Skysnag GDPR Compliance Policy

Version 3.1
Last Updated: December 1, 2024

1. Introduction

Skysnag is committed to ensuring the privacy and protection of personal data in compliance with the General Data Protection Regulation (GDPR). As a provider of email authentication services, Skysnag operates within the scope of the email authentication protocols, using publicly available DNS information and processing DMARC aggregate and failure reports, SPF lookups, TLS-RPT reports, MTA-STS policy records, and BIMI records.

This policy outlines Skysnag’s approach to GDPR compliance while maintaining the security and integrity of customer data.


2. Scope

This policy applies to all Skysnag services, systems, and operations involving:

  • Email Authentication Protocols:
    • DMARC
    • SPF
    • DKIM
    • MTA-STS
    • BIMI
  • Publicly Available Information:
    • DNS records for email domains.
  • Reporting and Analysis:
    • DMARC aggregate (RUA) and failure (RUF, also called forensic) reports.
    • TLS-RPT and MTA-STS email delivery insights.

3. Data Protection Principles

Skysnag adheres to the following GDPR principles:

  1. Lawfulness, Fairness, and Transparency: Skysnag processes publicly available data and ensures transparency in data usage.
  2. Purpose Limitation: Data is used strictly for email authentication and reporting.
  3. Data Minimization: Only necessary data is processed to fulfill email authentication and reporting objectives.
  4. Accuracy: Publicly available DNS records and reports are monitored to ensure accuracy.
  5. Storage Limitation: Reports and data logs are retained only as long as required to provide services or meet compliance obligations.
  6. Integrity and Confidentiality: Robust security measures are implemented to protect data from unauthorized access.

4. Personal Data Handling

Skysnag’s core services are built on publicly available DNS information and on anonymized or aggregated data, and are designed not to require personal data. The data Skysnag interacts with comes from:

  • DMARC aggregate reports and, where the customer enables failure reporting, DMARC failure reports.
  • SPF alignment and verification results.
  • TLS-RPT and MTA-STS diagnostic data.

Where an optional service does involve personal data (for example the Mailbox Connector and RUF+ services described in Annex I of the Data Processing Addendum below), Skysnag processes it only as a processor, on the customer’s documented instructions and under the terms of that Addendum.

5. Data Subject Rights

Although Skysnag’s core services do not require personal data, the following measures are in place to ensure compliance where personal data is processed:

  1. Access and Rectification: Data subjects can request confirmation of data usage and corrections, if necessary.
  2. Erasure and Restriction: Customers can request data deletion or restriction if any personal data is inadvertently processed.
  3. Transparency: Skysnag provides clear explanations of its processes and their purposes upon request.

6. International Data Transfers

Skysnag hosts and processes data on infrastructure that meets GDPR requirements for international data transfers. Transfers of personal data out of the EEA, the United Kingdom or Switzerland to the United States are made under the Standard Contractual Clauses (and, for UK data, the IDTA) as set out in the Data Processing Addendum below.


7. Security Measures

  1. Data Encryption: All data in transit is encrypted using TLS to prevent interception or unauthorized access.
  2. Access Controls: Strict access controls ensure that only authorized personnel can access operational data.
  3. Incident Response: A defined process is in place for identifying, responding to, and resolving any potential security incidents.
  4. Audit Logs: Detailed logs are maintained to track system access and processing activities.

8. Data Retention Policy

  1. DMARC Reports: Retained for 12 months for troubleshooting and historical analysis.
  2. SPF and MTA-STS Data: Retained only for the duration of the service relationship.
  3. Logs and Diagnostics: Retained for up to 90 days for operational monitoring and compliance purposes.

Upon termination of a service agreement, data is securely deleted.


9. Third-Party Vendors

Skysnag only engages third-party vendors that comply with GDPR requirements. Data Processing Agreements (DPAs) are in place with all vendors.


10. Roles and Responsibilities

  1. Data Protection Officer (DPO): Skysnag has appointed a DPO responsible for overseeing GDPR compliance and serving as the primary point of contact for inquiries.
  2. Employees and Contractors: All personnel undergo training on GDPR and data protection best practices.

11. Monitoring and Auditing

Skysnag conducts regular audits of its systems and processes to ensure GDPR compliance. Internal reviews and external assessments are performed to identify and address potential risks.


12. Data Processing Addendum

For detailed information on how Skysnag processes personal data, please refer to the Data Processing Addendum (DPA).


Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Agreement between the parties, and consists of the terms and conditions set forth below that define the agreement between Skysnag Inc. (“Skysnag”) and Customer with respect to processing Customer Personal Data (as defined below).


1. DEFINITIONS

a. “Agreement” means, as applicable, the master services agreement, or similar commercial agreement by and between Skysnag and Customer with respect to the use of the Service.

b. “Applicable Privacy Laws” means all applicable laws concerning privacy, data protection and the cross-border transfer of data, including, where applicable: (i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); (ii) in respect of the United Kingdom, any applicable national legislation that replaces or converts into domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union (“UK GDPR”); and (iii) the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. as modified by the California Privacy Rights Act (together, the “CCPA”), in each case as such laws are amended, superseded, or replaced. The term “Applicable Privacy Laws” excludes any laws of the Russian Federation or the People’s Republic of China.

c. “Business Purpose” has the meaning assigned to it under the CCPA.

d. “CCPA Consumer” means a “consumer” as such term is defined in the CCPA.

e. “Controller” has the meaning assigned to it under the GDPR and other Applicable Privacy Laws using such terminology, and also means “business” as defined in the CCPA or other Applicable Privacy Laws using such terminology.

f. “Customer Data” means any data, information, or other material provided, uploaded, submitted, or made available by Customer to the Service in the course of using the Service.

g. “IDTA” means the then-current International Data Transfer Addendum to the EU Commission Standard Contractual Clauses that was issued by the UK Information Commissioner’s Office, a current version found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

h. “Data Subject” means an identifiable natural person who can be identified, directly or indirectly, including without limitation a CCPA Consumer.

i. “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.

j. “Personal Data” means (a) any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier; or (b) any information defined as “Personal Information” or “Personal Data” by Applicable Privacy Laws (e.g., CCPA § 1798.140(o) or GDPR Art. 4).

k. “Processor” and “Subprocessor” have the meaning set forth in the GDPR and other Applicable Privacy Laws using such terminology, and also mean “service provider” to the relevant party as defined in the CCPA or other Applicable Privacy Laws using such terminology.

l. “Processing” or “Process” shall have the meaning as set forth in the Applicable Privacy Laws.

m. “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Personal Data on systems managed or otherwise controlled by Skysnag.

n. “Selling” or “Sell” have the meaning assigned to them in the CCPA.

o. “Sensitive Data” means data revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation, or other data that is subject to heightened restrictions relating to the transmission or processing of data for the jurisdictions in which Skysnag and Customer operate, such as (by way of example only) the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act, any personal data regarding children under 16, and the standards promulgated by the PCI Security Standards Council.

p. “Service” means the Skysnag Subscription Service received by Customer under the Agreement as set forth in the corresponding ordering document agreed to in writing by Skysnag.

q. “Standard Contractual Clauses” or “SCCs” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries (“EU SCCs”); and (ii) where the UK GDPR applies, the EU SCCs as amended by the IDTA (“UK SCCs”) incorporated into this Addendum as described in Exhibit A.


2. SCOPE AND APPLICATION

a. Role of the Parties. To the extent Skysnag processes Personal Data on behalf of Customer in connection with the Agreement, the parties agree to comply with the provisions set forth in this DPA. In this context, Customer may act as “Controller” and Skysnag may act as “Processor” respectively with respect to the Personal Data. Customer shall act as the “Data Exporter” and Skysnag shall act as the “Data Importer” for the purposes of the Standard Contractual Clauses. Skysnag shall be prohibited from Selling, retaining, using, or disclosing Personal Data for any purpose other than to perform the Service in accordance with the Agreement and this DPA and shall further refrain from collecting, Selling, or using any Personal Data except as necessary to perform its Business Purpose. For avoidance of doubt, Skysnag does not receive any Personal Data as consideration for any Service or other items provided or performed by Skysnag. For the purposes of the CCPA, the parties acknowledge and agree that Skysnag will act as a “Service Provider” and not as a “Third Party,” as such terms are defined in the CCPA, in its performance of its obligations pursuant to the Agreement.


3. DATA PROCESSING

a. Instructions for Data Processing. Skysnag will process Personal Data only in accordance with Customer’s lawful instructions and in compliance with the Agreement, unless otherwise required by applicable law to which Skysnag is subject. Customer hereby instructs Skysnag to process Personal Data to provide, maintain, and improve the Service in accordance with the Agreement and this DPA, as such processing is initiated by Customer and its users in the use of the Service. Processing outside of the scope of the Agreement will require the prior written agreement of the parties on the additional instructions for processing. Upon notice, Skysnag will take reasonable and appropriate steps to stop and remediate unauthorized processing of Personal Data. Notwithstanding anything to the contrary, Customer agrees that it shall not provide, or make available to Skysnag any Personal Data except as strictly necessary for Skysnag to provide the Services under the Agreement. Notwithstanding anything to the contrary, Skysnag shall have no liability or obligation under the Agreement, this DPA, or otherwise, in connection with any Personal Data provided to, disclosed to, or otherwise made available to Skysnag in breach of the foregoing.

b. Compliance with Laws. Each party will comply with all applicable laws, rules, and regulations (including Applicable Privacy Laws) in its performance of this DPA. Customer shall be responsible for the accuracy, quality, integrity, and legality of the Personal Data. Skysnag certifies that it understands the requirements under this DPA, including without limitation requirements under the CCPA, and that it will abide by it. For the avoidance of doubt, Skysnag expressly disclaims any compliance with any laws of the Russian Federation or the People’s Republic of China.

c. Consents. Customer represents and warrants that it has first obtained all necessary consents under Applicable Privacy Laws with respect to the processing or transfer of Personal Data.

d. Processing Details. The categories and type of data, as well as the description of the processing procedures, are specified in Annex I to the Standard Contractual Clauses, attached to Exhibit A hereto. Customer shall not provide (or cause to be provided) any Sensitive Data to Skysnag for processing under the Agreement, and Skysnag will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise.


4. TRANSFER

a. Data Transfers. Skysnag will not transfer Personal Data originating from the EEA, the United Kingdom, and/or Switzerland, as applicable, and/or relating to natural persons of the EEA, the United Kingdom, and/or Switzerland, as applicable, except in accordance with the following: (i) between States of the EEA, the United Kingdom, and/or Switzerland, as applicable; or (ii) to the United States as governed by the Standard Contractual Clauses as incorporated by reference into this Agreement. Notwithstanding anything herein to the contrary, the Standard Contractual Clauses and the IDTA shall only apply to transfers of personal data expressly governed by the GDPR or UK GDPR, respectively, or another applicable law or regulation that expressly requires the application of the Standard Contractual Clauses.


5. SECURITY

a. Security Measures. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for impact on the individuals to whom the Personal Data relates, Skysnag shall implement and maintain appropriate technical and organizational security measures designed to protect and preserve the security, integrity, and confidentiality of the Personal Data, as set forth in Annex II to the Standard Contractual Clauses, attached to Exhibit A hereto.

b. Skysnag Personnel. Skysnag shall restrict access by its personnel to Personal Data (i) to only those personnel who need to access the Personal Data in order to provide the Service; and (ii) to those personnel who have committed themselves to, or are otherwise under, an obligation of confidentiality concerning the Personal Data.

c. Records; Audit Standards. Skysnag shall maintain relevant records with respect to its information security practices. Upon Customer’s request, Skysnag will make available to Customer, up to once per year, (a) a copy of its third-party audit or assessment reports, such as a System and Organization Controls (“SOC”) 2 Type II or SOC 3 report prepared in accordance with the AICPA Statement on Standards for Attestation Engagements No. 18 (SSAE 18, the successor to SSAE 16), or reports against other standards substantially equivalent to ISO/IEC 27001 (“Assessments”); or (b) if Skysnag is not able to provide such Assessments, responses to any questions that Customer may reasonably submit for purposes of verifying Skysnag’s compliance with this DPA (“Questionnaires”). For avoidance of doubt, any such Assessments and completed Questionnaires will constitute Confidential Information and may not be disclosed to a third party without Skysnag’s written consent, except as otherwise required by law.

d. Security Incident Notification. If Skysnag becomes aware of any Security Incident, then Skysnag shall, without undue delay and in any event within 72 hours, notify Customer of such Security Incident, and provide to Customer timely information and cooperation as Customer may require to address its reporting obligations under the Applicable Privacy Laws. Any such notification shall not be construed as an acknowledgment by Skysnag of any fault or liability with respect to the Security Incident.


6. SUBPROCESSORS

a. Authorized Subprocessors. Customer agrees that Skysnag may use subprocessors to fulfill its obligations under the Agreement. The current list of subprocessors for the Service who process Personal Data is available upon request. Before authorizing any new subprocessor, Skysnag will provide notification to Customer. Customer may object to the change by notifying Skysnag within 10 days after the notice and describing the rationale for the objection. Such objection notice shall explain the reasonable grounds for the objection. Upon receipt of such notice, Skysnag will use reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable change to Customer’s configuration or use of the Service to avoid processing of Personal Data by the objected-to new subprocessor without unreasonably burdening Customer.

b. Subprocessor Obligations. Where Skysnag authorizes a subprocessor to process Personal Data as described in this DPA, Skysnag will enter into a written agreement with each such subprocessor consistent with Applicable Privacy Laws. For avoidance of any doubt, Skysnag shall be liable for the acts and omissions of its subprocessors to the same extent it would be liable if performing the services of each subprocessor directly under the terms of this DPA and the Agreement.


7. COOPERATION

a. Data Subject Requests. Skysnag shall notify Customer of any requests received directly by Skysnag from Data Subjects and shall provide to Customer such reasonable assistance as is required for Customer to comply with such Data Subject requests. Skysnag shall only respond directly to such Data Subject requests upon receiving Customer’s written request and consent, provided that (to the extent permitted by Applicable Privacy Laws) Customer shall be responsible for all reasonable costs arising from Skysnag’s provision of such assistance, and the requests do not disrupt Skysnag’s business operations.

b. Assistance with Compliance. To the extent required under Article 28(3) GDPR, Skysnag will assist Customer to comply with Articles 35 and 36 of the GDPR; in particular, Skysnag will promptly notify Customer if it believes that its processing of Customer Personal Data is likely to result in a high risk to the privacy rights of Data Subjects, and upon reasonable request, will assist Customer to carry out data protection impact assessments and to consult where necessary with data protection authorities.

c. Data Deletion. Following Customer’s request, Skysnag shall destroy all Personal Data in its possession. This requirement shall not apply to the extent that Skysnag is required by any applicable law to retain some or all of the Personal Data, in which case, Skysnag shall use reasonable efforts to isolate and protect the Personal Data from any further processing except to the extent required by such law.


8. GENERAL

a. Liability. Each party’s liability arising out of or in relation to this DPA (whether in contract, tort, or under any other theory of liability) is subject to the limitations of liability set forth in the Agreement.

b. Compensation. To the extent legally permitted, Customer shall be responsible for any costs arising from Skysnag’s provision of any assistance and cooperation required to be provided by Skysnag hereunder, including any fees associated with the provision of additional functionality.

c. Termination. This DPA will terminate automatically upon the later of (i) termination of the Agreement; or (ii) Skysnag ceasing to process Personal Data.

d. Conflict. In the event of a conflict between the Agreement and this DPA, the terms of this DPA will take precedence to the extent of the conflict.

e. Severability. If any part of this DPA is invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

f. Modification. This DPA may not be modified except by a subsequent written instrument signed by both parties.


Exhibit A

Applicable Standard Contract Clauses and Supplemental Terms

  1. Incorporation of SCCs. The Parties agree that the SCCs are hereby incorporated by reference into this Addendum as follows: Module 2: Transfer controller to processor, as to Customer Personal Data originating in the EEA, UK, or Switzerland.
  2. Cross-Border Transfer Mechanisms – EU and Switzerland. If the Agreement requires the transfer of personal data of Data Subjects who reside in or are based out of the EU or Switzerland to countries that are not recognized by the European Commission as providing an adequate level of protection of Personal Data, then such transfers will be made pursuant to the transfer mechanisms outlined in Module Two (Transfer controller to processor) of the EU SCCs. Where the EU SCCs identify optional provisions (or provisions with multiple options), the following shall apply:

a. Clause 7 (Docking Clause): The optional provision shall apply.

b. Clause 9(a) (Use of Subprocessors): Option 2 shall apply with the specified time period being 10 days.

c. Clause 11(a) (Redress): The optional provision shall NOT apply.

d. Clause 17 (Governing Law): Option 1 shall apply with the laws of Ireland governing.

e. Clause 18 (Choice of Forum and Jurisdiction): The courts of Ireland shall have jurisdiction.

  3. Cross-Border Transfer Mechanisms – UK. If the Agreement requires the transfer of personal data of Data Subjects who reside in the UK to countries that are not recognized by the UK ICO as providing an adequate level of protection of personal data, then such transfers will be made pursuant to the EU SCCs detailed in Sections 1 and 2 of this Exhibit and as amended by the IDTA. With respect to the IDTA:

a. Table 1: The “Exporter” is the Data Exporter and the “Importer” is the Data Importer, as both are identified in Annex I of the SCCs (below). By entering into and signing the Agreement, Addendum, or Order Form, Importer and Exporter are deemed to have signed the IDTA.

b. Table 2:

i. Clause 7 (Docking Clause): The optional provision shall apply.

ii. Clause 9(a) (Use of Subprocessors): Option 2 shall apply with the specified time period being 10 business days.

iii. Clause 11(a) (Redress): The optional provision shall NOT apply.

c. Table 3: The information is provided in Section 2 of this Exhibit.

d. Table 4: Only Exporter (i.e., Customer) may end the IDTA as detailed in Section 19 of the IDTA if the UK ICO issues new changes to the IDTA.

  4. Annex 1 to the SCCs is appended to this Exhibit A.
  5. Technical and Organizational Measures. Data Importer will at a minimum institute the technical and organizational measures set forth in Annex II to the SCCs, attached hereto.
  6. Supplementary Terms:

a. Instructions for Processing. This Addendum and the Agreement are Customer’s complete and final instructions for the processing of Customer Personal Data as of the date of entry into the current version of the Agreement and the current version of this Addendum. Any different instructions must be consistent with the current version of the Agreement and the current version of this Addendum. For the purposes of Clause 8.1(a) of the SCCs, the instructions for the processing of personal data include onward transfers to third parties located outside of Europe for the provision of the Services.

b. Security Measures Responsibility. For the purposes of Clause 8.6(a) of the SCCs, Customer is solely responsible for determining whether the technical and organizational measures set forth in Annex II to the SCCs, attached hereto, and as otherwise described to Customer by Skysnag meet Customer’s requirements, and agrees that such technical and organizational measures provide an appropriate level of security, taking due account of the state of the art, the costs of implementation, the nature, scope, context, and purpose(s) of processing the Customer Personal Data and the risks to individuals.

c. Deletion of Data. For the purposes of Clause 8.5 of the SCCs, Skysnag shall delete Customer Personal Data in accordance with the respective data deletion and certification of deletion provisions set out in the Agreement. For the avoidance of doubt, if no such provisions are set out in the Agreement, Skysnag shall delete all Customer Personal Data within 30 days of termination of the Agreement. Any certification of deletion of Customer Personal Data from Skysnag as described in the SCCs shall be provided only upon Customer’s written request.

d. Personal Data Breaches. For the purposes of Clause 8.6(c) of the SCCs, personal data breaches will be addressed in accordance with Section 5(d) of this Addendum.

e. Audits. The audits permitted to be carried out under Clause 8.9 of the SCCs shall be conducted in accordance with, and satisfied by, the procedures set forth in Section 5(c) of this Addendum.

f. Use of Subprocessors. For the purposes of Clause 9 of the SCCs, Customer grants Skysnag a general authorization to engage subprocessors, subject to the procedures set forth in Section 6 of this Addendum, and further grants such subprocessors a general authorization to engage further subprocessors, and the authority to add or replace such further subprocessors.

g. Complaints Handling. For the purposes of Clause 11 of the SCCs, Skysnag will without undue delay inform Customer if it receives a complaint by or on behalf of an individual concerning Customer Personal Data and shall not otherwise have any obligation to address such request except as agreed between Skysnag and Customer.

h. Liability under SCCs. Skysnag’s liability under the SCCs under Clause 12 shall be limited to any damage caused by its processing of Customer Personal Data only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to Customer’s lawful instructions, and to the extent permitted under the SCCs, each party’s liability under the SCCs shall be subject to the provisions of the Agreement concerning limitation of liability.

i. Notifications. For notices required under Clause 15.1(a), Skysnag will provide notice only to Customer, and Customer shall be responsible for notifying any affected individuals.

j. Supervisory Authority Notifications. The Parties acknowledge and agree that where Skysnag is required by the SCCs to notify the competent Supervisory Authority, Skysnag shall first provide Customer with the details of the notification, permitting Customer to have prior written input into the relevant notification, where Customer so desires and is able to do so without delaying the timing of the notification unduly.

k. Enforcement of SCCs. The Data Exporter may enforce the terms of the SCCs against the Data Importer (and vice versa).

l. Signatories. Notwithstanding the fact that the SCCs are incorporated herein by reference without the signature page of the SCCs actually being signed by the parties, it is agreed that the execution of the Agreement is deemed to constitute each party’s execution of the SCCs as Data Exporter or Data Importer (as applicable), and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly.

m. Other Transfer Mechanisms. The provisions in this Addendum shall be without prejudice to the parties’ ability to rely on any other legally valid international data transfer mechanism for the transfer of data out of the EEA.


ANNEX 1

A. LIST OF PARTIES

Data Exporter(s):

  • Name: As set forth in the Order Form or the Agreement between Customer and Skysnag.
  • Address: As set forth in the Order Form or the Agreement between Customer and Skysnag.
  • Contact person’s address: [email protected].
  • Activities relevant to the data transferred under these Clauses: Data Exporter is a customer of Data Importer and is exporting data related to Data Exporter’s use of Data Importer’s products and services under the Agreement, as more fully described below and as specified in the applicable Order Form.
  • Signature and date: As set forth in the Order Form or the Agreement between Customer and Skysnag.
  • Role: Controller

Data Importer(s):

  • Name: Skysnag Inc.
  • Address: 548 Market St, PMB 97188, San Francisco, CA 94104-5401, USA
  • Contact person’s name, position, and contact details: [Insert appropriate contact at Skysnag], [email protected]
  • Activities relevant to the data transferred under these Clauses: As set forth in the Agreement and the applicable Order Form.
  • Signature and date: As set forth in the Order Form or the Agreement between Customer and Skysnag.
  • Role: Processor

B. DESCRIPTION OF TRANSFER

  1. Categories of Data Subjects whose personal data is transferred:
    • Employees or consultants of Customer
    • Recipients of emails sent by employees or consultants of Customer
    • Third parties identified in email content or attachments in emails sent by employees or consultants of Customer and rejected by the destination email gateway
  2. Categories of Personal Data transferred:
    • Name
    • Email address
    • Technical email header information
    • Subject line of emails (accessible but not routinely accessed or transferred)
    • Information concerning third parties (if any) identified in email content or attachments in emails sent by employees or consultants of Customer and rejected by the destination email gateway
  3. Sensitive Data transferred (if applicable):
    • None
  4. The frequency of the transfer:
    • Continuous, as needed to provide the Services described in the Agreement.
  5. Nature of the processing:

Skysnag provides automated identification of sending services and automated configuration and management of email authentication controls, enabling customers to send authenticated email and reach DMARC enforcement. The nature of the processing varies with the specific services a customer selects.

Skysnag’s Email Authentication Service:

  • Skysnag does not require access to Customer’s systems and has no access to email content or other personally identifiable information, except in the limited cases described below.
  • Skysnag has access to Account Administrator user contact information (e.g., names and corporate email addresses), which is used only for license validation.
  • Skysnag may receive IP addresses in DMARC aggregate reports. These are the addresses of the mail servers that attempted delivery on behalf of the domain (the source_ip element of the report), not the addresses of individual users.
  • Skysnag logs this information and uses it for operational and analytics purposes.

Skysnag’s Mailbox Connector Service:

  • Requires API access to Customer’s cloud mail system (e.g., Microsoft 365 or Google Workspace).
  • The connector parses the headers of inbound messages to identify services sending into the cloud mail system on behalf of the organization.
  • It accesses the list of mailbox users in the customer’s cloud mail system, which includes each user’s email address.
  • For each mailbox user, Skysnag accesses the messages in the mailbox to retrieve the email addresses of senders and recipients and technical data from the message headers. The subject line is accessible but is not retrieved.
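The data-minimisation pattern the Mailbox Connector description relies on (keep technical headers and addresses, never retrieve the Subject or body) can be made concrete in code. The block below is an added illustration written for this page, not Skysnag’s connector code; the allow-list of headers, the domains, the host names and the sample message are all constructed for the example.

```python
"""Header-only extraction for a mailbox connector (added example).

This is an illustration written for this page, not Skysnag's connector code.
It shows the data-minimisation pattern described above: parse an inbound
message, keep only the technical headers and sender/recipient addresses
needed to identify the sending service, and never retrieve the Subject
line or the body. Domains, hosts and the message itself are constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

# Headers the connector is permitted to retain (an assumed allow-list).
# Subject is deliberately absent; the body is never read.
ALLOWED_HEADERS = (
    "From", "To", "Cc", "Return-Path", "Date", "Message-ID", "Received",
    "Authentication-Results", "Received-SPF", "DKIM-Signature",
)

# Connecting host and IP from the first (most recent) Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9a-fA-F.:]+)\]\)")
# Method results and identifying domains from Authentication-Results.
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
DOMAIN_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)")
DOMAIN_KEYS = {"smtp.mailfrom": "mailfrom_domain",
               "header.d": "dkim_domain",
               "header.from": "from_domain"}

# Constructed sample: a message delivered by a hypothetical third-party
# service (mailer.example) on behalf of the customer domain.
SAMPLE_MESSAGE = b"""Return-Path: <bounce-42@mailer.example>
Received: from out1.mailer.example (out1.mailer.example [203.0.113.10])
\tby mx.customer.example with ESMTPS id abc123
\tfor <alice@customer.example>; Mon, 2 Dec 2024 10:00:00 +0000
Authentication-Results: mx.customer.example;
\tspf=pass smtp.mailfrom=mailer.example;
\tdkim=pass header.d=customer.example header.s=sel1;
\tdmarc=pass header.from=customer.example
DKIM-Signature: v=1; a=rsa-sha256; d=customer.example; s=sel1;
\th=from:to:subject:date; bh=abc=; b=def=
From: Billing <billing@customer.example>
To: alice@customer.example
Subject: Your invoice for November
Date: Mon, 2 Dec 2024 10:00:00 +0000
Message-ID: <20241202100000.1234@customer.example>
Content-Type: text/plain; charset=utf-8

Hello Alice, your invoice total is 120 EUR. Card ending 4242.
"""


def extract_technical_headers(raw: bytes) -> dict[str, list[str]]:
    """Return only allow-listed headers, with folding whitespace collapsed.

    The parser sees the whole message, but the body is never accessed and
    Subject is excluded by construction of ALLOWED_HEADERS.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    allowed = {h.lower() for h in ALLOWED_HEADERS}
    kept: dict[str, list[str]] = {}
    for name, value in msg.items():
        if name.lower() in allowed:
            kept.setdefault(name, []).append(" ".join(str(value).split()))
    return kept


def summarize_sending_service(kept: dict[str, list[str]]) -> dict:
    """Identify the sending service from the retained headers alone."""
    summary: dict = {"results": {}}
    received = kept.get("Received", [])
    if received:
        m = RECEIVED_RE.search(received[0])  # last hop into our MX
        if m:
            summary["connecting_host"], summary["connecting_ip"] = m.groups()
    for ar in kept.get("Authentication-Results", []):
        summary["results"].update(AUTH_RESULT_RE.findall(ar))
        for key, domain in DOMAIN_RE.findall(ar):
            summary[DOMAIN_KEYS[key]] = domain
    # Addresses only: display names are dropped, as are Subject and body.
    summary["senders"] = [a for _, a in getaddresses(kept.get("From", []))]
    summary["recipients"] = [a for _, a in getaddresses(
        kept.get("To", []) + kept.get("Cc", []))]
    return summary


def process_message(raw: bytes) -> dict:
    """Build the minimised record the connector would export for one message."""
    kept = extract_technical_headers(raw)
    if any(k.lower() == "subject" for k in kept):
        raise RuntimeError("Subject must never be retained")
    record = summarize_sending_service(kept)
    record["headers"] = kept
    return record


if __name__ == "__main__":
    import json
    print(json.dumps(process_message(SAMPLE_MESSAGE), indent=2))
```

The point of the allow-list is that minimisation is enforced by construction rather than by a later redaction step: anything not named in ALLOWED_HEADERS, including Subject and the body, never leaves the parsing function, and the exported record is enough to attribute the message to the connecting server, the SPF envelope domain and the DKIM signing domain.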

Skysnag’s RUF+ Service:

  • Collects and delivers to the customer the DMARC failure (RUF) reports that are excluded from Skysnag’s standard service.
  • DMARC failure reports may contain header information or content from the affected message, including sender and recipient names and email addresses, the subject line, technical header information, and potentially some or all of the message body or attachments.
  • For “false positive” reports, i.e. reports about messages actually sent by or on behalf of a customer, that information is Customer Personal Data.
  1. Purpose(s) of the data transfer and further processing:
  • As needed to perform the Agreement and Service under an Order Form between the parties.
  1. The period for which the personal data will be retained:
  • Skysnag shall retain personal data for as long as necessary to carry out its obligations under the terms of the Agreement.
  1. For transfers to subprocessors, specify subject matter, nature, and duration of the processing:
  • Skysnag uses cloud infrastructure providers as subprocessors to provide its service and process all personal data under the Agreement. These subprocessors will retain the personal data, under Skysnag’s control, for as long as necessary to enable Skysnag to carry out its obligations under the terms of the Agreement.
  • Skysnag may engage subprocessors to assist with support services. Such subprocessors may have access to the name and contact information (e.g., email address) of the person(s) initiating the support request.

C. COMPETENT SUPERVISORY AUTHORITY

  • Identify the competent supervisory authority(ies) in accordance with Clause 13:
  • The Data Protection Commission of Ireland

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

  1. Third-Party Attestations
  • Skysnag maintains and renews independent, third-party audits that attest to the effectiveness of its security controls. Upon request, Skysnag may provide such certification or audit results to Customer.
  • Examples of Certifications:
    • SOC 2 Type II and SOC 3 Reports (“SOC”)
    • Other relevant security certifications
  2. Policies and Procedures
  • Skysnag maintains a formal security program, materially in accordance with industry standards, designed to:
    • Ensure the security and integrity of the services.
    • Protect against threats or hazards to the security or integrity of confidential information.
    • Prevent unauthorized access to confidential information.
  • Written security management policies and procedures include:
    • Assignment of specific data security responsibilities and accountabilities.
    • A formal risk management program, including periodic risk assessments.
    • An adequate framework of controls that safeguards the security of offerings.
  3. Access Controls
  • Skysnag ensures that all authorized personnel with access to the network and/or systems are authenticated using unique identifiers, strong passwords, and multi-factor authentication (MFA).
  • Practices role-based access control based on the principle of least privilege.
  • Assigns unique user accounts to all system users.
  • Grants administrative access only following approval from IT and/or Engineering leadership.
  • Maintains controls that limit access to information systems and facilities to properly authorized persons.
  4. Network-Level Requirements; Penetration Testing
  • Protects its infrastructure with firewalls capable of stateful inspection, logging, IPsec, strong encryption, SNMP-based monitoring, and anti-spoofing.
  • Conducts third-party network penetration tests at least annually.
  • Engages in continuous monitoring and scanning as required to meet security standards.
  5. Physical and Environmental Security
  • Skysnag operates primarily through cloud services.
  • Physical and environmental controls protecting customer data and production environments are managed by the cloud service providers (e.g., AWS, Microsoft Azure).
  • Reviews cloud hosting providers’ SOC 2 Type II reports annually to confirm compliance with physical and environmental security best practices.
  6. IT Change and Configuration Management
  • Employs reasonable processes for change management, code inspection, repeatable builds, separation of development and production environments, and testing plans.
  • Code inspections include processes to identify vulnerabilities and malicious code.
  7. Systems and Services Acquisition
  • Develops, disseminates, and periodically reviews and updates a formal, documented system and services acquisition policy that includes information security considerations.
  8. Encryption
  • Customer Data is encrypted in transit using TLS 1.2 or higher.
  • Key management procedures ensure the confidentiality, integrity, and availability of cryptographic key material.
  • Uses AES-256 encryption for data at rest.
  9. Training and Personnel
  • Provides annual Security Awareness training to all personnel, covering information security and safeguards against data loss, misuse, or breach.
  • Performs background checks on employees and candidates, where applicable, prior to employment.
  • Requires employees, consultants, and contractors to sign a non-disclosure or confidentiality agreement prior to accessing protected information.
  10. Disaster Recovery Plan (DRP)
  • Skysnag maintains a DRP designed to be used in the event of a disaster affecting Skysnag email operations.
  • The plan includes specific team responsibilities and procedures to be followed.
  • The decision to initiate disaster recovery procedures is taken by designated personnel after assessing the situation.
  11. Business Continuity Plan (BCP)
  • Maintains a BCP for essential business functions, including strategies to achieve the recovery timelines determined in the associated business impact analysis.
  • Reviews recovery strategies annually or when changes occur.
  12. Data Retention Policy
  • Retains data for the length of time reasonably needed to fulfill the purposes outlined in the privacy policy and as required or permitted by law.
  • Anonymous and aggregated information may be stored indefinitely.
  13. Security Incident Response
  • Maintains a security incident response plan with procedures to be followed in the event of any Security Incident affecting Customer Confidential Information, or any application or system used to access, process, store, communicate, or transmit Customer Confidential Information.
  14. Password Policy
  • Maintains a documented password policy based on NIST standards covering applicable systems, applications, and databases.
  • Implements password best practices to protect against unauthorized use of passwords.
  • Salts and hashes user account passwords with an industry-standard password hashing algorithm before storage. Hashing, unlike encryption, is one-way: the stored value cannot be reversed to recover the password.
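The salt-and-hash requirement above, worked through as an added example that is not Skysnag’s implementation: PBKDF2-HMAC-SHA256 from Python’s standard library, which NIST SP 800-63B lists among acceptable one-way key derivation functions for stored memorized secrets, with a random per-password salt, constant-time verification, and a check that flags records hashed under an older cost so they can be upgraded at next login. The iteration count follows OWASP’s published PBKDF2 guidance and the `algorithm$iterations$salt$digest` record format is this example’s own convention; neither is a detail taken from Skysnag.

```python
"""Salted password hashing with a slow KDF, plus verification and upgrade check.

Added example, not Skysnag's implementation. PBKDF2-HMAC-SHA256 is used because
it is in the standard library and is an SP 800-63B-acceptable KDF; the iteration
count and the record format below are this example's assumptions.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16       # 128-bit random salt; SP 800-63B requires at least 32 bits


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh salt per password means identical passwords produce different
    records, so a leaked table cannot be attacked with one precomputed list.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((ALGORITHM, str(iterations), _b64(salt), _b64(digest)))


def _parse(stored: str) -> Optional[Tuple[int, bytes, bytes]]:
    """Split a record into (iterations, salt, digest); None if it is malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return None
    iterations = int(parts[1])
    if iterations < 1:
        return None
    try:
        return iterations, base64.b64decode(parts[2], validate=True), base64.b64decode(parts[3], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare digests in constant time."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record predates the current algorithm or cost. Callers
    re-hash on the next successful login, the only time the plaintext is known."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Correct horse battery staple", record))
    print("needs rehash:  ", needs_rehash(record))
```

Two details carry most of the security weight: `hmac.compare_digest` prevents the comparison time from leaking how many leading bytes matched, and `needs_rehash` is what lets the cost parameter rise over time without forcing a password reset, since PBKDF2 output cannot be re-keyed without the plaintext.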

By accepting this Data Processing Addendum, the parties agree to its terms and conditions as part of the Agreement between Skysnag and Customer.


13. Conclusion

Skysnag is dedicated to maintaining GDPR compliance through transparent operations, secure systems, and adherence to regulatory requirements. By limiting its core services to email authentication protocols and publicly available information, and by processing the additional data handled by its optional services (the Mailbox Connector and RUF+) only as described in the Data Processing Addendum above, Skysnag ensures that customer data is handled responsibly and securely.

For further inquiries or to request information about this policy, please contact:
Contact email address: [email protected]