Data Processing Addendum

Data Processing Addendum

Effective: January 5, 2024

This Data Processing Addendum (“DPA”) forms part of the Customer Agreement, SaaS Services Agreement, Terms of Use (available at https://superwall.com/privacy/terms or such other location as such terms may be posted from time to time), or other agreement entered into by and between Customer and Nest22, Inc. (Superwall”) under which Customer accesses and uses Superwall's products and services (for purposes of this DPA, the “Application Services”), including without limitation any such agreement that incorporates this DPA by reference (each an “Agreement”).

In this DPA, “Data Protection Legislation” means any and all governmental laws, rules, directives, regulations or orders that are applicable to a particular Party's performance under this DPA, which may include, as applicable, EU Data Protection Law, UK Data Protection Law, the California Consumer Privacy Act of 2018, sections 1798.100 through 1798.199 of the California Civil Code and any attendant regulations issued thereunder as may be amended from time to time, including but not limited to the California Privacy Rights Act of 2020 (the “CPRA”) and its implementing regulations (together referred to as the “CCPA”), and the Brazilian Federal Law 13,709 (“LGPD”). EU Data Protection Law includes Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”) UK Data Protection Law” includes the Data Protection Act 2018 and the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”).

In the course of providing the Application Services to Customer pursuant to the Agreement, Superwall may process Customer Personal Data. “Customer Personal Data” means any data which is defined as ‘personal data' or ‘personal information' under applicable Data Protection Legislation processed by Superwall pursuant to the Agreement. Superwall agrees to comply with the following provisions with respect to Customer Personal Data. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.

By entering into this DPA, Customer instructs Superwall to process Customer Personal Data: (a) to provide the Application Services in accordance with the features and functionality of the Application Services and related documentation; (b) to enable Customer's authorized user-initiated actions on and through the Application Services; (c) as set forth in the Agreement and applicable order; and (d) as further documented by written instructions given by Customer. Notwithstanding the foregoing, Superwall will inform Customer promptly if it becomes aware that Customer's instructions may violate applicable Data Protection Legislation.

Data Processing Terms

The parties agree that Customer is the data controller and that Superwall is its data processor in relation to Customer Personal Data. Customer shall comply at all times with Data Protection Legislation in respect of all Personal Data it provides to Superwall pursuant to the Agreement. The subject matter of the data processing covered by this DPA is the Application Services ordered by Customer either through Superwall's website or through an order and provided by Superwall to Customer via www.Superwall.com, or as additionally described in the Agreement or the DPA. The processing will be carried out for the term of the Agreement or until the term of Customer's ordering of the Application Services ceases. Further details of the data processing are set out in Annexes 1A, 1B, 1C, 2, and 3 hereto.

In Paragraphs 1 through 11 below, (a) “data controller”, “data processor”, “Data Subject”, “Personal Data”, “processing”, “Supervisory Authority”, and “appropriate technical and organizational measures” shall be interpreted in accordance with applicable Data Protection Legislation and (b) “Customer Personal Data” shall refer to Customer Personal Data comprising of personal data of data subjects located in the European Economic Area (“EEA) or the United Kingdom (“UK”).

In Paragraph 12 below, the terms “service provider“, “business“, “consumer”, “business purpose”, “sell” (and “selling”, “sale”, and “sold”), “subcontractor” and “service provider” have the meanings given to them in §1798.140 of the CCPA, as applicable.

In respect of Customer Personal Data, Superwall:

1. shall process the Customer Personal Data only in accordance with the documented instructions from Customer (as set out in this DPA or the Agreement or as otherwise notified by Customer to Superwall from time to time). If Superwall is required to process the personal data for any other purpose provided by applicable law to which it is subject, Superwall will inform Customer of such requirement prior to the processing unless that law prohibits this on important grounds of public interest.
2. shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, implement and maintain appropriate technical and organizational measures designed to protect Customer Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure (including those outlined in Annex 2 of this DPA, (“Security Measures”). These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Customer Personal Data and having regard to the nature of Customer Personal Data which is to be protected. Superwall may make such changes to the Security Measures as Superwall deems necessary or appropriate from time to time, including without limitation to comply with applicable law, provided no such changes will materially reduce the overall level of protection for Customer Personal Data.
3. may hire other third party companies to process Customer Personal Data for the purposes of providing the Application Services (“Sub-Processors”), including those set forth in Annex 3, provided that Superwall complies with the provisions of this DPA. Any such Sub-Processors will be permitted to process Customer Personal Data only to deliver the Application Services Superwall has retained them to provide, and they shall be prohibited from using Customer Personal Data for any other purpose. Superwall remains responsible for its Sub-Processors' compliance with the obligations of this DPA. Any Sub-Processors to whom Superwall transfers Customer Personal Data will have entered into written agreements with Superwall requiring that the Sub-Processor abide by terms no less protective than those in this DPA. If Customer requires prior notification of any updates of additional Sub-Processor to the list of Sub-Processors, Customer can request such notification in writing by emailing [email protected]. Superwall will update the Sub-Processor list within thirty (30) days of any such notification if Customer does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a Sub-Processor's non-compliance with applicable Data Protection Legislation. If, in Superwall's reasonable opinion, such objections are legitimate, and Superwall is unable to modify the Application Services to prevent disclosure of Customer Personal Data to the Sub-Processor, then Customer may, by providing written notice to Superwall, terminate the Agreement.
4. at the Customer's request and cost (and insofar as is possible), shall reasonably assist the Customer by implementing appropriate and reasonable technical and organizational measures to assist with the Customer's obligation to respond to requests from Data Subjects under Data Protection Legislation (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data), provided Superwall is legally permitted to do so and that the Data Subject request was made in accordance with relevant Data Protection Legislation, and provided that Superwall reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance. If Superwall receives a request from a Data Subject in relation to Customer Personal Data then, to the extent legally permissible, Superwall will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Application Services. Customer hereby agrees that Superwall may confirm to a Data Subject that his or her requests relates to Customer.
5. ake reasonable steps at the Customer's request and cost to assist Customer in meeting Customer's obligations under Article 32 to 36 of the General Data Protection Regulation taking into account the nature of the processing under this DPA, provided that Superwall reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance.
6. in the event of a Personal Data Breach (as defined in Annex 2), comply with the incident response procedure as set out in Annex 2 of this DPA.
7. at the end of the applicable term of the Application Services, upon Customer's request, Superwall shall securely destroy or return to Customer any Customer Personal Data within Superwall's possession or control, subject to Superwall's standard data backup and archival practices. Such request must be made within thirty (30) days of termination. Thereafter Superwall may permanently delete the Customer Personal Data from its live systems.
8. make available information to Customer at Customer's request which is necessary to demonstrate compliance with this DPA and allow for any audits, including inspections, conducted by Customer or another auditor, as requested by Customer on reasonable, legitimate grounds for suspecting a breach of this DPA. Superwall will provide for such audits by allowing Customer to review confidential summary reports (“Audit Report”) prepared by third-party security professionals at Superwall's selection and expense. If Customer can demonstrate that it requires additional information, beyond the Audit Report, and where required by Data Protection Legislation, Superwall shall allow, no more than once every 12 months and at Customer's expense, Customer and its respective auditors or authorized agents to conduct audits or inspections of Superwall's procedures relevant to the protection of Customer Personal Data to verify Superwall's compliance with its obligations under this DPA during the term of the Agreement, provided that Customer has given Superwall at least forty-five (45) days prior written notice and such audit or inspection is conducted during reasonable business hours with minimal disruption to Superwall. Such audit may be carried out by Customer or an inspection body mutually agreed upon by the parties and composed of independent members in possession of the required professional qualifications and bound by a duty of confidentiality. Such audit shall have a duration of no longer than 48 hours.
9. Representatives of Customer performing an audit pursuant to Paragraph 7 above shall protect the confidentiality of all information obtained through such audits in accordance with the Agreement, may be required to execute an enhanced mutually agreeable nondisclosure agreement, and shall abide by Superwall's security policies while on Superwall's premises. Upon completion of an audit, Customer agrees to promptly furnish to Superwall any written audit report or, if no written report is prepared, to promptly notify Superwall of any non-compliance discovered during the course of the audit. The results of any such audit shall be considered Superwall's confidential information. For the avoidance of doubt no access to any part of Superwall's IT system, data hosting sites or centers, or infrastructure will be permitted as part of an audit or inspection and the audit will not include access to any information that could compromise confidential information relating to other Superwall clients or suppliers, Superwall's proprietary technology or any trade secrets.
10. Superwall shall provide information reasonably requested by Customer to demonstrate compliance with the obligations set out in this DPA.
11. Restricted Transfers
    • Subject to EU Data Protection Law, Superwall currently makes available the Standard Contractual Clauses (available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914) as a data transfer safeguard, as amended, superseded or replaced from time to time (“EU SCCs”). The Standard Contractual Clauses apply to any transfer of Customer Personal Data under this DPA from the European Economic Area (EEA) to a country which is not deemed to have Adequacy as defined in EU Data Protection Law (to the extent such transfers are subject to EU Data Protection Law) (“Restricted Transfer”). The EU SCCs and the terms of this Paragraph apply to the legal entity that executed the EU SCCs as “data exporter” and its participating affiliates, all of which shall be deemed “data exporters.” Where such a Restricted Transfer is made, the EU SCCs are incorporated into this DPA and apply to the transfer with effect from commencement of the relevant transfer as follows: (i) the module two (controller to processor) terms shall apply to the extent Customer is a Controller of Customer Personal Data and the module three (processor to processor) terms shall apply to the extent Customer is a Processor of the Customer Personal Data; (ii) Clause 9, Option 2 of the applicable module of the EU SCCs shall apply and Superwall may engage Sub-Processors as described in Paragraph 3 of this DPA; (iii) in Clause 11, the optional language shall be deleted; (iv) the audits described in Clauses 8.3 and 8.9 of the applicable module of the EU SCCs shall be carried out as set out in and subject to the requirements of Paragraph 8 of this DPA; (v) pursuant to Clauses 8.5 and 16(d), upon termination of this DPA, Customer Personal Data will be returned and/or destroyed in accordance with Paragraph 7 of this DPA; (vi) in Clause 17, Option 1 shall apply and the EU SCCs shall be governed by Irish law; (vii) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (viii) the Annexes of the EU SCCs shall be populated with the information set out in the Annexes to this Addendum.
    • Where a Restricted Transfer is made subject to UK Data Protection Law, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, published by the UK Information Commissioner's Office on March 21, 2022, as amended, superseded or replaced from time to time. (“UK Transfer Addendum) and the EU SCCs as amended and modified by the UK Transfer Addendum (collectively referred to as the “UK IDTA SCCs”) is incorporated into this DPA and applies to the transfer with effect from commencement of the relevant transfer. For the purposes of the UK IDTA SCCs: (ix) the Tables of the UK IDTA SCCs shall be populated with the relevant information set out in the Annexes to this Addendum, and for the purposes of Table 2 of the UK IDTA SCCs, the first tick box in the table shall be deemed to be ticked and the date shall be the date on which the relevant transfer commences; (x) the UK IDTA SCCs shall be governed by the laws of and disputes shall be resolved before the courts of England and Wales; and (xi) both “Importer” and “Exporter” are selected in Table 4 of the UK Transfer Addendum.
    • Where there is a transfer of Customer Personal Data that would otherwise be prohibited by applicable Swiss data protection laws as amended superseded or replaced from time to time (“Swiss Restricted Transfer”), where Customer and its participating affiliates is the data exporter and Superwall is the data importer, with effect from commencement of the Swiss Restricted Transfer, the parties hereby enter into the EU SCCs which shall be amended as follows: If and to the extent the Standard Contractual Clauses conflict with any provision of this Addendum regarding the transfer of Customer Personal Data from Customer to Superwall, the Standard Contractual Clauses shall prevail to the extent of such conflict.
      • References to GDPR in the EU SCCs shall be understood as references to the Swiss Federal Data Protection Act
      • Clause 1c - In addition to personal data pertaining to and protect personal data pertaining to legal entities as well, until the entry into force of the revised FADP on September 1, 2023, that eliminates this broader scope;
      • Clause 13 - To the extent transfer of personal data is subject to FADP, the Swiss Federal Data Protection and Information Commissioner (FDPIC) shall act as the competent supervisory authority. To the extent transfer of personal data is subject to GDPR, the supervisory authority of the Member State in which the Swiss data exporter's representative according to Article 27(1) of the GDPR is established shall act as competent supervisory authority;
      • Clause 18c - The term “Member State” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of pursuing their rights at their place of habitual residence (Switzerland) in accordance with Clause 18c of the SCCs. Accordingly, data subjects with their place of habitual residence in Switzerland may also bring legal proceedings before the competent courts in Switzerland.
    • If and to the extent the Standard Contractual ClausesEU SCCs (including as amended by the UK Transfer Addendum or as necessary for a Swiss Restricted Transfer) conflict with any provision of theis Addendum Agreement, regarding the transfer of Customer Personal Data from Customer to Superwall, tthe EU SCCs (including such clauses as amended by the UK Transfer Addendum or as necessary for a Swiss Restricted Transfer) Standard Contractual Clauses shall prevail to the extent of such conflict.
12. If Customer Data comprises Personal Data subject to the LGPD (“LGPD Covered Data”), then Customer Personal Data, as the term is used in this DPA, shall be deemed to include LGPD Covered Data.
13. If Superwall is processing Customer Personal Data within the scope of the CCPA (“CCPA Personal Data”), the Parties agree as follows. CCPA Personal Data is disclosed by Customer only for limited and specified purposes of providing Services to Customer pursuant to the terms of the Agreement. Each party agrees to comply with applicable obligations under CCPA and shall provide the same level of privacy protection to CCPA Personal Data as required by CCPA. Customer shall have the right to take reasonable and appropriate steps to help ensure that Superwall uses the CCPA Personal Data in a manner consistent with its obligations under CCPA. Superwall shall notify Customer if it makes a determination that it can no longer meet its obligations under CCPA. Upon such notice, Superwall may take reasonable and appropriate steps to stop and remediate unauthorized use of CCPA Personal Data. Superwall agrees not to retain, use or disclose CCPA Personal Data obtained in the course of providing services for any purpose other than for the Business Purposes set forth in the agreement, including retaining, using or disclosing CCPA Personal Data for a commercial purpose other than the Business Purpose set forth in the Agreement, or as otherwise permitted by CCPA. Superwall will not (a) sell (as defined in CCPA) or share (as defined in CCPA) any CCPA Personal Data, (b) retain, use or disclose CCPA Personal Data outside of the direct business relationship between Superwall and Customer, (c) combine CCPA Personal Data with personal data received by Superwall from or on behalf of another person or persons, or collects from its own interactions with the consumer, provided that Superwall may combine CCPA Personal Data to perform any Business Purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185, except as provided for in paragraph (6) of subdivision (e) of this section and in regulations adopted by the California Privacy Protection Agency. Notwithstanding the foregoing, Superwall may (i) to process or maintain personal information on behalf of the business that provided the personal information or directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA, (ii) to retain and employ another service provider (as defined in CCPA) as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and applicable regulations, (iii) for internal use by Superwall to build or improve the quality of its services it is providing to Customer, even if this Business Purpose is not specified in the Agreement, provided that Superwall does not use the CCPA Personal Data to perform services on behalf of another person, (iv) to prevent, detect or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity, even if this Business Purpose is not specified in the Agreement or (v) for the purposes enumerated in California Civil Code section 1798.145, subdivisions (a)(1) through (a)(7). If Superwall receives a request to know or a request to delete from a consumer with respect to CCPA Personal Data, then Superwall shall either act on behalf of Customer in responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a service provider. To the extent of any conflict, this Paragraph 13 will supersede other terms in this DPA with respect to CCPA Personal Data.

Customer Responsibilities

Without limiting its responsibilities under the Agreement, Customer is solely responsible for: (a) Customer Data, subject to Superwalls Processing obligations under the Agreement and this DPA; (b) providing any notices required by Data Protection Legislation to, and receiving any required consents and authorizations required by Data Protection Legislation from, persons whose Personal Data may be included in Customer Data; and (c) ensuring no special categories of Personal Data (GDPR Article 9) or Personal Data relating to criminal convictions and offenses (GDPR Article 10) are submitted for Processing by the Application Services. Further, no provision of this DPA includes the right to, and Customer shall not, directly or indirectly, enable any person or entity other than its authorized users to access and use the Application Services or use (or permit others to use) the Application Services other than as described in the applicable Ordering Document, the Agreement and this DPA, or for any unlawful purpose.

Liability

Each Party's (and each of its affiliate's) liability taken together in the aggregate, arising out of or related to this DPA, including without limitation under the Standard Contractual Clauses, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement, except to the extent such liability cannot be limited under Data Protection Legislation.

Term and Termination

Unless earlier terminated as provided herein, this DPA shall terminate automatically together with termination or expiry of the Agreement.

Annex 1A

LIST OF PARTIES

Data exporter(s):

• Name: The Customer entity identified in the Agreement or on an applicable Ordering Document.
• Address: The Customer's address specified on the Ordering Document.
• Contact person's name, position and contact details: The Customer's contact nominated for receiving notifications, as set forth above in the DPA.
• Activities relevant to the data transferred under the Standard Contractual Clauses: The data exporter is a customer of the data importer and utilizing the data importer's services as described in more detail in the Agreement.
• Role (controller/processor): Controller and/or Processor.

Data importer(s):

• Name: Nest 22, Inc.
• Address: 2093 PHILADELPHIA PIKE #5307 CLAYMONT, DE 19703
• Contact person's name, position and contact details: Brian Anglin, Chief Technology Officer, [email protected]
• Activities relevant to the data transferred under these Clauses: The data importer is providing certain services to the data exporter, as described in more detail in the Agreement.
• Role (controller/processor): Processor.

Annex 1B

DESCRIPTION OF THE TRANSFER

Categories of data subjects:

Individuals about whom data is uploaded to the Application Services by (or at the direction of) the data exporter or by its authorized users, subsidiaries, and other participants whom the data exporter has granted the right to access the Application Services in accordance with the provisions of the Agreement.

Categories of personal data:

The Personal Data transferred may include but is not limited to the following categories of data: Any data uploaded to the Application Services by (or at the direction of) the data exporter or by its authorized users, subsidiaries and other participants whom the data exporter has granted the right to access the Application Services in accordance with the provisions of the Agreement.

Sensitive data transferred (if applicable) and applied restrictions or safeguards: 

Not Applicable

Frequency of the transfer:

At data exporter's discretion in using the Application Services, during the term of the Agreement.

Nature of the processing: 

Customer Personal Data transferred will be processed in accordance with the Agreement and any Ordering Document, and may be subject to the following basic processing activities:

Customer Personal Data will be processed to the extent necessary to provide the Services in accordance with both the Agreement and the data exporter's instructions. The data importer processes Personal Data only on behalf of the data exporter. Processing operations include, but are not limited to the provision of the Application Services - this operation relates to all aspects of Personal Data processed.

Technical support, issue diagnosis and error correction to ensure the efficient and proper running of the systems and to identify, analyze and resolve technical issues both generally in the provision of the Application Services and specifically in answer to a data exporter query. This operation may relate to all aspects of Personal Data processed but will be limited to metadata where possible.

URL scanning for the purposes of the provision of targeted threat protection and similar service which may be provided under the Agreement. This operation relates to attachments and links in emails and will relate to any Personal Data within those attachments or links which could include all categories of Personal Data.

Disclosures in accordance with the Agreement, as compelled by Data Protection Legislation.

Purpose(s) of the data transfer and further processing: 

Personal Data is processed for the purposes of providing the Application Services in accordance with the Agreement and any applicable Ordering Document. Period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:  Personal Data will be retained until termination or expiry of the Agreement, in accordance with Paragraph 7 of this DPA.

Annex 1C

COMPETENT SUPERVISORY AUTHORITY: 

Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located shall act as competent supervisory authority.

Annex 2

TECHNICAL AND ORGANIZATIONAL MEASURES

Introduction

Superwall considers protection of Customer Data a top priority.  As further described in this Superwall Information Security Policy, Superwall uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration or disclosure of Customer Data stored on systems under Superwall's control. Superwall maintains these security measures and is currently in the process of being audited for SOC2 - Type II.

1. Customer Data and Management. Superwall limits its personnel's access to Customer Data as follows:
   1. Requires unique user access authorization through secure logins and passwords, including multi-factor authentication for Cloud Hosting administrator access and individually-assigned Secure Socket Shell (SSH) keys for external engineer access;
   2. Limits the Customer Data available to Superwall personnel on a “need to know” basis;
   3. Restricts access to Superwall's production environment by Superwall personnel on the basis of business need;
   4. Encrypts user security credentials for production access; and
   5. Prohibits Superwall personnel from storing Customer Data on electronic portable storage devices such as computer laptops, portable drives and other similar devices.
2. Data Encryption.  Superwall will utilize standard production ciphers using 128-bit AES in CBC mode and PKCS7 padding, with HMAC using SHA256 for authentication or equivalent.
3. Network Security, Physical Security and Environmental Controls
   1. Superwall uses firewalls, network access controls and other techniques designed to prevent unauthorized access to systems processing Customer Data.
   2. Superwall maintains measures designed to assess, test and apply security patches to all relevant systems and applications used to provide the Services.
   3. Superwall monitors privileged access to applications that process Customer Data, including cloud services.
   4. The Services operate on Heroku Web Services (“Heroku”) and are protected by the security and environmental controls of Sales Force.  Detailed information about Heroku security is available at https://www.heroku.com/policy/security . For Heroku SOC Reports, please see https://www.heroku.com/compliance.
   5. The Services operate using Altinity's data warehouse and are protected by the security and environmental controls of Altinity. Detailed information about Altinity security is available at https://altinity.com/wp-content/uploads/2022/03/security-march2022.pdf. For Altinity SOC Reports, please see https://altinity.com/blog/altinity-is-soc-2-type-ii-compliant. 
4. Independent Security Assessments.  Superwall periodically assesses the security of its systems and the Services as follows:
   1. Private and public security bug bounty programs.
   2. Superwall hires accredited third parties to perform audits and to attest SOC2 - Type 2 compliance and certifications annually, starting in March 2024.
5. Incident Response.  If Superwall becomes aware of unauthorized access or disclosure of Customer Data under its control (a “Breach”), Superwall will:
   1. Take reasonable measures to mitigate the harmful effects of the Breach and prevent further unauthorized access or disclosure.
   2. Upon confirmation of the Breach, notify Customer in writing of the Breach without undue delay. Notwithstanding the foregoing, Superwall is not required to make such notice to the extent prohibited by Laws, and Superwall may delay such notice as requested by law enforcement and/or in light of Superwall's legitimate needs to investigate or remediate the matter before providing notice.
   3. Each notice of a Breach will include:
      1. The extent to which Customer Data has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Breach;
      2. A description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;
      3. The scope of the Breach, to the extent known; and
      4. A description of Superwall's response to the Breach, including steps Superwall has taken to mitigate the harm caused by the Breach.
6. Business Continuity Management
   1. Superwall maintains an appropriate business continuity and disaster recovery plan.
   2. Superwall maintains processes to ensure failover redundancy with its systems, networks and data storage.
7. Personnel Management
   1. Superwall performs employment verification, including proof of identity validation and criminal background checks for all new hires, including contract employees, in accordance with applicable law.
   2. Upon employee termination, whether voluntary or involuntary, Superwall immediately disables all access to Superwall systems, including Superwall's physical facilities.

Annex 3