
Data Processing Addendum

Data Processing Addendum Updated: 1/20/25
Author: Office of Compliance at Journey

This Data Processing Addendum, including its Exhibits (this “Addendum”), forms part of the Master Subscription Agreement, Terms of Service, Terms of Use, or any other agreement about the delivery of the contracted services between Journey.ai, Inc. (“Journey”) and the Customer named in such agreement or identified below (the “Agreement”), to reflect the parties’ agreement about the Processing of Customer Personal Data (as those terms are defined below).

In the event of a conflict between the terms and conditions of this Addendum, the Agreement, an Order Form, or any other documentation, the terms and conditions of this Addendum govern and control with respect to the subject matter of Processing of Customer Personal Data. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

 

1. Definitions

1.1 “Affiliate” means, with respect to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with that party. For purposes of this Addendum, “control” means an economic or voting interest of at least fifty percent (50%) or, in the absence of such economic or voting interest, the power to direct or cause the direction of the management and set the policies of such an entity.

1.2 “Anonymised Data” means, having regard to the guidance published by the European Data Protection Board, Personal Data which does not relate to an identified or identifiable natural person or which has been rendered anonymous in such a manner that the data subject is not or is no longer identifiable.

1.3 “Applicable Data Protection Law” means any applicable legislative or regulatory regime enacted by a recognized government, or governmental or administrative entity, with the purpose of protecting the privacy rights of natural persons or households consisting of natural persons, in particular the General Data Protection Regulation 2016/679 (“GDPR”) and supplementing data protection law of the European Union Member States, the United Kingdom’s Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), the Swiss Federal Data Protection Act (“Swiss DPA”), Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) S.C. 2000, ch. 5, and any provincial legislation deemed substantially similar to PIPEDA under the procedures set forth therein, the Brazilian Law No. 13,709/2018 – Brazilian General Data Protection Law (“LGPD”), the ePrivacy Directive 2002/58/EC (the “Directive”), together with any European Union Member State national law implementing the Directive.

1.4 “Authorized Subprocessor” means a subprocessor engaged by Journey to Process Customer Personal Data on behalf of the Customer per the Customer’s Instructions under the terms of the Agreement and this Addendum. Authorized Subprocessors may include Journey Affiliates but shall exclude Journey employees, contractors and consultants.

1.5 “Controller” means the entity that, as a legal person, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.6 “Customer Personal Data” means Personal Data, including but not limited to: (a) Content Data: all text, video, or image files that are part of End User information exchanged between End Users and Journey’s customer via the Services;

(b) Account Data (name and email address);

(c) Support Data;

(d) Website access Data (including cookies); and

(e) Diagnostic Data, including but not limited to: Data from applications (including browsers) installed on End User devices (“Telemetry Data”), Service generated server logs (for example meeting metadata and End User settings) and internal security logs that are generated by or provided to Journey by, or on behalf of, Customer through use of the Services.

1.7 “Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.8 “Legitimate Business Purposes” means the exhaustive list of specific purposes for which Journey is allowed to process some Personal Data as a Controller, as specified in Section 2.4.

1.9 “Personal Data” means any information relating to a Data Subject; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name or an identification number (unique ID). This includes any special categories of Personal Data defined in Art. 9 of the UK GDPR, data relating to criminal convictions and offences or related security measures defined in Art. 10 of the UK GDPR, and national security numbers defined in Art. 87 of the GDPR and national supplementing law.

1.10 “Processor” means the entity that processes Personal Data on behalf of the Controller.

1.11 “Personal Data Breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Journey or Journey’s Authorized Subprocessor.

1.12 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. For the avoidance of doubt, this includes processing of Personal Data to disclose, aggregate, pseudonymise, de-identify or anonymize Personal Data, to combine Personal Data with other Personal Data, or to derive any data or information from such Personal Data.

1.13 “Services” means the Journey Services as set forth in the Agreement or associated Journey order form.

1.14 “Specific US State Data Protection Law” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder (“CCPA”); the Colorado Privacy Act of 2021; the Virginia Consumer Data Protection Act of 2021; the Utah Consumer Privacy Act of 2022, as amended; and any other US state law that may be enacted that adheres to the same or substantially the same requirements as the aforementioned laws in this definition.

1.15 “Standard Contractual Clauses” means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) (the “Swiss SCCs”).

1.16 “Supervisory Authority” means an independent public authority responsible for monitoring the application of Applicable Data Protection Law, including the Processing of Personal Data covered by this Addendum.

 

2.1 Processing of Personal Data: Roles, Scope and Responsibility. The parties acknowledge and agree to the following: Customer is the Controller of Customer Personal Data. Journey is the Processor of Customer Personal Data, except where Journey or a Journey Affiliate acts as a Controller processing Customer Personal Data in accordance with the exhaustive list of Legitimate Business Purposes in Section 2.4.

2.2 Only to the extent necessary and proportionate, Customer as Controller instructs Journey to perform the following activities as Processor on behalf of Customer:

(a) Provide and update the Services as configured and used by Customer and its users (for example, through Customer’s use of Journey settings or administrator controls), including to make ongoing product improvements and provide personalised experiences and recommendations;

(b) Secure and monitor the Services in real time;

(c) Resolve issues, bugs, and errors;

(d) Provide Customer requested support, including applying knowledge gained from individual customer support requests to benefit all Journey customers but only to the extent such knowledge is anonymized; and

(e) Process Customer Personal Data as set out in the Agreement (subject matter, nature, purpose, and duration of Personal Data Processing in the controller-to-processor capacity) and any other documented instruction provided by Customer and acknowledged by Journey as constituting instructions for purposes of this Addendum.

(collectively, the “Instructions”).

2.3 Journey shall immediately notify the Customer, if, in Journey’s opinion, an Instruction of the Customer infringes Applicable Data Protection Law and request that Customer withdraw, amend, or confirm the relevant Instruction. Pending the decision on the withdrawal, amendment, or confirmation of the relevant Instruction, Journey shall be entitled to suspend the implementation of the relevant Instruction.

2.4 Journey may Process certain Customer Personal Data for its own Legitimate Business Purposes, as an independent Controller, solely when the Processing is strictly necessary and proportionate, and if the Processing is for one of the purposes in the following exhaustive list:

(a) Directly identifiable data (name and email address and all Customer Personal Data directly connected to such directly identifiable data) may be Processed for:

(i) billing, account, and Customer relationship management (marketing communications to procurement, sales, and other Customer personnel that request such communication), and related Customer correspondence (mailings about, for example, necessary updates);

(ii) complying with and resolving legal obligations, including responding to Data Subject Requests for Personal Data processed by Journey as data Controller (for example website data), tax requirements, agreements and disputes;

(iii) abuse detection, prevention, and protection (such as automatic scanning for matches with identifiers of known Child Sexual Abuse Material (“CSAM”)), virus scanning, and scanning to detect violations of terms of service (such as copyright infringement, SPAM, and actions not permitted under Journey’s Acceptable Use Guidelines);

(b) Pseudonymized and/or aggregated data (Journey will pseudonymise and/or aggregate as much as possible, and pseudonymized and/or aggregated data will not be processed on a per-Customer level), for:

(i) improving and optimizing the performance and core functionalities of accessibility, privacy, security, and the IT infrastructure efficiency of the Services, including Journeyid.com, Journeyid.io, JourneyID.dev and support.Journeyid.com;

(ii) internal reporting, financial reporting, revenue planning, capacity planning, and forecast modeling (including product strategy); and

(iii) receiving and using Feedback for Journey’s overall service improvement. When acting as an independent Controller, Journey will not process Customer Personal Data for any purposes other than the above list of Legitimate Business Purposes.

2.5 Journey will not Process Customer Personal Data for third-party advertising, direct marketing, profiling, research or analytics purposes except where such processing is (i) necessary to comply with Customer’s instructions as set out in Section 2.2 of this Addendum, or (ii) for the Legitimate Business Purposes described in Section 2.4 or (iii) part of Journey’s free Services, early access program, or beta program.

2.6 Journey shall only process Customer Personal Data for the purposes specified in this Addendum; provided, however, that Journey may process Customer Personal Data for “further” or “compatible” purposes (within the meaning of Articles 5(1)(b) and 6(4) GDPR, where applicable), or seek consent from End Users for new types of data processing, where permitted by the Journey account administrator and Applicable Data Protection Law.

2.7 With regard to content scanning for CSAM and reporting ‘hits’ to The National Center for Missing & Exploited Children (“NCMEC”), Journey will conduct human review of matched content before it is reported. Journey may immediately suspend the account of the End User and, if legally allowed to do so, notify the End User thereafter of the suspension and of the option to appeal the suspension, if applicable.

2.8 Regardless of its role as Processor or Controller, Journey shall process all Customer Personal Data in compliance with Applicable Data Protection Laws and the “Security Measures” referenced in Section 6 of this Addendum.

2.9 Customer shall ensure that its Instructions to Journey comply with all laws, rules, and regulations applicable to Customer Personal Data, and that the Processing of Customer Personal Data per Customer’s Instructions will not cause Journey to be in breach of Applicable Data Protection Law. Customer is solely responsible for the accuracy, quality, and legality of (i) the Customer Personal Data provided to Journey by or on behalf of Customer; (ii) how Customer acquired any such Customer Personal Data; and (iii) the Instructions Customer provides to Journey regarding the Processing of such Customer Personal Data. Customer shall not provide or make available to Journey any Customer Personal Data in violation of the Agreement, this Addendum, or otherwise in violation of Journey’s Acceptable Use Guidelines, and shall indemnify Journey from all claims and losses in connection therewith.

2.10 Following the completion of the Services, at Customer’s choice, to the extent that Journey is a Processor, Journey shall either enable Customer to delete some of Customer’s Personal Data (for example, an End User’s Personal Data) or all of Customer’s Personal Data, shall return to Customer the specified Customer Personal Data, or shall delete the specified Customer Personal Data, and delete any existing copies in compliance with its data retention and deletion policy. If return or destruction is impracticable or prohibited by a valid legal order or law, Journey shall take measures to inform the Customer and block such Customer Personal Data from any further Processing (except to the extent necessary for its continued hosting or Processing required by applicable law) and shall continue to appropriately protect the Customer Personal Data remaining in its possession, custody, or control and, where any Authorized Subprocessor continues to possess Customer Personal Data, require the Authorized Subprocessor to take the same measures that would be required of Journey.

 

3. Privacy by design and by default

3.1 Journey agrees to minimize Processing to the extent necessary to provide the Services and for the purposes permitted in this Addendum, the Agreement, or as otherwise agreed upon by Customer and Journey. This includes minimization of Telemetry Data, Support Data, and feedback functionality; minimization of data retention periods; collection of pseudonymised identifiers when necessary, but immediate and effective (irreversible) anonymization when the Service can be performed without Personal Data; and the implementation and control of strict access controls to the Customer Personal Data.

3.2 Journey shall maintain a process whereby, when Journey collects new types of Diagnostic Data, such new collection shall be supervised by a privacy officer. Journey will perform regular checks on the contents of collected Telemetry Data to verify that neither directly identifying data nor Customer Content Data are collected.

3.3 Regarding Journey’s use of cookies or similar tracking technology, Journey shall ensure that only those cookies which are strictly necessary shall be set by default for European Enterprise and Education Customers on Journeyid.com, support.Journeyid.com, and App.Journeyid.com, including visits to these pages when the End User or system administrator has signed into the Journey account.

3.4 When Journey plans to introduce new features, or related software and services (“New Service”), which will result in new types of Processing (i.e., new Personal Data and/or new purposes), Journey will:

(a) perform a data protection impact assessment;

(b) determine if the new types of Processing following a New Service are allowed within the scope of this Addendum; and

(c) ensure that the new Processing occurs with the necessary Customer notice or consents.

 

4. Authorized Persons

Journey shall ensure that all persons authorized to Process Customer Personal Data and Customer Content are made aware of the confidential nature of Customer Personal Data and Customer Content and have committed themselves to confidentiality (e.g., by confidentiality agreements) or are under an appropriate legal obligation of confidentiality.

 

5. Authorized Subprocessors

To the extent that Journey is a Processor:

5.1 Customer hereby generally authorizes Journey to engage subprocessors in accordance with this Section 5.

5.2 Customer approves the Authorized Subprocessors listed at https://www.journeyid.com/subprocessor-list/

5.3 Journey may remove, replace, or appoint suitable and reliable further subprocessors in accordance with this Section 5.3:

(a) Journey shall, at least thirty (30) business days before the new subprocessor starts processing any Customer Personal Data, notify Customer of the intended engagement (including the name and location of the relevant subprocessor, the activities it will perform, and a description of the Personal Data it will process). To enable such notifications, Customer shall visit https://www.Journeyid.com/subproccessor-list and enter its desired and valid email address into the submission field at the bottom of the webpage, and Journey shall send such notifications to the email address entered into the submission field. In an emergency concerning Service availability or security, Journey is not required to provide prior notification to Customer but shall provide notification within seven (7) business days following the change in subprocessor. In either case, Customer may object to such an engagement in writing within fifteen (15) business days of receipt of the aforementioned notice from Journey.

5.4 If Customer objects to the engagement of a new subprocessor, Journey shall have the right to cure the objection through one of the following options (to be selected at Journey’s sole discretion):

(a) Journey cancels its plans to use the subprocessor with regard to Customer Personal Data.

(b) Journey will take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the subprocessor with regard to Customer Personal Data.

(c) Journey may cease to provide, or Customer may agree not to use (temporarily or permanently), the particular aspect of the Service that would involve the use of such a subprocessor with regard to Customer Personal Data.

(d) Journey provides Customer with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If Journey, in its sole discretion, cannot provide any such alternative(s), or if Customer does not agree to any such alternative(s), if provided, Journey and Customer, within thirty (30) days of being provided an alternative, may terminate the affected portion(s) of the Agreement with prior written notice. Termination shall not relieve Customer of any fees or charges owed to Journey for Services provided up to the effective date of the termination under the Agreement. If Customer does not object to a new subprocessor’s engagement within fifteen (15) business days of notice issuance from Journey, that new subprocessor shall be deemed accepted.

5.5 Journey shall ensure that Authorized Subprocessors have executed confidentiality agreements that prevent them from unauthorized Processing of Customer Personal Data and Customer Content both during and after their engagement by Journey.

5.6 Journey shall, by way of contract or other legal act, impose on the Authorized Subprocessor data protection obligations consistent with the obligations set out in this Addendum and in accordance with GDPR requirements. The parties acknowledge and agree that notice periods shall be deemed equivalent regardless of disparate notification periods. If Personal Data are transferred to an Authorized Subprocessor in a third country that does not ensure an adequate level of protection according to the European Commission, the FDPIC, or the UK Information Commissioner’s Office, Journey will ensure the transferred data are processed with the same GDPR transfer guarantees as agreed with Customer (such as Standard Contractual Clauses and BCRs). Journey will also perform a case-by-case assessment of whether supplementary measures are required in cases of onward transfers to third countries to bring the level of protection of the transferred data up to the EU standard of essential equivalence.

5.7 Journey shall be fully liable to Customer where an Authorized Subprocessor fails to fulfill its data protection obligations, to the same extent that Journey would itself be liable under this Addendum had it conducted such acts or omissions.

 

6. Security of Personal Data

6.1 Journey may not update the Services in a way that would remove Customer’s choice to apply end-to-end encryption, or introduce any functionality that would purposefully allow anyone not authorized by Customer to gain access to Customer encryption keys or Customer content.

6.2 Journey certifies that it has not purposefully created any “back doors” or similar programming in the Services that could be used by third parties to access the system and/or Personal Data. Journey has not purposefully created or changed its business processes in a manner that facilitates such third-party access to Personal Data or systems. Journey certifies there is no applicable law or government policy that requires Journey as importer to create or maintain back doors or to facilitate access to Personal Data or systems or for the importer to be in possession of or to hand over the encryption key.

6.3 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Journey shall maintain appropriate technical and organizational measures with regard to Customer Personal Data to ensure a level of security appropriate to the risk, including, but not limited to, the “Security Measures” set out in Annex II to the Standard Contractual Clauses (attached here as EXHIBIT B). Customer acknowledges that the Security Measures are subject to technical progress and development and that Journey may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Services.

 

7. International Transfers of Personal Data

7.1 Journey may not update the Services in a way that would remove Customer’s ability to choose to store certain Personal Data at rest within the European Economic Area (“EEA”).

7.2 Customer acknowledges and agrees that Journey may transfer and process Customer Personal Data to and in the United States. Journey may transfer Customer Personal Data to third countries (including those outside the EEA without an adequacy decision from the European Commission) to Affiliates, its professional advisors, or its Authorized Subprocessors, including when a Journey End User knowingly connects to data processing operations supporting the Services from such locations (for example, when the End User travels outside of the territory of the EU). Journey shall ensure that such transfers are made in compliance with Applicable Data Protection Law and this Addendum.

7.3 Any transfer of Customer’s Personal Data made subject to this Addendum from member states of the European Union, the EEA, Switzerland or the United Kingdom to any country that does not ensure an adequate level of protection according to the European Commission, the FDPIC, or the UK Information Commissioner’s Office (as applicable), shall be undertaken through the Standard Contractual Clauses, in connection with which the parties agree to the following:

(a) EU SCCs (Controller to Controller Transfers). In relation to Personal Data that is protected by the EU GDPR and processed in accordance with Section 2.4 of this Addendum, the EU SCCs shall apply, completed as follows:

(i) Module One will apply;

(ii) in Clause 7, the optional docking clause will apply;

(iii) in Clause 11, the optional language will not apply;

(iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

(v) in Clause 18(b), disputes shall be resolved before the courts of Ireland;

(vi) Annex I of the EU SCCs shall be deemed completed with the information set out in EXHIBIT A of this Addendum; and

(vii) Subject to Section 6.3 of this Addendum, Annex II of the EU SCCs shall be deemed completed with the information set out in EXHIBIT B to this Addendum.

(b) EU SCCs (Controller to Processor/Processor to Processor Transfers). In relation to Personal Data that is protected by the EU GDPR and processed in accordance with Section 2.2 of this Addendum, the EU SCCs shall apply, completed as follows:

(i) Module Two or Module Three will apply (as applicable);

(ii) in Clause 7, the optional docking clause will apply;

(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 5.3 of this Addendum;

(iv) in Clause 11, the optional language will not apply;

(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;

(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in EXHIBIT A to this Addendum; and

(viii) Subject to Section 6.3 of this Addendum, Annex II of the EU SCCs shall be deemed completed with the information set out in EXHIBIT B to this Addendum.

(c) Transfers from the UK. In relation to Personal Data that is protected by the UK GDPR, the UK Addendum will apply, completed as follows:

(i) The EU SCCs shall also apply to transfers of such Personal Data, subject to sub-Section (ii) below;

(ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above in Section 7.3 (a)-(b) of this Addendum, and the option “neither party” shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the date of this Addendum.

(d) Transfers from Switzerland. In relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply in accordance with Sections 7.3 (a)-(b), with the following modifications:

(i) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;

(ii) references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; and

(iii) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the FDPIC and competent courts in Switzerland, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss DPA, in which event the Swiss SCCs shall instead be incorporated by reference and form an integral part of this Addendum and shall apply to such transfers. Where this is the case, the relevant Annexes of the Swiss SCCs shall be populated using the information contained in EXHIBIT A and EXHIBIT B to this Addendum.

7.4 It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this Addendum) the Standard Contractual Clauses shall prevail to the extent of such conflict.

7.5 Journey may adopt a replacement data export mechanism (including any new version of or successor to the Standard Contractual Clauses or alternative mechanisms adopted pursuant to Applicable Data Protection Law) (“Alternative Transfer Mechanism”). So long as the Alternative Transfer Mechanism complies with Applicable Data Protection Law and extends to the territories to which Customer Personal Data is transferred on behalf of the Customer, Customer agrees to execute documents and take other reasonably necessary actions to give legal effect to such Alternative Transfer Mechanism.

7.6 Journey will follow European Data Protection Board requirements and Applicable Data Protection Law requirements concerning the completion of a data transfer impact assessment (“DTIA”).

 

8. Rights of Data Subjects

To the extent that Journey is a Processor:

8.1 Journey shall promptly notify Customer upon receipt of a request by a Data Subject to exercise Data Subject rights under Applicable Data Protection Law. Journey will advise the Data Subject to submit his or her request to Customer, and Customer will be responsible for responding to such request.

8.2 Journey shall, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising the Data Subject’s rights (regarding information, access, rectification and erasure, restriction of Processing, notification, data portability, objection and automated decision-making) under Applicable Data Protection Law.

 

9. Disclosure of Personal Data

9.1 Journey will not disclose or provide access to any Customer Personal Data except:

(a) as Customer directs;

(b) as described in this Addendum; or

(c) as required by law.

9.2 If a court, law enforcement authority or intelligence agency contacts Journey with a demand for Customer Personal Data, Journey will first assess if it is a legitimate order consistent with Journey’s Government Requests Guide. If so, Journey will attempt to redirect this third party to request those data directly from Customer. If compelled to disclose or provide access to any Customer Personal Data to law enforcement, Journey will promptly notify Customer and provide a copy of the demand unless legally prohibited from doing so, for example, through a so-called gagging order. If Journey is prohibited by law from fulfilling its obligations under this Section 9.2, Journey shall represent the reasonable interests of Customer. This is in all cases understood to mean:

(a) Journey shall document a legal assessment of the extent to which: (i) Journey is legally obliged to comply with the request or order; and (ii) Journey is effectively prohibited from complying with its obligations in respect of Customer under this Addendum.

(b) Journey shall only cooperate with the US-issued request or order if legally obliged to do so and, where possible, Journey shall judicially object to the request or order, or to the prohibition on informing Customer about it or on following the instructions of Customer.

(c) Journey shall not provide more Customer Personal Data than is strictly necessary for complying with the request or order.

(d) If Journey becomes aware of a situation where it has reason to believe that the laws and practices in the third country of destination applicable to the processing of the Personal Data by Journey, its Affiliates and Authorized Subprocessors, including any requirements to disclose Personal Data or measures authorizing access by public authorities, will prevent Journey from fulfilling its obligations under this Addendum, Journey will inform Customer without undue delay after Journey becomes aware of such a situation.

 

  10. Compliance Auditing

10.1 Journey will conduct third-party audits to attest to the ISO 27001 and SOC 2 Type I & II frameworks as follows:

(a) Journey will conduct at least one audit annually. Starting in 2021, Journey will audit the Security, Availability and Privacy Criteria in the SOC-2 audit.

(b) Audits will be performed according to the standards and rules of the regulatory or accreditation body for the applicable control standard or framework.

(c) Audits will be performed by qualified, independent, third-party security auditors at Journey’s selection and expense.

10.2 Each audit will result in the generation of an audit report (“Journey Audit Report”), which Journey will make available to Customer upon request. The Journey Audit Report will be Journey’s Confidential Information. Journey will promptly remediate issues raised in any Journey Audit Report to the satisfaction of the auditor.

10.3 At its request and cost, Customer is entitled to have an audit carried out by a mutually agreed upon auditor to demonstrate that Journey complies with the provisions of this Addendum and Clause 8.9 “Documentation and compliance” (EU SCCs) for the processing of Personal Data. Customer may exercise the right no more than once a year, except in respect of an additional audit following (i) a Journey data breach or (ii) if specifically ordered by Customer’s national Supervisory Authority.

10.4 Following receipt by Journey of a request for an audit under this Section 10.4, Journey and Customer will discuss and agree in advance on

(a) the identity of an independent and suitably qualified third-party auditor to conduct the audit;

(b) the reasonable start date and duration (not to exceed two weeks in respect of any on premise audits) of any such audit;

(c) the scope, process and normative framework of the audit, including: (i) the data processing outcomes, information, and control requirements to be in scope of the audit evidence requirements; and (ii) the nature and process for satisfactory audit evidence; and

(d) the security and confidentiality controls applicable to any such audit. All audits must be conducted in accordance with recognized international auditing standards.

10.5 Nothing in this Addendum will require Journey to provide Personal Data of other Journey customers or access to any Journey systems or facilities that are not involved in the provision of the contracted Services.

 

  11. Cooperation

Journey shall provide Customer with all required assistance and cooperation in enforcing the obligations of the parties under Applicable Data Protection Law. To the extent that such assistance relates to the Processing of Customer Personal Data for the purpose of the performance of the Agreement, Journey shall in any event provide Customer with such assistance relating to:

(a) The security of Customer Personal Data;

(b) Performing checks and audits;

(c) Performing Data Protection Impact Assessments (“DPIA”);

(d) Prior consultation with the Supervisory Authority;

(e) Responding to requests from the Supervisory Authority or another government body;

(f) Responding to requests from Data Subjects;

(g) Reporting Customer Personal Data Breaches.

 

  12. Security incidents and data breaches

12.1 In the event of a confirmed Personal Data Breach (at Journey or at a subprocessor of Journey), Journey shall, without undue delay, inform Customer of the Personal Data Breach and take such steps as Journey in its sole discretion deems necessary and reasonable to remediate such violation. In the event of such a Personal Data Breach, Journey shall, taking into account the nature of the Processing and the information available to Journey, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Applicable Data Protection Law with respect to notifying (i) the relevant Supervisory Authority and/or (ii) Data Subjects affected by such Personal Data Breach without undue delay.

12.2 In the event of a large scale, as determined by Journey, confirmed Personal Data Breach (with Journey or an Authorized Subprocessor of Journey), Customer allows Journey to independently alert and consult the relevant Supervisory Authorities in order to better inform Customer what steps the Supervisory Authorities expect.

12.3 The obligations described in Sections 12.1 and 12.2 shall not apply if a Personal Data Breach results from the actions or omissions of Customer, except where required by Applicable Data Protection Law. Journey’s obligation to report or respond to a Personal Data Breach under Sections 12.1 and 12.2 will not be construed as an acknowledgement by Journey of any fault or liability with respect to the Personal Data Breach.

 

  13. US State Law Privacy Exhibit

13.1 To the extent that Customer (i) is a “business” and Journey processes “personal information” (as those terms are defined by the CCPA) on Customer’s behalf, or (ii) is a “controller” and Journey processes “personal data” (as each of those terms are defined by the applicable Specific US State Data Protection Laws) on Customer’s behalf, or (iii) meets both criteria set out in (i) and (ii), then the Journey US State Law Privacy Exhibit, attached hereto as EXHIBIT C to this Addendum, shall apply to Journey’s “processing” of Customer’s “personal information” and “personal data” (as each of those terms are defined under the applicable Specific US State Data Protection Laws).

13.2 In the event of a conflict between EXHIBIT C and any other parts of this Addendum with respect to Journey’s “processing” of “personal information” and “personal data” (as each of those terms are defined under the Specific US State Data Protection Laws), the terms of EXHIBIT C control and govern over other parts of this Addendum with respect to the parties’ obligations under the applicable Specific US State Data Protection Laws.

 

  14. General

14.1 This Addendum may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.

14.2 Customer and Journey acknowledge that the other party may disclose the Standard Contractual Clauses, this Addendum, and any privacy-related provisions in the Agreement to any Supervisory Authority upon request.

14.3 Except for the changes made by this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, an Order Form, or any other documentation, with regard to the subject matter of this Addendum, this Addendum shall prevail to the extent of that conflict.

14.4 If there is a change in (i) Specific US State Data Protection Law, (ii) Applicable Data Protection Law, or (iii) a determination, decision, or order by a Supervisory Authority or competent court affecting this Addendum or the lawfulness of any Processing activities under this Addendum, then Journey may propose supplements and modifications to this Addendum. If the Customer objects to the supplement or modification, then Customer must object to the supplement or modification within thirty (30) days or the right to object is waived. If Customer timely objects to the appropriateness of the supplement or modification, then the parties will work to resolve their differences, and if resolution cannot occur within thirty (30) days of Customer’s notice of objection, then either party may terminate this Addendum and any affected portion(s) of the Agreement. All supplements and modifications will be in writing and signed by the parties, unless the terms of the Agreement provide otherwise.

14.5 The provisions of this Addendum are severable. If any phrase, clause or provision or Exhibit (including the Standard Contractual Clauses) is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this Addendum or the remainder of the Exhibit shall remain in full force and effect.

14.6 This Addendum shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Law.

 

Customer (“Customer”)

Signature:

Print Name:

Title:

Date:

Customer Address:

Journey.ai, Inc. (“Journey”)

Signature:

Print Name: Todd Parenteau

Title: VP of Operations

Date:

 

EXHIBIT A

 

Annex I: Description of the Processing/Transfer

Controller to Controller

(A) List of Parties:

Data Exporter

Name:

Address:

Contact Person’s Name, position and contact details:

Name:

Position:

Email:

Activities relevant to the transfer: As described in Section (B) below

Role: Controller

Data Importer

Name: Journey.ai Inc.

Address: 1001 Bannock St., #522 Denver, CO 80204

Contact Person’s Name, position and contact details:

Name: Todd Parenteau

Position: VP of Operations

Officer e-mail Address: Todd@journeyid.com

With a copy to e-mail: support@journeyid.com

Activities relevant to the transfer: As described in Section (B) below

Role: Controller

 

(B) Description of Transfer

Categories of Data Subjects
The personal data transferred concern the following categories of data subjects: End Users
Purposes of the transfer(s)
The transfer is made for the following purposes: In accordance with Section 2.4 of this Addendum, Journey may Process certain Customer Personal Data for its own Legitimate Business Purposes, as an independent Controller, solely when the Processing is strictly necessary and proportionate, and if the Processing is for one of the following exhaustive list of purposes:

(a) Directly identifiable data (name, email address, phone number and all Customer Personal Data directly connected to such directly identifiable data) may be Processed for:

(i) billing, account, and Customer relationship management (marketing communications to procurement, sales, and other Customer personnel that requests such communication), and related Customer correspondence (mailings about, for example, necessary updates);

(ii) complying with and resolving legal obligations, including responding to Data Subject Requests for Personal Data processed by Journey as data Controller (for example website data), tax requirements, agreements and disputes;

(iii) abuse detection, prevention, and protection (such as automatic scanning for matches with identifiers of known CSAM, virus scanning and scanning to detect violations of terms of service, such as copyright infringement, SPAM, and actions not permitted under Journey’s Acceptable Use Guidelines);

(b) Pseudonymized and/or aggregated data (Journey will pseudonymise and/or aggregate as much as possible and pseudonymized and/or aggregated data will not be processed on a per-Customer level), for:

(i) improving and optimizing the performance and core functionalities of accessibility, privacy, security, and the IT infrastructure efficiency of the Services, including Journeyid.com, support.journeid.com, app.journey.io and app.journeyid.com;

(ii) internal reporting, financial reporting, revenue planning, capacity planning, and forecast modeling (including product strategy); and

(iii) receiving and using Feedback for Journey’s overall service improvement.

Categories of Personal Data

The personal data transferred concern the following categories of data:

Customer Content Data:

Journey Account Profile Info: Data associated with the End User account, password, company name, and preferences. This includes:

● Journey unique user ID

● agent profile picture (optional)

Diagnostic Data:

Meeting metadata: Metrics about Service usage, including when and how sessions were conducted. This includes:

● event logs (including action taken, event type and subtype, timestamp, client user ID, phone number)

● performance, troubleshooting and diagnostics information

Telemetry data: Data collected from locally installed software (applications and browser information about the deployment of Journey Services and related systems environment / technical information). This includes:

● camera

● domain

● event logs (including action taken, event type and subtype, in-app event notification, timestamp, client Unique ID, Session ID)

● user ID and actions requested

● service logs (information on systems events and states)

Other Service Generated Data:

Frequency of Transfer
Whether continuous or one-off.  The transfer of account information is one off, otherwise continuous when using the Service.
Duration of processing:  In accordance with the retention period detailed below.
Nature and Subject Matter of the Processing: Journey will process Customer Personal Data for its own exhaustive list of Legitimate Business Purposes when strictly necessary and proportionate, in accordance with this Addendum.
Retention period (or, if not possible to determine, the criteria used to determine that period):

Journey retains Customer Personal Data for as long as required for its own exhaustive list of Legitimate Business Purposes, in accordance with this Addendum. The criteria used to determine Journey’s retention periods include the following:

● The length of time of Journey’s relationship with Service users (for example, the duration of a Journey account)

● Whether account owners modify or their users delete information through their accounts

● Whether Journey has a legal obligation to keep the data (for example, certain laws require Journey to keep records for a certain period of time)

● Whether retention is required by Journey’s legal position (such as in regard to the enforcement of agreements, the resolution of disputes, and applicable statutes of limitations, litigation, or regulatory investigation).

 

(C): Competent supervisory authority

The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, must be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter’s EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner’s Office (the “ICO”). With respect to Personal Data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

 

Controller to Processor

(A) List of Parties:

Data Exporter

Name:

Address:

Contact Person’s Name, position and contact details:

Name:

Position:

Email:

Activities relevant to the transfer: As described in Section (B) below

Role: Controller

Data Importer

Name: Journey.ai, Inc.

Address: 1001 Bannock St., #522 Denver, CO 80204

Contact Person’s Name, position and contact details:

Name: Todd Parenteau

Position: VP of Operations

Email: Todd Parenteau

With a copy to e-mail: Journey Support

Activities relevant to the transfer: As described in Section (B) below

Role: Processor

 

(B) Description of Transfer

Categories of Data Subjects
The personal data transferred concern the following categories of data subjects: Individuals about whom Personal Data is provided to Journey via the Services by (or at the direction of) Customer or End Users, which may include without limitation Customer’s or its Affiliates’ employees, contractors, and End Users.
Purposes of transfer(s)

In accordance with Section 2.2 of the DPA, and only to the extent necessary and proportionate, Customer as Controller instructs Journey to perform the following activities as Processor on behalf of Customer:

● Provide and update the Services as configured and used by Customer and its users (for example, through Customer’s use of Journey settings or administrator controls), including to make ongoing product improvements and provide personalized experiences and recommendations;

● Secure and real-time monitor the Services;

● Resolve issues, bugs, and errors;

● Provide Customer requested support, including applying knowledge gained from individual customer support requests to benefit all Journey customers but only to the extent such knowledge is anonymized; and

● Process Customer Personal Data as set out in the Agreement (subject matter, nature, purpose, and duration of Personal Data Processing in the controller to processor capacity) and any other documented instruction provided by Customer and acknowledged by Journey as constituting instructions for purposes of this Addendum.

Categories of Personal Data

The personal data transferred concern the following categories of data:

Customer Content Data:

Journey Account Profile Info: Data associated with the End User’s Journey account, profile picture, password, company name, and Customer’s info. This includes:

● customer unique ID

Diagnostic Data:

Session metadata: Metrics about Service usage, including when and how actions were conducted. This category includes:

● event logs (including: action taken, event type and subtype, in-app event location, timestamp, client UniqueID, user ID, and Session ID)

● service logs (information on systems events and states)

Frequency of the Transfer
Whether continuous or one off. Continuous
Special Categories of personal data (if appropriate)

The personal data transferred concern the following categories of sensitive data: Special categories of data are not required to use the service. The Customer / data exporter can prevent the processing of these data by using end to end encryption in the Service and preventing End Users from uploading profile information that contains such special categories of data. Such special categories of data include, but may not be limited to, Personal Data with information revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning an individual’s health or sex life.
Duration of processing: The term of the Agreement plus the period until Journey deletes all Customer Personal Data processed on behalf of Customer in accordance with the Agreement.
Nature and Subject Matter of the Processing:  Journey will process Customer Personal Data for the purposes of providing the Services to Customer in accordance with this Addendum.
Retention period (or, if not possible to determine, the criteria used to determine that period):

Journey retains Customer Personal Data for as long as required for its own exhaustive list of Legitimate Business Purposes, in accordance with this Addendum. The criteria used to determine Journey’s retention periods include the following:

● The length of time of Journey’s relationship with Service users (for example, the duration of a Journey account)

● Whether account owners modify or their users delete information through their accounts

● Whether Journey has a legal obligation to keep the data (for example, certain laws require Journey to keep records for a certain period of time)

● Whether retention is required by Journey’s legal position (such as in regard to the enforcement of agreements, the resolution of disputes, and applicable statutes of limitations, litigation, or regulatory investigation).

(C) Competent supervisory authority

The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, must be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter’s EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the ICO. With respect to Personal Data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

 

EXHIBIT B

 

Technical and Organizational Security Measures

Journey’s technical and organizational security measures for Processing Customer Personal Data will meet the Minimum-Security Control Requirements set out in this EXHIBIT B (“Security Measures”). Customer recognizes that there may be multiple acceptable approaches to accomplish a particular minimum control requirement. Journey must document in reasonable detail how a particular control meets the stated minimum control requirement. Journey may revise the Security Measures from time to time. The term “should” in these Security Measures means that Journey will use commercially reasonable efforts to accomplish the stated minimum control requirement and will document those efforts in reasonable detail, including the rationale, if any, for deviation. As used in these Security Measures, (i) “including” and its derivatives mean “including but not limited to”; and (ii) any capitalized terms not defined in this EXHIBIT B shall have the same meaning as set forth in this Addendum.

  1. Definitions

1.1 “Systems” means Journey’s production systems.

1.2 “Assets” means Journey’s production assets.

1.3 “Facilities” means Journey’s production facilities, whether owned or leased by Journey (e.g., AWS, data centers).

 

  2. Risk Management

2.1 Risk Assessment Program. The effectiveness of controls must be regularly validated through a documented risk assessment program and appropriately managed remediation efforts.

2.2 Risk Assessment. A risk assessment must be performed annually to verify the implementation of controls that protect business operations and Customer Content.

 

  3. Security Policy

3.1 A documented set of rules and procedures must regulate the Processing of information and associated services.

3.2 Security Policies and Exception Process. Security policies must be documented, reviewed, and approved, with management oversight, on a periodic basis, following industry best practices.

3.3 A risk-based exception management process must be in place for prioritization, approval, and remediation or risk acceptance of controls that have not been adopted or implemented.

3.4 Awareness and Education Program. Security policies and responsibilities must be communicated and socialized within the organization to Journey personnel. Journey personnel must receive security awareness training on an annual basis.

 

  4. Organizational Security

4.1 A personnel security policy must be in place to establish organizational requirements to ensure proper training, competent performance, and an appropriate and accountable security organization.

4.2 Organization. Current organizational charts representing key management responsibilities for services provided must be maintained.

4.3 Background Checks. Where legally permissible, background checks (including criminal) must be performed on applicable Journey personnel.

4.4 Confidentiality Agreements. Journey personnel must be subject to written non-disclosure or confidentiality obligations.

 

  5. Technology Asset Management

5.1 Controls must be in place to protect Journey production assets, including mechanisms to maintain an accurate inventory of assets and handling standards for introduction and transfer, removal and disposal of assets.

5.2 Accountability. A process for maintaining an inventory of hardware and software assets and other information resources, such as databases and file structures, must be documented. A process for periodic asset inventory reviews must be documented. Identification of unauthorized or unsupported hardware/software must be performed.

5.3 Asset Disposal or Reuse. If applicable, Journey will use industry standards to wipe or carry out physical destruction as the minimum standard for disposing of assets. Journey must have documented procedures for disposal or reuse of assets.

5.4 Procedures must be in place to remove data from production systems in which Customer’s Personal Data are stored, processed, or transmitted.

 

  6. Physical and Environmental

6.1 Controls must be in place to protect systems against physical penetration by malicious or unauthorized people, damage from environmental contaminants and electronic penetration through active or passive electronic emissions.

6.2 Physical and Environmental Security Policy. Physical and environmental security plans must exist for facilities and scenarios involving access or storage of Customer’s Personal Data. Additional physical and environmental controls must be required and enforced for applicable facilities, including servers and datacenter locations.

6.3 Physical Access. Physical access, to include visitor access to facilities, must be restricted and all access periodically reviewed.

6.4 Policies must be in place to ensure that information is accessed on a need-to-know basis.

6.5 Environmental Control. Facilities, including data and processing centers, must maintain appropriate environmental controls, including fire detection and suppression, climate control and monitoring, power and back-up power solutions, and water damage detection. Environmental control components must be monitored and periodically tested.

 

  7. Communication and Connectivity

7.1 Journey must implement controls over its communication network to safeguard data. Controls must include securing the production network and implementation of encryption, logging and monitoring, and disabling communications where no business need exists.

7.2 Network Identification. A production network diagram, to include production devices, must be kept current to facilitate analysis and incident response.

7.3 Data Flow Diagram. A current data flow diagram must depict data from origination to endpoint (including data which may be shared with subprocessors).

7.4 Data Storage. All of Customer’s Personal Data, including Customer’s Personal Data shared with subprocessors, must be stored and maintained in a manner that allows for its return or secure destruction upon request from Customer.

7.5 Firewalls. Firewalls must be used for the isolation of all environments, to include physical, virtual, network devices, production and non-production, and application/presentation layers. Firewall management must follow a process that includes restriction of administrative access, and that is documented, reviewed, and approved, with management oversight, on a periodic basis.

7.6 The production network must be either firewalled or physically isolated from the development and test environments. Multi-tier security architectures that segment application tiers (e.g., presentation layer, application and data) must be used. Periodic network vulnerability scans must be performed, and any critical vulnerabilities identified must be remediated within a defined and reasonable timeframe.

7.7 Clock Synchronization. Production network devices must have internal clocks synchronized to reliable time sources.

7.8 Remote Access. The data flow in the remote connection must be encrypted and multi-factor authentication must be utilized during the login process.

7.9 Remote connection settings must limit the ability of remote users to access both initiating network and remote network simultaneously (i.e., no split tunneling).

7.10 Subprocessors’ remote access, if any, must adhere to the same controls and must have a valid business justification.

7.11 Wireless Access. Wireless access to the Journey corporate network must be configured to require authentication and be encrypted.

 

  8. Change Management

8.1 Changes to the production systems, production network, applications, data files structures, other system components, and physical/environmental changes must be monitored and controlled through a formal change control process. Changes must be reviewed, approved, and monitored during post implementation to ensure that expected changes and their desired result are accurate.

8.2 Change Policy and Procedure. A change management policy, including application, operating system, network infrastructure, and firewall changes must be documented, reviewed, and approved, with management oversight, on a periodic basis.

8.3 The change management policy must include clearly identified roles and responsibilities so as to support separation of duties (e.g., request, approve, implement). The approval process must include pre- and post-evaluation of change. Journey provides service status and scheduled maintenance to customers in writing and via direct contact (scheduled meetings).

 

  9. Operations

9.1 Documented operational procedures must ensure the correct and secure operation of Journey’s assets. Operational procedures must be documented and include monitoring of capacity, performance, service level agreements and key performance indicators.

 

  10. Access Control

10.1 Authentication and authorization controls must be appropriately robust for the risk of the system, data, application, and platform; access rights must be granted based on the principle of least privilege and monitored to log access and security events, using tools that enable rapid analysis of user activities.

10.2 Logical Access Control Policy. Documented logical access policies and procedures must support role-based, “need-to-know” access (e.g., interdepartmental transfers, terminations) and ensure separation of duties during the approval and provisioning process. Each account provisioned must be uniquely identified. User access reviews must be conducted on a periodic basis.

10.3 Privileged Access. Management of privileged user accounts (e.g., those accounts that have the ability to override system controls), to include service accounts, must follow a documented process and be restricted. A periodic review and governance process must be maintained to ensure appropriate provisioning of privileged access.

10.4 Authentication and Authorization. A documented authentication and authorization policy must cover all applicable systems. That policy must include password provisioning requirements, password complexity requirements, password resets, thresholds for lockout attempts, thresholds for inactivity, and assurance that no shared accounts are utilized.

10.5 Authentication credentials must be encrypted, including in transit to and from subprocessors’ environments or when stored by subprocessors.

 

  11. Data Integrity

11.1 Controls must ensure that any data stored, received, controlled, or otherwise accessed is accurate and reliable. Procedures must be in place to validate data integrity.

11.2 Data Transmission Controls. Processes, procedures, and controls must be documented, reviewed, and approved, with management oversight, on a periodic basis, to ensure data integrity during transmission and to validate that the data transmitted is the same as data received.

11.3 Data Transaction Controls. Controls must be in place to protect the integrity of data transactions at rest and in transit.

11.4 Encryption. Data must be protected and should be encrypted, both in transit and at rest, including when shared with subprocessors.

11.5 Data Policies. A policy must be in place to cover data classifications, encryption use, key and certificate lifecycle management, cryptographic algorithms and associated key lengths. This policy must be documented, reviewed, and approved with management oversight, on a periodic basis.

11.6 Encryption Uses. Customer Personal Data must be protected, and should be encrypted, while in transit and at rest. Customer Content must be protected, and should be encrypted when stored and while in transit over any network; authentication credentials must be encrypted at all times, in transit or in storage.

12. Incident Response

12.1 A documented plan and associated procedures, to include the responsibilities of Journey personnel and identification of parties to be notified in case of an information security incident, must be in place.

12.2 Incident Response Process. The information security incident management program must be documented, tested, updated as needed, reviewed, and approved, with management oversight, on a periodic basis. The incident management policy and procedures must include prioritization, roles and responsibilities, procedures for escalation (internal) and notification, tracking and reporting, containment and remediation, and preservation of data to maintain forensic integrity.

13. Business Continuity and Disaster Recovery

13.1 Journey must have formal documented recovery plans to identify the resources and specify actions required to help minimize losses in the event of a disruption to the business unit, support group unit, application, or infrastructure component. Plans assure timely and orderly recovery of business, support processes, operations, and technology components within an agreed upon time frame and include orderly restoration of business activities when the primary work environment is unavailable.

13.2 Business Recovery Plans. Comprehensive business resiliency plans addressing business interruptions of key resources supporting services, including those provided by subprocessors, must be documented, tested, reviewed, and approved, with management oversight, on a periodic basis. The business resiliency plan must have an acceptable alternative work location in place to ensure service level commitments are met.

13.3 Technology Recovery. Technology recovery plans to minimize service interruptions and ensure recovery of systems, infrastructure, databases, applications, etc., must be documented, tested, reviewed, and approved, with management oversight, on a periodic basis.

14. Back-ups

14.1 Journey must have policies and procedures for back-ups of Customer’s Personal Data. Backups must be protected using industry best practices.

14.2 Back-up and Redundancy Processes. Processes enabling full restoration of production systems, applications, and data must be documented, reviewed, and approved, with management oversight, on a periodic basis.

15. Third-Party Relationships

15.1 Subprocessors must be identified, assessed, managed, and monitored. Subprocessors that provide material services, or that support Journey’s provision of material services to Customers, must comply with control requirements no less stringent than those outlined in this document.

15.2 Selection and Oversight. Journey must have a process to identify subprocessors providing services to Journey; these subprocessors must be disclosed to Customer and approved to the extent required by this Agreement.

15.3 Lifecycle Management. Journey must establish contracts with subprocessors providing material services; these contracts should incorporate security control requirements, including data protection controls and notification of security and privacy breaches. Review processes must be in place to ensure subprocessors’ fulfillment of contract terms and conditions.

16. Standard Builds

16.1 Production systems must be deployed with appropriate security configurations and reviewed periodically for compliance with Journey’s security policies and standards.

16.2 Secure Configuration Availability. Standard security configurations must be established and security hardening demonstrated. Process documentation must be developed, maintained, and under revision control, with management oversight, on a periodic basis. Configurations must include security patches, vulnerability management, default passwords, registry settings, file directory rights and permissions.

16.3 System Patches. Security patch processes and procedures, including requirements for timely patch application, must be documented.

Operating System. Versions of operating systems in use must be supported and their respective security baselines documented.

Desktop Controls. Systems must be configured to provide only essential capabilities. The ability to write to removable media must be limited to documented exceptions.

17. Application Security

17.1 Journey must have an established software development lifecycle for the purpose of defining, acquiring, developing, enhancing, modifying, testing, or implementing information systems. Journey must ensure that web-based and mobile applications used to store, receive, send, control, or access Customer Personal Data are monitored, controlled, and protected.

17.2 Functional Requirements. Applications must implement controls that protect against known vulnerabilities and threats, including the Open Web Application Security Project (“OWASP”) Top 10 Risks and distributed denial of service (DDoS) attacks.

17.3 Application layer controls must provide the ability to filter the source of malicious traffic.

17.4 Restrictions must also be placed on or in front of web server resources to limit denial of service (DoS) attacks.

17.5 Journey must monitor the uptime of any hosted web or mobile application.

17.6 Software Development Life Cycle. A Software Development Life Cycle (SDLC) methodology, including release management procedures, must be documented, reviewed, approved, and version-controlled, with management oversight, on a periodic basis. These must include activities that foster the development of secure software.

17.7 Testing and Remediation. Software executables related to client/server architecture that are involved in handling Customer Personal Data must undergo vulnerability assessments (both the client and server components) prior to release and on an on-going basis, either internally or using external experts, and any gaps identified must be remediated in a timely manner. (c) Testing must be based on, at a minimum, the OWASP Top 10 risks (or the OWASP Mobile Top 10 risks, where applicable), or comparable replacement. (d) Journey must conduct penetration testing on an annual basis.

18. Vulnerability Monitoring

18.1 Journey must continuously gather information on and analyse vulnerabilities in light of existing and emerging threats and actual attacks. Processes must include vulnerability scans, anti-malware, Intrusion Detection Systems (“IDS”)/Intrusion Prevention Systems (IPS), logging, and security information and event management (SIEM) analysis and correlation.

18.2 Vulnerability Scanning and Issue Resolution. Vulnerability scans (authenticated and unauthenticated) and penetration tests must be performed against internal and external networks and applications periodically and prior to system provisioning for production systems that process, store or transmit Customer Content.

18.3 Malware. In production, Journey must employ tools to detect, log, and disposition malware.

18.4 Intrusion Detection/Advanced Threat Protection. Network- and host-based intrusion detection/advanced threat protection must be deployed, with the events generated fed into centralized systems for analysis. These systems must accommodate routine updates and real-time alerting. IDS/advanced threat protection signatures must be kept up to date to respond to threats.

18.5 Logging and Event Correlation. Monitoring and logging must support the centralization of security events for analysis and correlation. Organizational responsibility for responding to events must be defined. Retention schedules for the various logs must be defined and followed.

18.6 Journey publishes a vulnerability disclosure policy at the customer’s request.

19. Cloud Technology

19.1 Adequate safeguards must ensure the confidentiality, integrity, and availability of Customer Personal Data stored, processed or transmitted using cloud technology (either as a cloud customer or cloud provider, to include subprocessors), using industry standards.

19.2 Audit Assurance and Compliance. The cloud environment in which data is stored, processed or transmitted must be compliant with relevant industry standards and regulatory restrictions.

19.3 Application and Interface Security. Threat modeling should be conducted throughout the software development lifecycle, together with vulnerability assessments (static and dynamic scanning and code review), to identify defects and complete remediations before hosting in cloud environments.

19.4 Business Continuity Management and Operational Resiliency. Business continuity plans to meet recovery time objectives (RTO) and recovery point objectives (RPO) must be in place.

19.5 Data Security and Information Lifecycle Management. Proper segmentation and segregation of data environments must be employed; segmentation/segregation must enable proper sanitization, per industry requirements.

19.6 Encryption and Key Management. All communications between environments must be encrypted in transit.

19.7 Governance and Risk Management. Comprehensive risk assessment processes and centralized monitoring that enables incident response and forensic investigation must be used to ensure proper governance and oversight.

19.8 Identity and Access Management. Management of accounts, including accounts with privileged access, must prevent unauthorized access and mitigate the impacts thereof.

19.9 Infrastructure and Virtualization Security. Controls defending against cyberattacks, including the principle of least privilege, baseline management, intrusion detection, host/network-based firewalls, segmentation, isolation, perimeter security, access management, detailed data flow information, network, time, and a SIEM solution must be implemented.

19.10 Supply Chain Management, Transparency and Accountability. Journey must be accountable for the confidentiality, availability and integrity of production data, to include data processed in cloud environments by subprocessors.

19.11 Threat and Vulnerability Management. Vulnerability scans (authenticated and unauthenticated) must be performed, both internally and externally, for production systems. Processes must be in place to ensure tracking and remediation.

20. Audits

20.1 At least annually, Journey will conduct an independent third-party review of its security policies, standards, operations, and procedures related to the Services provided to Customer. Such review will be conducted in accordance with the AICPA’s Statements on Standards for Attestation Engagements (SSAE), and Journey will be issued a SOC 2 Type II report. Upon Customer’s request, Journey will provide Customer with a copy of the SOC 2 Type II report within thirty (30) days. If applicable, Journey will provide a bridge letter to cover time frames not covered by the SOC 2 Type II audit period scope within 30 days, upon request by Customer. If exceptions are noted in the SOC 2 Type II audit, Journey will document a plan to promptly address such exceptions and shall implement corrective measures within a reasonable and specific period. Upon Customer’s reasonable request, Journey will keep Customer informed of progress and completion of corrective measures.

20.2 Customer shall rely on the third-party audit SOC 2 Type II report for validation of proper information security practices and shall not have the right to audit, unless such right is granted under applicable law, except in the case of a Security Breach resulting in a material business impact to Customer. If Customer exercises the right to audit as a result of a Security Breach, such audit shall be within the scope of the Services. Customer will provide Journey a minimum of thirty (30) days of notice prior to the audit. Journey shall have the right to approve any third party Customer may choose to conduct or be involved in the audit.

21. Specific Measures

Measure: Measures of pseudonymisation and encryption of personal data
Description: End-to-End Encryption of interaction: All interactions have End-to-End encryption for Journey initiated data transfer. This provides a high level of security since no third party – including Journey – has access to the session’s private keys.

Measure: Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Description: Journey utilizes security measures to ensure the ongoing confidentiality, integrity, availability, and resilience of our processing systems and services.

Measure: Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Description: Journey takes measures to facilitate the restoration of availability and access to our processing systems and services promptly in the event of a physical or technical incident.

Measure: Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Description: Journey implements a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the data we process.

Measure: Measures for ensuring physical security of locations at which personal data are processed
Description: Controls are in place to protect systems against physical penetration by malicious or unauthorized people, damage from environmental contaminants, and electronic penetration through active or passive electronic emissions.

Measure: Measures for ensuring events logging
Description: Journey implements a standard requiring all systems to log relevant security access events.

Measure: Measures for internal IT and IT security governance and management
Description: Journey implements policies and standards governing internal IT and IT security governance and management.

Measure: Measures for certification/assurance of processes and products
Description: Journey implements a Security Audit and Accountability policy.

Measure: Measures for ensuring limited data retention
Description: We retain personal data for as long as required to engage in the uses described in our Privacy Statement, unless a longer retention period is required by applicable law. The criteria used to determine our retention periods include the following:

● The length of time we have an ongoing customer relationship;

● Whether account owners modify or their users delete information through their accounts;

● Whether we have a legal obligation to keep the data (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them); or

● Whether retention is advisable in light of our legal position (such as in regard to the enforcement of our agreements, the resolution of disputes, and applicable statutes of limitations, litigation, or regulatory investigation).

Measure: Measures for ensuring accountability
Description: Journey implements a Security Audit and Accountability policy.

 

EXHIBIT C

 

US State Law Privacy Exhibit

This US State Law Privacy Exhibit (“State Law Exhibit”) supplements the terms of this Addendum to which it is attached and sets forth certain data privacy rights and obligations in connection with Specific US State Data Protection Laws. Capitalized terms used in this EXHIBIT C but not otherwise defined herein have the meaning ascribed to them in this Addendum or the Agreement.

 

Section A – General Provisions. This Section A of the State Law Exhibit applies to Journey’s provision of and Customer’s use of the Services to the extent that Customer is a Business or a Controller and Journey Processes or is Processing Customer’s Personal Information or Personal Data pursuant to CCPA or other Specific US State Data Protection Laws.

  1. Definitions. As used throughout this State Law Exhibit, “Customer” means a Business or Controller that subscribes to Journey Services. Capitalized terms used in this Section A, but not otherwise defined, have the meaning ascribed to them in Sections B 1. and C 1. below.
  2. Audits and Assessments. Journey will conduct third-party audits and assessments in accordance with Section 10.1 and 10.2 of this Addendum.
  3. Restrictions on Receipt of Information. Nothing under this State Law Exhibit shall require Journey to disclose: (a) any data or information of any other customer of Journey, or any third party; (b) any internal accounting or financial information; (c) any trade secret of Journey; or (d) any information that, in Journey’s reasonable opinion could: (i) compromise the security of Journey’s networks, systems, or premises; (ii) cause Journey to breach its security or privacy obligations to any third party; or (iii) any information sought for any reason other than the reasons outlined in this State Law Exhibit. Journey may require Customer’s agreement to reasonable Journey (or its third-party auditor or assessor’s) terms and conditions prior to providing the Journey Audit Report to Customer.
  4. Deletion of Data. Journey will (a) as required by Specific US State Data Protection Laws applicable to Customer and at Customer’s direction, delete or return all Personal Data to the Customer at the end of the provision of Services or (b) as required by the CCPA, not retain, use, or disclose Personal Information upon termination or expiration of the relationship between the Customer and Journey. Nothing in this Section A 4. will require Journey to (i) delete or return data that it must retain pursuant to applicable Laws or (ii) return instead of destroying Personal Data to the extent that return is not technically feasible, or return would impose substantial burdens, costs, or both upon Journey.

Section B – California. This Section B of the State Law Exhibit applies to Journey’s provision of and Customer’s use of the Services to the extent that Customer is a Business and Journey is Processing Personal Information on Customer’s behalf pursuant to CCPA.

  1. Definitions. As used in this Section B of the State Law Exhibit: (a) “Business”, “Business Purpose”, “Commercial Purpose”, “Consumer”, “Processing” “Sell”, “Service Provider” and “Share” have the respective meanings given in the CCPA; and (b) “Personal Information” means “personal information” as defined in the CCPA, but only to the extent the personal information is collected, accessed, obtained, received, used, disclosed, or otherwise processed by Journey as a result of Journey’s provision of Services to Customer in its capacity as a Business under the Agreement.
  2. Acknowledgments and Obligations. Journey (a) acknowledges that Personal Information is disclosed by Customer only for the limited and specified purposes of providing the Services described in an Order Form and for the purposes described in the Agreement; (b) shall comply with obligations applicable to Service Providers under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA, including the same privacy protection required to be provided by Businesses; (c) agrees that Customer may take reasonable and appropriate steps consistent with Section A 2. of this State Law Exhibit to help to ensure that Journey’s use of Personal Information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer promptly of any determination made by Journey that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information, consistent with and in accordance with applicable regulations, by requesting reasonable documentation from Journey that verifies Journey no longer retains or uses Personal Information that is subject to a valid deletion request.
  3. Restrictions. Journey shall not (a) Sell or Share Personal Information; (b) retain, use, or disclose any Personal Information for any purpose other than for the purpose(s) described in Section B 2. (a) of this State Law Exhibit, or as otherwise permitted by the CCPA, including retaining, using, or disclosing Personal Information for a Commercial Purpose other than such purpose(s) or the servicing of a different Business; (c) retain, use or disclose Personal Information outside of the direct business relationship between Journey and Customer, except to the extent permitted by CCPA; or (d) combine the Personal Information received pursuant to the Agreement with Personal Information received from another party, or Journey’s own interactions with the Consumer to whom the Personal Information pertains, except to the extent a Service Provider is permitted to do so under the CCPA. Journey hereby certifies that it understands its obligations under this State Law Exhibit and will comply with them.
  4. Audits, Reviews, and Assessments. Customer, subject to reasonable requirements and written agreements as required by Journey and consistent with the CCPA, and at Customer’s sole cost and expense, may audit, review, or assess Journey not more than once every twelve (12) months, in accordance with Section A 2. of this State Law Exhibit.
  5. Consumer Requests. Customer will promptly notify Journey and provide all necessary information to Journey after receiving and verifying a Consumer request, and Journey shall promptly take such actions and provide such information as Customer may reasonably request pertaining to a Consumer’s Personal Information in order to help Customer fulfill requests of individuals to exercise their rights under the CCPA, including, without limitation, requests to access, correct, delete, opt out of the Sale or Sharing of, or receive information about Personal Information pertaining to them. If Journey receives any request directly from Customer’s Consumer(s), then Journey may either (i) advise the Consumer to contact Customer directly with such request or (ii) contact Customer to respond directly to the Consumer.

 

Section C – Virginia, Colorado, Utah & Other States. This Section C of the State Law Exhibit applies to Journey’s provision of and Customer’s use of the Services to the extent that Customer is a Controller of Personal Data and Journey Processes Customer’s Personal Data under Specific US State Data Protection Laws.

  1. Definitions. As used in this Section C of the State Law Exhibit: (a) “Controller”, “Personal Data”, “Process” and “Processor” shall have the respective meanings given to them in the Specific US State Data Protection Laws; and (b) “Instructions” has the meaning given below.
  2. Processing of Personal Data: Roles, Scope, and Responsibility.
    1. For the purposes of this State Law Exhibit, the parties acknowledge and agree to the following: (i) Customer is the Controller of Customer Personal Data and (ii) Journey is the Processor of Customer Personal Data.
    2. Only to the extent necessary and proportionate, Customer as Controller instructs Journey to perform the activities as Processor on behalf of Customer in accordance with the Instructions set forth in Section 2.2 of this Addendum.
    3. To the extent that Journey acts as a Processor of Customer Personal Data, Journey shall Process Customer Personal Data only in accordance with Customer’s Instructions. Customer shall ensure that its Instructions to Journey comply with all Laws, rules, and regulations applicable to the Customer Personal Data, and that the Processing of Customer Personal Data per Customer’s Instructions will not cause Journey to be in breach of Specific US State Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Customer Personal Data provided to Journey by or on behalf of Customer; (ii) how Customer acquired any such Customer Personal Data; and (iii) the Instructions it provides to Journey regarding the Processing of such Customer Personal Data. Customer shall not provide or make available to Journey any Customer Personal Data in violation of the Agreement, this Addendum, or this State Law Exhibit.
    4. Customer authorizes Journey to conduct scanning and reporting of Personal Data in limited circumstances (e.g., to detect and report Child Sexual Abuse Material; to comply with other applicable Laws; to ensure compliance with Journey’s Acceptable Use Guidelines).
    5. With regard to Personal Data, the “EXHIBIT A Controller to Processor” portion of this Addendum further describes the nature and purposes of the Processing, the types of Personal Data to be Processed, and the duration of the Processing.
  3. Authorized Persons. Journey shall ensure that all persons authorized to Process Customer Personal Data are made aware of the confidential nature of Customer Personal Data and are subject to a duty of confidentiality with respect to the data.
  4. Subcontractors and Subprocessors. To the extent that Journey is a Processor, Customer hereby generally authorizes Journey to engage subcontractors and subprocessors in accordance with this Section C 4.
    1. Customer approves Journey’s use of the providers located at https://Journeyid.com/en/subprocessors/ to Process Customer’s Personal Data.
    2. Journey may remove, replace or appoint additional providers. Provided Customer subscribes to updates at https://Journeyid.com/en/subprocessors/, Journey shall notify Customer of any changes to these provider engagements. Where required by Specific US State Data Protection Laws, Journey shall also provide an opportunity for Customer to object to the engagement in accordance with Sections C 4. (d) and C 4. (e) herein. In an emergency concerning availability or security of the Services, Journey is not required to provide prior notification to Customer of the removal, replacement, or appointment of subcontractors, but shall provide notification within seven (7) business days following the change in a subcontractor.
    3. In either case, the Customer may object to such an engagement of a subcontractor in writing within fifteen (15) business days of receipt of the aforementioned notice by Journey.
    4. If the Customer objects to the engagement of a new subcontractor, Journey shall have the right to cure the objection through one of the following options (to be selected at Journey’s sole discretion):
       i. Journey may cancel its plans to use the subcontractor with regard to Customer Personal Data.
       ii. Journey may take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the subcontractor with regard to Customer Personal Data.
       iii. Journey may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Service that would involve the use of such a subcontractor with regard to Customer Personal Data. Journey shall provide Customer with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If Journey, in its sole discretion, cannot provide any such alternative(s), or if Customer does not agree to any such alternative(s), if provided, Journey and Customer may terminate the affected portion(s) of the Agreement with thirty (30) days prior written notice. Termination shall not relieve Customer of any fees or charges owed to Journey for Services provided up to the effective date of the termination under the Agreement.
    5. If Customer does not object to a new subcontractor’s engagement within fifteen (15) business days of notice issuance from Journey, that new subcontractor shall be deemed accepted.
    6. Journey shall engage any subcontractor that Processes Customer’s Personal Data only pursuant to a written contract and require the subcontractor to meet any obligations of Journey that are subcontracted with respect to such Personal Data. Journey remains liable to Customer where that subcontractor fails to fulfill its data protection obligations for the performance of that subcontractor’s obligations to the same extent that Journey would itself be liable under this State Law Exhibit had it conducted such acts or omissions.
  5. Information Security. Taking into account the context of Processing, Journey shall maintain appropriate technical and organizational measures with regard to Customer Personal Data to ensure a level of security appropriate to the risk in accordance with this State Law Exhibit and as otherwise expressly stated in the Agreement.
  6. Compliance Information. Upon the reasonable request of Customer, Journey shall make available to Customer reasonable information, consistent with and in accordance with applicable Laws, in Journey’s possession necessary to demonstrate Journey’s compliance with Journey’s obligations in this State Law Exhibit.