Transcend Tools Customer Data Processing Addendum
This Data Processing Addendum (this “DPA”) supplements and forms part of the Subscription Services Agreement or other agreement between Customer and Transcend Tools about the provision of Services by Transcend Tools to Customer (“Agreement”) when Data Protection Law applies to Customer’s access and use of the Services to process Customer Personal Data (defined below).
Customer enters into this DPA on behalf of itself and, to the extent required under applicable law, in the name of and on behalf of its Data Controller Affiliates (defined below) (“Customer”). For the purposes of this DPA only, and except as otherwise indicated, the term “Customer” shall include Customer and Data Controller Affiliates.
- Data Processing
- Scope and Roles. This DPA applies when Customer Personal Data is processed by Transcend Tools under applicable Data Protection Law. In this context, where the law provides for the roles of “controller” and “processor,” Customer is the Controller of the Customer Personal Data covered by this DPA, and Transcend Tools shall be a Processor Processing Customer Personal Data on behalf of Customer and this DPA shall apply accordingly.
- Details of Data Processing.
- Subject matter. The subject matter of the data processing under this DPA is Customer Personal Data.
- Duration. The duration of the Processing under this DPA is determined by the Agreement. Regardless of whether the Agreement has terminated or expired, this DPA will remain in effect until, and automatically expire when Transcend Tools deletes or anonymizes all Customer Personal Data as described in the Agreement.
- Purpose. The purpose of the processing under the DPA is the provision of the Services by Transcend Tools to Customer as specified in the Agreement.
- Nature of the Processing. Customer Personal Data is processed by Transcend Tools in connection with the Services under the Agreement and/or any applicable Order.
- Categories of Data Subjects. The Data Subjects of Customer which may include Customers’ Authorized Users, employees, contractors, suppliers, or other third parties whose Personal Data is uploaded by Customer for use in connection with the Services.
- Categories of data. Identifiers (contact detail including name, email, phone number and addresses); Employment Data (professional data, contact details, hours worked, site access); IT Data (IP addresses, browser type, language preferences, cookies data); and other Personal Data that Customer or its Authorized Users elect to submit to the Services.
- Special categories of data (if appropriate). Transcend Tools and/or its Subprocessors do not intentionally collect or process any special categories of data in connection with the provision of the Services under the Agreements. However, Customer or its Affiliates may choose to include this type of data within content that the Customer instructs Transcend Tools to process on its behalf.
- Compliance with the laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA.
- Jurisdiction Specific Terms. Certain jurisdictions require other specific terms. Where required under applicable Data Protection Law, this DPA fully incorporates the applicable Jurisdiction Specific Terms available at http://18.189.229.135/legal.
- Documented Instructions.
- Customer Instructions. Customer shall, in its use of the Services, at all times provide documented instructions to Transcend Tools for the Processing of Customer Personal Data, in compliance with applicable Data Protection Law. The Parties agree that this DPA and the Agreement constitute Customer’s documented instructions regarding Transcend Tools Processing of Customer Personal Data (“Documented Instructions”). Transcend Tools will Process Customer Personal Data in accordance with Customer’s Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Transcend Tools and Customer, including agreement on any additional fees payable by Customer to Transcend Tools for carrying out such instructions.
- Obligations and Indemnity. Customer shall ensure that its Documented Instructions comply with all laws, rules and regulations applicable to the Customer Personal Data, and that the Processing of Customer Personal Data per Customer’s Documented Instructions will not cause Transcend Tools to be in breach of applicable Data Protection Law. Customer is solely responsible for the accuracy, quality, and legality of (a) the Customer Personal Data provided to Transcend Tools by or on behalf of Customer; (b) how Customer acquired any such Customer Personal Data; and (c) the Documented Instructions it provides to Transcend Tools regarding the Processing of such Personal Data. Customer shall not provide or make available to Transcend Tools any Personal Data in violation of the Agreement, this DPA, or otherwise inappropriate for the nature of the Services and shall indemnify Transcend Tools from all claims and losses in connection therewith.
- Confidentiality of Customer Personal Data. Transcend Tools will not access or use, or disclose to any third party, any Customer Personal Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law, a Public Authority Request and/or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Transcend Tools a demand for Customer Personal Data, Transcend Tools will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Transcend Tools may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Personal Data to a governmental body, then Transcend Tools will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Transcend Tools is legally prohibited from doing so.
- Authorized persons. Transcend Tools shall ensure that all persons authorized to Process Customer Personal Data on behalf of Transcend Tools are made aware of the confidential nature of the Customer Personal Data, and have committed themselves to confidentiality (e.g., by confidentiality agreements) or are under an appropriate statutory obligation of confidentiality.
- Authorized Subprocessors. Customer hereby generally authorizes Transcend Tools to engage Subprocessors in accordance with this Section 5. Customer approves the Subprocessors currently listed below as Appendix A. If Customer transfers Customer Personal Data to Transcend Tools under the SCCs, the above authorization will constitute Customer’s prior written consent to the subcontracting by Transcend Tools of the Processing of Customer Personal Data if such consent is required under the SCCs. Transcend Tools may remove, replace or appoint suitable and reliable further Subprocessors, provided that Transcend Tools shall notify Customer, update the list of Subprocessors and provide Customer with an opportunity to object where required under applicable Data Protection Law.
- Objections. If the Customer reasonably objects to the engagement of a new Subprocessor, Transcend Tools shall have the right to cure the objection through one of the following options (to be selected at Transcend Tools sole discretion): (a) Transcend Tools cancels its plans to use the Subprocessor with regard to Customer Personal Data; (b) Transcend Tools will take the corrective steps requested by Customer in its objection (which removes Customer’s objection) and proceed to use the Subprocessor with regard to Customer Personal Data; (c) Transcend Tools may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Service that would involve the use of such Subprocessor with regard to Customer Personal Data; and (d) Transcend Tools provides Customer with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If Transcend Tools, in its sole discretion, cannot provide any such alternative(s), or if Customer does not agree to any such alternative(s) if provided, Transcend Tools and Customer may terminate this DPA with prior written notice, or suspend the affected Services. Termination shall not relieve Customer of any fees or charges owed to Transcend Tools for Services provided up to the effective date of the termination under the Agreement. In the event that Transcend Tools elects to suspend Customer’s access to and use of affected Services, such suspension shall relieve Customer of any fees or charges owed to Transcend Tools for such Services after the effective date of the suspension. If Customer does not object to a new Subprocessor’s engagement within ten (10) days of notice by Transcend Tools, that new Subprocessor shall be deemed accepted.
- Subprocessor Obligations. Where Transcend Tools authorizes a Subprocessor as described in Section 5.1:
- Transcend Tools will restrict the Subprocessor’s access to Customer Personal Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and Transcend Tools will prohibit the Subprocessor from accessing Customer Personal Data for any other purpose;
- Transcend Tools will enter into a written agreement with the Subprocessor and, to the extent that the Subprocessor performs the same data processing services provided by Transcend Tools under this DPA, Transcend Tools will impose on the Subprocessor the same contractual obligations that Transcend Tools has under this DPA; and
- Transcend Tools will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Transcend Tools to breach any of Transcend Tools obligations under this DPA.
- Security; Audits; Personal Data Breach; Impact Assessments.
- Security. Transcend Tools provision of the Services will be consistent with the measures described in Appendix B.
- Updates to Transcend Tools Security Controls. Customer is responsible for reviewing the information made available by Transcend Tools relating to data security and making an independent determination as to whether the Security Controls set forth in Section 6.1, above, meet Customer’s requirements and legal obligations under applicable law. Customer acknowledges that the Security Controls are subject to technical progress and development and that Transcend Tools may update or modify the Security Controls from time to time provided that such updates and modifications do not materially degrade the overall security of the Services during the Subscription Term.
- Confidential Security Reports and Audits. Transcend Tools does and will maintain compliance with SSAE 18 (SOC 1 & 2), or appropriate and comparable equivalents of those audit standards, for the duration of its processing of Customer Personal Data. Upon request, Transcend Tools shall, no more than once per calendar year make available for Customer’s review, a summary copy of an audit report(s) (“Report”) that reflects such compliance, a request may be made by emailing operations@transcendtools.com. Customer acknowledges and agrees that such Reports are Transcend Tools Confidential Information. Transcend Tools shall also provide a requesting Customer with a Report and/or confirmation of Transcend Tools own audits and/or a report of third party auditors’ audits of its Subprocessors that have been provided by those Subprocessors to Transcend Tools, to the extent such reports or evidence may be shared with Customer (“Third-party Subprocessor Audit Reports”). Customer acknowledges that (a) Reports and Third-party Subprocessor Audit Reports shall be considered Confidential Information as well as confidential information of the third-party Subprocessor and (b) certain third-party Subprocessors to Transcend Tools may require Customer to execute a non-disclosure agreement with them in order to view a Third-party Subprocessor Audit Report.
- Personal Data Breach. In the event of a Personal Data Breach, Transcend Tools shall notify Customer without undue delay and otherwise respond as described in 6.3.1 below. In addition, Transcend Tools shall, taking into account the nature of the Processing and the information available to Transcend Tools assist Customer in ensuring compliance with its obligations under applicable Data Protection Law to conduct a data protection impact assessment and, with prior notice, to assist with consultations with the Competent Supervisory Authority (defined below), where required.
- Practices. Transcend Tools does and will (a) maintain and follow a documented incident response plan and associated procedures consistent with industry standards for Personal Data Breach handling; (b) investigate Personal Data Breach of which Transcend Tools becomes aware, and, within the scope of the Services, and take such steps as Transcend Tools in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach; and (c) notify Customer without undue delay upon confirmation of a Personal Data Breach that is known or reasonably suspected by Transcend Tools to affect Customer Personal Data, and provide Customer with reasonably requested information about such Personal Data Breach and the status of the remediation and restoration activities. The obligations herein shall not apply to a Personal Data Breach caused by Customer, Customer’s Authorized Users or misuse of Customer’s Access Credentials. Transcend Tools obligation to report or respond to a Personal Data Breach under this Section 6 is not and will not be construed as an acknowledgement by Transcend Tools of any fault or liability of Transcend Tools with respect to the Personal Data Breach.
- Transcend Tools Assistance with Data Subject Requests. Transcend Tools will inform Customer of requests from Data Subjects exercising their Data Subject rights under applicable Data Protection Law (e.g., including but not limited to rectification, deletion and blocking of data) addressed directly to Transcend Tools regarding Customer Personal Data. Customer shall be responsible for handling such requests of Data Subjects. Upon a written request for assistance by Customer, Transcend Tools will reasonably assist Customer with handling such Data Subject request. Transcend Tools may charge Customer no more than a reasonable charge to perform such assistance, and such charges will be set forth in a quote and agreed in writing by the Parties, or as set forth in the Agreement. If Customer does not agree to the quote, the Parties agree to reasonably cooperate to find a feasible solution.
- International Transfers of Personal Data
- U.S. Based Processing; Notification of Changes. Customer acknowledges and agrees that Transcend Tools may transfer and process Customer Personal Data to and in the United States and anywhere else in the world where Transcend Tools, its Affiliates, or its Subprocessors maintain data processing operations. Transcend Tools shall ensure that such transfers are made in compliance with applicable Data Protection Law and this DPA.
- Application of SCCs. The applicable SCC Controller-to-Processor Clauses, currently available through Transcend Tools Jurisdiction Specific Terms located at http://18.189.229.135/legal will apply to Customer Personal Data that is transferred via the Services from Europe (defined below) and/or the United Kingdom, either directly or via onward transfer, to any country not recognized by the European Commission, the Swiss Federal Data Protection and Information Commissioner and/or a competent United Kingdom regulatory authority or governmental body as providing an adequate level of protection for Customer Personal Data. This DPA fully incorporates the applicable SCCs by reference. If Customer submits Customer Personal Data to the Services for Processing by Transcend Tools, Customer and Transcend Tools will be deemed to have entered into the SCCs, where applicable, and the submission of such Customer Personal Data to the Services will constitute Customer’s prior written consent to the transfer and Processing by Transcend Tools if such consent is required under the SCCs. The SCCs will not apply where the Customer Personal Data is transferred in accordance with an Alternative Transfer Mechanism (defined below), such as when necessary for the performance of Services pursuant to the Agreement or on Customer’s Documented Instructions.
- Explicit Consent and Notice. Customer shall bear sole responsibility for obtaining its Authorized User’s and/or Data Subjects’ informed and explicit consent prior to the transfer of any Customer Personal Data to Transcend Tools in a manner consistent with the applicable Data Protection Law. If, at any time, an Authorized User and/or Data Subject withdraws any consent given pursuant to this Subsection, Customer shall immediately inform Transcend Tools in writing at operations@transcendtools.com and cease use and collection of Customer Personal Data related to such objecting Authorized User and/or Data Subject. Customer shall keep an electronic record of all consents given, and any consents withdrawn, by Authorized Users and/or Data Subjects and shall make such records available to Transcend Tools upon request.
- Return or Deletion of Customer Data.
- Upon termination or expiration of the Agreement, Transcend Tools shall (at Customer’s written request) anonymize all Customer Personal Data in its possession or control. This requirement shall not apply to the extent Transcend Tools is required by applicable law to retain some or all of the Customer Personal Data.
- Customer acknowledges that the Services are used as a system of record and that data uploaded to the Services is required to be retained under applicable laws for the establishment, exercise or defense of legal claims. As an equivalent to deletion, Transcend Tools shall permanently and securely anonymize Customer Personal Data to the extent no individual could be identified.
- Indemnification by Customer. To the maximum extent permitted by applicable law and in addition to any other remedy that is available, including the indemnities provided in the Agreement, Customer agrees to defend, indemnify and hold harmless Transcend Tools, its Affiliates and Transcend Tools Subprocessors, including their respective officers, directors, employees, agents, successors, representatives, agents, resellers and assigns (each, a “Transcend Tools Indemnitee”) from and against any and all Losses resulting from Customer’s violation of this DPA and/or the infringement or violation by Customer, its Authorized Users or any other user of Customer’s Access Credentials, of any privacy or other right of any person under applicable Data Protection Law.
- Limitation of Liability
- Exclusion of Damages. UNDER NO CIRCUMSTANCES AND REGARDLESS OF THE NATURE OF ANY ACTION SHALL THE TRANSCEND TOOLS INDEMNITEES BE LIABLE, DIRECTLY OR INDIRECTLY, IN WHOLE OR IN PART, TO CUSTOMER OR TO ANY OTHER PERSON OR ENTITY FOR ANY LOSSES OR LOSS, DAMAGE, CORRUPTION OR RECOVERY OF CUSTOMER PERSONAL DATA ARISING FROM OR RELATING TO CUSTOMER’S BREACH OF ITS OBLIGATIONS IN THIS DPA.
- Limitation of Liability. Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Customer and its Data Controller Affiliates and Transcend Tools, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement and the applicable cap (maximum) for the relevant party set forth in the Agreement. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, the Transcend Tools Indemnitees’ total liability for all Actions by Customer and all of Customer’s Affiliates (including Data Controller Affiliates) arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Customer Affiliate that is a contractual party to any such DPA. To the extent required by applicable law, (a) this section is not intended to modify or limit the Parties’ liability for Data Subject claims made against a Party where there is joint and several liability under Data Protection Law, or (b) limit either Party’s responsibility to pay penalties imposed on such Party by a regulatory authority.
- Termination of the DPA. This DPA will continue in force until the termination of the Agreement (the “Termination Date”), provided that the data protection obligations of this DPA and the SCCs shall continue to apply for so long as Transcend Tools processes Customer Personal Data.
- Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
- Entire Agreement; Order of Precedence. Except as supplemented by this DPA, the Agreement will remain in full force and effect. Any conflict between the terms of the Agreement and this DPA related to the processing of Customer Personal Data are resolved in the following order of priority: (1) the Standard Contractual Clauses, where applicable; (2) the DPA; and (3) the Agreement.
- Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:
- “Access Credentials” means any user name, identification number, password, license or security key, security token, PIN, or other security code, method, technology, or device used, alone or in combination, to verify an individual’s identity and authorization to access and use the Services.
- “Action” means any claim, action, cause of action, demand, lawsuit, arbitration, inquiry, audit, notice of violation, proceeding, litigation, citation, summons, subpoena, or investigation of any nature, civil, criminal, administrative, regulatory, or other, whether at law, in equity, or otherwise.
- “Affiliates”, “Customer Data”, “Transcend Tools”, and “Services” shall each have the meaning ascribed to it in the Agreement.
- “Alternative Transfer Mechanism” means a mechanism, other than SCCs that enables the lawful transfer of Personal Data from Europe or the U.K. to a third country in accordance with applicable Data Protection Law.
- “Competent Supervisory Authority” means, in accordance with Clause 13 of the EU SCCs, (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter’s EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner’s Office (the “ICO”). With respect to Personal Data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
- “Controller” means the entity that determines as a legal person alone or jointly with others the purposes and means of the Processing of Personal Data. Unless otherwise specified, Controller or “data exporter” refers to Customer.
- “Customer”, as used in this DPA, shall include Customer (as defined in the Agreement) and its Data Controller Affiliates.
- “Customer Personal Data” means Customer Data submitted to Transcend Tools for Processing in connection with the Services pursuant to the Agreement, which contains Personal Data.
- “Data Controller Affiliates” means any of Customer’s Affiliates that have not signed or otherwise accepted their own Order with Transcend Tools and therefore would not be a “customer” as defined under the Agreement but is an entity which is: (i) subject to Data Protection Law; and (ii) permitted to use the Transcend Tools Services pursuant to the Agreement between Customer and Transcend Tools. For the avoidance of doubt, no third-party beneficiaries are intended.
- “Data Protection Law” means any data protection and privacy laws and regulations that are applicable to the processing of Customer Personal Data by Transcend Tools, including, where applicable, the laws listed in Transcend Tools Jurisdiction Specific Terms available at http://18.189.229.135/legal, as may be amended, superseded or replaced from time to time.
- “Data Subject” means the identified or identifiable person to whom Customer Personal Data relates.
- “Documented Instructions” has the meaning ascribed in Subsection 2.1 of this DPA.
- “Europe” means the European Economic Area and Switzerland.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing of Directive 95/46/EC (General Data Protection Regulation).
- “including” and its derivatives mean “including but not limited to.”
- “Losses” means any and all losses, damages, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, expert witness fees, settlement amounts, and the costs of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers.
- “Personal Data” means any data that relates to an identified or identifiable natural person, to the extent that such information is protected under applicable Data Protection Law.
- “Personal Data Breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Transcend Tools or Transcend Tools Subprocessors.
- “Transcend Tools Indemnitee” shall have the meaning ascribed to it in Section 11, above.
- “Processing” (unless defined differently under applicable Data Protection Law) means any operation or set of operations which is performed upon Personal Data, manually or automatically, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Processor” means an entity which Processes Personal Data on behalf of the Controller pursuant to the Agreement. Processor or “data importer” in this DPA refers to Transcend Tools.
- “Public Authority Request” means a government agency or law enforcement authority, including a judicial authority request for information.
- “Services” means Transcend Tools Services as set forth in the Agreement.
- “Standard Contractual Clauses” or “SCCs” means: (i) where the GDPR applies the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the “UK SCCs”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) (the “Swiss SCCs”).
- “Subprocessor” means any Processor engaged by Transcend Tools to assist in processing Customer Personal Data in connection with the Services per Customer’s Documented Instructions under the terms of the Agreement and this DPA. Subprocessors may include Transcend Tools Affiliates, but shall exclude Transcend Tools employees, contractors, and consultants.
- “UK GDPR” means the UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018 and renamed by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2020 and the UK’s Data Protection Act 2018.
Appendix A – List of Transcend Tools Subprocessors
| Subprocessor Name | Nature/Description of Processing | Subject of Processing/Customer Personal Data | Country of Storage/Processing |
|---|---|---|---|
| Amazon Web Services | Infrastructure / Cloud Hosting | i.e.: Authorized User Identifiers, Employment Data, IT Data | United States. S3 Buckets for storage are based on region of Customer and include the following regions as applicable: United States (default), Australia & New Zealand, Brazil, Canada, France, Germany, Hong Kong, Ireland, Italy, Korea, Singapore, South Africa, Sweden, United Arab Emirates (UAE), United Kingdom |
| Microsoft Azure | Infrastructure / Cloud Hosting | i.e.: Authorized User Identifiers, Employment Data, IT Data | United States |
| Amplitude Inc | Product Analytics | i.e.: Authorized User Identifiers, Employment Data, IT Data | United States |
| Ecrion Software | PDF Template Processing | i.e.: Authorized User Identifiers | United States |
| Fullstory | Digital experience intelligence (DXI) platform | i.e.: Authorized User Identifiers and video content upon consent. | United States |
| Google Analytics | Product Analytics | i.e.: Authorized User Identifiers, Employment Data, IT Data | Global |
| LaunchDarkly | Transcend Tools Feature Management | i.e.: Authorized User Identifiers, Employment Data, IT Data | United States |
| Looker | Data Analytics | i.e.: Authorized User Identifiers such as email or user ID, IT Data for requests management | United States |
| New Relic | Application, Database, and Machine monitoring | i.e.: Authorized User Email Identifiers | United States |
| Pendo | Usage Data Collection / Communication | i.e.: Authorized User Identifiers, Employment Data, IT Data | United States |
| SalesForce | Customer Account Management | Customer Identifiers and Account Information | United States |
| Sendgrid | Transactional and Marketing Email | i.e.: Authorized Users Email Identifiers | United States |
| Snowflake | Data Warehouse | i.e.: Authorized User Identifiers, IT Data, Employment Data | United States |
| Sumo Logic | Application and System log aggregation | i.e.: Authorized User Identifiers | United States |
| Tableau | Data Visualization Reporting, SQL | i.e.: Authorized User Identifiers, IT Data, Employment Data | United States |
| BugSnag | Error Message Logging | i.e.: Authorized User IT Data and Identifiers based on error | United States |
Additional Subprocessors for Transcend Tools Estimating Services (“Estimating”)
| Application Name | Nature/Description of Processing | Subject of Processing/Customer Personal Data | Country of Storage/Processing |
|---|---|---|---|
| Microsoft Azure | Infrastructure / Cloud Hosting | i.e.: Authorized User Identifiers, Employment Data, IT Data | United States |
| Stripe | Payment processor | i.e.: Authorized User Identifiers, IT Data, credit card processing as processed by Stripe | United States |
| Baremetrics | Reporting for stripe | i.e.: Authorized User Identifiers, IT Data, proof of payment | United States |
| Hubspot | CRM | i.e.: Authorized User Identifiers, Employment Data, IT Data | United States |
| Fullstory | Application playback for support | i.e.: Authorized User Identifiers, IT Data and Screen capture | United States |
Appendix B – Technical and Organizational Security Measures
At all times while Transcend Tools Processes Customer Personal Data, Transcend Tools will maintain and follow a written information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure Customer Personal Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to Customer Personal Data and unauthorized access to the Services, and (c) minimize Customer Personal Data risks, including through risk assessment and regular testing. Transcend Tools will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following Security Measures (as updated from time to time):
- Physical Access Controls: Transcend Tools takes measures, such as security personnel and secured buildings, designed to (i) prevent unauthorized persons from gaining access to Customer Data, (ii) manage, monitor and log movement of persons into and out of Transcend Tools facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.
- System Access Controls: Transcend Tools takes measures designed to prevent unauthorized use of Customer Data. These controls may vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords and two-factor authentication, documented authorization processes, documented change management processes, logging of access on several levels, system audit or event logging, and related monitoring procedures to proactively record user access and system activity for routine review.
- Data Access Controls: Transcend Tools takes measures designed to ensure that Customer Data is accessible and manageable only by properly authorized staff, direct database query access is restricted, and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege of access, and that Customer Data cannot be read, copied, modified, or removed without authorization in the course of Processing.
- Access Policy: In addition to the access control rules set forth in Subsections 1.1–1.3 above, Transcend Tools implements an access policy under which access to its system environment, to Personal Data, and to other Customer Data is restricted to authorized personnel only.
- Input Controls: Transcend Tools takes measures to ensure that: (i) the Customer Data source is under the control of Customer; and (ii) Personal Data integrated into Transcend Tools systems is managed by secured file transfer from Customer and the Authorized User subject.
- Data Backup: Transcend Tools ensures that backups are made on a regular basis, are secured, and are encrypted when storing data to protect against accidental destruction or loss when hosted by Transcend Tools.
- Organizational Management: Transcend Tools maintains a dedicated staff responsible for the development, implementation, and maintenance of Transcend Tools data privacy and information security programs.
- Audit: Transcend Tools maintains audit and risk assessment procedures for the purposes of periodic review and assessment of risks to the organization, monitoring and maintaining compliance, and reporting the condition of its information security and compliance to senior internal management.
- Policies: Transcend Tools maintains data protection and information security policies and makes sure that policies and measures are regularly reviewed and, where necessary, improved.
- Integration: Transcend Tools communicates with Customer applications utilizing cryptographic protocols such as TLS 1.2 or above to protect information in transit over public networks. At the network edge, stateful firewalls, web application firewalls, and DDoS protection are used to filter attacks. Within the internal network, applications follow a multi-tiered model which provides the ability to apply security controls between each layer.
- Operations: Transcend Tools maintains operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein undecipherable or unrecoverable prior to final disposal or release from Controller possession.
- Incident Response: Transcend Tools maintains incident procedures designed to investigate, respond to, mitigate and notify of events related to Customer’s data or information assets. A dedicated network operations and security operations staff provides rapid monitoring and response capabilities to address alerts.
- Network Security: Transcend Tools employs network security controls such as enterprise firewalls and layered DMZ architectures, intrusion detection systems, and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
- Risk Management: Transcend Tools utilizes vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- Business Continuity: Transcend Tools maintains business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recover from foreseeable emergency situations or disasters. Testing is performed to evaluate the plans and recovery capabilities.