>\u201d means all information obtained by Company from or on behalf of Client, or Company\u2019s Sub-Processors, in any form or format, that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or
indirectly, to, an identified or identifiable natural person.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>1.11 &#8220;<strong>Process(es)<\/strong>\u201d, \u201c<strong>Processing<\/strong>\u201d or \u201c<strong>Processed<\/strong>\u201d means any operation or set of operations that is performed upon any Personal Data, whether or not by automatic means, including, but not limited to, collection, recording, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deletion, erasure, or destruction.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>1.12 \u201c<strong>Processor<\/strong>\u201d means the Party to this Agreement, or under an agreement with substantially the same requirements as this DPA, that Processes Personal Data subject to the direction of the Controller and applicable Data Protection Legislation.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>1.13 \u201c<strong>Sell<\/strong>\u201d means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party for monetary or other valuable consideration.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>1.14 \u201c<strong>Services<\/strong>\u201d means those services that Company performs pursuant to the Agreement.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>1.15 \u201c<strong>Standard Contractual Clauses<\/strong>\u201d or \u201c<strong>SCCs<\/strong>\u201d means (a) where the GDPR applies, the standard contractual clauses annexed to the European Commission\u2019s Implementing Decision 2021\/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016\/679 of the European Parliament and of the 
Council (\u201cEU SCCs\u201d); (b) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022 (\u201cUK SCCs\u201d); and (c) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the \u201cSwiss SCCs\u201d), each as may be updated from time to time.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>1.16 \u201c<strong>Sub-Processor<\/strong>\u201d or \u201c<strong>Service Provider<\/strong>\u201d means a third party engaged and supervised by a Party to this Agreement, who agrees to receive and Process Personal Data under the terms of this DPA, or under an agreement with the same requirements as this DPA, solely for the purposes of Processing or delivering Personal Data necessary for the fulfillment of this Agreement. The Company Sub-Processor List can be found in Company\u2019s Trust Center, (<a href=\"https:\/\/trust.certn.co\/\">https:\/\/trust.certn.co\/<\/a>).<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>1.17 \u201c<strong>System<\/strong>\u201d means any system, network, platform, database, computer, or telecommunications or information system owned, controlled, or operated by or on behalf of either Party or any of its affiliates for the purpose of Processing Personal Data pursuant to the Agreement.<\/div><div style=\"text-align: justify;\"><br\/><strong>2. 
ROLES OF THE PARTIES<\/strong><\/div><div style=\"text-align: justify; margin-left: 20px;\">2.1 To the extent that Client\u2019s Personal Data is Processed by Company, the Parties agree that Client is the Controller and Company is the Processor.<\/div><div style=\"text-align: justify; margin-left: 20px;\">2.2 To the extent that Company\u2019s Personal Data is Processed by Client, the Parties agree that Company is the Controller and Client is the Processor.<\/div><div style=\"text-align: justify; margin-left: 20px;\">2.3 Notwithstanding the preceding, each Party agrees that it is the Controller of the other Party&#8217;s Business Contact Information that the Party Processes in relation to the Agreement.<\/div><div style=\"text-align: justify;\"><br\/><strong>3. PROCESSING OF PERSONAL DATA<\/strong><br\/><br\/>Company agrees to:<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>3.1. Process Personal Data solely as necessary to provide the Services to Client, and in accordance with Data Protection Legislation, the Agreement, this DPA including Annex I and Annex II, and any additional written instructions provided by Client;<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>3.2. refrain from (i) selling or sharing Personal Data, (ii) retaining, using or disclosing the Personal Data for any purpose other than for the purpose specified in the Agreement, (iii) retaining, using or disclosing the Personal Data outside of the direct relationship between Company and Client, and (iv) combining Personal Data from different sources unless necessary for the provision of Services under this Agreement.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>3.3. 
maintain the confidentiality of all Personal Data and ensure that its personnel, including employees, interns, temporary workers, and agency workers, have executed confidentiality agreements that prevent them from unauthorized Processing of Personal Data for the duration of their engagement with Client.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>3.4. not disclose Personal Data to third parties, including government agencies unless required by law, and Sub-processors except for the provision of Services under this Agreement.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>3.5. when required by Data Protection Legislation promptly notify (email acceptable) Client of:<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>3.5.1. any request, inquiry, complaint, notice, or communication received from any third party, including a Data Subject or a supervisory authority, with respect to any Personal Data and comply with instructions of Client in responding to such request, inquiry, complaint, notice, or communication. Client agrees to respond to Company\u2019s notification within ten (10) business days. Client agrees that if it fails to respond to Company\u2019s notification, Company may, in its reasonable judgment, determine how to proceed with the Data Subject or supervisory authority\u2019s request;<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>3.5.2. any request for the provision of Personal Data to a government body or authority or court, whether through legal means or otherwise, including specific details of the data provided, unless prohibited by law or legal order;<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>3.5.3. any instruction by Client that Company believes to be in violation of Data Protection Legislation prior to engaging in the relevant Processing; and<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>3.5.4. 
any substantial changes to the Company\u2019s notices, policies, or procedures that would impede Company\u2019s ability to fulfill the terms of this DPA regarding protection of Personal Data.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>3.6. as is allowed by Data Protection Legislation and limited to Corporate Clients, upon written request, submit the databases, tools, office space (if applicable), and other similar cloud based or on premises environments or locations used by Company to Process Personal Data for audit in accordance with any audit provision that may be available under the Agreement and <em>Section 9. Information Requests<\/em> below. For avoidance of doubt, any audit rights available to Client are limited in scope to the Services directly provided to Client under this Agreement.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>3.7. keep records that demonstrate its compliance with its obligations under this DPA, and reasonably make them available to Client upon request and\/or in connection with any audit referred to in Section 3.6 above and Section 9. Information Requests below.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>3.8. reasonably assist and cooperate with Client, including by providing information requested by Client, to allow Client to comply with its obligations under Data Protection Legislation, including the certification of Company&#8217;s completion of transfer impact assessments, privacy impact assessments, and data protection impact assessments; and<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>3.9. retain Personal Data in accordance with Section 6. Data Retention of the Agreement and <em>Section 8. Deletion or Return of Personal Data<\/em> of this DPA, but in no event longer than necessary to perform the Services.<\/div><div style=\"text-align: justify;\"><br\/><strong>4. 
INFORMATION SECURITY MEASURES<\/strong><br\/><br\/>Company represents and warrants that it has established, maintains and complies with:<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>4.1. administrative, technical, and physical safeguards designed to ensure the security, confidentiality, reliability, and integrity of Personal Data, as well as any Systems, facilities, or software that Company accesses or supports in connection with the Agreement. Such safeguards are:<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>4.1.1. commensurate with the type and volume of Personal Data Processed by Company, having regard to the state of the art and industry standards, and should, at minimum, protect Personal Data and Systems against reasonably anticipated threats or hazards, including from unauthorized access, loss, theft, destruction, use, modification, collection, attack, or disclosure;<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>4.1.2. in accordance with globally recognized security control standards such as ISO; and<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>4.1.3. compliant with applicable specific industry standards as may apply to the Personal Data being Processed by Company.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>4.2. a written security program and policies that meet or exceed the requirements imposed under Data Protection Legislation and align with established industry practices. Such security program and policies address, at a minimum, the following:<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>4.2.1. identification of appropriately defined organizational roles related to information security;<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>4.2.2. 
controls with respect to employment of and access given to Personal Data by employees, agents and subcontractors of Company including background checks, training regarding the handling of Personal Data, and when applicable, security clearances that assign specific access privileges to individuals;<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>4.2.3. an appropriate network security program that includes, without limitation, encryption and network and application partitioning;<br\/><br\/>4.2.4. access identification and authentication;<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>4.2.5. maintenance and media disposal;<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>4.2.6. audit and accountability;<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>4.2.7. physical and environmental protections;<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>4.2.8. system and communication security;<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>4.2.9. incident response and planning; and<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>4.2.10. the integrity and reliability of facilities, systems and services, including critical asset identification, configuration and change management for software systems, and contingency planning\/redundancy.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>4.3. If Personal Data being Processed includes sensitive or biometric data for purposes of uniquely identifying a natural person, or data relating to criminal convictions and offenses, Company shall apply specific restrictions and\/or additional safeguards in compliance with Data Protection Legislation. 
Client agrees that Company may implement adequate alternative security measures from time to time, provided the security level of the alternative measures is not materially decreased.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>4.4. Company shall limit access to Personal Data to those individuals who require access to the Personal Data to meet Company obligations with respect to the delivery of the Services to Client. Company shall ensure that those individuals are informed in writing of the confidential or sensitive nature of the Personal Data.<\/div><div style=\"text-align: justify;\"><br\/><strong>5. DATA SECURITY INCIDENT<\/strong><\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>5.1. Data Security Incident means (i) the loss or misuse (by any means) of Personal Data; (ii) the inadvertent, unauthorized, and\/or unlawful disclosure, access, alteration, corruption, transfer, sale, rental, destruction, or use of Personal Data; or (iii) any other act or omission that compromises or may compromise the security, confidentiality, or integrity of Personal Data or a System.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>5.2. If Company suspects or becomes aware of a Data Security Incident, Company will:<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>5.2.1. Notify Client without undue delay, and in any case within seventy-two (72) hours, after it becomes aware of any confirmed Data Security Incident;<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/><\/div><div style=\"text-align: justify; margin-left: 40px;\">5.2.2. Undertake an investigation of such Data Security Incident and respond to Client\u2019s reasonable requests for information relating to the Data Security Incident as may be necessary;<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>5.2.3. 
Reasonably assist Client, its regulators and law enforcement agencies, with notification obligations under the applicable Data Protection Legislation. Unless otherwise required in accordance with applicable laws, Client shall be solely responsible for complying with any Data Protection Legislation data breach notification requirements applicable to Client and fulfilling any third-party notification obligations related to any Data Security Incident; and<br\/><br\/>5.2.4. Take all reasonable corrective action in a timely manner, at the expense of Company, to remediate and prevent a recurrence of such Data Security Incident.<\/div><div style=\"text-align: justify;\"><br\/><strong>6. SUB-PROCESSORS<\/strong><\/div><div style=\"text-align: justify; margin-left: 20px;\">6.1. Client hereby grants general written authorization to Company to appoint Sub-Processors to perform specific Processing activities on its behalf. A list of Sub-Processors currently engaged by Company in connection with the Services is available in Company\u2019s Trust Center, (<a href=\"https:\/\/trust.certn.co\/\">https:\/\/trust.certn.co\/<\/a>).<br\/><br\/>6.2. Company will provide notice on its website of a new Sub-Processor via (<a href=\"https:\/\/trust.certn.co\/\">https:\/\/trust.certn.co\/<\/a>). Client should review the Sub-Processor List from time to time to stay up to date regarding Company\u2019s Sub-processors.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>6.3. When required by Data Protection Legislation, and limited to Corporate Clients, Company will provide written notice (email sufficient) of a new Sub-Processor. Business Client has a right to reasonably object to Company&#8217;s use of a Sub-Processor. Instructions for objecting to a Sub-Processor are available in Company\u2019s Trust Center, (<a href=\"https:\/\/trust.certn.co\/\">https:\/\/trust.certn.co\/<\/a>). 
If, as a business Client, an objection is raised, Company will use reasonable efforts to find an alternative Sub-Processor to perform the specific Processing activities. If a suitable alternative Sub-Processor or other solution cannot be found, then Client may terminate the relevant part of the Agreement to which the Sub-Processor\u2019s services relate.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>6.4. Company warrants that any Sub-Processor engaged by Company to Process Personal Data under this Agreement has:<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>6.4.1. provided appropriate safeguards and maintains an adequate level of protection in relation to the processing and transfer of Personal Data;<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>6.4.2. entered into a written agreement with Company, which encompasses substantially similar terms to this Agreement, particularly containing the same data protection obligations as set out in this Agreement; and<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>6.4.3. established the appropriate mechanisms to ensure any Data Subject has enforceable rights and effective legal remedies.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>6.5. Company acknowledges that as a Processor, it is liable to Corporate Clients for Company\u2019s Sub-Processor\u2019s compliance with its data protection obligations as they apply to processing of Personal Data Processed under the Agreement and this DPA.<\/div><div style=\"text-align: justify;\"><strong>7. INTERNATIONAL DATA TRANSFERS<\/strong><\/div><div style=\"text-align: justify; margin-left: 20px;\">7.1. <strong>General<\/strong>. 
The Parties agree that in the event a jurisdiction does not currently have Data Protection Legislation that contemplates data transfers outside of the country, such transfers will be subject to the standards and expectations imposed by the General Data Protection Regulation (Regulation (EU) 2016\/679) (\u201cEU GDPR\u201d) and thereby subject to the EU Standard Contractual Clauses (\u201cEU SCCs\u201d), including transfers between Company and its Sub-Processors. By signing this DPA, Client hereby authorizes Company to enter into the EU SCCs for and on Client\u2019s behalf (as exporters) with Company&#8217;s own affiliates and Sub-Processors, in order to ensure an adequate level of protection to Personal Data as required by Data Protection Legislation. In case of any conflict between this DPA and such EU Standard Contractual Clauses, the EU Standard Contractual Clauses shall prevail to the extent necessary to comply with Data Protection Legislation.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>7.2.<strong> Processing in and Data Transfers to Sanctioned Jurisdictions.<\/strong> In connection with the performance of this DPA and the Agreement, Client authorizes Company to Process and transfer Personal Data from Company\u2019s jurisdiction, if necessary, to any jurisdiction in which Company or its Sub-Processors are located, so long as those receiving jurisdictions are not currently sanctioned by the Office of Foreign Assets Control (OFAC) or similar country sanction lists in Canada, United Kingdom, or Australia, and to any other country that is recognized by the European Commission as providing an adequate level of protection for Personal Data.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>7.3. 
<strong>Data Transfers from the European Economic Area Subject to the EU Standard Contractual Clauses.<\/strong> Where the transfer of Personal Data is made subject to the EU GDPR and thereby subject to the EU SCCs, the \u201cdata importer\u201d thereunder shall be either the Processor or its Sub-Processor, as the case may be and as determined by Processor, and the \u201cdata exporter\u201d shall be the Controller or Controller-Processor of such Personal Data. The Processor shall ensure that the relevant Sub-Processor shall (where applicable) comply with the data importer\u2019s obligations, and the Controller shall comply with the data exporter obligations, in each case under the applicable SCCs.<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>7.3.1. Company will be a Processor of Personal Data;<br\/><br\/>7.3.2. Client will be a Controller of Personal Data;<br\/><br\/>7.3.3. Module 2 (Controller to Processor) shall apply;<br\/><br\/>7.3.4. Clause 7 (Docking Clause) shall apply;<br\/><br\/>7.3.5. The parties choose Option 2 of Clause 9;<br\/><br\/>7.3.6. The option in Clause 11(a) (Redress) Module 2 shall apply;<br\/><br\/>7.3.7. The parties choose Option 1 of Clause 17, the law of Ireland shall apply; and<br\/><br\/>7.3.8. For purposes of the Standard Contractual Clauses, Annex I and Annex II shall be incorporated and meet the standards as set forth in the EU GDPR.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>7.4. <strong>Data Transfers from and to countries that offer adequate levels of data protections. 
<\/strong>Personal Information may be transferred from EU Member States and the EEA member countries (Norway, Liechtenstein, and Iceland) (collectively, \u201cEEA\u201d) to countries that offer an adequate level of data protection (including Canada) under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA or the European Commission (\u201cAdequacy Decisions\u201d), as relevant and applicable, without any further safeguard being necessary.<br\/><br\/>7.5. <strong>Data Transfers from Switzerland<\/strong>. Company adheres to Switzerland\u2019s revised Federal Data Protection Act (revFADP). To the extent that the Swiss Supervisory Authority considers the SCCs to provide appropriate safeguards for the purposes of transferring Personal Information and the data of legal entities, the following amendments shall apply in relation to Swiss transfers: (i) the Parties adopt the GDPR standard for all data transfers; (ii) in relation to Clause 13a, the EU Supervisory Authority shall be competent insofar as the data transfer is governed by the GDPR and the Swiss Supervisory Authority (FDPIC) shall conduct parallel supervision as applicable; and (iii) in relation to Clause 18 c, the term \u2019member state\u2019 shall be interpreted in such a way as to allow data subjects in Switzerland with the possibility of suing for their rights in their place of habitual residence (Switzerland).<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>7.6. <strong>Data Transfers from the United Kingdom<\/strong>. 
To the extent that the UK Supervisory Authority (the Information Commissioner) considers the SCCs to provide appropriate safeguards for the purposes of transferring Personal Information to a third country or an international organization in reliance on Article 46 of the UK GDPR and, with respect to data transfers from controllers to processors and\/or processors to processors, the following amendments shall apply in relation to UK transfers:<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>7.6.1. The details of the transfer(s) (and in particular the categories of Personal Information that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I Section B where UK Data Protection Laws apply to the data exporter\u2019s processing when making that transfer.<\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>7.6.2. References to \u201cRegulation (EU) 2016\/679\u201d or \u201cthat Regulation\u201d are replaced by \u201cUK Data Protection Laws\u201d and references to specific Article(s) of \u201cRegulation (EU) 2016\/679\u201d are replaced with the equivalent Article or Section of UK Data Protection Laws. In particular:<\/div><div style=\"text-align: justify; margin-left: 60px;\"><br\/>7.6.2.1. References to Regulation (EU) 2018\/1725 are removed;<\/div><div style=\"text-align: justify; margin-left: 60px;\"><br\/>7.6.2.2. References to the \u201cUnion\u201d, \u201cEU\u201d and \u201cEU Member State\u201d are all replaced with the \u201cUK\u201d;<br\/><br\/>7.6.2.3. Clause 13(a) is not used and the \u201ccompetent supervisory authority\u201d is the Information Commissioner;<br\/><br\/>7.6.2.4. Clause 17 is replaced to state \u201cThese SCCs are governed by the laws of England and Wales\u201d;<br\/><br\/>7.6.2.5. Clause 18 is replaced to state: \u201cAny dispute arising from these SCCs shall be resolved by the courts of England and Wales. 
A data subject may also bring legal proceedings against the data exporter and\/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.\u201d; and<br\/><br\/>7.6.2.6. The footnotes to the SCCs do not apply to UK transfers.<br\/><br\/>7.6.2.7. Company will be a Processor of Personal Data;<br\/><br\/>7.6.2.8. Client will be a Controller of Personal Data;<br\/><br\/>7.6.2.9. Module 2 (Controller to Processor) shall apply;<br\/><br\/>7.6.2.10. Clause 7 (Docking Clause) shall apply;<\/div><div style=\"text-align: justify; margin-left: 60px;\"><br\/>7.6.2.11. The parties choose Option 2 of Clause 9.<br\/><br\/>7.6.2.12. The option in Clause 11(a) (Redress) Module 2 shall apply;<br\/><br\/>7.6.2.13. The parties choose Option 1 of Clause 17, the law of England and Wales shall apply; and<br\/><br\/>7.6.2.14. For purposes of the UK Addendum, Annex I and Annex II shall suffice and meet the necessary requirements under UK Data Protection Laws.<\/div><div style=\"text-align: justify; margin-left: 20px;\">7.7.<strong> Data Transfer from the EEA, UK, or Switzerland to the United States<\/strong>. Data transfer from the EEA, UK or Switzerland may be deemed adequate when done so under the EU-U.S. Data Privacy Framework or Swiss-U.S. Data Privacy Framework. These frameworks between the United States Department of Commerce, European Commission, UK government, and Swiss Federal Administration solely apply to commercial entities who are actively registered with the U.S. Department of Commerce\u2019s Data Privacy Framework Program, to allow Personal Data to be transferred from the European Union under the European Commission\u2019s adequacy decision.<br\/><br\/>7.8. <strong>Data Transfer from the Canadian Province of Quebec<\/strong>. 
Where the transfer of Personal Data relates to a resident of the Canadian Province of Quebec and is thereby made subject to the Act respecting the protection of personal information in the private sector (the &#8220;Private Sector Act&#8221;), Company conducts a transfer impact assessment in accordance with the Private Sector Act to determine that such transfer to its Sub-Processor shall have adequate levels of protection commensurate to the nature and volume of the Personal Data, including but not limited to those standards and expectations set forth in this Agreement.<\/div><div style=\"text-align: justify;\"><br\/><strong>8. DELETION OR RETURN OF PERSONAL DATA<\/strong><\/div><div style=\"text-align: justify; margin-left: 20px;\">8.1. Upon the expiration or earlier termination of the Agreement, and upon Client\u2019s request, Company will delete or return, at Client\u2019s election, all Personal Data in the possession or control of Company and Company&#8217;s Sub-Processors, unless the continued retention of such Personal Data is required by applicable law.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>8.2. Without limitation to the generality of the foregoing, and upon written request, Company and Company\u2019s Sub-Processors shall, within thirty (30) days of a written request from Client, or as a result of a suspension of transfer of Personal Data, provide a copy of the Personal Data in a portable and readily useable format.<\/div><div style=\"text-align: justify;\"><br\/><strong>9. INFORMATION REQUESTS<\/strong><\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>9.1. 
In accordance with the Agreement, Company agrees to reasonably cooperate with Corporate Clients to provide Corporate Clients with such information that is reasonably necessary to enable Corporate Clients to demonstrate compliance with the obligations set forth in this DPA and allow for and contribute to audits, including inspections, conducted by Corporate Client or a qualified independent third-party assessor who is reasonably acceptable to Company and bound by confidentiality obligations satisfactory to Company, to the extent that such information is within Company\u2019s control and Company is not precluded from disclosing it by applicable law, a duty of confidentiality, a legal privilege or protection, or any other obligation owed to a third party. Audits and inspections are subject to a thirty-day (30) written notice, shall be conducted at the Client\u2019s expense, and no more than once per every twelve (12) months during the term of the Agreement, and during regular business hours.<\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>9.2. Company agrees to, taking into account the nature of the processing and the information available to Company, reasonably assist Corporate Clients in meeting its obligations described by applicable Data Protection Legislation to keep Personal Data secure by maintaining reasonable security standards as set forth in this DPA; reasonably assist Corporate Clients in notifying the applicable regulatory or supervisory authority, including the Information Commissioner\u2019s Office (\u201cICO\u201d), of Personal Data breaches; reasonably assist in notifying Data Subjects of Personal Data breaches; reasonably assist Corporate Clients in carrying out data protection impact assessments (DPIAs) when required, and at Corporate Client\u2019s expense reasonably consult ICO where a DPIA indicates there is a high risk that cannot be mitigated.<\/div><div style=\"text-align: justify;\"><br\/><strong>10. 
ASSIGNMENT AND SUCCESSORS<\/strong><\/div><div style=\"text-align: justify;\">Client may not assign any of its rights or obligations under this DPA without the prior written consent of Company; such consent will not be unreasonably withheld. Subject to the foregoing, the rights and obligations under this Agreement shall inure to the benefit of and are binding on Client and their permitted assignees, transferees and successors. Any attempted assignment in violation of this clause is void. Notwithstanding the foregoing, Company shall have the right to assign any of its rights or obligations under this DPA.<\/div><div style=\"text-align: justify;\"><br\/><strong>11. COMPANY NOTICE CONTACT INFORMATION<\/strong><\/div><div style=\"text-align: justify; margin-left: 20px;\">11.1. Notice relating to Data Security Incidents must be sent to the following: <\/div><div style=\"text-align: justify; margin-left: 40px;\">To:Security<br\/><br\/>CC: <a href=\"mailto:Privacy@certn.co\">Privacy@certn.co<\/a> and <a href=\"mailto:Legal@certn.co\">Legal@certn.co<\/a><\/div><div style=\"text-align: justify; margin-left: 20px;\"><br\/>11.2. Notice relating to Data Subject Rights Requests and Sub-Processor updates must be sent to the following:<\/div><div style=\"text-align: justify; margin-left: 40px;\">To: <a href=\"mailto:Privacy@certn.co\">Privacy@certn.co<\/a><\/div><div style=\"text-align: justify; margin-left: 20px;\">11.3. Notices relating to Government Agencies or Regulatory Bodies Disclosure Requests:<\/div><div style=\"text-align: justify; margin-left: 40px;\">To: <a href=\"mailto:Legal@certn.co\">Legal@certn.co<\/a><br\/><br\/>CC: <a href=\"mailto:Privacy@certn.co\">Privacy@certn.co<\/a><\/div><div style=\"text-align: justify; margin-left: 20px;\">11.4. 
All other notices relating to this DPA must be sent to the following: <\/div><div style=\"text-align: justify; margin-left: 40px;\">To: <a href=\"mailto:Privacy@certn.co\">Privacy@certn.co<\/a><\/div><div style=\"text-align: justify; margin-left: 40px;\"><br\/>CC: <a href=\"mailto:Legal@certn.co\">Legal@certn.co<\/a><\/div><div style=\"text-align: justify;\"><br\/><strong>ANNEX I<\/strong><br\/><strong>Section A: List of Parties<\/strong><br\/><br\/><\/div><table style=\"width: 100%;\"><tbody><tr><td style=\"width: 17.326%;\"><strong>The Data Exporter<\/strong><\/td><td style=\"width: 82.6007%;\">The data exporter is identified as the Client or the \u201cController\u201d in the DPA.<\/td><\/tr><tr><td style=\"width: 17.326%;\"><strong>The Data Importer<\/strong><\/td><td style=\"width: 82.6007%;\">The data importer is Certn, a provider of data verification and background screening services.<\/td><\/tr><\/tbody><\/table><div style=\"text-align: justify;\"><br\/><br\/><strong><u>Section B: Description of Processing and Transfer<\/u><\/strong><\/div><div style=\"text-align: justify;\"><br\/><strong>1. Categories of data subjects whose personal data is transferred<\/strong><br\/>Those individuals and applicants subject to the background verification services for the purposes of employment, tenancy or any other lawful and permissible purpose as instructed by the Controller.<br\/><br\/><strong>2. 
Categories of Personal Data Transferred<\/strong><br\/><u>Business Contact Information<\/u>: Has the meaning provided in section 1.2 of the DPA.<\/div><div style=\"text-align: justify;\"><br\/><u>Data Subject Personal Data<\/u>: The exact Data Subject Personal Data will vary depending on the requested background verification service, but may include the following, as required: Email addresses, names, contact details, job titles, residential or business address; photograph; personal identification numbers; academic title and qualifications; career history; driving license; attendance records; job title; gender; professional telephone number (including mobile telephone number) and fax number; personal email address; personal telephone number (including mobile telephone number); credit score or limit, risk, failure and delinquency score; payment information; criminal history; records for associated claims and judgments; public records such as directorships, insolvencies, bankruptcies, financial standing, IP address; cookie data; login credentials (username and password); traffic data; images and sounds; biometric data.<br\/><br\/><strong>3<\/strong>. <strong>Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures<\/strong>. <\/div><div style=\"text-align: justify;\">The contents of the Personal Data are varied and under the Data Exporter\u2019s control, but may, depending on the particular Services, include sensitive data as defined under the relevant Data Protection Legislation. Sensitive Personal Data will be protected in accordance with the measures set out in the DPA.<br\/><br\/><strong>4. 
The Frequency of Transfers<\/strong><br\/>Transfers will be processed on an ad hoc basis and for the duration necessary for the performance of the Services; any other purposes stipulated in the Agreement; and complying with applicable laws and regulations.<br\/><br\/><strong>5. Nature of the Processing<\/strong><br\/>The nature and purpose of processing means any operation such as collection, recording, organization, structuring, storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction of data (whether or not by automated means).<br\/><br\/><strong>6. Purpose(s) of the Data Transfer and Further Processing<\/strong><\/div><div style=\"text-align: justify;\">Providing the Services to the Client as set out with the Agreement; performing the Agreement, this DPA and\/or other contracts executed by the Parties; providing support and technical maintenance, if agreed in the Agreement; preventing, mitigating and investigating the risks of data security incidents, fraud, error or any illegal or prohibited activity; complying with applicable laws and regulations; all tasks related with any of the above.<\/div><div style=\"text-align: justify; line-height: 1.15;\"><strong>7. The Period for Which the Personal Data Will Be Retained, or, If That Is Not Possible, the Criteria Used to Determine that Period<\/strong><\/div><div style=\"text-align: justify; line-height: 1.15;\"><br\/>The Parties agree to erase Personal Data from any computers, storage devices and storage media as soon as practicable after it has ceased to be necessary for such Party to retain the Personal Data under applicable Data Protection Legislation or as otherwise required by the Agreement. 
Notwithstanding the foregoing, unless otherwise agreed between the Parties, or required under applicable Data Protection Legislation, the Parties agree that Client records will be retained by Company in accordance with Company\u2019s Retention Policy which may be updated from time to time.<\/div><div style=\"text-align: justify; line-height: 1.15;\">Personal Data collected and processed as part of a Disclosure and Barring Service (\u201cDBS\u201d) check is retained for a minimum period of two (2) years in accordance with applicable guidelines.<br\/><br\/><strong>8. For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing<\/strong><\/div><div style=\"text-align: justify;\">All authorized sub-processors are required to implement and maintain the same or substantially similar technical and organizational measures, responsibilities, and obligations as those required of Provider under this DPA.<\/div><div style=\"text-align: justify;\"><br\/><strong><u>Section C: Competent Supervisory Authority<\/u><\/strong><br\/><br\/>1. Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016\/679 as regards the data transfer shall act as a competent supervisory authority.<br\/><br\/>2. Where the data exporter is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016\/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016\/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016\/679 is established will act as the competent supervisory authority.<br\/><br\/>3. 
Where the data exporter is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016\/679 in accordance with its Article 3(2) without, however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016\/679: Data Protection Commission (DPC) \u2013 21 Fitzwilliam Square, South Dublin 2, D02 RD28 Ireland will act as the competent supervisory authority.<br\/><br\/>4. Where the data exporter is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws and Regulations, the Information Commissioner&#8217;s Office will act as the competent supervisory authority.<\/div><div style=\"text-align: justify;\"><br\/>5. Where the data exporter is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner will act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.<br\/><br\/>6. Where the data exporter is established in the Canadian Province of Quebec or falls within the territorial scope of application of Quebec Data Protection Laws, the Commission d&#8217;acc\u00e8s \u00e0 l&#8217;information du Quebec will act as the competent supervisory authority.<\/div><div style=\"text-align: justify;\"><br\/><strong><br\/>ANNEX II<\/strong><br\/>Below are the technical, physical and administrative measures used by Company to ensure the security of Personal Data.<br\/><br\/>1. <strong>Program<\/strong>. Company maintains a written information security program (\u201cInformation Security Program\u201d), which contains reasonably appropriate administrative, technical, and organizational safeguards that comply with this Annex II. 
Company conducts internal security training during the onboarding phase and annually thereafter.<br\/><br\/>2.<strong> Security Certifications<\/strong>. Company maintains ISO 27001, SOC2 and SOC3 certifications on a continuous basis. ISO 27001 and SOC2 compliance report is available upon request. SOC 3 compliance report is publicly available. Visit Company\u2019s Trust Center for additional information (<a href=\"https:\/\/trust.certn.co\/\">https:\/\/trust.certn.co\/<\/a>).<br\/><br\/>3. <strong>Access Controls<\/strong>. An access control system applicable to all users accessing the IT system has been implemented. The system allows Company to create, approve, review, and delete user accounts. <\/div><div style=\"text-align: justify; margin-left: 20px;\">a. Company implements multi-factor authentication for all accounts that have access to Personal Data. Where authentication mechanisms are based on passwords, the data processor requires the password to be at least eight characters long and conform to very strong password control parameters including length, character complexity, and non-repeatability.<br\/><br\/>b. Role-based authorizations in alignment to an established Authorization Control Policy. When granting access or assigning user roles, the \u201cneed-to-know principle\u201d is observed in order to limit the number of users having access to Personal Information only to those who require it for achieving the Processor\u2019s Processing Purposes.<br\/><br\/>c. Company maintains an Asset Management Policy which defines the Configuration standards and any applicable variables. A system access control policy has been defined, documented and implemented to allow for evaluation of controls and access to Company\u2019s assets.<\/div><div style=\"text-align: justify;\"><br\/>4. <strong>Account Management<\/strong>. 
Company manages the creation, use, and deletion of all account credentials used to access the Company\u2019s key infrastructure, including by requiring multi-factor authentication in all critical systems. Any processed Personal Information is limited to the strictly necessary matching identifiers defined by the data sources we operate with. To ensure that Personal Information is accurate, relevant, complete and up-to-date, the Company processes data verifications in real time, with the consent of the Data Subject and only within the limits of the defined Permissible Purpose. Any potentially incomplete data is reconfirmed with the Data Subject and\/or the relevant data source.<br\/><br\/>5. <strong>Vulnerability Management.<\/strong> Company engages in vulnerability management, risk evaluation, asset management, IDS and IPS, patch management, endpoint monitoring, SIEM tools vendor management. SIEM collects events and policies and alerts are created for analysis and investigations. Endpoint protections and monitoring, intrusion detection and prevention with monitoring and evaluation.<br\/><br\/>6.<strong> Security Segmentation.<\/strong> Company will monitor, detect and restrict the flow of information on a multilayered basis using tools such as firewalls, proxies, and network-based intrusion detection systems.<br\/><br\/>7.<strong> Data Loss Prevention.<\/strong> Company uses loss prevention measures to identify, monitor, and protect Personal Data in use, in transit, and at rest. Such data loss prevention processes and tools will include: (a) automated tools designed to identify attempts of data exfiltration; and (b) the use of encryption certificate-based security. Backup and data restore procedures are defined and documented as Company policies, available upon request at Company\u2019s Trust Center (<a href=\"https:\/\/trust.certn.co\/\">https:\/\/trust.certn.co\/<\/a>). Execution of backups is monitored to ensure completeness. 
Company stores data on AWS cloud which has automatic backups configured and encrypted. In addition, there are multiple zones for redundancy and recovery purposes.<br\/><br\/>8. <strong>Encryption<\/strong>. Company will encrypt, using industry-standard encryption tools, all Personal Data that Provider transmits across public networks. Company deploys encryption of data at rest and in transit using AES 256 encryption and \u2265TLS v1.2.<br\/><br\/>9.<strong> Pseudonymization<\/strong>. Company, where possible and consistent with the Services, uses pseudonymization techniques to protect Personal Data.<br\/><br\/>10. <strong>Product Development Safeguards<\/strong>. Company utilizes a privacy and security by design approach and is regularly and independently audited for the purposes of maintaining the highest industry standards for internal controls for security, availability, processing integrity and confidentiality and privacy.<br\/><br\/>11. <strong>Physical Safeguards.<\/strong> Company maintains physical access controls to secure the Company-owned physical premises where the relevant Company computing environment used to Process any Personal Data is located, including an access control system that enables Company to control physical access to each Company facility. Company maintains a Physical Security Policy which covers provisions for physical office access with key fobs, security alarms, security surveillance, and visitor limited access. The physical perimeter of the IT system infrastructure is not accessible by non-authorized personnel. Appropriate technical measures and organizational measures are set in place to protect security areas and their access points against entry by unauthorized persons. Company stores its data on AWS cloud following the best practices and requirements. Data is segmented, encrypted and backed up with the inclusion of multi zonal availability.<br\/><br\/>12. 
<strong>Administrative Safeguards.<\/strong> Prior to providing access to Client Personal Data to any of its personnel, Company will use commercially reasonable measures to: (a) verify the reliability of such personnel; and (b) provide appropriate security training to such personnel. Company has an established policy for Data Retention which defines different purging schedules for separate categories of data.<br\/><br\/><\/div>\n                    <\/div><\/main><\/div>        <\/div>\n    <\/div>\n<\/section>","protected":false},"excerpt":{"rendered":"","protected":false},"author":0,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-34576","page","type-page","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/certn.co\/us\/wp-json\/wp\/v2\/pages\/34576","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/certn.co\/us\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/certn.co\/us\/wp-json\/wp\/v2\/types\/page"}],"replies":[{"embeddable":true,"href":"https:\/\/certn.co\/us\/wp-json\/wp\/v2\/comments?post=34576"}],"version-history":[{"count":1,"href":"https:\/\/certn.co\/us\/wp-json\/wp\/v2\/pages\/34576\/revisions"}],"predecessor-version":[{"id":34586,"href":"https:\/\/certn.co\/us\/wp-json\/wp\/v2\/pages\/34576\/revisions\/34586"}],"wp:attachment":[{"href":"https:\/\/certn.co\/us\/wp-json\/wp\/v2\/media?parent=34576"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}