Data Processing Addendum v1.2

This Data Processing Addendum (“DPA”) is an addendum to the Autom Mate End User License Agreement found at https://www.autommate.com/eula/ as updated from time to time (the “Agreement”), between Autom Mate Corporation (“Autom Mate”) and the customer who has subscribed to the Autom Mate Solution as defined in the Agreement (“Customer”), and will be incorporated by reference into, and subject to the terms and conditions of, the Agreement. In the event of any inconsistency or conflict between this DPA and the Agreement with respect to the Processing of Customer Personal Data, the terms of this DPA will govern solely to the extent of such inconsistency or conflict.

This DPA sets out the terms that apply when Customer Personal Data is Processed by Autom Mate under the Agreement. The purpose of the DPA is to ensure such Processing is conducted in accordance with the Data Protection Legislation and respects the rights of individuals whose Personal Data is Processed under the Agreement. This DPA applies to Autom Mate and any Autom Mate affiliate involved in the Processing of Customer Personal Data.

1. Definitions

In this DPA, all of the definitions stated in the Agreement shall apply herein and in addition:

1.1. “Controller” means “Controller” or “Business” as those terms are defined by applicable Data Protection Legislation.

1.2. “Customer Personal Data” means Personal Data that is included or embedded in documents created or uploaded by Customer or its users using the Solution or that Autom Mate collects to administer the Solution.

1.3. “Data Privacy Framework” means the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework, and the UK Extension to the EU-US Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce, as may be amended, superseded, or replaced from time to time.

1.4. “Data Privacy Framework Principles” means the Data Privacy Framework Principles and Supplemental Principles contained in the relevant Data Privacy Framework, as may be amended, superseded, or replaced from time to time.

1.5. “Data Protection Legislation” means privacy and data protection laws and regulations applicable to Autom Mate’s Processing of Customer Personal Data in the provision of the Solution to Customer, including, as applicable: (a) the GDPR; (b) any legislation which implements or supplements the GDPR; (c) any legislation which implements the European Community’s Directive 2002/58/EC; (d) in respect of the United Kingdom, the Data Protection Act 2018 and the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018; (e) the Federal Data Protection Act of 19 June 1992 (Switzerland) and its implementing regulations; and/or (f) U.S. Privacy Laws; in each case, as may be amended, superseded, or replaced from time to time.

1.6. “Data Subject” means an individual to whom Customer Personal Data relates.

1.7. “GDPR” means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and any amendment or replacement to it.

1.8. “Personal Data” means any data or information that constitutes “personal data,” “personal information,” or any analogous term as defined by applicable Data Protection Legislation.

1.9. “Process,” “Processing,” and “Processed” have the meaning as defined by applicable Data Protection Legislation.

1.10. “Processor” means “Processor,” “Service Provider,” or “Contractor” as those terms are defined by applicable Data Protection Legislation.

1.11. “Sale” and “Selling” have the meaning defined in U.S. Privacy Laws.

1.12. “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed.

1.13. “Standard Contractual Clauses” or “SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN.

1.14. “Supervisory Authority” will have the meaning ascribed to it in the GDPR.

1.15. “UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).

1.16. “U.S. Privacy Laws” means U.S. privacy and data protection laws and regulations applicable to Autom Mate’s Processing of Customer Personal Data in the provision of the Solution to Customer, including, as applicable, (a) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”); (b) Colorado Privacy Act, Colorado Rev. Stat. §§ 6-1-1301 to 6-1-1313; (c) Connecticut Personal Data Privacy and Online Monitoring Act, Public Act No. 22-15; (d) Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 to 13-61-404); and (e) Virginia Consumer Data Protection Act, Virginia Code Ann. §§ 59.1-575 to 59.1-585.

1.17. The terms “Business,” “Share,” and “Service Provider” as used in this DPA will have the meanings ascribed to them in the CCPA.

2. Processing of Data

2.1. Scope and Purpose of Processing. This DPA applies only where and to the extent Data Protection Legislation governs Autom Mate’s Processing of Customer Personal Data on behalf of Customer in the course of providing the Solution pursuant to the Agreement, including Autom Mate’s Processing of Customer Personal Data for the nature, purposes, and duration set forth in Appendix I. Autom Mate will not collect, use, disclose, release, disseminate, transfer, or otherwise communicate or make available to a third-party Customer Personal Data except to provide the Solution or as expressly permitted by the Agreement or this DPA.

2.2. Processor and Controller Responsibilities. The parties acknowledge and agree that: (a) Autom Mate is a Processor of Customer Personal Data under the Data Protection Legislation; (b) Customer is a Controller or Processor, as applicable, of Customer Personal Data under the Data Protection Legislation; and (c) each party will comply with the obligations applicable to it under the Data Protection Legislation regarding the Processing of Customer Personal Data.

2.3. Authorization by Third-Party Controller. If Customer is a Processor, Customer warrants to Autom Mate that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of Autom Mate as another Processor, have been authorized by the relevant Controller.

2.4. Customer Instructions. Customer instructs Autom Mate to Process Customer Personal Data: (a) in accordance with the Agreement, this DPA, any applicable order, and Customer’s use of the Solution; and (b) to comply with other reasonable instructions provided by Customer or a user where such instructions are consistent with the terms of the Agreement. Customer will ensure that its instructions for the Processing of Customer Personal Data comply with the Data Protection Legislation. Customer has sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtained the Customer Personal Data. Customer will disclose Customer Personal Data to Autom Mate solely pursuant to a valid business purpose.

2.5. Autom Mate’s Compliance with Customer Instructions. Autom Mate will only Process Customer Personal Data in accordance with Customer’s instructions and will treat Customer Personal Data as Confidential Information. Autom Mate may Process Customer Personal Data other than on the written instructions of Customer if it is required under applicable law to which Autom Mate is subject. In this situation, Autom Mate will inform Customer of such requirement before Autom Mate Processes the Customer Personal Data unless prohibited by applicable law.

2.6. Assistance with Customer’s Obligations. Customer may request Autom Mate to correct, amend, restrict, block or delete Customer Personal Data contained in the Solution. Autom Mate will promptly comply with reasonable requests by Customer to assist with such actions to the extent Autom Mate is legally permitted and able to do so. Autom Mate may charge a reasonable fee for any assistance not strictly required by Data Protection Legislation.

2.7. Notification Obligations. Autom Mate will, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the Processing of Customer Personal Data relating to such individual. Autom Mate will forward such Data Subject request relating to Customer Personal Data to Customer and Customer will be responsible for responding to any such request. Autom Mate will provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject request, to the extent legally permitted and to the extent Customer does not have access to such Customer Personal Data through its use or receipt of the Solution.

2.8. General Authorization for Subprocessors. Customer generally authorizes the use of subprocessors to process Customer Personal Data in connection with fulfilling Autom Mate’s obligations under the Agreement and/or this DPA and explicitly approves the list of subprocessors located at https://www.autommate.com/privacy-policy/.

2.9. New Subprocessors. When Autom Mate engages a new subprocessor to Process Customer Personal Data, Autom Mate will, at least thirty (30) days before the new subprocessor Processes any Customer Personal Data, notify Customer and give Customer the opportunity to object to such subprocessor. If Customer has reasonable grounds to object to Autom Mate’s change in subprocessors related to data protection concerns, Customer shall notify Autom Mate promptly within no more than thirty (30) days after receipt of Autom Mate’s notice. Autom Mate will use reasonable efforts to find an acceptable, reasonable, alternate solution; otherwise, Customer may suspend or terminate the Solution. If Customer terminates, Autom Mate will promptly refund any fees paid in advance by Customer to Autom Mate pro rata.

2.10. Autom Mate Obligations. Autom Mate will remain liable for the acts and omissions of its subprocessors to the same extent Autom Mate would be liable if performing the service provided by the subprocessor directly. Autom Mate will contractually impose data protection obligations on its subprocessors that are at least equivalent to those data protection obligations imposed on Autom Mate under this DPA.

2.11. Audit Rights. Upon Customer’s written request by email to [email protected] no more than once per year, Autom Mate will provide a copy of any recent third-party audits or certifications, as applicable, or any summaries thereof, such that Customer may reasonably verify Autom Mate’s compliance with the technical and organizational measures required under this DPA. Where required by the applicable Data Protection Legislation, Autom Mate will allow Customer or a mutually agreed upon independent auditor appointed by Customer to conduct an audit (including inspection), no more than once per year upon eight weeks’ notice sent to [email protected] complete with a detailed audit plan describing the proposed scope, duration, and start date of the audit. Autom Mate will contribute to such audits whose sole purpose will be to verify Autom Mate’s compliance with its obligations under this DPA. The auditor must execute a written confidentiality agreement reasonably acceptable to Autom Mate before conducting the audit. The audit must be conducted during Autom Mate’s normal business hours, subject to Autom Mate’s policies, and may not unreasonably interfere with Autom Mate’s business activities. Any audits are at Customer’s sole cost and expense.

2.12. Separate Service. Any request for Autom Mate to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law. Customer will reimburse Autom Mate for any time spent for such separate services for any such audit at rates mutually agreed to by the parties, taking into account the resources expended by Autom Mate. Customer will promptly notify Autom Mate with

2.13. Limits on Auditing Party. Nothing in this DPA will require Autom Mate to disclose to an independent auditor or Customer, or to allow an independent auditor or Customer to access: (a) any data of any other user or customer of Autom Mate; (b) Autom Mate’s internal accounting or financial information; (c) any trade secret of Autom Mate; (d) any premises or equipment not controlled by Autom Mate; or (e) any information that, in Autom Mate’s reasonable opinion, could: (i) compromise the security of Autom Mate’s systems or premises; (ii) cause Autom Mate to breach its obligations under Data Protection Legislation or the rights of any third-party; or (iii) any information that an independent auditor seeks to access for any reason other than the good faith fulfilment of Customer’s rights under the Data Protection Legislation. Customer will contractually impose, and designate Autom Mate as a third-party beneficiary of, any contractual terms that prohibit any independent auditor from disclosing the existence, nature, or results of any audit to any party other than Customer unless such disclosure is required by applicable law.

3. GDPR

3.1. Applicability. Section 3 only applies to Autom Mate’s Processing of Customer Personal Data subject to GDPR.

3.2. Data Privacy Impact Assessments. Autom Mate will take reasonable measures to cooperate and assist Customer in conducting a data protection impact assessment and related consultations with any Supervisory Authority, if Customer is required to do so under Data Protection Legislation.

3.3. International Transfers. The parties will transfer Customer Personal Data internationally only pursuant to a transfer mechanism valid under the Data Protection Legislation or applicable law, i.e. a valid mechanism in the exporting country. For example, in the case of transfers from within the European Economic Area or the United Kingdom to another country, a scheme which is approved by the European Commission or the UK Government as ensuring an adequate level of protection or any transfer which falls within a permitted derogation.

3.4. Transfer Mechanism. In the event there is more than one mechanism to transfer Customer Personal Data from the European Economic Area, United Kingdom, and/or Switzerland to countries which do not ensure an adequate level of data protection under the Data Protection Legislation, the transfer of Customer Personal Data will be subject to a single transfer mechanism in the following order of precedence: (a) the Data Privacy Framework; (b) a valid transfer mechanism approved for transfers of Customer Personal Data from the European Economic Area, United Kingdom, or Switzerland to the U.S.; or (c) the SCCs and/or the UK Addendum, each as applicable.

3.5. Data Privacy Framework. Autom Mate intends to self-certify under the Data Privacy Framework and comply with the Data Privacy Framework Principles when processing Customer Personal Data that is transferred from the European Economic Area, United Kingdom, or Switzerland to the USA. To the extent that Customer is (a) located in the United States of America and is self-certified under the Data Privacy Framework or (b) located in the EEA, UK or Switzerland, Autom Mate further agrees (i) to provide at least the same level of protection to any personal data as required by the Data Privacy Framework Principles; (ii) to notify Customer in writing, without undue delay, if Autom Mate can no longer meet the obligation set forth in (i) or its self-certification to the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated (in which case, an alternative transfer mechanism will apply in accordance with Section 3.4); and (iii) upon written notice, to work with Customer to take reasonable and appropriate steps to stop and remediate any unauthorized processing of personal data. Until Autom Mate self-certifies, it shall use the SCC mechanism for any transfers to the USA.

3.6. European Economic Area Data Transfers: If applicable based on Section 3.4, Autom Mate and Customer conclude Module 2 (Controller-to-Processor) of the SCCs and, to the extent Customer is a Processor on behalf of a third-party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Autom Mate; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 2 of this DPA; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of the Netherlands; the courts in Clause 18(b) are the courts of Amsterdam, Netherlands; Annex I, II and III to the SCCs are Annex I, II and III to this DPA respectively.

3.7. UK Data Transfers: If applicable based on Section 3.4, Autom Mate and Customer conclude the UK Addendum, which is hereby incorporated and applies to Customer Personal Data transfers outside the UK. Part 1 of the UK Addendum is completed as follows: in Table 1, the “Exporter” is Customer and the “Importer” is Autom Mate, their details are set forth in this DPA and the Agreement; in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs; in Table 3, Annexes 1 (A and B) to the “Approved EU SCCs” are Annex I, II and III to this DPA respectively; and in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.

3.8. Changes to Transfer Mechanism. If Autom Mate’s compliance with Data Protection Legislation applicable to international data transfers is affected by circumstances outside of Autom Mate’s control, including if a legal instrument for international data transfers is invalidated, amended, or replaced, then Customer and Autom Mate will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative transfer mechanisms, standard contractual clauses or UK standard contractual clauses are approved by Supervisory Authorities, Autom Mate reserves the right to choose the transfer mechanism of its preference, and amend the Agreement and this DPA by adding to or replacing, the existing transfer mechanism; provided that Autom Mate will ensure continued compliance with Data Protection Legislation.

3.9. Applicability of the Standard Contractual Clauses. When utilized, the SCCs and the UK Addendum concluded between the parties pursuant to this Section 3 will only apply insofar as strictly necessary for Autom Mate to comply with the applicable Data Protection Legislation.

4. U.S. Privacy Laws

4.1. Applicability. Section 4 only applies to Autom Mate’s Processing of Customer Personal Data subject to U.S. Privacy Laws.

4.2. Compliance Assurance. If the provision of information provided pursuant to Section 2.12 above does not fulfil the requirements of the applicable U.S. Privacy Laws, Customer has the right to take reasonable and appropriate steps to ensure that Autom Mate uses Customer Personal Data consistent with Customer’s obligations under applicable U.S. Privacy Laws.

4.3. Compliance Remediation. Autom Mate shall promptly notify Customer after determining that it can no longer meet its obligations under applicable U.S. Privacy Laws. Upon receiving notice from Autom Mate in accordance with this section, Customer may direct Autom Mate to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.

4.4. Limitations on Processing. Autom Mate will Process Customer Personal Data solely as described in the Agreement and this DPA. Except as expressly permitted therein or by the U.S. Privacy Laws, Autom Mate is prohibited from (a) Selling or Sharing Customer Personal Data, (b) retaining, using, or disclosing Customer Personal Data for any other purpose, (c) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the parties, and (d) combining Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer or its users, except as expressly permitted under applicable U.S. Privacy Laws.

4.5. Deletion Requests. Autom Mate shall not be required to delete any Customer Personal Data to comply with a Data Subject’s request directed by Customer if retaining such information is specifically permitted by applicable U.S. Privacy Laws; provided, however, that in such case, Autom Mate will promptly inform Customer of the exceptions relied upon under applicable U.S. Privacy Laws and Autom Mate shall not use Customer Personal Data retained for any purpose other than provided for by that exception.

4.6. Deidentified Data. In the event that Customer discloses or makes available deidentified data (as such term is defined in the U.S. Privacy Laws) to Autom Mate, Autom Mate shall not attempt to reidentify the information.

4.7. Sale of Data. The parties acknowledge and agree that the exchange of Personal Data between the parties does not form part of any monetary or other valuable consideration exchanged between the parties with respect to the Agreement or this DPA. Autom Mate will never sell Customer’s Personal Data.

5. Security

5.1. Autom Mate Personnel. Autom Mate will inform its personnel engaged in the Processing of Customer Personal Data of the confidential nature of the Customer Personal Data, and subject them to obligations of confidentiality that survive the termination of that individual’s engagement with Autom Mate.

5.2. Third Party Disclosure. Autom Mate will not disclose Customer Personal Data to any third party unless authorized by Customer or required by law. If a government entity (including a law enforcement agency) or Supervisory Authority demands access to Customer Personal Data, Autom Mate will attempt to redirect the requestor to request the data directly from Customer or notify Customer prior to disclosure, in each case unless prohibited by law.

5.3. Security. Autom Mate will implement commercially reasonable technical and organizational measures to safeguard Customer Personal Data taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

6. Security Breach

6.1. Notification Obligations. Upon becoming aware of any Security Incident affecting Customer Personal Data, the parties shall notify each other without undue delay and shall provide timely updates and information relating to the Security Incident as it becomes known or as is reasonably requested by the other party. Such information will include the nature of the Security Incident, the categories and number of Data Subjects affected, the categories and amount of Customer Personal Data affected, the likely consequences of the Security Incident, and the measures taken or proposed to be taken to address the Security Incident and mitigate possible adverse effects. Autom Mate’s obligations in this Section 6 do not apply to incidents that are caused by Customer or Customer’s personnel or users or to unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

6.2. Manner of Notification. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means Autom Mate selects, including via email. It is Customer’s sole responsibility to maintain accurate contact information on Autom Mate’s systems at all times. Furthermore, it is Customer’s sole responsibility to notify the relevant data protection Supervisory Authority and, when applicable, the Data Subjects of a Security Incident as required under Articles 33 and 34 of the GDPR. Autom Mate will promptly comply with reasonable requests by Customer to assist it with meeting such notification requirements to the extent Autom Mate is legally permitted and able to do so.

7. Term and Termination

7.1. Term of DPA. This DPA will remain in effect until, and automatically expire upon, deletion of all Customer Personal Data as described in this DPA or when the Customer no longer maintains a subscription to the Solution.

7.2. Deletion of Customer Personal Data. Autom Mate will delete Customer Personal Data in its possession within 30 days of: (a) receipt of a Customer request that Autom Mate delete Customer’s account and all associated user accounts; or (b) the date that Customer and all associated users delete their accounts. Prior to deletion, Autom Mate will make any Customer Personal Data in its possession available for download by Customer. Autom Mate has no obligation to retain any portion of Customer Personal Data after such period except to the extent that Autom Mate is required under applicable law to keep a copy of the Customer Personal Data.

8. Amendment

8.1. Amendment. Autom Mate may amend this DPA from time to time. When changes are made, Autom Mate will make a new copy of the DPA available at https://www.autommate.com/data-processing-addendum. To the extent an amendment is required to comply with applicable Data Protection Legislation, it will become effective immediately; otherwise, it will be effective upon renewal of Customer’s subscription to the Solution.

Appendix I - Annex I

A. LIST OF PARTIES

Data Controller/exporter(s):

Customer.

Address: See order form.

Contact person’s name, position and contact details: Account Owner unless otherwise notified to [email protected]

Activities relevant to the data transferred under these Clauses:

Autom Mate provides the Solution to Customer as described in the Agreement.

Signature and date: Either the date of physical signature on an Order or the date a Customer renews or receives access to the Solution.

Autom Mate Role (controller/processor): Processor on behalf of Customer, or Subprocessor on behalf of third-party Controller

Data Processor/ importer(s):

Autom Mate Corporation

B. DESCRIPTION OF TRANSFER

1. Categories of data subjects whose personal data is transferred

Employees or persons working for Customer in any capacity who Autom Mate will coordinate with in respect of the delivery of the Solution.

2. Categories of personal data transferred

Name, email address and other contact details such as telephone number.

3. Sensitive data transferred

N/A.

4. The frequency of the transfer

Irregular – at commencement of service and on change of personnel notified to Autom Mate

5. Nature of the Processing

Collecting, storing, duplicating, deleting, disclosing, and otherwise Processing Customer Personal Data as reasonably necessary in connection with the performance of the Solution as described in the Agreement and this DPA.

6. Purpose(s) of the data transfer and further Processing

Autom Mate will Process Customer Personal Data (i) to perform its obligations pursuant to the Agreement; (ii) to help ensure security and integrity to the extent the use of Customer Personal Data is reasonably necessary and proportionate for these purposes; (iii) to debug to identify and repair errors that impair existing intended functionality; (iv) to perform other services on behalf of Customer, which may include maintaining or servicing accounts, providing customer support, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing analytics and user outreach; (v) for internal research or analytics for technological development and demonstration; (vi) to undertake activities to verify or maintain the quality or safety of the Solution and to improve, upgrade, or enhance the Solution; and (vii) as otherwise allowed by the Agreement and this DPA.

7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the duration of Customer’s subscription to the Solution + 30 days

8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the Processing

For information about transfers to sub-processors see: https://www.autommate.com/privacy-policy/

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent Supervisory Authority/ies in accordance with Clause 13: Autoriteit Persoonsgegevens.

The competent authority for the processing of Personal Data relating to Data Subjects located in the NL is the NL Information Commissioner.

Annex II

Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data

This document describes technical and organizational security measures and controls implemented by Autom Mate, or Autom Mate affiliates (hereafter referred to as Autom Mate), to protect personal data and ensure the ongoing confidentiality, integrity, and availability of Autom Mate’s products and services.

This document is a high-level overview of Autom Mate’s technical and organizational security measures. More details on the measures we implement are available upon request. Autom Mate reserves the right to revise these technical and organizational measures at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for personal data that Autom Mate processes in providing its various services. In the unlikely event that Autom Mate does materially reduce its security, Autom Mate shall notify its customers.

Autom Mate shall take the following technical and organizational security measures to protect personal data:

Organizational Security Measures

  • Governance: Autom Mate Corp. maintains a robust governance framework with a formal Information Security Management System (ISMS) certified to ISO/IEC 27001 standards. This framework is supported by a dedicated Data Protection Officer (DPO) and a specialized security team responsible for overseeing compliance with GDPR and other data protection regulations.
  • Privacy and Security Policies: Comprehensive security policies and procedures are regularly reviewed and updated to reflect evolving threats and regulatory changes. These policies cover data protection, incident response, access control, risk management, and employee conduct.
  • Data Protection Officer (DPO): Appoint a DPO who regularly reviews data protection risks and controls, ensuring independence in their reviews.
  • Personnel: Dedicated staff responsible for the development, implementation, and maintenance of Autom Mate’s information security program.

Audit and Risk Assessment

  • Periodic reviews and assessments of risks to the Autom Mate organization, monitoring and maintaining compliance with Autom Mate policies and procedures, and reporting the condition of its information security and compliance to senior internal management.

Document Management

  • Data Processing Agreements (DPAs): DPAs are regularly reviewed and updated to ensure compliance with legal standards and are stored securely with controlled limited access. These documents reflect the responsibilities of Autom Mate Corp. and its clients concerning data processing.
  • Controlled Access and Version Management: All critical documents, such as Non-disclosure Agreements (NDAs), Sub-processor Agreements, and security policies, are stored in a secure, centralized repository with version control and access logging to track changes and access.

Access Control

  • Comprehensive Access Control Systems: Implement role-based access control systems to ensure that access to sensitive data is strictly based on the principle of ‘least privilege.’ Controls are enforced through a combination of physical, administrative, and technical measures.
  • Authentication and Authorization: Utilize strong multi-factor authentication and complex password policies across all systems. Mechanisms are in place for automatic logouts after periods of inactivity, and re-validation of credentials is required for continued access.
  • Logical Access Controls: Manage electronic access to data and system functionality based on authority levels and job functions, implementing least privilege access, use of unique IDs and passwords, and prompt adjustment or revocation of access as needed.
  • Password Management: Enforce controls to manage and control password strength and usage, including prohibiting password sharing.
  • Audit Logging: Systematic event logging and monitoring to record user access and system activity for routine review.
  • Physical and Environmental Security: Secure data center, server room facilities, and other sensitive areas to protect information assets from unauthorized physical access and environmental hazards.

Data Security and Privacy

  • Encryption and Data Protection: Encrypt Customer Personal Data at rest and in transit using industry-standard encryption technologies, including TLS for data transmitted over public networks, so that data intercepted during transmission cannot be read by unauthorized parties.
  • Vulnerability Management: Conduct regular security assessments, including penetration testing and vulnerability scans, to identify and mitigate potential exposures. Patch management processes are rigorously followed to ensure timely application of security patches.
  • Information Security Policies: Maintain robust information security policies and regularly review and, where necessary, improve them.

Incident and Problem Management

  • Incident Response Plan: An established incident response plan details steps for managing data breaches and security incidents, including immediate containment, investigation, and customer notification procedures.
  • Logging and Monitoring: Implement advanced monitoring systems to log and analyze security events. These logs are regularly reviewed to identify and respond to potential security incidents promptly.
  • Incident Management: Investigate, respond to, mitigate, and notify of events related to Autom Mate technology and information assets.
  • Change Management: Maintain procedures and tracking mechanisms to test, approve, and monitor all changes to Autom Mate technology and information assets.

Network and System Security

  • Advanced Network Defenses: Deploy enterprise-grade firewalls, intrusion detection systems, and anti-malware solutions to protect against unauthorized access and cyber threats. Network security configurations are regularly reviewed and optimized.
  • System Hardening: Regularly perform security hardening of all servers and network devices to minimize vulnerabilities and reduce the attack surface.
  • Communication Security: Use cryptographic protocols such as TLS to protect information in transit over public networks. Utilize stateful firewalls, web application firewalls, and DDoS protection at the network edge to filter attacks.
  • Data Security Controls: Implement logical segregation of data, restricted access based on roles, and monitoring. Use commercially available and industry-standard encryption technologies where applicable.
  • Operational Controls: Configure, monitor, and maintain technology and information systems according to internal and industry standards, including secure disposal of systems and media.
  • Network Security: Utilize enterprise firewalls and layered DMZ architectures, intrusion detection systems, and event correlation procedures to protect systems from intrusion.
  • Vulnerability and Threat Management: Conduct vulnerability assessments, manage patches, and implement threat protection technologies with scheduled monitoring to mitigate risks.

Data Integrity and Availability

  • Data Backup and Recovery: Comprehensive backup strategies are implemented to preserve data integrity and availability. Disaster recovery plans are regularly tested and are designed to restore services promptly in the event of a disaster.
  • High Availability Infrastructure: Deploy redundant systems and networks to ensure service continuity and resilience against failures.
  • Business Resiliency and Disaster Recovery: Maintain procedures designed to sustain service and recover from emergency situations or disasters.

Compliance and Continuous Improvement

  • Regular Audits and Assessments: Conduct internal and external audits to ensure compliance with security policies and legal requirements. Continuous improvement processes are in place to adapt security practices to new threats.
  • Regulatory Compliance: Ensure all data processing activities are compliant with applicable laws and regulations, including GDPR. Regular training on regulatory changes is provided to all relevant employees.
  • Vendor Management: Implement a formal program including security reviews for critical vendors to ensure compliance with Autom Mate Information Security Policies.

Training and Awareness

  • Security Training Programs: All employees participate in comprehensive security training focused on best practices and recognizing security threats. Specialized training programs are designed for roles with specific security responsibilities.
  • Awareness Campaigns: Regular security awareness campaigns are conducted to keep security at the forefront of Autom Mate Corp.’s culture, emphasizing the importance of every employee’s role in maintaining security.

Data Minimization and Retention

  • Strict Data Minimization Practices: Collect and process only the data necessary for the defined purpose, adhering strictly to data minimization principles. Regular audits ensure compliance with these practices.
  • Data Retention Policies: Enforce strict data retention policies that dictate how long data is held based on legal and contractual requirements. Procedures are in place for the secure deletion of data once it is no longer needed.

By implementing these measures, Autom Mate Corp. aims to uphold the highest standards of data protection and security, ensuring the confidentiality, integrity, and availability of all processed data. This document is reviewed and updated periodically to reflect the latest security practices and compliance requirements.

Annex III

List of Sub-Processors

A list of sub-processors can be found at https://www.autommate.com/privacy-policy/.