Data Processing Addendum

The following definitions and rules of interpretation apply in this DPA. This DPA comprises part of the Agreement and any terms not otherwise defined herein shall have the meaning set forth in the Agreement.

1. Definitions“Controller” shall mean the entity which, alone or jointly with others, determines the purposes and means of the Processing of the Personal Data, including the “business” as that term is defined in the CCPA.”Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”/”Process”/”Processed” and “Supervisory Authority” are as defined in the Data Protection Legislation (either by reference to those precise terms or by reference to terms that would reasonably be understood to serve the same function, such as “Personal Data” and “Personal Information”), as applicable.”Data Protection Legislation” means all data protection and privacy legislation and regulatory requirements in force from time to time and applicable to the parties’ Processing of Personal Data in connection with the subject matter governed by the Agreement, including Regulation (EU) 2016/679 (“GDPR“); the Data Protection (Jersey) Law 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); and the U.S State Privacy Laws.”Processor” shall mean an entity that Processes Personal Data on behalf of the Controller, including (as applicable) a “service provider” as that term is defined in the CCPA.”Services” means the services to be provided by Us to You under the Agreement.

   “Standard Contractual Clauses” means, together, the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 2021 (“EU SCCs“).

   “U.S. State Privacy Laws” means all U.S. state comprehensive consumer privacy laws and associated implementing regulations in force from time to time and applicable to the parties’ Processing of Personal Data in connection with the subject matter governed by the Agreement, including, by way of illustrative example only, to the extent applicable and as may be amended from time to time: (i) the California Consumer Privacy Act of 2018 and its implementing regulations (“CCPA“); (ii) the Virginia Consumer Data Protection Act, (iii) the Colorado Privacy Act and its implementing regulations; (iv) the Connecticut Data Privacy Act; and (v) the Utah Consumer Privacy Act. For clarity, for purposes of interpreting this definition and related provisions of this DPA: (1) reference to any particular law or regulation in the illustrative list above is not intended to be a representation or acknowledgement by either party that such law or regulation necessarily applies to the parties’ Processing of Personal data in connection with the subject matter governed by the Agreement; (2) “Personal Data” shall have the meaning given to “personal data” or “personal information” under the relevant U.S. State Privacy Law; and (3) U.S. State Privacy Laws excludes industry-specific, information-specific and similarly narrowly scoped laws and regulations.

   In the case of conflict or ambiguity between:

2. 1. any provisions contained in the body of this DPA and any provisions contained in the Schedules, the provisions in the body of this DPA will prevail; and
   2. any of the provisions of this DPA and any provisions in the Agreement, the provisions of this DPA will prevail.

1. The parties acknowledge that for the purpose of the Data Protection Legislation, You are the Controller and We are the Processor for all Personal Data entered into the Pinpoint platform by Your team or any of Your candidates, recruiters, or third parties.
2. You retain control of the Personal Data and remain responsible for Your compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions You give to Us.
3. You warrant that Our expected use of the Personal Data for the provision of the Services and as specifically instructed by You will comply with the Data Protection Legislation.
4. Schedule 1 describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which We may process Personal Data to fulfil the Services.

You shall:

1. provide clear and comprehensible written instructions to Us for the Processing of Personal Data, such instructions being as set out in this Agreement together with any other specific instructions agreed by the parties in writing from time to time;
2. unless otherwise agreed in writing, the parties hereby agree that the Agreement together with the Customer’s use of the Services, constitute Your complete and final instructions in relation to the Processing of Personal Data;
3. ensure that You have all the necessary licences, permissions and consents from, and provide all the necessary notices to, Data Subjects;
4. ensure that, to the extent required by the Data Protection Legislation, You have an applicable legal basis for the transfer of Personal Data to Us and for the processing of that Personal Data by Us; and
5. obtain Our prior written consent before transferring any Personal Data to Us that is subject to any U.S. privacy laws or regulations other than the U.S. State Privacy Laws.

1. We will only process the Personal Data to the extent, and in such a manner, as is necessary for the Services in accordance with Your written instructions. We will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. We will immediately notify You if, in Our opinion, Your instruction would not comply with the Data Protection Legislation or if we make a determination we can no longer comply with our obligations under the Data Protection Legislation.
2. We will promptly comply with any request or instruction from You requiring Us to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3. We will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless You or this DPA specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires Us to process or disclose Personal Data, We will first use reasonable endeavours to inform You of the legal or regulatory requirement and give You an opportunity to object or challenge the requirement, unless the law prohibits such notice.
4. We will reasonably assist You with meeting Your compliance obligations under the Data Protection Legislation, taking into account the nature of Our processing and the information available to Us, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with Supervisory Authorities under the Data Protection Legislation.
5. We will promptly notify You of any changes to Data Protection Legislation that may adversely affect Our performance of the Services.

We will ensure that Our employees who handle the Personal Data:

1. are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
2. have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
3. are aware both of Our duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

1. We will at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out at Schedule 2.
2. We may update the security measures from time to time, provided they do not result in a reduction in the security over the Personal Data to which they apply. We will maintain an up-to-date written record of Our then-current security measures, which We shall provide to You on request, and review at least on an annual basis to ensure they remain current and complete.
3. We will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
   1. the pseudonymisation and encryption of Personal Data;
   2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
   3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

1. We will notify You within 72 hours of becoming aware if any of Your Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. We will restore such Personal Data at Our own expense.
2. We will without undue delay notify You if We become aware of:
   1. any accidental, unauthorised or unlawful processing of Your Personal Data; or
   2. any Personal Data Breach relating to Your Personal Data.
3. Where We become aware of an event within the scope of clause 7.2, We shall, without undue delay, also provide You with the following information, to the extent relevant and reasonably available to Us at the time, and to the extent sharing of such detail is not prohibited by law enforcement:
   1. a description of the nature of such event, including the categories and approximate number of both Data Subjects and Personal Data records concerned;
   2. the likely consequences of the event; and
   3. a description of the measures taken or proposed to be taken to address such event, including measures to mitigate its possible adverse effects.
4. Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. We will reasonably co-operate with You in Your handling of the matter, including:
   1. assisting with any investigation;
   2. making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by You; and
   3. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing.
5. We will not inform any third party of any Personal Data Breach without first obtaining Your prior written consent, except when required to do so by law, to maintain any policy of insurance, or to maintain regulatory or equivalent certifications.
6. Subject to clause 7.5 You have the sole right to determine:
   1. whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Your discretion, including the contents and delivery method of the notice; and
   2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

1. If an adequate protection measure for the international transfer of Personal Data is required under Data Protection Legislation (and has not otherwise been arranged by the parties) the Standard Contractual Clauses shall be incorporated into this Agreement in Schedule 1 as if they had been set out in full.
2. The parties shall ensure that whenever Personal Data is transferred outside the European Economic Area (“EEA“) they:
   1. are Processing Personal Data in a territory which is subject to a current finding by the European Commission under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals;
   2. participate in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the parties can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR; or
   3. otherwise ensure that the transfer complies with the Data Protection Legislation.
3. In the case of any Processing of Personal Data outside of the EEA as at the date of this DPA, We have identified in Schedule 1 the relevant transfer mechanism. We will promptly inform You of any change to such mechanisms.
4. You authorise Us to enter into the Standard Contractual Clauses with each sub-Processor on Your behalf, if required to ensure the relevant Processing of Personal Data complies with Data Protection Legislation. We will make the executed Standard Contractual Clauses available to You on written request.

1. This clause 9 will apply only with respect to Processing of Personal Data that is subject to the U.S. State Privacy Laws.
2. We shall not Sell (as defined in applicable U.S. State Privacy Laws) for monetary or other valuable consideration or Share (as defined in applicable U.S. State Privacy Laws) for purposes of cross-context behavioral advertising such Personal Data to or with third parties (for clarity, this clause does not limit our ability to disclose such Personal Data to sub-Processors as permitted under clause 10 (Sub-Processors).
3. We shall not retain, use, or disclose such Personal Data outside of the direct business relationship between the parties unless permitted by the Data Protection Legislation.
4. We shall not combine such Personal Data with the personal data We may receive from or on behalf of another customer or collect from Our own interactions with a Data Subject.
5. We may Process such Personal Data as reasonably necessary for the following business purposes:
   1. providing the Services;
   2. helping to ensure security and integrity of the Services, to the extent the use of such Personal Data is reasonably necessary and proportionate for those purposes; and
   3. undertaking internal research for the improvement of the Services.
6. You are disclosing such Personal Data to Us only for the performance of the aforementioned limited and specified business purposes, and We may not retain, use, or disclose such Personal Data for any other business or commercial purpose, unless permitted by applicable U.S. State Privacy Laws.
7. We shall comply with obligations applicable to Processors under such U.S. State Privacy Laws, provide the same level of privacy protection as is required by such U.S. State Privacy Laws, notify You if We make a determination We can no longer meet such obligations or provide such protection, allow You to take reasonable and appropriate steps to help to ensure that We use such Personal Data in a manner consistent with Your obligations under such U.S. State Privacy laws, and allow You to take reasonable and appropriate steps to stop and remediate unauthorized use of such Personal Data.

1. We may only authorise a third party (sub-Processor) to process the Personal Data if:
   1. You are provided with an opportunity to object to (but not prevent) the appointment of each sub-Processor within 30 days of Us providing You with reasonable details of the forthcoming changes to Our sub-Processors, with such details to be provided by Us updating Our dedicated sub-Processor webpage at pinpointhq.com/security-privacy/sub-processors;
   2. We enter into a written contract with the sub-Processor that contains terms similar to those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon Your written request and at Your expense, provide You with copies of such contracts (subject to redaction of any confidential information); and
   3. We maintain control over all Personal Data We entrust to the sub-Processor.
2. You authorise Us to use sub-Processors set out on Our dedicated sub-Processor webpage. These sub-Processors include but are not limited to the general categories of data storage, hosting (including data centres and providers of virtual software environments) and IT support.
3. If You object to Our engagement of a sub-Processor in accordance with the procedure at clause 10.1.1, We will discuss Your concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, We will, at Our sole discretion, either not appoint the new sub-Processor, or permit You to suspend or terminate the affected Services in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any Fees incurred prior to such suspension or termination).

1. We will take such technical and organisational measures as may be appropriate, and promptly provide such information to You as You may reasonably require, to enable You to comply with:
   1. the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data, or any other right to which the Data Subject is entitled under the Data Protection Legislation; and
   2. information or assessment notices served on You by any supervisory authority under the Data Protection Legislation.
2. We will notify You immediately if We receive any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.
3. We will notify You without undue delay if We receive a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.
4. We will give You Our full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
5. We will not disclose the Personal Data to any Data Subject or to a third party other than at Your request or instruction, as provided for in this DPA or as required by law.

1. This DPA will remain in full force and effect for so long as We retain any of Your Personal Data related to the Services in Our possession or control.
2. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Services in order to protect Personal Data will remain in full force and effect.
3. If a change in any Data Protection Legislation prevents either party from fulfilling all or part of the Services, the parties will discuss in good faith with a view to implementing any changes necessary to ensure the processing of Personal Data complies with the new requirements.

1. At Your request, We will give You a copy of or access to all or part of Your Personal Data in Our possession or control in a commonly accessible and electronic format determined by Us.
2. We offer Your candidates access to a suite of data management tools, giving them the ability to assert many of the rights granted to them under the Data Protection Legislation. These include (but are not limited to) the ability to revoke their application, manage their communication and speculative application preferences, and to delete their Personal Data from the Pinpoint platform at any time. You will be notified automatically by the Pinpoint platform whenever a candidate exercises these rights.
3. Any data removed from the Pinpoint platform using the data management tools is deleted immediately from the production system and will be deleted within 30 days from all backup datasets. Any other data export or removal requests will be removed from the production system within 15 days and from all backup datasets within 45 days.
4. On termination of the Services for any reason or expiry of its term, We will promptly securely delete or destroy or, if directed in writing by You within thirty (30) days of termination, return and not retain, all or any Personal Data related to this DPA in Our possession or control. This requirement shall not apply to Personal Data which We have archived on Our backup systems which are not reasonably accessible, provided that such Personal Data is deleted promptly in the event such backups become reasonably accessible (such as by Us using those backups to restore Our systems).
5. Clause 13.4 shall not apply to the extent any law, regulation, or government or regulatory body requires Us to retain any documents or materials that We would otherwise be required to return or destroy.

1. We will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data We carry out for You (“Records“) and provide You with copies of the Records upon request.

1. No more than once during any consecutive 12-month period, on Your request We will provide You with the relevant information from Our SOC 2 and ISO 27001 audits (which may have been carried out internally or by third-party representatives) to evidence Our compliance with this DPA and provide the summary results to You. You shall be entitled to ask questions of Us related to compliance with Data Protection Legislation in advance of the audit, We shall use Our reasonable endeavours to respond adequately when providing the audit results.
2. In connection with any processing under the U.S. State Privacy Laws, upon Your reasonable request We shall make available all information in Our possession reasonably necessary to demonstrate Our compliance with the U.S. State Privacy Laws.
3. On Your written request, We will exercise relevant audit rights We have in connection with Our sub-Processors’ compliance with their obligations regarding Your Personal Data, and provide You with a summary of the audit results.

1. We may vary this DPA from time to time on giving You at least 30 days’ notice in writing provided that any variation required by applicable law will be effective immediately. If You do not accept the variation, You may, within 30 days of being notified of the variation (“Review Period“) notify Us of your objection. If We can no longer provide the Services under the terms of the DPA prior to the modification, We may terminate the Agreement on written notice to You. Your continued use of the Services after the Review Period will constitute Your acceptance of the variation.

1. Incorporation of the EU SCCs
   1. To the extent clause 8.1 applies and the transfer is made pursuant to the GDPR, this Schedule 1 and the following terms shall apply: Module 2 of the EU SCCs, and no other optional clauses unless explicitly specified, are incorporated into this Schedule 1 as if they had been set out in full in the case where the exporter is a Controller, the importer is a Processor and the transfer requires such additional protection.
2. Clarifications to the EU SCCs
   1. Deletion of data. For the purposes of clause 8.5 of the EU SCCs (Duration of processing and erasure or return of data), the parties agree as follows: At the end of the provision of the processing services the importer shall delete all Personal Data and shall certify to the exporter that it has done so, if requested to provide such certification by the exporter in writing.
   2. Auditing. The parties acknowledge that the importer complies with its obligations under clause 8.9 of the EU SCCs (Documentation and compliance) by exercising its contractual audit rights it has agreed with its sub-processors.
   3. Sub-Processors. For the purposes of clause 9 of the EU SCCs (Use of sub-processors), the parties agree that the process for appointing sub-processors set out in clause 9 applies.
   4. International Transfer Assessments. For the purposes of clause 14(c) of the EU SCCs (Local laws and practices affecting compliance with the Clauses) the exporter has been provided with a transfer impact assessment by the importer which the exporter accepts as sufficient to fulfil the importer’s obligations pursuant to clause 14(c) and 14(a). The exporter acknowledges that it has been provided with the security measures applied to the Personal Data and approves such measures as being in compliance with the EU SCCs.
   5. Best Efforts Obligations. For the purposes of clauses 14(c), 15.1(b) and 15.2 of the EU SCCs (Local laws and practices affecting compliance with the clauses) the parties agree that “best efforts” and the obligations of the importer under clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.
   6. Competent Supervisory Authority. For the purposes of clause 13 of the EU SCCs, the competent Supervisory Authority shall be:
      1. if the exporter is established in an EU Member State: The Irish Data Protection Commissioner;
      2. where the exporter is not established in an EU Member State and has appointed a representative pursuant to Article 27(1) GDPR, it shall notify the importer of this and the EU Member State in which the exporter’s representative is appointed shall be the competent Supervisory Authority; and
      3. where the exporter is not established in an EU Member State, but falls within the territorial scope of Article 3(2) GDPR but has not appointed a representative pursuant to Article 27(1) GDPR: the exporter shall notify the importer of its chosen competent supervisory authority, which must be the Supervisory Authority of an EU Member State in which the Data Subjects whose personal data is transferred under the EU SCCs in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
   7. Governing Law & Jurisdiction. For the purposes of clauses 17 and 18 of the EU SCCs, the parties agree that the governing law shall be where the exporter is established. If those laws do not allow for third party rights, the law of Ireland shall apply.
3. Processing Particulars for the EU SCCs
   1. The Parties
      1. Exporter (Controller): Customer
      2. Importer (Processor): Pinpoint
   2. Description Of Data Processing
      1. Categories of data subjects: Customer may submit Personal Data in the course of using the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to Customer’s candidates, employees, contractors, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to Customer’s end users.
      2. Categories of personal data transferred:Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
         1. Customer Data of all types may be submitted by Candidates to the Customer or uploaded by Customer. Such information may include, but is not limited to name, contact information, employment history, and other personal details that the Customer solicits or Candidates submit.
         2. Contact details of Customer’s employees, end users, and other contacts. Such information may include, but is not limited to, contact information, name, and payment information.
         3. Any other Personal Data submitted by, sent to, or received by Customer or Customer’s end users via the Subscription Service.
   3. Sensitive data transferred: Customer may submit special categories of Personal Data to the Subscription Service, the extent of which is determined and controlled by Customer. For clarity, these special categories of Personal Data may include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, and similar information.
   4. Frequency of the transfer: Continuous during the provision of the Services.
   5. Nature of the processing: Personal Data is processed as necessary to provide the Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by the Customer in its use of the Services.
   6. Purpose of the processing: Personal Data is processed as necessary to provide the Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by Customer in its use of the Services.
   7. Duration of the processing: For the duration of the Agreement, unless otherwise agreed In writing.
   8. Sub-Processor Transfers: As set out at clause 9.
   9. Competent Supervisory Authority: As set out at paragraph 2.6.
   10. Technical and Organisational Measures: As set out at Schedule 2.

1. Access Control
   1. Preventing Unauthorised Product Access
      1. Outsourced processing: Pinpoint hosts its Service with outsourced cloud infrastructure providers. Additionally, Pinpoint maintains contractual relationships with vendors in order to provide the Service in accordance with our Data Processing Agreement. Pinpoint relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
      2. Physical and environmental security: Pinpoint hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
      3. Authentication: Pinpoint implements a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
      4. Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers only via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorisation model in each of Pinpoint’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
      5. Application Programming Interface (API) access: Public product APIs may only be accessed using an API key.
   2. Preventing Unauthorised Product Use. Pinpoint implements industry standard access controls and detection capabilities for the internal networks that support its  products.
      1. Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorised protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
      2. Intrusion detection and prevention: Pinpoint uses a third-party service provider to monitor and protect its infrastructure from automated scanners, bots and targeted attacks. It blocks attacks and alerts in case of critical threats. It also brings additional features like IP blocking, suspicious behaviour monitoring, and informs us of any vulnerabilities in dependencies.
      3. Static code analysis: Security reviews of code stored in Pinpoint’s source code repositories is performed, checking for coding best practices and identifiable software flaws.
      4. Penetration testing: Pinpoint performs dynamic application security testing (DAST) via the use of a third party service. This service is a web security scanner that works with ethical hackers to perform fully automated tests to identify vulnerabilities in web applications. Pinpoint systems are tested by independent third party penetration testing firms.
   3. Limitations of Privilege & Authorisation Requirements
      1. Product access: A subset of Pinpoint’s employees have access to the products and to select customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security.
      2. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high-risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
2. Transmission Control
   1. In-transit: Pinpoint makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every Customer site hosted on the Pinpoint products. Pinpoint’s HTTPS implementation uses industry standard algorithms and certificates.
   2. At-rest: Pinpoint stores user passwords following policies that follow industry standard practices for security. Pinpoint has implemented technologies to ensure that stored data is encrypted at rest.
3. Input Control
   1. Detection: Pinpoint designed its infrastructure to log extensive information about the system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Pinpoint personnel, including security, operations, and support personnel, are responsive to known incidents.
   2. Response and tracking: Pinpoint maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel and appropriate resolution steps are identified and documented. For any confirmed incidents, Pinpoint will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
   3. Communication: If Pinpoint becomes aware of unlawful access to Customer data stored within its products, Pinpoint will notify Customer in accordance with the terms of the Agreement.
4. Availability Control
   1. Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
   2. Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
   3. Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
   4. Pinpoint’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Pinpoint operations in maintaining and updating the product applications and backend while limiting downtime.