DPA

DPA Definitions

DPA Terms

Security Measures

Appendix 1

Appendix 2

Appendix 3

Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (or other such titled written or electronic agreement addressing the same subject matter) (the “Agreement”) between Traitify and Client for the purchase of SaaS products and services from Traitify (the “Services”). This DPA reflects the parties’ agreement with regard to the Processing of Personal Data pursuant to the Agreement. Client enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent Traitify processes Personal Data for which such Authorized Affiliates qualify as the Controller. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. In providing the Services to Client pursuant to the Agreement, Traitify may Process Personal Data on behalf of Client, and the parties agree to comply with the following provisions with respect to any Personal Data.

DPA Definitions

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the Client entity signing this Agreement, or with Woofound, Inc. d/b/a Traitify, as the case may be. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Authorized Affiliate” means any of Client's Affiliate(s) which (i) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom and (ii) is permitted to use the Service pursuant to the Agreement between Client and Traitify, but has not signed its own Order Form with Traitify and is not a "Client" as defined under the Agreement.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Client Personal Data” means all Personal Data submitted by or on behalf of Client, or an Authorized Affiliate, to the Service.

“Data Protection Laws” or “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the UK Data Protection Laws, and the US Data Protection Laws, and other jurisdictions applicable to the Processing of Personal Data under the Agreement.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” means any information relating to (i) an identified or identifiable natural person and (ii) “personal information”, “personal data”, “special categories of personal data”, “sensitive personal data” and similar terms shall have the meanings and otherwise be interpreted in accordance with the applicable Data Protection Laws and Regulations.

“Processing” (including its root word, “Process”) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller.

“Restricted Transfer” means a Transfer of Personal Data to a country other than the country of origin which is not subject to an adequacy determination by the authorities competent for the country of origin.

“Standard Contractual Clauses” the Standard Contractual Clauses (MODULE TWO: Transfer controller to processor), dated 4 June 2021, for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as described in Article 46 of the GDPR and approved by European Commission Implementing Decision (EU) 2021/91.

“Sub-processor” means any Processor engaged by Traitify or a member of the Traitify Group.

“Sub-processor List” means the list of Traitify Sub-processors attached hereto as Appendix 3, which may be updated by Traitify from time-to-time.

“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.

“Traitify” means Woofound, Inc. d/b/a Traitify, a company incorporated in Delaware with its primary address being 6330 E. Thomas Rd., Scottsdale, Arizona 85251, or an Affiliate of Traitify, as applicable.

“Traitify Group” means Traitify and its Affiliates, as applicable, engaged in the Processing of Personal Data.

"UK Data Protection Laws" means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR"), together with the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) and other data protection or privacy legislation in force from time to time in the United Kingdom.

“UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018;

"UK Restricted Transfer” means a transfer of Client Personal Data by Client or any Client Affiliate to Traitify or any Traitify Affiliate (or any onward transfer), in each case, where such transfer would be prohibited by UK Data Protection Laws in the absence of the protection for the transferred Client Personal Data provided by the UK IDTA.

“US Data Protection Laws” means all applicable national, federal, state, or local privacy, cybersecurity and data protection laws, together with any implementing or supplemental rules and regulations, applicable to the processing of Personal Data under this DPA, as amended or replaced from time to time, including but not limited to, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and as may be further amended or replaced from time to time including applicable regulations (“CCPA”), Virginia Consumer Data Protection Act (“VCDPA”), Colorado Privacy Act (“CPA”), Connecticut Data Privacy Act (“CDPA”), and Utah Consumer Privacy Act (“UCPA”).

The terms “Business”, “Business Purpose”, “Commercial Purpose”, “Contractor”, "Process", "Processing", “Sell”, “Service Provider” and “Share” shall have the meanings and otherwise be interpreted in accordance with the applicable Data Protection Laws and Regulations, and any cognate terms shall be construed accordingly.

DPA Terms

Traitify and Client hereby enter into this DPA effective as of the last signature date below. This DPA is incorporated into and forms part of the Agreement.

Provision of the Service. Traitify provides the Services to Client under the Agreement. In connection with the Services, the parties anticipate that Traitify may Process Client Data that contains Personal Data relating to Data Subjects.
The Parties’ Roles. The parties agree that with regard to the Processing of Client Personal Data, Client is the Controller, Traitify is the Processor, and that Traitify or members of the Traitify Group will engage Sub-processors pursuant to the requirements of this DPA.
Client Responsibilities. Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirements to provide notice, obtain consent, and/or respond to Data Subjects regarding the use of Traitify Services. For the avoidance of doubt, Client’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data. Client specifically acknowledges that its use of the Service will not violate the rights of any Data Subject that has opted-out from sales, sharing or other disclosures of Personal Data, to the extent applicable under the Data Protection Laws and Regulations.
Processing Purposes. Traitify shall keep Client Personal Data confidential and shall only Process Client Personal Data on behalf of and in accordance with Client’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented, reasonable instructions provided by Client (for example, via email) where such instructions are consistent with the terms of the Agreement. Traitify shall notify Client if it believes that Client’s instructions would violate Data Protection Laws and Regulations.
Scope of Processing. The subject-matter of Processing of Personal Data by Traitify is the performance of the Services pursuant to the Agreement as more fully described in Appendices. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Appendix 1 to this DPA.
Data Subject Requests. Client may respond to requests from Data Subjects to exercise the Data Subject's privacy rights (“Data Subject Request”), via the Services in the manner configured by Client. Factoring into account the nature of the Processing, Traitify shall assist Client by appropriate organizational and technical measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Client, in its use of the Services, does not have the ability to address a Data Subject Request, Traitify shall, upon Client’s request, provide commercially-reasonable efforts to assist Client in responding to such Data Subject Request, to the extent that Traitify is legally authorized to do so, and the response to such Data Subject Request is required under Data Protection Laws and Regulations.
Traitify Personnel. Traitify shall ensure that its personnel engaged in the Processing of Personal Data are subject to obligations to maintain the confidential nature of the Personal Data and have received appropriate training regarding their responsibilities.
Data Protection Officer. Members of the Traitify Group have appointed a data protection officer. The appointed person may be reached at legal@traitify.com.
Traitify’s Sub-processors. Client has instructed and authorized the use of Sub-processors to assist Traitify in the performance of its obligations under the Agreement and a current list of Traitify Sub-processors is available at the Sub-processor List. The parties agree that copies of the Sub-processor agreements that must be provided by Traitify pursuant to the Standard Contractual Clauses may have all commercial information or clauses unrelated to the Standard Contractual Clauses or their equivalent removed by Traitify beforehand; and, that such copies will be provided by Traitify, in a manner to be determined in its discretion, only upon request by Client.
Liability for Sub-processors. Traitify shall be liable for the acts and omissions of its Sub-processors to the same extent Traitify would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
Security Measures. Traitify shall maintain appropriate organizational and technical measures for protection of the security (including protection against unauthorized or unlawful Processing, and against unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to, Client Data), confidentiality, and integrity of Client Personal Data, as set forth in Schedule 1. Traitify regularly monitors compliance with these measures. Traitify will not materially decrease the overall security of the Services during a subscription term.
Reserved.
Notifications Regarding Personal Data Incidents. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each party agrees to have in place reasonable and appropriate security incident management policies and procedures and shall notify the other party without undue delay after becoming aware of the unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to, Client Personal Data, transmitted, stored or otherwise provided to and/or Processed by Traitify or its Sub-processors of which a party becomes aware (hereinafter, a “Personal Data Incident”). The notifying party shall provide the other party with sufficient information which allows the notifying party to meet any obligations to report a Personal Data Incident under the Data Protection Laws. Such notification shall as a minimum: (i) describe the nature of the Personal Data Incident, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate numbers of Personal Data records concerned; (ii) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (iii) describe the likely consequences of the Personal Data Incident; and (iv) describe the measures taken or proposed to be taken to address the Personal Data Incident, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. Each party shall co-operate with the other party and take such reasonable commercial steps to assist in the investigation and mitigation of each Personal Data Incident.
Return of Client Data. At the Client's direction, Traitify shall securely delete or return all Client Personal Data to the Client as requested or at the end of the provision of Services, unless retention of such Personal Data is required by law, and Traitify notifies Client of such requirement, if permitted by applicable law. In such case, Traitify may retain Client Personal Data only to the extent and for such period of time as required by law; provided that, Traitify shall ensure the confidentiality of all such Personal Data and that such Personal Data is only Processed for the purpose(s) permitted by such laws.
Authorized Affiliates. The parties agree that, by executing the DPA, the Client enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliate(s), thereby establishing a separate DPA between Traitify and each such Authorized Affiliate, subject to the provisions of the Agreement. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. An Authorized Affiliate is not and does not become a party to the Agreement and is only a party to the DPA. All access to and use of the Service by Authorized Affiliate(s) must comply with the terms and conditions of the Agreement and any violation thereof by an Authorized Affiliate shall be deemed a violation by Client.
Communications. The Client that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Traitify under this DPA, and shall be entitled to transmit and receive any communication in relation to this DPA on behalf of its Authorized Affiliate(s).
Exercise of Rights. Where an Authorized Affiliate becomes a party to the DPA, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, except where applicable Data Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Traitify directly by itself, the parties agree that (i) solely the Client that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Client that is the contracting party to the Agreement shall exercise any such rights under this DPA in a combined manner for all of its Authorized Affiliates together, instead of doing so separately for each Authorized Affiliate.
Liability. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Traitify, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. Traitify's and its Affiliates’ total liability for all claims from the Client and all of its Authorized Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by Client and all Authorized Affiliates, and shall not be understood to apply individually and severally to Client and/or to any Authorized Affiliate that is a contractual party to any such DPA. Each reference to the DPA herein means this DPA including its Appendices.
US Data Protection Law. To the extent that Traitify Processes any Client Personal Data subject to US Data Protection Laws, Traitify agrees to the following:
- All Client Personal Data disclosed by Client to Traitify, or that Traitify receives or Processes on Client’s behalf, is disclosed or received only for limited and specified purposes, including for one or more Business Purposes as that term is defined under the US Data Protection Laws.
- Traitify will comply with US Data Protection Laws and other applicable data protection laws to the extent applicable to its Processing of Client Personal Data and provide the same level of privacy protection as is required of Businesses by the CCPA and other applicable US Data Protection Laws.
- To the extent that Client discloses to Traitify any Client Personal Data for a Business Purpose and except as provided under applicable US Data Protection Laws, Traitify is prohibited from (a) Selling and Sharing Client Personal Data; (b) retaining, using, or disclosing the Client Personal Data for any purpose other than for the specific purpose of performing the Services specified in the Agreement and this DPA, including retaining, using, or disclosing the Client Personal Data for a commercial purpose other than providing the services specified in or pursuant to the Agreement and this DPA; (c) retaining, using, or disclosing the Client Personal Data outside of the direct business relationship between the parties; and (d) combining Client Personal Data that Traitify receives from or on behalf of Client with Personal Data that it receives from or on behalf of another person or collects from its own interaction with an individual.
- If Client provides Traitify with deidentified Client Personal Data, or if Traitify Deidentifies Client Personal Data previously provided by Client, Traitify agrees to (a) take reasonable measures to ensure that the Client Personal Data cannot be associated with a consumer or under the CCPA, household, (b) publicly commit to maintaining such Client Personal Data in its deidentified form, (c) not attempt to reidentify the Client Personal Data, and (d) contractually obligate any recipients of the deidentified Client Personal Data to comply with equivalent requirements.
- To the extent Traitify is considered a Contractor under the CCPA, Traitify certifies it understands the restrictions and conditions in this Section 19(iii) and (iv) and will comply with them.
- If Traitify believes it will be unable to comply with the terms of the Agreement, this DPA or US Data Protection Laws, Traitify will promptly notify Client upon making such determination. Without limiting the foregoing, Traitify grants Client the right to take reasonable and appropriate steps: (a) to ensure that Traitify uses or Processes the Client Personal Data in a manner consistent with Client’s obligations under US Data Protection Laws; and (b) upon notice, to stop and remediate any unauthorized use or processing of Client Personal Data.
- Traitify shall allow and cooperate with reasonable assessments by Client or Client's designated assessor; alternatively, Traitify may arrange for a qualified and independent assessor to conduct an assessment of Traitify's policies and technical and organizational measures in support of the obligations under US Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Traitify shall provide a report of such assessment to Client upon request.
GDPR. Traitify will Process Personal Data in accordance with the GDPR requirements to the extent directly applicable to Traitify's provision of the Services.
Data Protection Impact Assessment. Upon Client’s request, Traitify shall provide Client with reasonable cooperation and assistance needed to fulfil Client’s obligation under Data Protection Laws and Regulations to carry out a data protection impact assessment related to Client’s use of the Services, to the extent Client does not otherwise have access to the relevant information, and to the extent such information is available to Traitify. Traitify shall provide reasonable assistance to Client in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to Section 21 of this DPA, to the extent required under the GDPR and other applicable Data Protection Laws and Regulations.
Restricted Transfers.
- EEA Restricted Transfers. With respect to Restricted Transfers from the EEA, Switzerland, or similar countries, effective from the commencement of the relevant Restricted Transfer, Client and Traitify hereby enter into, and incorporate into this DPA by reference, the Standard Contractual Clauses in respect of any Restricted Transfer (or onward transfer) or Personal Data by or on behalf of the Client to Traitify from: (1) the EEA, (2) Switzerland, or (3) any country in which the competent authorities have approved the use of the Standard Contractual Clauses and where such Restricted Transfer (or onward transfer) would otherwise be prohibited by Data Protection Laws and Regulations (or by the terms of data transfer agreements put in place to address Data Protection Laws and Regulations). In respect of any such Restricted Transfer (or onward transfer), the Standard Contractual Clauses shall be deemed complete as follows:
  
  In Clause 7, the optional docking clause will not apply;
  ‍
  In Clause 9(a), Option 2 will apply and the period for prior notice of additions or replacements of Traitify Sub-Processors shall be thirty (30) days. The Parties agree that Traitify may provide notice of a new Sub-processor by adding such a new Sub-processor to the Sub-processor List at least thirty (30) days prior to sharing any Client Personal Data with such Sub-processor. Client may: (i) subscribe to receive email updates of any new Sub-processor at the web page where the Sub-processor list is located; and (ii) object on reasonable grounds to a new Sub-processor by emailing Traitify at legal@traitify.com within thirty (30) days of the new Sub-processor being added to the Sub-processor List. If Traitify and Client are unable to resolve Client's concerns within thirty (30) days after receipt of such email, then Traitify or Client may terminate the relevant processing of any Client Personal Data occurring under the Standard Contractual Clauses;
  
  In Clause 11, the optional language will not apply;
  
  In Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by the law of Ireland;
  
  As per Clause 18(b), disputes shall be resolved before the courts of Ireland;
  
  Annex 1 to Standard Contractual Clauses shall be deemed to be pre-populated with the Processing Details in Appendix 1 hereto;
  
  Annex 2 to the Standard Contractual Clauses shall be deemed to be pre-populated with the security measures set forth in Schedule 1 hereto.
  
  For the avoidance of doubt, if Standard Contractual Clauses are incorporated into this DPA, then Client’s signature to this DPA shall be deemed such Client and Authorized Affiliates signature as a data exporters under Standard Contractual Clauses (including the relevant Appendices or Annexes), and Traitify’s signature to this DPA shall be deemed Traitify's signature as a data importer under the Standard Contractual Clauses (including the relevant Appendices or Annexes).
- UK Restricted Transfers. With respect to Restricted Transfers from the United Kingdom, effective from the commencement of the relevant Restricted Transfer, Client and Traitify hereby enter into, and incorporate into this DPA by reference, the Standard Contractual Clauses in respect of any Restricted Transfer (or onward transfer) of Personal Data by or on behalf of Client to Traitify from the United Kingdom ("UK"). In respect of any such Restricted Transfer (or onward transfer), the Standard Contractual Clauses shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK IDTA, and the parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in this DPA.
- In the event of a conflict between (a) the Agreement, and (b) the Standard Contractual Clauses, the latter shall prevail.
- If, at any point during the term of this DPA, changes in Data Protection Laws and Regulations require amendments to this DPA in order to ensure the lawful transfer of Personal Data, Client and Traitify will cooperate in good faith to implement such amendments without undue delay.
For the avoidance of doubt, if UK IDTA is incorporated into this DPA, then Client’s signature to this DPA shall be deemed such Client and Authorized Affiliates signature as a data exporter under UK IDTA (including the relevant Appendices or Annexes), and Traitify’s signature to this DPA shall be deemed Traitify's signature as a data importer under the UK IDTA (including the relevant Appendices or Annexes).
Client’s Processing Instructions. This DPA and the Agreement are Client’s complete and final instructions at the time of signature of the Agreement to Traitify for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 8.1(a) of the Standard Contractual Clauses, the following is deemed an instruction by the Client to process Personal Data: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services and (iii) Processing to comply with other reasonable instructions provided by Client (e.g., via email) where such instructions are consistent with the terms of the Agreement.
Audits. The parties agree that the audits described in the Standard Contractual Clauses shall be carried out in accordance with the following specifications: following Client’s written request, and subject to the confidentiality obligations set forth in the Agreement, Traitify shall make available to Client information regarding the Traitify Group’s compliance with the obligations set forth in this DPA in the form of the third-party certifications and audits set forth in Section 12 of this DPA, to the extent that Traitify makes them generally available to its clients. Client may contact Traitify in accordance with the “Notices” Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Personal Data. Before the commencement of any such on-site audit, Client and Traitify shall mutually agree upon the scope, timing, and duration of the audit and Client shall promptly notify Traitify and provide information about any actual or suspected non-compliance discovered during an audit. Notwithstanding anything else herein, at no time shall Client connect or have access to Traitify’s systems, restricted areas, or be given access to any confidential information of Traitify’s other customers. The language in this section shall by no means limit Client’s audit rights in the Standard Contractual Clauses.
Data Deletion. The parties agree that the certification of deletion of Personal Data that is described in the Standard Contractual Clauses shall be provided by Traitify to Client only upon Client’s request.
Order of Precedence. This DPA is incorporated into and forms part of the Agreement. For matters not addressed under this DPA, the terms of the Agreement apply. With respect to the rights and obligation of the parties vis-à-vis each other, in the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA will control. In the event of a conflict between the terms of the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

Security Measures

Asset Management
- Traitify maintains an inventory of material IT assets supporting the Services including internal and external systems.
Governance
- Traitify maintains an Information Security Program (ISP) based on commercially reasonable industry standards.
- Traitify’s Security & Compliance Director and Information Security Committee are responsible for information security.
Risk Management
- Traitify maintains risk management processes to identify, assess and manage risks to Client Data and IT systems supporting the Services.
- Traitify conducts an information security risk assessment at least once annually and manages risks to Client Data and IT systems supporting the Services in accordance with documented risk management procedures.
- Traitify conducts vulnerability scans against infrastructure and applications in accordance with their risk to Client, to help identify vulnerabilities and promptly remediates any security vulnerabilities and misconfiguration in accordance with Traitify’s ISP.
- Traitify conducts penetration testing of its applications at least one time per year using independent testing professionals.
Awareness and Training
1. Traitify ensures that its personnel complete information security awareness training and are made aware of their responsibilities with regards to information security and the handling of Client Data.
2. Traitify provides its personnel with instructions and awareness for using Client Data and IT systems, including but not limited to, the following requirements
  ‍
  i - Keep Confidential Information and IT equipment secure at all times, including when travelling or working out of the office or from home;
  ‍
  ii - Keep User ids, passwords and PINs for IT systems and devices, confidential and protect them from unauthorized access;
  
  iii - Do not connect untrusted removable media devices to IT systems or laptops;
  
  iv - Keep devices used to access Client Data and IT systems up-to-date with security updates;
  
  v - Handle Client Data in accordance with Traitify’s classification and documented handling procedures;
  
  vi - Only share Client Data with authorized individuals on a need-to-know basis;
  
  vii - Be aware of phishing and do not click on links in emails or documents or provide any Client Data over the phone without verifying the caller;
  
  viii - Maintain a clear desk and a clear screen so that Client Data cannot be viewed or accessed by unauthorized individuals;
  
  ix - Securely dispose of paper and other media using correct procedures; and
  
  x - Report security events and non-compliance to security policies promptly and without delay.
  ‍
Access Control
- Traitify restricts physical and logical access to IT systems supporting the Services to only the minimum levels of access and privileges required to perform a function or role.
- New access to network, systems, and data are approved and documented.
- Traitify assigns Users a unique ID; shared accounts are prohibited.
- Traitify implements identity and access management processes to control access and authenticate Users prior to granting access.
- Traitify reviews User accounts and their privileges on a regular basis, to verify that access to IT systems supporting the Services is correct.
- Traitify ensures that remote access to IT systems and networks supporting the Services is restricted to only authorized individuals using secure entry-points and approved devices.
Data Center Security
- Data centers used by Traitify use a card-key access control system. Only appropriate personnel are issued card-keys.
- Data centers used by Traitify require visitors to sign a log and visitors are escorted by data center personnel.
- Data centers used by Traitify employ security surveillance cameras, installed to record activity at the data center.
Data Security
- Traitify maintains procedures and controls designed to protect the security of Client Personal Data.
- Traitify maintains the security of systems and employee laptops using standardized builds that include a hardened operating system, malware protection, and host-based security software.
- Configuration changes are limited to authorized individuals, in accordance with documented change management procedures and using approved systems and tools.
- On request, Traitify will securely delete Client Data from IT systems in accordance with current industry standards.
Application Security
- Traitify only uses Client Data for testing as necessary to deliver the Services to Client as prescribed in the applicable agreement.
Operational Security
- Traitify maintains IT systems in a timely manner, in accordance with change management procedures.
- A 24-hour on-call procedure is implemented to provide support for production systems.
- Commercial anti-virus software is loaded on production servers to mitigate the risk of virus threats.
Security Monitoring & Detection
- Traitify’s security department is responsible for security monitoring and detection activities.
- Traitify maintains content filtering technologies to monitor connections to the internet.
- Traitify monitors CERT notifications that may affect any element of its IT systems and patch systems in accordance with a documented procedure that prioritizes the remediation of vulnerabilities based on risk.
Incident Response
- Traitify maintains security incident response plans to manage response to security events, and these are tested on at least an annual basis.
- Traitify assesses security events and suspected incidents against defined criteria and responds to incidents in such a way that takes into consideration their potential impact to the Client and the Client’s Affiliates.
- Traitify will contain and mitigate incidents in accordance with documented incident management procedures and response plans.
- Traitify will conduct post incident reviews to identify root-causes and identify actions required to minimize the risk of similar incidents re-occurring. Response strategies and plans will be updated in response to any lessons learned.
Third Party Risk Management
- Traitify’s security department maintains a third-party risk management program to ensure that third parties maintain security controls at least as stringent as Traitify’s security controls and continually assess the third party on a regular basis in accordance with its risk level as defined by Traitify.
- Third parties are obligated, by contractual agreement, to maintain security controls at least as stringent as Traitify’s security policies dictate.
- Third parties are obligated, by contract, to securely delete data at the end of contract.

Appendix 1 To The Standard Contractual Clauses

This Appendix forms part of the Standard Contractual Clauses (together the “Clauses”) and must be completed and signed by the parties.The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data Exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

Data exporter is the legal entity that has executed the DPA based on the Clauses as a Data Exporter established within the European Economic area and Switzerland that have purchased the Service on the basis of one or more Order Form(s).

Data Importer

The data importer is (please specify briefly activities relevant to the transfer):

‍Data importer, Woofound, Inc. d/b/a Traitify, is a provider of SaaS software for human capital management and recruiting purposes.

Data Subjects

The personal data transferred concern the following categories of data subjects (please specify):

Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include Personal Data relating to the following categories of data subjects:

Past and present employees, consultants, independent contractors, agents, and non-employee workers;
Data exporter’s Users;
Job applicants and candidates;
Students and interns.

Categories of Data

The Personal Data transferred concern the following categories of data (please specify):

Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include the following categories of personal data:

Email addresses;
Phone numbers;
Name (first and last);
Title;
Candidate inquiries;
IP Address;
Personality and assessment data.

Special Categories of Data (If Appropriate)

The Personal Data transferred concern the following special categories of data (please specify):

None.

Processing Operations

The Personal Data transferred will be subject to the following basic processing activities (please specify):Processing activities may include:

Collecting, recording, storing, organizing, disclosing, amending and erasing/deletion.

Appendix 2 To The Standard Contractual Clauses

Data importer has implemented and will maintain appropriate technical and organisational measures to protect Client Data (as defined in the DPA) against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The measures described in Schedule 1 of the DPA are hereby incorporated into this Appendix 2 by this reference and are binding on the data importer as if they were set forth in this Appendix 2 in their entirety.

Appendix 3 To The Standard Contractual Clauses

Sub-Processor List

The list of Sub-processors that Traitify has contracted with that may process client personal data in connection with Traitify’s provision of its products and services is below:

Hosting and other third-party Sub-processors:

Data Processing Addendum

About Us

Support