Data Security Standards Schedule
The following are the Data Security Standards in respect of the Cloud Service provided by Varicent to Customer pursuant to the Varicent Cloud Services Agreement at https://www.varicent.com/legal_terms (the “Agreement”). Capitalized terms shall have the meanings set forth in the Agreement or elsewhere herein.
Varicent shall implement the following technical and organizational measures (“TOMs”) in its provision of the Cloud Service, including any underlying applications, platforms, and infrastructure components operated and managed by Varicent in providing the Cloud Service (“Components”).
1. DEFINITIONS
Capitalized terms shall have the meanings set forth in this Schedule or elsewhere in the Agreement. The terms “Data Subjects”, “Processing”, “Personal Data Breach”, “Data Protection Impact Assessment”, “Processor” and “Controller” shall have the meanings given to them in the GDPR. The term “Supervisory Authority” shall mean a regulatory or other governmental body or authority with jurisdiction or oversight over Data Protection Laws. The term “C2P SCCs” shall mean the Standard Contractual Clauses between Controllers and Processors (Module Two) as approved by the European Commission Implementing Decision 2021/914 of June 4, 2021 (“Decision”). The term “P2P SCCs” shall mean the Standard Contractual Clauses between Processors (Module Three) as approved by the Decision. The P2P SCCs together with the C2P SCCs shall be referred to as the “EU SCCs”. The EU Standard Contractual Clauses (2010/87/EU) shall be referred to as the “2010 SCCs”. The “UK Addendum” shall refer to the template issued by the UK Information Commissioner and approved by the UK Parliament, which came into force on March 21, 2022. Unless otherwise indicated, references in this Schedule to Sections or Attachments mean the Sections of, and Attachments to, this Schedule.
2. DATA PROTECTION
2.1. The security and privacy measures for the Cloud Service are designed to protect Customer Data input therein and to maintain the availability of such Customer Data pursuant to the Agreement. Varicent shall treat all Customer Data as confidential by not using, maintaining, or disclosing Customer Data except for purposes of providing the Cloud Service pursuant to the Agreement or as otherwise required by applicable Law, and specifically shall not disclose Customer Data except to Varicent Personnel, and only to the extent necessary to deliver the Cloud Service, unless otherwise specified in the Agreement.
2.2. Varicent shall securely sanitize physical media intended for reuse prior to such reuse and shall destroy physical media not intended for reuse.
2.3. The TOMs set forth in this Schedule shall be subject to audits as set forth in the applicable Software Schedule for the Software ordered by Customer in an Order. Upon request, Varicent shall provide evidence of stated compliance and accreditation, such as certificates, attestations, or reports resulting from accredited independent Third-Party audits, and other industry standards as specified in the Agreement.
2.4. Additional security and privacy information specific to the Cloud Service may be available elsewhere in the Agreement or the Documentation to aid in Customer’s initial and ongoing assessment of the Cloud Service’s suitability for use. Varicent shall direct Customer to available standard Documentation and/or audit reports/certifications if asked to complete Customer-preferred questionnaires or forms, and Customer agrees such Documentation shall be used in lieu of any such request. Varicent may charge an additional fee to complete any Customer-preferred questionnaires or forms or to provide consultation to Customer for such purposes.
3. SECURITY POLICIES
3.1. Varicent shall maintain and follow IT security policies and practices that are integral to Varicent’s business and mandatory for all Varicent employees. Varicent’s management shall maintain responsibility and executive oversight for such policies, including formal governance and revision management, employee education, and compliance enforcement.
3.2. Varicent shall review its IT security policies at least annually and amend such policies as Varicent deems reasonable to maintain protection of the Cloud Service and Customer Data processed therein.
3.3. Varicent shall maintain and follow its standard mandatory employment verification requirements for all new hires. In accordance with Varicent internal processes and procedures, these requirements shall be periodically reviewed and include criminal background checks, proof of identity validation, and additional checks as deemed necessary by Varicent and permitted under applicable Law.
3.4. Varicent employees shall complete security and privacy education annually and certify each year that they shall comply with Varicent security and privacy policies. Additional policy and process training may be provided to individuals depending on their role in supporting the business and as required to maintain compliance and certifications stated in the Agreement.
4. SECURITY INCIDENTS
4.1. Varicent shall maintain and follow documented incident response policies for computer Security Incident handling and shall comply with the data breach notification terms of the Agreement.
4.2. Varicent shall investigate unauthorized access and unauthorized use of Customer Data in connection with or through the Cloud Service of which Varicent becomes aware (a “Security Incident”) and Varicent shall define and execute an appropriate response plan. Customer may notify Varicent of a suspected vulnerability or Security Incident by submitting a support ticket.
4.3. Varicent shall notify Customer without undue delay upon confirmation of a Security Incident that is known or reasonably suspected by Varicent to affect the Customer Data, as may be required by applicable Law or the terms of the Agreement. Varicent shall provide Customer with reasonably requested information about such Security Incident and the status of any Varicent remediation and restoration activities.
4.4. Varicent shall notify Customer without undue delay after becoming aware of a Personal Data Breach with respect to the Cloud Service. Varicent shall promptly investigate the Personal Data Breach if it occurred on Varicent infrastructure or in another area for which Varicent is responsible and shall assist Customer as set forth in Section 9.
5. ACCESS, INTERVENTION, TRANSFER, AND SEPARATION CONTROL
5.1. Varicent shall maintain documented security architecture of networks managed by Varicent in its operation of the Cloud Service. Varicent shall separately review such network architecture, including measures designed to prevent unauthorized network connections to systems, applications and network devices, for compliance with its secure segmentation, isolation, and defense-in-depth standards prior to implementation.
5.2. Varicent shall maintain measures for the Cloud Service that are designed to logically separate and prevent Customer Data from being exposed to or accessed by unauthorized Persons. Varicent shall maintain appropriate isolation of its production and non-production environments, and, if Customer Data is transferred to a non-production environment (for example, in order to reproduce an error at Customer's request), security and privacy protections in the non-production environment shall be equivalent to those in production.
5.3. Varicent shall encrypt Customer Data in transit using industry accepted cryptographic algorithms when transferring Customer Data over public networks and enable use of a cryptographic protocol, such as HTTPS, SFTP, and FTPS, for Customer’s secure transfer of Customer Data to and from the Cloud Service over public networks.
5.4. Varicent shall encrypt Customer Data at rest using industry accepted cryptographic algorithms. Varicent manages the cryptographic keys and shall maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use.
5.5. If Varicent requires access to Customer Data, it shall restrict such access to the minimum level required. Such access, including administrative access to any underlying Components (“Privileged Access”), shall be individual, role-based, and subject to approval and regular validation by authorized Varicent Personnel following the principles of segregation of duties. Varicent shall maintain measures to identify and remove redundant and dormant accounts with Privileged Access and shall promptly revoke such access upon the account owner’s separation or the request of authorized Varicent Personnel, such as the account owner’s manager.
5.6. Consistent with industry standard practices, and to the extent natively supported by each Component managed by Varicent within the Cloud Service, Varicent shall maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and measures requiring secure transfer and storage of such passwords and passphrases.
5.7. Varicent shall monitor use of Privileged Access and maintain security information and event management measures designed to: (a) identify unauthorized access and activity; (b) facilitate a timely and appropriate response; and (c) enable internal and independent Third Party audits of compliance with documented Varicent policy.
5.8. Logs in which Privileged Access and activity are recorded shall be retained in compliance with Varicent’s records management plan. Varicent shall maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of such logs.
5.9. To the extent supported by native device or operating system functionality, Varicent shall maintain computing protections for its end-user systems that include endpoint firewalls, encryption, signature-based malware detection and removal, time-based screen locks, and endpoint management solutions that enforce security configuration and patching requirements.
6. SERVICE INTEGRITY AND AVAILABILITY CONTROL
6.1. Varicent shall: (a) perform security and privacy risk assessments of the Cloud Service at least annually; (b) perform penetration testing and vulnerability assessments, including automated system and application security scanning and manual ethical hacking, annually; (c) enlist a qualified independent Third Party to perform penetration testing at least annually; (d) perform automated management and routine verification of underlying Components’ compliance with security configuration requirements; and (e) remediate identified vulnerabilities or noncompliance with its security configuration requirements based on associated risk, exploitability, and impact. Varicent shall take reasonable steps to avoid Cloud Service disruption when performing its tests, assessments, scans, and execution of remediation activities.
6.2. Varicent shall maintain policies and procedures reasonably designed to manage risks associated with the application of changes to the Cloud Service. Prior to implementation, changes to the Cloud Service, including its systems, networks, and underlying Components, shall be documented in a registered change request that includes a description and reason for the change, implementation details and schedule, and documented approval by authorized Varicent Personnel.
6.3. Varicent shall maintain a reasonably up to date inventory of all information technology assets used in its operation of the Cloud Service. Varicent shall monitor and manage the health, including capacity, and availability of the Cloud Service and its underlying Components.
Varicent shall implement, test, and maintain business continuity and disaster recovery plans consistent with industry standard practices and as described in the Agreement.
6.4. Varicent shall maintain measures designed to assess, test, and apply security advisory patches to the Cloud Service and its associated systems, networks, applications, and underlying Components. Upon determining that a security advisory patch is applicable and appropriate, Varicent shall implement the patch pursuant to documented severity and risk assessment guidelines. Implementation of security advisory patches shall be subject to Varicent change management policy.
6.5. Data Back-Up. Varicent shall back up the Cloud Service and Customer Data stored therein daily and copy such back-ups to an off-site location. Back-ups shall be encrypted at rest and during transmission to the offsite location.
6.6. Disaster Recovery. If a Force Majeure Event occurs that causes the Cloud Service to be unavailable, Varicent shall work to restore Customer’s access to the Cloud Service with a recovery time objective within fourteen (14) days. The environment shall be restored using the most recent data backup, with no more than twenty-four (24) hours of Customer Data loss in the restored Customer Data set.
7. PROCESSING OF CUSTOMER PERSONAL DATA
7.1. Processing.
7.1.1. Customer is (a) a Controller and exporter of any Personal Data that Varicent Processes on behalf of Customer (“Customer Personal Data”) or (b) acting as a Processor and exporter on behalf of other Controllers and has been instructed by and obtained the authorization of the relevant Controller(s) to agree to the Processing of Customer Personal Data by Varicent as importer and Customer’s Subprocessor as set out in the Agreement. Customer appoints Varicent as a Processor to Process Customer Personal Data. If there are other Controllers, Customer shall identify and inform Varicent of any such other Controllers prior to providing their Personal Data, in accordance with this Schedule.
7.1.2. Customer shall comply with all applicable requirements of the Data Protection Laws, and Customer will ensure that it has a lawful basis and all necessary appropriate consents and notices in place to enable the lawful transfer of Personal Data to Varicent for the duration and purposes of the Agreement.
7.1.3. A list of categories of Data Subjects, types of Customer Personal Data, Special Categories of Personal Data and the Processing activities is set out in Attachment A (Personal Data Processing Attachment). The duration of the Processing corresponds to the applicable Subscription Term, unless otherwise stated in Attachment A. The purpose and subject matter of the Processing is the provision of the Cloud Service as described in the Agreement.
7.1.4. Varicent shall Process Customer Personal Data according to Customer’s instructions set forth in the Agreement, and, if applicable, Customer’s and its Authorized Users’ use and configuration of the features of the Cloud Service. Customer may provide further legally required instructions regarding the Processing of Customer Personal Data (“Additional Instructions”) as described in Section 9.2. If Varicent notifies Customer that an Additional Instruction is not feasible, the Parties shall work together to find an alternative. If Varicent notifies Customer that neither the Additional Instruction nor an alternative is feasible, Customer may terminate its use of the Cloud Service which cannot be accommodated by Varicent within 14 days of Varicent’s notification to the Customer. If Varicent believes an instruction violates the Data Protection Laws, Varicent shall immediately inform Customer, and may suspend the performance of such instruction until Customer has modified or confirmed its lawfulness in documented form. As of the Effective Date, Varicent does not believe that the laws and practices in any third country of destination applicable to its Processing of the Customer Personal Data prevent Varicent from fulfilling its obligations herein.
7.1.5. Customer shall serve as a single point of contact for Varicent. As other Controllers may have certain direct rights against Varicent, Customer undertakes to exercise all such rights on their behalf and to obtain all necessary permissions from the other Controllers. Varicent shall be discharged of its obligation to inform or notify another Controller when Varicent has provided such information or notice to Customer. Similarly, Varicent shall serve as a single point of contact for Customer with respect to its obligations as a Processor under the Agreement.
7.1.6. Varicent shall comply with all Data Protection Laws in respect of the Cloud Service applicable to Varicent as Processor. Varicent is not responsible for determining the requirements of Laws applicable to Customer’s business or that the Cloud Service meets the requirements of any such applicable Laws. As between the Parties, Customer is responsible for the lawfulness of the Processing of Customer Personal Data. Customer shall not use the Cloud Service in a manner that would violate applicable Data Protection Laws.
7.2. Data Subject Rights and Requests.
7.2.1. Varicent shall inform Customer of requests from Data Subjects exercising their Data Subject rights (including access, rectification, deletion, and blocking of data) addressed directly to Varicent regarding Customer Personal Data. Customer shall be responsible for handling such requests of Data Subjects. Varicent shall reasonably assist Customer in handling such Data Subject requests in accordance with Section 9.2.
7.2.2. If a Data Subject brings a claim directly against Varicent for a violation of their Data Subject rights, Customer shall reimburse Varicent for any cost, charge, damages, expenses, or loss arising from such claim, to the extent that Varicent has notified Customer about the claim and given Customer the opportunity to cooperate with Varicent in the defense and settlement of the claim. Subject to the terms of the Agreement, Customer may claim from Varicent damages resulting from Data Subject claims for a violation of their Data Subject rights caused by Varicent’s breach of its obligations under Section 7.1 of the Agreement or this Schedule.
7.3. Third Party Requests and Confidentiality.
7.3.1. Varicent shall not disclose Customer Personal Data to any Third Party unless authorized by Customer or required by applicable Law. If a government or Supervisory Authority demands access to Customer Personal Data, Varicent shall notify Customer prior to disclosure, unless such notification is prohibited by applicable Law.
7.3.2. Varicent requires all of its Personnel authorized to Process Customer Personal Data to commit themselves to confidentiality and not Process such Customer Personal Data for any other purposes, except on instructions from Customer or unless required by applicable Law.
7.4. Return or Deletion of Customer Personal Data. Upon termination or expiration of the Agreement, Varicent shall delete Customer Personal Data in its possession as set out in the Agreement, unless otherwise required by applicable Law.
7.5. Subprocessors.
7.5.1. Customer authorizes the engagement of other Processors to Process Customer Personal Data (“Subprocessors”), including all Varicent Affiliates who may provide Professional and Support Services from their respective jurisdictions. A list of current Third Party Subprocessors is set out in the applicable Software Schedule for the Software ordered by Customer in an Order. Additional Subprocessors and processing locations with respect to Professional Services may be outlined in a SOW or agreed upon in writing with Customer. Varicent shall notify Customer in advance of any addition or replacement of such Subprocessors. Within thirty (30) days after Varicent’s notification of the intended change, Customer can object to the addition of a Subprocessor on the basis that such addition would cause Customer to violate applicable Law. Customer’s objection shall be in writing and include Customer's specific reasons for its objection and options to mitigate, if any. If Customer does not object within such period, the respective Subprocessor may be commissioned to Process Customer Personal Data. Varicent shall impose similar but no less protective data protection obligations as set out in this Schedule on any approved Subprocessor prior to the Subprocessor initiating any Processing of Customer Personal Data, as appropriate taking into account factors such as the nature, scope, context, and purposes of the Processing, and access to Personal Data.
7.5.2. If Customer legitimately objects to the addition of a Subprocessor and Varicent cannot reasonably accommodate Customer’s objection, Varicent shall notify Customer and Customer may terminate the Cloud Service within 14 days of Varicent’s notification to the Customer; otherwise, the Parties shall cooperate to find a feasible solution in accordance with the dispute resolution process.
7.6. Transborder Data Processing.
7.6.1. In the case of a transfer of Customer Personal Data to a country not providing an adequate level of protection pursuant to the Data Protection Laws (a “Non-Adequate Country”), the Parties shall cooperate to ensure compliance with the applicable Data Protection Laws as set out in this Section 7.6. If either Party believes the measures set out below are not sufficient to satisfy applicable Law, they shall notify the other Party and the Parties shall work together to find an alternative.
7.6.2. By entering into the Agreement, Customer is entering into the following with (i) each Subprocessor that is a Varicent Affiliate located in a Non-Adequate Country (“Varicent Data Importers”) and (ii) Varicent, if located in a Non-Adequate Country:
a. if Customer is a Controller of all or part of the Customer Personal Data, Customer is entering into the C2P SCCs in respect of such Customer Personal Data; and
b. if Customer is acting as Processor on behalf of other Controllers of all or part of the Customer Personal Data, then Customer is entering into the P2P SCCs, provided that, Customer has entered into separate EU Standard Contractual Clauses with the Controllers or on behalf of the other Controller(s).
Customer agrees in advance that any new Varicent Data Importer engaged by Varicent in accordance with Section 7.5 shall become an additional data importer under the applicable SCCs.
7.6.3. If a Subprocessor located in a Non-Adequate Country is not a Varicent Data Importer (a “Third Party Data Importer”) then, Varicent or a Varicent Data Importer shall enter into P2P SCCs with such Third Party Data Importer.
7.6.4. The following specifications shall also apply to EU SCC clauses between Customer and Varicent:
a. Docking Clause. The option under clause 7 shall not apply;
b. Instructions. For the purposes of clause 8.1(a), the instructions by Customer to Process Personal Data are set out in Section 7.1 of this Schedule;
c. Certification of Deletion. The certification of deletion of Personal Data described in clauses 8.5 and 16(d) shall be provided by Varicent only upon Customer's written request;
d. Security of Processing. For the purpose of clause 8.6(a), Customer agrees that the TOMs set forth in this Schedule provide a level of security appropriate to the risk with respect to its Personal Data. For the purpose of clause 8.6(c), Personal Data breaches will be handled in accordance with Section 4 of this Schedule; with respect to P2P SCC clauses 8.6(c) and (d), Varicent shall provide breach notifications only to Customer;
e. Audits. The audits described in clause 8.9 shall be carried out in accordance with Section 8 of this Schedule; with respect to P2P SCCs, all inquiries from other Controllers shall be provided to Varicent by Customer;
f. Use of Sub-processors. Option 2 under clause 9 shall apply; Varicent shall be entitled to engage Subprocessors in accordance with Section 7.5 of this Schedule;
g. Data Subject Rights. For the purpose of clause 10, Data Subject requests and related assistance shall be handled in accordance with Sections 7.2 and 9 of this Schedule, respectively; with respect to P2P SCCs, Varicent shall be required to communicate requests only to Customer;
h. Liability. For the avoidance of doubt, Varicent’s liability under clause 12(b) shall be limited as specified in Article 82 of the GDPR;
i. Supervision. For the purpose of clause 13, data exporter’s competent supervisory authority will be determined in accordance with the GDPR;
j. Notification of Government Access Requests. For the purpose of clause 15(1), Varicent shall provide notification to Customer only and not individual Data Subjects;
k. Governing Law and Choice of Forum. For the purpose of clauses 17 and 18, governing law and jurisdiction shall be that which is outlined in the Agreement. (i) If the Agreement is not governed by EU law, the SCCs will be governed by the laws and courts of Ireland; or (ii) where the Agreement is governed by the laws and courts of the United Kingdom, the laws of England and Wales;
l. Appendices. With respect to the SCC Annexes, the contents of Attachment A to this Schedule shall form Annex 1B; the contents of Annex 1C shall be determined in accordance with the GDPR; the TOMs herein shall form Annex 2.
7.6.5. To the extent Personal Data subject to the GDPR as implemented under United Kingdom (“UK”) laws (“UK GDPR”) or the data protection laws of Switzerland (“Swiss Data Protection Laws”) is transferred to a Non-Adequate Country: (A) the subclauses above in this Section shall apply if the EU SCCs are a legally valid data protection mechanism; or (B) where the UK Addendum is the legally valid data protection mechanism, the Parties are deemed to enter into the UK Addendum, with Table 1 of the UK Addendum being populated with the Parties’ details outlined in the applicable Order, Table 2 of the UK Addendum being populated with the EU SCC details outlined in this Section herein, Table 3 Annex 1A being populated with the Party details outlined in the applicable Order, Table 3 Annex 1B being populated as outlined in subsection (k) above, Table 3 Annex 2 being populated with the TOMs outlined herein as appropriate to the Services and processing performed, and Table Annex 3 being populated as described in Section 7.5; neither Party may end the Addendum without the other’s written permission. Varicent will enter into back-to-back SCCs or UK Addenda with third party data importers as legally required and applicable to their Services. The following shall apply to the foregoing options: (i) references and obligations in the EU SCCs shall have the same meaning as the equivalent reference and obligation in the UK GDPR or Swiss Data Protection Laws, as applicable; (ii) references to the EU or member states in the EU SCCs shall be amended to refer to the United Kingdom and Switzerland, as applicable; and (iii) references to supervisory authorities in the EU SCCs shall be amended to refer to the UK Information Commissioner's Office and the Swiss Federal Data Protection and Information Commissioner, respectively.
7.6.6. If Customer is unable to agree to C2P SCCs or the 2010 SCCs on behalf of another Controller, as set out in Section 7.6, Customer shall procure the agreement of such other Controller to enter into those agreements directly with the applicable Varicent Data Importer. Customer agrees on behalf of itself and all other Controllers that the EU SCCs and 2010 SCCs, including any claims arising from them, are subject to the terms set forth in the Agreement including the exclusions and limitations of liability. In case of conflict with the Agreement, the EU SCCs and 2010 SCCs, as applicable, shall prevail.
8. AUDIT
8.1. Varicent shall allow for, and contribute to, audits, including inspections, conducted by Customer or another auditor mandated by Customer solely in order for Customer to determine that Varicent is processing Personal Data in accordance with the Agreement, in accordance with the following procedures:
8.1.1. Upon Customer's written request, Varicent shall provide Customer or its mandated auditor with the most recent certifications and/or summary audit report(s) which Varicent has procured to regularly test, assess, and evaluate the effectiveness of Varicent’s TOMs.
8.1.2. Varicent shall reasonably cooperate with Customer by providing available additional information concerning the TOMs reasonably required by Customer to help Customer better understand them.
8.1.3. If further information is needed by Customer (acting reasonably) to comply with its own or other Controllers’ audit obligations or a competent Supervisory Authority’s request, Customer shall inform Varicent in writing to enable Varicent to provide such information or to grant access to it. For the avoidance of doubt, Varicent shall be under no obligation to disclose confidential or commercially sensitive information as part of such audits.
8.1.4. To the extent it is not possible to otherwise satisfy an audit right mandated by applicable Law or expressly agreed by the Parties in writing, only legally mandated entities (such as a governmental regulatory agency having oversight of Customer’s operations), Customer, or its mandated auditor may (on no less than 14 days prior written notice to Varicent) conduct an onsite visit of the Varicent facilities used to provide the Cloud Service, during normal business hours and only in a manner that causes minimal disruption to Varicent’s business.
8.2. All such audits shall be subject to the auditing party’s execution of a confidentiality agreement acceptable to Varicent and shall be conducted at Customer’s expense.
8.3. Any auditor mandated by the Customer shall not be a direct competitor of Varicent with regard to the Services and shall be bound to an obligation of confidentiality.
8.4. Each Party shall bear its own costs in respect of Section 8.1.1 and Section 8.1.2; otherwise, Section 9.2 applies.
9. ASSISTANCE
9.1. Varicent shall assist Customer by means of the TOMs in the fulfillment of Customer’s obligation to comply with the rights of Data Subjects and in ensuring compliance with Customer’s obligations relating to the security of Processing, the notification and communication of a Personal Data Breach, and the Data Protection Impact Assessment, including prior consultation with the responsible Supervisory Authority, if required, taking into account the nature of the Processing and the information available to Varicent.
9.2. Customer shall make a written request for any assistance referred to in this Schedule. Varicent may charge Customer no more than a reasonable charge to perform such assistance or an Additional Instruction, such charges to be set forth in a Change Order and agreed in writing by the Parties. If Customer does not agree to the Change Order, the Parties agree to reasonably cooperate to find a feasible solution in accordance with the dispute resolution process set forth in the Agreement.
ATTACHMENT A: PERSONAL DATA PROCESSING ATTACHMENT
1. CATEGORIES OF DATA SUBJECTS
Data Subjects of any Customer Personal Data that generally can be processed in the Cloud Service may include Customer’s and its Affiliates’ employees, contractors, business partners, or customers, and, to the extent required by applicable Law, any other Persons whose Personal Data is processed by the Cloud Service. Varicent shall process Personal Data of all Data Subjects listed above in accordance with the Agreement. Given the nature of the Cloud Service, Customer acknowledges that Varicent is not able to verify or maintain the above list of Categories of Data Subjects. Therefore, if Customer shall not use the Cloud Service with all the Data Subjects set out above, Customer is responsible for providing complete, accurate, and up-to-date information to Varicent on the actual Data Subjects from within the above list that Customer shall process in the Cloud Service via Additional Instructions to Varicent as set forth in the Data Security Standards.
2. PERSONAL DATA
The lists as set out below are the Types of Personal Data and Special Categories of Personal Data that generally can be processed within the Cloud Service. Varicent shall process all Types of Personal Data and Special Categories of Personal Data listed below in accordance with the Agreement. Given the nature of the Cloud Service, Customer acknowledges that Varicent is not able to verify or maintain the below lists of Types of Personal Data and Special Categories of Personal Data. Therefore, if Customer shall not use the Cloud Service for all the Types of Personal Data and Special Categories of Personal Data set out below, then Customer is responsible for providing complete, accurate, and up-to-date information to Varicent on the actual Types of Personal Data and Special Categories of Personal Data from within the below list that Customer shall process in the Cloud Service via Additional Instructions to Varicent as set forth in the Data Security Standards. Customer acknowledges that health information, social security numbers, government identification numbers, payment card data, and similarly sensitive information are not required for use of the Service and Customer agrees not to provide Varicent with any such information.
2.1. Types of Personal Data.
a. Basic Personal Data (such as name, email, electronic signature etc.);
b. Role-related Personal Data such as job title, unit/department, location, supervisor/subordinates, employee identification number, employment type, compensation information such as but not limited to sales commission rates and eligibility, quotas, and target information, etc.;
c. Technically Identifiable Personal Data (such as device IDs, usage-based identifiers, static IP address, etc. - when linked to an individual).
Customer should not include Personal Data in text fields that are not intended for or do not request Personal Data.
2.2. Special Categories of Personal Data. The Cloud Service was not designed to process any Special Categories of Personal Data.
3. PROCESSING ACTIVITIES
The Processing activities with regard to Customer Data (including Customer Personal Data) within the Cloud Service include:
a. Receipt of Customer Data from Data Subjects and/or third parties;
b. Computer processing of Customer Data, including data transmission, data retrieval, data access, and network access to allow data transfer if required;
c. Technical customer support involving Customer Data at Customer request, including monitoring, problem determination, and problem resolution;
d. Transformation and transition of Customer Data as necessary to deliver the Cloud Service;
e. Storage and associated deletion of Customer Data; and
f. Backup of Customer Data.
4. DURATION OF PROCESSING
The duration of Processing within the Cloud Service corresponds to the duration of the applicable Subscription Term. Varicent shall remove Customer Data (including any Customer Personal Data) that is stored or persisted within the Cloud Service at the time of termination or expiration of the applicable Subscription Term.
5. TECHNICAL AND ORGANIZATIONAL MEASURES
The TOMs set forth in the Data Security Standards apply to all Customer Data processed by Varicent within the Cloud Service, including Customer Personal Data.
6. DELETION AND RETURN OF DATA
6.1. During the term of the Agreement, so long as Customer’s access to the Cloud Service is not suspended pursuant to Section 2.5 of the Agreement, Customer may download from the Cloud Service a copy of the Customer Data.
6.2. Customer may also request removal of Customer Data (including Customer Personal Data) at any time prior to termination or expiration of the Agreement Term.
7. VARICENT HOSTING AND PROCESSING LOCATIONS
The Varicent data hosting and processing locations used for the Cloud Service are set forth in the Software Schedule for the Software ordered by Customer in an Order. Customer may be able to request that Varicent use a subset of these locations. Varicent may add additional hosting and processing locations in accordance with the Data Security Standards.
8. THIRD PARTY SUBPROCESSORS
The Cloud Service involves third party Subprocessors in the Processing of Customer Data, including Customer Personal Data, as set forth in the Software Schedule for the Software ordered by Customer in an Order.
9. PRIVACY CONTACT AND CUSTOMER NOTIFICATIONS
The general privacy contact for the Cloud Service is privacy@varicent.com.
10. DATA PRIVACY OFFICER AND OTHER CONTROLLERS
Customer is responsible for providing to Varicent complete, accurate, and up-to-date information about its data privacy officer and any other Controllers (including their data privacy officer).
DSS_New_Feb 2023