Data Processing Addendum

This Data Processing Addendum (“Addendum”) forms part of the Terms of Service entered into between Gravity Digital Pte. Ltd. (“BlueTally”) and you (“You”, “Customer”) that incorporates this Addendum by reference (the “Agreement”) and governs the Processing of Personal Information by BlueTally in providing its asset management platform (the “Service”) pursuant to the Agreement.

‍

1. Definitions

1.1. “Adequacy Decision” means:

‍

a. for data processed subject to the GDPR: the EEA, or a country or territory that is the subject of an adequacy decision issued by the European Commission under Article 45(1) of the GDPR; and

‍

b. for data processed subject to the UK GDPR: the UK or a country or territory that is the subject of the adequacy regulations under Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018.

‍

1.2. “CCPA” means Cal. Civ. Code §§ 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (the California Consumer Privacy Act).

‍

1.3. “Controller to Processor SCCs” means the Module Two (transfer controller to processor) of the European Commission Implementing Decision (EU) 2021/914.

‍

1.4. “CPA” means Colo. Rev. Stat. §§ 6-1-1301 et seq. (the Colorado Privacy Act).

‍

1.5. “CTDPA” means Connecticut’s Data Privacy Act.

‍

1.6. “Data Subject” means any individual whose Personal Information may be Processed under this Addendum.

‍

1.7. “Data Protection Legislation” means applicable law governing the use, access to, deletion of, or Processing of Personal Information under this Addendum, including, but not limited to, the CCPA, the CPA, the CTDPA, the UCPA, the VCDPA, the GDPR, and UK GDPR, together with any national or subordinate legislation and regulations implementing, in each case as amended, repealed, consolidated, or replaced from time to time.

‍

1.8. “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

‍

1.9.“Personal Information” means personal data or personal information (as defined under the applicable Data Protection Legislation) that is subject to the Data Protection Legislation and that you authorize BlueTally to collect and process on your behalf in connection with BlueTally’s provision of the Service under the Agreement.

‍

1.10. “Process” or “Processing” means any operation or set of operations performed on Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

‍

1.11. “Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Information on behalf of the controller (as such term is defined under the GDPR).

‍

1.12. “Processor to Processor SCCs” means the Module Three (transfer processor to processor) of the European Commission Implementing Decision (EU) 2021/914.

‍

1.13. “Security Incident” means a breach of security of the Service or BlueTally’s systems used to Process Personal Information leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information Processed by BlueTally. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Information, including unsuccessful login attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

‍

1.14. “Sensitive Information” means the types of sensitive Personal information set forth in Article 9, Section 1 of the GDPR.

‍

1.15. “Service Provider” means an entity that receives Personal Information and is prohibited from retaining, using, selling, or disclosing such information other than in connection with providing the Service pursuant to the Agreement.

‍

1.16. “Standard Contractual Clauses” means Standard Contractual Clauses forthe transfer of Personal Data to third countries pursuant to Regulation (EU)2016/679 of the European Parliament and the Council approved by EuropeanCommission Implementing Decision (EU) 2021/914 of 4 June 2021, as currentlyset out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj

‍

1.17. “Subprocessor List” means BlueTally’s Subprocessors as identified in Section 7.

‍

1.18. “UCPA” means Utah Code Ann. §§ 13-61-101 et seq. (the Utah Consumer Privacy Act).

‍

1.19. “UK Addendum” means the template Addendum B.1.0 issued by the UK's Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 of the UK on 2 February 2022, and in force from 21 March 2022, available here: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf as updated and/or replaced from time to time. For the purposes of the UK Addendum, (a) the information required for Table 1 is contained in Schedule 1 of this Addendum, and the start date shall be the commencement of the Service, (b) in relation to Table 2, the version of the EU Clauses to which the UK Approved Addendum applies is Module Two for Controller to Processor where BlueTally is acting as your Processor and Module Three for Processor to Processor where BlueTally is acting as your Subprocessor, (c) in relation to Table 3, the list of parties and description of the transfer are as set out in Schedule 1 of this Addendum, BlueTally's technical and organizational measures are set out in Schedule 1 of this Addendum, and the list of BlueTally's Subprocessors is as provided in Section 8 of this Addendum, and (d) in relation to Table 4, neither party will be entitled to terminate the UK Addendum in accordance with clause 19 of Part 2 of the UK Addendum.

‍

1.20. “UK GDPR” means the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.

‍

1.21. “U.S. Privacy Laws” collectively mean the CCPA, the CPA, the CTDPA, the UCPA, and the VCDPA.

‍

1.22. “VCDPA” means VA Code Ann. §§ 59.1-575 et seq. (the Virginia Consumer Data Protection Act).

‍

2. Details of the Processing

2.1. Categories of Data Subjects. As set out in Schedule 1.

‍

2.2. Types of Personal Information. As set out in Schedule 1.

‍

2.3. Subject-Matter and Nature of the Processing. The subject-matter of Processing of Personal Information by BlueTally is the provision of the Service to you that involves the Processing of Personal Information. Personal Information will be subject to those Processing activities which BlueTally needs to perform in order to provide the Service pursuant to the Agreement.

‍

2.4. Purpose of the Processing. Personal Information will be Processed by BlueTally for purposes of providing the Service set out into the Agreement.

‍

2.5. Duration of the Processing. Personal Information will be Processed for the duration of the Agreement, subject to Section 11 of this Addendum.

‍

3. Processing Requirements

3.1. BlueTally will Process Personal Information solely as a Processor or Service Provider on your behalf and in accordance with the Agreement, this Addendum, and any other documented instructions from you (whether in written or electronic form), or as otherwise required by applicable law.

‍

3.2. Notwithstanding anything to the contrary in the Agreement, BlueTally shall not (a) retain, use or disclose Personal Information other than as provided for in the Agreement or as needed to perform the Service, (b) “sell” (as such term is defined by U.S. Privacy Laws), “share,” (as such term is defined by the CCPA). BlueTally is hereby instructed to Process Personal Information to the extent necessary to enable BlueTally to provide the Service in accordance with the Agreement and this Addendum, or (c) Process Personal Information except as necessary for the business purposes specified in the Agreement or this Addendum.

‍

3.3. In case BlueTally cannot process Personal Information in accordance with your instructions due to a legal requirement under any applicable law to which BlueTally is subject, BlueTally shall (a) promptly notify you in writing (including by e-mail) of such legal requirement before carrying out the relevant Processing, to the extent permitted by the applicable law, and (b) cease all Processing (other than merely storing and maintaining the security of the affected Personal Information) until you provide BlueTally with new instructions.

‍

3.4. You will be responsible for providing or making Personal Information available to BlueTally in compliance with all applicable Data Protection Legislation, including providing any necessary notices to, and obtaining and maintaining any necessary rights, consents, and authorizations from, Data Subjects whose Personal Information is provided by you to BlueTally for Processing pursuant to this Addendum. Each of BlueTally and you acknowledge and agree that you have not “sold” (as such term is defined by the CCPA) Personal Information to BlueTally.

‍

3.5. You acknowledge and agree that you, rather than BlueTally, are responsible for certain configurations and design decisions for the Service and that you, and not BlueTally, are responsible for implementing those configurations and design decisions in a secure manner that complies with applicable Data Protection Legislation. Without limiting the foregoing, you represent, warrant, and covenant that you shall only transfer Personal Information to BlueTally using secure, reasonable, and appropriate mechanisms.

‍

3.6. You acknowledge that the Service is not intended or designed for the Processing of Sensitive Information, and you agree not to provide any Sensitive Information through the Service. The parties agree that you provide Personal Information to BlueTally as a condition precedent to BlueTally’s performance of the Service and that Personal Information is not exchanged for monetary or other valuable consideration.

‍

4. Security

BlueTally shall implement and maintain throughout the term of the Addendum reasonable and appropriate technical and organizational measures designed to protect Personal Information against unauthorized or accidental access, loss, alteration, disclosure, or destruction, including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, and encryption.

‍

BlueTally will also provide reasonable assistance to you with conducting any legally required data protection impact assessments with respect to the Processing of Personal Information by BlueTally (including, where necessary, subsequent consultation with a supervisory authority with jurisdiction over such Processing), if so required by the Data Protection Legislation, taking into account the nature of Processing and the information available to BlueTally.

‍

5. Security Incident

If BlueTally becomes aware of a Security Incident, BlueTally will (a) notify you without undue delay, and not later than 48 hours after BlueTally discovers the Security Incident, and (b) make reasonable efforts to identify the cause of the Security Incident, mitigate the effects, and remediate the cause to the extent within BlueTally’s reasonable control.

‍

Upon your request and considering the nature of the applicable Processing, BlueTally will assist by providing, when available, information reasonably necessary for you to meet your Security Incident notification obligations under Data Protection Laws. You acknowledge that BlueTally providing notification of a Security Incident is not an acknowledgment of fault or liability.

‍

6. Confidentiality

BlueTally will ensure that its personnel authorized to process Personal Information are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

‍

7. Data Subject Requests

You are responsible for handling any requests or complaints from Data Subjects with respect to their Personal Information Processed by BlueTally under this Addendum. If BlueTally receives a request from your Data Subject in relation to the Data Subject’s Personal Information Processed under your Service account, BlueTally will notify you and advise the Data Subject to submit the request to you, and you will be responsible for responding to any such request.

‍

8. Subprocessors

In providing the Service, you agree that:

‍

8.1. BlueTally engages the organizations listed on the Subprocessor List (each a “Subprocessor”) to help Process Personal Information on the Service.

‍

8.2. BlueTally will enter into a written agreement with each Subprocessor imposing data processing and protection obligations substantially the same as those set out in this Addendum.

‍

8.3. BlueTally will maintain a current list of its Subprocessors, including their functions and locations, as specified in the Subprocessor List.

‍

8.4. BlueTally may update the Subprocessor List from time to time. In the event that BlueTally seeks to add any Subprocessors and update the Subprocessor List, BlueTally will provide notice of such additions to you (which may be via email, a posting, or notification on an online portal for our services, or other reasonable means).

‍

8.5. In the event that you do not wish to consent to the use of such additional Subprocessor, you may notify BlueTally that you do not consent within fifteen (15) days based on reasonable data protection concerns. In such case, the parties will discuss such concerns in good faith.

‍

8.6. If the parties are unable to reach a mutually agreeable resolution to your objection to a new Subprocessor, you, as your sole and exclusive remedy, may terminate the Order for the affected Service for convenience, and BlueTally will refund any prepaid, unused fees for the terminated portion of the applicable Term.

‍

9. Data Transfers

In connection with the performance of the Agreement, you authorize BlueTally to transfer Personal Information internationally, and in particular, to locations outside of the United Kingdom and European Economic Area, such as the United States.

‍

If Personal Information is Processed in a country that has not received an Adequacy Decision, you and BlueTally hereby enter into:

‍

9.1. the Controller to Processor SCCs if the restricted transfer is subject to the GDPR and BlueTally is acting as your Processor;

‍

9.2. the Processor to Processor SCCs if the restricted transfer is subject to the GDPR and BlueTally is acting as your Subprocessor;

‍

9.3. the Swiss Amendments if the restricted transfer consists of Personal Information originating from Switzerland; and

‍

9.4. the UK Addendum if the restricted transfer is subject to the UK GDPR.

‍

10. Standard Contractual Clauses

‍

10.1. Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this Addendum. The information required for the purposes of the Appendix to the Standard Contractual Clauses are set out in Schedule 1.

‍

10.2. Docking clause. The option under clause 7 shall not apply.

‍
10.3. Instructions. This Addendum and the Agreement are customer’s complete and final documented instructions at the time of signature of the Agreement to BlueTally for the processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this Addendum and the Agreement. For the purposes of clause 8.1(a), the instructions by Customer to process personal data are set out in section 2 and 3 of this Addendum and include onward transfers to a third party located outside Europe for the purpose of the performance of the Services.

‍
10.4. Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by BlueTally to customer only upon customer's written request.

‍
10.5. Security of Processing. For the purposes of clause 8.6(a), customer is solely responsible for making an independent determination as to whether the technical and organizational measures set forth in Schedule 2 meet customer’s requirements and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its personal data as well as the risks to individuals) the security measures and policies implemented and maintained by BlueTally provide a level of security appropriate to the risk with respect to its personal data. For the purposes of clause 8.6(c), personal data breaches will be handled in accordance with section 5 of this Addendum.

‍
10.6. Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with section 11.3 of this Addendum.

‍
10.7. General authorization for use of Sub-processors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), BlueTally has customer’s general authorization to engage Sub-processors in accordance with section 8 of this Addendum. BlueTally shall make available to Customer the current list of Sub- processors in accordance with section 8.3 of this Addendum.

‍
10.8. Notification of New Sub-processors and Objection Right for new Sub- processors. Pursuant to clause 9(a), Customer acknowledges and expressly agrees that BlueTally may engage new Sub-processors as described in sections 8.5 and 8.6 of this Addendum. BlueTally shall inform customer of any changes to Sub- processors following the procedure provided for in section 8.4 of this Addendum.

‍
10.9 Redress. For the purposes of clause 11, and subject to section 7 of this Addendum, BlueTally shall inform data subjects on its website of a contact point authorized to handle complaints. BlueTally shall inform customer if it receives a complaint by, or a dispute from, a data subject with respect to Personal Data and shall without undue delay communicate the complaint or dispute to customer. BlueTally shall not otherwise have any obligation to handle the request (unless otherwise agreed with customer). The option under clause 11 shall not apply.

‍

10.10. Liability. BlueTally's liability under clause 12(b) shall be limited to any damage caused by its processing where BlueTally has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Customer, as specified in Article 82 GDPR.

‍
10.11. Supervision. Clause 13 shall apply as follows:

‍
(a) Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

‍
(b) Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.

‍
(c) Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, The Irish Supervisory Authority - The Data Protection Commission shall act as competent supervisory authority.

‍
(d) Where Customer is established in the United Kingdom or falls within the territorial scope of application of the Data Protection Laws and Regulations of the United Kingdom (“UK Data Protection Laws and Regulations”), the Information Commissioner's Office (“ICO”) shall act as competent supervisory authority.

‍
(e) Where Customer is established in Switzerland or falls within the territorial scope of application of the Data Protection Laws and Regulations of Switzerland (“Swiss Data Protection Laws and Regulations”), the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.

‍
10.12. Notification of Government Access Requests. For the purposes of clause 15(1)(a), BlueTally shall notify Customer (only) and not the Data Subject(s) in case of government access requests. Customer shall be solely responsible for promptly notifying the Data Subject as necessary.

‍
10.13. Governing Law. The parties choose option 1 and agree the governing law for the purposes of clause 17 shall be the laws of Ireland.

‍
10.14. Choice of Forum and Jurisdiction. The courts under clause 18 shall be the courts of Ireland.

‍
10.15. Appendix. The Appendix shall be completed as follows:

‍
(a) The contents of section 1 of Schedule 1 shall form Annex I.A to the Standard Contractual Clauses

‍

(b) The contents of sections 2 to 9 of Schedule 1 shall form Annex I.B to the Standard Contractual Clauses

‍
(c) The contents of section 10 of Schedule 1 shall form Annex I.C to the Standard Contractual Clauses

‍
(d) The contents of section 11 of Schedule 2 shall form Annex II to the Standard Contractual Clauses.

‍
10.16 Data Exports from the United Kingdom under the Standard Contractual Clauses. For data transfers governed by UK Data Protection Laws and Regulations, the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses ("Approved Addendum") shall apply. The information required for Tables 1 to 3 of Part One of the Approved Addendum is set out in Schedule 2 of this Addendum (as applicable). For the purposes of Table 4 of Part One of the Approved Addendum, neither party may end the Approved Addendum when it changes.

‍
10.17 Data Exports from Switzerland under the Standard Contractual Clauses. For data transfers governed by Swiss Data Protection Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity. In such circumstances, general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in Swiss Data Protection Laws.

‍
10.18. Conflict. The Standard Contractual Clauses are subject to this Addendum and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this Addendum, unless stated otherwise. In the event of any conflict or inconsistency between the body of this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

‍

11. Information and Audit

11.1. BlueTally shall make available its privacy and security policies and other such information necessary to demonstrate compliance with the obligations set forth in this Addendum.

‍

11.2. Upon reasonable notice and appropriate confidentiality agreements, and taking into account the nature of the applicable Processing, BlueTally will assist you in fulfilling your obligations under applicable Data Protection Laws to carry out a data protection impact or similar risk assessment related to your use of the Service, including, if required by Data Protection Laws, by assisting you in consultations with relevant government authorities.

‍

11.3 BlueTally shall maintain an audit program to help ensure compliance with the obligations set out in this Addendum and shall make available to customer information to demonstrate compliance with the obligations set out in this Addendum, including those obligations required by applicable Data Protection Laws.

‍

12. Return or Disposal

Promptly following termination of the Agreement and this Addendum for any reason, BlueTally will destroy the Personal Information it was Processing on your behalf pursuant to BlueTally’s provision of the Service unless Data Protection Legislation prevents BlueTally from destroying all or part of the Personal Information.

‍

13. Modification

Notwithstanding anything to the contrary in the Agreement, BlueTally may periodically modify this Addendum as required to comply with Data Protection Legislation.

2. Categories of data subjects whose personal data is transferred.

‍

Data exporter may submit Personal Information to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Information relating to the following categories of data subjects:

‍

Data exporter’s employees, contractors, representatives, agents, and other individuals whom data exporter permits to use the Service, as well as Personal Information relating to the data exporter’s customers, partners, users, and vendors.

‍

3. Categories of personal data transferred.

Data exporter may submit Personal Information to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following Personal Information:

‍

First and Last Name, Billing Address, Credit Card Information, IP Address, API Key, Access Token, User Identifiers, Password, Cookies.

‍

4. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

‍

None, and the data exporter is prohibited from using the Service to process any such data under the terms of the Agreement.

‍

5. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous basis.

‍

6. Nature of the processing

The performance of the Service pursuant to the Agreement.

‍

7. Purpose(s) of the data transfer and further processing

The performance of the Service pursuant to the Agreement.

‍

8. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the duration of the Agreement.

‍

9. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Located in Section 7 of this document.

‍

10. Competent Supervisory Board

‍

Identify the competent supervisory authority/ies in accordance with clause 13: the supervisory authority specified in section 10.11 of this Addendum shall act as the competent supervisory authority.

‍

11. Technical and Organizational Measures

‍

Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in Schedule 2. Data Subject Requests shall be handled in accordance with section 7 of the Addendum.

‍

‍

SCHEDULE 2: TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

BlueTally will maintain administrative, physical, and technical safeguards designed for protection of the security, confidentiality, and integrity of Personal Information uploaded to the Service, as described in this Schedule. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Addendum.

‍

1. Security Governance

1.1. BlueTally maintains an information security program (including the adoption and enforcement of internal policies and procedures) designed to: (a) help our customers secure their data processed using BlueTally’s online product against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the BlueTally online product, and (c) minimize security risks, including through risk assessment and regular testing.

‍

1.2. BlueTally covers the following core functions:

‍

a. Application security (secure development, security feature design)

‍

b. Infrastructure security (revision of data center security)

‍

c. Monitoring and incident response

‍

d. Vulnerability management (vulnerability scanning and resolution)

‍

e. Compliance and technical privacy

‍

2. Access Control

2.1. Preventing Unauthorized Product Access

‍

a. Third party data hosting and processing: We host our Service with third party cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with the Addendum. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

‍

b. Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls of such providers have the industry required certifications.

‍

c. Authentication: Customers who interact with the products via the user interface are required to authenticate before they are able to access their non-public data. BlueTally supports Single-Sign On for some of our paid accounts.

‍

d. Authorization: Customer Content (data originated by customers that a customer transmits through BlueTally online service) is stored in multi-tenant storage systems which are only accessible to Customers via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

‍

e. Application Programming Interface (API) access: Product APIs may be accessed using an API key. Authorization credentials are stored encrypted. API access is only available in some of our subscription plans. Users are responsible for API key safe keeping.

‍

2.2. Preventing Unauthorized Product Use. We implement industry-standard access controls and detection capabilities for the internal networks that support our products.

‍

a. Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

‍

2.3. Limitations of Privilege & Authorization Requirements

‍

a. Product access: A subset of our personnel have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of personnel is to provide effective customer support, troubleshoot potential problems, detect, and respond to security incidents, and implement data security.

‍

b. Personnel Security: BlueTally personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.

‍

c. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, BlueTally’s confidentiality and security policies.

‍

3. Encryption Technologies

3.1. In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on all our login interfaces and for free on every customer site hosted on the BlueTally products. Our HTTPS implementation uses industry-standard algorithms and certificates.

‍

3.2. At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest. We also offer two factor authentication to our clients.

‍

4. Input Controls

4.1. Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate personnel of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.

‍

4.2. Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, and/or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and customer damage or unauthorized disclosure. Notifications will be in accordance with the terms of the Agreement.

‍

5. Data Deletion and Portability

BlueTally enables customers to delete their account and delete or export their account data in a manner consistent with the functionality of the BlueTally product. Instructions and related details are provided within the applicable functionality within the BlueTally product.

‍

6. Availability Controls

Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.

‍

6.1. Redundancy: The infrastructure providers use designs to eliminate single points of failure and minimize the impact of anticipated environmental risks. BlueTally’s product is designed to allow the company to perform certain types of preventative and corrective maintenance without interruption.

‍

6.2. Business Continuity: BlueTally has designed and regularly plans and tests its business continuity planning/disaster recovery programs.

‍

7. List of Subprocessors

BlueTally uses certain sub-processors and third parties to assist it in providing the BlueTally Services.

‍

A sub-processor is a third-party data processor engaged by BlueTally, who has or potentially will have access to or process Content (which may contain Personal Data). BlueTally engages different types of sub-processors to perform various functions as explained in the tables below.

‍

This information is provided to illustrate BlueTally´s engagement process for sub-processors and does not create a binding agreement. This list may change without prior notice.

‍

Before entering into any third-party relationships, we take deliberate steps to conduct an assessment of risk arising from the vendor relationship.

‍

Any sub-processor who has access to BlueTally Personal Data are expected to demonstrate their security policies, processes, and procedures and prove that they are able to provide adequate protection of such data, including against misuse or compromise.