
Data Processing Addendum

Effective: March 8, 2024

This Data Processing Addendum (“DPA”) is made by and between Salt Security, Inc. and its Affiliates (“Salt Security”) and Customer and governs Salt Security’s processing of Customer Data by means of the Services (each as defined below).

“Customer” means a person or entity that accepts and agrees to the terms of this DPA (including for clarity the SCCs and each Annex thereto) as of the earlier date (“Effective Date”) where such person or entity either clicks a box indicating acceptance of this DPA or transmits Customer Data to Salt Security for Processing by means of the Services and/or Agreement (defined below). Salt Security reserves the right to modify or update this DPA in its sole discretion; the effective date of such updates and/or modifications will be the earlier of: (i) 30 days from the date of such update or modification; or (ii) Customer’s continued use of the Services.

IF YOU DO NOT ACCEPT THIS DPA, YOU MAY NOT ACCESS OR USE THE SERVICES. THE SERVICES ARE INTENDED FOR CUSTOMER AND ITS AUTHORIZED USERS ONLY AND ARE NOT FOR USE BY CHILDREN UNDER 13 YEARS OF AGE. IF AN INDIVIDUAL IS ENTERING INTO THIS DPA ON BEHALF OF A LEGAL ENTITY, SUCH PERSON REPRESENTS AND WARRANTS THAT IT HAS THE LEGAL AUTHORITY TO BIND SUCH LEGAL ENTITY TO THIS DPA AND THIS DPA APPLIES TO SUCH ENTITY WHICH IS DEEMED THE CUSTOMER.

This DPA forms part of the Agreement between the parties under which Salt Security will provide the Services to Customer. This DPA applies where, and to the extent that, Salt Security processes Customer Data on behalf of Customer when using the Services under the Agreement. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement or in applicable Data Protection Laws.

If Customer and Salt Security have executed a written data processing agreement governing Customer’s transfer, and Salt Security’s Processing, of Customer Data, then the terms of such signed agreement will govern and supersede this Agreement.

  1. DEFINITIONS
    1. “Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity. In this Section 1.1, “control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The terms “controlled” and “controlling” will be construed accordingly.
    2. “Agreement” means the written or electronic agreement between Customer and Salt Security for the provision of the Services to Customer.
    3. “Controller Affiliate” means any Affiliate of Customer: (a) (i) that is subject to applicable Data Protection Laws and (ii) permitted to use the Services pursuant to the Agreement between the Customer and Salt Security, but has not signed their own Order and is not a “Customer” as defined under the Agreement; and (b) if and to the extent Salt Security processes Customer Data for which such Affiliate(s) qualify as the Controller, on behalf of such Affiliate(s). Except where otherwise indicated, the term “Customer” shall include Customer and Controller Affiliate(s), if any.
    4. “Customer Data” means any Personal Data that Salt Security processes on behalf of Customer pursuant to the Agreement and this DPA while providing the Services.
    5. “Data Breach” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data.
    6. “Data Protection Laws” means all data protection and privacy laws applicable to the processing of Customer Data by Salt Security on behalf of Customer under the Agreement, including, where applicable, European Data Protection Laws or the California Consumer Privacy Act.
    7. “Data Controller” means an entity that, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
    8. “Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.
    9. “European Data Protection Laws” means, as applicable: (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (b) the UK GDPR which is part of UK law by virtue of the European Union Withdrawal Act 2018 and the UK Data Protection Act 2018 (“UK Data Protection Law”); (c) the Federal Data Protection Act of 19 June 1992 in Switzerland and the Swiss new Federal Act on Data Protection (“Swiss DPA”); and (d) the EU e-Privacy Directive (Directive 2002/58/EC), in each case together with all laws and regulations supplementing, implementing, amending or replacing the same in any EU Member State, the UK and Switzerland.
    10. “Group” means any and all Affiliates that are part of an entity’s corporate group.
    11. “Personal Data” has the meaning given to it in the Data Protection Laws (or where not defined in any applicable Data Protection Laws, shall have the meaning set forth in the GDPR).
    12. “Processing” has the meaning given to it in the GDPR and “process,” “processes,” and “processed” will be interpreted accordingly.
    13. “Restricted Transfer” means: (a) where the GDPR applies, a transfer of Customer Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (b) where the UK Data Protection Law applies, a transfer of Customer Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (c) where the Swiss DPA applies, a transfer of Customer Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
    14. “Sensitive Data” means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under Data Protection Laws, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) financial or credit information, credit or debit card number; (c) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning a person’s health, sex life or sexual orientation, or data relating to criminal convictions and offenses; (d) Personal Data relating to children; and/or (e) account passwords in unhashed form.
    15. “Services” means any product or service provided by Salt Security to Customer pursuant to the Agreement, including, but not limited to, the Salt Security Platform, including as described in Annex 1-B - Nature of the processing.
    16. “Standard Contractual Clauses” or “SCCs” means (a) in respect of cross-border transfers of Customer Data subject to the GDPR, the contractual clauses annexed to the European Commission’s Implementing Decisions 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) – as amended pursuant to clause 7.2(a) below; (b) in respect of cross-border data transfers of Customer Data subject to the UK Data Protection Law, the UK Addendum (as defined below) and the EU SCCs – as amended pursuant to clause 7.2(b) below; and (c) in respect of cross-border transfers of Customer Data subject to the Swiss DPA, the EU SCCs as amended pursuant to clause 7.2(c) below.
    17. “Subprocessor” means any Data Processor engaged by Salt Security that carries out Processing activities of Customer Data under the instruction of Salt Security, who are either third parties or members of the Salt Security Group.
    18. “UK Addendum” means the UK International Data Transfer Addendum available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf as amended or replaced from time to time and incorporating amendments to the Standard Contractual Clauses.
  2. SCOPE OF THIS DPA
    1. Scope of DPA: This DPA applies where and only to the extent that Salt Security processes Customer Data in the course of providing Services to Customer pursuant to the Agreement.
  3. ROLES AND SCOPE OF PROCESSING
    1. Role of the Parties: As between Salt Security and Customer, Customer is the Data Controller of Customer Data and Salt Security shall process Customer Data only as a Data Processor acting on behalf of Customer. For other processing under the Agreement or related thereto, the parties agree and acknowledge that Salt Security and Customer will be independent Data Controllers.
    2. Customer Processing of Customer Data: Customer agrees that: (a) it has complied and will continue to comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Data, and any processing instructions it issues to Salt Security shall be in compliance with applicable law; (b) it has provided adequate notice and obtained all valid consents where required and rights necessary for Salt Security to process Customer Data pursuant to the Agreement and this DPA, and in compliance with Data Protection Laws; (c) it shall only disclose or otherwise make available to Salt Security Customer Data which is relevant and not excessive with regard to the provision of the Services by Salt Security; and (d) it will not, by act or omission, cause Salt Security to violate any Data Protection Laws, notices provided to, or any consents obtained from, data subjects, in each case, in connection with Salt Security’s processing of Customer Data with regard to the provision of the Services.
    3. Salt Security Processing of Customer Data: As a Data Processor, Salt Security (including by means of Salt Security’s Affiliates) will process Customer Data only (a) in accordance with the Agreement and this DPA and with Customer’s documented lawful instructions as set forth in the Agreement and this DPA; (b) in connection with the provision of the Services; (c) where appropriate, to render Customer Data fully anonymous, non-identifiable and non-personal in accordance with applicable standards; and/or (d) as required under the laws applicable to Salt Security, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that Salt Security shall notify Customer of the legal requirement in advance, unless such law or order prohibits such notification. The parties agree that Customer’s complete and final instructions with regard to the subject matter, duration, nature and purposes of the processing and the types of data subjects and personal data to be processed as Customer Data under the Agreement, as well as the rights and obligations of Customer as Data Controller, are set out in this DPA. Processing outside the scope of these instructions (if any) will require prior written agreement between Customer and Salt Security on additional instructions for processing unless Salt Security is required to process Customer Data to comply with applicable law. Salt Security shall be prohibited from the following:
      1. selling Customer Data, or sharing it for cross-context behavioral advertising; and
      2. using, retaining, or disclosing Customer Data for any purpose other than in accordance with the Agreement and this DPA, and in connection with providing the Services, except as permitted under applicable Data Protection Law.
    4. Sensitive Data: The parties agree that the Services are not intended for the Processing of Sensitive Data, and that if Customer wishes to use the Services to Process Sensitive Data, it must first obtain Salt Security’s explicit prior written consent and enter into any additional agreements as may be required by Salt Security.
  4. SUBPROCESSING
    1. Authorized Subprocessors: Customer agrees that in order to provide the Services set forth in the Agreement, Salt Security may engage Subprocessors to process Customer Data. Information about Salt Security’s Subprocessors, including the type of service rendered by them and their registered location, shall be made available by Salt Security to Customer upon reasonable request, and is generally made available at: https://salt.security/subprocessors (as may be updated by Salt Security from time to time) or such other website address as Salt Security may provide to Customer from time to time (“Subprocessor Site”).
    2. Subprocessor Obligations: Where Salt Security authorizes any Subprocessor as described in Section 4.1:
      1. Salt Security will restrict the Subprocessors’ access to Customer Data only to what is necessary to assist Salt Security in providing or maintaining the Services, and will prohibit the Subprocessor from accessing Customer Data for any other purpose;
      2. Salt Security will enter into a written agreement with the Subprocessor imposing data protection terms materially similar to the terms of this DPA; and
      3. Salt Security will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Salt Security to breach any of its obligations under this DPA.
    3. Subprocessor Changes: When Salt Security engages any new Subprocessor after the Effective Date of the Agreement, Salt Security will update the Subprocessor Site (including the name and location of the relevant Subprocessor and the activities it will perform). Salt Security will make commercially reasonable efforts to notify Customer in advance of any such Subprocessor changes. Customer may object in writing to Salt Security’s appointment of a new Subprocessor, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution and if this is not possible, Customer may suspend or terminate the Agreement, in which case Salt Security shall refund Customer the pro-rata, unused portion of any prepaid fees.
  5. SECURITY MEASURES AND DATA BREACH RESPONSE
    1. Security Measures: Salt Security has implemented and will maintain appropriate technical and organizational security measures designed to protect Customer Data from Data Breaches and to preserve the security and confidentiality of the Customer Data (“Security Measures”). The Security Measures applicable to the Services are set forth in Annex II, as updated or replaced from time to time in accordance with Section 5.2.
    2. Updates to Security Measures: Customer acknowledges that the Security Measures are subject to technical progress and development and that Salt Security may update or modify the Security Measures from time to time, provided that such changes shall not degrade the overall security posture of the Services.
    3. Personnel: Salt Security restricts its personnel from processing Customer Data without authorization by Salt Security as set forth in Annex II, and shall ensure that any person who is authorized by Salt Security to process Customer Data is under an appropriate statutory or contractual obligation of confidentiality.
    4. Customer Responsibilities: Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, and for securing Customer Data that is outside of Salt Security’s control, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.
    5. Data Breach Response: To the extent required under applicable Data Protection Laws, Salt Security will notify Customer without undue delay after becoming aware of a Data Breach, and will provide information relating to the Data Breach as it becomes known or as is reasonably requested by Customer and available to Salt Security. Salt Security will also take reasonable steps to mitigate and, where possible, remedy the effects of, any Data Breach. Customer will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Data Breach which directly or indirectly identifies Salt Security (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Salt Security’s prior written approval, unless, and solely to the extent that, Customer is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, Customer shall provide Salt Security with reasonable prior written notice to provide Salt Security with the opportunity to object to such disclosure and in any case Customer will limit the disclosure to the minimum scope required by such laws.
  6. AUDIT
    1. Audit Reports: Salt Security audits its compliance against data protection and information security standards (such as a SOC 2 Type II audit) on a regular basis. Upon Customer’s request, Salt Security will provide Customer with details of the audits it conducts relevant to the Services it is providing to Customer and, if required, supply Customer with an accurate summary of its most recent relevant audit report (“Report”) so that Customer can verify Salt Security’s compliance with this DPA. Customer acknowledges that the Report will constitute Salt Security’s Confidential Information and will protect the Report in accordance with the confidentiality provisions of the Agreement.
    2. Inspection Rights: Only if the audit reports and information provided pursuant to Section 6.1 are in Customer’s discretion, acting reasonably, insufficient to reasonably demonstrate compliance with this DPA, Customer may, subject to the following requirements, inspect or audit the technical and organizational security measures of Salt Security. These requirements shall also apply to any audit provisions provided for in any applicable Standard Contractual Clauses entered into by both parties, to the extent permitted by applicable Data Protection Laws and where not in conflict with any provisions of the Standard Contractual Clauses. Customer shall provide any such audit reports to Salt Security and shall not use such reports for any purpose other than as necessary for Customer's own verification of Salt Security’s compliance with this DPA.

      Any such audit shall: (a) not occur more than once during any twelve month period; (b) occur during normal business hours, using the minimal Salt Security resources necessary, and conducted so as not to interfere with Salt Security’s business; (c) be at Customer’s sole expense; (d) not include any third party auditor that is not approved in writing by Salt Security; (e) be subject to the confidentiality provisions in the Agreement or a separate non-disclosure or confidentiality agreement executed by any third party auditors and Salt Security; and (f) occur only upon at least thirty days prior written notice from Customer.
    3. Upon reasonable notice, Customer may take reasonable and appropriate steps to ensure that Salt Security uses Customer Data in a manner consistent with Customer’s obligations under the California Consumer Privacy Act, and to remediate or stop any unauthorized processing of Customer Data, such as requiring documentation that Salt Security has complied with requests by Customer to delete data in connection with a deletion request communicated to Salt Security by Customer.
  7. TRANSFERS OF CUSTOMER DATA
    1. Restricted Transfers: The parties agree that when the transfer of Customer Data under the Agreement from Customer (as “Data Exporter”) to Salt Security (as “Data Importer”) is a Restricted Transfer and European Data Protection Laws require that appropriate safeguards are put in place, it shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated by reference into and form a part of this DPA, as follows:
      (a) in relation to transfers of Customer Data that are subject to the GDPR, the EU SCCs will apply, and shall be considered completed as follows:
        1. Module Two will apply;
        2. in Clause 7, the optional docking clause will not apply;
        3. in Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes shall be as set out in Section 4.3 of this DPA;
        4. in Clause 11, the optional language will not apply;
        5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
        6. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
        7. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA;
        8. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA; and
        9. Annex III of the EU SCCs does not apply.
      (b) in relation to transfers of Personal Data subject to the UK Data Protection Law, the EU SCCs and the UK Addendum will apply to such transfers and the UK Addendum shall be considered completed as follows:
        1. the parties’ details for Table 1 are as follows: the Data Exporter is the Customer whose contact details are set out in the Agreement and the Data Importer is Salt Security;
        2. for purposes of Table 2, it is the version of the Approved EU SCCs incorporated by reference into the DPA. The rest of the details for Table 2 are as set out in Annex I to this DPA;
        3. for purposes of Table 4, either party may end the UK Addendum;
        4. the Module identified above for purposes of the EU SCCs shall also apply for purposes of the UK Addendum; and
        5. by executing the DPA, the Data Exporter and Data Importer shall be deemed to have executed the UK Addendum.
      (c) in relation to transfers of Personal Data protected by the Swiss DPA (as amended or replaced from time to time), the EU SCCs, as completed pursuant to paragraph (a) above, will also apply to such transfers subject to the following amendments:
        1. all references to “Regulation (EU) 2016/679”, or “that Regulation” shall be read as “Swiss DPA”;
        2. all references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article of the Swiss DPA;
        3. all references to “Regulation (EU) 2018/1725” are removed;
        4. Clause 13(a) and Part C of Annex II are not used and the competent supervisory authority for purposes of Clause 13 of the Standard Contractual Clauses shall be the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland;
        5. the governing law shall be that of Switzerland for purposes of Clause 17 of the Standard Contractual Clauses;
        6. all references to “Union”, “EU”, and “EU Member State” are to be replaced with “Switzerland”;
        7. Clause 18 is replaced to state: “Any dispute arising from these Clauses shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland. The Parties agree to submit themselves to the jurisdiction of such courts.”;
        8. where the Clauses use terms that are defined in the EU General Data Protection Regulation 2016/679, those terms shall be deemed to have the meaning as the equivalent terms are defined in the Swiss DPA; and
        9. the footnotes to the Clauses shall not apply.
      (d) it is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent such conflict relates to a Restricted Transfer to which the Standard Contractual Clauses apply.
    2. Alternative Data Transfer Solutions: Notwithstanding Section 7.1, the parties agree that in the event Salt Security adopts an alternative data transfer solution for the transfer of Customer Data that is not described in this DPA (as recognized under European Data Protection Laws), such solution shall apply with effect from the date that Salt Security implements such new data transfer solution.
    3. Transfers from other countries: If the Processing of Customer Data by Salt Security includes a transfer of Customer Data by and/or mandated by Customer to Salt Security from any other jurisdiction which mandates that a particular compliance mechanism for the lawful transfer of such data be established, Customer shall notify Salt Security of such applicable requirements, and the parties may seek to make any necessary amendments to this DPA accordingly.
  8. RETURN OR DELETION OF DATA
    1. Following expiration of the Agreement, upon Customer request and to the extent it is technically feasible, Salt Security shall delete or return to Customer all Customer Data in its possession in accordance with the terms of the Agreement and save to the extent Salt Security is required by applicable law to retain some or all of the Customer Data.
  9. COOPERATION
    1. The Services provide Customer with a number of controls that Customer may use to retrieve, correct, delete or restrict processing of Customer Data, which Customer may use to assist it in connection with its obligations under Data Protection Laws, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Customer is unable to independently access the relevant Customer Data within the Services using the aforementioned tools offered by Salt Security, Salt Security shall provide reasonable cooperation to assist Customer to respond to any requests from individuals or data protection authorities relating to the processing of Customer Data under the Agreement. In the event that any such request is made directly to Salt Security, Salt Security shall not respond to such communication directly without Customer's prior authorization (provided that Salt Security can readily ascertain that such request relates to Customer Data), unless legally compelled to do so; however, Salt Security may refer the person or authority initiating the communication to Customer (including Customer’s designated contacts and administrators for the Services) and/or advise them on using the aforementioned tools offered by Salt Security within the Services. If Salt Security is required to respond to such a request, Salt Security will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
    2. If a law enforcement agency sends Salt Security a demand for Customer Data (for example, through a subpoena or court order), Salt Security will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Salt Security may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Salt Security will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Salt Security is legally prohibited from doing so.
    3. To the extent Salt Security is required under European Data Protection Laws, Salt Security will provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments and prior consultations with data protection authorities.
  10. GENERAL
    1. Any liability with this DPA is subject to, and limited by, the limitation on liability set forth in Section 12 of the Agreement.
    2. Any claims against Salt Security or its Affiliates under this DPA shall be brought solely against the entity that is a party to the Agreement.
    3. No one other than a party to this DPA, their successors and permitted assignees shall have any right to enforce any of its terms.
    4. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
    5. Subject to clause 7.1(d) above, in the event of any conflict between this DPA and any privacy-related provisions set out in the Agreement or any other existing data protection terms agreed to between the parties, the terms of this DPA shall prevail.
    6. If Salt Security becomes aware or makes a determination that it can no longer meet its obligations under Data Protection Laws or this DPA, it shall promptly notify Customer.
    7. Execution of this DPA by either party shall be deemed acceptance and execution by that party of the Standard Contractual Clauses incorporated herein by reference.
    8. Section 15 (Miscellaneous) of the Agreement applies to this DPA.

ANNEX I

  1. List of parties
    • Controller(s)/data exporter(s): Customer, as identified in the Agreement.
    • Processor(s)/data importer(s): Salt Security, as identified in the Agreement.
  2. Description of the processing
    • Categories of data subjects whose personal data is processed: Employees, contractors, customers, clients, and others who may interact with Customer’s APIs.
    • Categories of personal data processed: Personal data that may appear in the Customer’s monitored API environment (such as name, email address etc.), the extent of which is determined and controlled by Customer in its sole discretion.
    • Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Not applicable unless explicitly agreed otherwise in accordance with Section 3.4 of the DPA.
    • The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous.
    • Nature of the processing: Provision of cloud-based security services as described in the Agreement.
    • Purpose(s) for which the personal data is processed on behalf of the controller: The personal data is processed in order to provide the Services as set forth in the Agreement.
    • The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: During the term of the Agreement and thereafter according to Section 8 of the DPA and Salt Security’s ordinary course data retention and backup procedures and in accordance with applicable law, unless otherwise agreed in the Agreement.
    • For processing by (sub-)processors, also specify subject matter, nature and duration of the processing: The subject matter, nature and duration of the processing by Subprocessors are specified above and in the Agreement.
  3. Competent Supervisory Authority

    Pursuant to Clause 13, the supervisory authority of the EEA country where (i) the data exporter is established; or where (ii) the EU representative of the data exporter is established; or where (iii) the data subjects whose personal data are transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF CUSTOMER DATA

Customer acknowledges that the Security Measures are subject to technical progress and development and that Salt Security may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by Customer.

Technical and Organizational Security Measures
Description
Measures of pseudonymization and encryption of personal data.
Data is encrypted at rest using services provided by Amazon Web Services (AWS), MongoDB Atlas, and SingleStore.

Keys are stored using key management solutions.

Customer Data that the Customer designates as sensitive can be encrypted and masked by Salt Security’s Hybrid server before it leaves the Customer’s environment.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services.
Salt Security’s cloud service and Hybrid servers are monitored 24x7 by customer support and engineering personnel.

The Services are deployed across three AWS Availability Zones and are built on Kubernetes, which provides auto-healing and auto-recovery of all service components.

Confidentiality and integrity are addressed in our SOC 2 Type II report.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
The Services are monitored 24x7 and implement auto-healing and auto-recovery capabilities. In case of a disaster in a production AWS region, Salt Security maintains an alternative backup region in the same geography (US, EU, etc.) and is able to bring it into operation within 24 hours.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing.
Salt Security maintains a SOC 2 Type II audit report.

Salt Security performs annual penetration tests.

Salt Security uses its own product to scan, protect and remediate the Services, and employs code and infrastructure vulnerability scanning on a continuous basis.
Measures for user identification and authorization.
Salt Security uses Okta single sign-on (SSO) with strong password and MFA requirements to grant access to its production environments and data only to specific authorized personnel.
Measures for the protection of data during transmission.
Data in transit is encrypted using a unique customer key provided to each Customer upon deployment of the Services.
Measures for the protection of data during storage.
Data at rest is encrypted using the practices and capabilities of AWS, MongoDB Atlas, and SingleStore.
Measures for ensuring physical security of locations at which personal data are processed.
See our SOC 2 Type II report for more information regarding Salt Security’s physical security measures. No Customer Data is stored on-site at Salt Security office locations.
Measures for ensuring events logging.
Salt Security logs all AWS account events to a dedicated AWS audit account using AWS CloudTrail.
Measures for ensuring system configuration, including default configuration.
Configuration of all AWS accounts and infrastructure is enforced through AWS Control Tower.

Application configuration is managed using Terraform and can be changed only through a secure change management process applied to Salt Security’s infrastructure-as-code repository.
Measures for internal IT and IT security governance and management.
Administrator roles in Salt Security’s directory and IT management solutions (Okta, Google Workspace, Cybereason EDR and JumpCloud MDM) are granted to a limited number of personnel.
Measures for certification/assurance of processes and products.
Salt Security maintains a SOC 2 Type II audit report.
Measures for ensuring data minimization.
At a Customer’s request, Salt Security can initially enable the Hybrid server in “Discovery Mode,” during which the Customer can review and customize sensitive data categories. Once this process is complete and Salt Security turns on “Detection Mode,” all data types identified by the Customer as sensitive are masked and hashed within the Customer’s environment. Only metadata, masked and hashed data, and data not identified by the Customer as sensitive are sent to Salt Security’s cloud service.
Measures for ensuring data quality.
Salt Security's databases are continuously backed up.
Measures for ensuring limited data retention.
Salt Security maintains a strict data retention policy of 30 days for traffic metadata, 30 days for records of non-malicious potential attackers, and 4 months for records of malicious attackers.
Measures for ensuring accountability.
Salt Security has an array of security and data protection policies that identify key accountable stakeholders for ongoing tasks and issues as well as incidents and tests.
Measures for allowing data portability and ensuring erasure.
Salt Security is able to export or delete Customer Data from the Services upon Customer request, using internal tools.
Technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a (sub)-processor, to the Customer.
When Salt Security engages a Subprocessor under Section 4 (Subprocessing) of this DPA, Salt Security and the Subprocessor enter into an agreement with data protection obligations materially similar to those contained in this DPA. In addition to implementing technical and organizational measures to protect personal data, Subprocessors must (a) notify Salt Security in the event of a Data Breach; (b) delete Customer Data when instructed by Salt Security; and (c) not engage additional Subprocessors without notice to Salt Security.