Data Processing Addendum

EFFECTIVE DAY 1 JUNE 2024

This Data Processing Addendum, including its annexes and the Standard Contractual Clauses, (“DPA”) is made by and between Cention, and Customer, pursuant to the Master Subscription Agreement or other written or electronic agreement between the parties (as applicable) (“Agreement”), and will be effective on the date both parties have signed the Agreement.


This DPA forms part of the Agreement and sets out the terms that apply when Personal Data is processed by Cention under the Agreement. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose Personal Data is processed.

Definitions. Any capitalized term used but not defined in this DPA has the meaning provided to it in the Agreement.

    1. “Account Data” means Personal Data that relates to Customer’s relationship with Cention, including to access Customer’s account and billing information, identity verification, maintain or improve performance of the Services, provide support, investigate and prevent system abuse, or fulfill legal obligations.
 
    1. “Affiliate” means any entity controlled by, controlling or under common control by an entity, where “control” means ownership of or the right to control greater than 50% of the voting securities of such entity.
 
    1. “Applicable Data Protection Legislation” refers to laws and regulations applicable to Cention’s processing of personal data under the Agreement, including but not limited to (a) the GDPR, (b) in respect of the UK, the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2019 (together, “UK Data Protection Laws”), (c) the Swiss Federal Data Protection Act and its implementing regulations (“Swiss DPA”), (d) CCPA, and (e) Australian Privacy Principles and the Australian Privacy Act (1988), in each case, as may be amended, superseded or replaced.
 
    1. “Controller” or “controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
 
    1. “Customer Data” means personal data that relates to Customer’s relationship with Cention, including Personal Data that Cention processes as a Processor on behalf of Customer.
 
    1. “Europe” means for the purposes of this DPA the European Economic Area (“EEA”), United Kingdom (“UK”) and Switzerland.
 
    1. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
 
    1. “Personal Data” or “personal data” means any information, including personal information, relating to an identified or identifiable natural person (“data subject”) or as defined in and subject to Applicable Data Protection Legislation.
 
    1. “Privacy Policy” means the then-current privacy policy for the Services available at https://cention.com/privacy-policy.
 
    1. “Processor” or “processor” means the entity which processes Personal Data on behalf of the Controller.
 
    1. “Processing” or “processing” (and “Process” or “process”) means any operation or set of operations performed upon Personal Data, whether or not by automated means, means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, securing, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
 
    1. “Restricted Transfer” means: (i) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
 
    1. “Security Breach” means a breach of security leading to any accidental, unauthorized or unlawful loss, disclosure, destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data transmitted, stored or otherwise processed by Cention. A Security Incident shall not include an unsuccessful attempt or activity that does not compromise the security of Customer Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.
 
    1. “Standard Contractual Clauses” or “SCCs” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/uri=CELEX:32021D0914&from=EN (“EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c), or (d) of the UK GDPR (“UK SCCs”) and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”) (in each case, as updated, amended or superseded from time to time).
 
    1. “Sub-processor” or “sub-processor” means (a) Cention, when Cention is processing Customer Data and where Customer is itself a processor of such Customer Data, or (b) any third-party Processor engaged by Cention or its Affiliates to assist in fulfilling Cention’s obligations under the Agreement and which processes Customer Data. Sub-processors may include third parties or Cention Affiliates but shall exclude Cention employees, contractors or consultants.
 
  1. “Third Party Request” means any request, correspondence, inquiry, or complaint from a data subject, regulatory authority, or third party.

Applicability and Scope.

  1. Applicability. This DPA will apply only to the extent that Cention processes, on behalf of Customer, Personal Data to which Applicable Data Protection Legislation applies.

  2. Scope. The subject matter of the data processing is the provision of the Services, and the processing will be carried out for the duration of the Agreement. Schedule 1 (Details of Processing) sets out the nature and purpose of the processing, the types of Personal Data Cention processes and the categories of data subjects whose Personal Data is processed.

  3. Cention as a Processor. The parties acknowledge and agree that regarding the processing of Customer Data, Customer may act either as a controller or processor and Cention is a processor. Cention will process Customer Data in accordance with Customer’s instructions as set forth in Section 5 (Customer Instructions).

  4. Cention as a Controller of Account Data. The parties acknowledge that, regarding the processing of Account Data, Customer is a controller and Cention is an independent controller, not a joint controller with Customer. Cention will process Account Data as a controller (a) in order to manage the relationship with Customer; (b) carry out Cention’s core business operations; (c) in order to detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) identity verification; (e) to comply with Cention’s legal or regulatory obligations; and (f) as otherwise permitted under Applicable Data Protection Legislation and in accordance with this DPA, the Agreement, and the Privacy Policy.

3. Cention as a Processor - Processing Customer Data.

  1. Customer Instructions. Customer appoints Cention as a processor to process Customer Data on behalf of, and in accordance with, Customer’s instructions (a) as set forth in the Agreement, this DPA, and as otherwise necessary to provide the Services to Customer (which may include investigating security incidents, and detecting and preventing exploits or abuse); (b) as necessary to comply with applicable law, including Applicable Data Protection Legislation; and (c) as otherwise agreed in writing between the parties (“Permitted Purposes”).
  2. Lawfulness of Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Legislation. Customer acknowledges that Cention is neither responsible for determining which laws are applicable to Customer’s business nor whether Cention’s Services meet or will meet the requirements of such laws. Customer will ensure that Cention’s processing of Customer Data, when done in accordance with Customer’s instructions, will not cause Cention to violate any applicable law, including Applicable Data Protection Legislation. Cention will inform Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate applicable law, including Applicable Data Protection Legislation.
  3. Additional Instructions. Additional instructions outside the scope of the Agreement or this DPA will be mutually agreed to between the parties in writing.

4. Purpose Limitation.

Cention will process Personal Data in order to provide the Services in accordance with the Agreement. Schedule 1 (Details of Processing) of this DPA further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of Personal Data and categories of data subjects.

5. Compliance.

Customer shall be responsible for ensuring that: a) all such notices have been given, and all such authorizations have been obtained, as required under Applicable Data Protection Legislation, for Cention (and its Affiliates and Sub-processors) to process Customer Data as contemplated by the Agreement and this DPA; b) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including Applicable Data Protection Legislation; and c) it has, and will continue to have, the right to transfer, or provide access to, Customer Data to Cention for processing in accordance with the terms of the Agreement and this DPA.

6. Confidentiality.

  1. Confidentiality Obligations of Cention Personnel.
    1. Security Policy and Confidentiality. Cention requires all employees to acknowledge in writing, at the time of hire, they will adhere to terms that are in accordance with Cention’s security policy and to protect Customer Data at all times. Cention requires all employees to sign a confidentiality statement at the time of hire.
    2. Cention will ensure that any person that it authorizes to process Customer Data (including its staff, agents, and subcontractors) shall be subject to a duty of confidentiality (whether in accordance with Cention’s confidentiality obligations in the Agreement or a statutory duty).
    3. Background Checks. Cention conducts at its expense a criminal background investigation on all employees who are to perform material aspects of the Services under this Agreement.
    4. Responding to Third Party Requests. In the event any Third Party Request is made directly to Cention in connection with Cention’s processing of Customer Data, Cention will promptly inform Customer and provide details of the same, to the extent legally permitted. Cention will not respond to any Third Party Request, without prior notice to Customer and an opportunity to object, except as legally required to do so or to confirm that such Third Party Request relates to Customer.
  2. Responding to Third Party Requests. In the event any Third Party Request is made directly to Cention in connection with Cention’s processing of Customer Data, Cention will promptly inform Customer and provide details of the same, to the extent legally permitted. Cention will not respond to any Third Party Request, without prior notice to Customer and an opportunity to object, except as legally required to do so or to confirm that such Third Party Request relates to Customer.

7. Sub-processors.

  1. Authorization for Sub-processing. Customer agrees that (a) Cention may engage Sub-processors as listed at https://cention.com/subprocessors (the “Sub-processor Page”) which may be updated from time to time and Cention Affiliates; and (b) such Affiliates and Sub-processors respectively may engage third party processors to process Customer Data on Cention’s behalf. Customer provides a general authorization for Cention to engage onward sub-processors that is conditioned on the following requirements: (a) Cention will restrict the onward sub-processor’s access to Customer Data only to what is strictly necessary to provide the Services, and Cention will prohibit the sub-processor from processing the Personal Data for any other purpose. (b) Cention agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Customer Data to the standard required by Applicable Data Protection Legislation; and (c) Cention will remain liable and accountable for any breach of this DPA that is caused by an act or omission of its sub-processors.
  2. Current Sub-processors and Notification of Sub-processor Additions.
    1. Customer understands that effective operation of the Services may require the transfer of Customer Data to Cention Affiliates or to Cention’s Sub-processors, see Schedule 3. Customer hereby authorizes the transfer of Customer Data to locations outside Europe subject to continued compliance with this DPA throughout the duration of the Agreement. Customer hereby provides general authorization to Cention engaging additional third-party Sub-processors to process Customer Data within the Services for the Permitted Purposes.
    2. Cention may, by giving reasonable notice to the Customer, add to the Sub-processor Page. Cention will notify Customer if it intends to add or replace Sub-processors from the Sub-Processor Page at least 10 days prior to any such changes. To receive such notification, Customers can follow link https://cention.com/subprocessors. If Customer objects to the appointment of an additional Sub-processor within thirty (30) calendar days of such notice on reasonable grounds relating to the protection of the Personal Data, then Cention will work in good faith with Customer to find an alternative solution. In the event that the parties are unable to find such a solution, Customer may terminate the Agreement at no additional cost.

8. Impact Assessments and Consultations.

Customer shall be responsible for ensuring that: a) all such notices have been given, and all such authorizations have been obtained, as required under Applicable Data Protection Legislation, for Cention (and its Affiliates and Sub-processors) to process Customer Data as contemplated by the Agreement and this DPA; b) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including Applicable Data Protection Legislation; and c) it has, and will continue to have, the right to transfer, or provide access to, Customer Data to Cention for processing in accordance with the terms of the Agreement and this DPA.

9. Security.

  1. Cention has in place and will maintain throughout the term of this Agreement appropriate technical and organizational measures designed to protect Customer Data against Security Breaches.
  2. These measures shall at a minimum comply with applicable law and include the measures identified in Schedule 2 (Technical and Organizational Security Measures).
  3. Customer acknowledges that the security measures are subject to technical progress and development and that Cention may update or modify the security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
  4. Cention will ensure that any person authorized to process Customer Data (including its staff, agents, and subcontractors) shall be subject to a duty of confidentiality.
  5. Upon becoming aware of a Security Breach involving Customer Data processed by Cention on behalf of Customer under this DPA, Cention shall notify Customer without undue delay and shall provide such information as Customer may reasonably require, including to enable Customer to fulfil its data breach reporting obligations under Applicable Data Protection Legislation.
  6. Cention’s notification of or response to a Security Breach shall not be construed as an acknowledgement by Cention of any fault or liability with respect to the Security Breach.
  7. Customer is solely responsible for its use of the Service, including (a) making appropriate use of the Service to ensure a level of security appropriate to the risk in respect of Customer Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Service; and (c) backing up Customer Data.

10. Return or Deletion of Customer Data.

Upon termination or expiry of this Agreement, Cention will (at Customer’s election) delete or return to Customer all Customer Data in its possession or control as soon as reasonably practicable and within a maximum period of 30 days of termination or expiry of the Agreement, save that this requirement will not apply to the extent that Cention is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Cention will securely isolate and protect from any further processing, except to the extent required by applicable law.

11. Audits.

  1. The parties acknowledge that when Cention is acting as a processor on behalf of Customer, Customer must be able to assess Cention’s compliance with its obligations under Applicable Data Protection Legislation and this DPA.
  2. Cention shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and the obligations under Article 28 of the GDPR. While it is the parties’ intention ordinarily to rely on the provision of the documentation to demonstrate Cention’s compliance with this DPA and the provisions of Article 28 of the GDPR, Cention shall permit Customer (or its appointed third party auditors) to carry out an audit at Customer’s cost and expense (including without limitation the costs and expenses of Cention) of Cention’s processing of Customer Data under the Agreement following a Security Breach suffered by Cention, or upon the instruction of a data protection authority acting pursuant to Applicable Data Protection Legislation. Customer must give Cention reasonable prior notice of such intention to audit, conduct its audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to Cention’s operations. Any such audit shall be subject to Cention’s security and confidentiality terms and guidelines and may only be performed a maximum of once annually. If Cention declines to follow any instruction requested by Customer regarding audits, Customer is entitled to terminate the Agreement.
  3. Cention shall use external auditors to verify the adequacy of its security measures with respect to its processing of Customer Data. A description of Cention’s certifications and standards for audit can be found at https://cention.com/security.

12. Transfer Mechanisms.

  1. Location of Processing. Customer acknowledges that Cention and its Sub-processors may transfer and process personal data in other locations in which Cention, its Affiliates or its Sub-processors maintain data processing operations, as more particularly described in the Sub-processor Page. Cention shall ensure that such transfers are made in compliance with Applicable Data Protection Legislation and this DPA.
  2. Transfer Mechanism. The parties agree that when the transfer of personal data from Customer (as “data exporter”) to Cention (as “data importer”) is a Restricted Transfer and Applicable Data Protection Legislation require that appropriate safeguards are put in place, such transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form part of this DPA, as follows:
    1. In relation to transfers of Customer Data that is protected by the GDPR, the EU SCCs shall apply, completed as follows:
      1. Module Two or Module Three will apply (as applicable);
      2. in Clause 7, the optional docking clause will apply;
      3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in section 7.ii.b of this DPA;
      4. in Clause 11, the optional language will not apply;
      5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by by the law of the EU Member State in which the data exporter is established and if no such law by Swedish law;
      6. in Clause 18(b), disputes shall be resolved before the courts of the EU Member State in which the data exporter is established and otherwise Sweden;
      7. Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this DPA; and
      8. Subject to section 9.iii of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 to this DPA;
    2. In relation to transfers of Account Data protected by the GDPR and processed in accordance with Section 2.iv of this DPA, the EU SCCs shall apply, completed as follows:
      1. Module One will apply;
      2. in Clause 7, the optional docking clause will apply;
      3. in Clause 11, the optional language will not apply;
      4. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Swedish law;
      5. in Clause 18(b), disputes shall be resolved before the courts of Sweden;
      6. Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this DPA; and
      7. Subject to section 9.iii of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 to this DPA;
    3. In relation to transfers of personal data protected by the UK GDPR or Swiss DPA, the EU SCCs as implemented under sub-paragraphs (a) and (b) above will apply with the following modifications:
      1. references to “Regulation (EU) 2016/679” shall be interpreted as references to UK Privacy Laws or the Swiss DPA (as applicable);
      2. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of UK Privacy Laws or the Swiss DPA (as applicable);
      3. references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “UK” or “Switzerland”, or “UK law” or “Swiss law” (as applicable);
      4. the term “member state” shall not be interpreted in such a way as to exclude data subjects in the UK or Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., the UK or Switzerland);
      5. Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the UK Information Commissioner or Swiss Federal Data Protection Information Commissioner (as applicable);
      6. references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Information Commissioner” and the “courts of England and Wales” or the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland” (as applicable);
      7. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable); and
      8. with respect to transfers to which UK Privacy Laws apply, Clause 18 shall be amended to state “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”, and with respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
    4. To the extent that and for so long as the EU SCCs as implemented in accordance with sub-paragraph (a)-(c) above cannot be used to lawfully transfer Customer Data and Account Data in accordance with the UK GDPR to Cention, the UK SCCs shall be incorporated into and form an integral part of this DPA and shall apply to transfers governed by the UK GDPR. For the purposes of the UK SCCs, the relevant annexes, appendices or tables shall be deemed populated with the information set out in Schedules 1 and 2 of this DPA.
    5. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict.
    6. Alternative Transfer Mechanism. To the extent that Cention adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses adopted pursuant to Applicable Data Protection Legislation) (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall upon notice to Customer and an opportunity to object, apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Applicable Data Protection Legislation applicable to Europe and extends to territories to which Customer Data and Account Data is transferred).

14. Miscellaneous.

  1. If there is a conflict between the Agreement and this DPA, the terms of this DPA will prevail. The order of precedence will be: (a) this DPA; (b) the Agreement; and (c) the Privacy Policy. To the extent there is any conflict between the Standard Contractual Clauses, and any other terms in this DPA, the Agreement, or the Privacy Policy, the provisions of the Standard Contractual Clauses will prevail.
  2. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.
  3. In no event does this DPA restrict or limit the rights of any data subject or of any competent supervisory authority.
  4. In the event (and to the extent only) of a conflict (whether actual or perceived) among Applicable Data Protection Legislation, the parties (or relevant party as the case may be) shall comply with the more onerous requirement or standard which shall, in the event of a dispute in that regard, be solely determined by Cention.
  5. Not with standing anything else to the contrary in the Agreement and without prejudice to Sections 2(iii) and 2 (iv), Cention reserves the right to make any modification to this DPA as may be required to comply with Applicable Data Protection Legislation.
  6. Except as amended by this DPA, the Agreement will remain in full force and effect.
  7. Notwithstanding anything in the Agreement or any order form entered in connection therewith, the parties acknowledge and agree that Cention access to Customer Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.

Schedule 1 : Details Of Processing

Annex I

A. List Of Parties

Data exporter(s): [Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name of Data exporter:

The party identified as the “Customer” in the Agreement and this DPA

Address:

As set forth in the Agreement

Contact person’s name, position, and contact details:

As set forth in the Agreement

Activities relevant to the data transferred under these Clauses:

See Annex 1(B) below

Signature and date:

This Annex I shall automatically be deemed executed when the Agreement is executed by Customer

Role (controller/processor):

Controller or Processor

Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection]

Name:

Cention Group Sdn Bhd

Address:

19th floor Menara Worldwide, 198 Jalan Bukit Bintang, 55100 Kuala Lumpur, Malaysia

Contact person’s name, position, and contact details:

Centions Privacy Team – [legal@cention.com]

Signature and date:

This Annex I shall automatically be deemed executed when the Agreement is executed by Cention.

Role (controller/processor):

Processor

B. DESCRIPTION OF PROCESSING/ TRANSFER

Categories of Data Subjects whose personal data is transferred

Module One
Customer’s employees and individuals authorized by Customer to access Customer’s Cention account: Employees or contact persons of Customer’s prospects, customers, business partners and vendors.

Modules Two and Three
Customer’s end users: Prospects, customers, business partners and vendors of Customer (who are natural persons).

Categories of Personal Data transferred

Module One
Account Data which constitutes Personal Data, such as name and contact information as well as Customer billing address.

Modules Two and Three
Any Customer Data processed by Cention in connection with the Services and which could constitute any type of Personal Data included in chats or messages, including, without limitation, username, password, email address, IP address as well as customer attribute data, website page view data, click data and social media information.

Frequency of the transfer

Continuous.

Nature and purpose(s) of the data transfer and Processing

Module One
Personal data contained in Account Data will be processed to manage the account, including to access Customer’s account and billing information, for identity verification, to maintain or improve the performance of the Services, to provide support, to investigate and prevent system abuse, or to fulfill legal obligations.

Modules Two and Three
Personal Data contained in Customer Data will be subject to the following basic processing activities:

Cention provides a communication platform to facilitate interaction and engagement between the Customer and end users. This service will consist of providing a communication platform for the Customer to use in order to on-board and retain end users as well as analyze their use of the Customer’s product and/or services.

Cention will process personal data as necessary to provide the Services under the Agreement. Cention does not sell Customer’s Personal Data or Customer end users’ Personal Data and does not share such end users’ Personal Data with third parties for compensation or for those third parties’ own business interests.

Additional details about Cention’s products and services can be found at https://cention.com.

Retention period (or, if not possible to determine, the criterial used to determine the period)

Module One
Cention will process Account Data as long as required (a) to provide the Services to Customer; (b) for Cention’s lawful and legitimate business needs; or (c) in accordance with applicable law or regulation. Account Data will be stored in accordance with the Privacy Policy.

Modules Two and Three
Upon termination or expiry of this Agreement, Cention will (at Customer’s election) delete or return to Customer all Customer Data (including copies) in its possession or control as soon as reasonably practicable and within a maximum period of 30 days of termination or expiry of the Agreement, save that this requirement will not apply to the extent that Cention is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Cention will securely isolate and protect from any further processing, except to the extent required by applicable law.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing

Modules Two and Three only
Cention will restrict the onward sub-processor’s access to Customer Data only to what is strictly necessary to provide the Services, and Cention will prohibit the sub-processor from processing the Personal Data for any other purpose.

Cention imposes contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Customer Data to the standard required by Applicable Data Protection Legislation.

Cention will remain liable and accountable for any breach of this DPA that is caused by an act or omission of its sub-processors.

Identify the competent supervisory authority/ies in accordance with Clause 13

Where the EU GDPR applies, the competent supervisory authority shall be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter’s EU representative has been appointed pursuant to Article 27(1) GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located.. Where the UK GDPR applies, the UK Information Commissioner’s Office.

Schedule 1 : Details Of Processing

Annex I

A. List Of Parties

Further details of Cention’s technical and organizational security measures to protect Customer Data are available at:

Where applicable, this Schedule 2 will serve as Annex II to the Standard Contractual Clauses. The following table provides more information regarding the technical and organizational security measures set forth below.

Technical and Organizational Security Measure

Evidence of Technical and Organizational Security Measure

Measures of pseudonymisation and encryption of personal data

  • All data sent to or from Cention is encrypted in transit using TLS 1.2.
  • Customer Personal Data is encrypted at rest using 256-bit encryption, leveraging AWS’ encryption framework.
  • All Cention datastores used to process Customer data are configured and patched using commercially reasonable methods according to industry-recognized system-hardening standards.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

  • Cention has implemented a formal procedure for handling security events. When security events are detected, they are escalated to an emergency alias, relevant parties are paged, notified, and assembled to rapidly address the event. After a security event is contained and mitigated, relevant teams write up a post-mortem analysis, which is reviewed in person and distributed across the company and includes action items that will make the detection and prevention of a similar event easier in the future.
  • All Customer Data is permanently stored in AWS (For European customers: Stockholm and Ireland, For APAC customers: Singapore and Sidney, For US customers within the US) and is backed up for disaster recovery.
  • Cention relies on Amazon Web Services (AWS), a reputable Infrastructure-As-A-Service provider. Cention leverages their portfolio of globally redundant services to ensure Services run reliably. Cention benefits from the ability to dynamically scale up, or completely re-provision its infrastructure resources on an as-needed basis, across multiple geographical areas, using the same vendor, tools, and APIs. Cention’s infrastructure scales up and down on demand as part of day-to-day operations and does so in response to any changes in our customers’ needs. This includes not just compute resources, but storage and database resources, networking, security, and DNS. Every component in Cention’s infrastructure is designed and built for high availability.
  • Cention’s data security, high availability, and built-in redundancy are designed to ensure application availability and protect information from accidental loss or destruction. Cention’s Disaster Recovery plan incorporates geographic failover. Subscription Service restoration is within commercially reasonable efforts and is performed in conjunction with AWS’ ability to provide adequate infrastructure at the prevailing failover location. All of Cention recovery and resilience mechanisms are tested regularly and processes are updated as required.
  • Cention operates a dedicated 24×7 on-call incident management function, ready to immediately respond to, and mitigate, any Customer impacting issues. 
  • Cention has no direct reliance on specific office locations to sustain operations. All operational access to production resources can be exercised at any location on the Internet. Cention leverages a range of best-of- breed technologies and other critical cloud tools to deliver uninterrupted remote work for all employees.
  • All Customer Data deleted by Cention is deleted from AWS datastores in accordance with the NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitation December 18, 2014 (available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf). With respect to Customer Data encrypted in compliance with this security policy, this deletion may be done by permanently and securely deleting all copies of the keys used for encryption.
  • See “Back Ups and Monitoring” at www.cention.com/security.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  • See response for “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services” above.

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

  • Cention regularly tests their security systems and processes to ensure they meet the requirements of this security policy and ensures that the physical and environmental security controls are audited yearly for ISO 27001 compliance, among other certifications.
  • Application Scans. Cention performs periodic (but no less than once per month) application vulnerability scans. Vulnerabilities shall be remediated on a risk basis.
  • Third party penetration tests. Cention employs an independent third-party vendor to conduct periodic (but no less than once per year) penetration tests on their web properties. 
  • Bug bounty program. Cention maintains a security bug bounty program, which gives independent security researchers a platform for testing and submitting vulnerability reports.

Measures for user identification and authorisation

  • Single Sign-On (SSO)
  • Logical Access Controls. Cention assigns a unique ID to each employee and leverages an Identity Provider to manage access to systems processing Customer Data. 
  • All access to systems processing Customer Data is protected by Multi Factor Authentication (MFA). 
  • Cention restricts access to Customer Data to only those people with a “need-to-know” for a Permitted Purpose and following least privileges principles.
  • Cention regularly reviews at least every 180 days the list of people and systems with access to Customer Data and removes accounts upon termination of employment or a change in job status that results in employees no longer requiring access to Customer Data.
  • Cention mandates and ensures the use of system-enforced “strong passwords” in accordance with the best practices (described below) on all systems hosting, storing, processing, or that have or control access to Customer Data and will require that all passwords and access credentials are kept confidential and not shared among personnel.
  • Password best practices implemented by Cention’s Identity Provider. Passwords must meet the following criteria: a. contain at least 10 characters; b. must contain lowercase and uppercase letters, numbers, and a special character; c. cannot be part of a vendor provided list of common passwords.
  • Cention maintains and enforces “account lockout” by disabling accounts with access to Customer Data when an account exceeds more than five (5) consecutive incorrect password attempts.
  • Cention does not operate any internal corporate network. All access to Cention resources is protected by strong passwords and MFA. 
  • Cention monitors their production systems and implements and maintains security controls and procedures designed to prevent, detect, and respond to identified threats and risks.
  • Strict privacy controls exist in the application code that are designed to ensure data privacy and to prevent one customer from accessing another customer’s data (i.e., logical separation).

Measures for the protection of data during transmission

Measures for the protection of data during storage

  • Intrusion Prevention. Cention implements and maintains a working network firewall to protect data accessible via the Internet and will keep all Customer Data protected by the firewall at all times.
  • Cention keeps its systems and software up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications necessary to ensure security of the Customer Data. 
  • Security Awareness Training. Cention requires annual security and privacy training for all employees with access to Customer Data.
  • Customer instances are logically separated and attempts to access data outside allowed domain boundaries are prevented and logged. 
  • Endpoint security software
  • System inputs recorded via log files
  • Access Control Lists (ACL)
  • Multi-factor Authentication (MFA)
  • See “Back Ups and Monitoring” and “Permissions and Authentication” at https://www.cention.com/security.
  •  

Measures for ensuring physical security of locations at which personal data are processed

  • Physical Access Control. Cention’s services and data are hosted in AWS’ facilities and protected by AWS in accordance with their security protocols.
  • Access only to approved personnel. 
  • All personnel who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. 

Measures for ensuring events logging

  • See “Measures for the protection of data during storage” above.

Measures for ensuring system configuration, including default configuration

  • Change and Configuration Management. Cention uses continuous automation for application and operating systems deployment for new releases. Integration testing and unit testing are done upon every build with safeguards in place for availability and reliability. Cention has a process for critical emergency fixes that can be deployed to Customers within minutes. As such Cention can roll out security updates as required based on criticality.
  • Access Control Policy and Procedures
  • Change Management Procedures

Measures for internal IT and IT security governance and management

  • Information security management procedures in accordance with the ISO 27001:2013 standard.
  • Information-related business operations continue to be carried out in accordance with the ISO27001:2013 standard.
  • Information security policy
  • Security Breach Response Plan
  • Other written security policies include: (a) Business Continuity Policy; (b) Secure Software Development Policy; (c) Electronic Device Policy; (d) Data Classification Policy; (e) Network Security Policy; (f) IT Security Policy; (g) Physical Security Policy; (h) Access Control Policy.

Measures for certification/assurance of processes and products

Measures for ensuring data minimisation

  • Data collection is limited to the purposes of processing (or the data that the Customer chooses to provide). 
  • Security measures are in place to provide only the minimum amount of access (least privilege) necessary to perform required functions. 
  • Upon termination or expiry of this Agreement, Cention will (at Customer’s election) delete or return to Customer all Customer Data (including copies) in its possession or control as soon as reasonably practicable and within a maximum period of 30 days of termination or expiry of the Agreement, save that this requirement will not apply to the extent that Cention is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Cention will securely isolate and protect from any further processing, except to the extent required by applicable law.
  • More information about how Cention processes personal data is set forth in the Privacy Policy available at https://www.cention.com/privacy-policy.
  •  

Measures for ensuring data quality

  • Cention has a process that allows data subjects to exercise their privacy rights (including a right to amend and update their Personal Data), as described in Cention’s Privacy Policy.
  • See “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services” above.
  •  

Measures for ensuring limited data retention

  • See “Measures for ensuring data minimization” above.

Measures for ensuring accountability

  • Cention has implemented data protection policies
  • Cention follows a compliance and privacy by design approach
  • Cention maintains documentation of your processing activities
  • Cention has appointed a data protection officer
  • Cention adheres to relevant codes of conduct and signing up to certification schemes.

Measures for allowing data portability and ensuring erasure

  • Secure Disposal. Return or Deletion. Cention will permanently and securely delete all live (online or network accessible) instances of the Customer Data within 90 days upon Customer’s deletion request. 
  • Archival Copies. When required by law to retain archival copies of Customer Data for tax or similar regulatory purposes, this archived Customer Data is stored as a “cold” or offline (i.e., not available for immediate or interactive use) backup stored in a secure facility.
  • Cention has a process that allows data subjects to exercise their privacy rights (including a right to amend and update their Personal Data), as described in Cention’s Privacy Policy.

Technical and organizational measures to be taken by the [sub]-processor to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the Customer.

  • Vendor & Services Providers. Prior to engaging new third-party service providers or vendors who will have access to Cention Data, Cention conducts a risk assessment of vendors’ data security practices.
  • Cention will restrict the onward sub-processor’s access to Customer Data only to what is strictly necessary to provide the Services, and Cention will prohibit the sub-processor from processing the Personal Data for any other purpose.
  • Cention imposes contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Customer Data to the standard required by Applicable Data Protection Legislation.
  • Cention will remain liable and accountable for any breach of this DPA that is caused by an act or omission of its sub-processors.

Schedule 3 : List Of Sub-Processors

Annex III

In Clause 9 of the 2021 Standard Contractual Clauses, Option 2 will apply and the time period for prior notice of sub-processor changes will be as set forth in Section 7.ii (Current Sub-processors and Notification of Sub-processor Changes) of this DPA.

Customer agrees that (a) Cention may engage Cention and Sub-processors as listed at https://www.cention.com/subprocessors – (the “Sub-processor Page”).

Cention may, by giving reasonable notice to the Customer, add or make changes to the Sub-processor Page. Cention will notify Customer if it intends to add or replace Sub-processors from the Sub-Processor Page at least 10 days prior to any such changes. In order to receive such notification, Customers can follow link https://cention.com/subprocessors. If Customer objects to the appointment of an additional Sub-processor within thirty (30) calendar days of such notice on reasonable grounds relating to the protection of the Personal Data, then Cention will work in good faith with Customer to find an alternative solution. In the event that the parties are unable to find such a solution, Customer may terminate the Agreement at no additional cost.