Effective: 01.01.2024

Last Reviewed on: 07.01.2024

WHEN YOU CLICK A BOX INDICATING ACCEPTANCE OF THIS AGREEMENT OR WHEN YOU EXECUTE AN ORDER FORM THAT REFERENCES THIS AGREEMENT, YOU, THE COMPANY ENTERING THIS AGREEMENT (“CUSTOMER”), AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ACCEPT THIS AGREEMENT ON BEHALF OF YOUR COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THIS AGREEMENT.

THIS DATA PROCESSING AGREEMENT, including the selected modules of the Model Clauses and Annexes (“DPA”) forms part of and is subject to the Concord Technologies SaaS Agreement or other written or electronic agreement (together with any Order Forms issued thereunder, the “Main Agreement”) between the customer identified on the applicable Order Form (“Customer”) and Concord Technologies, Inc. (“Concord”). Customer and Concord may be referred to as a “party” and together as the “parties.” In the event of a conflict between the terms and conditions of this DPA and the Main Agreement, the terms and conditions of this DPA will supersede and control to the extent of such conflict. This DPA incorporates the following Annexes:

Annex 1 - Details of Processing

Annex 2 - Security Measures

‍1. Definitions

Any capitalized terms not defined herein will have the meanings ascribed to them in the Main Agreement.

“Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common Control with an entity, where control means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests (as measured on a fully-diluted basis) then outstanding of the entity in question.

“Authorized User” means an individual user who uses the Service including to manage their data privacy preferences (referred to as a User in the Main Agreement).

“Business Purpose” has the meaning attributed to in Section 1798.140(d) of the CCPA.

“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.

“Customer Personal Data” means personally identifiable information that: (i) relates to an identified or identifiable natural person; or (ii) that is otherwise protected as “personal data” or “personal information,” pursuant to applicable Data Protection Laws, that is provided by an Authorized User.

“Data Protection Laws” means the data protection and privacy laws regulations applicable to the processing of Customer Personal Data, including, where applicable, E.U. Data Protection Laws, and U.S. Data Protection Laws, in each case, as may be amended, superseded, or replaced.

“EEA” means the European Economic Area, United Kingdom, and Switzerland.

“E.U. Data Protection Laws” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons regarding the processing of personally identifiable information and on the free movement of such data (“E.U. GDPR”); (ii) in respect of the United Kingdom the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) the Swiss Federal Data Protection Act (“Swiss DPA”).

“Model Clauses” (i) where the E.U. GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK SCCs”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”)

“Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed by Concord or its Subprocessors.  A “Security Incident” does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful login attempts, pings, port scans, denial of services attacks, and other network attacks on firewalls or networked systems.

“Services” or “Service” means the services that are provided by Concord to Customer, as described in the Main Agreement.

“Subprocessor” means a processor engaged by Concord that accesses, stores, or processes Customer Personal Data. Subprocessors exclude employees, consultants, or independent contractors of Concord where such individual performs services equivalent to those performed by an employee.

“U.S. Data Protection Laws” means the state data protection or privacy laws and regulations applicable to the processing of Personal Data in force within the United States, including, but not limited to, (i) the CCPA, (ii) the Virginia Consumer Data Protection Act (“VCDPA”), (iii) to the extent in effect, the Colorado Privacy Act, Connecticut Act Concerning Personal Data Privacy and Online Monitoring, Utah Privacy Act, and (iv) any rules or regulations implementing any of the foregoing.

“Controller”, “processor”, “processing” and “personal data” will have the meanings given to them under Data Protection Laws.

‍2. Roles & Scope of Processing

2.1 Processing Description

The type of Customer Personal Data processed, the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are as described in Annex 1 (Details of Processing). The parties agree that the description of the processing may be updated by Concord from time to time to reflect new products, features, or functionality comprising the Services.

2.2 Data Processing Roles

2.2.1. In respect of the parties’ roles under this DPA, the parties acknowledge and agree that, with respect to Customer Personal Data, Customer is the “controller” with respect to EU Data Protection Law and a “business” with respect to CCPA, and Concord is a “processor” with respect to EU Data Protection Law and a “service provider” with respect to CCPA. Concord will process Customer Personal Data in accordance with the Main Agreement, this DPA, and/or with Customer’s written instructions and only for the following purposes:

• 2.2.1.1. To provide the Services;
• 2.2.1.2. To perform any steps necessary for the performance of the Main Agreement;
• 2.2.1.3. Processing initiated by Authorized User in their use of the Service; and
• 2.2.1.4. To comply with other reasonable, lawful instructions or requests provided by Customer (e.g., via email, phone, support tickets, or online tool).

2.2.2 Concord may process certain personal data, including Customer Personal Data for its own legitimate business purposes, as an independent controller, as follows:

• 2.2.2.1. Billing, account and customer relationship management (including sales and marketing communications), support, and related correspondence;
• 2.2.2.2. Complying with and resolving legal obligations, tax requirements, and in connection with any disputes;
• 2.2.2.3. Monitoring and protecting the confidentiality, privacy, and security of the Services;
• 2.2.2.4. Internal reporting, financial reporting, revenue planning, and forecast modeling;
• 2.2.2.5. Receiving feedback regarding the Services and incorporating feedback into product development; and
• 2.2.2.6. other uses permitted by Customer in the Main Agreement or other terms entered into between Concord and Customer.

2.2.3. Concord’s use of cookies and similar technologies shall be in compliance with the Concord Privacy Policy.

2.3 Compliance With Laws

Concord will process Customer Personal Data in accordance with this DPA and Data Protection Laws applicable to its role under this DPA. Concord is not responsible for complying with Data Protection Laws that are uniquely applicable to Customer by virtue of its business or industry. Concord will promptly inform Customer if it becomes aware that Customer’s processing instructions infringe Data Protection Laws.

2.4 U.S. Data Protection Laws

With respect to the U.S. Data Protection Laws, Concord will (i) with respect to Customer Personal Data, comply with sections applicable to service providers or processors, as such terms may be defined under applicable U.S. Data Protection Laws; (ii) process Customer Personal Data solely for the purpose of providing the Services to Customer, consistent with U.S. Data Protection Laws; and (iii) not sell Customer Personal Data, or share Customer Personal Data in connection with cross-contextual behavioral advertising.

2.5 Customer Responsibilities

With respect to Customer Personal Data, Customer (as a “controller” or “business” as described in Section 2.2.1) is responsible for: (i) the accuracy, quality, and legality of the Customer Personal Data; (ii) the means by which Customer acquired Customer Personal Data; (iii) the instructions Customer provides to Concord regarding the processing of Customer Personal Data; (iv) providing all legally required notices to individuals and obtaining all legally required consents which may be necessary for Concord to process Customer Personal Data; (v) ensuring that Customer’s processing instructions are lawful and do not violate applicable Data Protection Laws; and (vi) ensuring that Customer Personal Data is provided to Concord for a valid “Business Purpose,” as defined in the CCPA. Customer will not provide or make available to Concord any Customer Personal Data in violation of the Main Agreement or provide any Customer Personal Data that is inappropriate for the nature of the Services.

‍3. International Data Transfer Mechanism

3.1 Restricted Transfer; Transfer Mechanism

Where the transfer of Customer Personal Data is a Restricted Transfer, such transfer will be subject to the Model Clauses (subject to Section 3.2, 3.3, or 3.4, as applicable) which are incorporated into and form an integral part of this DPA. For the purposes of the Model Clauses, the parties agree that: (i) with respect to Customer Personal Data, Concord is a “data importer” and Customer is the “data exporter”; and (ii) it is not the intention of either party to contradict or restrict any of the provisions set forth in the Model Clauses and, accordingly, if and to the extent the Model Clauses conflict with any provision of the Main Agreement (including this DPA) the Model Clauses will prevail to the extent of such conflict.

3.2 Model Clauses; EU GDPR

3.2.1. For purposes of the Model Clauses, with respect to Customer Personal Data processed by Concord as a processor, Module 2 will apply and: (i) in Clause 7, the optional docking clause will apply; (ii) in Clause 9 of Module Two, Option 2 will apply and the time period for prior notice of Subprocessor changes is identified in Section 4.1 of this DPA; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law; (v) in Clause 18(b), disputes will be resolved before the courts of Ireland; (vi) Annex 1 will be deemed completed with the information set out in Annex 1 (Details of Processing) of this DPA; and (vii) Annex 2 (Security Measures) will be deemed completed with the information set out in Annex 2 of this DPA.

3.2.2. For purposes of the Model Clauses, with respect to Customer Personal Data processed by Concord as a controller, Module 1 will apply, and (i) in Clause 7, the optional docking clause will apply; (ii) in Clause 11, the optional language will not apply; (iii) in Clause 17, the Standard Contractual Clauses will be governed by Irish law; (iv) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (v) Annex 1 will be deemed completed with the information set out in Annex A (Details of Processing) of this DPA; and (vi) Annex 2 (Security Measures) will be deemed completed with the information set out in Annex 2 of this DPA.

3.3 Model Clauses; UK GDPR

In relation to transfers of Customer Personal Data protected by the UK GDPR, the UK SCCs will apply and Table 1 to 3 of the UK SCCs will be populated using the information contained Annex 1 and Annex 2, as applicable, and the option “neither party” shall be deemed checked in Table 4. The start date of the UK SCCs (as set out in Table 1) shall be the effective date of the Order Form to which this Addendum applies.

3.4 Restricted Transfer; Swiss DPA

In relation to transfers of Customer Personal Data protected by the Swiss DPA, the EU SCCs will also apply with the following modifications: (i) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA; (ii) references to “EU”, “Union”, “Member State” and “Member State law” will be interpreted as references to Switzerland and Swiss law, as the case may be; and (iii) references to the “competent supervisory authority” and “competent courts” will be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland. Where the EU SCCs cannot be used to lawfully transfer such Customer Personal Data in compliance with the Swiss DPA in which case the Swiss SCCs will instead be incorporated by reference and form an integral part of this DPA and will apply to such transfers. Where the Swiss SCCs apply, the relevant Annexes or Appendices of will be populated using the information contained Annex 1 and Annex 2, as applicable.

3.5 Alternative Data Transfer Arrangements

To the extent Concord adopts an alternative data export mechanism (including any new version of or successor to the Model Clauses adopted pursuant to Data Protection Laws) for the transfer of personal data (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism will automatically apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Data Protection Laws applicable to the EEA and extends to territories to which Customer Personal Data is transferred).

‍4. Subprocessing

4.1 Notification of New Subprocessors

Customer hereby provides its general authorization for Concord to engage the Subprocessors listed at concord.tech/legal/sub-processors (and such URL may be updated from time to time). You may subscribe to receive notifications by email if we add or replace any Sub-Processors  by emailing us at privacy@concord.tech and asking to be added to the notification list. At least fourteen (14) days before allowing a new Subprocessor to process Customer Personal Data, Concord will add the Subprocessor to the list and notify notification subscribed Customers of the update. Customer may object in writing to the appointment of a new Subprocessor within ten (10) calendar days of Concord’s notice thereof, provided that such objection is based on reasonable grounds relating to data protection or data privacy. In such event, the parties will discuss Customer’s concerns in good faith with a view to achieving resolution. If the parties are not able to achieve resolution, Customer, as its sole and exclusive remedy, may terminate the Main Agreement (including this DPA) for convenience.

‍

4.1 Subprocessor Obligations

Concord will enter into a written agreement with each Subprocessor imposing such data protection obligations as are required under applicable Data Protection Laws. To the extent the CCPA applies, each written agreement with a Subprocessor will comply with the CCPA, designate the Subprocessor as a “service provider,” and prohibit the Subprocessor from selling Customer Personal Data, sharing Customer Personal Data for cross contextual behavioral advertising, or using Customer Personal Data in a manner not authorized by the CCPA. Concord will be responsible for any Subprocessor’s breach of the terms of this DPA.

‍5. Security Measures & Security Incident Response

5.1 Security Measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Concord will implement and maintain technical and organizational measures that are designed to protect Customer Personal Data from unauthorized or unlawful destruction, loss, alteration, disclosure of or to access and will implement those measures specified in Annex 2 (“Security Measures”). Concord may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.

5.2 Customer Responsibilities

Customer is responsible for its secure use of the Service, including securing its account authentication credentials, and protecting the security of Customer Personal Data transmitted via the systems Customer administers and maintains (i.e., email encryption).

5.3 Security Incident Response

Concord will notify Customer without undue delay (and in any case within seventy-two (72) hours) after becoming aware of a Security Incident. Concord will provide information relating to the Security Incident to Customer promptly as it becomes known or as is reasonably requested by Customer. Concord will take appropriate and reasonable steps to contain, investigate, and mitigate any Security Incident.

‍6. Responding to Customer Requests

Concord will provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Data Protection Laws (including its rights of access, correction, objection, erasure, and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party, in each case in respect of Customer Personal Data that Concord processes on Customer’s If any request, correspondence, enquiry or complaint is made directly to Concord, Concord will not respond without Customer’s prior authorization, unless legally compelled to do so, except that Concord will inform the individual that the individual should submit the request directly to Customer. Concord will provide a copy of the request to Customer. If Concord is legally required to respond to such a request, Concord will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

‍7. Audit & Records

7.1 Reports; Security Assessments

Upon request, Concord will (i) make available to Customer a summary copy of any available audit reports regarding the audit of Concord information security controls, systems, and documentation so that Customer may assess Concord’s compliance with this DPA; and (ii) provide written responses to reasonable requests for information made by Customer related to its processing of Customer Personal Data, including responses to information security and audit questionnaires, that are necessary to confirm Concord’s compliance with this DPA; provided that Customer will not exercise this right more than once per calendar year.

7.2 Audit Rights & Procedures

Where Customer cannot reasonably satisfy Concord’s compliance with this DPA pursuant to the exercise of its rights under Section 7.1, and where required under Data Protection Laws or by a data protection authority under Data Protection Laws, Customer may, on giving at least thirty (30 days) prior written notice, request that Customer’s personnel or a third party (at Customer’s expense) conduct an audit of Concord’s facilities, equipment, documents and electronic data relating to the processing of Customer Personal Data solely to the extent necessary to inspect and/or audit Concord’s compliance with this DPA, provided that: (i) Customer will not exercise this right more than once per calendar year; (ii) such additional audit enquiries will not unreasonably or adversely impact in Concord’s regular operations; (iii) will not be incompatible with Data Protection Laws or with the instructions of the relevant data protection authority; (iv) the parties will mutually agree upon the scope, timing, and duration of the audit; and (v) at all times during the scope of the audit, Customer and any appointed third party will comply with Concord’s policies, procedures, and reasonable instructions governing access to its systems and facilities, including limiting or prohibiting access to information that is confidential information. No such audit will require Concord to provide Customer with access to internal accounting or financial records, trade secrets, or information that could reasonably compromise the security of Concord systems.

‍8. Return or Deletion of Data

Promptly upon Customer’s request after the termination or expiration of the Main Agreement, Concord will delete or return Customer Personal Data in its possession or control. This requirement will not apply to the extent Concord is required by applicable law to retain Customer Personal Data, to Customer Personal Data that is archived on back-up systems (which will be securely isolated and not subject to further processing, except to the extent required by law), or to any information where Concord’s role is that of the data controller or business.

‍9. Cooperation

Concord does not voluntarily provide government agencies, authorities, or law enforcement with access to Customer Personal Data. If a law enforcement agency sends Concord a demand for Customer Personal Data (e.g., a subpoena, court order, search warrant, or other valid legal process), Concord will attempt to redirect the law enforcement agency to request that data directly from Customer. If compelled to disclose Customer Personal Data to a law enforcement agency, Concord will give Customer reasonable notice to allow Customer to seek a protective order or other appropriate remedy, to the extent Concord is legally permitted to do so.

‍10. Limitation of Liability

Notwithstanding anything to the contrary in the Main Agreement or this DPA, the total aggregate liability of Concord for all claims under the Main Agreement and DPA (including Affiliate claims) will be subject to the exclusions and limitations of liability set out in the Main Agreement, and such exclusions and limitations will apply to any claims, losses, costs or other damages arising from or related to (i) a breach of this DPA; (ii) fines (administrative, regulatory or otherwise) imposed upon Customer; (iii) violation of Data Protection Laws, including any claims relating to damages paid to a data subject; or (iv) breach of its obligations under the Model Clauses. Nothing in this DPA or the Agreement limits a party’s liability with respect to any individual’s direct exercise of its data protection rights against a party.

‍11. General

As between Customer and Concord, this DPA is incorporated into and subject to the terms of the Main Agreement and will be effective and remain in force for the term of the Main Agreement. Each party acknowledges that the other party may disclose the Model Clauses, this DPA, and any privacy related provisions in the Main Agreement to any regulator or supervisory authority upon request. This DPA does not confer any third-party beneficiary rights, it is intended for the benefit of the parties hereto, respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person. Other than as required by the Model Clauses, the dispute mechanisms, including those related to venue and jurisdiction, set forth in the Main Agreement govern any dispute pertaining to this DPA.

Annex 1: Details of Processing

‍A. List of Parties

Data exporter:

Name:

The entity listed as “Customer” in the signature block to this DPA.

Address:

The address listed in the Main Agreement

Contact Person’s Name, Position, & contact Details:

The point of contact listed on in the Main Agreement.

Activities Relevant to the Data Transferred Under These Clauses:

As described in the Main Agreement.

Role (Controller/Processor):

Controller.

Data importer(s):

Name:

Concord Technologies, Inc.

Address:

9450 SW Gemini Drive, Suite 26582, Beaverton, Oregon 97008-7105

Activities Relevant to the Data Transferred Under These Clauses:

Provide privacy and data software solutions to Customer as specified in the Main Agreement.

Role (Controller/Processor):

Processor with respect to Customer Personal Data; Controller with respect to information described in Clause 2.2.2 of the DPA.

‍B. Description of Transfer

Categories of data subjects whose personal data is transferred.

• Customer, Authorized Users and individuals who access and use the Services which are made available by Customer.

Categories of personal data transferred.

• Name, email address and IP address of individuals Authorized Users.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

• N/A.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

• Continuous during the term of the Main Agreement.

Nature of the processing.

• To enable individuals to manage their privacy settings and personal data on online properties used by Customer.

Purpose(s) of the data transfer and further processing.

• To provide the Services to Customer to enable Customer to provide privacy and data solutions to individuals.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.

• From the Effective Date of the Main Agreement until its termination.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.

• From the Effective Date of the Main Agreement until its termination.

‍B. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13

• The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located will act as competent supervisory authority.

Annex 2: Security Measures

The technical and organizational measures implemented by Concord (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are as follows.  Such measures may be updated from time to time by Concord, provided that any update will not decrease or reduce the protections provided by the measures set forth below.

• Encryption of personal data
  • Data at rest and in transit encrypted using AES-256 algorithm.
  • Employee laptops are encrypted using full disk AES-256 encryption.
  • HTTPS encryption on every web login interface, using industry standard algorithms and certificates.
  • Secure transmission of credentials using by default TLS 1.2 or 1.3.
  • Access to operational environments requires use of secure protocols such as HTTPS.
• Measures for limiting the access to personal data and the availability to restore personal data in a timely manner in the event of a physical or technical incident
  • Strong access controls based on the use of the ‘Principle of Least Privilege’.
  • Differentiated rights system based on security groups and access control lists.
  • Employee is granted only amount of access necessary to perform job functions.
  • Unique accounts and role-based access within operational and corporate environments.
  • Access to systems restricted by security groups and access-control lists which are approved by management.
  • All access to the IaaS environments (e.g., Development and Production accounts) require authentication through a secure connection via an approved method and MFA.
  • Concord corporate offices including LAN and Wi-Fi networks are considered to be untrusted.
  • Authorization requests are tracked, logged and audited on a regular basis.
  • Removal of access for employee upon termination or change of employment.
  • Enforcement of Multi-factor Authentication (MFA) for access to critical and production resources.
  • Strong and complex passwords required Minimum time between password changes and maximum lifetime of passwords is limited by policy.
  • Passwords are never stored in clear-text and are encrypted in transit and at rest.
  • Account provisioning and de-provisioning processes.
  • Segregation of responsibilities and duties to reduce opportunities for unauthorized or unintentional modification or misuse.
  • Confidentiality requirements imposed on employees and all personnel acknowledge they are responsible for reporting actual or suspected security incidents or concerns, thefts, breaches, losses, or unauthorized disclosures of information, and to whom to report them.
  • Mandatory security trainings for employees on a quarterly basis.
  • Non-disclosure agreements with third parties.
  • Separation of networks based on trust levels.
• Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
  • User activity including logins, configuration changes, deletions and updates are written automatically to audit logs in operational systems.
  • All logs can be accessed only by authorized Concord employees and access controls are in place to prevent unauthorized access.
  • Write access to logging data is strictly prohibited. Logging facilities and log information are protected against tampering and unauthorized access through use of access controls and security measures.
  • Network segmentation and interconnections protected by firewalls.
  • Vulnerability scans are automatically performed quarterly on systems required to operate and manage the Service. The vulnerability database is updated regularly.
  • Penetration testing is conducted at least annually.
• Measures for user identification and authorization
  • Access to operational and production environments is protected by use of unique user accounts, strong passwords, use of Multi-Factor Authentication (MFA), role-based access, and least privilege principle.
  • Authorization requests and provisioning is logged, tracked, and audited.
  • User activity in operational environments including access, modification or deletion of data is being logged.
• Encryption and Key Management
  • Encryption algorithms or methods must be consistent with NIST guidelines.
  • Concord manages encryption keys on behalf of customers.
  • Encryption keys are rotated regularly.
• Measures for the protection of data during storage
  • Concord customer instances are logically separated and attempts to access data outside allowed domain boundaries are prevented and logged.
  • Endpoint security software
  • System inputs recorded via log files
  • Access Control Lists (ACL)
  • Multi-factor Authentication (MFA)
• Measures for ensuring system configuration, including default configuration
  • Concord has in place a Change Management Policy and a Code Review Policy.
  • Concord monitors changes to in-scope systems to ensure that changes follow the process and to mitigate the risk of un-detected changes to production. Changes are tracked.
  • Concord has in place Access Control Policy and Procedures
• Measures for ensuring data minimization
  • Data collection is limited to the purposes of processing.
  • Security measures are in place to provide only the minimum amount of access necessary to perform required functions.
• Third Party / Vendor Security Assessment
  • Concord conducts security assessments of IaaS providers no less frequently than annually.
  • Open issues are documented, prioritized, and tracked to closure in JIRA.
  • Concord conducts security assessments of its third-party SaaS vendors in accordance with its Vendor Security Assessment Program.
• Measures for ensuring limited data retention
  • After termination of all subscriptions associated with an environment, customer data submitted to the Services is retained in inactive status within the Services, upon request customer data is deleted.