Data Processing agreement

Last updated April 1, 2025

This Data Processing Agreement (“DPA”) forms an integral part of the Pylon Terms of Service (“Terms”) between the party named as “Customer” in the Terms (“Customer” or “Controller”) and Pylon Labs, Inc. (“Company” or “Processor”) and sets out the parties’ respective obligations when Customer personal data is processed by Company in relation to the Services performed by Company on Customer’s behalf pursuant to the Terms. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose personal data is processed. This DPA will be effective from the date on which the authorized signatories of the parties sign the Order Form.

The parties hereby agree as follows:

1.  Definitions and Interpretation

  1. Capitalized terms and expressions used in this DPA shall have the following meaning. Any capitalized term used but not defined in this DPA has the meaning ascribed to it in the Terms.
    1. “DPA” means this Data Processing Agreement and all Schedules attached hereto;
    2. “Customer Personal Data” means any Personal Data processed by Company on behalf of Customer pursuant to or in connection with the Terms;
    3. “Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction where Services are provided relating to the use or processing of Personal Data, which may include depending on the circumstances (but is not limited to): (i) the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 (“CCPA”); (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); (iii) the UK Data Protection Act 2018 and the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) (together with the EU GDPR, collectively, the “GDPR”); and (iii) the Swiss Federal Act on Data Protection (“FADP”); in each case, as updated, amended or replaced from time to time;
    4. “EEA” means the European Economic Area;
    5. “Restricted Transfer” means: (i) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner;
    6. “EU SCCs” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).
    7. “ex-UK Transfer” means the transfer of Personal Data covered by Chapter V of the UK GDPR, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
    8. “Standard Contractual Clauses” means the EU SCCs and the UK SCCs.
    9. “UK SCCs” means the EU SCCs, as amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 issued under Section 119A of the UK Data Protection Act 2018, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (the “UK Addendum”) and incorporated by reference to this DPA.
    10. “Personal Data” or “personal data” or “personal information” means any information, including personal information, relating to an identified or identifiable natural person (“data subject”) or as defined in and subject to Data Protection Laws.
    11. “Personal Data Breach” means a breach of security of Company or its Sub-Processors leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Company’s possession, custody or control. Personal Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
    12. “Sub-Processor” means (a) Company, when Company is processing Customer Personal Data and where Customer is itself a processor of such Customer Personal Data, or (b) any third-party Processor engaged by Company to assist in fulfilling Company’s obligations under the Terms and which processes Customer Personal Data. Sub-Processors may include third parties or Company’s affiliates, but shall exclude Company employees, contractors or consultants.
  2. The terms, “Business”, “Commission”, “Controller”, “Data Subject”, “Member State”, “Processor”, “Processing”, “Service Provider”, “Supervisory Authority” shall have the same meaning ascribed by relevant Data Protection Laws.

2. Applicability and Scope

  1. Applicability. This DPA will apply only to the extent that Company processes, on behalf of Customer, Personal Data to which applicable Data Protection Laws apply.
  2. Scope. The subject matter of the data processing is the provision of the Services, and the processing will be carried out for the duration of the Terms. Exhibit A sets out the nature and purposes of the processing, the types of Personal Data Company processes and the categories of data subjects whose Personal Data is processed.

3. Processing of Customer Personal Data

  1. Customer appoints Company as a Processor to process Customer Personal Data on behalf of, and in accordance with, Customer’s instructions (a) as set forth in the Terms, this DPA and as otherwise necessary to provide the Services to Customer (which may include investigating attempted or confirmed security breaches, and detecting and preventing exploits or abuse); (b) as necessary to comply with applicable law, including Data Protection Laws; and (c) as otherwise agreed in writing between the Parties (“Permitted Purposes”).
  2. Customer shall, in its use of the Services, at all times provide and/or process Personal Data, and provide instructions to Company for the processing of such Personal Data, in compliance with Data Protection Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause Company to be in breach of the Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Company by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Company regarding the processing of such Personal Data. Customer shall not provide or make available to Company any Personal Data in violation of the DPA or otherwise inappropriate for the nature of the Services, and shall indemnify Company from all claims and losses in connection therewith.
  3. Company shall:
    1. comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and
    2. only Process Customer Personal Data on the relevant Customer’s documented instructions.
  4. Company shall not process Personal Data for any reason other than the Permitted Purposes, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Supervisory Authority to which the Company is subject; in such a case, the Company shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, or in violation of Data Protection Laws.
  5. Following completion of the Services, Company shall delete Customer’s Personal Data, unless further storage of such Personal Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Company shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control. If Customer and Company have entered into Standard Contractual Clauses as described in Section 11 (Restricted Transfer), the parties agree that the certification of deletion of Personal Data that is described in Clause 8.1(d) and Clause 8.5 of the EU SCCs (as applicable) shall be provided by Company to Customer only upon Customer’s written request.
  6. Company shall notify Customer after Company determines that it can no longer meet its obligations under Data Protection Laws.

4. Confidentiality Obligations of Company Personnel

  1. Security Policy and Confidentiality. Company requires all employees to acknowledge in writing, at the time of hire, they will adhere to terms that are in accordance with Company’s security policy and to protect Customer Personal Data at all times. Company requires all employees to sign a confidentiality statement at the time of hire.
  2. Company will ensure that any person that it authorizes to process Customer Personal Data (including its staff, agents, and subcontractors) shall be subject to a duty of confidentiality (whether in accordance with Company’s confidentiality obligations in the Agreement or a statutory duty).
  3. Background Checks. Company conducts at its expense a criminal background investigation on all employees who are to perform material aspects of the Services under this Agreement.

5. Security

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Customer Personal Data have in place and maintain throughout the term of the Terms and this DPA appropriate technical and organizational measures designed to ensure a level of security appropriate to that risk, including, as appropriate, the measures identified in Exhibit C hereto. In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
  2. Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Service; and (c) backing up Customer Personal Data.

6. Subprocessing

  1. Customer acknowledges and agrees that Company has Customer’s general authorization to ( 1 ) engage its Affiliates and Sub-Processors to access and process Customer Personal Data solely in connection with the Services including the Permitted Purposes and ( 2 ) from time to time engage additional Sub-Processors for the purpose of providing the Services, including without limitation the processing of Customer Personal Data.
  2. A list of Company’s current Sub-Processors (the “List”) is available to Customer at https://usepylon.com/subprocessors. Such List may be updated by Company from time to time. Upon request, Company will provide a mechanism to subscribe to notifications (which may include but are not limited to email and Slack notifications) of changes or additions to the Sub-Processors on the List and Customer, if it wishes, will subscribe to such notifications. If Customer does not subscribe to such notifications, Customer waives any right it may have to receive prior notice of changes to the List. At least ten (10) days before enabling any change or addition to the Sub-Processors authorized by Company to perform Services under the Terms and this DPA, Company will make such change to the List and notify all subscribers to the List, including Customer if subscribed, via the aforementioned notification channels. Customer may object to such a change by informing Company in writing within fourteen (14) days of receipt of the aforementioned notice from Company, provided such objection is in writing and based on reasonable grounds relating to the protection of Customer Personal Data pursuant to the terms of this DPA. Customer acknowledges that certain Sub-Processors are essential to providing the Services and that objecting to the use of such a Sub-Processor may prevent Company from offering the Services to Customer.
  3. If Customer reasonably objects to an engagement in accordance with Section 6.2, and Company cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Company. Discontinuation shall not relieve Customer of any fees owed to Company under the Terms.
  4. If Customer does not object to a Sub-Processor change or addition in accordance with Section 6.2 within the applicable notice period, such Sub-Processor change or addition shall be deemed accepted by Customer for the purposes of this DPA.
  5. Company will enter into a written agreement with all Sub-Processors imposing on them Sub-Processor data protection obligations comparable to those imposed on Company under this DPA with respect to the protection of Customer Personal Data. Company shall remain responsible for the acts and omissions of its Sub-Processors as if they were the acts and/or omissions of Company hereunder.
  6. If Customer and Company have entered into Standard Contractual Clauses as described in Section 12 (Transfers of Personal Data), (i) the above authorizations will constitute Customer’s prior written consent to the subcontracting by Company of the processing of Customer Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the parties agree that the copies of the agreements with Sub-Processors that must be provided by Company to Customer pursuant to Clause 9(c) of the EU SCCs may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by the Company beforehand, and that such copies will be provided by the Company only upon written request from Customer.

7. Data Subject Rights

  1. Taking into account the nature of the Processing, Processor shall reasonably assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
  2. Processor shall:
    1. promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
    2. ensure that it does not respond to a request from a Data Subject identified as an individual connected to Customer Personal Data except on the documented instructions of Controller or as required by Data Protection Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Data Protection Laws inform Controller of that legal requirement before the Processor responds to the request.

8. Personal Data Breach

  1. Processor shall notify Controller within 72 hours upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
  2. Processor shall cooperate with the Controller and take reasonable commercial steps as directed by Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Processor.

10. Deletion or return of Customer Personal Data

  1. Subject to Section 10, Processor shall promptly and in any event within 30 business days of the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Customer Personal Data.

11. Audit Rights

  1. Subject to the requirements of this section, Processor shall make available to Controller on written request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to reasonable requests for audits, including inspections, by the Customer or a third-party auditor retained by the Customer in relation to the Processing of the Customer Personal Data by the Processor.
  2. All audits requested hereunder shall be (a) carried out at Customer’s sole cost and expense, (b) mutual agreement as to the details of the audit including a reasonable start date, scope and duration of such audit, (c) subject to Company’s security and confidentiality terms and guidelines, and (d) may only be performed a maximum of once annually (with exception for a Personal Data Breach). All third-party auditors must be approved by Company in writing in advance.

12. Restricted Transfer

  1. The parties agree that Company may transfer Personal Data processed under this DPA outside the EEA, the UK, or Switzerland as necessary to provide the Services. Customer acknowledges that Company’s primary processing operations take place in the United States, and that the transfer of Customer’s Personal Data to the United States is necessary for the provision of the Services to Customer. If Company transfers Personal Data protected under this DPA to a jurisdiction for which the European Commission has not issued an adequacy decision, Company will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.
  2. The parties agree that Restricted Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
    1. Module One (Controller to Controller) of the EU SCCs apply when both Company and Customer are processing Personal Data as a Controller.
    2. Module Two (Controller to Processor) of the EU SCCs apply when Customer is a Controller and Company is a Processor to Customer.
    3. Module Three (Processor to Sub-Processor) of the EU SCCs apply when Customer is a Processor and Company is a Sub-processor to Customer.
  3. For each module, where applicable, the following applies:
    1. In Clause 7, the optional docking clause does not apply.
    2. In Clause 9, Option 2 (general written authorization) applies, and the time period for notice is set forth in Section 6 (Sub-processing);
    3. In Clause 11, the optional language does not apply;
    4. All square brackets in Clause 13 are hereby removed;
    5. In Clause 17 (Option 1), the EU SCCs will be governed by the laws of the Republic of Ireland.
    6. In Clause 18(b), disputes will be resolved before the courts of Ireland;
    7. Exhibit B to this DPA contains the information required in Annex I and Annex III of the EU SCCs;
    8. Exhibit C to this DPA contains the information required in Annex II of the EU SCCs; and
    9. By entering into this DPA, the parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.
  4. Ex-UK Transfers. The parties agree that ex-UK Transfers are made pursuant to the UK SCCs, which are deemed entered into and incorporated into this DPA by reference, and amended and completed in accordance with the UK Addendum, which is incorporated herein as Exhibit D of this DPA.
  5. Transfers from Switzerland. The parties agree that transfers of Customer Personal Data from Switzerland are made pursuant to the EU SCCs with the following modifications:
    1. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP.
    2. The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.
    3. Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the EU GDPR. Subject to the foregoing, all other requirements of Clause 13 shall be observed.
    4. The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.
  6. Supplementary Measures. In respect of any Restricted Transfer or ex-UK Transfer, the following supplementary measures shall apply:
    1. As of the date of this DPA, the Processor has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Customer Personal Data is being exported, for access to (or for copies of) Customer’s Personal Data (“Government Agency Requests”);
    2. If, after the date of this DPA, the Processor receives any Government Agency Requests, it shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. As part of this effort, Company may provide Customer’s basic contact information to the government agency. If compelled to disclose Customer’s Personal Data to a law enforcement or government agency, Company shall give Customer reasonable notice of the demand and cooperate to allow Customer to seek a protective order or other appropriate remedy unless Company is legally prohibited from doing so. Company shall not voluntarily disclose Customer Personal Data to any law enforcement or government agency. Customer and Company shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Customer Personal Data pursuant to this DPA should be suspended in the light of the such Government Agency Requests; and
    3. The Customer and Company will meet as needed to consider whether:
      1. the protection afforded by the laws of the country of the Processor to data subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be;
      2. additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Laws; and
      3. it is still appropriate for Personal Data to be transferred to the relevant Processor, taking into account all relevant information available to the parties, together with guidance provided by the supervisory authorities.
    4. To the extent that Company adopts an alternative data transfer mechanism (including any new version of or successor to the SCCs adopted pursuant to Data Protection Laws), (“Alternative Transfer Mechanism”) the Alternative Transfer Mechanism shall upon written notice to Customer and an opportunity to object, apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Data Protection Legislation applicable to the EEA and extends to territories to which Customer Personal Data is transferred).

13. No Sale or Sharing

To the extent that the processing of Customer Personal Data is subject to U.S. data protection laws, Company is prohibited from: (a) selling Customer Personal Data or otherwise making Customer Personal Data available to any third party for monetary or other valuable consideration; (b) sharing Customer Personal Data with any third party for cross-behavioral advertising; (c) retaining, using, or disclosing Customer Personal Data for any purpose other than for the business purposes specified in this DPA or as otherwise permitted by U.S. data protection laws; (d) retaining, using or disclosing Customer Personal Data outside of the direct business relationship between the parties, and; (e) except as otherwise permitted by U.S. data protection laws, combining Customer Personal Data with personal data that Company receives from or on behalf of another person or persons, or collects from its own interaction with the data subject. Company will notify Customer promptly if it makes the determination that it can no longer meet its obligations under applicable U.S. data protection laws.

14. General Terms

  1. Confidentiality. Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA and the Terms (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain.
  2. Notices. All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post, sent by email, or sent by Slack to the address or email address as notified from time to time by the Parties in writing.
  3. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Terms.
  4. Notwithstanding anything in the Terms or any order form entered in connection therewith, the parties acknowledge and agree that Company’s access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Services.
  5. In no event shall this DPA benefit or create any right or cause of action on behalf of a third party (including a Third-Party Controller), but without prejudice to the rights or remedies available to Data Subjects under Data Protection Laws or this DPA (including the SCCs).

EXHIBIT A

Details of Processing

Nature and Purpose of Processing: Company will Process Customer Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer’s instructions as set forth in this DPA. The nature of Processing includes, without limitation:

  • Receiving data, including collection, accessing, retrieval, recording, and data entry
  • Protecting data, including restricting, encrypting, and security testing
  • Holding data, including storage, organization, and structuring
  • Erasing data, including destruction and deletion
  • Analyzing data, including product usage assessment
  • Sharing data, including disclosure to subprocessors as permitted in this DPA

Duration of Processing: Company will Process Customer Personal Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for Company’s legitimate business needs; or (iii) by applicable law or regulation. 

Frequency of the transfer: Continuous.

Categories of Data Subjects: Data Subjects include the individuals whose Customer Personal Data is provided to Company through the Services by or at the direction of Customer or by any employee or end user of Customer which may include, but is not limited to Personal Data relating to users, employees, contractors, agents, vendors, customers, visitors, and such other individuals whose Personal Data may be submitted to the Services; the extent of which is determined and controlled by Customer in its sole discretion depending on its use of the Services.

Categories of Personal Data: Personal Data relating to individuals provided to Company via the Services, by or at the direction of Customer which may include, but is not limited to the following categories of Personal Data: name, email, job title, Slack username, and communication data; the extent of which is determined and controlled by Customer in its sole discretion depending on its use of the Services.

EXHIBIT B

The following includes the information required by Annex I and Annex III of the EU SCCs, and Table 1, Annex 1A, and Annex 1B of the UK Addendum. 

1. The Parties

Data exporter(s):

Name: The party named as “Customer” in the Terms.

Address: The address for Customer associated with its Company account or as otherwise specified in the Order Form or Terms.

Contact person’s name, position and contact details: The contact details for Customer associated with its Company account or as otherwise specified in the Order Form or Terms.

Activities relevant to the data transferred under these Clauses: As described in Section 2 of the DPA.

Signature and date: By using the Services to transfer Customer Personal Data to Company located in a non-adequate country, the data exporter will be deemed to have signed this Exhibit B.

Role (controller/processor): Controller

Data importer(s):

Name: Pylon Labs, Inc.

Address and contact information: 690 5th Street, San Francisco, CA 94107; security@usepylon.com

Activities relevant to the data transferred under these Clauses: As described in Section 2 of the DPA.

Signature and date: By transferring Customer Personal Data to a non-adequate country on Customer’s instructions, the data importer will be deemed to have signed this Exhibit B.

Role (controller/processor): Processor

2. Description of the Transfer

Data Subjects As described in Exhibit A of the DPA
Categories of Personal Data As described in Exhibit A of the DPA
Special Category Personal Data (if applicable) As described in Exhibit A of the DPA
Nature of the Processing As described in Exhibit A of the DPA
Purposes of Processing As described in Exhibit A of the DPA
Duration of Processing and Retention (or the criteria to determine such period) As described in Exhibit A of the DPA
Frequency of the transfer As described in Exhibit A of the DPA
Recipients of Personal Data Transferred to the Data Importer Company maintains a list of Subprocessors at: https://usepylon.com/subprocessors

3. Competent Supervisory Authority

The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13 of the EU SCCs. The supervisory authority for the purposes of the UK Addendum shall be the UK Information Commissioner’s Office. You can find their contact information at https://usepylon.com/privacy

EXHIBIT C

Description of the Technical and Organizational Security Measures implemented by the Data Importer.

The following includes the information required by Annex II of the EU SCCs and Annex II of the UK Addendum. 

Technical and Organizational Security Measure Details
Measures of pseudonymisation and encryption of personal data Company has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Databases housing sensitive Customer Data are encrypted at rest. Company uses only recommended secure cipher suites and protocols to encrypt all traffic in transit and Customer Data is securely encrypted with strong ciphers and configurations when at rest.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services Company’s customer agreements contain strict confidentiality obligations. Additionally, Company requires every downstream Subprocessor to sign confidentiality provisions that are substantially similar to those contained in Company’s customer agreements.

Company has undergone a SOC 2 Type 2 audit that includes the Security and Processing Integrity Trust Service Criteria.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Daily, weekly and monthly backups of production datastores are taken.

Backups are periodically tested in accordance with information security and data management policies.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing Company has undergone a SOC 2 Type 2 audit that includes the Security and Processing Integrity Trust Service Criteria.
Measures for user identification and authorization. Company uses secure access protocols and processes and follows industry best-practices for authentication, including Multifactor Authentication and Single Sign On (SSO). All production access requires the use of two-factor authentication, and network infrastructure is securely configured to vendor and industry best practices to block all unnecessary ports, services, and unauthorized network traffic.
Measures for the protection of data during transmission Company has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Company uses only recommended secure cipher suites and protocols to encrypt all traffic in transit (i.e. TLS 1.2)
Measures for the protection of data during storage Encryption-at-rest is automated using AWS’s transparent disk encryption, which uses industry standard AES-256 encryption to secure all volume (disk) data. All keys are fully managed by AWS.
Measures for ensuring physical security of locations at which personal data are processed All Company processing occurs in physical data centers that are managed by AWS. https://aws.amazon.com/compliance/data-center/controls/
Measures for ensuring events logging Company monitors access to applications, tools, and resources that process or store Customer Data, including cloud services. Monitoring of security logs is managed by the security and engineering teams. Log activities are investigated when necessary and escalated appropriately.
Measures for ensuring system configuration, including default configuration Company adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems. All production changes are automated through CI/CD tools to ensure consistent configurations.
Measures for internal IT and IT security governance and management Company maintains an ISO 27001-compliant risk-based information security governance program. The framework for Company’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data.
Measures for certification/assurance of processes and products Company undergoes annual SOC 2 Type II and ISO 27001 audits.
Measures for ensuring data minimization Company’s customers unilaterally determine what data they route through the Services. As such, Company operates on a shared responsibility model. Company gives customers control over exactly what data enters the platform. Additionally, Company has built in self-service functionality to the Services that allows customers to delete and suppress data at their discretion.
Measures for ensuring data quality Company has a multi-tiered approach for ensuring data quality. These measures include: (i) unit testing to ensure quality of logic used to process API calls, (ii) database schema validation rules which execute against data before it is saved to our database, (iii) a schema-first API design using GraphQL and strong typing to enforce a strict contract between official clients and API resolvers. Company applies these measures across the board, both to ensure the quality of any usage data that Company collects and to ensure that the Company platform is operating within expected parameters.

Company ensures that data quality is maintained from the time a Customer sends Customer Data into the Services and until that Customer Data is presented or exported.
Measures for ensuring limited data retention Customers unilaterally determine what data they route through the Services. As such, Company operates on a shared responsibility model. If a customer is unable to delete Personal Data via the self-services functionality of the Services, then the Company deletes such Personal Data upon the customer's written request, within the timeframe specified in this DPA and in accordance with Data Protection Laws. All Personal Data is deleted from the Services following service termination.
Measures for ensuring accountability Company has adopted measures for ensuring accountability, such as implementing data protection and information security policies across the business, recording and reporting Personal Data Breaches, and formally assigning roles and responsibilities for information security and data privacy functions. Additionally, the Company conducts regular third-party audits to ensure compliance with our privacy and security standards.
Measures for allowing data portability and ensuring erasure Personal Data submitted to the Services by a customer may be deleted by the customer or upon the customer’s written request.

Personal Data is incidental to the Company’s Services. Based on Privacy by Design and Data Minimization principles, Company severely limits the instances of Personal Data collection and processing within the Services. Most use cases for porting Personal Data from Company are not applicable.
Technical and organizational measures of sub-processors The Company enters into Data Processing Agreements with its Authorized Sub-Processors with data protection obligations substantially similar to those contained in this DPA.

EXHIBIT C

UK Addendum

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

Table 1: Parties

Start Date This UK Addendum shall have the same effective date as the DPA
The Parties Exporter Importer
Parties’ Details Customer Company
Key Contact See Exhibit B of this DPA See Exhibit B of this DPA

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs The version of the Approved EU SCCs which this UK Addendum is appended to as defined in and completed in the DPA.

Table 3: Appendix Information

Annex 1A: List of Parties As per Table 1 above
Annex 2B: Description of Transfer See Exhibit B of this DPA
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Exhibit C of this DPA
Annex III: List of Sub processors (Modules 2 and 3 only): See Exhibit B of this DPA

Table 4: Ending this UK Addendum when the Approved UK Addendum Changes

Ending this UK Addendum when the Approved UK Addendum changes
Which Parties may end this Addendum as set out in Section 19
x   Importer
x   Exporter
□   Neither Party
Ending this UK Addendum when the Approved UK Addendum changes

Want faster, smarter customer support?

See how Pylon cuts the busywork and brings your support teams into one place.