Data Processing Addendum

Effective: Aug 8, 2023

This document, known as the Data Processing Addendum (DPA), is an integral part of the Customer Agreement, SaaS Services Agreement, Terms of Use (available at https://legal.apphud.com/terms or any other location that may be specified periodically), or any other written or electronic agreement between the Customer and Apphud. The Agreement outlines the terms governing the Customer's use of the Services. In case of any discrepancies between the terms of this DPA and other provisions in the Agreement, the DPA will prevail.

Definitions

In this DPA:

The term "2021 Standard Contractual Clauses" refers to a set of clauses issued by the European Commission in June 2021, which provide a standardized framework for transferring personal data from the European Union to third countries, in compliance with the EU General Data Protection Regulation (GDPR). These standard contractual clauses can be accessed via the link and are completed as described in the "Data Transfers" section of the agreement or contract. The use of these clauses is important for ensuring that any transfer of personal data to third countries is done in a secure and compliant manner, protecting the privacy and rights of individuals whose data is being transferred.

The term "Applicable Law" includes all laws, regulations, and other legal requirements that apply to either (i) Apphud as the provider of the Services or (ii) the Customer as the user of the Services. This may include a wide range of laws and regulations, depending on the nature of the Services being provided and the location of the parties involved.

Examples of specific laws and regulations mentioned in the definition include the General Data Protection Regulation (GDPR), which is a data protection law that applies to the processing of personal data in the European Union; the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), which are equivalent requirements in the United Kingdom; and the California Privacy Rights Act of 2020 (the “CPRA”) and its implementing regulations (together referred to as the “CCPA”), which are data protection laws that apply to the processing of personal data of California residents, and the Brazilian Federal Law 13,709 (“LGPD”).

By defining Applicable Law in this way, the parties to the agreement can ensure that they are aware of and complying with any legal requirements that may impact the provision or use of the Services, and can take appropriate steps to mitigate any legal risks or compliance issues that may arise.

The term "Designated Address" refers to the email address provided by the Customer for legal notices. This may be the email address listed on the Order Form or the email address associated with the Customer's account information on record.

The term "Personal Data" refers to any information that relates to an identified or identifiable individual, within the meaning of the GDPR. This definition is important because it establishes the scope of data that is subject to the terms of the agreement or contract, and ensures that the parties are using a common understanding of what constitutes personal data.

The term "Personal Data Breach" refers to a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or other processing of, or access to, personal data. This definition is important because it establishes the consequences that may result from a security incident involving personal data, and provides a framework for responding to such incidents in a timely and effective manner.

The terms "Process" and "Processing" refer to any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means. Examples of such operations include the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data. This definition is important because it establishes the scope of activities that may be performed with personal data and helps ensure that both parties understand the types of processing that are subject to the terms of the agreement.

The next term is "Subprocessor", which refers to a subcontractor engaged by Apphud for the processing of personal data. This definition is important because it helps establish the responsibilities of Apphud and its subcontractors with respect to the processing of personal data, and ensures that the parties are aware of and have agreed to the use of any subprocessors in the provision of services.

The term "UK Addendum" refers to the International Data Transfer Addendum to the 2021 Standard Contractual Clauses, issued by the Information Commissioner under S119A(1) Data Protection Act 2018, Version B1.0. The UK Addendum is designed to be used in conjunction with the 2021 Standard Contractual Clauses for the transfer of personal data from the European Economic Area to countries outside of the EEA, in order to comply with the UK GDPR and other applicable data protection laws. The UK Addendum is available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf

Certain terms may be defined later in the DPA, and capitalized terms used in the DPA but not defined within it will have the meaning set forth in the Agreement. This is a common provision in contracts and agreements, which helps ensure that the parties are using consistent terminology throughout the document and that any undefined terms are interpreted in a manner consistent with the parties' intentions as expressed elsewhere in the agreement.

Scope, Relationship of the Parties, and Data Use Limitations

This DPA only applies to the extent that Apphud processes Personal Data that is considered Customer Data, which is the data that the Customer submits to Apphud as part of the Services. If Apphud processes any other Personal Data that is not Customer Data, this DPA does not apply to such processing.

Apphud will process Personal Data in order to perform the Services for Customer, comply with the DPA, and carry out Customer's reasonable written instructions that are consistent with the Agreement and DPA. Additionally, Apphud will not sell the Personal Data as defined in the CCPA, and will not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Apphud, unless required by Applicable Law. Finally, Apphud certifies that it understands and will comply with the restrictions and obligations set forth in this DPA.

This section sets out what Apphud will do if it receives a demand under Applicable Law to engage in Processing that is not permitted by the terms of the DPA. Apphud will attempt to redirect the demand to the Customer and provide information as reasonably necessary to effectuate the redirect. If Apphud cannot redirect the demand to Customer, Apphud will provide Customer with reasonable notice of the demand as promptly as possible under the circumstances, to the extent legally permitted to do so. This section does not affect Apphud's obligations under the 2021 Standard Contractual Clauses or the UK Addendum with respect to access by public authorities, which may have additional requirements related to notice and transparency.

With respect to Personal Data, the parties acknowledge and agree that Customer is the “Controller” and Apphud is Customer’s “Processor” as such terms are defined in the GDPR (regardless of whether the GDPR applies). For clarity, with respect to CCPA, Apphud is Customer’s “Service Provider” as defined therein.

Confidentiality and Training

Apphud is committed to ensuring the confidentiality of the Personal Data that it processes on behalf of the Customer. Specifically, Apphud will require its authorized personnel to maintain the confidentiality of the Personal Data through contractual obligations. This means that Apphud will ensure that its employees, contractors, or agents who have access to the Personal Data are bound by confidentiality obligations to protect the confidentiality and security of such data.

Security

Apphud will comply with the security obligations of the GDPR and other applicable laws in its processing of Personal Data on behalf of the Customer. This means that Apphud will take appropriate technical and organizational measures to protect the Personal Data from unauthorized access, alteration, or destruction, and to ensure the confidentiality, integrity, and availability of the data.

Subprocessors

Apphud can use other companies or individuals (Subprocessors) to provide the Application Services as long as they follow the DPA. Subprocessors can only use Customer Data for providing the Application Services and are not allowed to use it for any other purpose. Apphud is responsible for ensuring that its Subprocessors comply with the obligations of the DPA.

The customer allows Apphud to use Subprocessors to process Personal Data according to Applicable Law and GDPR Art. 28. Apphud will ensure that its Subprocessors have similar or more strict contractual obligations as Apphud under this DPA, based on the nature of the services provided.

If the Customer objects to a new Subprocessor for data protection reasons and notifies Apphud within 30 days of Apphud's notice of the new Subprocessor, Apphud will make reasonable efforts to avoid having the objected-to Subprocessor process Personal Data. If Apphud is unable to make changes within a reasonable time, or if the new Subprocessor cannot comply with the DPA or Applicable Law, the Customer can terminate their subscription to the Services. Apphud will refund any prepaid fees on a pro-rata basis. If the Customer does not object to the new Subprocessor in time, they are deemed to consent to its use.

Apphud is responsible for the actions and failures of its Subprocessors in the same way that it is responsible for its own actions and failures, within the limitations of liability stated in the Agreement or this DPA.

Both parties acknowledge that the auditing privileges granted in this DPA are limited to Apphud's affiliated Subprocessors' facilities and do not encompass the facilities of non-affiliated Subprocessors.

Assistance Responding to Individuals’ Requests to Exercise Rights

Apphud is responsible for reasonably and timely assisting Customer in fulfilling its obligation to honor and respond to requests by individuals to exercise their Personal Data-related rights under the GDPR or other Applicable Law. This includes requests for access, correction, deletion, or other actions related to their Personal Data, to the extent that such assistance is technically possible. In other words, Apphud must provide reasonable assistance to Customer in responding to such requests, but only to the extent that it is technically feasible for Apphud to do so. This obligation helps to ensure that Customer can fulfill its obligations under the applicable data protection laws and regulations with respect to Data Subject Requests.

Apphud is obliged to reasonably assist the Customer in responding to requests from data subjects under Data Protection Legislation. This includes requests for information about the processing, access, rectification, erasure, or portability of personal data. Apphud will provide this assistance to the extent possible and only if legally permitted to do so. The Customer will be responsible for reimbursing Apphud for any reasonable costs incurred in providing this assistance. If Apphud receives a request from a data subject in relation to the Customer's personal data, Apphud will advise the data subject to submit their request to the Customer. The Customer will then be responsible for responding to the request, including using the functionality of the Application Services if necessary. The Customer agrees that Apphud may confirm to a data subject that their request relates to the Customer.

This section describes how Apphud handles Data Subject Requests or complaints from individuals or their representatives. If Apphud receives such a communication that identifies Customer or pertains to the Personal Data that Apphud Processes for Customer, Apphud will forward it to Customer at the Designated Address as soon as commercially practicable and no later than three (3) business days after receipt, provided the communication arrives via compliance@apphud.com or any other contact method specified in Apphud's then-current publicly available Privacy Notice.

Personal Data Breach Notification

Apphud will comply with the Personal Data Breach-related obligations applicable to it under the GDPR and other Applicable Laws. Apphud will assist Customer in complying with those applicable to Customer by informing Customer of a Personal Data Breach without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach impacting Customer and by otherwise complying with this Personal Data Breach Notification section of this DPA.

Any notification required under this DPA will be provided by Apphud to the Customer at the Designated Address.

The notification will include information on the nature of the breach, the categories and an approximate number of individuals or data subjects affected, the categories and an approximate number of Personal Data records involved, and the likely consequences of the breach. Additionally, the notification will outline measures taken or proposed to be taken by Apphud to address the breach and mitigate any adverse effects. It's important to note that the notification does not constitute an admission of fault or responsibility by Apphud.

If Apphud becomes aware of a Personal Data Breach, it will notify Customer at the Designated Address.

Assistance with DPIAs and Consultation with Supervisory Authorities

Apphud agrees to reasonably assist and cooperate with the Customer in the following matters related to Personal Data processing involving Apphud:

  • Performing any necessary data protection impact assessment for the Processing or proposed Processing of Personal Data, and

  • Consultation with supervisory authorities as required by Applicable Law.

Apphud will provide such reasonable assistance to help the Customer fulfill their legal obligations in compliance with Applicable Law.

Data Return and Destruction

During the Data Retrievability Period of thirty (30) days, Apphud will make all Personal Data stored within the Services available to Customer. After this period, Apphud will promptly destroy all Personal Data, except for instances where retention is required by Applicable Law or necessary to resolve a dispute between the parties.

If retention of Personal Data is required by law, Apphud will inform the Customer and will retain only the Personal Data required by law and for as long as required by law. Apphud will continue to comply with this DPA with respect to the retained Personal Data and will destroy it as soon as legally permissible.

Upon the Customer's request, Apphud will provide certification of the destruction or return of Personal Data within ten (10) business days of completing such destruction or return.

Compliance Verification and Audits

Every year, external auditors conduct audits on Apphud to ensure compliance with well-known industry standards. If requested in writing by the Customer, and subject to confidentiality obligations outlined in the Agreement, Apphud will provide the Customer with relevant audit reports or certificates related to the Services, such as SOC 2 reports or ISO certificates, if available. Alternatively, Apphud will provide any other information that is reasonably necessary to demonstrate compliance with this DPA.

If required by Data Protection Legislation, Apphud will allow Customer and its auditors or authorized representatives to conduct audits or inspections of Apphud's procedures related to the protection of Customer's Personal Data, no more than once every 12 months and at Customer's expense. Customer must give Apphud at least 45 days' written notice and ensure that the audit or inspection is conducted during reasonable business hours with minimal disruption to Apphud. The audit may be conducted by Customer or by an audit body agreed upon by both parties, consisting of independent members with the necessary professional qualifications and bound by confidentiality obligations. The audit shall not exceed 48 hours in duration. Apphud will provide reasonable assistance to facilitate the audit or inspection.

Data Transfers

In order to ensure that Personal Data transferred out of the European Economic Area and its member states, the United Kingdom, and/or Switzerland is protected, Customer gives Apphud authorization to conduct such international transfers subject to the 2021 Standard Contractual Clauses and the UK Addendum, as applicable. The parties are considered to have signed the 2021 Standard Contractual Clauses and UK Addendum by entering into this DPA.

Under GDPR, the 2021 Standard Contractual Clauses are included in this DPA and take precedence over any conflicting provisions of this DPA for international transfers of Personal Data. The following terms apply to the 2021 Standard Contractual Clauses:

  • Customer acts as controller and Apphud acts as processor for the Personal Data governed by the 2021 Standard Contractual Clauses, and Module 2 (Controller to Processor) applies.

  • Clause 7 (the optional docking clause) does not apply.

  • The parties select Option 2 (General written authorization) under Clause 9 (Use of subprocessors), and Apphud must update the list of subprocessors at least 10 business days prior to any intended additions or replacements.

  • The optional requirement under Clause 11 (Redress) that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.

  • The parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights) under Clause 17 (Governing law), and the law of the Netherlands is selected.

  • The courts of the Netherlands are selected under Clause 18 (Choice of forum and jurisdiction).

  • Annexes I and II of the 2021 Standard Contractual Clauses are included in Schedule A of the DPA.

  • Annex III of the 2021 Standard Contractual Clauses (Subprocessor List) is included in Schedule B of the DPA.

If required under UK Data Protection Law, the UK Addendum will be part of this DPA and will take priority over the rest of the DPA in case of any conflict for such transfer. The following provisions will apply:

  • The Customer is the exporter, and their contact details are in Schedule A.

  • Apphud is the importer, and their contact details are in Schedule A.

  • The 2021 Standard Contractual Clauses as completed in Section 27 above will be the Approved EU SCCs referred to in Table 2 of the UK Addendum.

  • Schedule A of the DPA contains Annex 1A and 1B of the UK Addendum.

  • Annex II of Schedule A of the DPA is Annex II of the UK Addendum.

  • Schedule B of the DPA contains Annex III of the UK Addendum.

  • The Customer and Apphud can terminate the UK Addendum according to the terms set out in Table 4 of the UK Addendum.

To protect transfers of Personal Data from Switzerland, the 2021 Standard Contractual Clauses are included in this DPA and will take precedence over the rest of this DPA in case of any conflict. The 2021 Standard Contractual Clauses will be completed as outlined in Section 27, except for the following modifications:

  • The Swiss Federal Data Protection and Information Commission will be the competent supervisory authority under Clause 13 to the extent that the transfer is governed by the Swiss Federal Act on Data Protection.

  • The term "Member State" in the 2021 Standard Contractual Clauses will refer to Switzerland, and data subjects can exercise and enforce their rights under the 2021 Standard Contractual Clauses in Switzerland.

  • References to GDPR in the 2021 Standard Contractual Clauses will refer to the Swiss Federal Act on Data Protection (as amended and replaced).

Data Processing LGPD and CCPA compliance

If Customer Data includes personal data that is subject to the LGPD ("LGPD Covered Data"), then Customer Personal Data, as that term is used in this document, shall be deemed to include LGPD Covered Data.

If Apphud processes Customer Personal Data within the scope of the CCPA ("CCPA Personal Data"), the Parties agree as follows. CCPA Personal Data will be disclosed by Customer only for the limited and specified purposes of providing Services to Customer pursuant to the terms of the Agreement. Each party agrees to comply with applicable obligations under the CCPA and to provide the same level of privacy protection for CCPA Personal Data as required by the CCPA.

Customer shall have the right to take reasonable and appropriate steps to ensure that Apphud uses the CCPA Personal Data in a manner consistent with its obligations under the CCPA.

Apphud will notify Customer if it determines that it can no longer comply with its obligations under the CCPA. Upon such notice, Apphud may take reasonable and appropriate steps to stop and remediate any unauthorized use of the CCPA Personal Data. Apphud agrees not to retain, use or disclose CCPA Personal Data obtained in the course of providing services for any purpose other than the Business Purposes set forth in the Agreement, including retaining, using or disclosing CCPA Personal Data for a commercial purpose other than the Business Purpose set forth in the Agreement or as otherwise permitted by the CCPA.

Apphud will not (a) sell (as defined in the CCPA) or share (as defined in the CCPA) any CCPA Personal Data; (b) retain, use or disclose any CCPA Personal Data outside of the direct business relationship between Apphud and Customer; or (c) combine any CCPA Personal Data with personal data that Apphud has received from or on behalf of any other person or persons, or collects from its own interactions with the consumer, provided that Apphud may combine any CCPA Personal Data to fulfill a Business Purpose as defined in regulations adopted by the California Privacy Protection Agency.

Notwithstanding the foregoing, Apphud may:

  • Process or maintain personal information on behalf of the entity that provided the personal information or directed the service provider to collect the personal information, in accordance with the written contract for services required by the CCPA.

  • Retain and employ another service provider (as defined in the CCPA) as a subcontractor, if the subcontractor meets the requirements for a service provider under the CCPA and applicable regulations.

  • Use CCPA Personal Data internally to develop or improve the quality of the services it provides to Customer, even if this Business Purpose is not specified in the Agreement, provided that Apphud does not use the CCPA Personal Data to provide services on behalf of another person.

  • Prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent, or illegal activity, even if this Business Purpose is not specified in the Agreement, or act for the purposes enumerated in California Civil Code section 1798.145, subdivisions (a)(1) through (a)(7).

If Apphud receives a request to know or a request to delete from a consumer with respect to CCPA Personal Data, then Apphud shall either act on behalf of Customer in responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a service provider. To the extent of any conflict, this paragraph will supersede other terms in this DPA with respect to CCPA Personal Data.

Miscellaneous

This provision establishes a data processing agreement (DPA) that governs the processing of personal data by Apphud on behalf of a customer. Here are the meanings of the numbered provisions:

  1. This provision establishes that if there is a conflict between the DPA and the Agreement (presumably the main contract between the parties), the DPA will take precedence and control the parties' obligations with respect to personal data.

  2. This provision limits the liability of each party (presumably the customer and Apphud) in connection with the DPA, SCCs (Standard Contractual Clauses), and any other data protection agreements or security addenda that the parties have signed in connection with the main Agreement. The liability of each party will be subject to the limitations of liability section in the Agreement, which presumably sets out the maximum amount of damages that a party can be liable for under the Agreement as a whole.

  3. This provision states that the DPA supersedes and replaces any previous agreements or understandings between the parties related to the subject matter of the DPA. This means that any previous agreements or understandings related to the processing of personal data by Apphud on behalf of the customer are no longer valid and have been replaced by the DPA.

Schedule A to DPA

Annexes I and II of the 2021 Standard Contractual Clauses

ANNEX I

A. LIST OF PARTIES

MODULE TWO: Transfer controller to processor

Data exporter(s):

This provision establishes a Standard Contractual Clauses (SCCs) document used in the context of data transfers from a data exporter (likely a customer) to a data importer (the other party). Here are the meanings of the items listed:

  • Name: Refers to the name of the customer entity identified in the Agreement or on any applicable Order Document.

  • Address: Refers to the address of the customer as specified on the Ordering Document.

  • Contact Name, Position, and Contact Details: Refers to the name, position, and contact information of the customer's designated contact person who will receive notifications related to the SCCs.

  • Activities relevant to the data transferred under the Standard Contractual Clauses: Refers to a brief description of the customer's activities that involve the transfer of personal data to the data importer. In this case, it indicates that the data exporter (customer) is using the services of the data importer as described in the Agreement.

  • Role (controller/processor): This refers to the customer's role as either a controller or processor of the personal data being transferred under the SCCs. It is not clear from the text which role the cust

Data importer(s):

  • Name: Apphud, Inc.

  • Address: 850 New Burton Rd, Ste 201, Dover, DE 19904

  • Name, position and contact details of the Contact person: Renat Kurbanov, Chief Technology Officer, compliance@apphud.com

  • Activities relevant to the data transferred under these Clauses: The data importer provides certain services to the data exporter as described in the Agreement.

  • Role (controller/processor): Processor.

B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor

Categories of data subjects whose personal data is transferred:

Apphud allows customers to transfer personal data from their end-users of mobile and web applications. The extent of this personal data is determined and controlled by the customer in their sole discretion, meaning they have full control over what personal data they transfer to Apphud.

It's important to note that the customer is responsible for complying with relevant data protection regulations and obtaining appropriate consent from their end-users for the collection and use of their personal data. Apphud has a responsibility to ensure the security and confidentiality of any personal data it processes, as outlined in its Privacy Policy and in accordance with applicable laws.

Categories of personal data transferred:

  1. Identifying information: Names, email addresses, and telephone numbers of end users.

  2. Browsing activity: Information related to the website and application browsing activity of end users.

  3. Login history: Information related to the login history of end users.

  4. Location information: Information related to the location of end users.

  5. Device information: Information related to the devices used by end users, such as device identifiers (excluding Apple ID), operating system, and IP addresses.

If sensitive data is transferred, there must be appropriate restrictions and safeguards in place to protect the nature of the data and minimize any potential risks involved. These may include strict purpose limitation, access restrictions (e.g., limited access only to staff who have undergone specialized training), keeping a record of access to the data, restrictions for onward transfers, or additional security measures.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

The transfer of personal data to Apphud is on a continuous basis and will continue until all customer personal data is deleted.

Nature of the processing:

Apphud will process personal data to provide services to the customer as outlined in the Agreement and as instructed by the customer.

Purpose(s) of the data transfer and further processing:

The purpose of the data transfer and further processing is to provide the services agreed upon in the Agreement and to comply with reasonable instructions from the customer regarding the processing of personal data.

It's important to note that the customer is responsible for providing clear and specific instructions to Apphud regarding the processing of personal data to ensure compliance with applicable data protection regulations. Apphud has a responsibility to process personal data in accordance with the customer's instructions and to provide appropriate technical and organizational measures to ensure the security and confidentiality of the personal data.

C. COMPETENT SUPERVISORY AUTHORITY

MODULE TWO: Transfer controller to processor

  1. If the data exporter is established in an EU Member State, the supervisory authority of that Member State is the competent supervisory authority.

  2. If the data exporter is not established in an EU Member State but has appointed a representative in accordance with Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative is established shall act as the competent supervisory authority.

  3. If the data exporter is not established in an EU Member State and is not required to appoint a representative in accordance with Article 27(2) of Regulation (EU) 2016/679, the supervisory authority of one of the Member States in which the data subjects whose personal data are transferred under these clauses are located shall act as the competent supervisory authority. This is applicable when the data subjects are located in a Member State in connection with the offering of goods or services to them or monitoring their behavior.

ANNEX II

Introduction

Apphud has established an Information Security Policy that outlines commercially reasonable organizational and technical measures to protect Customer Data from unauthorized access, use, modification, or disclosure. These security measures are designed to prevent security breaches and ensure the confidentiality, integrity, and availability of Customer Data. Apphud is responsible for maintaining and updating these security measures to ensure that they remain effective and appropriate over time. By implementing such measures, Apphud aims to safeguard the privacy and security of Customer Data stored on systems under Apphud's control.

Customer Data and Management.

Apphud has implemented the following measures to limit its personnel's access to Customer Data:

  • Requires unique user access authorisation through secure logins and passwords, including multi-factor authentication for Cloud Hosting administrator access and individually assigned Secure Shell (SSH) keys for external engineer access. This ensures that only authorized personnel have access to Customer Data.

  • Limits Customer Data available to Apphud personnel on a "need to know" basis. This means that only personnel who require access to the data to perform their job responsibilities are granted access to it.

  • Restricts access to Apphud's production environment by Apphud personnel on a "need to know" basis. This further limits access to the production environment where Customer Data is stored.

  • Stores user security credentials for production access only in encrypted form, so that unauthorized access to the credential store alone does not yield usable credentials.

  • Prohibits Apphud personnel from storing Customer Data on portable electronic storage devices such as computer laptops, portable drives, and similar devices. This reduces the risk of unauthorized access to Customer Data through the loss or theft of such devices.

By implementing these measures, Apphud is taking steps to ensure the security and confidentiality of Customer Data and limit access to it to only authorized personnel on a need-to-know basis.

Data Encryption.

Apphud will use standard production encryption to protect Customer Data: 128-bit AES in CBC mode with PKCS7 padding, authenticated with HMAC-SHA256 or an equivalent message authentication code. AES-CBC provides confidentiality and the HMAC provides integrity, so ciphertext that has been modified is detected and rejected rather than decrypted. This is a widely used and accepted construction and helps ensure the confidentiality and integrity of Customer Data in transit and at rest, so that only parties holding the proper keys can read or alter the data.
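The construction named above (AES-128-CBC with PKCS7 padding, authenticated by HMAC-SHA256) is easy to get wrong in ways the one-sentence description does not show: the MAC must cover the IV and the ciphertext, it must be verified in constant time before any decryption or padding check (encrypt-then-MAC), and the encryption and MAC keys must be independent. The Go program below is an added example that implements the scheme this way; it is not Apphud's code, and Apphud does not publish its implementation. The record layout (IV || ciphertext || tag), the function names Seal and Open, and the literal sample keys are assumptions made for the example; in production the keys would come from a key-management service.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Assumed record layout: IV (16 bytes) || AES-128-CBC ciphertext || HMAC-SHA256 tag (32 bytes).
const tagSize = sha256.Size

// ErrAuth is returned for any truncated, malformed or modified record. Open does not
// distinguish a bad tag from bad padding, so it cannot serve as a padding oracle.
var ErrAuth = errors.New("sealed record failed authentication")

// pkcs7Pad appends 1..16 bytes, each equal to the pad length, so the result is a
// whole number of AES blocks. It always adds at least one byte.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips the padding added by pkcs7Pad.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, ErrAuth
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrAuth
	}
	return b[:len(b)-n], nil
}

// Seal encrypts plaintext with AES-128-CBC under encKey (16 bytes) using a fresh random
// IV, then appends HMAC-SHA256(macKey, iv || ciphertext). The two keys must be independent.
func Seal(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	out := make([]byte, aes.BlockSize+len(padded), aes.BlockSize+len(padded)+tagSize)
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out) // the tag covers both the IV and the ciphertext
	return mac.Sum(out), nil
}

// Open verifies the tag in constant time before touching the ciphertext
// (encrypt-then-MAC), then decrypts and strips the padding.
func Open(encKey, macKey, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize+tagSize {
		return nil, ErrAuth
	}
	body, tag := sealed[:len(sealed)-tagSize], sealed[len(sealed)-tagSize:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrAuth
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, ErrAuth
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	// Constructed sample keys and record for the demo; real keys come from a KMS, not literals.
	encKey := bytes.Repeat([]byte{0x11}, 16)
	macKey := bytes.Repeat([]byte{0x22}, 32)
	sealed, err := Seal(encKey, macKey, []byte(`{"user_id":"u_42","plan":"pro"}`))
	if err != nil {
		panic(err)
	}
	tampered := append([]byte(nil), sealed...)
	tampered[aes.BlockSize] ^= 0x01 // flip one bit of the first ciphertext block
	_, err = Open(encKey, macKey, tampered)
	fmt.Printf("%d sealed bytes; tampered copy rejected: %v\n", len(sealed), errors.Is(err, ErrAuth))
}
```

Two design points worth noting. Because the tag is checked first with hmac.Equal, a modified, truncated or re-keyed record is rejected before any CBC decryption happens, which is what closes the padding-oracle class of attacks against CBC with PKCS7. Each call to Seal draws a fresh random IV, so sealing the same record twice yields different ciphertexts; reusing an IV under the same key would leak whether two records share a prefix.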

Network Security, Physical Security and Environmental Controls

Apphud has implemented the following measures to ensure network security, physical security, and environmental controls:

  • Apphud uses firewalls, network access controls, and other techniques to prevent unauthorized access to systems that process Customer Data. This helps ensure that only authorized personnel and devices can access the network and systems that contain Customer Data.

  • Apphud maintains measures to assess, test, and apply security patches to all relevant systems and applications used to provide the Services. This helps ensure that Apphud's systems and applications are up-to-date with the latest security patches and updates to protect against known vulnerabilities.

  • Apphud will monitor privileged access to applications that process Customer Data, including cloud services. This includes monitoring and logging of privileged access to systems that process Customer Data to detect and prevent unauthorized access or misuse.

By implementing these measures, Apphud is taking steps to ensure the security and integrity of its network, systems, and applications that process Customer Data. These measures help to prevent unauthorized access, mitigate security risks, and maintain the confidentiality and integrity of Customer Data.

Incident Response.

If Apphud becomes aware of unauthorized access to or disclosure of Customer Data under its control (a “Breach”), Apphud will take reasonable steps to mitigate the harmful effects of the Breach and to prevent further unauthorized access or disclosure. Apphud also maintains the following related data-protection measures:

  • Apphud maintains backup and recovery procedures to ensure the availability and integrity of Customer Data. These procedures include regular backups of Customer Data and testing of the restoration process to confirm that backups can be successfully restored. Apphud also maintains disaster recovery and business continuity plans to ensure the availability of the Services in the event of a disruption.

  • Apphud may use third-party service providers to assist in providing the Services and may transfer Customer Data to such providers for that purpose. Apphud will require any such provider to give sufficient guarantees that it implements appropriate technical and organizational measures so that the processing meets the requirements of applicable data protection law, and to enter into a written agreement providing for the processing of Customer Data in accordance with applicable data protection law and the terms of the Customer Agreement.

  • Apphud will retain Customer Data in accordance with the terms of the Customer Agreement or as required by applicable law. When Customer Data is no longer required for the purposes for which it was collected, Apphud will securely delete or destroy it in accordance with applicable data protection law.

  • To the extent required by applicable data protection law, Apphud will assist Customer in responding to requests from data subjects to exercise their rights with respect to Customer Data, including requests to access, correct or delete personal data, and requests to object to or restrict the processing of their personal data.

  • Apphud will cooperate with the Customer in any audit or compliance review relating to the processing of Customer Data, including any audit or review required by applicable data protection law or regulation, and will provide Customer with all information reasonably necessary to demonstrate compliance with such law or regulation.

Business Continuity Management

Business continuity and disaster recovery planning are essential to ensure that Apphud can maintain operations and continue to provide the Services to customers in the event of unexpected disruptions or disasters. The following measures are implemented by Apphud to ensure business continuity and disaster recovery:

  • Apphud maintains an appropriate business continuity and disaster recovery plan, which includes procedures for responding to various scenarios, such as natural disasters, cyber attacks, and other disruptive events.

  • Apphud maintains procedures to ensure failover redundancy with its systems, networks, and data storage. This means that if one system or network fails, there are backup systems and networks available to ensure continuity of service. Data storage is also replicated to multiple locations to ensure availability in the event of a disaster.

By implementing these measures, Apphud ensures that it is prepared to respond to unexpected events and minimize disruptions to the Services.

Personnel Management

Apphud has personnel management measures in place, which include:

  • Apphud performs employment verification, including proof of identity validation and criminal background checks for all new hires, including contract employees, in accordance with applicable law.

  • Upon employee termination, whether voluntary or involuntary, Apphud immediately disables all access to Apphud systems, including Apphud’s physical facilities.

These measures help ensure that only trustworthy individuals are granted access to Apphud systems and that access is promptly revoked when no longer required.

Last updated