Data Protection Agreement
Last updated June 15, 2026
This Data Protection Agreement (“DPA”) is a schedule to the Master Terms and is hereby incorporated into the Master Terms for all purposes. In the event of any conflict between any terms of this DPA and the remainder of the Agreement, the terms of this DPA will take precedence.
- Definitions. Capitalized terms have the meanings set out below. Other capitalized terms are defined in the remainder of the Agreement.
  - “Subscriber Personal Information” means Subscriber Content that is Personal Information. For avoidance of doubt, Subscriber Personal Information does not include any statistical data or business contact information collected by HiddenLayer for the purpose of establishing and maintaining the Subscriber relationship.
  - “Personal Information” means any information that identifies, relates to, describes, or can be reasonably linked to a person, a household, or a person’s device.
  - “Privacy Laws” means all applicable privacy, data security, and data protection laws, rules, regulations, jurisprudence, orders, ordinances, and regulatory guidance.
  - “Privacy Rights Request” means a request from a person to exercise control or choice over their Personal Information, pursuant to Privacy Laws.
  - “Sell” means disclosing, transferring, or otherwise making available Personal Information to an external party for monetary or other valuable consideration.
  - “Share” means disclosing, transferring, or otherwise making available Personal Information to an external party for cross-contextual behavioral advertising, whether or not for monetary or other valuable consideration.
  - “Subprocessor” means any and all persons or entities (excluding an employee of HiddenLayer) appointed by HiddenLayer to process Subscriber Personal Information to assist HiddenLayer in fulfilling its obligations under the Agreement.
- Roles. HiddenLayer agrees that, with regard to all Subscriber Personal Information processed pursuant to the Agreement and this DPA, Subscriber is the controller and HiddenLayer is a processor.
- Subscriber Compliance. Subscriber represents and warrants that it complies, and will continue to comply, with all applicable laws, including Privacy Laws, in its processing of Subscriber Personal Information and related instructions it provides to HiddenLayer, and that it has provided all required notices and obtained all necessary consents and rights for such processing. Subscriber is solely responsible for the accuracy, quality, and legality of Subscriber Personal Information and how it is collected.
- Description of Processing.
  - HiddenLayer shall process Subscriber Personal Information solely to perform the Services for Subscriber as expressly set forth in the Agreement and the related schedules. HiddenLayer shall not: (i) Sell or Share Subscriber Personal Information; (ii) retain, use, or disclose Subscriber Personal Information for any purpose other than performing the Services specified in the Agreement; (iii) use Subscriber Personal Information outside the direct business relationship between the Parties; or (iv) combine Subscriber Personal Information with any Personal Information HiddenLayer receives from another entity or collects on its own. Specific details of HiddenLayer’s processing are set forth in Appendix A.
  - Subscriber directs HiddenLayer to use such Subscriber Personal Information on behalf of Subscriber as necessary and proportionate to provide the Products and/or Services, which may include: (i) verifying or maintaining the quality or safety of the Products and/or Services; (ii) undertaking activities to improve, upgrade, or enhance the Products and/or Services; (iii) detecting data security incidents or protecting against malicious, fraudulent, or illegal activity; and (iv) complying with Privacy Laws.
  - HiddenLayer shall ensure that each person processing Subscriber Personal Information is subject to a duty of confidentiality.
- Privacy Rights. HiddenLayer will provide reasonable assistance to Subscriber to enable Subscriber to respond to Privacy Rights Requests. In the event HiddenLayer receives a request directly from a person, HiddenLayer shall direct the person to submit the request to Subscriber. HiddenLayer will not otherwise respond to the request except on instruction from Subscriber or as required by Privacy Laws, in which case HiddenLayer shall, to the extent permitted, inform Subscriber of the legal requirement before HiddenLayer responds to the request.
- Retention, Deletion, and Return. Upon termination or expiration of the Agreement, HiddenLayer shall, within sixty (60) calendar days, and at Subscriber’s election, delete or return all Subscriber Personal Information, except to the extent retention is required by applicable law or industry rules, or for data stored on back‑up systems, which shall be securely isolated and deleted in accordance with HiddenLayer’s deletion policies.
- Cooperation. HiddenLayer shall provide reasonable assistance, at Subscriber’s expense, as required to support Subscriber’s completion of any legally required data protection impact assessments or to respond to any government or regulatory investigation relating to the processing of Subscriber Personal Information.
- Subprocessors.
  - Authorized Subprocessors. Subscriber authorizes HiddenLayer to engage Subprocessors to assist HiddenLayer in fulfilling its obligations under the Agreement. Subscriber approves of the Subprocessors currently engaged by HiddenLayer as of the date of the Agreement. HiddenLayer shall notify Subscriber (which notice may be by electronic mail and/or posting notice on a portal to which Subscriber has access) if it adds or replaces a Subprocessor. If within five (5) calendar days of receipt of that notice, Subscriber notifies HiddenLayer in writing of any objection (on reasonable grounds related to data protection), HiddenLayer will use commercially reasonable efforts to resolve the objection. If Subscriber does not provide written objection within such five (5) calendar day period, the Subprocessor shall be deemed approved by Subscriber.
  - Obligations. HiddenLayer will remain responsible for such Subprocessors’ compliance with the obligations of this DPA and for any acts or omissions that cause HiddenLayer to breach any of its obligations under this DPA. HiddenLayer shall enter into a written agreement with each Subprocessor containing data protection obligations that provide at least the same level of protection for Subscriber Personal Information as those in this DPA, to the extent applicable to the nature of the service provided by such Subprocessor.
- Security.
  - Security Standards. HiddenLayer shall implement and maintain reasonable security procedures and practices appropriate to the nature of Subscriber Personal Information, including but not limited to the measures described in Appendix B, Information Security Requirements.
  - Updates to Security Measures. Subscriber acknowledges that the security measures identified in Appendix B are subject to technical progress and development and that HiddenLayer may update or modify the security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services provided to Subscriber.
  - Subscriber Responsibility. Subscriber is responsible for reviewing the information made available by HiddenLayer relating to data security and making an independent determination as to whether the Services meet Subscriber’s requirements and legal obligations. Notwithstanding the above, Subscriber agrees that except as provided by this DPA, Subscriber is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Subscriber Personal Information when in transit to and from the Services, and taking any appropriate steps to securely encrypt or back up any Subscriber Personal Information uploaded to the Services.
- Audit and Compliance.
  - Audits. HiddenLayer shall satisfy its audit obligations under this DPA by providing Subscriber, upon written request, with: (a) a summary copy of HiddenLayer’s most recent SOC 2 audit report; and (b) responses to reasonable due diligence questionnaires regarding HiddenLayer’s compliance with this DPA and its information security program. Subscriber shall not exercise this right more than once per calendar year. Any information provided by HiddenLayer pursuant to this Section shall be treated as HiddenLayer’s Confidential Information and shall be subject to the confidentiality obligations set forth in the Agreement. Notwithstanding anything to the contrary in this DPA, HiddenLayer shall not be required to disclose any information that would: (i) breach any applicable law, regulation, or binding obligation of confidentiality owed to a third party; (ii) compromise attorney-client privilege or other legal privilege; or (iii) create a security risk to HiddenLayer or its systems.
  - Compliance. HiddenLayer grants Subscriber the right, upon written notice, to direct HiddenLayer to take reasonable and appropriate steps to promptly remediate any unauthorized use of Subscriber Personal Information. Notwithstanding the foregoing, HiddenLayer shall maintain exclusive control of any technical steps to be taken.
- Survival. The obligations in this DPA shall survive for as long as HiddenLayer processes Subscriber Personal Information.
- Liability. HiddenLayer’s liability taken together in the aggregate arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set forth in the Agreement.
Appendix A: Description of Processing
Categories of Persons: Employees, end users, contractors, agents, and other authorized users of the Subscriber, as well as any individuals whose personal information is submitted by or on behalf of the Subscriber through use of the Products and Services (e.g., the Subscriber’s customers or end users, where applicable).
Categories of Personal Information: Name, email address, job title, company or employer, work contact information (e.g., work address and telephone number), user identifiers (e.g., username or user ID), authentication and identity/access management (IAM) data (e.g., roles and permissions), and login credentials used to access the Services. Technical and device information, including IP address, browser type, device identifiers, operating system, and internet service provider. User activity data captured in system access logs, audit logs, and product usage data, as well as any Personal Information submitted by the Subscriber through use of the Products and Services.
Purposes of Processing: HiddenLayer processes Subscriber Personal Information to provide and support the Products and Services.
Duration of Processing: For the term of the Agreement and as necessary to complete the return or deletion of Subscriber Personal Information in accordance with Section 5 of the DPA.
Appendix B: Information Security Requirements
These Information Security Requirements (these “ISRs”) set forth commercially reasonable standards for protection of Subscriber Personal Information by HiddenLayer, taking into account the nature, scope, and sensitivity of Subscriber Personal Information processed.
- Definitions. Capitalized terms have the meanings set out below. Other capitalized terms are defined in the remainder of the Agreement.
  - “Subscriber Systems” means all applications, operating systems, databases, devices, and servers controlled by Subscriber and used in connection with a Product.
  - “Security Incident” means the actual loss, misuse, unauthorized access, unauthorized acquisition, or unauthorized disclosure of Subscriber Personal Information.
  - “HiddenLayer Systems” means all applications, operating systems, databases, devices, and servers controlled by HiddenLayer and used in connection with the Products or Services.
- Security Program.
  - HiddenLayer shall employ commercially reasonable physical, administrative, and technical security controls designed to protect Subscriber Personal Information. Such controls shall be consistent with HiddenLayer's standard security practices for information of similar sensitivity and shall be designed to conform to generally accepted industry standards and applicable Privacy Laws.
  - HiddenLayer shall maintain a written information security program that is designed to meet the requirements of applicable Privacy Laws and the requirements set forth in these ISRs. HiddenLayer shall review and, if needed, update, the written information security program at least annually or whenever there is a change that materially affects the security of Subscriber Personal Information.
- Access to Subscriber Systems.
  - Where HiddenLayer is granted access privileges to Subscriber Systems, HiddenLayer will ensure that only HiddenLayer personnel that are authorized by HiddenLayer to provide the Products and Services (“Authorized HiddenLayer Personnel”) have access to the Subscriber Systems. HiddenLayer will protect and keep confidential Subscriber Systems access credentials (“Credentials”), including by ensuring that such Credentials are not stored or transmitted in an insecure manner. HiddenLayer will have and enforce a policy prohibiting its Authorized HiddenLayer Personnel from sharing any Credentials with any other person, including with any other individual (whether authorized or not). HiddenLayer will ensure that the Subscriber Systems, including all Credentials, will be used by Authorized HiddenLayer Personnel solely for the limited purpose authorized by Subscriber in the Agreement, and not for any personal use or any other purposes.
- Access Controls. With respect to HiddenLayer personnel that access Subscriber Personal Information, HiddenLayer shall:
  - Enforce a ‘least privilege’ model consistent with industry best practices.
  - Restrict access on a need-to-know basis and only grant access to information that personnel need to perform their tasks.
  - Assign unique user IDs and require that personnel keep authentication information confidential and ensure it is not disclosed to anyone.
  - Promptly revoke access upon the end of employment with HiddenLayer or when such access is no longer necessary to provide the Products and Services.
  - Conduct periodic reviews of personnel access to confirm that the requirements of this Section 4 are being met.
  - Provide personnel with appropriate security awareness education and training, including periodic updates to organizational policies, procedures, and standards, as is relevant to their job function.
  - Ensure personnel have signed appropriate non-disclosure or confidentiality agreements.
  - Require successful completion of multi-factor authentication (MFA) to systems that store Subscriber Personal Information.
- Monitoring. With respect to HiddenLayer Systems that store Subscriber Personal Information, HiddenLayer shall:
  - Implement appropriate firewall technologies consistent with generally accepted industry standards. HiddenLayer shall maintain such firewall technologies with updates consistent with industry practices and shall configure firewalls to permit only necessary services and ports.
  - Maintain current anti-virus/anti-malware software, consistent with generally accepted industry standards.
  - Apply security patches and updates in accordance with a risk-based schedule that considers the criticality of each patch and the operational impact of its deployment.
  - Implement reasonable monitoring and logging controls consistent with industry standards.
  - Document a hardened configuration, relative to risk, industry standard practices, and applicable legal requirements.
  - Conduct network and host scans on a periodic basis and remediate identified vulnerabilities in accordance with its standard risk-based policies.
- Storage and Transmission. With respect to the storage and transmission of Subscriber Personal Information, HiddenLayer shall:
  - Use appropriate, up-to-date, and secure key management procedures consistent with generally accepted industry standards.
  - Implement appropriate logical segregation of Subscriber Personal Information from other customer data in multi-tenant environments.
  - Maintain policies designed to prevent unauthorized transfer of Subscriber Personal Information to devices not owned or controlled by HiddenLayer.
  - If HiddenLayer stores any Subscriber Personal Information on portable storage devices, encrypt such Subscriber Personal Information using industry-standard encryption (such as 256-bit encryption) and take reasonable steps to protect such stored Subscriber Personal Information from unauthorized use, loss, or disclosure. Such storage will only be used when reasonably necessary to provide the Products and Services.
  - Restrict access to, control, and monitor physical areas in HiddenLayer’s control that store Subscriber Personal Information, including through the use of appropriate physical access controls.
  - Ensure all printed records that contain Subscriber Personal Information are securely destroyed by shredding.
  - Provide Subscriber with an encrypted mechanism to transfer Subscriber Personal Information to HiddenLayer.
  - Encrypt all Subscriber Personal Information at rest and in transit using industry-standard encryption.
- Asset Management. With respect to asset management, HiddenLayer shall:
  - If HiddenLayer uses removable media for Subscriber Personal Information, maintain an inventory system for such media.
  - When disposing of media that contained Subscriber Personal Information, sanitize the media in accordance with industry standards. If sanitization is not possible, HiddenLayer shall securely destroy the media.
- Security Incident Management.
  - In the event of a Security Incident, HiddenLayer shall notify Subscriber without undue delay after confirming the occurrence of such Security Incident, and in any event within seventy-two (72) hours. This notification will be made in writing to Subscriber at the contact information provided by Subscriber pursuant to the Agreement (and/or such other Subscriber contact(s) as may be designated by Subscriber in writing from time to time). HiddenLayer shall take appropriate steps to identify the cause of the Security Incident and minimize and secure the Subscriber Personal Information, to the extent remediation is within HiddenLayer’s reasonable control.
  - In its notification to Subscriber, HiddenLayer will include available details of the Security Incident to enable Subscriber to comply with its obligations under Privacy Laws, to the extent such information is known and can be disclosed without compromising HiddenLayer's investigation or response efforts. In no event shall HiddenLayer be required to divulge information that would result in a breach of any of its legal or contractual obligations, or which would result in a waiver of legal privilege. HiddenLayer’s notification of or response to a Security Incident under this Agreement shall not be construed as an acknowledgment by HiddenLayer of any fault or liability with respect to the Security Incident.
  - HiddenLayer will provide reasonable assistance to enable Subscriber to meet its obligations under applicable law with respect to a Security Incident. HiddenLayer will not assess the contents of Subscriber Personal Information to identify any specific reporting or other legal obligations that are applicable to Subscriber. Any and all regulatory and/or individual reporting obligations related to the Security Incident are the responsibility of Subscriber.