DPA

GOODCOURSE DATA PROCESSING ADDENDUM

This Data Processing Addendum (including all Schedules attached hereto, the “DPA”) is incorporated into, and is subject to the GoodCourse Terms and Conditions and any applicable Order Form, or other written or electronic agreement (“Agreement”) between GoodCourse and the entity identified as “Client”in the Agreement (“Client”). This DPA applies to the extent GoodCourse’s Processing of Client PersonalData is subject to the Data Protection Laws. This DPA shall be effective for the term of the Agreement.

1. Definitions

1.1. For this DPA:

1.1.1. “CCPA” means the California Consumer Privacy Act, including as modified by the California Privacy Rights Act (“CPRA”) once the CPRA takes effect, together with any implementing regulations;

1.1.2. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data;

1.1.3. “Client Personal Data” means the Personal Data described under Schedule 1 to this DPA;

1.1.4. “Data Protection Laws” means all laws relating to data protection and privacy applicable to GoodCourse’s Processing of Client Personal Data, including without limitation, the CCPA, the GDPR and member state or United Kingdom laws implementing the GDPR, the United Kingdom’s Data Protection Act 2018, and applicable privacy and data protection laws of any other jurisdiction, each as amended, repealed, consolidated or replaced from time to time;

1.1.5. “Data Subjects” means the individuals identified in Schedule 1;

1.1.6. “EU SCCs” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time;

1.1.7. “GDPR” means the General Data Protection Regulation (EU) 2016/679 together with any national implementing laws in any member state of the EEA (“EU GDPR”) and the EU GDPR as incorporated into the laws of the United Kingdom (“UK GDPR”);

1.1.8. “Personal Data”, “Personal Data Breach” and “Processing” will each have the meaning given to them in the Data Protection Laws. The term “Personal Data” includes “personal information,” “personally identifiable information,” and equivalent terms as such terms maybe defined by the Data Protection Laws. The term “Personal Data Breach” includes equivalent terms as defined by the Data Protection Laws;

1.1.9. “Processor” means the entity which Processes Personal Data on behalf of the Controller;

1.1.10. “Sell” has the meaning given in the Data Protection Laws; and

1.1.11. “UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner’s Office, in force as of 21 March 2022, available at international-data-transfer-addendum.pdf (ico.org.uk).

1.2. Capitalized terms not otherwise defined herein shall have the meaning given to them in theAgreement.

2. Processing of Client Personal Data

2.1. The parties acknowledge and agree that Client is the Controller of Client Personal Data and GoodCourse is a Processor of Client Personal Data. GoodCourse will only Process Client Personal Data as a Processor on behalf of and in accordance with Client’s prior written instructions, including any instructions provided through Client’s use of the Service. GoodCourse is hereby instructed to Process Client Personal Data to the extent necessary to provide the Service as set forth in the Agreement and this DPA. GoodCourse shall not (1) retain, use, or disclose Client Personal Data other than as provided for in the Agreement, as needed to provide the Service, or as otherwise permitted by Data Protection Laws; (2) combine Client Personal Data with Personal Data GoodCourse receives from other customers or individuals (except as permitted by the CCPA); or (3) Sell Client Personal Data. GoodCourse shall notify Client if it determines that it cannot meet its obligations under the CPRA. Upon receiving written notice fromClient that GoodCourse has Processed Client Personal Data without authorization, GoodCourse will stop and remediate such Processing.

2.2. GoodCourse will immediately inform Client if, in its opinion, an instruction from Client infringes the Data Protection Laws.

2.3. The details of GoodCourse’s Processing of Client Personal Data are described in Schedule 1.

2.4. If applicable laws preclude GoodCourse from complying with Client’s instructions, GoodCourse will inform Client of its inability to comply with the instructions, to the extent permitted by law.

2.5. Each of Client and GoodCourse will comply with their respective obligations under the Data Protection Laws.

3. Cross-Border Transfers of Personal Data

3.1. With respect to Client Personal Data originating from the European Economic Area (“EEA”) or Switzerland that is transferred from Client to GoodCourse, the parties agree to comply with the general clauses and with “Module Two” (Controller to Processor) of the EU SCCs, which are incorporated herein by reference, with Client as the “data exporter” and GoodCourse as the “data importer.”

3.2. For purposes of the EU SCCs the parties agree that:

3.2.1. In Clause 7, the optional docking clause will not apply;

3.2.2. In Clause 9, Option 2 will apply and the time period for prior notice of Sub-Processor changes will be as set forth in Section 5.1 of this DPA;

3.2.3. In Clause 11, the optional language will not apply;

3.2.4. For the purposes of Clause 15(1)(a), GoodCourse shall notify Client (only) and not the DataSubject(s) in case of government access requests and Client shall be solely responsible for promptly notifying the affected Data Subjects as necessary;

3.2.5. In Clause 17, the EU SCCs shall be governed by the laws of Ireland;

3.2.6. In Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;

3.2.7. In Annex I, Section A (List of Parties), (i) the data exporter’s and the data importer’s identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Client is a Controller or Processor, and GoodCourse is a Processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Services pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature ofAnnex I, Section A, as of the effective date of this DPA;

3.2.8. In Annex I, Section B (Description of Transfer): (i) Schedule 1 to this DPA describes GoodCourse’s Processing of Client Personal Data; (ii) the frequency of the transfer is continuous (for as long as Client uses the Services); (iii) Client Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs and this DPA; (iv) GoodCourse uses sub-Processors to support the provision of the Services.

3.2.9. In Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Client to GoodCourse. Unless and until Client communicates a competent supervisory authority to GoodCourse, the competent supervisory authority shall be the Irish Data Protection Commission.

3.2.10. In Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Client Personal Data as described in Schedule 2.

3.3. If the transfer of Client Personal Data is subject to the Swiss Federal Act on Data Protection, the parties agree to rely on the EU SCCs with the following modifications: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU SCCs; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Client Personal Data that is governed by the Swiss Federal Act on Data Protection; (iii) the term ‘Member State’ in the EU SCCs will not be interpreted in such away as to exclude Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the EU SCCs; and (iv) references to the ‘GDPR’ in the EU SCCs will be understood as references to the Swiss Federal Act on Data Protection insofar as the transfer of Client Personal Data is subject to the Swiss Federal Act on Data Protection.

3.4. With respect to transfers from Client to GoodCourse of Client Personal Data originating from theUnited Kingdom, the parties agree to comply with the UK Addendum, which is incorporated herein by reference. The parties agree that the UK Addendum will complement the EU SCCs and Part 1 of the UK Addendum is completed as follows:

3.4.1. Table 1: the start date is the effective date of this DPA; the exporter is Client and the importer is GoodCourse; the table is deemed to be completed with the information set out in Schedule 1 to this DPA; the parties are deemed to have signed the UK Addendum;

3.4.2. Table 2: the “Approved EU SCCs” which the UK Addendum is appended to are the EU SCCs incorporated into this DPA and completed as set out in Section 3.2. of this DPA;

3.4.3. Table 3: the information requested in Annex 1 and 2 of the EU SCCs is provided in Schedule 1 and 2 to this DPA respectively;

3.4.4. Table 4: the importer may end the UK Addendum as set out in Section 19 of the UK Addendum.

3.5. Where required under Data Protection Laws, the parties shall work together, in good faith, to enter into an updated version of the EU SCCs or UK Addendum or negotiate an alternative solution to enable transfers of Client Personal Data in compliance with Data Protection Laws.

4. Confidentiality and Security

4.1. GoodCourse will require GoodCourse’s personnel who access Client Personal Data to commit to protect the confidentiality of Client Personal Data.

4.2. GoodCourse will implement commercially reasonable technical and organisational measures, as further described in Schedule 2, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data.

4.3. To the extent required by Data Protection Laws, GoodCourse will provide Client with reasonable assistance as necessary for the fulfilment of Client’s obligations under Data Protection Laws to maintain the security of Client Personal Data.

5. Sub-Processing

5.1. Client agrees that GoodCourse may engage Sub-Processors to Process Client Personal Data on Client's behalf. GoodCourse will inform Client of any intended changes concerning the addition or replacement of Sub-Processors and Client will have an opportunity to object to such changes on reasonable grounds within seven days after being notified. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.

5.2. GoodCourse will impose on its Sub-Processors substantially the same obligations that apply to GoodCourse under this DPA. GoodCourse will be liable to Client for breaches of its Sub-Processors’ obligations as it would be for its own.

5.3. The parties agree that the copies of the Authorized Sub-Processor agreements that must be provided by GoodCourse to Client pursuant to Clause 9(c) of the EU SCCs and Clause 5 of the UK Addendum, if applicable, may have commercial information or clauses unrelated to the EU or UK Addendum removed by GoodCourse beforehand; and, that such copies will be provided by GoodCourse, in a manner to be determined in its discretion, only upon Client’s written request.

6. Data Subject Rights

Client is responsible for responding to any Data Subject requests relating to Client Personal Data (“Requests”). If GoodCourse receives any Requests during the term, GoodCourse will advise the Data Subject to submit the request directly to Client or the appropriate Controller. GoodCourse will provide Client with self-service functionality or other reasonable assistance to permit Client to respond to Requests.

7. Personal Data Breaches

Upon becoming aware of a Personal Data Breach affecting Client Personal Data, GoodCourse will (i) promptly take measures designed to remediate the Personal Data Breach and (ii) notify Client without undue delay. Client is solely responsible for complying with Personal Data Breach notification requirements applicable to Client. At Client’s request, GoodCourse will reasonably assist Client’s efforts to notify Personal Data Breaches to the competent data protection authorities and/or affected Data Subjects, if Client is required to do so under the Data ProtectionLaws. GoodCourse’s notice of or response to a Personal Data Breach under this Section 7 will not be an acknowledgement or admission by GoodCourse of any fault or liability with respect to the Personal Data Breach.

8. Data Protection Impact Assessment; Prior Consultation

Taking into account the nature of the Processing and the information available to GoodCourse, GoodCourse will reasonably assist Client in conducting data protection impact assessments and consultation with data protection authorities if Client is required to engage in such activities under applicable Data Protection Laws and such assistance is necessary and relates to the Processing by GoodCourse of Client Personal Data.

9. Deletion of Client Personal Data

Client instructs GoodCourse to delete Client Personal Data within 90 days of the termination of the Agreement and delete existing copies unless applicable law requires otherwise. The parties agree that the certification of deletion described in Clause 8.5 of the EU SCCs and Clause 12 of the UK Addendum, if applicable, shall be provided only upon Client’s written request. Notwithstanding the foregoing, GoodCourse may retain Client Personal Data to the extent and for the period required by applicable laws provided that GoodCourse maintains the confidentiality of all such Client Personal Data and Processes such Client Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.

10. Audits

10.1. Client may audit GoodCourse’s compliance with its obligations under this DPA up to once per year. In addition, Client may perform more frequent audits (including inspections) in the event: (1) GoodCourse suffers a Personal Data Breach affecting Client Personal Data; (2) Client has genuine, documented concerns regarding GoodCourse’s compliance with this DPA or the Data Protection Laws; or (3) where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Client Personal Data. GoodCourse will contribute to such audits by providing Client or Client’s regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Service, as described below.

10.2. To request an audit, Client must submit a detailed proposed audit plan to legal@goodcourse.co at least one month in advance of the proposed audit start date. The proposed audit plan must describe the proposed scope, duration, start date of the audit, and the identity of any third party Client intends to appoint to perform the audit. GoodCourse will review the proposed audit plan and provide Client with any concerns or questions (for example,GoodCourse may object to the third party auditor as described in Section 10.3, provide an AuditReport as described in Section 10.4, or identify any requests for information that could compromise GoodCourse confidentiality obligations or security, privacy, employment or other relevant policies). The parties will negotiate in good faith to agree on a final audit plan at least two weeks in advance of the proposed audit start date. Nothing in this Section 10 shall require GoodCourse to breach any duties of confidentiality.

10.3. GoodCourse may object to third party auditors that are, in GoodCourse’ reasonable opinion, not suitably qualified or independent, a competitor of GoodCourse, or otherwise manifestly unsuitable. Client will appoint another auditor or conduct the audit itself if the parties cannot resolve the objection after negotiating in good faith.

10.4. If the requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor on GoodCourse’s systems that Process Client Personal Data (“Audit Reports”) within twelve (12) months of Client’s audit request and GoodCourse confirms there are no known material changes in the controls audited, Client agrees to accept the Audit Report in lieu of requesting an audit of the controls covered by the Audit Report.
‍
10.5. The audit must be conducted at a mutually agreeable time during regular business hours at the applicable facility, subject to the agreed final audit plan and GoodCourse’s health and safety or other relevant policies and may not unreasonably interfere with GoodCourse business activities.

10.6. Any audits are at Client’s expense and Client will promptly disclose to GoodCourse any perceived non-compliance or security concerns discovered during the audit, together with all relevant details.

10.7. The parties agree that the audits described in Clause 8.9 of the EU SCCs and Clause 5(f) of the UK Addendum, if applicable, shall be performed in accordance with this Section 10.

11. Analytics Data

Client acknowledges and agrees that GoodCourse may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify or relate to Client or any Data Subject (“Analytics Data”), and use, publicize or share with third parties such Analytics Data to improve the Service and for GoodCourse’s other legitimate business purposes.

12. Liability

12.1. Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.

12.2. Client acknowledges that GoodCourse is reliant on Client for direction as to the extent to which GoodCourse is entitled to Process Client Personal Data on behalf of Client in performance of the Service. Consequently, GoodCourse will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by GoodCourse in compliance with Client’s instructions or (b) from Client’s failure to comply with its obligations under the DataProtection Laws.

13. General Provisions

With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the DPA and the EU or UK Addendum, the EU OR UK Addendum will prevail.


SCHEDULE 1

Details of Processing

1. Categories of Data Subjects. This DPA applies to GoodCourse’s Processing of Client PersonalData relating to Client’s employees, contractors, and other authorized users of the Service (“DataSubjects”).

2. Types of Personal Data. The extent of Client Personal Data Processed by GoodCourse is determined and controlled by Client in its sole discretion and includes names, email addresses, telephone numbers, and any other Personal Data that may be transmitted through the Service byData Subjects.

3. Subject-Matter and Nature of the Processing. Client Personal Data will be subject to theProcessing activities that GoodCourse needs to perform in order to provide the Service pursuant to the Agreement.

4. Purpose of the Processing. GoodCourse will Process Client Personal Data for purposes of providing the Service as set out in the Agreement.

5. Duration of the Processing. Client Personal Data will be Processed for the duration of the Agreement, subject to Section 9 of the DPA.
‍

SCHEDULE 2

Security Measures

The data importer (“GoodCourse”, herein referred to as "Company") has implemented and will maintain commercially reasonable technical and organizational measures designed to protect the security, confidentiality and integrity of personal data as described below in data importer’s “Security Overview.”

Security Overview

1. Purpose. Company is committed to maintaining customer trust. The purpose of this Security Overview is to describe the security program for the Company Services. This Security Overview describes the minimum security standards that Company maintains in order to protect Client Personal Data from un authorized use, access, disclosure, theft, or manipulation. As security threats shift and evolve,Company continues to update its security program and strategy to help protect Client Personal Data.Company reserves the right to update this Security Overview from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Security Overview. Any capitalized term not defined in this Security Overview will have the meaning given in the Agreement or the DPA.

2. Services Covered. This Security Overview describes the architecture, administrative, technical and physical controls as well as third party security audit certifications that are applicable to the Services.

3. Security Organization & Program. Company maintains a risk-based assessment security program. The framework for Company’s security program includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Client Personal Data. Company’s security program is intended to be appropriate to the nature of Company Services and the size and complexity of Company’s business operations. Company’s security framework includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography,Physical Security, Operations Security, Communications Security, Business Continuity Security, PeopleSecurity, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-PartySecurity, Vulnerability Management, as well as Security Monitoring and Incident Response. Information security policies and standards are reviewed and approved by management at least annually and are made available to all Company employees for their reference.

4. Confidentiality. Company has controls in place to maintain the confidentiality of Client Personal Data that Client makes available to the Services, in accordance with the Agreement. All Company employees and contract personnel are bound by Company’s internal policies regarding maintaining confidentiality ofClient Personal Data and contractually commit to these obligations.

5. People Security.

5.1 Employee Background Checks. Company carries out background checks on individuals joining Company in accordance with applicable local laws. Company currently verifies the individual’s education and previous employment, and also carries out reference checks. Where local labor law or statutory regulations permit, and dependent on the role or position of the prospective employee, Company may also conduct criminal, credit, immigration, and security checks.

5.2 Employee Training. At least once a year, all Company employees must complete the Company security and privacy training which covers Company’s security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. Company has established an anonymous hotline for employees to report any unethical behavior where anonymous reporting is legally permitted.

6. Third Party Vendor Management.

6.1 Vendor Assessment. Company may use third party vendors to provide Services. Company carries out a security risk-based assessment of prospective vendors before working with those vendors to validate that prospective vendors meet Company’s security requirements. Company periodically reviews each vendor in light of Company’s security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal/regulatory requirements. Company ensures that Client Personal Data is returned and/or deleted at the end of a vendor relationship. For the avoidance of doubt, third-party services that Client chooses to integrate via Company Services are not considered subcontractors of Company.

6.2. Vendor Agreements. Company enters into written agreements with all of its Vendors which include confidentiality, privacy and security obligations that provide an appropriate level of protection for the personal data contained within the Client Personal Data that these Vendors may process.

7. Security Certificates.

7.1 Company Certificates. Company has obtained security-related certifications from Cyber Essentials and ISO 27001.

7.2 AWS Certifications. In addition, the Services use and leverage AWS data centers. Company uses and leverages AWS data centers, with a reputation of being highly scalable, secure, and reliable. Information about AWS audit certifications are available at AWS Security website https://aws.amazon.com/security and AWS Compliance website https://aws.amazon.com/compliance.

8. Architecture and Data Segregation. The cloud communication platform for the Company Services is hosted by Amazon Web Services (“AWS”). Further information about security provided by AWS is available from the AWS security webpage available at https://docs.aws.amazon.com/whitepapers/latest/aws-overview/security-and-compliance.html. Company separates Client Personal Data using logical identifiers tagging all communications data with the associated Client ID to clearly identify ownership. Company’s APIs are designed and built to designed and built to identify and allow access only to and from these tags and enforce access controls to ensure the confidentiality and integrity requirements for each Client are appropriately addressed. These controls are in place so one customer's communications cannot be accessed by another customer.

9. Physical Security. AWS data centers that host Company Services are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, Company headquarters and office spaces have a physical security program that manages visitors, building entrances, CCTVs (closed circuit television), and overall office security. All contractors and visitors are required to wear identification badges.

10. Security by Design. The Company’s Software Development Lifecycle (SDLC) standard defines the process by which Company creates secure products and the activities that the product teams must perform at different stages of development (requirements, design, implementation, and deployment).Company engineers perform numerous security activities for the Services including:

● internal security reviews before products are launched;
● periodic penetration tests performed by independent third-party contractors; and
● conduct threat models for the Company Services including documenting any detection of attacks.

11. Access Controls.
11.1 Provisioning Access. To minimize the risk of data exposure, Company follows the principles of least privilege when provisioning system access. Company personnel are authorized to access Client PersonalData based on their job function, role and responsibilities, and such access requires approval of the employee’s manager. Access rights to production environments are reviewed at least semi-annually. An employee’s access to Client Personal Data is promptly removed upon termination of their employment. Before an engineer is granted access to the production environment, access must be approved by management and the engineer is required to complete internal trainings for such access including trainings on the relevant team’s systems. Company logs high risk actions and changes in the production environment. Company leverages automation to identify any deviation from internal technical standards that could indicate anomalous/unauthorized activity to raise an alert within minutes of a configuration change.

11.2 Password Controls. Company’s current policy for employee password management follows the NIST800-63B guidance, and as such, our policy is to use longer passwords, with multi-factor authentication but not require special characters or frequent changes. Company does not store Client passwords in any form.

12. Change Management. Company has a formal change management process to manage changes to software, applications and system software that will be deployed within the production environment.Change requests are documented using a formal, auditable, system of record. Prior to a high-risk change being made, an assessment is carried out to consider the impact and risk of a requested change, evidence acknowledging applicable testing for the change, approval of deployment into production by appropriate approvers(s) and roll back procedures. A change is reviewed and tested before being deployed to production.

13. Encryption. For the Company Services, Company’s cloud platform supports TLS 1.2 to encrypt network traffic transmitted between a Client application and Company’s cloud infrastructure. When supported by integrations selected by Client, Company’s cloud platform will also encrypt network traffic between Company’s cloud infrastructure and the integration provider. All Client Personal Data is stored encrypted using 256-bit Advanced Encryption Standard (AES-256).

14. Vulnerability Management. Company maintains controls and policies to mitigate the risk from security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements. Company uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities inCompany’s cloud infrastructure and corporate systems. Critical software patches are evaluated, tested and applied proactively.

15. Penetration Testing. Company performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Results of penetration tests are prioritized, triaged and remediated promptly by Company’s engineering team.

16. Security Incident Management. Company maintains security incident management policies and procedures. Company assesses the threat of all relevant vulnerabilities or security incidents and establishes remediation and mitigation actions for all events. Company utilizes AWS platforms and third-party tools to detect, mitigate, and to help prevent Distributed Denial of Service attacks (DDoS) attacks.

17. Discovery, Investigation and Notification of a Security Incident. Upon discovery or notification of anySecurity Incident, Company will:
‍
● promptly investigate such Security Incident;
● to the extent that is permitted by applicable law, promptly notify Client.

18. Resilience and Service Continuity. Company infrastructure for the Company Services uses a variety of tools and mechanisms to achieve high availability and resiliency. For the Company Services, Company’s infrastructure spans multiple fault-independent AWS availability zones. For the Company Services, there are manual or automatic capabilities to re-route and regenerate hosts within Company’s infrastructure. Company leverages specialized tools that monitor server performance, data, and traffic load capacity within each availability zone. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone, then these specialized tools will increase the capacity or shift traffic to relieve any suboptimal server performance or capacity overload. Company will also be notified immediately and have the ability to take prompt action to correct the cause(s) behind these issues if the specialized tools are unable to do so.

19. Backups and Recovery. Company performs regular backups of Company Services account information, message templates, message logs and other critical data using Amazon cloud storage.Backup data are retained redundantly across availability zones and are encrypted in transit and at rest using 256-bit Advanced Encryption Standard (AES-256) server-side encryption.