DATA PROCESSING ADDENDUM

Last updated February 1, 2024. View the prior version here.

This Data Processing Addendum (together with its annexes, this “DPA”) supplements and forms part of the Software-as-a-Service Agreement between FrontApp, Inc. (“Front”) and Customer for Front’s provision of its Services to such Customer (the “Agreement”). This DPA refers to the Front and Customer, individually, as a “Party” and, collectively, as the “Parties”. This DPA shall be effective as of the Effective Date of the Agreement and replaces and supersedes any data processing agreement entered by the Parties prior to such date

Capitalized terms used in this DPA have the meanings given below or, if not defined in this DPA, have the meanings given in the Agreement.

“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and any binding regulations promulgated thereunder, in each case, as amended from time to time.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Customer Personal Data” means any Customer Data that constitutes Personal Data. Customer Data does not include Personal Data that Front Processes as a Controller, such as Personal Data pertaining to Front’s business contacts within Customer’s organization or to Account holders where Processed for the Purpose of administering or operating such accounts or Front’s marketing activities. Front’s Processing of Personal Data as a Controller is subject to the Front Privacy Notice.

“Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Customer Personal Data under the Agreement, including, as applicable, the CCPA and other U.S. state privacy laws, the GDPR, and the FADP, in each case, as amended from time to time.

“Data Subject” means an identified or identifiable natural person to whom Customer Personal Data relates.

“Data Subject Request” means the request of a Data Subject to exercise rights under Data Protection Laws in respect of Customer Personal Data pertaining to such Data Subject in Front’s possession, custody, or control.

“EEA” means the European Economic Area.

“FADP” means the Swiss Federal Act on Data Protection, as amended from time to time.

“GDPR” means, as applicable,(a) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) in the European Union (“EU”) or (b) the EU GDPR as it forms part of United Kingdom (“UK”) law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), in each case, including any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and as amended from time to time.

“Personal Data” means “personal data,” “personal information,” or information within the scope of similar terms defined in Data Protection Laws.

“Personal Data Breach” means a breach of Front’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Front’s possession, custody, or control.

“Process” and inflections thereof refer to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, and destruction.

“Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.

“Restricted Transfer” means a transfer of Customer Personal Data to an importer located in (a) where the EU GDPR applies, any country or territory outside the EEA that does not benefit from an applicable adequacy decision from the European Commission described in Chapter 45 of the GDPR (an “EU Restricted Transfer”), (b) where the UK GDPR applies, any country or territory outside the UK that does not benefit from an applicable adequacy decision from the UK Government (a “UK Restricted Transfer”), or (c) where the FADP applies, any country outside of Switzerland that does not benefit from an adequacy determination by the Swiss Federal Council (a “Swiss Restricted Transfer”), in each case, which would be prohibited without a legal basis under Chapter V of the GDPR or the FADP, as applicable.

“SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914, as populated in accordance with Annex 2 (Europe Annex).

“Subprocessor” means any third party engaged directly or indirectly by or on behalf of Front to Process Customer Personal Data under Front’s care, custody, or control.

“Supervisory Authority” means (a) in the context of the EEA and the EU GDPR, “supervisory authority” as defined in the EU GDPR; (b) in the context of the UK and the UK GDPR, the UK Information Commissioner’s Office; and (c) in the context of Switzerland and the FADP, the Swiss Federal Data Protection and Information Commissioner.

“UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO under Section 119A of the Data Protection Act 2018, in force from 21 March 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).

The Parties acknowledge and agree that Annex 1 (Data Processing Details) to this DPA describes the details of Front’s Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing). Annex 2 (Europe Annex) and Annex 3 (California Annex), as applicable, to this DPA apply to Front’s Processing of Customer Personal Data in accordance with their respective terms. The terms of this DPA apply solely with respect to Front’s Processing of Customer Personal Data subject to the GDPR, the CCPA or other Data Protection Laws requiring data protection terms to be included in contracts between Customer and its Processors or Service Providers (as defined in Data Protection Laws).

Front shall Process Customer Personal Data only according to Customer’s instructions or as required by applicable laws (or in the case of Customer Personal Data subject to the GDPR, the laws of the UK or EU, as applicable, to which Front is subject). Customer instructs Front to Process Customer Personal Data to provide the Services and as authorized by the Agreement. The Agreement and Customer’s use of the Services’ settings and features in accordance with the Agreement are the complete expression of such instructions, and Customer’s additional instructions shall be binding on Front only pursuant to an amendment to this DPA signed by both parties. Where Front receives an instruction from Customer that, in its reasonable opinion, infringes Data Protection Laws, Front shall notify Customer.

Front shall ensure that all Front personnel who access Customer Personal Data are subject to contractual or other legal duties of confidentiality with respect to such Customer Personal Data.

The technical, organizational, and physical measures that Front maintains pursuant to the Agreement to protect Customer Personal Data (the “Security Measures”) shall include the measures described in Annex 4 (Security Measures) of this DPA and any other security measures as Front is required to maintain under Data Protection Laws. Front may modify the Security Measures from time to time so long as the modifications do not decrease overall the protection of Customer Personal Data.

Customer is solely responsible for responding to Data Subject Requests. Taking into account the nature of the Processing of Customer Personal Data, and employing appropriate technical and organizational measures, Front shall provide Customer with such assistance as Customer may reasonably request in writing to enable Customer to perform its obligations under Data Protection Laws to respond to Data Subject Requests. Front shall promptly forward to Customer any Data Subject Request that Front receives and Front shall not be obligated to respond to any Data Subject Request, but may instruct the Data Subject to submit the request to Customer.

Front shall notify Customer of a Personal Data Breach without undue delay after becoming aware of the occurrence thereof. Front’s notification of or response to a Personal Data Breach shall not be construed as Front’s acknowledgement of any fault or liability with respect to the Personal Data Breach. If Customer determines that notice of a Personal Data Breach must be given to any Supervisory Authority or other governmental authority, any Data Subject, the public or others in a manner that directly or indirectly refers to or identifies Front, where permitted by applicable laws, Customer shall notify Front prior to giving such notice and in good faith consult with Front regarding such notice and consider any clarifications or corrections of any such notification that Front may reasonably request.

a. Authorization; Current Subprocessors. Customer generally authorizes Front to engage Subprocessors in accordance with this Section 8, including the Subprocessors listed as of the Effective Date at the following web page or such other web page as Front may provide to Customer from time to time: at https://front.com/legal/list-of-subprocessors (the “Subprocessor Page”).

b. Requirements. Front shall enter into a written contract with each Subprocessor imposing on such Subprocessor data protection obligations at least as protective as those in this DPA with respect to Customer Personal Data to the extent applicable to the nature of the services such Subprocessor provides. Front shall be liable for all Processing of Customer Personal Data delegated to the Subprocessor and its actions and omissions related thereto.

c. New Subprocessors. When Front engages any Subprocessor not listed on the Subprocessor Page as of the Effective Date, Front shall notify Customer of the engagement (including the name, location, and function of the Subprocessor) at least 30 days before such Subprocessor Processes Customer Personal Data by updating the Subprocessor Page, and if Customer has subscribed to receive notifications of updates to the Subprocessor Page through a mechanism designated by the Subprocessor Page, providing such notification. If Customer objects to such Subprocessor’s Processing of Customer Personal Data in a written notice to Front on reasonable grounds relating to the protection of Personal Data, Customer and Front shall work together in good faith to consider a mutually acceptable resolution to such objection. If the parties have not resolved such objection to their mutual satisfaction within a timeframe acceptable to Customer, Customer’s sole and exclusive remedy shall be to terminate the Agreement and cancel the Services no later than 90 days after Customer’s receipt of the initial notice of engagement by notifying Front in writing of such termination and paying Front for all amounts due and owing under the Agreement as of the date of such termination. Such termination shall take effect on the first date as of which Front has received such timely notice and payment.

a. Compliance assistance. Taking into account the nature of the Processing and the information available to Front, Front shall provide such information and assistance as Customer may reasonably request to enable Customer to perform its obligations under Data Protection Laws in relation to Front’s Processing of Customer Personal Data, including in relation to (i) the security of Customer Personal Data, (ii) the investigation and reporting of Personal Data Breaches, (iii) the demonstration of Front’s compliance with this DPA, and (iv) the performance of any data protection assessments and consultations with Supervisory Authorities or other government authorities regarding such assessments in relation to Front’s Processing of Customer Personal Data, including those required under Articles 35 and 36 of the GDPR.

b. Information and audits. Front shall cooperate with audits (including inspections) of Front’s technical and organizational measures to verify compliance with Customer’s obligations under Data Protection Laws and Front’s compliance with this DPA, provided that such audits shall be performed (i) at Customer’s sole cost and expense, (ii) by Customer or a qualified and independent third party auditor appointed by Customer in accordance with a recognized audit control standard or framework, (iii) subject to a non-disclosure agreement acceptable to Front in respect of information made available to participants in the audit, (iv) during normal business hours, (v) no more than once in any calendar year during the term of the Agreement unless Customer is required to perform the audit under Data Protection Laws, (vi) in accordance with Front’s safety, security or other relevant policies, and (vii) without unreasonably interfering with Front’s business activities. Customer shall not conduct any scans or technical or operational testing of Front’s applications, websites, Services, networks, or systems without Front’s prior approval. Customer shall promptly provide Front with a copy of any report created by an independent auditor engaged by Customer in respect of such an audit. This Section 9 shall not be construed to require Front to violate a duty of confidentiality to any third party.

c. Audit reports. If the controls or measures to be assessed in the requested audit are assessed in an audit performed by a qualified and independent third-party auditor pursuant to a recognized audit control standard or framework within twelve (12) months of Customer’s audit request and Front has confirmed in writing that there have been no known material changes to the controls audited and covered by such audit, Customer agrees to accept the auditor’s report regarding such audit (“Audit Report”) in lieu of requiring an audit of such controls or measures. Such Audit Report and any other information obtained by Customer in connection with an audit under this Section 9 shall constitute confidential information of Front, which Customer shall use only for the purposes of confirming compliance with the requirements of this DPA or performing Customer’s obligations under Data Protection Laws. Front shall provide Customer with any relevant Audit Report upon Customer’s written request.

Upon expiration or earlier termination of the Agreement, Front shall return and/or delete all Customer Personal Data in Front’s care, custody, or control in accordance with Customer’s instructions as to the post-termination return and deletion of Customer Data expressed in the Agreement. Notwithstanding the foregoing, Front may retain Customer Personal Data where required by law (or in the case of Customer Personal Data subject to the GDPR, the laws of the UK or European Union, as applicable), provided that Front shall (a) maintain the confidentiality of all such Customer Personal Data and (b) Process the Customer Personal Data only as necessary for the purpose and duration specified in the applicable law requiring such retention.

a. Security. Customer is solely responsible for its use of the Services, including (i) making appropriate use of the Services to maintain a level of security appropriate to the risk posed to Customer Data; (ii) securing the account authentication credentials, systems and devices Customer or End Users use to access the Services; and (iii) backing up Customer Data.

b. Legal basis. Customer will not instruct Front to Process Customer Data in violation of Data Protection Laws. Front has no obligation to monitor the compliance of Customer’s use of the Service with Data Protection Laws. Customer shall ensure that (i) there is a valid legal basis for Front’s Processing of Customer Personal Data as contemplated by the Agreement for the purposes of Data Protection Laws and (ii) all notices have been given to, and all consents and permissions have been obtained from, Data Subjects and others as are required, including under Data Protection Laws, for Front to Process Customer Personal Data as contemplated by the Agreement.

c. Prohibited data. Customer acknowledges that the Services are not designed to comply with, and shall ensure that Customer Personal Data does not contain any “protected health information” as defined in, the Health Insurance Portability and Accountability Act (HIPAA).

d. Additional assistance. If Customer requests cooperation, information or assistance pursuant to Sections 6, 9, or 10 of this DPA beyond Front’s provision of self-service features as part of the Services that Customer can use to obtain the requested cooperation, information or assistance, then Customer shall reimburse Front for any costs and expenses reasonably incurred by Front in the course of responding to such requests and Front reserves the right to charge its applicable fees for professional services required to fulfill such requests.

In the event of any conflict or inconsistency between (a) this DPA and the Agreement, this DPA shall prevail or (b) any SCCs entered into pursuant to Annex 2 (Europe Annex) and any other provision of the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply. References to “including” mean “including, without limitation”.

Annex 1 – Data Processing Details

CUSTOMER / ‘DATA EXPORTER’ DETAILS

Name: As provided in the Agreement or applicable ordering document.
Contact details for data protection: As provided in the Agreement or applicable ordering document.
Customer Activities: As described on Customer’s website set out in the applicable ordering document.
Role: Controller (or if Customer uses the Services on behalf of a Controller, Processor).

FRONT / ‘DATA IMPORTER’ DETAILS

Name: FrontApp, Inc.
Contact details for data protection: 300 Montgomery Street, 5th Floor, San Francisco, CA 94104, [email protected]
Front Activities: Front is a communication hub for building strong customer relationships on digital channels.
Role: Processor

DETAILS OF PROCESSING

Categories of Data Subjects: Customer’s personnel, customers, service providers, business partners and affiliates.

Categories of Personal Data: Contact details, communications, and other categories of personal data that users choose to submit to the Services.

Sensitive Categories of Data and associated additional restrictions/safeguards: Not applicable.

Frequency of transfer: Continuous.

Nature of the Processing: Processing operations required to provide the Services in accordance with the Agreement.

Purpose of the Processing: Provide the Services, as more particularly described in the Agreement, and carry out Customer instructions as described in this DPA.

Duration of Processing / Retention Period: Concurrent with term of the Agreement and then thereafter pursuant to Section 10 of the DPA.

Transfers to Subprocessors: As described in the Subprocessor Page (as may be updated from time to time in accordance with the DPA) for the purposes described therein.

Annex 2 – Europe Annex

This Annex 2 (Europe Annex) applies only to the extent required to establish a valid legal basis under Chapter V of the GDPR and/or the FADP (as applicable) in respect of a Restricted Transfer of Customer Personal Data from Customer to Front where no other such legal basis applies.

1. EU RESTRICTED TRANSFERS

   1. Incorporation of SCCs. In respect of any EU Restricted Transfer from Customer to Front, the Parties shall comply with their respective obligations under the SCCs, which are hereby deemed to be (i) populated in accordance with this Paragraph 2 and (ii) entered into by the Parties and incorporated by reference into this DPA.

   2. Population of SCCs. In respect of any EU Restricted Transfer from Customer to Front:

      1. Signature of the SCCs. Each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs and those SCCs are entered into by and between the Parties as of the later of (A) the effective date of the Agreement or (B) the date of the first EU Restricted Transfer to which they apply.

      2. Modules. With respect to the Processing of Customer Personal Data involving an EU Restricted Transfer or UK Restricted Transfer, Module 2 (Controller to Processor) of the SCCs applies where Customer is a Controller and Front is a Processor and Module 3 (Processor to Processor) of the SCCs applies where Customer is a Processor (on behalf of a third-party Controller) and Front is a Processor.

      3. Body of the SCCs. For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:

         1. The optional ‘Docking Clause’ in Clause 7 does not apply.

         2. In Clause 9, Option 2 applies. The minimum time for advance notice of the addition or replacement of Subprocessors shall be as specified in Section 8 of the DPA and the list of Subprocessors already authorized by the data exporter shall be the list on the Subprocessor Page as of the effective date of the Agreement. Option 1 and Annex III to the Appendix to the SCCs do not apply.

         3. In Clause 11, the optional language does not apply.

         4. In Clause 13, all square brackets are removed with the text remaining.

         5. In Clause 17, Option 1 applies and the Parties agree that the SCCs shall governed by the law of Ireland in relation to any EU Restricted Transfer.

         6. For purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.

      4. Annexes to the Appendix to the SCCs

         1. Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with Customer being the ‘data exporter’ and Front being the ‘data importer’.

         2. Part C of Annex I to the Appendix to the SCCs is populated to provide that the competent supervisory authority shall be (1) where Customer is established in an EU Member State, the supervisory authority of that EU Member State; (2) where Customer is not established in an EU Member State but is subject to the GDPR under Article 3(2) and has appointed an EU representative under Article 27 of the GDPR, the supervisory authority of the EU Member State in which Customer’s EU representative is based; or (3) where Customer is not established in an EU Member State but is subject to the GDPR under Article 3(2) and has not appointed an EU representative under Article 27 of the GDPR, the supervisory authority of one of the EU Member States in which Data Subjects whose Personal Data is transferred in the Restricted Transfer in relation to the offering of goods or services to them, or whose behavior is monitored, are located, which supervisory authority must be confirmed in a written notice from Customer to Front.

         3. Annex II to the Appendix to the SCCs is populated to incorporate the description of the Security Measures in Section 5 of the DPA and Front’s obligations under Sections 6 and 7 of the DPA.

   3. Operational Clarifications

      1. When complying with its transparency obligations under Clause 8.3 of the SCCs, Customer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, Front’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information.

      2. For the purposes of Clause 10(a) of Module Three of the SCCs, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for Front to notify any third-party Controller of any Data Subject Request and that any such notification shall be the sole responsibility of Customer.

      3. For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Customer agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.

      4. The terms and conditions of Section 8 of the DPA apply in relation to Front’s appointment and use of Subprocessors under the SCCs. Any approval by Customer of Front’s appointment of a Subprocessor that is given expressly or deemed given pursuant to Section 8 of the DPA constitutes Customer’s documented instructions to effect disclosures and onward transfers to any relevant Subprocessors as required under Clause 8.8 of the SCCs.

      5. The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in Section 9 of the DPA.

      6. Certification of deletion of Customer Personal Data as described in Clauses 8.5 and 16(d) of the SCCs, shall be provided only upon Customer’s written request.

   4. Liability to Data Subjects. Nothing in the Agreement shall limit either party’s liability to Data Subjects under the third party beneficiary provisions of the SCCs.

2. UK RESTRICTED TRANSFERS

   1. Incorporation of SCCs; UK Transfer Addendum. In respect of any UK Restricted Transfer from Customer to Front, the Parties shall be bound by the SCCs as set forth in Paragraph 1 and such SCCs are hereby deemed to be (i) modified to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with this Paragraph 2 and (ii) entered by the Parties and incorporated by reference into this DPA. As permitted by Section 17 of the UK Mandatory Clauses, the Parties agree that the manner of the presentation of the information included in the UK Transfer Addendum as set out in this Paragraph 2 shall not operate or be construed to reduce the Appropriate Safeguards (as defined in the Mandatory Clauses).

   2. Population of UK Transfer Addendum. In respect of any UK Restricted Transfer from Customer to Front:

      1. With respect to Part 1 of the UK Transfer Addendum, as permitted by Section 17 thereof, (A) Tables 1, 2 and 3 to the UK Transfer Addendum are populated with the corresponding details set out in Annex 1 (Data Processing Details) to the DPA, subject to the variations effected by the UK Mandatory Clauses described below, and (B) Table 4 to the UK Transfer Addendum is populated by the box labeled ‘Data Importer’ being ticked.

      2. With respect to Part 2 to the UK Transfer Addendum, the Parties shall be bound by the UK Mandatory Clauses thereof.

3. SWISS RESTRICTED TRANSFERS

   1. Swiss Restricted Transfers. In respect of any Swiss Restricted Transfer from Customer to Front, the Parties shall be bound by the SCCs as set forth in Paragraph 1 and such SCCs are hereby deemed to be (i) modified to address the requirements of the FADP in accordance with this Paragraph 3 and (ii) entered into by the Parties and incorporated by reference into this DPA.

   2. Population of SCCs. In respect of any Swiss Restricted Transfer from Customer to Front:
      1. 
         

      2. In Clause 13, the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.

      3. In Clause 17 (Option 1), the SCCs shall be governed by the laws of Switzerland.

      4. In Clause 18(b), disputes shall be resolved before the courts of Switzerland.

      5. The term “Member State” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c).

      6. All references to the EU GDPR in this DPA are also deemed to refer to the FADP.

4. DATA PRIVACY FRAMEWORK

For clarity, a transfer of Customer Personal Data from the EU, UK or Switzerland to Front in the United States shall not constitute a Restricted Transfer so long as Front maintains an active certification to the EU-U.S. Data Privacy Shield Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Shield Framework, as applicable (collectively, the “DPF”), and certification to the DPF remains a legal basis for transfer of Personal Data to the United States under the GDPR or FADP, as applicable.

Annex 3 – California Annex

This Annex 3 (California Annex) applies only to Front’s Processing of Personal Data subject to the CCPA.

1. Capitalized terms used in this California Annex but not defined in the Agreement shall have the meanings given in the CCPA. As used in this California Annex, “Personal Information” means Customer Personal Data that constitutes “personal information” under the CCPA.

2. It is the Parties’ intent that Front is a Service Provider with respect to its Processing of Personal Information. Front (a) acknowledges that Personal Information is disclosed by Customer only for limited and specified purposes described in the Agreement; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps under Section 9 of the DPA to help to ensure that Front’s use of Personal Information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing of any determination made by Front that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.

3. Front shall not (a) Sell or Share Personal Information; (b) retain, use, or disclose any Personal Information for any purpose other than for the Business Purposes specified in the Agreement, including retaining, using, or disclosing Personal Information for a Commercial Purpose other than the Business Purpose specified in the Agreement, or as otherwise permitted by CPPA; (c) retain, use or disclose Personal Information outside of the direct business relationship between Front and Customer; or (d) combine Personal Information received pursuant to the Agreement with Personal Information (i) received from or on behalf of another person, or (ii) or collected from Front’s own interaction with any Consumer to whom such Personal Information pertains. Front hereby certifies that it understands its obligations under this paragraph and shall comply with them.

4. Giving Customer notice of Subprocessor engagements in accordance with Section 8 of the DPA shall satisfy Front’s obligation under the CPRA to give notice of such engagements.

5. The Parties acknowledge that Front’s Processing of Personal Information authorized by Customer’s instructions described in this DPA is integral to the Services and the Parties’ business relationship.

6. Access to Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.

Annex 4 – Security Measures

Measures of pseudonymization and encryption

Customer Personal Data is encrypted both in transit and at rest. In transit, Front uses TLS 1.2 or greater for data encryption between Front and third parties, including customers. At rest, Front leverages its hosting subprocessor, Amazon Web Services (AWS) to store data, which allows for data to be encrypted at rest using RDS, EBS, and S3.

Amazon Relational Database Service (RDS) encrypts databases using keys that are managed using Front’s Amazon Key Management System (KMS). RDS encryption uses the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS instance.

Measures designed to protect ongoing confidentiality, integrity, availability and resilience of processing systems and services

Front encrypts Customer Personal Data and employs identity and access (both logical and physical) management designed to protect it.

Code changes undergo a second code review before deploying to production.

Access to Customer Personal Data is restricted and logged to prevent unauthorized data modification and corruption.

Utilizing multiple AWS Availability Zones. Front has a scalable architecture, with a number of parameters that can autoscale based on demand.

Measures for restoring the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident

Front performs daily backups using an automated system in AWS. Datastores are retained for 7 days. Backup data is also stored in a separate AWS availability zone allowing recovery in the event of a physical or technical incident.

Front maintains a disaster recovery plan designed to facilitate an orderly and effective recovery. The plan is tested on an annual basis.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures

Front undergoes an annual third-party penetration testing. In addition, Front undergoes an annual SOC 2 Type II audit performed by an independent third-party auditor to assess the suitability of the design and effectiveness of our controls.

Measures for user identification and authorisation

Front allows customers to enable multi-factor authentication. Front maintains a principle of least privilege on its business systems that Process Customer Personal Data and all uses of elevated privilege are logged. Front requires all production systems that Process Customer Personal Data to be accessed only with multi-factor authentication.

Measures for the protection of data during transmission

Please see "Measures of pseudonymization and encryption of personal data" above.

Measures for the protection of data during storage

Please see "Measures of pseudonymization and encryption of personal data" above.

Measures designed to protect physical security of locations at which Customer Personal Data are processed

Customer Personal Data is processed by our hosting subprocessor, Amazon Web Services (AWS). AWS data center facilities are ISO 27001:2013 certified and undergo periodic SOC 1 and SOC 2 Type 2 report audits. Certification status and the results of audits are reviewed periodically as part of Front monitoring controls and the vendor management process. Physical access to Front’s offices is strictly controlled with keycards and security guards at the building entrances.

Measures for events logging

System logging and monitoring software is used to collect data from system infrastructure components and endpoints, to monitor for potential security threats and vulnerabilities, and to detect unusual system activity or service requests. Front enables alerting when credentials for certain privileged systems are used.

Measures for system configuration, including default configuration

Infrastructure is virtualized with AWS. Our cloud infrastructure is deployed from Terraform templates. Changes to the system configuration and infrastructure must undergo peer review to guard against unauthorized changes.

Measures for internal IT and IT security governance and management

Front has an Information Security Management System (ISMS) committee that is responsible for security and compliance efforts internally. The ISMS committee meets quarterly to review strategic initiatives, assess key risk and threats to the company, and track progress on the remediation of risks identified during the annual internal risk assessment and third party penetration test.

The ISMS committee exercises oversight of security controls by reviewing the ISMS policy on an annual basis. In addition, the ISMS committee communicates security and compliance efforts to Front’s board of directors on a quarterly basis.

Measures for data minimization

Customers determine what Customer Data will be submitted to the Front Service. Front will inform the Customer if certain data must be provided.

Measures designed to enhance data quality

Customers are responsible for the data they elect to include in Customer Data. Customers can correct or complete data they deemed to be inaccurate or incomplete. Front implements access controls and logging for data systems designed to prevent possible data corruption.

Measures for ensuring limited data retention

Upon written request, customers can request their data to be deleted within the timeline specified in the Data Processing Addendum and in accordance with Data Protection Laws.

Measures for allowing data portability and ensuring erasure

Front allows Customers to obtain Customer Personal Data in a structured, commonly used and machine-readable format. Customers can ask Front to delete their Customer Data as described in the Data Processing Addendum and such requests generally will be processed within 30 days.