Data Processing Addendum
This Resilinc Data Processing Addendum (together with its attachments, the “DPA”) is incorporated by reference into the Resilinc Enterprise Services Terms and Conditions (the “Terms”) by and between Resilinc and Customer and the Resilinc Customer Data Policy.
This DPA applies to Resilinc’s access, use, and other Processing of Personal Data (defined below). Resilinc Processes account data, such as billing data, usage logs, and analytics, in accordance with the Resilinc Privacy Statement. Capitalized terms not defined in this DPA are defined in the Terms.
This DPA is governed by the governing law specified in the Terms unless otherwise required by Data Protection Laws. Regardless of whether the Terms have terminated or expired, this DPA will remain in effect until, and automatically expire when, Resilinc deletes all Customer Data as described in this Addendum.
In the event of any conflict or inconsistency between the DPA and the Terms, or other applicable agreements in connection with the Enterprise Services, the DPA Terms shall prevail. The provisions of the DPA supersede any conflicting provisions of the Resilinc Privacy Statement that otherwise may apply to processing of Customer Data.
Customer and Resilinc agree as follows:
1. DEFINITIONS. The following terms, including any derivatives thereof, will have the meanings set forth below.
“CCPA” means the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, together with all implementing regulations.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.
“Data Protection Laws” means, as applicable to the processing of Personal Data, any national, federal, European Union, state, provincial or other privacy, data security, or data protection law or regulation.
“Data Subject” means any living identified or identifiable natural person to which Personal Data relates or identifies.
“European Data” means Personal Data that is subject to the protection of European Data Protection Laws.
“European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms parts of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iv) Swiss Federal Data Protection Act and its Ordinance (“Swiss DPA”); in each case, as may be amended, superseded or replaced.
“Personal Data” is a subset of Customer Data and means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.
“Process” or “Processing” means any operation or set of operations performed on Customer Data or Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, sale, analysis, alignment or combination, restriction, erasure, or destruction.
“Subprocessor” means a third party subcontractor or vendor engaged by Resilinc to process Personal Data on Resilinc’s behalf and authorized as another processor under this DPA to Process Personal Data in order to provide parts of the Enterprise Services.
“Security Incident” means any confirmed accidental, unauthorized, unintended, or unlawful processing, access to, exfiltration, theft, disclosure, destruction, loss, alteration, compromise, and/or malicious infection of Customer Data Processed by Resilinc or any of its Subprocessors.
“Sell” and “Share” have the meanings given in the CCPA.
“Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914, as may be amended, superseded or replaced.
“UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.
2. DATA PROCESSING.
2.1 Role of the Parties.
- Resilinc will Process Personal Data pursuant to the Agreement for the business purpose of providing Customer with supply chain related cloud-based tools and related advisory services (defined as the Enterprise Services in the Terms) as may be further specified in an Order. Resilinc is a Processor of Personal Data and Customer is the Controller.
2.2 Subject Matter and Details of Data Processing.
The subject matter and details of the Personal Data Processing are described in Attachment 1 (Subject Matter and Details of Data Processing).
2.3 Customer Instructions.
- Customer instructs Resilinc to Process Personal Data in accordance with the Terms, including to provide the Enterprise Services. For purposes of this DPA, “providing” the Enterprise Services consists of:
- Providing the Enterprise Services’ features and functionality as described in the Documentation and as licensed, configured, and used by Customer and its Authorized Users.
- Processing Personal Data on Customer’s behalf and as further specified via any other written instructions given by Customer and acknowledged by Resilinc as constituting instructions under this DPA; and
- Securing, monitoring, and improving the Enterprise Services, including by enhancing (i) Customers’ and Authorized Users’ productivity and (ii) the Service’s reliability, performance, quality, and value.
Resilinc will not (1) Sell or Share Personal Data, (2) Process Personal Data for purposes other than the business purpose set forth herein, or (3) Process Personal Data outside its direct relationship with Customer.
Resilinc will notify Customer if it receives an instruction that Resilinc reasonably determines infringes Data Protection Laws (but Resilinc has no obligation to actively monitor Customer’s compliance with Data Protection Laws).
2.4 Confidentiality.
- Resilinc will ensure personnel who are authorized to Process Personal Data either enter into written confidentiality agreements or are subject to statutory obligations of confidentiality.
2.5 Compliance.
- Each party will comply with its obligations related to the processing of Personal Data under Data Protection Laws.
- During the Term, Resilinc will enable Customer to access, update, rectify, or restrict Processing of Personal Data via the functionality provided by Resilinc or through another process Resilinc specifies, if required by Applicable Privacy Law.
- The obligations contained in this DPA, including the Attachments, shall not restrict Resilinc in its rights and/or obligations to: (a) comply with federal, state, or local laws, or to comply with a court order or subpoena to provide information or legal holds, or (b) to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Resilinc may Process Customer Data to meet its obligations under applicable laws, subject to any notice requirements under Data Protection Laws.
2.6 Changes to Data Protection Laws and Updates.
- The Parties will work together in good faith to amend this DPA as necessary to address the requirements of Data Protection Laws. Resilinc may modify or terminate the Enterprise Services in any country or jurisdiction where there is a new or updated government requirement or obligation that (1) subjects Resilinc to any regulation or requirement, (2) presents a hardship for Resilinc to continue operating the Enterprise Services without modification, or (3) causes Resilinc to believe the DPA or the Enterprise Services may conflict with any such requirement or obligation.
3. SUBPROCESSORS.
3.1 Use of Subprocessors. Resilinc may hire Subprocessors to provide certain services on its behalf who have access to Customer Data. Customer authorizes Resilinc to engage such Subprocessors to Process Personal Data. This authorization constitutes Customer’s prior written consent to the subprocessing by Resilinc for the Processing of Personal Data if such consent is required under Data Protection Law or the Standard Contractual Clauses. Resilinc is responsible for the performance of its Subprocessors in meeting Resilinc’s obligations under this DPA and shall be responsible to Customer for its Subprocessors’ Processing of Personal Data.
3.2 Terms with Subprocessors. Resilinc will enter into a written agreement with each Subprocessor that (1) requires the Subprocessor to Process Personal Data in a manner that provides the same or greater data protections, including restrictions on use, as those set out in this DPA; and (2) prohibits the Subprocessor from Processing Personal Data for purposes other than delivering the services Resilinc has retained them to provide.
3.3 List of Subprocessors. Resilinc makes available information about Subprocessors at https://www.resilinc.com/subprocessors/ (the “Subprocessor List”). Resilinc may update the Subprocessor List from time to time. At least 30 days before any new Subprocessor Processes any Personal Data, Resilinc will add such Subprocessor to the Subprocessor List and notify Customer through email or other means specified.
3.4 Objection to New Subprocessors.
- If, within 15 days after notice of a new Subprocessor, Customer notifies Resilinc in writing that Customer objects to Resilinc’s appointment of such new Subprocessor based on reasonable data protection concerns, the Parties will discuss such concerns in good faith.
- If the Parties are unable to reach a mutually agreeable resolution to Customer’s objection to a new Subprocessor, Customer, as its sole and exclusive remedy, may terminate the Order for the affected Enterprise Service for convenience and Resilinc will refund any prepaid, unused fees for the terminated portion of the Subscription Term.
4. DATA SECURITY MEASURES & SECURITY INCIDENTS.
4.1 Resilinc Security Measures.
Resilinc will implement and maintain technical, organizational, and physical measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access as described in Attachment 2 (Security Measures) (the “Security Measures”). The Security Measures include policies, practices, and procedures to help ensure the ongoing confidentiality, integrity, availability, and resilience of the Resilinc systems involved in the Processing of Customer Data. Resilinc may evaluate and update the Security Measures from time to time provided that such updates do not result in a material reduction in the security of the Enterprise Services.
4.2 Compliance Certifications.
- Resilinc will maintain the following certificates to verify the continued effectiveness of the Security Measures:
- Certificates for ISO 27001; and
- SOC 2 report produced by Resilinc’s third-party auditor and updated annually based on an audit performed at least once every 12 months (together, the “Audit Program”).
Resilinc may add standards or compliance certifications or replace a standard or compliance certification with an equivalent or enhanced alternative, at any time.
4.3 Customer Assessment.
- Customer agrees that the Enterprise Services and Security Measures, and Resilinc’s commitments under this DPA, provide a level of security appropriate to the risk to Customer Data (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Data as well as the risks to individuals).
4.4 Access and Compliance.
- Resilinc will authorize its employees, contractors and Subprocessors to Process Customer Data only as strictly necessary to comply with Customer’s instructions and provide the Enterprise Services. Resilinc will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors, and Subprocessors in their Processing of Customer Data.
- During the Term, Resilinc will enable Customer to access, update, rectify, or restrict the Processing of Customer Data via the functionality provided by Resilinc or through another process Resilinc specifies, if required by Applicable Privacy Law.
4.5 Security Incident Notice and Response.
- Resilinc will implement and follow procedures to detect and respond to Security Incidents.
- Resilinc will: (i) notify Customer promptly and without undue delay after becoming aware of a Security Incident and (ii) promptly make reasonable efforts to minimize harm and secure Customer Data. Resilinc’s Security Incident notification will describe:
- the nature of the Security Incident, including how Customer Data or other Customer related materials are impacted;
- Resilinc’s response and the measures Resilinc recommends Customer take, if any, to address the Security Incident; and
- Point of contact information for Resilinc who Customer can contact for more information.
- If it is not possible to provide all information at the same time, Resilinc’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.
- Upon Customer’s request, taking into account the nature of the applicable Processing, Resilinc will assist Customer by providing, when available, information reasonably necessary for Customer to meet its notification obligations under Data Protection Laws.
4.6 Customer Responsibilities.
- Customer is responsible for (1) reviewing the information made available by Resilinc relating to the security of the Enterprise Services and making an independent determination as to whether the Enterprise Services meet Customer’s requirements and legal obligations under Data Protection Laws, (2) securing its Resilinc authentication credentials, as well as the devices and software Customer chooses to use to access the Enterprise Services, and (3) backing up or retaining copies of its Customer Data, as appropriate.
- Customer must notify Resilinc promptly about any possible misuse of its Resilinc accounts or authentication credentials or any security incident related to the Enterprise Services.
- Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any obligations to give notices to government authorities, affected individuals, or others relating to any Security Incidents.
4.7 Cooperation.
- To the extent Data Protection Laws require Resilinc to collect and maintain records of certain information relating to Customer, Customer will, where requested, supply such information to Resilinc and keep it accurate and up to date. Resilinc may make any such information available to the supervisory authority, state attorney general, or other authority if required by Data Protection Laws.
- Resilinc will keep records of its Processing of Personal Data in compliance with Data Protection Laws and, upon Customer’s request, make available to Customer any records reasonably necessary to demonstrate compliance with Resilinc’s obligations under this DPA and Data Protection Laws.
- Resilinc agrees to provide all reasonable assistance to Customer in completing any data protection impact assessments or consultations with government authorities pursuant to Data Protection Laws.
- Resilinc will notify Customer if Resilinc determines it or its Subprocessors cannot meet its obligations under the Data Protection Laws, in which case Customer may, upon thirty (30) days’ notice, take reasonable and appropriate steps to stop and remediate unauthorized Processing of Customer Data.
- Both Parties will assist the other in communicating and cooperating with any regulators relating to Personal Data processed under this DPA. The Parties shall notify each other of all inquiries from an authority that relate to the Processing of Personal Data under this DPA, unless prohibited from doing so by law or by the regulator.
5. DATA SUBJECT REQUESTS.
5.1 Assisting Customer. Upon Customer’s request and taking into account the nature of the applicable Processing, Resilinc will assist Customer by appropriate technical and organizational measures, insofar as possible, in complying with Customer’s obligations under Data Protection Laws to respond to requests from individuals to exercise their rights under Data Protection Laws, provided that Customer cannot reasonably fulfill such requests independently (including through use of the Enterprise Service features and functionality).
5.2 Data Subject Requests. If Resilinc receives a request from a Data Subject in relation to the Data Subject’s Personal Data, Resilinc will advise the Data Subject to submit the request to Customer (but not otherwise communicate with the Data Subject regarding the request except as may be required by Data Protection Laws), and Customer will be responsible for responding to any such request.
6. DATA EXPORT OR DELETION.
6.1 During Subscription Term. During the Term, Customer may, through the features of the Enterprise Service or such other means specified by Resilinc, access, export, return to itself, or delete Customer Data.
6.2 Post Termination.
- Following termination or expiration of the Terms, Resilinc will, in accordance with its obligations under the Terms, delete all Customer Data from Resilinc’s systems and instruct its Subprocessors to do the same.
- Deletion will be in accordance with industry-standard secure deletion practices. Resilinc will issue a certificate of deletion upon Customer’s written request.
- Notwithstanding the foregoing, Resilinc may retain Customer Data: (i) as required by Data Protection Laws or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Resilinc will (a) maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Customer Data and (b) not further Process retained Customer Data except for such purpose(s) and duration specified in such applicable Data Protection Laws.
7. AUDITS.
7.1 Third-Party Compliance Program. Resilinc will make summary copies of audit reports and related artifacts (“Audit Reports”) that it produces as part of its Audit Program available to Customer upon Customer’s written request at reasonable intervals. The Audit Reports shall constitute Confidential Information of the Parties under the Terms. Customer may use the Audit Reports only for the purposes of meeting its obligations under Data Protection Laws and monitoring Resilinc’s compliance with the requirements of this DPA.
- Customer may share a copy of the Audit Reports with relevant government authorities as required upon their request.
- Customer agrees that any audit rights granted by Data Protection Laws will be satisfied by the Audit Reports and the procedures described below.
7.2 Customer Audit.
- Subject to the terms of this Section 7, Customer has the right, at Customer’s expense, to conduct an audit of reasonable scope and duration pursuant to a mutually agreed-upon audit plan with Resilinc that is consistent with the Audit Parameters (an “Audit”).
- Customer may conduct an Audit: (i) only to the extent Resilinc’s provision of the Audit Reports to Customer does not provide sufficient information for Customer to verify Resilinc’s compliance with this DPA or the Parties’ compliance with Data Protection Laws, (ii) as necessary for Customer to respond to a government authority audit, or (iii) in connection with a Security Incident.
- Each Audit must conform to the following parameters (“Audit Parameters”): (i) be conducted by an independent third party that will enter into a confidentiality agreement with Resilinc, (ii) be limited in scope to matters reasonably required for Customer to assess Resilinc’s compliance with this DPA and the Parties’ compliance with Data Protection Laws, (iii) occur at a mutually agreed date and time and only during Resilinc’s regular business hours, (iv) occur no more than once annually (unless required under Data Protection Laws or in connection with a Security Incident), (v) cover only facilities controlled by Resilinc, (vi) restrict findings to Customer Data only, and (vii) treat any results as Resilinc Confidential Information under the Terms to the fullest extent permitted by Data Protection Laws. Nothing in this Section 7 shall require Resilinc to breach any duties of confidentiality owed to any of its customers or employees.
8. LOCATION OF PERSONAL DATA AND DATA TRANSFERS.
8.1 Location of Personal Data. Resilinc and its Subprocessors Process Personal Data in the United States and other countries where we operate as necessary to provide the Enterprise Services. Resilinc does not control or limit the regions from which Customer or Authorized Users may access or move Personal Data.
8.2 Data Transfers.
- Resilinc will not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) (i) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for European Data; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws; or (iii) to a recipient that has executed the Standard Contractual Clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.
- You acknowledge that in connection with providing the Enterprise Services, Resilinc is a recipient of European Data in the United States or other countries that European data protection authorities deem ‘inadequate’ in terms of data protection rights and standards. To the extent that Resilinc receives European Data in the United States or other such countries, Resilinc will comply with the following:
- Data Privacy Framework. Resilinc will use the EU-U.S. and Swiss-U.S. Data Privacy Frameworks, as well as the UK Extension to the EU-U.S. Data Privacy Framework, to lawfully receive such European Data in the United States; ensure that it provides at least the same level of protection to such European Data as is required by the Data Privacy Frameworks; and let Customer know if it is unable to comply with this requirement.
- Standard Contractual Clauses. If European Data Protection Laws require that other safeguards are put in place (for example, if the Data Privacy Framework does not cover the transfer of European Data to Resilinc to the U.S., the Data Privacy Framework is invalidated, or the transfer of European Data is to another country), the Standard Contractual Clauses will be incorporated by reference and form part of the Terms as follows:
- In relation to European Data subject to the GDPR (i) Customer is the “data exporter” and Resilinc is the “data importer”; (ii) the Module Two terms apply as the Customer is a Controller of European Data; (iii) in Clause 7, the optional docking clause applies; (iv) in Clause 9, Option 2 applies and changes to Subprocessors will be notified in accordance with the Subprocessors Section of this DPA; (v) in Clause 11, the optional language is deleted; (vi) in Clauses 17 and 18, the Parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be the Republic of Ireland (without reference to conflicts of law principles); (vii) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; (viii) the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR; and (ix) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.
- In relation to European Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with subsection above and the following modifications (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Terms; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA and Table 4 will be deemed completed by selecting “neither party”; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
- In relation to European Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with the subsection related to the EU GDPR just above and the following modifications (i) references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA; (ii) references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and (iii) references to the “competent supervisory authority” and “competent courts” will be replaced with the “Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.
- You agree that by complying with our obligations under the Subprocessors’ Section of this DPA, Resilinc fulfills its obligations under Section 9 of the Standard Contractual Clauses. For the purposes of Clause 9(c) of the Standard Contractual Clauses, you acknowledge that we may be restricted from disclosing Subprocessor agreements but we will use reasonable efforts to require any Subprocessor we appoint to permit it to disclose the Subprocessor agreement to you and will provide (on a confidential basis) all information we reasonably can. You also acknowledge and agree that you will exercise your audit rights under Clause 8.9 of the Standard Contractual Clauses by instructing us to comply with the measures described in the Audits section of this DPA.
8.3 Alternative Transfer Mechanism. In the event that Resilinc is required to adopt an alternative transfer mechanism for European Data, in addition to or other than the mechanisms described in the sub-sections just above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this DPA (but only to the extent such alternative transfer mechanism complies with European Data Protection Laws), and you agree to execute such other documents or take such action as may be reasonably necessary to give legal effect to such alternative transfer mechanism.
ANNEX 1
SUBJECT MATTER AND DETAILS OF DATA PROCESSING
The subject matter and details of the Processing of Personal Data to be carried out under the Terms are as follows:
Types of Personal Data Processed and Transferred
Resilinc acknowledges that, depending on Customer’s use of the Enterprise Services, Customer may elect to include Personal Data from any of the following categories:
- Basic personal data and contact information (e.g. name, email address, mailing address, social media identifiers, mobile phone number), including basic personal data about employees, suppliers, agents, affiliates, and customers.
- Authentication data (e.g., username, password, or PIN code).
- Unique identification numbers and signatures (e.g., supplier account number, supplier tax id, employee number, unique online identifiers).
- Financial and insurance information (e.g., insurance number, bank account name and number, credit card name and number, invoice number, type of assurance, payment behaviour, creditworthiness).
- Commercial Information (e.g., history of transactions or purchases, subscription information, payment history).
- Citizenship and residency information (e.g., citizenship, naturalization status, marital status, nationality, immigration status, passport data, details of residency or work permit); and
- Any other personal data identified in Article 4 of the GDPR.
Categories of Data Subjects Whose Personal Data Is Processed and Transferred
Data subjects include the Customer’s employees, suppliers, agents, affiliates, and customers. Resilinc acknowledges that, depending on Customer’s use of the Enterprise Services, Customer may elect to include personal data from any types of data subjects:
- Customers’ employees, representatives, contractors, and temporary workers (current, former, prospective).
- Customer’s collaborators, suppliers, contact persons (natural persons), or contractors (current, prospective, former).
- Partners, stakeholders, affiliates, prospects, or individuals who actively or passively collaborate, communicate, engage, or otherwise interact with Customer; and
- Employees, representatives, contractors, and temporary workers of any of the above.
ANNEX II
SECURITY MEASURES
Resilinc has developed, implemented, and maintained policies, procedures, and technical, organizational, and physical measures relating to the topics indicated below to protect personal data:
- Acceptable use
- Access controls
- Anonymization, pseudonymization, and/or aggregation of Personal Data
- Application security
- Asset management
- Audit trails
- Business continuity and disaster recovery
- Change management
- Consent for Processing Personal Data
- Controlled use of administrator accounts
- Data classification
- Data inventory or register
- Data minimization
- Data retention and deletion
- Data security and privacy training
- Data subject rights
- De-identified data
- Encryption
- Endpoint device security
- Handling data privacy requests
- Incident response
- Information governance and risk management
- Information security
- Inventory of hardware and software assets
- Legal basis for processing
- Mobile device use
- Passwords
- Patch management
- Personal data handling
- Physical security
- Privacy by design
- Privacy notice
- Purpose limitation
- Remote access
- Risk assessments for data security and privacy
- Risk management
- Secure development
- Sensitive information handling
- Technical data security measures
- Threat management
- Use of personal data in direct marketing
- User ID controls
- Wireless access controls
- Written Information Security Policy
- Vendor diligence and management
- Vulnerability management