Celigo Data Security Addendum
This Data Security Addendum is governed by, incorporated into, and made part of the Terms of Service by and between Customer and Celigo, Inc. Unless defined below, capitalized terms have the same meanings as in the Terms of Service.
1. Applicable Standards
1.1 Celigo will implement administrative, physical and technical safeguards designed to protect Customer Data consistent with generally-accepted industry standards and practices for information security, including the controls and Trust Service Principles of SOC 2 Type 2 (covering security and availability). Celigo will ensure that all such safeguards, including the manner in which Celigo processes, uses, disposes of and discloses Customer Data comply with laws applicable to Celigo’s delivery of the services as stated in the Agreement, including without limitation all applicable Data Protection Legislation.
1.2 Celigo will not make any changes that materially reduce or weaken Celigo’s security controls to Celigo’s systems or environments that transmit, process, or store Customer Data.
2. Data Security
2.1. Celigo will encrypt all electronic Customer Data that is required to be encrypted under applicable laws, regulations, or standards, whether stored at rest or transmitted in transit, in accordance with industry-accepted encryption standards (e.g., AES-256, TLS 1.2 or higher). Celigo will use security technologies (including intrusion prevention systems, security monitoring and alerting, encryption, multi-factor authentication, and firewall protection) in providing the Products.
2.2. Where applicable, Celigo will use a security-conscious software development lifecycle for software engineering that incorporates risk assessment and vulnerability testing designed to ensure that none of the OWASP Web Application Top 10 Security Risks are present. Celigo will additionally ensure Customer Data is not replicated or used in non-production environments. Celigo will implement change management processes and procedures to ensure that only authorized changes are implemented in the production environment.
2.3. Celigo will maintain a security training program for all Celigo personnel (incl. temporary workers) who have access to, or are likely to have access to Customer Data in written or electronic form.
3. Access Controls. Celigo will grant user access rights and privileges to information resources containing Customer Data solely on a need-to-know basis consistent with role-based authorization. Immediately upon separation or role transfer that eliminates the valid business need for continued access to Customer Data by a Celigo Representative, Celigo will remove such Celigo Representative’s access. Celigo will also employ appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks of employees that will have access to Customer Data consistent with industry standards and applicable law.
4. Audit Logs. Celigo will maintain audit logs for access to systems and networks transmitting, processing, or storing Customer Data. Audit logs will, at a minimum, identify the user accessing the system/data, actions taken by the user, and a date/time stamp. Audit logs will be protected against unauthorized modification and deletion.
5. Business Continuity and Disaster Recovery. Celigo will maintain business continuity and disaster recovery plans designed to ensure that critical services can be restored and provided in a manner consistent with Celigo’s service level agreements agreed to with the Customer.
6. Physical Security. Celigo will use reasonable efforts to ensure that it and Celigo subprocessors are physically secured. Celigo will implement physical entry controls for all areas where Customer Data is processed. Such controls will include controlling access to these areas and the use of individually identifiable entry methods (e.g., key cards). Celigo will contractually require its subprocessors to maintain comparable controls. Celigo and subprocessors will maintain surveillance systems for secure areas to monitor, detect, and respond to suspected security incidents on a 24/7 basis.
7. Subcontractors. Celigo will ensure that any Celigo personnel who process Customer Data on behalf of Celigo are bound by a written contract that imposes the same restrictions and conditions that apply to Celigo with respect to such data. Celigo will provide Customer with at least ten (10) days’ notice prior to the date on which it engages any new or replacement Celigo Representative to process Customer Data.
8. Permitted Uses. Celigo may maintain, transmit, access, use or disclose Customer Data solely for the benefit of Customer and to perform functions, activities, or services as specified in the Agreement.
9. Breach Notification.
9.1. Celigo will notify Customer of a Security Incident (as defined in the Terms of Service or Data Processing Agreement) by emailing Customer at the address specified in the Agreement as soon as practicable, but no later than seventy-two (72) hours after Celigo becomes aware of or has reason to believe that a Security Incident has occurred. Notification of a Security Incident is not an acknowledgement by Celigo of its fault or liability.
9.2. Taking into account the nature of the Security Incident and the information available to Celigo, Celigo agrees to support Customer’s investigation of the Security Incident by providing Customer with a report of the Security Incident and access to relevant records, logs, and other information as required by applicable laws.
9.3. Celigo will exercise reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within Celigo’s reasonable control.
9.4. Celigo agrees that Customer will have the sole right to determine: (i) whether notice of the Security Incident is to be provided to any individuals impacted by any unauthorized disclosure of Customer Data and (ii) the contents of such notice. Notwithstanding the foregoing, Celigo may notify consumer reporting agencies or others as required by Applicable Laws.
9.5. Celigo agrees to reasonably cooperate with Customer in any litigation or other formal action deemed necessary by Customer to protect its rights relating to the use, disclosure, protection and maintenance of Customer Data. Celigo may seek reimbursement of its expenses for such cooperation, to be agreed by the parties in advance of any such participation.
10. Termination.
10.1. Customer will have the right to terminate the Agreement for Celigo’s material breach of these Security Requirements as set forth in the termination section of the Agreement.
11. Celigo will provide Customer, on request, with the results of any security assessment or audit report performed on behalf of Celigo to assess the effectiveness of Celigo’s information security program as relevant to the security and confidentiality of Customer Data.
In the event an audit conducted by Celigo shows deficiencies, Celigo will use reasonable efforts to promptly remediate and correct all such deficiencies in line with industry standard remediation timeframes.
12. Precedence. In the event of a conflict between these Security Requirements and any terms set forth in the Agreement with respect to the subject matter described herein, these Security Requirements will control unless Customer and Celigo explicitly agree in writing that this Section 12 will not apply with respect to the conflicting terms.
IN WITNESS WHEREOF, the Parties have caused this Addendum to be executed as of the Effective Date.