Last updated: August 31, 2022
This Data Processing Addendum (“DPA”) supplements the SaaS Terms of Service or the SaaS Services Agreement, as applicable, entered into between Trovata, Inc. (“Trovata”) and Client (collectively with its affiliates and subsidiaries worldwide, “Client”) and making reference to this DPA (such SaaS Terms of Service or SaaS Services Agreement, as applicable, the “Agreement”) and the terms of this DPA are incorporated by reference therein.
This DPA shall apply to Trovata’s Processing of Personal Data in connection with the Services as described in the Agreement or the applicable Order Form.
In this DPA, the following terms shall have the meanings set out below and their cognate terms shall be construed accordingly:
- 1.1. Client Data means the data Processed by Trovata, including any Client Content, in connection with the provision of the Services as described in the Agreement.
- 1.2. Data Breach means (i) any unauthorized interference with the availability of, or any unauthorized, unlawful or accidental access or damage to or loss, misuse, destruction, alteration, acquisition, disclosure of, Client Data or any other unauthorized Processing of Personal Data that may adversely affect the privacy or security of individuals or Client Data; or (ii) as otherwise defined under applicable Data Protection Laws. Data Breach does not include unsuccessful attempts or activities that do not compromise the confidentiality, availability, or integrity of Client Data or Confidential Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other similar incidents.
- 1.3. Data Protection Laws means all applicable local, state, federal, or international laws, regulations, or treaties relating to the privacy, security, or protection of Personal Data, as may be defined in such laws, including, the European Area Law, the California Consumer Protection Act (“CCPA”), and any subsequent supplements, amendments, or replacements to the same.
- 1.4. European Area means the European Union, European Economic Area, Switzerland, and the United Kingdom of Great Britain and Northern Ireland (“UK”).
- 1.5. European Area Law means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Addendums etc.) (EU Exit) Regulations 2019 (SI 2019/419) (collectively “UK Data Protection Law”); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); or (iv) any successor or amendments thereto (including without limitation implementation of GDPR by Member States into their national law), or (v) any other law relating to the data protection, security, or privacy of individuals that applies in the European Area.
- 1.6. Order Form means the applicable Order Form (as defined in the SaaS Services Agreement) or Order (as defined in the SaaS Terms of Service) entered into by the Parties.
- 1.7. Personal Data means any Client Data that relates to an identified or identifiable natural person or as otherwise defined under applicable Data Protection Laws.
- 1.8. Process, processed, or processing means the collection, receipt, recording, organization, structuring, alteration, use, transmission, access, sharing, provision, disclosure, distribution, copying, transfer, storage, management, retention, deletion, combination, restriction, summarizing, aggregation, correlation, inferring, derivation, analysis, adaptation, retrieval, consultation, destruction, disposal, or other handling of Personal Data.
- 1.9. Services means services provided by Trovata as agreed to in the Agreement or corresponding Order Form.
- 1.10. Standard Contractual Clauses or SCC’s means (i) the standard contractual clauses for international transfers published by the European Commission on June 4, 2021 governing the transfer of European Area Personal Data to Third Countries as adopted by the European Commission, the Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”) relating to data transfers to Third Countries (collectively “EU SCCs”); (ii) the international data transfer addendum (“UK Transfer Addendum”) adopted by the UK Information Commissioner’s Office (UK ICO) for data transfers from the UK to Third Countries; or (iii) any similar such clauses by a data protection regulator relating to data transfers to Third Countries, including without limitation any successor clauses thereto.
- 1.11. Third Country means countries that, where required by applicable Data Protection Laws, have not received an adequacy decision from an applicable authority relating to data transfers, including regulators such as the European Commission, UK ICO, or Swiss FDPIC relating to data transfers.
- 1.12. The terms Controller, Processor, Subprocessor, Data Subjects, Sell, and Service Provider shall have the same meaning as in the applicable Data Protection Laws, and their cognate terms shall be construed accordingly. All other capitalized terms shall have the same meaning as in the Agreement (or corresponding Order Form).
2. GENERAL DATA PROCESSING OBLIGATIONS
- 2.1. Order of Precedence. In the event of a conflict between the Agreement and this DPA, this DPA shall control. In the event of a conflict between the Agreement and/or DPA and the Standard Contractual Clauses, the SCCs shall control.
2.2. Role of Parties. The parties acknowledge and agree that with respect to processing of Personal Data, Trovata is a Processor and a Service Provider (collectively “Processor”), and Client is a Controller, except that if Client is a Processor in which case Trovata is a Subprocessor. If Client is a Processor of Personal Data, Client represents and warrants that Client’s instructions and Processing of Personal Data, including its appointment of Trovata as a Subprocessor, have been authorized by the respective Controller.
This DPA shall apply solely to the Processing of Personal Data by Trovata acting as a Processor to provide the Services.
- 2.3. Compliance with Data Protection Laws. Each party will comply with its obligations under applicable Data Protection Laws in connection with Processing of Personal Data.
- 2.4. Purpose of Processing. The purpose of Processing under this DPA is the provision of the Services pursuant to the Agreement. Exhibit 1 (Description of Processing and Transfer Details) describes the subject matter and details of the Processing of Personal Data.
2.5. Client Instructions and Restrictions on Processing. The Client instructs the following in connection with Trovata’s Processing of Personal Data:
- 2.5.1. Instruction and Direction. Trovata shall use, retain, disclose, or otherwise Process Personal Data only on behalf of Client and for the specific business purpose of providing the Services and in accordance with Client’s instructions, including as described in the Agreement. Trovata shall not Sell Personal Data, nor use, retain, disclose, or otherwise Process Personal Data outside of its business relationship with Client or for any other purpose except as required by law. Trovata will inform Client if, Trovata determines that it is no longer able to meet its obligations under Data Protection Laws or where in Trovata’s reasonable opinion, any of Client’s instructions infringes any Data Protection Laws. Client reserves the right to take reasonable and appropriate steps to discontinue and remediate unauthorized use of Personal Data.
- 2.5.2. Limitation on Use. Trovata shall have rights to use Personal Data solely (i) to the extent necessary to (a) perform its obligations under the Agreement and this DPA; (b) operate, manage, test, maintain and enhance the Services including as part of its business operations; (c) to disclose aggregate statistics about the Services in a manner that prevents individual identification or re-identification of Client, Client Data, Personal Data, including without limitation any individual device or individual person; and/or (d) protect the Services from a threat to the Services or Personal Data; or (ii) if required by court order of a court or authorized governmental agency, provided that prior notice first be given to Client unless legally prohibited; (iii) as otherwise expressly authorized by Client.
- 2.5.3. No Combination of Personal Data. Trovata will not combine Personal Data which Trovata Processes on Client’s behalf, with Personal Data which it receives from or on behalf of another person or persons, or collects from its own interaction with individual, provided that Trovata may combine personal information to perform any business purpose permitted or required under the Agreement to perform the Services.
- 2.5.4. Certification. Trovata certifies that it understands these obligations and restrictions and will comply with them.
3. CLIENT’S OBLIGATIONS
- 3.1. Client shall have sole responsibility for the accuracy, quality, and legality of Client Data and the means by which Client obtained the Client Data. Client will not provide or cause to provide any data or information that is not necessary for Trovata to provide the Services identified in the Agreement. Client is also responsible for the security and integrity of any Client’s systems from where Client Data is provided to Trovata.
- 3.2. Client understands and agrees that Client is solely responsible for its own actions and activity in connection with the Client account and that Client will keep its account passwords and login information confidential.
- 3.3. To the extent required by applicable law, Client is solely responsible for providing its end users with appropriate notice and obtaining all necessary consents or approvals for the Processing of any Personal Data as part of the Services.
4. TROVATA’S OBLIGATIONS
4.1. Data Protection Compliance Assistance.
- 4.1.1. Trovata will reasonably assist Client in complying with its obligations under the applicable Data Protection Laws, including without limitation, conducting data protection, privacy, or security risk impact assessments, and any consultations with the supervisory or regulatory authority.
- 4.1.2. Trovata shall not perform its obligations under this DPA in such a way as to breach any of its obligations under applicable Data Protection Laws.
- 4.1.3. With respect to European Area Personal Data and taking into account the nature of Processing and the information available, Trovata will assist the Client with meeting its compliance obligations under GDPR Articles 32 to 36.
4.2. Data Subject Rights.
- 4.2.1. Trovata will promptly notify Client in writing, and in any case without undue delay, if Trovata receives (i) any requests from a Data Subject, with respect to Personal Data, including individual opt-out requests, requests for access, correction, portability, and/or deletion and all similar individual rights requests; or (ii) any complaint or inquiry relating to the Processing of Personal Data, including allegations that the Processing infringes on any individual's or third party's rights. Trovata will not respond to any such request or complaint unless expressly authorized to do so by Client or is otherwise required to respond under applicable Data Protection Laws.
- 4.2.2. To the extent Client, in its use of the Services, does not have the ability to respond to a request under this Section 4, Trovata shall upon Client’s written request provide reasonable assistance to Client in responding to such request.
- 4.2.3. Trovata shall comply with any reasonable instructions given by Client regarding responding to requests under this Section 4.
- 4.3.1. Trovata will select and retain Subprocessors that have agreed by written contract to comply with terms substantially similar to those contained in this DPA to assist Trovata in performing its rights and obligations under the Agreement.
- 4.3.2. Client authorizes Trovata to use Trovata’s Subprocessors. Information about Trovata’s Subprocessors, including their functions and locations, is available at a website maintained by Trovata, the URL of which Trovata will provide to Client upon request by emailing Trovata at firstname.lastname@example.org. (the “Subprocessor Site”).
- 4.3.3. Where a Subprocessor fails to fulfil its data protection obligations, Trovata shall remain fully liable to Client for the performance of its Subprocessors obligations. Without limiting the foregoing, Trovata will develop and use reasonable steps to select and retain Subprocessors that assist Trovata in performing its obligations under the Agreement that are capable of maintaining security practices consistent with this DPA and requiring such Subprocessor to agree by written contract to comply with terms substantially similar to those contained in this DPA.
- 4.3.4. Trovata shall provide Client with reasonable advanced notice regarding any intended changes concerning the addition or replacement of any Subprocessor(s) to Process Personal Data in connection with the provision of the Services by updating the Subprocessor Site or by other written means. Client may object in writing to Trovata’s notice within ten (10) business days of receipt of such notice, provided that such objection is based on reasonable grounds relating to data protection, privacy and security of Personal Data. In case of such objection from the Client, the Parties will discuss such concerns in good faith with a view to achieving a mutually agreeable resolution. If the Parties are unable to resolve the objection within a reasonable period of time, either Party may upon written notice to the other Party terminate without penalty the applicable Order Form(s) with respect to the applicable Services which cannot be provided by Trovata without the use of the objected-to Subprocessor.
- 4.4. Confidentiality. Trovata shall ensure that all employees, agents, officers, consultants, Subprocessors and any third party authorized to Process the Personal Data or Confidential Information are subject to written confidentiality agreements or are under an appropriate statutory obligation of confidentiality.
- 4.5. Security. Trovata will implement and maintain commercially reasonable administrative, technical and physical safeguards, including procedures and practices commensurate with the level of sensitivity of the Client Data and the nature of its activities under the Agreement, to protect the security, confidentiality, availability, and integrity of such information Processed by Trovata or in its possession and control including such safeguards (a) designed to protect the security of systems upon which such information is Processed; and (b) designed to prevent a Data Breach.
4.6. Data Breach.
- 4.6.1. Breach Response. In the event Trovata discovers or learns of a Data Breach affecting Client Data, Trovata shall take appropriate and prompt steps to: (a) investigate, mitigate, and remedy the Data Breach and prevent further Data Breaches, (b) notify Client of such Data Breach without unreasonable delay, such notification to be sent to the email address of Client’s signatory to this DPA or such other email address for notices provided to Trovata by Client in accordance with the notice provisions of the Agreement; (c) furnish to Client necessary and relevant details of the Data Breach as may be available; (d) reasonably assist Client, as needed, in its investigation, mitigation, and remedying of the Data Breach; (e) provide information and reasonably assist Client, as needed, in meeting Client’s legal obligations, including any applicable legal obligations to notify individuals affected by the Data Breach; and (f) cooperate with Client in any other reasonable action, step, or proceeding as may be deemed necessary by Client in connection with the Data Breach and any dispute, inquiry or claim concerning or arising from the Data Breach.
- 4.6.2. Legal Process Notification. Unless prohibited by an applicable statute or court order, Trovata will notify Client of any third-party legal process relating to any Data Breach, including, but not limited to, any legal process initiated by any governmental entity.
- 4.7. Complaints; Regulator Communications. Trovata shall promptly notify Client if it receives or learns of: (a) any complaint, inquiry, investigation, request, or any other communication relating to an actual or alleged violation of privacy or security relating to the Services or Personal Data or relating to an individual rights request (e.g. access, correction, deletion, portability, etc.); and (b) shall provide Client with reasonable co-operation and assistance in relation to any such communication or request including by providing Client with appropriate details of any such communication, investigation of such actual or alleged violation, and information needed to further investigate such actual or alleged violation and respond to such communications or requests. Trovata shall comply with the reasonable instructions given by Client regarding responding to such communications.
5. PERSONAL DATA TRANSFERS
- 5.1. EEA Personal Data Transfers. Transfers of EU Area Personal Data by Client to Trovata or Trovata to Client in Third Countries are subject to the Standard Contractual Clauses, Module Two (“Controller to Processor”) and Module Three (“Processor to Processor”), as applicable, attached to this DPA and incorporated by reference. The information required for the purposes of the SCCs is provided in Exhibit 1 to this DPA. The Parties agree that the SCCs are incorporated into this DPA without further need for reference, incorporation, or attachment and that by executing the Agreement referencing this DPA, each party is deemed to have executed the SCCs.
5.2. Swiss Personal Data Transfers. Where the Personal Data is subject to the Swiss DPA, the SCCs above shall be read to be modified as follows as applicable:
- 5.2.1. References to “Regulation (EU) 2016/679” and any articles therefrom shall be interpreted to include references to the Swiss DPA.
- 5.2.2. References to “EU”, “Union” and “Member State” shall be interpreted to include references to “Switzerland”.
5.3 UK Personal Data Transfers. For personal data transfers subject to UK Data Protection Law and transferred in accordance with the UK Transfer Addendum, the Parties agree as follows:
- 5.3.1 Each Party agrees to be bound by the terms and conditions set out in the UK Transfer Addendum, in exchange for the other Party also agreeing to be bound by the UK Transfer Addendum.
- 5.3.2 The Standard Contractual Clauses will be interpreted in accordance with Part 2 of the UK Transfer Addendum.
- 5.3.3 Sections 9 to 11 of the UK Transfer Addendum override Clause 5 (Hierarchy) of the EU SCCs
- 5.3.4 For the purposes of Section 12 of the UK Transfer Addendum, the EU SCCs will be amended in accordance with Section 15 of the UK Transfer Addendum.
- 5.3.5 Information required by Part 1 of the UK Transfer Addendum is provided in Exhibit 1 to this DPA.
- 5.3.6 To the extent that any revised transfer addendums or mechanisms are issued by the UK ICO, the Parties agree to incorporate such revisions in accordance with Section 18-20 of the UK Transfer Addendum.
5.4. Onward Transfers. In connection with the provision of the Services to Client, Trovata may receive from or transfer and Process Personal Data to Third Countries provided that its Subprocessors take measures to adequately protect such data consistent with applicable Data Protection Laws. Such measures may include to the extent available and applicable under such laws:
- 5.4.1. Adequacy. Processing in a country, a territory, or one or more specified sectors that are considered under applicable Data Protection Laws as providing an adequate level of data protection.
- 5.4.2. SCC’s. The parties’ agreement to enter in to and comply with the Standard Contractual Clauses and any successors or amendments to such clauses or such other applicable contractual terms adopted and approved under Data Protection Laws.
- 5.4.3. BCR’s. Processing in compliance with Binding Corporate Rules (“BCR’s”) in accordance with Data Protection Laws; or
- 5.4.4. Other Approved Transfer Mechanisms. Implementing any other data transfer mechanisms or certifications approved under Data Protection Laws, including, as applicable, any approved successor or replacement to the EU–US Privacy Shield framework or the Swiss–US Privacy Shield framework.
To the extent that any substitute or additional appropriate safeguards or mechanisms under any Data Protection Laws are required to transfer data to a Third Country the parties agree to implement the same as soon as practicable and document such requirements for implementation in an attachment to this DPA.
6. RETURN AND DESTRUCTION OF PERSONAL DATA
- 6.1 Either upon request or direction by Client or termination or expiration of the Agreement, Trovata will, in accordance with the Agreement, delete or make available to Client for retrieval all Personal Data in Trovata’s possession, except to the extent that Trovata is required by applicable law to keep a copy of the Personal Data and notifies Client of the same.
- 6.2 Trovata agrees to comply with the terms of this DPA to the extent any Personal Data remains in its possession or control.
7. AUDIT RIGHTS
- 7.1. Upon written request from the Client, Trovata shall make available to the Client once a year such information as is reasonably required by the Client to demonstrate Trovata’s compliance with its obligations under this DPA.
- 7.2. If the Client in its reasonable opinion determines that the information provided under Section 7.1 is not sufficient, Trovata will assist with Client’s request for additional information through completing a reasonable questionnaire or request for information provided by Client, or a third party acting on Client’s behalf, regarding Trovata’s compliance with this Addendum.
- 7.3. If the Client in its reasonable opinion determines that the information provided under Section 7.2 is not sufficient, Trovata will allow the Client or a third party acting on behalf of the Client to conduct audits solely as necessary to fulfill Client's obligations under Data Protection Laws no more than once annually.
- 7.4. Any such audit under this Section 7 will occur only after Client has provided Trovata with at least 60 days’ prior written notice and during a mutually agreed upon date, time, and location. Audits must not unreasonably interfere with Trovata’s business or operations, and the scope of such audit will be subject to Trovata’s reasonable pre-approval. Individuals responsible for conducting such audit shall be subject to a contract of confidentiality with Trovata. The work required by Trovata to participate in any audit may result in additional fees (at a mutually agreed upon hourly rate) to be paid by the Client, unless otherwise agreed in writing prior to the commencement of such audit. If the audit reveals any material vulnerability or inadequacy, Trovata shall correct any such vulnerability or inadequacy at its sole cost and expense and shall certify the same in writing to Client.
- 7.5. To ensure that Trovata complies with applicable Data Protection Laws and its contractual obligations regarding data privacy and security, the Client agrees that Trovata is not required to provide the Client with access to Trovata’s systems or information in a manner that may compromise the security, privacy, or confidentiality of Trovata’s other clients’ confidential or proprietary information. Any information disclosed pursuant to this Section 7 will be deemed Trovata’s Confidential Information.
Exhibit 1 to Data Processing Addendum
Description of Processing and Transfer Details
1. Data Exporter
|Company Name||Address||Contact name, position, and contact information||Role|
|Client information as included in the applicable Order Form||Controller|
1. Data Exporter
|Company Name||Address||Contact name, position, and contact information||Role|
|Trovata, Inc. 312 South Cedros Ave, Suite 312, Solana Beach, CA 92075||Processor|
3. Activities relevant to the data transferred under these Clauses
The activities relevant to the data transferred pursuant to the Services are more fully described in the Agreement and applicable Order Form.
4. Processing Information
|Categories of data subjects whose personal data is transferred||
|Categories of personal data transferred||
|Sensitive personal data transferred||
|Frequency of the transfer||Continuous|
|Nature of the processing||
The nature of the processing is more fully described in the Agreement and accompanying Order Form(s).
The purpose of the transfer is to facilitate the performance of the Services more fully described in the Agreement and accompanying Order Form(s).
|Purpose of the data transfer and further processing|
|Period for which the personal data will be retained or criteria used to determine that period||The period for which the personal data will be retained is more fully described in the Agreement, DPA, and accompanying Order Form(s).|
|Subprocessor transfers – subject matter, nature, and duration of processing||The subject matter, nature, and duration of the Processing more fully described in the Agreement, DPA, and accompanying Order Form(s).|
|Signatures||The Parties agree that the EU SCCs and the UK Transfer Addendum are incorporated by reference and that by executing the Agreement referencing this DPA, each party is deemed to have executed the SCCs and the UK Transfer Addendum.|
6. European Area SCC and UK Transfer Addendum Information
|SCC Clause||GDPR||Swiss DPA||UK Data Protection Law|
|Module in Operation
Module Two (Controller to Processor) and Module Three (Processor to Processor)
|Clause 7- Docking Clause||An entity that is not a party to these clauses may, with the agreement of the parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex 1.A|
|Clause 9(a)- Use of Sub-processors||GENERAL WRITTEN AUTHORISATION: The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 15 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.|
|Clause 11 (Redress)||Optional language in Clause 11 shall not apply.|
|Clause 17- Governing Law||These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.||These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Switzerland.||These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of England and Wales.|
|Clause 18 – Choice of Forum and Jurisdiction||(b) The parties agree that those shall be the courts of Ireland.||The parties agree that those shall be the competent courts of Switzerland.||The parties agree that those shall be the competent courts of England and Wales.|
|Annex 1A- List of Parties||The name, address, and contact person’s name, position, and contact details, and each party’s role in processing personal data are provided in Section 1, 2, and 3 above|
|Annex 1B – Description of Transfer||
This information can be found in Section 4 above.
To the extent applicable, the descriptions of safeguards applied to the special categories of Personal Data can be found in Exhibit 2 to the DPA.
|Clause 13 and Annex 1C – Competent Supervisory Authority||Identify the competent supervisory authority/ies in accordance with Clause 13:
Irish Data Protection Commission
|Identify the competent supervisory authority/ies in accordance with Clause 13:
|Identify the competent supervisory authority/ies in accordance with Clause 13:
UK Informational Commissioner
|Annex II – Technical and Organizational Measures||The description of technical and organization measures designed to ensure the security of Personal Data is described more fully in Exhibit 2 to the DPA.|
|Annex II – Technical and Organizational Measures – Subprocessors||The description of technical and organization measures designed to ensure the security of Personal Data processed by Sub-processors is described more fully in Exhibit 2 to the DPA.|
|Annex III – List of Subprocessors||URL with current list of Subprocessors to be provided to Client upon request.|
|Ending the UK Transfer Addendum when the Approved Addendum changes||N/A||
Which Parties may end this Addendum as set out in Section 19:
Exhibit 2 to Data Protection Addendum
Trovata Security Measures
Trovata will implement and maintain an information security program with generally accepted administrative, technical, physical, and organizational security standards to protect the security, confidentiality, availability, and integrity of Personal Data that is submitted to us, both during transmission and once it is received. Trovata undergoes annual SOC 2 Type audits and third-party penetration testing to ensure that adequate measures are implemented and maintained as part of our information security program.
Without limiting the foregoing, Trovata will:
- 1. Maintain an Information Security program that includes policies and information on the organizational structure and responsibilities of the Information Security team; Mobile Device Security; Remote Access; Personnel Security; Asset Management; Data Classification & Handling; Access Control; Encryption; Physical and Environmental Security; Security Operations; Procurement & Vendor Management; Secure Development; Incident Management & Response; Business Continuity & Disaster Recovery; and Compliance;
- 2. Ensure that its personnel are trained to handle and obligated to maintain the confidentiality of any Client Data in its possession;
- 3. Ensure that its agents and subcontractors that assist Trovata in performing its obligations under the Agreement maintain security practices consistent with this DPA;
- 4. Conduct routine risk assessments to identify, document, and remediate material internal and external risks;
- 5. Establish and enforce written procedures and technical controls enforcing role-based access control principles to control access to systems, networks, services, and facilities;
- 6. Ensure the implementation of minimum password requirements that will allow for unique user identification;
- 7. Maintain disaster recovery plans and allow for the recovery of services in the event that Trovata's services experience a significant interruption or impairment of operations;
- 8. Implement and conduct routine security awareness training for Trovata personnel;
- 9. Implement anti-malware software on any systems that Process Client Data;
- 10. Commensurate with the nature and sensitivity of the Client Data, ensure that Client Data is encrypted in transit across public networks or outside of Trovata’s physical or logical controls and encrypted at rest when stored on any device or storage using industry standard encryption tools;
- 11. Collect system, application, and user level logs on an ongoing basis for any network or system Processing Client Data and retain such logs for at least one year;
- 12. Maintain appropriate physical security controls in place for any processing facilities that are used for Processing Client Data, including without limitation appropriate perimeter security designed to protect against unauthorized access, damage or interference;
- 13. Ensure that its security program is evaluated and adjusted on an ongoing basis; and
- 14. Take reasonable steps to destroy Client Data as provided under the Agreement, upon Client Request, by (i) shredding; (ii) permanently erasing and deleting; (iii) degaussing; or (iv) otherwise modifying Client Data to make it unreadable, indecipherable, and irretrievable.