{"id":78215,"date":"2023-09-05T14:52:01","date_gmt":"2023-09-05T14:52:01","guid":{"rendered":"https:\/\/tax.com\/?page_id=78215"},"modified":"2024-05-17T17:17:44","modified_gmt":"2024-05-17T17:17:44","slug":"dpa","status":"publish","type":"page","link":"https:\/\/tax.com\/trust-center\/legal\/dpa\/","title":{"rendered":"Data Processing Addendum"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"78215\" class=\"elementor elementor-78215\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-23cd8c6 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"23cd8c6\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;background_background&quot;:&quot;gradient&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\" elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6e364f7\" data-fullscreen-column-settings=\"{&quot;fullscreen&quot;:&quot;&quot;}\" data-id=\"6e364f7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4c268a0 elementor-widget elementor-widget-html\" data-id=\"4c268a0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<script>\n    document.body.classList.add('header-dark')\n<\/script>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-bd074ee custom-crumbs elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"bd074ee\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\" elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1e4f5e1\" data-fullscreen-column-settings=\"{&quot;fullscreen&quot;:&quot;&quot;}\" data-id=\"1e4f5e1\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e2be6c8 elementor-icon-list--layout-inline breadcrumbs-trust-center elementor-widget elementor-widget-litho-lists\" data-id=\"e2be6c8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"litho-lists.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items elementor-inline-items\">\n\t\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/tax.com\/trust-center\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Trust Center<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/tax.com\/trust-center\/legal\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path fill-rule=\"evenodd\" clip-rule=\"evenodd\" d=\"M9.97724 18.1574L14.462 6.15983C14.556 5.90832 14.422 5.63345 14.1627 5.54589C13.9034 5.45833 13.6169 5.59124 13.5229 5.84275L9.03814 17.8403C8.94412 18.0918 9.07813 18.3667 9.33746 18.4543C9.59679 18.5418 9.88323 18.4089 9.97724 18.1574Z\" fill=\"#3E4050\"><\/path><\/svg>\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Legal<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item list-item\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\">\n\t\t\t\t\t\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path fill-rule=\"evenodd\" clip-rule=\"evenodd\" d=\"M9.97724 18.1574L14.462 6.15983C14.556 5.90832 14.422 5.63345 14.1627 5.54589C13.9034 5.45833 13.6169 5.59124 13.5229 5.84275L9.03814 17.8403C8.94412 18.0918 9.07813 18.3667 9.33746 18.4543C9.59679 18.5418 9.88323 18.4089 9.97724 18.1574Z\" fill=\"#3E4050\"><\/path><\/svg>\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Data Processing Addendum<\/span>\n\t\t\t\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-23171a4 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"23171a4\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\" elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-8f1ae21\" data-fullscreen-column-settings=\"{&quot;fullscreen&quot;:&quot;&quot;}\" data-id=\"8f1ae21\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-10ef969 content-pages elementor-widget elementor-widget-heading\" data-id=\"10ef969\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">DATA PROCESSING ADDENDUM<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d6bb253 section-heading elementor-widget elementor-widget-text-editor\" data-id=\"d6bb253\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Last Updated: May 17, 2024<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-bc81060 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"bc81060\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\" elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-a5654ae\" data-fullscreen-column-settings=\"{&quot;fullscreen&quot;:&quot;&quot;}\" data-id=\"a5654ae\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5d2b504 legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"5d2b504\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>This Data Processing Addendum (\u201c<strong>DPA<\/strong>\u201d) is hereby incorporated by reference into and is part of the Software as a Services Agreement (\u201c<strong>Agreement<\/strong>\u201d) entered into between Ryan, LLC and its <em>tax.com<\/em>\u00a0operating division (together with its Affiliates, \u201c<strong>Ryan,<\/strong>\u201d \u201c<strong>We,<\/strong>\u201d \u201c<strong>Our,<\/strong>\u201d or \u201c<strong>Us<\/strong>\u201d) and <strong>Customer<\/strong> (\u201c<strong>You(r)<\/strong>\u201d) and sets out the obligations of the Parties with respect to the Processing of Customer Personal Data in connection with the Agreement. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. Unless otherwise defined herein, any capitalized terms will have the meanings given to them in the Agreement. Ryan and Customer may be referred to herein collectively as the &#8220;<strong>Parties<\/strong>&#8221; or individually as a &#8220;<strong>Party<\/strong>.&#8221;<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f6413e4 content-pages elementor-widget elementor-widget-heading\" data-id=\"f6413e4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">1. DEFINITIONS<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-857946b legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"857946b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The following will have the following meaning in this DPA:<\/p><p><strong>\u201cAffiliate(s)\u201d<\/strong> means, with respect to any entity, any other entity that directly or indirectly controls, is controlled by, or is under common control with such entity, where &#8220;control&#8221; refers to the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract, or otherwise.<\/p><p><strong>\u201cApplicable Data Protection Laws\u201d<\/strong> means all data protection and privacy laws applicable to the respective party in its role in processing Personal Data under the Agreement, including, where applicable, EU &amp; UK Data Protection Law and the CCPA.<\/p><p><strong>\u201cCCPA\u201d<\/strong> means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (\u201c<strong>CPRA<\/strong>\u201d), and the regulations promulgated thereunder, as amended or superseded from time to time.<\/p><p><strong>\u201cController\u201d<\/strong> also referred to as <strong>\u201cBusiness,\u201d<\/strong>\u00a0<strong>\u201cProcessor\u201d<\/strong> also referred to as <strong>\u201cService Provider,\u201d<\/strong>\u00a0<strong>\u201cData Subject\u201d<\/strong> also referred to as <strong>\u201cConsumer,\u201d<\/strong>\u00a0<strong>\u201cPersonal Data\u201d<\/strong> also referred to as <strong>\u201cPersonal Information,\u201d<\/strong>\u00a0<strong>\u201cprocess\u201d<\/strong> or <strong>\u201cprocessing,\u201d<\/strong>\u00a0and <strong>\u201cSell\u201d<\/strong> or <strong>\u201cSelling\u201d<\/strong> (or any of their analogous terms) will all have the meanings set out in the relevant Applicable Data Protection Law.<\/p><p>\u201c<strong>Customer<\/strong>\u201d or \u201c<strong>You(r)<\/strong>\u201d means the entity or individual that has entered into the Agreement with Ryan, LLC.<\/p><p>\u201c<strong>Customer Data<\/strong>\u201d means any information submitted to the Online Services by Your Authorized Users.<\/p><p>\u201c<strong>Customer Personal Data<\/strong>\u201d means Personal Data that You or Your Affiliates provide under the Agreement for Us to process on Your behalf in connection with the Online Services. Customer Personal Data does not include information that is (i) deidentified, anonymized, aggregated, publicly available information, or business contact data (unless the Applicable Data Protection Law otherwise considers such information as Personal Data), (ii) usage statistics; or (iii) any information that the Applicable Data Protection Law specifically states does not constitute Personal Data.<\/p><p>\u201c<strong>Data Protection Authority<\/strong>\u201d means any supervisory authority with responsibility for the enforcement of Applicable Data Protection Law.<\/p><p><strong>\u201cData Protection Impact Assessment\u201d<\/strong> means an assessment of the impact of the proposed Processing of Customer Personal Data on the protection of the privacy of natural persons under the GDPR.<\/p><p><strong>\u201cData Protection Officer\u201d<\/strong> means an individual who is designated by Us to be responsible for the compliance with Applicable Data Protection Law and the DPA.<\/p><p><strong>\u201cEU\u201d<\/strong> means the European Union.<\/p><p><strong>\u201cEU &amp; UK Data Protection Law\u201d<\/strong> means (i) Regulation 2016\/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (\u201cGDPR\u201c); and (ii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (\u201cUK GDPR\u201c) and the Data Protection Act 2018 Commission Implementing Decision (EU) 2021\/914, the International Data Transfer Agreement (the &#8220;IDTA&#8221;) or the International Data Transfer Addendum to the EU SCCs (the &#8220;UK Addendum&#8221;) issued by the UK supervisory authority under the UK GDPR (\u201cUK IDTA\u201d).<\/p><p><strong>\u201cGDPR\u201d<\/strong> means the General Data Protection Regulation (EU) 2016\/679.<\/p><p>\u201c<strong>Online<\/strong> <strong>Services<\/strong>\u201d means Our proprietary software provided as a subscription-based, third-party hosted service under an Order Form.<\/p><p><strong>\u201cProcessor\u201d<\/strong> means Ryan, LLC.<\/p><p><strong>\u201cSecurity Incident\u201d<\/strong> means a breach of security that causes the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.<\/p><p><strong>\u201cSecurity Measures\u201d<\/strong> means the administrative, physical, and technical security measures described in Schedule 1.<\/p><p><strong>\u201cSensitive Personal Data\u201d<\/strong> means Personal Data that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health or sex life.<\/p><p>\u201c<strong>Standard Contractual Clauses<\/strong>\u201d or <strong>\u201cSCCs\u201d <\/strong>means those model clauses as approved by the European Commission from time to time, used as a legal mechanism to ensure the protection of Customer Personal Data when it is transferred outside of the European Economic Area or the UK. The version in effect at the time of data transfer will be used, and these can be located at <a href=\"https:\/\/ec.europa.eu\/info\/law\/law-topic\/data-protection\/international-dimension-data-protection\/standard-contractual-clauses-scc_en\">https:\/\/ec.europa.eu\/info\/law\/law-topic\/data-protection\/international-dimension-data-protection\/standard-contractual-clauses-scc_en<\/a>.<\/p><p><strong>\u201cSub-processor\u201d<\/strong> means any third-party entity engaged by Us to provide services to Us or Customer in connection with the Agreement.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a4f3121 content-pages elementor-widget elementor-widget-heading\" data-id=\"a4f3121\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">2. SCOPE OF DPA AND ROLES OF THE PARTIES<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-905dc88 legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"905dc88\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ol><li><strong>Scope.<\/strong> The purpose of this DPA is to ensure that the processing of Customer Personal Data within the Service complies with Applicable Data Privacy Laws.<\/li><li><strong>Parties\u2019 Roles<\/strong><ol><li>For the Online Services, as between Us and You, We will process Customer Personal Data only as a Processor (or sub-processor) acting on Your behalf and, with respect to CCPA, as a \u201cservice provider,\u201d as defined therein, and as otherwise similarly defined under Applicable Data Privacy Laws, in each case regardless of whether You act as a Controller or Processor with respect to Customer Personal Data.<\/li><li>Each party agrees it will comply with Applicable Data Privacy Laws and this DPA in connection with the Agreement;<\/li><li>Each party will notify the other if they reasonably believe that the instruction or processing of Customer Personal Data violates Applicable Data Privacy Laws.<\/li><li>Customer and Processor agree to cooperate in good faith to amend the Agreement or this DPA or enter into further mutually agreeable data processing agreements to comply with Applicable Data Privacy Laws.<\/li><\/ol><\/li><li><strong>Customer<\/strong><ol><li>You will, in Your use of the Online Services, comply with Your obligations under Applicable Data Privacy Laws when processing Personal Data and when issuing processing instructions to Us. You represent that You have provided notice and obtained (or will obtain) all necessary consents and rights under Applicable Data Privacy Laws to process Personal Data pursuant to this DPA.<\/li><li>You exclusively control the Personal Data to be collected, uploaded, and stored in the Online Services, and for designating the access controls applicable to Your Authorized Users. If You use the Online Services to process any categories of Personal Data not expressly authorized by the Agreement or this DPA, You assume responsibility for noncompliance with the Applicable Data Privacy Laws.<\/li><li>You will process Personal Data of Ours in accordance with Applicable Data Privacy Laws and Your policy practices set forth on Your site. Such disclosures may be made by Us from time to time for purposes of contract management, service management, or security purposes.<\/li><\/ol><\/li><li><strong>Processor<br \/><\/strong>Except as otherwise required under Applicable Data Privacy Laws, We and Our Sub-processors will process Customer Personal Data in accordance with Applicable Data Privacy Laws and only to: (a) perform the Online Services for You pursuant to the Agreement; (b) comply with this DPA; (c) carry out Your reasonable written instructions that are consistent with the Agreement and this DPA.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d93463f content-pages elementor-widget elementor-widget-heading\" data-id=\"d93463f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">3. COOPERATION<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7032776 legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"7032776\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ol style=\"margin-left: 20px;\"><li>If We receive a request from a Data Subject seeking to exercise rights under Applicable Data Privacy Laws (\u201c<strong>Data Subject Requests<\/strong>\u201d), and the Data Subject Request identifies Customer, or We are aware that the Data Subject Request pertains to the processing on behalf of Customer, We will forward the communication promptly to Customer as commercially practicable for Customer to respond and We will cooperate with Customer with the request as reasonably directed.<\/li><li>We will provide reasonable cooperation and provide reasonably requested information regarding the Services to enable Customer to perform data protection impact assessments or in connection with a consultation with supervisory authorities when required under Applicable Data Privacy Laws.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-01009fc content-pages elementor-widget elementor-widget-heading\" data-id=\"01009fc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">4. SECURITY<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-19c0fc9 legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"19c0fc9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ol><li>We will implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data in accordance with Our Technical and Organizational Measures stated in Annex II. We may review and update or otherwise change Our practices from time to time, provided that any such updates will not materially diminish the overall security of the Online Services or Customer Personal Data.<\/li><li>You are responsible for protecting and securing Your authentication credentials and in protecting the Customer Personal Data when in transit to and from the Online Services. You will promptly alert Us of any reasonably suspected Security Breach at <a href=\"mailto:privacy@ryan.com\">privacy@ryan.com<\/a>.<\/li><li>\u201cProtected Third Party Information\u201d includes Sensitive Personal Data, Personal Identification Information, Patient Health Information, Personal Financial Information, and Personal Educational Information, as each is defined in Section 5(c)(i)-(iv) below. Customer will be responsible for protecting Protected Third-Party Information and Sensitive Customer Information from disclosure by following the requirements of this Section. You will minimize processing or Protected Third Party Information by limiting processing to what is necessary and not transferring Protected Third-Party Information or Sensitive Customer Information to the Online Services unless the transfer of such information is expressly necessary to utilize the Online Services.<br \/><ol><li style=\"list-style-type: none;\"><ol><li>\u201cPersonal Identification Information\u201d or \u201cPII\u201d includes information that can be traced to a particular individual, such as name, mailing address, phone number, and email address, when processed in combination with a social security number, driver\u2019s license number, or state ID card, or similar identifier could be used to (1) facilitate identity theft (2) permit access to an individual\u2019s financial account (3) require notification under any data breach notification law if compromised. <\/li><li>\u201cPatient Health Information\u201d or \u201cPHI\u201d includes information regarding a particular individual\u2019s health and medical treatment and includes medical record number, account number, social security number, insurance information, claims information, payment information, patient demographic data, dates of License, date of admission, discharge medical records, medical treatment, reports, test results, and all other information regulated by the Health Insurance Portability and Accountability Act (HIPAA).<\/li><li>\u201cPersonal Financial Information\u201d or \u201cPFI\u201d includes credit or debit card information, other payment card information, bank account, investment account, and all other information considered confidential under the Payment Card Industry Data Security Standards (PCI DSS). <\/li><li>\u201cPersonal Educational Information\u201d or \u201cPEI\u201d includes student records, test results, courses taken, educational records pertaining to an individual student, and all other information regulated by the Federal Family Educational Rights and Privacy Act (FERPA).<\/li><\/ol><\/li><\/ol><\/li><li>\u201cSensitive Customer Information\u201d includes Customer\u2019s sensitive non-public data, including but not limited to trade secrets, proprietary information, research &amp; development, business plans and strategies, operating reports, manufacturing data, pricing information, marketing and sales data, information regarding litigation, techniques, formulas, source code, potential acquisitions and equity investments, personnel records, organization charts, and banking information.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-fb83917 content-pages elementor-widget elementor-widget-heading\" data-id=\"fb83917\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">5. SUB-PROCESSORS<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3c7438a legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"3c7438a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ol style=\"margin-left: 20px;\"><li>We will engage Sub-processors under a written (including in electronic form) contract consistent with the terms of this DPA in relation to the Sub-processor\u2019s processing of Personal Data. As between Us and You, We will be liable for Sub-processors\u2019 obligations, performance, and services under the Agreement;<\/li><li>We will evaluate the security, privacy, and confidentiality practices of a Sub-processor before selection to establish that it can provide the level of protection of Personal Data required by this DPA, including ensuring that the Sub-processor is under an appropriate obligation of confidentiality; and\u00a0<\/li><li>Our list of Sub-processors in place on the effective date of the Agreement is stated in Annex III. Customer may subscribe to receive notification of any changes to Our Sub-processors, and if no objection is made within 10 days of such change, consent is deemed given.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b1b056e content-pages elementor-widget elementor-widget-heading\" data-id=\"b1b056e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">6. SECURITY INCIDENT NOTIFICATION<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-303f7f3 legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"303f7f3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ol style=\"margin-left: 20px;\"><li>We will implement and maintain policies and procedures to detect, respond to, and address Security Incidents including procedures to identify and respond to Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and restore the availability or access to Customer Data to You in a timely manner.<\/li><li>We will notify You within 72 hours, or sooner if required under Applicable Data Privacy Laws, of a Security Incident. In the event of a Security Incident, We will take commercially reasonable measures and actions to remedy or mitigate the effects of the Security Incident, including performing a root cause analysis to identify the cause of such Security Incident.<\/li><li>We will keep You informed as to the status of the Security Incident, periodically providing timely notices of relevant details, a point of contact, and measures taken or planned to address the Security Incident.<\/li><li>We will reasonably cooperate and assist You with any investigations into, and remediation of, the Security Incident (including, upon Customer&#8217;s request for Security Incidents caused by Us, and if required by Applicable Data Privacy Laws, the provision of notice to regulators or affected individuals, establishing call centers, and providing a credit monitoring service for one year).<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e9440f6 content-pages elementor-widget elementor-widget-heading\" data-id=\"e9440f6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">7. DATA EXPORT AND DELETION\u00a0<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-51dc35c legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"51dc35c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Upon Your request, Agreement termination, or Agreement expiration, We will delete all Customer Data in Our possession or control, except to the extent that We are required to retain such data by law or Our retention policies or as otherwise provided for in the Agreement (in which case, it will keep the data confidential and refrain from further processing except to the extent required by applicable law).<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e0018ff content-pages elementor-widget elementor-widget-heading\" data-id=\"e0018ff\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">8. COMPLIANCE VERIFICATION AND AUDIT<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d80ddfa legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"d80ddfa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ol><li>Upon Your request no more than annually, except for reasonable cause such as a regulatory request or Security Incident caused by Us, We will provide information confirming compliance with the requirements of this DPA by providing You with the following:<ol><li>Completion of an information security questionnaire, via a secure portal, consolidated into a single questionnaire for multiple product subscriptions;<\/li><li>A summary of the results of any independent third-party assessment or certification (e.g., SOC2, ISO 27001), that We undertake and make available to customers with respect to the Online Services and Our data hosting environment.<\/li><\/ol><\/li><li>If We are unable to reasonably demonstrate compliance with the security and audit obligations under Section 9(a) of this DPA, We will provide additional information and access to security personnel (as generally made available to other customers as reasonably requested), as to Our security practices, subject to the confidentiality requirements of the Agreement. The content and timing of such review will be agreed to by the Parties, and any third-party auditor hired by You may not be a competitor of Ours or have any other actual or apparent conflict of interest.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-320d498 content-pages elementor-widget elementor-widget-heading\" data-id=\"320d498\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">9. DATA TRANSFERS<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a73c8f7 legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"a73c8f7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ol><li>We may, in connection with the provision of the Online Services, make international transfers of Personal Data to Our Affiliates and Sub-processors. When making such transfers, We will ensure appropriate protection is in place to safeguard the Personal Data transferred under or in connection with this DPA.<\/li><li>Where the provision of Services involves the transfer of Personal Data from the EEA to countries outside the EEA (which are not subject to an adequacy decision under Applicable Data Protection Laws) such transfer will be subject to the following requirements: (a) We have in place intra-group agreements that incorporate Standard Contractual Clauses with any Affiliates which may have access to the Personal Data; and (b) We have in place agreements with Sub-processors that incorporate the Standard Contractual Clauses, as appropriate, subject to the following modifications:<\/li><li>The modifications to the Standard Contractual Clauses are as follows:<ol><li>in Clause 2 (Effect and invariability of the Clauses), Module Two shall apply (Controller to Processor);\u00a0<\/li><li>in Clause 7 (Docking Clause), the optional docking clause will apply;\u00a0<\/li><li>in Clause 9 (Use of sub-processors), for subsection (a), Option 2 will apply, in accordance with any additional requirements outlined herein;\u00a0<\/li><li>in Clause 11 (Redress), the optional language will not apply;\u00a0<\/li><li>in Clause 13 (Supervision), the competent Supervisory Authority shall be the Data Protection Commission of Ireland;\u00a0<\/li><li>in Clause 17 (Governing Law), Option 1 will apply, and will be governed by the law of Ireland;\u00a0<\/li><li>in Clause 18 (Choice of Forum and jurisdiction), for subsection (b), disputes shall be resolved before the courts of Ireland;\u00a0<\/li><li>Annex I shall be deemed completed with the information set out in Schedule 1 to this DPA;<\/li><li>Annex II shall be deemed completed with the information set out in Schedule 2 to this DPA;\u00a0<\/li><li>Annex III shall be deemed completed with the information set out in Schedule 3 to this DPA.<\/li><\/ol><\/li><li>To the extent that Personal Data contained within Customer Data is transferred by or on behalf of Licensee (including onward transfers) from within the United Kingdom, Switzerland, or Brazil to Us in a jurisdiction outside of the same (each a \u201c<strong>Transferred Jurisdiction<\/strong>\u201d), the Parties agree that, with respect to any restricted transfer under Applicable Data Privacy Laws, the SCCs (as modified above, together with the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0), in force 21 March 2022 (the \u201cAddendum\u201d), shall provide the appropriate safeguards required of such transfer, subject to the following modifications:<ol><li>references to the \u201cRegulation (EU) 2016\/679,\u201d \u201cthe Regulation,\u201d or the GDPR shall be interpreted as references to the Applicable Data Privacy Laws of the Transferred Jurisdiction;\u00a0\u00a0<\/li><li>where required or appropriate, references to specific Articles of the GDPR shall be replaced with the equivalent article or section of the Applicable Data Privacy Laws of the Transferred Jurisdiction;\u00a0\u00a0<\/li><li>references to &#8220;EU,&#8221; &#8220;Union,&#8221; and &#8220;Member State&#8221; shall be replaced with references to the Transferred Jurisdiction;\u00a0\u00a0<\/li><li>the &#8220;competent supervisory authority&#8221; shall be the UK Information Commissioner, the Swiss Federal Data Protection and Information Commissioner, or Brazil\u2019s National Data Protection Authority, as applicable;\u00a0\u00a0<\/li><li>the &#8220;competent courts&#8221; shall mean the courts of England, Switzerland, or Brazil, as applicable;\u00a0\u00a0<\/li><li>in Clause 9 and Clause 11(3), the SCCs shall be governed by the laws of England, Switzerland, or Brazil, as applicable;\u00a0\u00a0<\/li><li>with respect to the United Kingdom, Part 2 of the Addendum (Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses), as applicable, is incorporated herein and shall supplement the SCCs; and\u00a0\u00a0<\/li><li>Annex III to the Addendum will be deemed completed using the Sub-processor list found at <a href=\"https:\/\/www.tax.com\/trust-center\/subprocessors\">https:\/\/www.tax.com\/subprocessors<\/a>.<\/li><\/ol><\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5951802 content-pages elementor-widget elementor-widget-heading\" data-id=\"5951802\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">10. MISCELLANEOUS<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9e0b4d7 legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"9e0b4d7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ol><li>To the extent permitted by Applicable Law, any claims brought under or in connection with this DPA will be subject to the exclusions and limitations set forth in the Agreement.\u00a0\u00a0<\/li><li>Except as expressly permitted by the SCCs, no one other than a party to this DPA will have any right to enforce its terms, but each party may enforce its terms on behalf of its Affiliates, if applicable.\u00a0<\/li><li>Except as otherwise specified herein, this DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.<\/li><li>This DPA will remain in force as long as We process Customer Personal Data under the Agreement.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a753092 content-pages elementor-widget elementor-widget-heading\" data-id=\"a753092\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">SCHEDULE 1<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b318515 content-pages elementor-widget elementor-widget-heading\" data-id=\"b318515\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">ANNEX I to the Standard Contractual Clauses&nbsp;<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a0e169b content-pages elementor-widget elementor-widget-heading\" data-id=\"a0e169b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">A. LIST OF PARTIES<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-41f8663 content-pages elementor-widget elementor-widget-heading\" data-id=\"41f8663\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\">Module Selection<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1680e9e elementor-widget elementor-widget-html\" data-id=\"1680e9e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<style type=\"text\/css\">\r\n    .privacy-tb{\r\n        margin: 20px 0;\r\n        line-height: 1.4;\r\n        color: #333;\r\n    } \r\n     \r\n    .privacy-tb .header{\r\n        background-color: #3E4050;\r\n        color: #fff;\r\n        font-size: 14px;\r\n        font-weight: 600;\r\n        font-family: \"Myriad Pro\";\r\n        text-transform: uppercase;\r\n        border-top: 1px solid #ccc;\r\n        border-left: 1px solid #ccc;\r\n        border-bottom: 1px solid #ccc;\r\n    }\r\n    \r\n    .privacy-tb .header .col{\r\n        border-right: 1px solid #ccc;\r\n        padding: 10px;\r\n    }\r\n    \r\n    .privacy-tb .header .col:not(:first-child){\r\n        justify-content: left;\r\n        text-align: left;\r\n    }\r\n    \r\n    .privacy-tb .header .col:not(.mobile-only):not(.tablet-only){\r\n        display: flex;\r\n        align-items: center;\r\n    }\r\n    \r\n    .privacy-tb .body-cell .col:not(:first-child){\r\n        text-align: left;\r\n    }\r\n    \r\n    .privacy-tb .col.last{\r\n        border-right: none;\r\n    }\r\n    \r\n    .privacy-tb .body-cell .col .row{\r\n        height: 100%;\r\n    }\r\n    \r\n    .privacy-tb .body-cell .col .row .col {\r\n        padding: 10px;\r\n        border-bottom:1px solid #D2D3DC;\r\n        font-family: \"Myriad Pro\";\r\n        font-size: 16px;\r\n        line-height: 24px;\r\n        color: #3E4050;\r\n        font-weight: 400;\r\n    }\r\n    \r\n    .privacy-tb .body-cell:nth-child(odd) .col .row .col {\r\n        background-color: #F8F8FA;\r\n    }\r\n    \r\n    .table-footer-text {\r\n        font-family: \"Lato\";\r\n        font-size: 18px;\r\n        line-height: 40px;\r\n        color: #585757;\r\n    }\r\n\r\n<\/style>\r\n<!-- code here -->\r\n<div class=\"container-fluid privacy-tb\">\r\n    <div class=\"row g-0 header\">\r\n        <div class=\"col col-1\"><\/div>\r\n        <div class=\"col col-11\">Select Applicable SCC Module<\/div>\r\n    <\/div>\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-1\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-11\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><b>Module One: <\/b>Controller to Controller<\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-1\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">&#10004;<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-11\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><b>Module Two: <\/b>Controller to Processor<\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-1\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-11\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><b>Module Three: <\/b>Processor to Processor<\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-1\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-11\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><b>Module Four: <\/b>Processor to Controller<\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n<\/div>\r\n<!-- code end -->\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7502a14 content-pages elementor-widget elementor-widget-heading\" data-id=\"7502a14\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\">Data exporter(s):<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4803ea2 legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"4803ea2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>Name:<\/strong> The entity identified as \u201cCustomer\u201d in the DPA.<br \/><strong>Address:<\/strong> The address for Customer associated with its account or as otherwise specified in the DPA or the Agreement.<br \/><strong>Contact person\u2019s name, position, and contact details:<\/strong> The contact details associated with Customer\u2019s account, or as otherwise specified in the DPA or the Agreement.<br \/><strong>Activities relevant to the data transferred under these Clauses:<\/strong> The activities are specified in Section 2 of the DPA.<br \/><strong>Signature and date:<\/strong> By using the Online Services or products the data exporter will be deemed to have signed this Annex I.<br \/><strong>Role (controller\/processor):<\/strong> Controller.<br \/><strong>Data importer(s):\u202f<br \/>Name:<\/strong> Ryan as identified in the DPA.<br \/><strong>Address:<\/strong> The address for Ryan is specified in the Agreement.<br \/><strong>Contact person\u2019s name, position, and contact details:<\/strong> The contact details for Ryan are specified in the DPA or the Agreement.<br \/><strong>Activities relevant to the data transferred under these Clauses:<\/strong> The activities are specified in Section 2 of the DPA.<br \/><strong>Signature and date:<\/strong> By transferring Customer Personal Data to Third Countries on Customer\u2019s instructions, the data importer will be deemed to have signed this Annex I.<br \/><strong>Role (controller\/processor):<\/strong> Processor\u00a0<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d5cc312 content-pages elementor-widget elementor-widget-heading\" data-id=\"d5cc312\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">B. Details of Data Processing<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b92f3fd elementor-widget elementor-widget-html\" data-id=\"b92f3fd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<style type=\"text\/css\">\r\n    .privacy-tb{\r\n        margin: 0;\r\n        line-height: 1.4;\r\n        color: #333;\r\n    } \r\n     \r\n    .privacy-tb .header{\r\n        background-color: #3E4050;\r\n        color: #fff;\r\n        font-size: 14px;\r\n        font-weight: 600;\r\n        font-family: \"Myriad Pro\";\r\n        text-transform: uppercase;\r\n        border-top: 1px solid #ccc;\r\n        border-left: 1px solid #ccc;\r\n        border-bottom: 1px solid #ccc;\r\n    }\r\n    \r\n    .privacy-tb .header .col{\r\n        border-right: 1px solid #ccc;\r\n        padding: 10px;\r\n    }\r\n    \r\n    .privacy-tb .header .col:not(:first-child){\r\n        justify-content: left;\r\n        text-align: left;\r\n    }\r\n    \r\n    .privacy-tb .header .col:not(.mobile-only):not(.tablet-only){\r\n        display: flex;\r\n        align-items: center;\r\n    }\r\n    \r\n    .privacy-tb .body-cell .col:not(:first-child){\r\n        text-align: left;\r\n    }\r\n    \r\n    .privacy-tb .col.last{\r\n        border-right: none;\r\n    }\r\n    \r\n    .privacy-tb .body-cell .col .row{\r\n        height: 100%;\r\n    }\r\n    \r\n    .privacy-tb .body-cell .col .row .col {\r\n        padding: 10px;\r\n        border-bottom:1px solid #D2D3DC;\r\n        font-family: \"Myriad Pro\";\r\n        font-size: 16px;\r\n        line-height: 24px;\r\n        color: #3E4050;\r\n        font-weight: 400;\r\n    }\r\n    \r\n    .privacy-tb .body-cell:nth-child(odd) .col .row .col {\r\n        background-color: #F8F8FA;\r\n    }\r\n    \r\n    .table-footer-text {\r\n        font-family: \"Lato\";\r\n        font-size: 18px;\r\n        line-height: 40px;\r\n        color: #585757;\r\n    }\r\n\r\n<\/style>\r\n<!-- code here -->\r\n<div class=\"container-fluid privacy-tb\">\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><b>Categories of data subjects whose personal data is transferred:<\/b><\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">The types of Customer Personal Data to be processed may include, but are not limited to: Data subjects relevant for the performance of the Online Services as set out in the Ryan Agreements including as may be set forth below:\r\n                    <ol>\r\n                        <li>Prospects, customers, business partners, and vendors of Customer (who are natural persons)<\/li>\r\n                        <br>\r\n                        <li>Employees or contact persons of Customer\u2019s prospects, customers, business partners, and vendors<\/li>\r\n                        <br>\r\n                        <li>Employees, agents, advisors, and freelancers of Customer (who are natural persons)<\/li>\r\n                    <\/ol>\r\n                <\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><b>Categories of personal data transferred:<\/b><\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">Personal data for the performance of the Online Services as set out in the Ryan Agreements may include:\r\n                    <ul>\r\n                        <li>Business contact information<\/li>\r\n                        <br>\r\n                        <li>IP Address and other automatically collected online data<\/li>\r\n                        <br>\r\n                        <li>Password\/login information<\/li>\r\n                    <\/ul>\r\n                <\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><b>Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:<\/b><\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">\r\n                    Ryan may Process Customer Personal Data, including \u201csensitive\u201d or \u201cspecial categories,\u201d (but only in the category of health-related data if required for a particular Online Service) of Customer Personal Data as defined in the Applicable Data Privacy Laws such as necessary for Ryan to perform the contractual obligations under the Ryan Agreements.\r\n                <\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><b>The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):<\/b><\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">\r\n                    Subject to the Agreement, Ryan will Process the Customer Personal Data continuously and until deletion of all Customer Personal Data as described in this DPA.\r\n                <\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><b>Nature of the processing:<\/b><\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">\r\n                    The performance of the Online Services pursuant to the Agreement.\r\n                <\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><b>Purpose(s) of the data transfer and further processing: <\/b><\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">\r\n                    Data Importer shall process the Customer Personal Data as necessary to perform the Online Services pursuant to the Agreement.\r\n                <\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><b>The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:<\/b><\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">\r\n                    Subject to the terms of the Agreement and unless otherwise agreed in writing, Ryan shall process the Customer Personal Data for the duration of the Ryan Agreements.\r\n                <\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><b>For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing:<\/b><\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">\r\n                    Same as above.\r\n                <\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><b>The identities of the sub-processors used in the provision of the Online Services and the subject matter which they process are listed here:<\/b><\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">Sub-processors are used by Ryan as specified in the Ryan Agreements. Ryan shall maintain a list of Sub-processors used by Ryan to perform the Online Services. The list is set forth in Annex III.\r\n                <\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><b>In the case of specific authorizations of sub-processors, the identities of the sub-processors used in the provision of the Online Services, contact persons details, description of processing (including a clear delineation of responsibilities in case of several sub-processors), and the subject matter which they process are listed here:<\/b><\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-6\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">\r\n                    N\/A\r\n                <\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n<\/div>\r\n<!-- code end -->\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3711b30 content-pages elementor-widget elementor-widget-heading\" data-id=\"3711b30\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">SCHEDULE 2<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9a4d024 content-pages elementor-widget elementor-widget-heading\" data-id=\"9a4d024\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">ANNEX II to the Standard Contractual Clauses\u00a0<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-207254d content-pages elementor-widget elementor-widget-heading\" data-id=\"207254d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-74020a1 legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"74020a1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Ryan, LLC (\u201c<strong>Ryan,<\/strong>\u201d \u201c<strong>We,<\/strong>\u201d \u201c<strong>Us<\/strong>\u201d) offers a wide variety of business tax solutions through its <em>tax.com<\/em>\u2122 platform and operating division. This Annex II sets forth the baseline contours of the information security posture with respect to these solutions. Online Services obtained through an Order Form may include additional security measures as appropriate for the sensitivity of the data and nature of the engagement. The definitions set forth in the Agreement will have the same meaning in this Annex II, except or as otherwise defined herein. Nothing in this Annex II alters the obligations or rights under the Agreement concerning Customer Data.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-03f87be legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"03f87be\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>Information Security Program<\/strong><\/p><ul><li><strong>Information Security Program. <\/strong>We maintain an enterprise-wide information security program that utilizes documented policies, procedures, and standards to protect the confidentiality, integrity, and availability of information and data in electronic and tangible form. We designed the information security program based on ISO\/IEC 27001 standards.<\/li><\/ul><p><strong>Organizational and Administrative Security\u00a0\/Risk Management<\/strong><\/p><ul><li><strong>Information Security Policies.<\/strong>\u202fWe maintain internal, documented, comprehensive information security policies, including incident response plans, data retention plans, and segregation of duties policies, and regularly review and update them.\u00a0<\/li><li><strong>Employee Screening.<\/strong>\u202fRyan ensures that all of its employees handling client data have undergone a background screening, to the extent permissible under local laws and regulations.<\/li><li><strong>Awareness and Education Program.<\/strong>\u202fWe provide security awareness and technology use training for employees, at hire and annually, including routine anti-phishing training.\u00a0<\/li><li><strong>Vendor Management. <\/strong>We subject vendors authorized to perform services on Our behalf involving Our systems, data, or technology to (1) a risk assessment process, (2) obligations of confidentiality, and (3) restrictions on such vendor\u2019s access to Personal Data consistent with Applicable Data Protection Laws and Our security requirements. We remain responsible for the compliance of its subcontractors with the terms of this Annex II.<\/li><li><strong>Business Continuity\/Disaster Recovery.<\/strong> We maintain and regularly test a business continuity and disaster recovery program designed to reduce the effects of a significant disruption in operations based on generally accepted industry practices.<\/li><li><strong>Data Disposal.<\/strong> We maintain internal, documented, comprehensive data retention and disposal policies.<\/li><li><strong>Risk Management.<\/strong> We regularly validate the effectiveness of security controls through a documented risk assessment program. We report results to senior management and take appropriate remediation efforts in response to identified risks.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cf1de86 legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"cf1de86\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>Data Security <\/strong><\/p><ul><li><b>Authentication. <\/b>We logically segregate Customer Data by application security group access rules. Customer accounts must utilize unique usernames and complex passwords and enter them at each login to Our resources.<\/li><li><b>\u202fPasswords. <\/b>We demand minimum password length, complexity, and expiration requirements, disabling features for failed login attempts, and rejection of previously used passwords.<\/li><li><strong>Encryption at Rest.\u202f<\/strong>We encrypt Our employees\u2019 laptop full disk drives using at least AES-256 for data encryption. We encrypt all non-public Customer Data in the hosted systems using at least AES-256 for data encryption.<\/li><li><strong>Encryption in Transit.<\/strong>\u202fBy default, Our web-accessible Online Services have Transport Layer Security (TLS) enabled to encrypt Your traffic. Our web application endpoints use TLS for secure transport.<\/li><li><strong>Access.<\/strong>\u202f We operate the Online Services in a multitenant architecture designed to segregate and restrict Your data access based on business needs. We assign access controls to Personal Data in our databases, systems, and environments on a need-to-know \/ least privilege necessary basis. We employ multi-factor authentication (MFA) controls or similar compensating controls to limit access.<\/li><li><strong>Device Access.<\/strong> We limit network access to authorized devices only. We prohibit access to systems with Client Data from mobile devices.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-61b7aac legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"61b7aac\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>Physical Security<\/strong><\/p><ul><li><strong>Data Center.<\/strong> We host critical information systems and Our product platform in high-security data centers that meet SSAE18 and ISO 270001 standards. Data center security includes physical security measures designed to minimize disruption and prevent theft, tampering, and damage including:<\/li><li style=\"list-style-type: none;\"><ul><li style=\"list-style-type: none;\"><ul><li>24\u00d77 monitoring,<\/li><li>Cameras,<\/li><li>Visitor logs,<\/li><li>Entry requirements,<\/li><li>Climate control,<\/li><li>Fire detection systems, and<\/li><li>Dedicated cages for Ryan to separate our equipment from other tenants in the data center.<\/li><\/ul><\/li><\/ul><\/li><li><strong>Facilities.<\/strong> We protect Our public workplace facilities using entry and authentication controls as technically and commercially feasible, such as visitor logs, automated badging access controls, color-coded badges with photo ID, keyed entries, alarmed access points, and security cameras. Additional restricted access requirements exist for Our computer systems\u2019 rooms. We maintain a documented clear desk policy.<\/li><li><strong>Equipment.<\/strong> We maintain procedures to securely dispose of equipment used to process and store Customer Data.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-930d609 legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"930d609\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>Availability\u00a0Control <\/strong><\/p><ul><li><strong>Connectivity.<\/strong>\u202fWe maintain fully redundant IP network connections with multiple independent connections to a range of Tier 1 Internet access providers for Our data centers.\u00a0<\/li><li><strong>\u202fPower. <\/strong>Our servers possess redundant internal and external power supplies. Our data centers can draw power from multiple substations on the grid, backup generators, and backup batteries in the event of power failures.\u00a0<\/li><li><strong>\u202fUptime.<\/strong> We continuously monitor uptime, with escalation to Our staff for any downtime.\u00a0<\/li><li><strong>Backup Frequency.<\/strong>\u202fOur system backups occur at least daily to geographically disparate sites.\u00a0<\/li><li><strong>Disaster Recovery.<\/strong> We establish system recovery times on a product-line basis, but at a minimum no later than 8 hours.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-48c134e legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"48c134e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>Network Security<\/strong><\/p><ul><li>\u202f<strong>Firewalls. <\/strong>We route network traffic through firewalls to restrict access to approved ports.\u00a0<\/li><li><strong>Intrusion Prevention.<\/strong> We use Network and Host-based Intrusion Prevention systems (NIPS\/HIPS).<\/li><li><strong>End Point Controls.<\/strong> We protect its systems from malware\/viruses utilizing enterprise-class endpoint control software.<\/li><li><strong>E-mail Systems.<\/strong> We scan email using an enterprise-class email security gateway system.<\/li><li><strong>Access Control.<\/strong>\u202fWe protect workstations and laptops from unauthorized access via secure VPN and 2FA (two-factor authentication). We enforce role-based access control (RBAC) for systems management.\u00a0Network devices are configured to prevent unauthorized updates via access controls and limit access to authorized individuals.<\/li><li><strong>Logging and Auditing.<\/strong>\u202fWe maintain security audit logs on our computing systems that process and store information that captures key security events including suspicious system and \/or user behaviors.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-574bb02 legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"574bb02\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>Change Management and Application Control<\/strong><\/p><ul><li><strong>Application Control<\/strong><strong>.<\/strong> We maintain policies and procedures for managing changes and updates to production systems, applications, and databases, including processes for documenting security patching, authentication, and testing and approval of changes into production.<\/li><li><strong>Key Management.<\/strong> We maintain a key management program that addresses the need to promptly revoke or disable lost, corrupted, or expired keys.<\/li><li><strong>Coding Practices.<\/strong> We use logically or physically separate environments for development, testing, and production. Our developers undergo secure development training on best practices twice annually.<\/li><li><strong>Secure Development.<\/strong> We employ a secure software development methodology that incorporates security throughout the systems development lifecycle in connection with the development and maintenance of its information systems. Minimally, applications have controls to protect against known vulnerabilities and threats, and secure coding standards are employed that comply with industry standards such as the Open Web Application Security Project (OWASP).<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-741d104 legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"741d104\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>Vulnerability Management\u00a0<\/strong><\/p><ul><li><strong>\u202fPatching.<\/strong> We apply the latest security patches to all operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities.\u00a0<\/li><li><strong>Third-Party Scans. <\/strong>We continuously scan Our environments using industry-leading security tools. These tools provide configured network vulnerability assessments, which test for patch status and basic misconfigurations of systems and sites.\u00a0<\/li><li><strong>Penetration Testing. <\/strong>We perform penetration tests of Ryan applications using qualified independent third parties; Our hosting service providers perform penetration tests on their own infrastructure.<\/li><li><strong>Program. <\/strong>We maintain a Vulnerability Management program in which risk analyses are performed for critical systems and requirements exist for prompt response to critical incidents.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-894cb42 legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"894cb42\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>Security Incident Management <\/strong><\/p><ul><li><strong>Security Incident Management Process. <\/strong>Our controls include a Chief Information Security Officer (CISO) tasked with maintaining a comprehensive information security program built on a multi-layered, defense-in-depth approach to security. We maintain an internal, documented, comprehensive information security incident management process in place based on an incident framework that includes key elements (e.g., identification, response, recovery, and post-incident review) to be followed in the event of a Security Incident.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c03af29 content-pages elementor-widget elementor-widget-heading\" data-id=\"c03af29\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">SCHEDULE 3<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d13aea2 content-pages elementor-widget elementor-widget-heading\" data-id=\"d13aea2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">ANNEX III to the Standard Contractual Clauses&nbsp;<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-930b8aa content-pages elementor-widget elementor-widget-heading\" data-id=\"930b8aa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">SUB-PROCESSORS<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bd0b020 legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"bd0b020\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><b>I. SUB-PROCESSOR LIST<\/b><\/p><p>The following table identifies the sub-processors currently authorized by Ryan, LLC, its Affiliates, and its tax.com operating division to process Customer Personal Data for Our Online Services. This list is also available at Our online Trust Center: <a href=\"\/trust-center\/subprocessors\/\">tax.com\/trust-center\/subprocessors\/<\/a>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ba239a5 elementor-widget elementor-widget-html\" data-id=\"ba239a5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<style type=\"text\/css\">\r\n    .privacy-tb{\r\n        line-height: 1.4;\r\n        color: #333;\r\n        padding-bottom: 24px;\r\n    } \r\n     \r\n    .privacy-tb .header{\r\n        background-color: #3E4050;\r\n        color: #fff;\r\n        font-size: 14px;\r\n        font-weight: 600;\r\n        font-family: \"Myriad Pro\";\r\n        text-transform: uppercase;\r\n        border-top: 1px solid #ccc;\r\n        border-left: 1px solid #ccc;\r\n        border-bottom: 1px solid #ccc;\r\n    }\r\n    \r\n    .privacy-tb .header .col{\r\n        border-right: 1px solid #ccc;\r\n        padding: 10px;\r\n    }\r\n    \r\n    .privacy-tb .header .col:not(:first-child){\r\n        justify-content: left;\r\n        text-align: left;\r\n    }\r\n    \r\n    .privacy-tb .header .col:not(.mobile-only):not(.tablet-only){\r\n        display: flex;\r\n        align-items: center;\r\n    }\r\n    \r\n    .privacy-tb .body-cell .col:not(:first-child){\r\n        text-align: left;\r\n    }\r\n    \r\n    .privacy-tb .col.last{\r\n        border-right: none;\r\n    }\r\n    \r\n    .privacy-tb .body-cell .col .row{\r\n        height: 100%;\r\n    }\r\n    \r\n    .privacy-tb .body-cell .col .row .col {\r\n        padding: 10px;\r\n        border-bottom:1px solid #D2D3DC;\r\n        font-family: \"Myriad Pro\";\r\n        font-size: 16px;\r\n        line-height: 24px;\r\n        color: #3E4050;\r\n        font-weight: 400;\r\n    }\r\n    \r\n    .privacy-tb .body-cell:nth-child(odd) .col .row .col {\r\n        background-color: #F8F8FA;\r\n    }\r\n    \r\n    .table-footer-text {\r\n        font-family: \"Lato\";\r\n        font-size: 18px;\r\n        line-height: 40px;\r\n        color: #585757;\r\n    }\r\n\r\n<\/style>\r\n<!-- code here -->\r\n<div class=\"container-fluid privacy-tb\">\r\n    <div class=\"row g-0 header\">\r\n        <div class=\"col col-3\">Name<\/div>\r\n        <div class=\"col col-7\">Description<\/div>\r\n        <div class=\"col col-2\">Location<\/div>\r\n    <\/div>\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-3\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">Microsoft Azure<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-7\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">Cloud computing and storage; platform services<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-2\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">U.S., Canada,  E.U<\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-3\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">AWS<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-7\"> <div class=\"row\">\r\n                <div class=\"col col-12\">Cloud computing and storage<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-2\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">U.S.<\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n        <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-3\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">Cloudera<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-7\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">Cloud Database Management<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-2\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">U.S.<\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n        <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-3\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">Alteryx<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-7\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">Analytics Automation Platform<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-2\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">U.S.<\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n    <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-3\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">Amplitude<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-7\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">Product Analytics<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-2\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">U.S.<\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n        <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-3\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">Automation Anywhere<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-7\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">AI Data Analytics<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-2\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">U.S.<\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n        <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-3\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">ExaVault, Inc.<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-7\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">Cloud file transfer (FTP) services<br> (PinPoint, FilePoint, ControlPoint, RatePoint)<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-2\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\"><\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n        <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-3\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">LOB, Inc.<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-7\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">Digital Mailroom Management (TrackerPro)<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-2\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">U.S.<\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n        <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-3\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">Mailgun<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-7\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">Direct Email <br>(PinPoint, FilePoint, ControlPoint, RatePoint) \r\n<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-2\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">U.S.<\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n        <div class=\"row g-0 body-cell\">\r\n        <div class=\"col col-3\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">Twilio<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-7\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">A2P<br>(Owner Claims Portal)<\/div>\r\n            <\/div>\r\n        <\/div>\r\n        <div class=\"col col-2\">\r\n            <div class=\"row\">\r\n                <div class=\"col col-12\">U.S.<\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div><!-- body cell -->\r\n<\/div>\r\n<!-- code end -->\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-21c0e36 legal-agreements elementor-widget elementor-widget-text-editor\" data-id=\"21c0e36\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>II. SUBSCRIPTION TO SUB-PROCESSOR UPDATES AND RIGHT TO OBJECT<\/strong><\/p><p>Please refer to the Sub-Processor section of the DPA above.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Trust Center Legal Data Processing Addendum DATA PROCESSING ADDENDUM Last Updated: May 17, 2024 This Data Processing Addendum (\u201cDPA\u201d) is hereby incorporated by reference into and is part of the Software as a Services Agreement (\u201cAgreement\u201d) entered into between Ryan, LLC and its tax.com\u00a0operating division (together with its Affiliates, \u201cRyan,\u201d \u201cWe,\u201d \u201cOur,\u201d or \u201cUs\u201d) and [&hellip;]<\/p>\n","protected":false},"author":17,"featured_media":0,"parent":78189,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-78215","page","type-page","status-publish","hentry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Data Processing Addendum - Tax.com<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/tax.com\/trust-center\/legal\/dpa\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Data Processing Addendum - Tax.com\" \/>\n<meta property=\"og:description\" content=\"Trust Center Legal Data Processing Addendum DATA PROCESSING ADDENDUM Last Updated: May 17, 2024 This Data Processing Addendum (\u201cDPA\u201d) is hereby incorporated by reference into and is part of the Software as a Services Agreement (\u201cAgreement\u201d) entered into between Ryan, LLC and its tax.com\u00a0operating division (together with its Affiliates, \u201cRyan,\u201d \u201cWe,\u201d \u201cOur,\u201d or \u201cUs\u201d) and [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/tax.com\/trust-center\/legal\/dpa\/\" \/>\n<meta property=\"og:site_name\" content=\"Tax.com\" \/>\n<meta property=\"article:modified_time\" content=\"2024-05-17T17:17:44+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"24 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/tax.com\/trust-center\/legal\/dpa\/\",\"url\":\"https:\/\/tax.com\/trust-center\/legal\/dpa\/\",\"name\":\"Data Processing Addendum - Tax.com\",\"isPartOf\":{\"@id\":\"https:\/\/tax.com\/#website\"},\"datePublished\":\"2023-09-05T14:52:01+00:00\",\"dateModified\":\"2024-05-17T17:17:44+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/tax.com\/trust-center\/legal\/dpa\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/tax.com\/trust-center\/legal\/dpa\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/tax.com\/trust-center\/legal\/dpa\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/tax.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trust Center\",\"item\":\"https:\/\/tax.com\/trust-center\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Legal Resources\",\"item\":\"https:\/\/tax.com\/trust-center\/legal\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Data Processing Addendum\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/tax.com\/#website\",\"url\":\"https:\/\/tax.com\/\",\"name\":\"Tax.com\",\"description\":\"Global Tax Expertise Meets Smart Technology\",\"publisher\":{\"@id\":\"https:\/\/tax.com\/#organization\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/tax.com\/#organization\",\"name\":\"Tax.com\",\"url\":\"https:\/\/tax.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/tax.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/tax.com\/wp-content\/uploads\/2022\/08\/Favicon_t_260x260.svg\",\"contentUrl\":\"https:\/\/tax.com\/wp-content\/uploads\/2022\/08\/Favicon_t_260x260.svg\",\"width\":260,\"height\":260,\"caption\":\"Tax.com\"},\"image\":{\"@id\":\"https:\/\/tax.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/tax-com-global\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Data Processing Addendum - Tax.com","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/tax.com\/trust-center\/legal\/dpa\/","og_locale":"en_US","og_type":"article","og_title":"Data Processing Addendum - Tax.com","og_description":"Trust Center Legal Data Processing Addendum DATA PROCESSING ADDENDUM Last Updated: May 17, 2024 This Data Processing Addendum (\u201cDPA\u201d) is hereby incorporated by reference into and is part of the Software as a Services Agreement (\u201cAgreement\u201d) entered into between Ryan, LLC and its tax.com\u00a0operating division (together with its Affiliates, \u201cRyan,\u201d \u201cWe,\u201d \u201cOur,\u201d or \u201cUs\u201d) and [&hellip;]","og_url":"https:\/\/tax.com\/trust-center\/legal\/dpa\/","og_site_name":"Tax.com","article_modified_time":"2024-05-17T17:17:44+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"24 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/tax.com\/trust-center\/legal\/dpa\/","url":"https:\/\/tax.com\/trust-center\/legal\/dpa\/","name":"Data Processing Addendum - Tax.com","isPartOf":{"@id":"https:\/\/tax.com\/#website"},"datePublished":"2023-09-05T14:52:01+00:00","dateModified":"2024-05-17T17:17:44+00:00","breadcrumb":{"@id":"https:\/\/tax.com\/trust-center\/legal\/dpa\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/tax.com\/trust-center\/legal\/dpa\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/tax.com\/trust-center\/legal\/dpa\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/tax.com\/"},{"@type":"ListItem","position":2,"name":"Trust Center","item":"https:\/\/tax.com\/trust-center\/"},{"@type":"ListItem","position":3,"name":"Legal Resources","item":"https:\/\/tax.com\/trust-center\/legal\/"},{"@type":"ListItem","position":4,"name":"Data Processing Addendum"}]},{"@type":"WebSite","@id":"https:\/\/tax.com\/#website","url":"https:\/\/tax.com\/","name":"Tax.com","description":"Global Tax Expertise Meets Smart Technology","publisher":{"@id":"https:\/\/tax.com\/#organization"},"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/tax.com\/#organization","name":"Tax.com","url":"https:\/\/tax.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/tax.com\/#\/schema\/logo\/image\/","url":"https:\/\/tax.com\/wp-content\/uploads\/2022\/08\/Favicon_t_260x260.svg","contentUrl":"https:\/\/tax.com\/wp-content\/uploads\/2022\/08\/Favicon_t_260x260.svg","width":260,"height":260,"caption":"Tax.com"},"image":{"@id":"https:\/\/tax.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/tax-com-global"]}]}},"_links":{"self":[{"href":"https:\/\/tax.com\/wp-json\/wp\/v2\/pages\/78215","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tax.com\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/tax.com\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/tax.com\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/tax.com\/wp-json\/wp\/v2\/comments?post=78215"}],"version-history":[{"count":0,"href":"https:\/\/tax.com\/wp-json\/wp\/v2\/pages\/78215\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/tax.com\/wp-json\/wp\/v2\/pages\/78189"}],"wp:attachment":[{"href":"https:\/\/tax.com\/wp-json\/wp\/v2\/media?parent=78215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}