Data Processing Addendum

1. Definitions.

When used in this Data Processing Addendum (“DPA”), the following terms have the following meaning. Any capitalized terms not defined in this Agreement shall have the meaning given in the Terms.

“Data Security Measures” means, as further detailed in Appendix 1, administrative, technical and physical safeguards and other security measures that are designed to (i) ensure the security and confidentiality of Personal Data, (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data or (iii) protect against any actual or suspected unauthorized Processing, loss, use, disclosure or acquisition of or access to any Customer Data.

“Data Subject” means a natural person to which the Personal Data pertains.

“Delete” or “Deletion” means to erase or destroy Personal Data so that it cannot be recovered or reconstructed.

“Customer Data” means the “Personal Data” (as defined in the GDPR) that is uploaded in the Zenwork Service portal/API for availing Service.

“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.

“processor” has the meaning given to it in the GDPR.

“Sale” or “Sell” has the meaning provided in § 1798.140(t) of the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100–1798.199 (“CCPA”);

2. Scope and Rules

This DPA applies when Customer Data is processed by Zenwork. In this context, Zenwork will act as processor to Customer, who can act either as controller or processor of Customer Data.

3.1 Compliance with Applicable Law

Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA.

3.2 Authority to process Customer Data

Each Party acknowledges and agrees that Zenwork has the sole and exclusive authority to determine the purposes for and means of Processing Customer Data under this Agreement, and that Zenwork is acting solely as a Service Provider with respect to this Customer Data. Zenwork has implemented and will maintain the technical and organizational measures as described in the Data Security Measures. Detailed controls can be reviewed in the current Zenwork SOC 2 Type 2 Audit report.

3.3 Disclosure of and Access to Personal Data; No Sales of Customer Data

Zenwork will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Zenwork a demand for Customer Data, Zenwork will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Zenwork may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then Zenwork will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Zenwork is legally prohibited from doing so. Zenwork restricts its personnel from processing Customer Data without authorization by Zenwork as described in the Data Security Measures. Zenwork imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

3.4   Information Security and Incident Response

3.4.1   Zenwork will implement and maintain a comprehensive written information security program that complies with Applicable Law, including the Data Security Measures, to protect Customer Data Processed under this Agreement from loss; theft; misuse; unauthorized access, disclosure, or acquisition; destruction or other compromise

3.4.2   Zenwork will (a) notify Customer of a security incident involving the loss of or unauthorized access to Customer Data (“Security Incident”) without undue delay after becoming aware of the Security Incident, and (b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.

3.4.3   Zenwork’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Zenwork of any fault or liability of Zenwork with respect to the Security Incident.

3.5 Zenwork Audits and Penetration Testing .

3.5.1   Zenwork Audits. Zenwork uses external auditors to verify the adequacy of its security measures. Since our applications and customer data is hosted on AWS infrastructure, we review independent audit reports of AWS at least annually and include all AWS security controls relevant to Zenwork in our SOC audit reports for informational purposes. Zenwork SOC Audits and web application penetration tests are performed at least annually by a group of independent and qualified professionals.

3.5.2   Audit Reports. In addition to the information contained in this DPA, upon Customer’s written request, Zenwork will make available the following documents and information: (i) SOC 1 Type 2 Report (ii) SOC 2 Type 2 Report (iii) Third Party penetration testing report.

3.5.3   Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the processing and the information available to Zenwork, Zenwork will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation, by providing the information Zenwork makes available under this Section.

3.5.4  Customer Audit:

If Customer reasonably suspects that an Information Security Incident has occurred with respect to Personal Data Processed under the Agreement then the Customer, or a qualified third party selected by Customer, may perform an assessment, audit, examination or review of all controls in Zenwork’s physical and/or technical environment in relation to Personal Data being handled and/or services being provided to Customer pursuant to the Master Service Agreement. Zenwork shall fully cooperate with such assessment by providing access to knowledgeable personnel, physical premises, documentation, infrastructure and application software that processes, stores or transports Customer Date. If Zenwork declines to follow any instruction requested by Customer regarding audits, including inspections, Customer is entitled to terminate the Agreement in accordance with its terms.

3.6   Data Destruction I

Promptly upon the expiration or earlier termination of this Agreement, or any earlier time that Customer requests, Zenwork will securely Delete or, at Customer’s option, return all Personal Data to Customer, and securely Delete any existing copies of the Personal Data, unless further storage of the Personal Data is required by Applicable Law, in which case Zenwork: (i) will continue to ensure the privacy, security and confidentiality of the Personal Data; (ii) will not Process the Personal Data further except to maintain it for 3 years and securely store it for at least one year in archive; (iii) will continue to comply with its obligations under this Agreement; and (iv) will securely Delete the Personal Data immediately after Zenwork’s duty under Applicable Law to retain it expires.

4.1   Upon Customer’s written request, Zenwork will:

Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA.

4.1.1   confirm to Customer its compliance with Applicable Law; and

4.1.2   complete a written information security questionnaire provided by Customer or a third party on Customer’s behalf regarding Zenwork’s business practices and information technology environment in relation to all Personal Data being handled and/or services being provided by Zenwork to Customer pursuant to the Agreement. Zenwork will fully cooperate with such inquiries, including such follow-up questions as Customer may have in relation to Zenwork’s responses.

4.2   Customer shall treat the information provided by Zenwork in the security questionnaire as Zenwork’s Confidential Information.

5. Claims.

Any claims against Zenwork shall only be brought by the Customer entity that is a party to the Terms. In no event shall this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority.

Appendix 1

Data Security Measures

1. Independent Certifications/SOC Audit

Any claims against Zenwork shall only be brought by the Customer entity that is a party to the Terms. In no event shall this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority.

2. Risk Management

Zenwork has placed into operation a risk management process to set objectives and that the chosen objectives support and align with the organization's mission and are consistent with its risk framework. A risk assessment is performed annually or whenever there are changes in security posture by a third-party vendor

3.1   Policies, including those related to data privacy, security and acceptable use, are assessed and approved by Zenwork’s senior management.

3.2   Policies are documented and published among all relevant personnel. Employees and contracted third parties are required to comply with Zenwork policies relevant to their scope of work.

3.3   New employees receive training on information security, compliance, data protection, anti corruption and anti-bribery.

3.4   Employees receive regular training updates, which cover Zenwork Information Security policies and expectations.

3.5   Where required, policies are supported by associated procedures, standards, and guidelines.

3.6   Information Security policies are updated, as needed, to reflect changes to business objectives or risk.

3.7   Senior management performs an annual review of all Information Security policies.

3.8   Information Security policies are stored, maintained, updated, and published in a centralized, online location.

3.9   Zenwork Information Security Management System contains appropriate sections including: password requirements, Internet usage, computer security, confidentiality, customer data protection, and Company data protection.

4.1   The Chief Executive Officer, the Senior Management Team and all employees are committed to establishing and operating an effective Information Security Management System in accordance with its strategic business objectives. Zenwork is committed to the Information Security Management System, and ensures that IT policies are communicated, understood, implemented and maintained at all levels of the organization and regularly reviewed for continual suitability.

4.2   Confidentiality and nondisclosure agreements are required when sharing sensitive, proprietary personal, or otherwise confidential information between Zenwork and any third-party.

4.3   A formal process is in place to manage third parties with access to organizational data, information systems, or data centers. All such third parties commit contractually to maintaining confidentiality of all confidential information.

5.1   The Chief Executive Officer, the Senior Management Team and all employees are committed to establishing and operating an effective Information Security Management System in accordance with its strategic business objectives. Zenwork is committed to the Information Security Management System, and ensures that IT policies are communicated, understood, implemented and maintained at all levels of the organization and regularly reviewed for continual suitability.

5.2   Zenwork maintains an information assets classification policy and classifies such assets in terms of its value, legal requirements, sensitivity, and criticality to the organization.

5.3   Account sharing is prohibited unless approved by management.

5.4   Media Handling Policy is implemented for procedures relating to disposal of information assets / equipment.

6.1 Security roles and responsibilities for employees are defined and documented.

6.2 Zenwork performs background screening of new hires including job history, references, and criminal checks (subject to local laws).

6.3 Zenwork requires all new employees to sign employment agreements, which include comprehensive non-disclosure and confidentiality commitments.

6.4 Zenwork maintains an information security awareness and training program that includes new hire training.

6.5 Information Security awareness is enhanced through regular communications using company-wide emails, as necessary.

6.6 Access for all new employees is configured with minimum default access to company resources/applications required by an employee to perform the job duty. Only the IT team/CEO has access to change user profiles or give higher access.

7.1 AWS Infrastructure is used for hosting Tax1099 and Compliancely software applications. AWS provides SOC compliant data center services. AWS SOC reports cover controls objectives related to Security, Availability, Confidentiality and PrivacyThe types of controls that are necessary to meet the applicable trust services criteria, either alone or in combination with controls at Zenwork include:

7.1.1 The system is protected against unauthorized access (both physical and logical).

7.1.2 The system is available for operation and use and in the capacities as committed or agreed.

7.1.3 Policies and procedures exist related to security and availability and are implemented and followed.

8.1   The operation of systems and applications that support the Service is subject to documented operating procedures.

8.2   All systems are configured with appropriate antivirus protection

8.3   Organizational charts are in place to communicate key areas of authority, responsibility, and appropriate lines of reporting to personnel. These charts are communicated to employees and are updated as needed.

8.4   Zenwork has implemented a well-defined Change management process to ensure that all changes to the information processing facilities, including equipment, supporting facilities and utilities, networks, application software, systems software and security devices are managed and controlled.

8.5   When an incident is detected or reported, a defined incident response process is initiated by authorized personnel. Corrective actions are implemented in accordance with defined policies and procedures.

9.1   Zenwork maintains an “Acceptable Use” policy that outlines requirements for the use of user IDs and passwords for logical access controls.

9.2   The organization publishes and maintains a password management standard. In general, users are asked to follow the strong password policies.

9.3  IT system access is reviewed on a monthly basis.

9.4   Access is granted on a least privileges basis as default and any additional access needs to be approved.

9.5   Company has established hardening standards production infrastructure that include requirements for implementation of security groups, access control, configuration settings, and standardized policies.

9.6   Company does not allow customers or external users to access its systems.

9.7   Cloud infrastructures are configured to use the AWS's identity and access management system (IAM). Relevant groups have been added in IAM.

9.8   Direct access to cloud infrastructure is possible only through encrypted SSH access by the IT team.

9.9   For AWS access, Multi Factor Authentication is enabled .

9.10   External users can only access the system remotely through secure sockets layer (SSL), or other encrypted communication system.

9.11   Upon notice of termination, all user access is removed. All critical system access is removed immediately upon notification

10.1   All changes are recorded, approved, implemented, tested and versioned before moving to production environment.

10.2   AWS tools are used to prevent Denial of Service (DOS) Attacks.

10.3   VPC has been setup and all production servers are within the private subnet

10.4   Direct access to production instances is only through 2048-bit SSH keys.

10.5   Only the production group has access to production resources.

10.6   There is a formal release process for releasing builds. The testing team does the complete testing of the release. On receipt of sign off mail from the testing team the release is deployed on production servers.

10.7   Separate environments are used for development, testing, and production. Developers do not have the ability to make changes to software in testing or production.

11. Information Security Incident Management.

Zenwork maintains an incident response plan. The plan addresses specific incident response procedures, data backup procedures, roles and responsibilities, customer communication, contact strategies, and legal information flow.

12. Business Continuity Management

Zenwork has a documented Business Continuity Plan and Disaster Recovery guideline to be used in the event of any necessary systems infrastructure recovery. These are tested at least annually.