Data Processing Addendum

The following definitions and rules of interpretation apply in this DPA. This DPA comprises part of the Agreement and any terms not otherwise defined herein shall have the meaning set forth in the Agreement.

1. Definitions
   1. “California Personal Information” means Personal Data that is subject to the protection of the CCPA.
   2. “CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018) and its implementing regulations, as the same may be amended from time to time including by the California Privacy Rights Act of 2020.
   3. “Consumer“, “Business“, “Controller”, “Business Purpose”, “Personal Data”, “Personal Information”, “Processor”, “Sell“, “Share” and “Service Provider” will have the meanings given to them in the CCPA. VCDPA, or other Data Protection Legislation, as applicable.
   4. “Controller, Data Subject, Personal Data, Personal Data Breach, Processor, Processing/Process/Processed and Supervisory Authority” is as defined in the GDPR.
   5. “Data Protection Legislation” means all applicable data protection and privacy applicable to the parties’ Processing of Personal Data, including Regulation (EU) 2016/679 (“GDPR“); the GDPR as defined in section 3(10) (as supplemented by section 205(4)) of the DPA 2018 (“UK GDPR“); the Data Protection Act 2018 (“DPA 2018“); the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; the CCPA; the VCDPA and any other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data.
   6. “Services” means the services to be provided by Us to You under the Agreement.
   7. “Standard Contractual Clauses” means, together, the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 2021 (“EU SCCs“) and the UK International Transfer Addendum to the EU SCCs (“UK Addendum“).
   8. “VCDPA” means Va. Code Ann. § 59.1-575 et seq. (also known as the Virginia Consumer Data Protection Act), as the same may be amended from time to time.
   9. “Virginia Personal Information” means Personal Data subject to the protection of the VCDPA.
2. In the case of conflict or ambiguity between:
   1. any provisions contained in the body of this DPA and any provisions contained in the Schedules, the provisions in the body of this DPA will prevail; and
   2. any of the provisions of this DPA and any provisions in the Agreement, the provisions of this DPA will prevail.

1. The parties acknowledge that for the purpose of the Data Protection Legislation, You are the Controller and We are the Processor for all Personal Data entered into the Pinpoint platform by both Your team and any of Your candidates, recruiters, or third parties . 
2. You retain control of the Personal Data and remain responsible for Your compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions You give to Us. 
3. You warrant that Our expected use of the Personal Data for the provision of the Services and as specifically instructed by You will comply with the Data Protection Legislation.
4. The Schedules describe the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which We may process Personal Data to fulfil the Services.

You shall:

1. provide clear and comprehensible written instructions to Us for the Processing of Personal Data, such instructions being as set out in this Agreement together with any other specific instructions agreed by the parties in writing from time to time;
2. unless otherwise agreed in writing, the parties hereby agree that the Agreement together with the Customer’s use of the Services, constitute Your complete and final instructions in relation to the Processing of Personal Data;
3. ensure that You have all the necessary licences, permissions and consents from Data Subjects; and
4. ensure that You have an applicable legal basis, for the transfer of Personal Data to Us and to the processing of that Personal Data by Us.

1. We will only process the Personal Data to the extent, and in such a manner, as is necessary for the Services in accordance with Your written instructions. We will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. We will immediately notify You if, in Our opinion, Your instruction would not comply with the Data Protection Legislation.
2. We will promptly comply with any request or instruction from You requiring Us to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3. We will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless You or this DPA specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires Us to process or disclose Personal Data, We will first use reasonable endeavours to inform You of the legal or regulatory requirement and give You an opportunity to object or challenge the requirement, unless the law prohibits such notice.
4. We will reasonably assist You with meeting Your compliance obligations under the Data Protection Legislation, taking into account the nature of Our processing and the information available to Us, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
5. We will promptly notify You of any changes to Data Protection Legislation that may adversely affect Our performance of the Services.
6. You acknowledge that We are free to use meta-data, statistics and such other information derived from the Personal Data We receive from You which cannot be identified as originating or deriving directly from such Personal Data, and cannot be reverse-engineered by a third party such that it can be so identified, for any purpose whatsoever.

We will ensure that any and all employees:

1. are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
2. have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
3. are aware both of Our duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

1. We will at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out at Schedule 3. 
2. We may update the security measures from time to time, provided they do not result in a reduction in the security over the Personal Data to which they apply. We will maintain an up-to-date written record of Our then-current security measures, which We shall provide to You on request, and review at least on an annual basis to ensure they remain current and complete.
3. We will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
   1. the pseudonymisation and encryption of Personal Data;
   2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
   3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
   4. a process for regularly testing, assessing and evaluating the effectiveness of security measures.

1. We will notify You within 72 hours of becoming aware if any of Your Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. We will restore such Personal Data at Our own expense.
2. We will without undue delay notify You if We become aware of:
   1. any accidental, unauthorised or unlawful processing of Your Personal Data; or
   2. any Personal Data Breach relating to Your Personal Data.
3. Where We become aware of an event within the scope of clause 7.2, We shall, without undue delay, also provide You with the following information:
   1. a description of the nature of such event, including the categories and approximate number of both Data Subjects and Personal Data records concerned;
   2. the likely consequences of the event; and
   3. a description of the measures taken or proposed to be taken to address such event, including measures to mitigate its possible adverse effects.
4. Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. We will reasonably co-operate with You in Your handling of the matter, including:
   1. assisting with any investigation;
   2. making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by You; and
   3. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing.
5. We will not inform any third party of any Personal Data Breach without first obtaining Your prior written consent, except when required to do so by law, to maintain any policy of insurance, or to maintain regulatory or equivalent certifications.
6. Subject to clause 7.5 You have the sole right to determine:
   1. whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Your discretion, including the contents and delivery method of the notice; and
   2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

1. If an adequate protection measure for the international transfer of Personal Data is required under Data Protection Legislation (and has not otherwise been arranged by the parties) the Standard Contractual Clauses shall be incorporated into this Agreement in the Schedules as if they had been set out in full.
2. The parties shall ensure that whenever Personal Data is transferred outside the European Economic Area and the United Kingdom (“GDPR Territories“) they:
   1. are Processing Personal Data in a territory which is subject to a current finding by the European Commission under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; 
   2. participate in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the parties can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR; or
   3. otherwise ensure that the transfer complies with the Data Protection Legislation.
3. In the case of any Processing of Personal Data outside of the GDPR Territories as at the date of this DPA, We have identified in the Schedules the relevant transfer mechanism. We will promptly inform You of any change to such mechanisms.
4. You authorise Us to enter into the Standard Contractual Clauses with the sub-Processor on Your behalf, if required to ensure the relevant Processing of Personal Data complies with Data Protection Legislation. We will make the executed Standard Contractual Clauses available to You on written request.

1. This clause 9 will apply only with respect to California Personal Information and Virginia Personal Information.
2. When processing California Personal Information in accordance with Your instructions, the parties acknowledge and agree that You are a Business and We are a Service Provider for the purposes of the CCPA.
3. When processing Virginia Personal Information in accordance with Your instructions, the parties acknowledge and agree that You are a Controller and We are a Processor for the purposes of the VCDPA.
4. We will not Sell or Share the California Personal Information we collect pursuant to the Agreement.
5. We will Process California Personal Information as reasonably necessary to perform the Services, and only for the following limited and specified Business Purpose(s): auditing, security and integrity, repair functionality, short-term transient use, performing services on behalf of Customer, advertising and marketing, internal research, and quality and safety.
6. We will not retain, use, or disclose California Personal Information We collect pursuant to the Agreement for any purpose other than the Business Purpose(s) set forth in clause 9.5 above, or as otherwise permitted by the CCPA.
7. We will not retain, use, or disclose California Personal Information We collect pursuant to the Agreement for any commercial purpose other than the Business Purpose(s) set forth in clause 9.5 above, unless expressly permitted by the CCPA.
8. We will not retain, use, or disclose California Personal Information We collect pursuant to the Agreement outside the direct business relationship between You and Us, unless expressly permitted by the CCPA.
9. We will comply with all applicable sections of the CCPA, including providing the same level of privacy protection to California Personal Information collected pursuant to the Agreement as is required of Customer by the CCPA.
10. We will implement reasonable security procedures and practices appropriate to the nature of the Personal Information to protect California Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Cal. Civ. Code § 1798.81.5.
11. We will notify Customer if We make a determination that We can no longer meet Our obligations under the CCPA.
12. We grant Customer the right to take reasonable and appropriate steps to ensure We use California Personal Information We collect pursuant to the Agreement in a manner consistent with Customer’s obligations under the CCPA, including by providing the audit rights set forth in clause 15 below.
13. We grant Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of California Personal Information by Us.
14. We will enable Customer to comply with consumer requests made pursuant to the CCPA.
15. We certify that we understand the restrictions set forth in this clause 9 that apply to California Personal Information and will comply with them.
16. We will ensure that each person processing Virginia Personal Information is subject to a duty of confidentiality with respect to the data.
17. We will, upon Customer’s reasonable request, make available to Customer the information in Our possession that is necessary to demonstrate Our compliance with the VCDPA.

1. We may only authorise a third party (sub-Processor) to process the Personal Data if:
   1. You are provided with an opportunity to object to (but not prevent) the appointment of each sub-Processor within 30 days of Us providing You with reasonable details of the forthcoming changes to Our sub-Processors, with such details to be provided by Us updating Our dedicated sub-Processor webpage at www.pinpointhq.com/security-privacy/sub-processors;
   2. We enter into a written contract with the sub-Processor that contains terms similar to those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon Your written request and at Your expense, provide You with copies of such contracts (subject to redaction of any confidential information); and
   3. We maintain control over all Personal Data We entrust to the sub-Processor.
2. You authorise Us to use sub-Processors set out on Our dedicated sub-Processor webpage. These sub-Processors include but are not limited to the general categories of data storage, hosting (including data centres and providers of virtual software environments) and IT support. 
3. If You object to Our engagement of a sub-Processor in accordance with the procedure at clause 10.1.1, We will discuss Your concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, We will, at Our sole discretion, either not appoint the new sub-Processor, or permit You to suspend or terminate the affected Services in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any Fees incurred prior to such suspension or termination).
4. Where the sub-Processor fails to fulfil its obligations under such written agreement, We remain fully liable to You for the sub-Processor’s performance of its agreement obligations.

1. We will take such technical and organisational measures as may be appropriate, and promptly provide such information to You as You may reasonably require, to enable You to comply with:
   1. the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and
   2. information or assessment notices served on You by any supervisory authority under the Data Protection Legislation.
2. We will notify You immediately if We receive any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.
3. We will notify You without undue delay if We receive a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.
4. We will give You Our full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
5. We will not disclose the Personal Data to any Data Subject or to a third party other than at Your request or instruction, as provided for in this DPA or as required by law.

1. This DPA will remain in full force and effect for so long as We retain any of Your Personal Data related to the Services in Our possession or control.
2. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Services in order to protect Personal Data will remain in full force and effect.
3. If a change in any Data Protection Legislation prevents either party from fulfilling all or part of the Services, the parties will discuss in good faith with a view to implementing any changes necessary to ensure the processing of Personal Data complies with the new requirements. 

1. At Your request, We will give You a copy of or access to all or part of Your Personal Data in Our possession or control in a commonly accessible and electronic format determined by Us. 
2. We offer You candidates access to a suite of data management tools, giving them the ability to assert many of the rights granted to them under the Data Protection Legislation. These include (but are not limited to) the ability to revoke their application, manage their communication and speculative application preferences, and to delete their Personal Data from the Pinpoint platform at any time. You will be notified automatically by the Pinpoint platform whenever a candidate exercises these rights.
3. Any data removed from the Pinpoint platform using the data management tools is deleted immediately from the production system and will be deleted within 30 days from all backup datasets. Any other data export or removal requests will be removed from the production system within 15 days and from all backup datasets within 45 days.
4. On termination of the Services for any reason or expiry of its term, We will promptly securely delete or destroy or, if directed in writing by You within thirty (30) days of termination, return and not retain, all or any Personal Data related to this DPA in Our possession or control. This requirement shall not apply to Personal Data which We have archived on Our backup systems which are not reasonably accessible, provided that such Personal Data is deleted promptly in the event such backups become reasonably accessible (such as by Us using those backups to restore Our systems).
5. Clause 13.4 shall not apply to the extent any law, regulation, or government or regulatory body requires Us to retain any documents or materials that We would otherwise be required to return or destroy.

1. We will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data We carry out for You (“Records“) and provide You with copies of the Records upon request.

1. No more than once during any consecutive 12-month period, on Your request We will provide You with the relevant information from Our SOC 2 Type 2 audit (which may have been carried out internally or by third-party representatives) to evidence Our compliance with this DPA and provide the summary results to You. You shall be entitled to ask questions of Us related to compliance with Data Protection Legislation in advance of the audit, We shall use Our reasonable endeavours to respond adequately when providing the audit results.
2. On Your written request, We will exercise relevant audit rights We have in connection with Our sub-Processors’ compliance with their obligations regarding Your Personal Data, and provide You with a summary of the audit results.
3. The audit rights set out at clauses 15.1 – 15.2 are Your only contractual rights (and Our only contractual obligations) in connection with the auditing of Our Processing of Personal Data. Save that nothing in this DPA shall prevent or is intended to undermine the rights and powers granted to Data Subjects or Supervisory Authorities, and accordingly We shall submit to any audits required by a Supervisory Authority or Data Protection Legislation. 

1. We may vary this DPA from time to time on giving You shall be given at least 30 days’ notice in writing provided that any variation required by applicable law will be effective immediately. If You do not accept the variation, You may, within 30 days of being notified of the variation (“Review Period“) notify Us of your objection. If We can no longer provide the Services under the terms of the DPA prior to the modification, We may terminate the Agreement on written notice to You. Your continued use of the Services after the Review Period will constitute Your acceptance of the variation.

1. Incorporation of the EU SCCs
   1. To the extent clause 8.1 applies and the transfer is made pursuant to the GDPR, this Schedule 1 and the following terms shall apply: Module 2 of the EU SCCs, and no other optional clauses unless explicitly specified, are incorporated into this Schedule 1 as if they had been set out in full in the case where the exporter is a Controller, the importer is a Processor and the transfer requires such additional protection.
2. Clarifications to the EU SCCs
   1. Deletion of data. For the purposes of clause 8.5 of the EU SCCs (Duration of processing and erasure or return of data), the parties agree as follows: At the end of the provision of the processing services the importer shall delete all Personal Data and shall certify to the exporter that it has done so, if requested to provide such certification by the exporter in writing.
   2. Auditing. The parties acknowledge that the importer complies with its obligations under clause 8.9 of the EU SCCs (Documentation and compliance) by exercising its contractual audit rights it has agreed with its sub-processors.
   3. Sub-Processors. For the purposes of clause 9 of the EU SCCs (Use of sub-processors), the parties agree that the process for appointing sub-processors set out in clause 9 applies.
   4. Best Efforts Obligations. For the purposes of clauses 14(c), 15.1(b) and 15.2 of the EU SCCs (Local laws and practices affecting compliance with the clauses) the parties agree that “best efforts” and the obligations of the importer under clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.
   5. Competent Supervisory Authority. For the purposes of clause 13 of the EU SCCs, the competent Supervisory Authority shall be:
      1. if the exporter is established in an EU Member State: The Irish Data Protection Commissioner;
      2. where the exporter is not established in an EU Member State and has appointed a representative pursuant to Article 27(1) GDPR, it shall notify the importer of this and the EU Member State in which the exporter’s representative is appointed shall be the competent Supervisory Authority; and
      3. where the exporter is not established in an EU Member State, but falls within the territorial scope of Article 3(2) GDPR but has not appointed a representative pursuant to Article 27(1) GDPR: the exporter shall notify the importer of its chosen competent supervisory authority, which must be the Supervisory Authority of an EU Member State in which the Data Subjects whose personal data is transferred under the EU SCCs in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
   6. Governing Law & Jurisdiction. For the purposes of clauses 17 and 18 of the EU SCCs, the parties agree that the governing law shall be where the exporter is established. If those laws do not allow for third party rights, the law of Ireland shall apply.
3. Processing Particulars for the EU SCCs
   1. The Parties
      1. Exporter (Controller): Customer
      2. Importer (Processor): Pinpoint
   2. Description Of Data Processing
      1. Categories of data subjects: Customer may submit Personal Data in the course of using the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to Customer’s candidates, employees, contractors, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to Customer’s end users.
      2. Categories of personal data transferred: Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data: 
         1. Customer Data of all types may be submitted by Candidates to the Customer or uploaded by Customer. Such information may include, but is not limited to name, contact information, employment history, and other personal details that the Customer solicits or Candidates submit.  
         2. Contact details of Customer’s employees, end users, and other contacts. Such information may include, but is not limited to, contact information, name, and payment information. 
         3. Any other Personal Data submitted by, sent to, or received by Customer or Customer’s end users via the Subscription Service. 
   3. Sensitive data transferred: Customer may submit special categories of Personal Data to the Subscription Service, the extent of which is determined and controlled by Customer. For clarity, these special categories of Personal Data may include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, and similar information.
   4. Frequency of the transfer: Continuous during the provision of the Services.
   5. Nature of the processing: Personal Data is processed as necessary to provide the Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by the Customer in its use of the Services.
   6. Purpose of the processing: Personal Data is processed as necessary to provide the Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by Customer in its use of the Services.
   7. Duration of the processing: For the duration of the Agreement, unless otherwise agreed In writing.
   8. Sub-Processor Transfers: As set out at clause 9 of the EU SCCs (Use of sub-processors).
   9. Competent Supervisory Authority: As set out at paragraph 2.6.
   10. Technical and Organisational Measures: As set out at Schedule 3.

1. Parties. As set out in Schedule 1.
2. Selected SCCs, Modules and Clauses. Module 2 of the EU SCCs and no other optional clauses unless explicitly specified, and as amended by the clarifications in Schedule 1, paragraph 2, but subject to any further amendments detailed in this Schedule 2.
3. Appendix Information. The processing details required by the UK Addendum are as set out in Schedule 1, paragraph 3.
4. Termination of the UK Addendum. In the event the template UK Addendum issued by the Information Commissioner’s Office and laid before Parliament in accordance with s119A of the DPA 2018 on 2 February 2022, as it is revised under Section ‎18 is amended, either party may terminate this Schedule 2 on written notice to the other in accordance with Table 4 and paragraph 19 of the UK Addendum and replace it with a mutually acceptable alternative.

1. Access Control
   1. Preventing Unauthorised Product Access
      1. Outsourced processing: Pinpoint hosts its Service with outsourced cloud infrastructure providers. Additionally, Pinpoint maintains contractual relationships with vendors in order to provide the Service in accordance with our Data Processing Agreement. Pinpoint relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
      2. Physical and environmental security: Pinpoint hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
      3. Authentication: Pinpoint implements a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
      4. Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers only via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorisation model in each of Pinpoint’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
      5. Application Programming Interface (API) access: Public product APIs may only be accessed using an API key.
   2. Preventing Unauthorised Product Use. Pinpoint implements industry standard access controls and detection capabilities for the internal networks that support its  products.
      1. Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorised protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
      2. Intrusion detection and prevention: Pinpoint uses a third-party service provider to monitor and protect its infrastructure from automated scanners, bots and targeted attacks. It blocks attacks and alerts in case of critical threats. It also brings additional features like IP blocking, suspicious behaviour monitoring, and informs us of any vulnerabilities in dependencies.
      3. Static code analysis: Security reviews of code stored in Pinpoint’s source code repositories is performed, checking for coding best practices and identifiable software flaws.
      4. Penetration testing: Pinpoint performs dynamic application security testing (DAST) via the use of a third party service. This service is a web security scanner that works with ethical hackers to perform fully automated tests to identify vulnerabilities in web applications. Pinpoint systems are tested by independent third party penetration testing firms.
   3. Limitations of Privilege & Authorisation Requirements
      1. Product access: A subset of Pinpoint’s employees have access to the products and to select customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security.
      2. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high-risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
2. Transmission Control
   1. In-transit: Pinpoint makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every Customer site hosted on the Pinpoint products. Pinpoint’s HTTPS implementation uses industry standard algorithms and certificates.
   2. At-rest: Pinpoint stores user passwords following policies that follow industry standard practices for security. Pinpoint has implemented technologies to ensure that stored data is encrypted at rest.
3. Input Control
   1. Detection: Pinpoint designed its infrastructure to log extensive information about the system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Pinpoint personnel, including security, operations, and support personnel, are responsive to known incidents.
   2. Response and tracking: Pinpoint maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel and appropriate resolution steps are identified and documented. For any confirmed incidents, Pinpoint will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
   3. Communication: If Pinpoint becomes aware of unlawful access to Customer data stored within its products, Pinpoint will notify Customer in accordance with the terms of the Agreement.
4. Availability Control
   1. Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
   2. Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
   3. Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
   4. Pinpoint’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Pinpoint operations in maintaining and updating the product applications and backend while limiting downtime.