Online DPA

Last Updated: May 29, 2025

This Data Processing Agreement (“DPA”) forms part of, and is governed by, the Subscription Agreement or any other agreement (“Agreement”) executed by and between Bugsec Ltd. and its affiliates (“Bugsec”) and a Customer (“Customer”). Bugsec and Customer shall each be referred to as “party” and collectively as “parties”.

All capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the Agreement or applicable Data Protection Laws.

WHEREAS, Bugsec is the developer and operator of a cloud-based software-as-a-service platform (“Platform”) that proactively detects, investigates, and neutralizes threats across various cloud environments services utilized by Customers, all as agreed by the parties in the applicable Order Form or other ordering documents that are referencing the Agreement (collectively the “Services”);

WHEREAS, the Services may require Bugsec to Process Personal Data (as such terms are defined below) on Customer’s behalf, subject to the terms and conditions of this DPA; and

WHEREAS, the parties desire to achieve compliance with the UK, EU, Swiss, United States and other data protection laws and agree on the following:

1. DEFINITIONS:
   • “Adequate Country” is a country that received an adequacy decision from the European Commission or other applicable data protection authority.
   • “Customer Data” means Personal Data (or the equivalent term) Processed by Bugsec on behalf of Customer in the course of providing the Services to the Customer, all as detailed in Annex Iattached hereto.
   • The terms“Business”, “Business Purpose”, “Consumer”, “Controller”, “Data Subject”, “Personal Data”, “Personal Information”, “Personal Data Breach”, “Processing” (and “Process”), “Processor”, “Holder”, “Sensitive Data”, “Service Provider”, “Sale” (or “Sell”) and“Share”, “Special Categories of Personal Data” and “Supervisory Authority”, shall all have the same meanings as ascribed to them under applicable Data Protection Laws. Further, under this DPA: “Controller” shall also mean and refer a “Business”; “Processor” shall also mean and refer to a “Services Provider” and a “Holder”; “Data Subject” shall also mean and refer to a “Consumer”, “Personal Data” shall also mean and refer to “Personal Information”, and “Special Categories of Data” or “Highly Sensitive Data” shall also mean and refer to “Sensitive Data”.
   • “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, European Data Protection Laws, Israeli Data Protection Laws and the U.S. Data Protection Laws) as may be amended or superseded from time to time.
   • “EEA” means the European Economic Area.
   • “European Data Protection Laws” means collectively the laws and regulations of the European Union, the EEA, their member states, and the United Kingdom, applicable to the Processing of Personal Data, including (where applicable): (i) “EU Data Protection Laws“- the EU General Data Protection Regulation (Regulation 2016/679) (“EU GDPR”); Regulation 2018/1725; the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (ii) “UK Data Protection Laws” – the Data Protection Act 2018 (DPA 2018), as amended, and EU GDPR as incorporated into UK law as amended (“UK GDPR” and collectively with the EU GDPR shall be referred to herein as the ”GDPR”); (iii) “Swiss Data Protection Laws” or “FADP” – the Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) (“FDPA”) and the Ordinance on the Federal Act on Data Protection (“FODP“); (iv) any national data protection laws made under, pursuant to, replacing or succeeding the EU GDPR or the e-Privacy Law; (v) any legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding judicial or administrative interpretation of any of the above, or approved certification mechanisms issued by any relevant Supervisory Authority.
   • “Instructions” means the written, documented instructions issued by the Customer to Bugsec directing Bugsec to perform a specific or general action with regard to Customer Data (including, but not limited to, instructions to provide the Services under the Agreement and instructions under this DPA).
   • “Israeli Data Protection Laws” means collectively, the: (i) Israeli Protection of Privacy Law, 5741-1981 (as amended under Amendment 13); (ii) the regulations promulgated pursuant thereto, including the Israeli Protection of Privacy Regulations (Data Security), 5777-2017 and the Israeli Protection of Privacy (Transfer of Data to Databases Abroad) Regulations, 5761-2001; (iii) any amendments or legislation replacing or updating any of the foregoing, and; (iv) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or certification mechanisms approved by the Israeli Privacy Protection Authority.
   • “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data. Any Personal Data Breach will comprise a Security Incident.
   • “Standard Contractual Clauses” or “SCCs” mean (i) the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, which may be found at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en and incorporated  herein by reference (“EU SCC”); (ii) the UK “International Data Transfer Addendum to The European Commission Standard Contractual Clauses” available at  https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdfand incorporated herein by reference; or (iii) the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCC”). 
   • “US Data Protection Laws” means any U.S. federal and state privacy laws and regulations effective as of the Effective Date of this DPA and applies to Bugsec Processing of Customer Data, and any implementing regulations and amendment thereto, including without limitation, the (i) California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018 including as modified by the California Privacy Rights Act as well as all regulations promulgated thereunder from time to time (“CCPA”), (ii) Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq. (“CPA”), (iii) Connecticut Data Privacy Act, Conn. Gen. Stat. § 42-515 et seq. (“CTDPA”), (iv) Delaware Personal Data Privacy Act (HB 154) (“DPDPA”), (v) Florida Digital Bill of Rights (“FDBR”), (vi) Indiana Consumer Data Protection Act, Ind. Code § 24-15 et seq. (“ICDPA”), (vii) Iowa Consumer Data Protection Act, Iowa Code § 715D.1 et seq. (“ICDPA”), (viii) Kentucky Consumer Data Protection Act (“KCDPA”), (ix) Maryland Online Data Privacy Act (“MODPA”), (x) Minnesota Consumer Data Privacy Act (“MNDPA”), (xi) Montana Consumer Data Privacy Act (“MCDPA”), (xii) Nebraska Data Privacy Act (“NDPA”), (xiii) New Hampshire Data Privacy Act (“NHDPA”), (xiv) New Jersey Data Protection Act (“NJDPA”), (xv) Oregon Consumer Privacy Act, Or. Rev. Stat. § 646A.800 et seq. (“OCPA”), (xvi) Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”), (xvii) Texas Data Privacy and Security Act, Tex. Bus. & Com. Code Ann. § 541.001 et seq. (“TDPSA”), (xviii) Tennessee Information Protection Act, Tenn. Code Ann. § 47-18-3201 et seq. (“TIPA”), (xix) Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq. (“UCPA”), (xx) the Washington “My Health My Data” Act, Wash. Rev. Code § 19.373.005 et seq., and Nev. Rev. Stat. § 603A, as amended by Nevada S.B. 370 (together, the “Washington and Nevada Consumer Health Data Laws”), and (xxi) the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392) (“VCDPA”). All as amended or superseded from time to time and including any implementing regulations and amendments thereto.

Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Data Protection Laws. A reference to any term or section of the Data Protection Laws means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR or UK GDPR depending on the applicable Law.

2. ROLES AND DETAILS OF PROCESSING
   • The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, with respect to the Processing of Customer Data, and according to the applicable Data Protection Laws, Bugsec is acting as a Data Processor, or Service Provider and Customer is acting as a Data Controller or Business.
   • Each party shall be individually and separately responsible for complying with the obligations that apply to such party under applicable Data Protection Law. The Customer shall be exclusively responsible to ensure its Instructions are compliant with applicable Data Protection Laws and enable a lawful Processing of Customer Data, including by obtaining any required consent and providing any required disclosures under applicable Data Protection Laws.
   • The subject matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex I attached hereto.
   • If any Sensitive Data or Special Categories of Personal Data or Highly Sensitive Data is processed (as those terms are defined under Data Protection Laws), including, any information that constitutes “consumer health data” under the CTDPA or the Washington and Nevada Consumer Health Data Laws or any information that constitutes “protected health information” under the Health Insurance Portability and Accountability Act of 1996, 5 U.S.C. § 553 et seq., together with any amending legislation and any regulations promulgated thereunder or any Personal Data that is deemed by US regulatory authorities as meriting sensitive treatment under US Data Protection Laws or U.S. state or federal consumer protection laws such as financial information, demographic information, credit scores, etc., it is Customer’s responsibility to inform Bugsec of such processing, and ensure additional contractual obligations are met, if needed and applicable. For avoidance of doubt, Bugsec does not monitor, and review Customer Data processed according to this DPA, and may not be aware of any sensitivity within Customer Data.
3. PROCESSING OF PERSONAL DATA
4.  
5.  
6. • Bugsec represents and warrants that it shall Process Customer Data, on behalf of the Customer, solely for the purpose of providing the Service, all in accordance with Customer’s Instructions under the Agreement and this DPA. Notwithstanding the above, in the event Bugsec is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Customer Data other than as instructed by Customer, Bugsec shall make reasonable efforts to inform the Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law.
   • Bugsec hereby certifies it understands the rules, requirements and definitions under applicable Data Protection Laws, and shall not: (i) Sell or Share the Customer Data; (ii) retain, use or disclose the Customer Data for any purpose other than for a Business Purpose specified in the Agreement; (iii) receive or Process any Personal Information as consideration for any Services it provides to the Customer; or (iv) combine the Customer Data with other Personal Data that it receives from, or on behalf of another customer.
   • Bugsec shall comply with the requirements set forth under applicable Data Protection Laws with regards to processing of de-identified data.
   • Bugsec shall inform Customer without undue delay in the event that, according to Bugsec’s reasonable discretion, any of Customer’s Instructions infringes applicable laws, and Bugsec shall have the right to immediately cease and suspend any such Processing activity related to the infringing Instruction.
   • Bugsec shall notify the Customer if it determines that it can no longer meet its obligations under this DPA or applicable Data Protection Laws.
   • Bugsec shall provide reasonable cooperation and assistance to the Customer in ensuring compliance with its obligation to carry out data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities to the extent required under applicable Data Protection Laws (including data protection impact assessments and consultations with regulatory authorities), provided that Bugsec shall only be required to assist as for information which is directly related to Customer.
   • Where applicable, Bugsec shall assist the Customer in ensuring that Customer Data Processed is accurate and up to date, by informing the Customer without delay if it becomes aware of the fact that the Customer Data it is processing is inaccurate or has become outdated.
   • Bugsec shall ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Customer Data; and (ii) that persons authorized to Process the Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
   • Notwithstanding the above, in any event that the Israeli Law applies, the parties hereby undertake that they comply with the aforesaid regulations as well as comply with the DPA.
7. DATA SUBJECTS RIGHTS AND LEGAL REQUEST
8. • It is agreed that where Bugsec receives a request from a Data Subject for exercising a data subject’s rights or an applicable authority in respect of Customer Data, where applicable, Bugsec will notify the Customer of such request promptly and direct the Data Subject or the applicable authority to the Customer in order to enable the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws.
   • Parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of and responding to Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law. Bugsec shall provide Customer with cooperation and assistance mentioned above provided that the Customer cannot reasonably fulfill such obligations independently with the help of information available in the documentation, the website or any other self-service feature provided by Bugsec.
9. SUB-PROCESSING
10. • The Customer provides general authorization for Bugsec to engage third party data Processors (“Sub-Processor”) to Process Customer Data. The Customer specifically authorizes Bugsec to engage and appoint such Sub-Processors as listed in Annex III, to Process Customer Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf.
    • Bugsec may engage an additional or replace an existing Sub-Processors to Process Customer Data, subject to the provision of a fourteen (14) days prior notice of its intention to do so to the Customer (such notice can be provided through the Customer account or through an email correspondence) (“Notice” and “Notice Period” respectively). In case the Customer has not objected to the adding or replacing of a Sub-Processor within Notice Period, such Sub-Processor shall be deemed approved by the Customer. In the event the Customer objects to the adding or replacing of a Sub-Processor, within Notice Period, Bugsec may, under its sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise enable the Customer to terminate the Agreement where the Services cannot be reasonably provided under such circumstances, without liability to Customer. 
    • Bugsec shall, where it engages any Sub-Processor, impose, through a legally binding contract between Bugsec and the Sub-Processor, data protection obligations that are no less onerous than, and provide at least the same level of protection as, those set out in this DPA. Bugsec shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Laws. Sub-processors shall be obligated, contractually, to reasonably cooperate with Bugsec, the Customer or an applicable regulatory authority in the event of an investigation or Security Incident.
    • Bugsec shall remain responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with this DPA.
11. TECHNICAL AND ORGANIZATIONAL MEASURES
12. • Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Bugsec shall protect the security, confidentiality, integrity and availability of Customer Data and protect it against Security Incident.
    • Current technical and organizational measures implemented and maintained by Bugsec are further detailed in Annex II to this DPA, as updated from time to time (provided that any such amendments will not have a material negative effect on the level of protection provided to Customer Data).
13. SECURITY INCIDENT
14. • Bugsec will notify the Customer without undue delay, no later than 72 hours, upon becoming aware of any Security Incident involving the Customer Data. The notification regarding or response to a Security Incident under this Section 7 shall not be construed as an acknowledgment by Bugsec of any fault or liability with respect to the Security Incident.
    • Bugsec will: (i) take reasonably necessary steps to remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) upon Customer request, co-operate with the Customer and provide the Customer with such reasonable assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident, if applicable, obligation to notify the affected Data Subjects. Upon Customer’s request and taking into account the nature of the Processing and the information available to Bugsec, Bugsec will provide a report or written notice detailing the Security Incident, the affected Personal Data and Data Subjects.
15. AUDIT RIGHTS
16. • Bugsec shall maintain accurate written records of any and all the Processing activities of any Customer Data carried out under this DPA and shall make such records available to the Customer upon Customer’s thirty (30) days prior written request, however no more than once per twelve (12) months of engagement (“Audit Reports”). A summary of the ISO27001/ISO27701 certification, SOCII report or recent penetration tests, as well as information provided through Customer’s questionnaire shall be defined as a sufficient Audit Report. The Audit Report provided shall be considered Bugsec’s Confidential Information and shall be subject to the corresponding confidentiality obligations under the Agreement or require signed a non-disclosure agreement.
    • In the event the Audit Report is reasonably determined as not sufficient for the purpose of demonstrating compliance, Bugsec shall make available, solely upon prior reasonable written notice and no more than once per calendar year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA or where required by Applicable Data Protection Law or an applicable authority, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including towards third parties). Bugsec may object to an auditor appointed by the Customer in the event Bugsec reasonably believes the auditor is not suitably qualified or independent, or is a competitor of Bugsec. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, ensure that the Audit is conducted during regular business hours, and avoid causing any damage, injury or disruption to Bugsec’ premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Bugsec shall agree to an Audit solely under the following terms: (i) a thirty (30) day prior written notice was provided; and (ii) restrict its findings to only to information relevant to Customer Data or an applicable Security Incident.
    • Nothing in this DPA will require Bugsec to either disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access: (i) any data of any other Bugsec’s customer or Bugsec’s internal data including without limitation data processed in Bugsec’s role as a Controller; (ii) Bugsec’s internal accounting or financial information; (iii) any trade secret of a Bugsec or its Affiliates; (iv) any information that, in Bugsec’s reasonable opinion, could compromise the security of any Bugsec’s systems or cause any breach of its obligations under applicable law or its security or privacy or confidentiality obligations to any third party; or (v) any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws. No access to any part of Bugsec’s IT systems or infrastructure (including, without limitation, any hands-on or intrusive testing) will be permitted.
17. CROSS BORDER PERSONAL DATA TRANSFERS
18. • Customer acknowledges and agrees that for the provisions of the Services, Bugsec may Process, including transfer, Customer Data to various jurisdictions where Bugsec, its affiliates or Sub-Processors operate. Bugsec will ensure that transfers are made in compliance with Data Protection Laws.
    • Where European Data Protection Laws apply:
      • Bugsec will not transfer Customer Data originating from the EEA, the UK or Switzerland, to any country or recipient not recognized as providing an adequate level of protection for such Personal Data (within the meaning of the European Data Protection Law), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws. Such measures may include (without limitation) (i) transferring such Customer Data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including to an Adequate Country or data privacy and transfer frameworks; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with applicable Data Protection Law; or (iii) to a recipient that has executed the Standard Contractual Clauses.
      • When Customer and Bugsec, or Bugsec and its Sub-Processor rely on the Standard Contractual Clauses to facilitate a transfer to a third country, the following shall apply:
        • For transfer of Customer Data from the EEA the EU SCC shall apply and completed as follows: (1) Module II (Controller to Processors) will apply; (2) In Clause 7 the optional docking clause will not apply; (3) In Clause 9, option 2 (general written authorization) shall apply for the Sub-Processors listed under Annex III and the method for appointing Sub-Processor shall be as set forth in the Sub-Processing Section of the DPA; (4) In Clause 11, the optional language will not apply, and Data Subjects shall not be able to lodge a complaint with an independent dispute resolution body; (5) In Clause 17, option 1 shall apply, and the EU SCC shall be governed by the law of the Republic of Ireland; (6) In Clause 18(b) the parties choose the competent courts of the Republic of Ireland, as their choice of forum and jurisdiction; (7) Annex I(A) of the EU SCC is completed as follows: Customer is the Data Exporter, Bugsec is the Data Importer, the parties’ contact details are as completed under the Agreement; Annex I(B) of the EU SCC is completed as set out in Annex I of this DPA; Annex I(C) of the EU SCC shall identify the competent supervisory authority/ies as the supervisory authority Republic of Ireland; (8) Annex II of the EU SCC is deemed completed with the information set out in Annex II of this DPA; (9) Annex III of the EU SCC shall be completed with the list of Sub-Processors set out in Annex III of this DPA.
        • For transfer of Customer Data from the UK, the UK SCC shall apply and completed as follows: (1) Table 1 shall be completed as set forth in section ‎3.2.1(7) above; (2) Table 2 shall be completed as set forth in Section ‎9.3.2.1(1) – ‎9.3.2.1(4) above; (3) Tables 3 shall be completed as follows: Annex 1A shall be completed with relevant information as set out in Section ‎9.3.2.1(7) above; Annex 1B  shall be completed with relevant information as set out in Annex I of this DPA; Annex II shall be completed with relevant information as set out in Annex II of this DPA; Annex III shall be completed with the list of sub-processors set out in Annex III of this DPA; (4) Table 4 shall be completed with the “neither party” option; and (5) Any conflict between the terms of the EU SCC and the UK SCC will be resolved in accordance with Section 10 and Section 11 of the UK SCC
        • For transfer of Customer Data from Switzerland, the Swiss SCC shall apply in with following modifications (i) references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA; (ii) references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and (iii) references to the “competent supervisory authority” and “competent courts” will be replaced with the “the Swiss Federal Data Protection and Information Commissioner ” and the “relevant courts in Switzerland”.

10. TERM, TERMINATION AND CONFLICT
11. • This DPA shall be effective as of the Effective Date (as defined in the Agreement) and shall remain in force until the Agreement terminates or as long as Bugsec Processes Customer Data.
    • Bugsec shall be entitled to terminate this DPA or cease the Processing of Customer Data in the event that Processing of Customer Data under the Customer’s Instructions or this DPA infringe applicable legal requirements, provided Customer did not provide updated Instructions to cure such infringement within ten (10) days from receiving applicable notice from Bugsec. Alternately, Bugsec may, in its sole discretion, suspend the Processing of the Customer Data until such infringement is cured without liability to the Customer and without prejudice to any fees incurred by Customer prior to suspension date.
    • Following the termination or expiration of this DPA, Bugsec shall, at the choice of the Customer, delete all Customer Data Processed on behalf of the Customer and certify to the Customer that it has done so, or return all Customer Data to the Customer and delete existing copies. Until the Customer Data is deleted or returned, the parties shall continue to ensure compliance with this DPA. Customer’s choice shall be provided in writing to Bugsec, following effect of termination. Notwithstanding the foregoing, Bugsec may retain Customer Data (i) as required by applicable laws; or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Bugsec will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to retained Customer Data and not further Process it except as required by applicable law or regulatory requirements.
    • In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA.

ANNEX I

DETAILS OF PROCESSING

This Annex I include certain details of the Processing of Personal Data as required under the Data Protection Laws.

Categories of Data Subjects:

As uploaded by Customer while using the Services.

Categories of Personal Data Processed:

As uploaded by Customer while using the Services

Special Categories of Personal Data:

None. Customer is specifically prohibited from providing Bugsec any Sensitive Data or Special Categories of Data, unless agreed in writing by Bugsec

Nature of the Processing:

Collection, storage, organization, communication, transfer, host and other types of Processing for the purpose of providing the Services as set out in the Agreement.

Purpose(s) of Processing:

To provide the Services.

Retention Period:

For as long as it is necessary to provide the Service by Bugsec; provided there is no legal obligation to retain the Customer Data post termination or unless otherwise requested by the Customer.

Process Frequency:

Continuous basis.

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES

Bugsec’s Security Overview

The following description reviews the technical and organizational measures implemented by Bugsec as a Processor of Customer Data, to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons.

Bugsec’s Platform is built on Amazon Web Services (AWS).

The security objectives of Bugsec are identified and managed to maintain a high level of security and consists of the following (concerning all data assets and systems):

• Availability – information and associated assets should be accessible to authorized users when required. The computer network must be resilient. Bugsec will detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems, and information.
• Confidentiality – ensuring that information is only accessible to those authorized to access it, on a need-to-know-basis.
• Integrity – safeguarding the accuracy and completeness of information and processing methods and therefore requires preventing deliberate or accidental, partial or complete, destruction, or unauthorized modification, of electronic data.

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons, can be found in the Bugsec CYCL Security Whitepaper.

ANNEX III

List of Sub-Processors