Data Processing Addendum
We are committed to keeping you informed and protecting your privacy online.
If you qualify as a data controller under applicable law, you may need a data processing addendum in place with Agolix if we process personal data on your behalf.
For the avoidance of doubt, the Data Processing Addendum applies when Agolix is acting in the capacity of a data processor.
Because Agolix’s Terms and Conditions already incorporate the Data Processing Addendum, you do not need to sign a separate copy.
TABLE OF CONTENTS
Agolix Data Processing Addendum (DPA)
Annex 1 – Details of Processing
Annex 2 – Technical and Organizational Security Measures of the Processor
Annex 3 – Subprocessors
INTRODUCTION
Last updated: 18 July 2024
This Data Processing Addendum (“DPA”) is between Assessment Generator Inc. DBA Agolix (“Agolix”), including its affiliates, and the Client identified in the Main Agreement. Agolix and Client are each referred to herein as a “Party” and collectively as the “Parties.”
BACKGROUND
A. Agolix provides the Services (defined below) to Client pursuant to Agolix’s Terms and Conditions and/or any other written or electronic agreement for Agolix to provide Services to Client (“Main Agreement”).
B. In providing the Services, Agolix may need to Process Personal Data on behalf of Client.
C. By entering into the Main Agreement with Agolix, or by providing Personal Data to Agolix, Client instructs Agolix to Process such Personal Data.
D. This DPA sets forth the terms on which Agolix Processes such Personal Data. This DPA forms an integral part of the Main Agreement and becomes effective and binding upon entering into the Main Agreement. The DPA is hereby incorporated into the Main Agreement by reference.
E. If there is a conflict between this DPA, any previously executed data processing agreement, and the terms of the Main Agreement, this DPA will govern.
The Parties agree as follows:
1. DEFINITIONS
Any capitalized term not defined below will have the meaning provided to it in the Main Agreement. In this DPA, the following terms have the meanings set out below:
1.1 “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq.;
1.2 “Client” or “you” means the person or entity placing an order for or accessing the Services under the Main Agreement.
1.3 “Data” or “Personal Data” means the personal data or personal information (as such terms are defined under Data Protection Laws) of any Data Subject (including but not limited to Client Personal Data and Respondent Data) Processed by Agolix on behalf of Client pursuant to or in connection with the provision of the Services.
1.4 “Data Controller” or “Controller” means Client, which collects Personal Data, uses the Services of Agolix (whether free of charge or under a paid subscription), and determines the purposes and means of the Processing of Personal Data.
1.5 “Data Processor” or “Processor” means Agolix, which processes Personal Data on behalf of Client under its instructions.
1.6 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
1.7 “Data Protection Laws” means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the Main Agreement, including, where applicable:
- the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”);
- the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act (“UK GDPR”);
- the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”);
- the Swiss Federal Data Protection Act (“Swiss FDPA”); and
- the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”);
- in each case as amended, repealed, consolidated, or replaced from time to time.
1.8 “EEA” means the European Economic Area.
1.9 “EU Personal Data” means Personal Data that is subject to the protection of the GDPR.
1.10 “EU Standard Contractual Clauses” means where the GDPR applies, the contractual terms approved under the European Commission’s decision of 4 June 2021 on Standard Contractual Clauses (Commission Decision (EU) 2021/914) for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679. The EU Standard Contractual Clauses are available for download at the EUR-Lex website.
1.11 “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data on systems managed or otherwise controlled by Agolix. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
1.12 “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.13 “Services” means the services Agolix is obligated to provide pursuant to the Main Agreement in relation to the proprietary online assessment generator owned by Agolix.
1.14 “Subprocessor” means any Agolix Affiliate or third-party service provider engaged by Agolix to Process Personal Data in order to assist Agolix in fulfilling its obligations to provide the Services under the Main Agreement.
1.15 “Swiss Personal Data” means Personal Data subject to the protection of the Swiss FDPA.
1.16 “UK Addendum” means, where the UK GDPR applies, the “International Data Transfer Addendum” to the EU Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022. The UK Addendum is available for download at the UK Information Commissioner’s website.
1.17 “UK Personal Data” means Personal Data subject to the protection of the UK GDPR.
2. RELATIONSHIP OF PARTIES AND SCOPE OF DATA PROCESSING
2.1 AGOLIX AS PROCESSOR
To the extent that Agolix Processes Personal Data in the course of providing the Services, each Party acknowledges:
Agolix is a Processor of Personal Data under Data Protection Laws;
Client is a Controller or Processor, as applicable, of Personal Data under Data Protection Laws; and
For purposes of the CCPA, Agolix is a Service Provider and Client is a Business (as those terms are defined in the CCPA).
2.2 DETAILS OF DATA PROCESSING
Agolix will Process Personal Data in order to provide the Services in accordance with the Main Agreement. Annex 1 – (Details of Processing) of this DPA further specifies the subject matter, the nature and purpose of the processing, the duration and frequency of the processing, the types of personal data, and the categories of data subjects.
3. PROCESSING REQUIREMENTS
3.1 CLIENT INSTRUCTIONS FOR PROCESSING
a. Client Instructions. Client, as the Controller, determines the purposes and means of Processing Personal Data. As such, Agolix shall process Personal Data only on the documented written instructions of Client, which include this DPA and the Main Agreement, unless Agolix is required by applicable laws to otherwise process Personal Data.
b. Conflict of Laws. If, in Agolix’s opinion, a Client instruction infringes (or, if acted upon, might infringe) Data Protection Laws, Agolix will inform Client promptly. If necessary, Agolix may suspend all Processing (other than storing and maintaining the security of the affected Personal Data) until Client issues new instructions with which Agolix is able to comply. If this provision is invoked, Agolix will not be liable to Client under the Main Agreement for any failure to perform the Services until Client issues new lawful instructions with regard to the Processing.
3.2 COMPLIANCE
a. Compliance with Laws. Both Parties will comply with all applicable requirements of Data Protection Laws.
b. Client-Specific Compliance. Without limiting its responsibilities under the Main Agreement, Client will be solely responsible for:
- the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data;
- complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including by obtaining any consents and providing any notices required under Data Protection Laws for Agolix to provide the Services;
- ensuring that Client has the right to transfer, or provide access to, the Personal Data so that Agolix and its Subprocessors may lawfully Process it in accordance with this DPA; and
- ensuring that Client’s instructions to Agolix regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws.
Client shall inform Agolix without undue delay if Client is not able to comply with its responsibilities under this Compliance section or Data Protection Laws.
3.3 NO SELLING OF PERSONAL DATA
Agolix will not sell Personal Data or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein. For purposes of this paragraph, “sell” will have the meaning set forth in the CCPA.
3.4 CONFIDENTIALITY OF PROCESSING
Agolix will ensure that its personnel (including its staff, agents, and subcontractors) authorized to Process Personal Data are informed of the confidential nature of the Personal Data and subject to a duty of confidentiality.
4. COOPERATION WITH CLIENT
4.1 DATA SUBJECT REQUESTS
If Agolix receives a request from a Data Subject to exercise its rights under Data Protection Laws then, to the extent legally permissible, Agolix will advise the Data Subject to submit their request to the Client, and Client shall be responsible for responding to any such request. Notwithstanding the foregoing, Client hereby agrees that Agolix may delete Personal Data subject to a Data Subject request for deletion or erasure, and Agolix may confirm to a Data Subject that such Personal Data in Agolix’s possession or control has been removed.
If Client is unable to respond to a Data Subject request without the aid and support of Agolix, upon written request of Client, Agolix will support Client to fulfill requests by Data Subjects to exercise their rights under Data Protection Laws in a manner consistent with the functionality of the assessment platform and Agolix’s role as a Processor.
4.2 SUPERVISORY AND OTHER REGULATORY AUTHORITIES REQUESTS
Agolix shall provide reasonable assistance to and cooperation with Client for Client’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Agolix under Data Protection Laws to consult with a regulatory authority in relation to Agolix’s Processing or proposed Processing of Personal Data.
4.3 DATA PROTECTION IMPACT ASSESSMENT
Taking into account the nature of the Processing and the information available to Agolix, Agolix will provide reasonable assistance to and cooperation needed to fulfill Client’s obligation under Data Protection Laws to carry out a data protection impact assessment related to Client’s use of the Services, to the extent Client does not otherwise have access to the relevant information, and to the extent such information is available to Agolix.
4.4 COSTS
Agolix may charge additional fees or require reimbursement in order to comply with its cooperation duties referred to in Section 4.
5. SECURITY
5.1 DATA PROTECTION OFFICER
Agolix has appointed its Chief Technical Officer as the “Data Protection Officer.” The Data Protection Officer will be in charge of data security and any queries relating to Data Subjects. The appointed person may be reached at witt@agolix.com.
5.2 SECURITY MEASURES
Agolix shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, as described under Annex 2 – Technical and Organizational Security Measures of the Processor.
5.3 UPDATES TO SECURITY MEASURES
Client acknowledges that the Security Measures are subject to technical progress and development and that Agolix may modify or update the security it implements so long as the overall security of Personal Data is not reduced.
5.4 SECURITY INCIDENT RESPONSE
Agolix will notify Client without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident, so long as applicable law allows this notice. To the extent permitted and required by Data Protection Laws, Agolix shall provide timely information relating to the Security Incident involving the Personal Data.
5.5 NO ACKNOWLEDGEMENT OF FAULT BY AGOLIX
Agolix’s notification of or response to a Security Incident under this section will not be construed as an acknowledgment by Agolix of any fault or liability with respect to the Security Incident.
5.6 CLIENT’S SECURITY RESPONSIBILITIES
Client is solely responsible for its use of the Services, including the following:
- making appropriate use of the Service to ensure a level of security appropriate to the risk in respect of Personal Data;
- securing the account authentication credentials, systems and devices Client uses to access the Service; backing up Personal Data; and
- reviewing the information made available by Agolix relating to security of Personal Data and making an independent determination as to whether the Services meet Client’s requirements and legal obligations under Data Protection Laws.
6. AUDIT RIGHTS
If required by Data Protection Laws, Agolix will allow Client or an independent auditor appointed by Client to conduct audits (including inspections) to verify Agolix’s compliance with its obligations under this DPA in accordance with the following:
- The audit will be pre-scheduled in writing with Agolix, at least 30 days in advance and will be performed not more than once a year.
- The scope of an audit will be limited to Agolix systems, processes, and documentation relevant to Processing Personal Data.
- The auditor will execute a non-disclosure agreement with Agolix.
- Client shall bear the cost of any such audit.
- Client shall provide Agolix with any audit reports generated in connection with an audit under this section unless prohibited by law.
- Client may use the audit reports only to meet its regulatory audit requirements and to confirm compliance with the requirements of Data Protection Laws necessitating the audit.
- Agolix may object in writing to an auditor appointed by Client if the auditor is, in Agolix’s reasonable opinion, (1) not suitably qualified or independent, (2) a competitor of Agolix, or (3) otherwise reasonably unsuitable. Any such objection by Agolix will require Client to appoint another auditor or conduct the audit itself.
7. SUBPROCESSORS
7.1 CONSENT TO SUBPROCESSOR ENGAGEMENT
By entering into this DPA, Client authorizes Agolix to use Subprocessors for the provision of Services as agreed under the Main Agreement. The current list of Subprocessors engaged by Agolix to help Process Personal Data is set out in Annex 3 – Subprocessors.
Agolix will impose contractual obligations on any Subprocessor appointed by Agolix, requiring it to protect Personal Data to standards that are substantially the same as those set out in this DPA. Agolix remains liable for its Subprocessors’ performance under this DPA to the same extent Agolix is liable for its own performance.
7.2 NOTIFICATION OF NEW SUBPROCESSORS
Agolix may engage new Subprocessors to Process Personal Data. If Agolix seeks to add any Subprocessors and update the Subprocessor list, Agolix will provide notice of such additions to Client (which may be via email, a posting or notification on an online portal for the Services, or other reasonable means).
7.3 RIGHT TO OBJECT
If Client objects to the use of a new Subprocessor on reasonable data protection grounds, Client may notify Agolix within fifteen (15) days of the notice. In such case, the Parties will discuss such concerns in good faith. If the Parties are unable to reach a mutually agreeable resolution to Client’s objection to a new Subprocessor, Agolix may, as its sole remedy, terminate the subscription for the affected Service without penalty, and no prepaid amounts will be refunded by Agolix to Client.
8. DATA TRANSFER AUTHORIZATION
Client acknowledges that Agolix and its Subprocessors may transfer and Process Personal Data to and in the United States and internationally as necessary for Agolix to provide the Services under the Main Agreement. In connection with the Services, the Parties anticipate that Agolix and its Subprocessors may Process EU Personal Data outside of the EEA, Swiss Personal Data outside of Switzerland, and UK Personal Data outside of the United Kingdom.
9. INTERNATIONAL DATA TRANSFER MECHANISMS
9.1 GENERALLY
Some jurisdictions require that an entity transferring Personal Data to, or accessing Personal Data from, a foreign jurisdiction (a cross-border data transfer) take measures to ensure that the Personal Data transfer has an adequate level of protection. The Parties will comply with any cross-border data transfer mechanism that may be required by Data Protection Laws, including the EU Standard Contractual Clauses and UK Addendum.
9.2 EEA TRANSFERS
For transfers of EU Personal Data to Agolix for Processing by Agolix in any country or territory outside the EEA that does not benefit from an adequacy decision from the European Commission, each Party agrees it will use the EU Standard Contractual Clauses.
By entering into this DPA, the EU Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
a. Module 2 (Controller to Processor) will apply where Client is a Controller and Agolix is Client’s Processor of EU Personal Data.
b. Module 3 (Processor to Processor) will apply where Client is a Processor and Agolix is Client’s subprocessor of EU Personal Data.
c. For each Module, with respect to the elements that require the Parties’ input the following terms apply, where applicable:
- in Clause 7, the optional docking clause will apply;
- in Clause 9 (General Written Authorization), Option 2 will apply and the time period for prior written notice of Subprocessor changes will be as set forth in Section 7 of the DPA;
- in Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body will not apply;
- in Clause 17 (Governing law), Option 1 will apply (the law of an EU Member State that allows for third-party beneficiary rights) and the Parties select the law of Ireland;
- in Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
- Annex I of the EU Standard Contractual Clauses is set forth in Annex 1 of the DPA;
- Annex II of the EU Standard Contractual Clauses is set forth in Annex 2 of the DPA; and
- Annex III of the EU Standard Contractual Clauses is set forth in Annex 3 of the DPA.
9.3 SWISS TRANSFERS
For transfers of Swiss Personal Data to Agolix for Processing by Agolix in any country or territory outside Switzerland that does not benefit from an adequacy decision from the Swiss Government, each Party agrees it will use the EU Standard Contractual Clauses in accordance with Section 9.2, with the following modifications:
- any references to the GDPR will be interpreted as references to the Swiss FDPA;
- any references to “EU,” “Union,” and “Member State law” will be interpreted as references to Switzerland and Swiss law;
- the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner and the relevant courts in Switzerland;
- Clause 17 will be replaced to state “The Clauses are governed by the laws of Switzerland”; and
- Clause 18 will be replaced to state “Any dispute arising from these Clauses shall be resolved by the applicable courts of Switzerland.”
9.4 UK TRANSFERS
For transfers of UK Personal Data to Agolix for Processing by Agolix in any country or territory outside the United Kingdom that does not benefit from an adequacy decision from the UK Government, each Party agrees it will use the UK Addendum.
By entering into this DPA, the UK Addendum will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
- Table 1 of the UK Addendum: (1) the Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Annex 1; and (2) the Key Contact shall be the contacts set forth in Annex 1.
- Table 2 of the UK Addendum: the Approved EU Standard Contractual Clauses referenced in Table 2 shall be the EU Standard Contractual Clauses as executed by the Parties.
- Table 3 of the UK Addendum: Annex 1A and 1B shall be as set forth in Annex 1, Annex II as set forth in Annex 2, and Annex III as set forth in Annex 3 of this DPA.
- Table 4 of the UK Addendum: either Party may end this DPA as set out in Section 19 of the UK Addendum.
By entering into this DPA, the Parties are deemed to be signing the UK Addendum and its applicable Tables and Appendix Information.
10. TERM
This DPA will remain in force until such time as the Main Agreement is terminated or expires (in accordance with its terms).
11. RETURN AND DELETION OF PERSONAL DATA
On termination or expiration of the Main Agreement, Agolix will, at the request of Client and no later than 30 days thereafter, return or delete all Personal Data Processed on behalf of Client that is in Agolix’s possession or control, except that this requirement will not apply to the extent Agolix is required by applicable law to retain some or all of the Personal Data.
12. GENERAL PROVISIONS
12.1 LIABILITY FOR DATA PROCESSING
Each Party’s aggregate liability for any and all claims, whether in contract, tort (including negligence), breach of statutory duty, or otherwise arising out of or in connection with this DPA shall be as set out in the Main Agreement, unless otherwise agreed in writing by the Parties.
12.2 INDEPENDENT PROCESSING
Client remains exclusively liable for its own compliance with Data Protection Laws with respect to any independent collection and processing of personal data unrelated to the Services.
12.3 INDEPENDENT CONTRACTOR
Nothing in this DPA is intended to or will be deemed to, establish any partnership or joint venture between any of the Parties, nor authorize any Party to enter into any commitments for or on behalf of any other Party except as expressly provided herein.
12.4 SEVERABILITY
If any provision of this DPA is determined to be unenforceable by a court of competent jurisdiction, that provision will be severed and the remainder of terms will remain in full effect.
12.5 GOVERNING LAW
This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Main Agreement, unless required otherwise by applicable Data Protection Laws.
12.6 CHANGES TO THIS DPA
Agolix retains the right to update and improve this DPA. Where an update has a material impact on the terms of this DPA:
- Agolix will inform Client by sending an email to the email address associated with Client’s account with Agolix;
- Agolix will provide a summary of the changes to make it easier for Client to follow them and take appropriate steps if required;
- changes will take effect no sooner than 7 calendar days from the day they are publicly posted; and
- by continuing to use the Services, Client indicates its agreement to be bound by the updated terms.
12.7 ELECTRONIC COPY
The DPA is delivered as an electronic document.
Annex 1
Details of Processing
A. LIST OF PARTIES
Data exporter:
Name of Data exporter: | Client, a user of the Agolix Services |
Address: | As set forth in the Main Agreement |
Contact person’s name, position, and contact details: | As set forth in the Main Agreement |
Activities relevant to the data transferred under these Clauses: | As described in Section B below |
Signature and date: | This Annex I will automatically be deemed executed when the Main Agreement is executed by Client |
Role (controller/processor): | Controller and/or Processor |
Data importer:
Name of Data importer: | Assessment Generator Inc. DBA Agolix (“Agolix”) |
Address: | As set forth in the Main Agreement |
Contact person’s name, position, and contact details: | Witt Sparks, CTO |
Activities relevant to the data transferred under these Clauses: | Data importer will process the data in order to provide the Services pursuant to the Main Agreement. |
Signature and date: | This Annex I will automatically be deemed executed when the Main Agreement is executed by Agolix |
Role (controller/processor): | Processor |
B. DESCRIPTION OF PROCESSING/TRANSFER
Subject-Matter
Processing of Personal Data to provide the Services in accordance with the Main Agreement.
Nature and Purpose
Processing of Personal Data to provide the Services in accordance with the Main Agreement.
Duration and Frequency
The Term of the Main Agreement or for as long as Agolix is permitted by law or otherwise to retain the Personal Data. Personal data will be transferred continuously where necessary to provide the Services to Client.
Categories of Data Subjects
Data Subjects include the following:
- Identified or identifiable persons who submit personal data to Agolix via use of the Services (including via online surveys and forms hosted by Agolix on behalf of Client);
- Identified or identifiable persons whose personal data may be submitted to Client by Respondents via use of the Services;
- Identified or identifiable persons who are employees, representatives, or other business contacts of Client; and
- Client’s users who are authorized by Client to access and use the Services.
Types of Personal Data
Client may submit Personal Data to the Services and may ask Client’s respondents to submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, without limitation:
- Contact Information, such as contact and billing details of Client’s employees, authorized end users, and other business contacts. For example: name, title, employer, contact information (company, email, phone, address, etc.), payment information, and other account-related data;
- Respondent Information, such as Personal Data of all types that may be submitted by Client’s respondents to Client via use of the Services (such as via assessments or other feedback tools). For example: name, geographic location, age, contact details, IP address, profession, gender, financial status, personal preferences, personal shopping or consumer habits, and other preferences and personal details that Client solicits or desires to collect from its respondents; and
- Assessment or Form Information, such as Personal Data of all types that may be included in assessments or forms hosted on the Services for Client (such as may be included in assessment questions).
Sensitive Data or Special Categories of Data
Client’s respondents may submit special categories of Personal Data to Client via the Services, the extent of which is determined and controlled by Client. Client is responsible for applying restrictions or safeguards that fully take into consideration the nature of the data and the risks involved prior to transmitting or processing any Sensitive Data via the Services. For clarity, these special categories of Personal Data may include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
Subprocessors
For transfers to Subprocessors, the purpose of the processing is set forth in Annex 3 – Subprocessors.
Annex 2
Technical and Organizational Security Measures to Ensure the Security of the Data
1. DATA PROTECTION OFFICER
Each Party will designate a person who will be in charge of communication between the Parties via email so as to execute any specific instructions. These designated persons will serve as the primary point of contact at either Party’s end.
2. AUDIT AND RISK ASSESSMENT
Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Agolix’s organization, monitoring and maintaining compliance with Agolix’s policies and procedures, and reporting the condition of Agolix’s information security and compliance to internal management.
3. SECURITY CONTROLS
Data security controls which include, at a minimum, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of encryption technologies for Personal Data that is transmitted over public networks (i.e. the Internet) or wirelessly, at rest, or stored on portable or removable media (e.g. laptop computers, CD/DVD, USB drives, back-up tapes).
4. ACCESS CONTROLS
Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or job functions change).
5. PASSWORD SECURITY
Password controls designed to manage and control password strength, expiration and usage.
6. SYSTEM EVENT LOGGING
System audit or event logging and related monitoring procedures to proactively record user access and system activity.
7. PHYSICAL SECURITY
Physical and environmental security of areas containing Personal Data managed by Agolix that are designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log the movement of persons into and out of Agolix’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
8. OPERATIONAL PROCEDURES
Operational procedures and controls designed to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media designed to render data contained therein undecipherable or unrecoverable prior to final disposal or release from Agolix’s possession.
9. CHANGE MANAGEMENT
Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to Agolix’s technology and information assets.
10. SECURITY INCIDENT RESPONSE
Security Incident response management procedures designed to allow Agolix to investigate, respond to, mitigate and notify of events related to Agolix’s technology and information assets.
11. NETWORK SECURITY
Network security controls that use firewalls, segregated access, and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
12. VULNERABILITY MANAGEMENT PROCESSES
Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code. Third-party vulnerability assessments are conducted periodically, and vulnerabilities are remediated as appropriate in accordance with Agolix’s internal risk assessment policies.
13. BUSINESS CONTINUITY/DISASTER RECOVERY
Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recover from foreseeable emergencies or disasters. Agolix Business Continuity and Disaster Recovery procedures (including restoration from backups) are reviewed and tested annually.
14. POLICY REVIEW
Agolix’s security and privacy policies are reviewed and approved annually for Agolix’s business operations.
Annex 3
Subprocessors
To help Agolix deliver the Services, we engage Subprocessors to assist with our data processing activities.
Subprocessor | Purpose | Location
Amazon Web Services (AWS) | Application Infrastructure | USA
Sparkpost Mail | Transactional Email | USA
Gitlab | Source code repository | USA
Slack | Internal communication | USA
Trello | Issue and feature management | USA
Active Campaign | Customer Relationship Management | USA
Stripe | Payment processor | USA