Ibero-American Model Agreement for the International Transfer of Personal Data:

Controller to Processor

By agreeing to the Master License and Services Agreement (“MLSA”), the Data Controller agrees to the terms of this Model Agreement as a supplement to the MLSA and to be incorporated therein to the extent the Data Controller is subject to the privacy laws of the Ibero-American Data Protection Network (or a member state) and where required by applicable privacy legislation

Data Exporter: Entity identified in the Master License and Services Agreement (Command Alkon customer)

Data Importer: Command Alkon Incorporated, including Command Alkon’s sister companies and subsidiaries as defined in the MLSA

Data Importer Contact:

David R. Burkholder, Chief Privacy Officer

Command Alkon Incorporated, 6750 Crosby Court, Dublin, Ohio 43016

+1.205.263.6624 ext. 2837 / privacy@commandalkon.com

Applicable Law: Data protection law of the Data Exporter

Competent Supervisory Authority: Supervisory authority of the Data Exporter

SECTION I: GENERAL PROVISIONS

CLAUSE 1 – Purpose, Parties, Scope of Application and Definitions

1.1 Purpose – The purpose of these model contractual clauses is to ensure and facilitate compliance with the requirements for the international transfer of Personal Data set by the Governing Law, in order to comply with the principles and obligations on the protection of Personal Data. Any interpretation of this Agreement shall take these purposes into account.

1.2 Contracting Parties – The Contracting Parties are the Data Exporter and the Data Importer. This Agreement allows the incorporation of additional importers or exporters as Contracting Parties, using the form in Annex A following the procedure established in Clause 5.

1.3 Scope of Application – This Agreement shall apply to international transfers of Personal Data between Data Exporter(s) and Data Importer(s), in accordance with the specifications of Annex B. The annexes form an integral part of this Agreement.

Definitions – The defined terms are identified in this Agreement by capital letters. For the purposes of this Agreement, the following terms shall be defined:

Agreement: this contract for the international transfer of Personal Data based on model contractual clauses together with its title page and its annexes.

Anonymization: the application of measures of any kind aimed at preventing the identification or re-identification of an individual without disproportionate efforts.

Competent Supervisory Authority: personal data protection authority in the country of the Data Exporter or Data Importer.

Cloud Computing: model for enabling access to a set of IT services (such as networks, servers, storage, applications, and services) in a convenient manner and on demand, which can be rapidly provided and released with administrative efforts and based on the interaction with the service provider.

Consent: expression of the free, specific, unequivocal and informed will of the Data Subject through which he/she accepts and authorizes the Processing of his/her Personal Data.

Personal Data: any information regarding an identified or identifiable individual, expressed in a numerical, alphabetical, graphical, photographic, alpha-numeric, or acoustic way, or in any other form. It is considered that a person is identifiable when his/her identity can be determined directly or indirectly, provided that this does not require disproportionate time or efforts.

Sensitive Personal Data: Personal Data that refer to the intimate sphere of the Data Subject, the undue use of which may result in discrimination or create a serious risk thereof. In an illustrative way, Personal Data that may reveal aspects such as racial or ethnic origin; beliefs or religious, philosophical and moral convictions; trade union membership; political opinions; information regarding health, sexual life, preference or orientation; genetic data; or biometric data aimed at identifying a natural person in an unequivocal manner will be considered as sensitive.

Automated Individual Decisions: decisions that produce legal effects concerning the Data Subject, or that affect him/her in a significant way, based solely on automated processing intended to assess, without human intervention, specific personal aspects, or to analyze or predict, specifically, his/her professional performance, economic situation, health status, sexual preferences, reliability or behavior.

Processor: service provider who, as a natural or legal person or public authority, outside the organization of the Controller, processes Personal Data in the name and on behalf of the Controller.

Standards: Standards for Personal Data Protection for the Ibero-American States approved by the RIPD in 2017.

Data Exporter: natural person or private legal entity, public authority, service, body or service provider, located in the territory of a State that performs international transfers of Personal Data, according to the provisions of the Standards.

Data Importer: natural person or private legal entity, public authority, service, body or service provider located in a third country that receives Personal Data from a Data Exporter through an international transfer of Personal Data.

Governing Law: the Personal Data protection law of the Data Exporter’s jurisdiction.

Administrative, Physical and Technical Measures: measures aimed at preventing any damage, loss, alteration, destruction, access, and, in general, any illicit or unauthorized use of Personal Data, even if accidental, sufficient to ensure the confidentiality, integrity and availability of the Personal Data.

Controller: natural person or private legal entity, public authority, service or body that, alone or together with others, determines the purposes, means, scope and other matters related to the Processing of Personal Data.

Sub-processor: another Processor relied on by the Processor to carry out certain processing activities on behalf of the Controller.

Third-Party Beneficiaries: Data Subject whose Personal Data is subject to an international transfer under this Agreement. The Data Subject is a Third-Party Beneficiary of the rights provided in his/her favor in the MCCs and can therefore exercise the rights granted to it by the MCCs, even if she/he has not joined the model contract between the Parties.

Data Subject: natural person to whom the Personal Data relates.

Onward Transfer: transfer of data by the Data Importer to a third party located outside of the jurisdiction of the Data Exporter that complies with the safeguards set out in the MCCs.

Processing: any operation or set of operations performed on Personal Data through physical or automated procedures, related, but not limited, to the collection, access, registration, organization, structuring, adaptation, indexation, modification, extraction, consultation, storage, conservation, elaboration, transfer, dissemination, possession, exploitation, and in general any use or disposal of Personal Data.

Personal Data Breach: any damage, loss, alteration, destruction, access, and in general any illicit or unauthorized use of Personal Data, even if accidental.

CLAUSE 2 – Effects and Invariability of the Clauses

2.1 Modification of the Model Contractual Clauses/Limitations – This Agreement based on model contractual clauses establishes adequate safeguards for Data Subjects pertaining to the transfer of their data, from Controller(s) to Processor(s), provided that the clauses are not modified in their essence compared to the original model, except to complete the title page and the annexes. This does not prevent the Parties from including model contractual clauses in a broader contract, nor does it prevent them from adding further clauses or safeguards, provided they do not directly or indirectly contradict these model contractual clauses or affect the rights of Data Subjects.

2.2 Hierarchy with the Governing Law/Interpretation – This Agreement shall be read and interpreted in accordance with the provisions of the Governing Law.

The Parties may add new definitions and further safeguards to these model contractual clauses when necessary to comply with the Governing Law and provided this does not negatively affect the protections granted by the model contractual clauses.

This Agreement shall not be interpreted in a manner that conflicts with the rights and obligations set out in the Governing Law.

This Agreement is understood to be without prejudice to the obligations to which the Data Exporter is subject by virtue of its legislation or the Governing Law.

2.3 Hierarchy with other Agreements – In case of a contradiction between this Agreement and the provisions of related agreements between the Parties, the clauses of this Agreement shall prevail.

CLAUSE 3 – Third-Party Beneficiaries

Data Subjects may invoke, as Third-Party Beneficiaries, the clauses of this Agreement against the Data Exporter and/or the Data Importer and require them to ensure compliance.

CLAUSE 4 – Description of the Transfer(s) and the Purpose(s) Thereof

The details and characteristics of the transfer or transfers and, particularly, the categories of the Personal Data transferred and the purposes for which they are transferred are specified in Annex B of this Agreement.

CLAUSE 5 – Docking Clause

The Parties accept that any entity that is not a Party to this Agreement may, with the prior consent of all Parties involved, adhere to this Agreement at any time, either as a Data Exporter or as a Data Importer, by signing the form in Annex A, and completing the other Annexes, if applicable.

Once it has signed Annex A and completed the other annexes, if applicable, the joining entity shall be considered a Party to this Agreement and shall have the rights and obligations of a Data Exporter or a Data Importer, depending on the role under which it has adhered to the Agreement, as indicated in Annex A.

The entity joining the Agreement shall not acquire rights and obligations under this Agreement for the period prior to its adhesion.

SECTION II: OBLIGATIONS OF THE PARTIES

CLAUSE 6 – Data Protection Safeguards

6.1 Instructions – The Data Importer shall carry out Personal Data processing activities without any decision-making power over the scope and content thereof, and instead limit its actions to the terms and instructions established by the Data Exporter.

6.2 Principle of Accountability – The Data Exporter warrants that it has used reasonable efforts to determine that the Data Importer is able to perform its obligations under this Agreement by applying appropriate Administrative, Physical and Technical Measures.

The Data Importer shall implement the necessary mechanisms to demonstrate compliance with the principles and obligations established in this Agreement, thereby ensuring accountability to the Data Subject and the Competent Supervisory Authority for the Processing of the Personal Data in its possession.

The Data Importer shall review and permanently assess the mechanisms that it voluntarily adopts to comply with the principle of accountability, in order to measure their level of effectiveness in complying with this Agreement.

6.3 Principle of Purpose Limitation – The Data Importer shall not process the Personal Data subject to this Agreement for purposes other than those set out in Annex B, unless instructed otherwise by the Data Exporter.

6.4 Transparency – Upon request, the Parties shall make a copy of this Agreement available to the Data Subject free of charge. In any case, the Data Importer shall proactively assume the responsibility to inform about its existence. The sections or annexes of the Agreement containing trade secrets or other types of confidential information such as Personal Data of third parties or confidential information related to the contractual obligations between the Parties may be redacted.

This clause is without prejudice to the obligations imposed upon the Data Exporter by the Governing Law.

6.5 Data Accuracy and Minimization – If the Data Importer becomes aware that the Personal Data it has received is inaccurate, or has become outdated, it shall inform the Data Exporter without undue delay.

In this case, the Data Importer shall cooperate with the Data Exporter to erase or rectify the data.

6.6 Principle of Data Security – The Data Importer and, during the transfer, also the Data Exporter, shall implement and maintain appropriate Administrative, Physical and Technical Measures to ensure the confidentiality, integrity and availability of the Personal Data subject to this Agreement, including protection against Personal Data Breaches. In assessing the appropriate level of security, the parties shall duly consider the state of the art, the costs of implementation, the nature, scope, context and purposes of the Processing, and the risks for the Data Subjects linked to the Processing. To comply with the obligations set out in this paragraph, the Data Importer shall implement, at least, the Administrative, Physical and Technical Measures listed in Annex C to this Agreement. The Data Importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

In the event of a breach of the Personal Data processed by the Data Importer under this Agreement, the Data Importer shall take appropriate measures to address this breach, including measures to mitigate its adverse effects.

The Data Importer shall also notify the Data Exporter within seventy-two (72) hours of becoming aware of the Personal Data Breach. Such notification shall include a description of the Personal Data Breach (including, where possible, the categories of Personal Data and approximate number of Data Subjects affected), its likely consequences, and the measures taken or proposed to address the breach and especially, where appropriate, measures to mitigate its potential adverse effects.

Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

The Data Importer shall cooperate with and assist the Data Exporter in enabling it to comply with its obligations under the Governing Law, in particular to notify the Competent Supervisory Authority and the affected Data Subjects, taking into account the nature of the Processing and the information available to the Data Importer.

6.7 Processing Under the Authority of the Data Importer and Principle of Confidentiality – The Data Importer shall ensure that the persons acting under its authority only process data in accordance with its instructions and shall grant access to the Personal Data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of this Agreement.

The Data Importer shall ensure that the persons authorized to process the Personal Data maintain and respect the confidentiality thereof, which is an obligation that shall continue to apply even after the end of its contractual relationship with the Data Exporter.

6.8 Processing of Sensitive Personal Data – Where the transfer involves Sensitive Personal Data, the Data Importer shall apply the specific restrictions and/or additional safeguards described in Annex C to this Agreement.

Where the transfer involves Personal Data concerning children or adolescents, the Data Importer shall privilege the protection of their superior interests, in accordance with the Convention on the Rights of the Child and other international instruments.

6.9 Onward Transfers – The Data Importer shall only disclose Personal Data to a third party on documented instructions from the Data Exporter.

In addition, the Data Importer may only disclose the Personal Data to third parties located outside the Data Exporter’s jurisdiction if the third party is bound by or agrees to be bound by this Agreement. Otherwise, the Data Importer may only carry out an Onward Transfer in the following cases:

  • (i) in case this is provided for in the Governing Law, the Onward Transfer is to a country that has been the subject of an adequacy decision regarding its level of protection of Personal Data in accordance with the provisions of the Governing Law, provided that such decision covers the Onward Transfer;
  • (ii) the third party recipient of the Onward Transfer otherwise provides adequate safeguards, in accordance with the Governing law, with regard to Personal Data subject to the Onward Transfer;
  • (iii) the Onward Transfer is necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings;
  • (iv) if it is necessary to protect the vital interests of the Data Subject or of another natural person.

All Onward Transfers shall be subject to compliance by the Data Importer with the other safeguards provided in this Agreement and, in particular, compliance with the principle of purpose limitation.

6.10 Documentation and Compliance – The Parties shall be able to demonstrate compliance with their obligations under this Agreement. In particular, the Data Importer shall keep appropriate documentation of the processing activities carried out under the instructions of the Data Exporter, which shall be made available to the Data Exporter and the Competent Supervisory Authority upon request.

The Data Importer shall promptly and in an appropriate manner deal with the Data Exporter’s enquiries that relate to the Processing under this Agreement.

The Data Importer shall make available to the Data Exporter all information necessary to demonstrate compliance with the obligations set out in this Agreement and, at the Data Exporter’s request, allow for and contribute to audits of the processing activities covered by this Agreement, at reasonable intervals or if there are indications of non-compliance. The Data Exporter may choose to conduct the audit by itself or mandate an independent auditor to do so. Audits may include inspections at the premises or physical facilities of the Data Importer and shall, where appropriate, be carried out with reasonable notice.

The Parties shall make the information referred to in the previous paragraphs, including the results of any audits, available to the Competent Supervisory Authority upon request.

6.11 Duration of the Data Processing and Deletion or Return of the Data – Processing by the Data Importer shall only take place for the duration specified in Annex B to this Agreement.

After the end of the provision of the processing services, the Data Importer shall, at the request of the Data Exporter, securely delete all Personal Data processed on behalf of the Data Exporter and certify to the Data Exporter that it has done so, or return to the Data Exporter all Personal Data and securely delete existing copies, should the Data Exporter choose the latter option.

Until the data is deleted or returned, the Data Importer shall continue to ensure compliance with this Agreement. In case of local laws applicable to the Data Importer that prohibit return or deletion of the Personal Data, the Data Importer warrants that it will continue to ensure compliance with this Agreement and will only process the data to the extent and for as long as required under that local law.

CLAUSE 7 – Reliance on Sub-Processors

7.1 Sub-Processor Authorization Form – The Data Importer has the Data Exporter’s general authorization to contract the Sub-processors included in the agreed list. The Data Importer shall specifically inform the Data Exporter in writing of any intended changes to that list through the addition or replacement of Sub-processors at least 15 business days in advance, thereby giving the Data Exporter sufficient time to be able to object to such changes prior to the engagement of the Sub-processor(s) in question. The Data Importer shall provide the Data Exporter with the information necessary to enable the Data Exporter to exercise its right to object.

7.2 Data Sub-Processor Agreement – Where the Data Importer engages a Sub-processor to carry out specific processing activities (on behalf of the Data Exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the Data Importer under this Agreement, including in terms of Third-Party Beneficiary rights for Data Subjects. The Parties agree that, by complying with this provision, the Data Importer fulfils its obligations under the clause on Onward Transfers. The Data Importer shall ensure that the Sub-processor complies with the obligations to which it is subject pursuant to this Agreement.

The Data Importer shall provide the Data Exporter, at the latter’s request, with a copy of the Sub-processor agreement and any subsequent amendments thereto. To the extent necessary to protect business secrets or other confidential information, including Personal Data, the Data Importer may redact the text of the agreement prior to sharing a copy thereof.

The Data Importer shall remain fully responsible to the Data Exporter for the performance of the Sub-processor’s obligations under its agreement with the Data Importer. The Data Importer shall notify the Data Exporter of any failure by the Sub-processor to fulfil its obligations under that agreement.

CLAUSE 8 – Rights of Data Subjects

The Data Importer shall promptly notify the Data Exporter of any request it has received from a Data Subject. It shall not respond to such a request itself unless it has been authorized to do so by the Data Exporter.

The Data Importer shall assist the Data Exporter in fulfilling its obligations to respond to Data Subjects’ requests in the exercise of their rights under the Governing Law. In this regard, the Parties shall set out in Annex C the appropriate Administrative, Physical and Technical Measures, taking into account the nature of the Processing, by which they ensure the assistance to the Data Exporter, as well as the scope and the extent of the assistance required.

In fulfilling its obligations under the previous paragraphs, the Data Importer shall comply with the instructions from the Data Exporter.

CLAUSE 9 – Redress

The Data Importer shall inform the Data Subjects, in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints, who shall handle the complaints received from Data Subjects as quickly as possible.

In case of a dispute between a Data Subject and one of the Parties as regards compliance with this Agreement, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, collaborate in good faith to resolve them.

Whenever a Data Subject invokes a Third-Party Beneficiary Right under this Agreement, the Data Importer undertakes to accept and not dispute the Data Subject’s decision to: (i) lodge a complaint with the Supervisory Authority in his/her country of habitual residence or place of work, or with the Competent Supervisory Authority; (ii) file an action in court as regards his/her Personal Data.

The Data Importer agrees to abide by decisions binding under the Governing Law or other applicable law.

CLAUSE 10 – Civil Liability

Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of this Agreement.

Each Party shall be liable to the Data Subject. The Data Subject shall be entitled to receive compensation for any material or non-material damages caused by the Data Importer or its Sub-processor for violating the Third-Party Beneficiary Rights under this Agreement. This is without prejudice to the liability of the Data Exporter under the Governing Law.

The Parties agree that if the Data Exporter is held liable under the previous paragraph for damages caused by the Data Importer (or its Sub-processor), it shall be entitled to claim back from the Data Importer that part of the compensation corresponding to the Data Importer’s responsibility for the damage.

Where more than one Party is responsible for any damage caused to the Data Subject as a result of a breach of this Agreement, all responsible Parties shall be jointly and severally liable.

The Parties agree that if one Party is held liable under the previous paragraph, it shall be entitled to claim back from the other Party that part of the compensation corresponding to its responsibility for the damage.

The Data Importer may not invoke the conduct of a Sub-processor to avoid its own liability.

CLAUSE 11 – Supervision by the Competent Supervisory Authority

The Data Importer agrees to submit itself to the jurisdiction of and cooperate with the Competent Supervisory Authority in any procedures aimed at ensuring compliance with this Agreement.

In particular, the Data Importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the Supervisory Authority, especially corrective and compensatory measures. It shall provide the Supervisory Authority with a written confirmation that the necessary measures have been taken.

CLAUSE 12 – Local Laws and Practices Affecting Compliance with the Clauses

The Parties confirm that, at the time of entering into this Agreement, they have used reasonable efforts to identify whether the transferred data is covered by any local law or practice in the Data Importer’s jurisdiction that goes beyond what is necessary and proportionate in a democratic society to safeguard important public interest objectives, and that may reasonably be expected to affect the safeguards, rights, and guarantees afforded to the Data Subject under this Agreement. Based on the foregoing, the Parties confirm that they are not aware of the existence of any such practice or rule that adversely affects the specific safeguards under this Agreement.

The Data Importer agrees to notify immediately the Data Exporter if any such laws become applicable to it in the future. In the event of such notification, or if the Data Exporter has reasons to believe that the Data Importer is no longer able to perform its obligations under this Agreement, the Data Exporter shall identify appropriate measures to address the situation (for example, Administrative, Physical and Technical Measures to ensure the security of the data). Likewise, it may suspend transfers under this Agreement if it considers that adequate safeguards cannot be ensured. In this case, the Data Exporter shall have the right to terminate this Agreement in accordance with the conditions set out in Clause 13.

If a court or government agency requires the Data Importer to disclose or use the transferred data in a manner not otherwise permitted by this Agreement, the Data Importer shall assess the legality of such request and challenge it if, after a careful legal assessment, it concludes that there are reasonable grounds to consider that the request is illegal under local law and that the request affects the rights guaranteed by this Agreement. To the extent permitted by local law, it shall also promptly notify the Data Exporter that it has received such a request. If the Data Importer is prohibited by local law from notifying the Data Exporter, the Data Importer shall use reasonable efforts to obtain a waiver of this prohibition.

SECTION III: FINAL PROVISIONS

CLAUSE 13 – Non-Compliance with the Clauses and Termination

The Data Importer shall immediately notify the Data Exporter if it is unable to comply with any provision of this Agreement, for whatever reason.

In the event that the Data Importer fails to comply with its obligations under this Agreement, the Data Exporter shall suspend the transfer of Personal Data to the Data Importer until compliance is again ensured or the contract is terminated.

The Data Exporter shall be entitled to terminate this Agreement when:

  • (i) the Data Exporter has suspended the transfer of Personal Data to the Data Importer pursuant to the previous paragraph and compliance with this Agreement is not restored within a reasonable period of time and in any event within a period of thirty (30) business days following suspension;
  • (ii) the Data Importer is in substantial or persistent breach of this Agreement; or
  • (iii) the Data Importer fails to comply with a binding decision of a court or Competent Supervisory Authority regarding its obligations under this Agreement. In this case, it shall inform the Competent Supervisory Authority of its non-compliance.

Personal Data that has been transferred prior to the termination of the contract pursuant to the previous paragraph shall at the choice of the Data Exporter immediately be returned to the Data Exporter or deleted in its entirety. The same shall apply to any copies of the data. The Data Importer shall certify the deletion of the data to the Data Exporter. Until the data is deleted or returned, the Data Importer shall continue to ensure compliance with this Agreement. In case of local laws applicable to the Data Importer that prohibit the return or deletion of the transferred Personal Data, the Data Importer warrants that it will continue to ensure compliance with this Agreement and will only process the data to the extent and for as long as required under that local law.

CLAUSE 14 – Governing Law

This Agreement shall be governed by the Governing Law.

CLAUSE 15 – Choice of Forum and Jurisdiction

Any dispute arising from this Agreement shall be resolved by the courts of the Data Exporter’s jurisdiction.

Data Subjects may also bring legal action in court against the Data Exporter and/or the Data Importer, which may be initiated, at the Data Subject’s choice, in the country of the Data Exporter, or in which the Data Subject has his/her habitual residence. With respect to the Data Importer, she/he may also bring legal action in the country of the Data Importer.

The Parties agree to submit to the competent court(s) provided for in this clause.

Annex A

Accession Form for New Parties

Data Exporter Accession –

Full name:

Address:

Contact details:

Activities related to the data transferred under this Agreement:

Governing Law:

Competent Supervisory Authority:

Jurisdiction: Courts of…

Data Importer Accession –

Full name:

Address:

Contact details:

Data Exporter’s Signature

Data Importer’s Signature

Annex B

Description of the Transfer

Categories of Data Subjects whose Personal Data is transferred: Customer employees and employees of Customer affiliates, customers, and business partners

Categories of Personal Data transferred: Customer may upload, submit, or otherwise provide certain Customer Personal Data to the products and/or services, the extent of which is typically determined and controlled by Customer in its sole discretion and may include contact information; website, product, and service interaction information; addresses; date of birth; location of birth; e-mail addresses; names; gender; title; telephone numbers; driver’s license number; signature; employee number; geo-location information; pay rate; username; password; performance information; qualifications and restrictions; device information

Sensitive Personal Data transferred (if applicable) and restrictions or safeguards applied: N/A

Transfer frequency: Continuous as needed for provision of the products and/or services

Purpose(s) of the data transfer and further processing: The purpose of the data Processing is the provision of the products and/or services to the Customer

Term: In accordance with the MLSA, this Agreement, Data Importer’s retention schedule, and any applicable legal requirements

Sub-processors: https://dev-marketing.commandalkon.com/sub-processor-list/

Annex C

Administrative, Physical, and Technical Measures to Ensure Data Security

Data Importer maintains appropriate technical and organizational measures to safeguard Customer Personal Data (“Information Security Program”) taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Data Importer governs itself under the following security standards: SOC; NIST 800-171; AWS CIS.

Further detail is available upon request.

Annex D

List of Data Sub-Processors

Sub-processors: https://dev-marketing.commandalkon.com/sub-processor-list/

Annex D

Additional Legal Documentation

Privacy notice: https://dev-marketing.commandalkon.com/privacy-policy/

Privacy and compliance documentation: https://dev-marketing.commandalkon.com/legal/