Service Provider Data Processing Agreement

Last Updated: February 26, 2026

This Service Provider Data Processing Agreement (“SPDPA”) governs the Processing of Personal Data by any entity (“Service Provider”) which Processes Personal Data on behalf of Gusto, Inc. ("Company") pursuant to: (i) any agreement, purchase order, or other arrangement that references this SPDPA; or (ii) in the absence of such reference, any agreement, purchase order, or other arrangement where Company permits Service Provider to process Personal Data on Company's behalf ((i) and (ii) collectively the “Agreement”).

  1. Acceptance of Terms.
    1. By entering into an agreement, purchase order, or other arrangement with Company that references this SPDPA, or otherwise providing services to Company that involve the Processing of Company Personal Data, Service Provider agrees to be bound by this SPDPA.
  2. Subject Matter and Duration.
    1. Subject Matter. This SPDPA reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Company Personal Data in connection with Service Provider’s execution of the Agreement. All capitalized terms that are not expressly defined in this SPDPA will have the meanings given to them in the Agreement. If and to the extent language in this SPDPA conflicts with the Agreement, this SPDPA shall control unless the Agreement expressly states that terms of this SPDPA are superseded.
    2. Duration and Survival. This SPDPA will become legally binding when Service Provider begins Processing Company Personal Data or upon the effective date of the Agreement, whichever occurs first. Service Provider will Process Company Personal Data until the relationship terminates as specified in the Agreement, or Company otherwise revokes Service Provider’s permission to Process Company Personal Data. Service Provider’s obligations and Company’s rights under this SPDPA will continue in effect so long as Service Provider Processes Company Personal Data, including any data retained for legal compliance purposes.
  3. Definitions. For the purposes of this SPDPA, the following terms and those defined within the body of this SPDPA apply.
    1. “Company Personal Data” means Personal Data Processed by Service Provider on behalf of Company.
    2. “Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Company Personal Data are subject. “Data Protection Laws” may include, but are not limited to, the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; the United Kingdom Data Protection Act 2018; the California Consumer Privacy Act of 2018 (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, Connecticut’s Act Concerning Data Privacy and Online Monitoring, and the Utah Consumer Privacy Act (in each case as supplemented by implementing regulations and as amended, adopted, or superseded from time to time). “Personal Data” has the meaning assigned to the terms “personal data” or “personal information” under applicable Data Protection Laws, and will, at a minimum, mean any information relating to an identified or identifiable natural person.
    3. “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    4. “Security Incident(s)” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company Personal Data, including ransomware, denial of service attacks and other similar security events.
    5. “Services” means any and all services that the Service Provider performs under the Agreement.
    6. “Subprocessor(s)” means Service Provider’s vendors and third-party service providers that Process Company Personal Data.
  4. Processing Terms for Company Personal Data.
    1. Documented Instructions. Service Provider shall Process Company Personal Data solely for the purpose of providing the Services to Company, and solely to the extent necessary to provide the Services to Company, in each case, in accordance with the Agreement, this SPDPA, and Data Protection Laws. Service Provider will, unless legally prohibited from doing so, promptly inform Company in writing if Service Provider: (i) reasonably believes that there is a conflict between Company’s instructions and applicable law; (ii) seeks to Process Company Personal Data in a manner that is inconsistent with Company’s instructions or Data Protection Laws; or, (iii) makes a determination that it can no longer meet its obligations under this SPDPA or Data Protection Laws. Service Provider shall provide all notices under this section within the timeframes required by Data Protection Laws.
    2. Authorization to Use Subprocessors. To the extent necessary to fulfill Service Provider’s contractual obligations under the Agreement, Company hereby authorizes Service Provider to engage Subprocessors.
    3. Service Provider and Subprocessor Compliance. Service Provider shall (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Company Personal Data that imposes on such Subprocessors data protection and information security requirements for Company Personal Data that are at least as protective as the obligations in this SPDPA; and (ii) remain fully liable to Company for Service Provider’s Subprocessors’ failure to perform their obligations with respect to the Processing of Company Personal Data.
    4. Right to Object to Subprocessors. Service Provider will notify Company via email prior to engaging any new Subprocessors that Process Company Personal Data and allow Company thirty (30) days to object. If Company has objections to the appointment of any new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection for no less than thirty (30) days, and failing any such resolution, Company may terminate the part of the Service performed under the Agreement that cannot be performed by Service Provider without use of the objectionable Subprocessor. Service Provider shall refund any pre-paid, unused fees to Company in respect of the terminated part of the Services.
    5. Confidentiality. Any person authorized to Process Company Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.
    6. Personal Data Inquiries and Requests. Service Provider agrees to provide reasonable assistance and comply with all reasonable instructions from Company related to any requests from individuals exercising their rights in Company Personal Data granted to them under Data Protection Laws (e.g., access, deletion, etc.). If a request is sent directly to Service Provider, Service Provider shall promptly notify Company within five (5) days of receiving such request and shall not respond to the request unless Company has authorized Service Provider to do so.
    7. Prohibited Uses of Company Personal Data. Service Provider shall not:
      1. sell or share Company Personal Data as the terms "sell" and “share” are defined by the CCPA or other Data Protection Laws;
      2. retain, use, or disclose Company Personal Data outside of the direct business relationship between the parties;
      3. combine Company Personal Data with Personal Data it receives from (or on behalf of) another person; or
      4. attempt to identify (or re-identify) any person using Company de-identified or aggregate information.
    8. Data Protection Impact Assessment and Prior Consultation. Service Provider agrees to provide reasonable assistance to Company where, in Company’s judgement, the type of Processing performed by Service Provider requires a data protection impact assessment, data risk assessment, and/or prior consultation with the relevant data protection authorities.
  5. Demonstrable Compliance. Service Provider agrees to provide information reasonably necessary to demonstrate compliance with this SPDPA upon Company’s reasonable request. Service Provider agrees that in order to stop and remediate unauthorized use of Company Personal Data, Company may take reasonable and appropriate steps and Service Provider will provide reasonable assistance to Company when necessary.
  6. Processing Details Documentation.
    1. Processing Details Requirement. Service Provider acknowledges that specific details regarding the Processing of Company Personal Data, including categories of data subjects, categories of personal data, and sensitive data categories (if any) ("Processing Details"), are essential components of this SPDPA and required for compliance with Data Protection Laws.
    2. Documentation Process. Prior to Processing any Company Personal Data, Service Provider shall complete a "Processing Details Addendum" documenting all information required in Section 13 and Section 2.B of Exhibit A. This Addendum shall be submitted to Company for approval at [email protected], via Company’s standard procurement process or as otherwise instructed by Company.
    3. Incorporation by Reference. Upon Company's written approval, the Processing Details Addendum shall be incorporated into and form an integral part of this SPDPA with the same force and effect as if fully set forth herein, without requiring amendment of the online terms.
    4. Condition Precedent. Service Provider shall not Process any Company Personal Data until Company has received and approved the Processing Details Addendum. Any Processing of Company Personal Data without an approved Processing Details Addendum shall constitute a material breach of this SPDPA.
    5. Default Categories. If Service Provider fails to specify certain Processing Details but begins Processing with Company's authorization, the following default categories shall apply to the extent not otherwise specified:
      1. Default Data Subjects: Gusto employees or workers (including contractors and contingent workers), applicants for employment at Gusto, Gusto customers or clients (businesses using Gusto's services), employees or agents of Gusto customers (including their contractors, contingent workers, and job applicants), and any other individuals whose personal data is processed by Gusto in connection with its services.
      2. Default Personal Data Categories: Contact information (including name, email address, physical address, phone number, and user IDs), professional details (including job title, department, employer, work history, and professional qualifications), authentication data (including usernames and passwords), financial information (including bank account details, tax information, and payment data), identification information (including government-issued identifiers), and any other personal data reasonably necessary to perform the Services as described in the Agreement.
      3. Default Sensitive Data: None, unless explicitly authorized in writing by Company.
    6. Updates and Amendments. Service Provider shall promptly update the Processing Details Addendum if there are any changes to the Processing activities, data categories, data subjects, or other relevant details, and shall submit such updates to Company for approval.
    7. Material Breach. Any material inaccuracy, omission, or failure to provide the information required by this Section constitutes a material breach of this SPDPA and shall result in immediate termination of Service Provider's authorization to Process Company Personal Data, and may constitute grounds for termination of the Agreement at Company's sole discretion.
  7. Information Security Program.
    1. Security Measures. Service Provider shall implement and maintain reasonable administrative, technical, and physical safeguards that protect Company Personal Data (the “Information Security Program”). At a minimum, such safeguards shall include:
      1. Pseudonymisation of Company Personal Data where appropriate, and encryption of Company Personal Data in transit and at rest;
      2. The ability to ensure the ongoing confidentiality, integrity, and availability of Service Provider’s Processing and Company Personal Data;
      3. The ability to restore the availability and access to Company Personal Data in the event of a physical or technical incident; and,
      4. A process for regularly testing, assessing and evaluating the effectiveness of the Service Provider’s Information Security Program to ensure the security of its Processing and Company Personal Data.
  8. Security Incidents.
    1. Security Incident Procedure. Service Provider will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Company Personal Data in a timely manner.
    2. Notice. Service Provider agrees to provide written notice without undue delay (but in no event longer than forty-eight (48) hours) to Company’s Designated POC if it knows or reasonably suspects that a Security Incident has taken place. Such notice will include all available details required under Data Protection Laws for Company to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident. If all information specified to be included in the notice is not available with the initial notice, then Service Provider shall continue providing Company with updated information as it becomes available.
    3. Remediation. Service Provider shall: (i) help Company investigate, remediate and take any other action Company deems necessary regarding the Security Incident and any dispute, inquiry, investigation or claim concerning the Security Incident; and (ii) provide Company with assurance satisfactory to Company that such Security Incident will not recur. In the event of a Security Incident, Company has the right to control the breach notification process. Service Provider will be liable for any costs and expenses incurred by Company in connection with the Security Incident, including: (1) the cost of preparing and delivering notices to affected individuals; (2) the cost of providing credit monitoring services or other credits or benefits extended to affected individuals; (3) reasonable attorneys’ fees associated with investigation, remediation and response; (4) liability to third parties that Company incurs in connection with the Security Incidents (such as amounts paid or for which Company is liable to third parties in tort or arising out of contracts); and (5) labor and subcontractor costs, including employee time spent and additional costs incurred in connection with call center support.
  9. Cross-Border Transfers of Company Personal Data.
    1. Cross-Border Transfers of Company Personal Data. Company authorizes Service Provider to transfer Company Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States, provided that such transfer complies with Data Protection Laws.
    2. EEA, Swiss, and UK Standard Contractual Clauses. If Service Provider or its Subprocessors Process Company Personal Data originating in the European Economic Area, Switzerland, and/or United Kingdom in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that Module Two’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Standard Contractual Clauses”) as supplemented by Exhibit A attached hereto shall apply, the terms of which are incorporated herein by reference. Each party’s signature to this Addendum shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.
  10. Audits.
    1. Company Audit. Company (or its appointed representative) may carry out an audit of Service Provider’s premises, architecture, systems, policies, procedures, and records relevant to the Processing of Company Personal Data. Any audit must be: (i) conducted during Service Provider’s regular business hours; (ii) with reasonable advance notice to Service Provider; (iii) carried out in a manner that prevents unnecessary disruption to Service Provider’s operations; and (iv) subject to reasonable confidentiality procedures. Following an audit, Service Provider shall make any necessary changes to ensure compliance with its obligations under this SPDPA at its own expense and without unreasonable delay and shall notify Company when such changes are complete.
  11. Company Personal Data Storage and Deletion.
    1. Data Storage. Service Provider will not store or retain any Company Personal Data except as necessary to perform the Services under the Agreement and will comply with any data localization obligations required by local law.
    2. Data Deletion. Service Provider will abide by the following with respect to deletion of Company Personal Data:
      1. Within thirty (30) calendar days of the Agreement’s expiration or termination, or sooner if requested by Company, Service Provider will securely destroy (per subsection (iii) below) all copies of Company Personal Data (including automatically created archival copies), except to the extent Service Provider is required to retain such data by applicable law. Any data retained pursuant to legal requirements remains subject to all terms of this SPDPA until destruction.
      2. Upon Company’s request, Service Provider will promptly return to Company a copy of all Company Personal Data within thirty (30) days and, following such return, will also delete all Company Personal Data as set forth above.
      3. Company Personal Data shall be disposed of in a method that prevents any recovery of the data in accordance with industry best practices for shredding of physical documents and wiping of electronic media (e.g., NIST SP 800-88).
      4. Upon Company’s request, Service Provider will provide a “Certificate of Deletion” certifying that Service Provider has deleted all Company Personal Data. Service Provider will provide the “Certificate of Deletion” within thirty (30) days of Company’s request.
  12. Indemnification.
    1. Indemnity. Service Provider shall indemnify, defend, and hold harmless Company and its officers, directors, employees and agents from and against any claims, disputes, demands, liabilities, damages, losses, fines, and costs and expenses, including, without limitation, reasonable attorneys’ fees arising out of or relating to: (i) a Security Incident; (ii) Service Provider’s negligence or willful misconduct related to Company Personal Data; (iii) Service Provider’s breach of this SPDPA; and/or (iv) Service Provider's failure to accurately document or adhere to the Processing Details as set forth in the approved Processing Details Addendum. Service Provider's total liability under this Section 12 shall not exceed the greater of (x) $5,000,000 or (y) 5 times the total fees paid by Company to Service Provider under the Agreement in the twelve (12) months preceding the incident giving rise to the claim. Notwithstanding any limitation or exclusion of liability provision in the Agreement, Service Provider's indemnification and liability obligations under this Section 12 shall govern and take precedence over any conflicting provisions in the Agreement, unless the Agreement contains an express provision that specifically states it is intended to override the indemnification obligations set forth in this Section 12. This Section 12 shall survive termination of the Agreement.
  13. Processing Details.
    1. Documentation Requirement. The specific Processing Details required in this Section 13 shall be documented in the Processing Details Addendum as described in Section 3 of this SPDPA. The information in the Processing Details Addendum shall be deemed to satisfy the requirements of this Section 13 upon Company's written approval.
    2. Binding Effect. The Processing Details documented in the approved Processing Details Addendum shall be legally binding on Service Provider and shall be treated as if fully set forth in this Section.
    3. Service Provider shall provide the following information to Company:
      1. Subject Matter and Business Purpose. The subject matter and business purpose of the Processing is the Services pursuant to the Agreement.
      2. Duration. The Processing will continue until the expiration or termination of the Agreement.
      3. Categories of Data Subjects. To be specified in the Processing Details Addendum as required by Section 6 of this SPDPA. If not otherwise specified, default categories in Section 6.e.i shall apply.
      4. Nature and Purpose of the Processing. The purpose of the Processing of Company Personal Data by Service Provider is the performance of the Services.
      5. Categories of Personal Data. To be specified in the Processing Details Addendum as required by Section 6 of this SPDPA. If not otherwise specified, default categories in Section 6.e.ii shall apply.
  14. Amendments to Terms.
    1. Company reserves the right to modify, amend, or update this SPDPA at any time in its sole discretion. Company will provide notice of any material changes by posting the updated Terms on its website or through other reasonable means of notification. Service Provider's continued Processing of Company Personal Data after the effective date of any changes constitutes Service Provider's acceptance of the modified Terms. If Service Provider does not agree with the changes to this SPDPA, Service Provider must work in good faith with Company to reach a mutually acceptable resolution, and failing that, Company has a right to terminate the Agreement without penalty. Unless instructed by Company in writing to pause the services, Service Provider must continue to provide the services under the Agreement under the old terms while the parties work to resolve.
    2. Company will make reasonable efforts to communicate material changes to this SPDPA, but Service Provider is responsible for periodically reviewing Company's website for the most current version of this SPDPA. The "Last Updated" date at the top of this SPDPA will indicate when the latest modifications were made.
    3. For clarity, no amendment to this SPDPA will reduce Service Provider's obligations with respect to security, privacy, or data protection required by applicable Data Protection Laws.
  15. Severability.
    1. If any provision of this SPDPA is found by a court of competent jurisdiction to be invalid, unconscionable, or unenforceable for any reason, such provision shall be modified to the minimum extent necessary to make it valid and enforceable, or if modification is not possible, such provision shall be severed from this SPDPA. The invalidity, unconscionability, or unenforceability of any provision shall not affect the validity or enforceability of any other provision of this SPDPA, and all other provisions shall remain in full force and effect.
    2. The parties agree that any provision found to be invalid, unconscionable, or unenforceable shall be modified and interpreted to accomplish the objectives of such provision to the greatest extent possible under applicable law and to maintain the balance of the bargain contemplated in this SPDPA.
    3. If the severance or modification of any provision would cause this SPDPA to fail in its essential purpose, the parties shall promptly negotiate a replacement provision that is valid and enforceable and that comes as close as possible to expressing the intent of the original provision.
  16. Contact Information.
    1. Company and Service Provider agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). Service Provider will provide Company written notice of its Designated POC (emailing [email protected] to suffice). The Designated POC for Company is:

Gusto, Inc.

Attn: Legal Privacy

525 20th St.

San Francisco, CA 94107

[email protected]

EXHIBIT A TO THE DATA PROCESSING ADDENDUM

This Exhibit A forms part of the Addendum and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Exhibit A have the meaning set forth in the Addendum.

The parties agree that the following terms shall supplement the Standard Contractual Clauses:

  1. Supplemental Terms. The parties agree that: (i) a new Clause 1(e) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must submit the request for specific authorization in accordance with Section 3(d) of the Addendum; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).
  2. Annex I. Annex I to the Standard Contractual Clauses shall read as follows:

A. List of Parties

Data Exporter: Company.

Address: As set forth in the Notices section of the Agreement.

Contact person’s name, position, and contact details: Company’s Designated POC.

Activities relevant to the data transferred under these Clauses: The Services.

Role: Controller.

Data Importer: Service Provider.

Address: As set forth in the Notices section of the Agreement.

Contact person’s name, position, and contact details: Service Provider’s Designated POC.

Activities relevant to the data transferred under these Clauses: The Services.

Role: Processor.

B. Description of the Transfer:

The specific details required in this Section 2.B shall be documented in the Processing Details Addendum as described in Section 3 of the SPDPA. The information in the Processing Details Addendum shall be deemed to satisfy the requirements of this Section 2.B upon Company's approval.

Categories of data subjects whose personal data is transferred: To be specified in the Processing Details Addendum as required by Section 5 of this SPDPA. If not otherwise specified, default categories in Section 6.e.i shall apply.

Categories of personal data transferred: The categories of personal data transferred under the Clauses including, but not limited to: To be specified in the Processing Details Addendum as required by Section 6 of this SPDPA. If not otherwise specified, default categories in Section 6.e.ii shall apply.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: To be specified in the Processing Details Addendum as required by Section 6 of this SPDPA. If not otherwise specified, default categories in Section 6.e.iii shall apply.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.

Nature of the processing: The Services.

Purpose(s) of the data transfer and further processing: The Services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with the Addendum.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: To be specified in the Processing Details Addendum as required by Section 6 of this SPDPA.

C. Competent Supervisory Authority: The data protection authority in the EEA country where the affected data subjects reside will serve as the competent supervisory authority for personal data transfers.

D. Data Transfer Impact Assessment Outcome: Taking into account the information and obligations set forth in the Addendum and, as may be the case for a party, such party’s independent research, to the parties’ knowledge, the personal data originating in the European Economic Area, Switzerland, and/or the United Kingdom that is transferred pursuant to the Clauses to a country that has not been found to provide an adequate level of protection under applicable data protection laws is afforded a level of protection that is essentially equivalent to that guaranteed by applicable data protection laws.

  3. Annex II. Annex II of the Standard Contractual Clauses shall read as follows:

Data importer shall implement and maintain appropriate technical and organisational measures that protect personal data in accordance with the Addendum. Service Provider agrees that it has the following security measures in place:

    1. Encryption. Service Provider shall use commercially reasonable encryption methodologies to protect personal data transferred over public networks, and shall implement whole disk encryption for all personal data at rest. Service Provider will fully document and comply with industry standard key management procedures for crypto keys used for the encryption of personal data.
    2. Storage. Service Provider shall retain all personal data in a physically and logically secure environment to protect from unauthorized access, modification, theft, misuse and destruction. Service Provider shall utilize platforms to host personal data that are configured to conform to reasonable industry standard security requirements and will only use hardened platforms that are continuously monitored for unauthorized changes.
    3. Networking. Service Provider shall utilize platforms configured to conform to reasonable industry standard security requirements designed to ensure that all network traffic among Company systems is restricted to only what is necessary to ensure the proper functioning of the Services.
    4. Vulnerability Management.
      1. Updates and Patches. With regards to the handling of personal data, Service Provider shall establish and maintain mechanisms for vulnerability and patch management that are designed to evaluate application, system, and network device vulnerabilities and apply industry standard security fixes and patches in a timely manner taking a risk-based approach for prioritizing critical patches.
      2. Audit Logging; Intrusion Detection. Service Provider shall collect and retain audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools shall be implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized persons.
      3. Information Risk Assessment. On an annual basis, Service Provider shall cooperate with Company to perform formal risk assessments to determine the likelihood and impact of potential privacy and security risks to personal data in a manner consistent with applicable Data Protection Laws, to the extent applicable. At least annually, Service Provider will conduct an independent third-party review of its security policies, standards, operations, and procedures related to the Services provided to Company. Upon request, Service Provider will provide Company with a copy of the report.
      4. Physical Security. Where the Service Provider is Processing personal data, such personal data shall be housed in secure areas, physically protected from unauthorized access, with appropriate environmental and perimeter controls. The facilities shall be physically protected from unauthorized access, damage, theft and interference.
      5. Disaster Recovery Management. Service Provider shall provide documentation of its formal and secure disaster recovery plan, and shall maintain comprehensive industry standard controls designed to ensure the security, confidentiality, and integrity of the personal data. Service Provider shall share evidence with Company that Service Provider conducts regular testing of that plan, on at least an annual basis, insofar as the plan covers any Company systems and personal data governed by the Agreement.

Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the Addendum.

  4. Annex III. A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:

The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.

Table 1: The start date in Table 1 is the effective date of the Addendum. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.

Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the Addendum.

Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.

Table 4: The parties agree that Exporter may end the UK Addendum as set out in Section 19.