Data Processing Addendum
This Data Processing Addendum (“DPA”) sets forth the terms and conditions governing the privacy, security and Processing of Customer Personal Data. This DPA is incorporated into and forms a part of the Propexo Master Services Agreement (including the Terms and Conditions) (the “Agreement”). Except as modified below, the Agreement’s terms shall remain in full force and effect.
HOW AND WHEN THIS DPA APPLIES
- If and as provided for in the terms and conditions of the Agreement, this DPA is automatically incorporated into and forms a binding and effective part of that Agreement on and from the Addendum EffectiveDate.
- This DPA applies only if and to the extent Applicable Data Protection Laws govern Company’s Processing of Customer Personal Data in performance of the Services as a ‘processor’, ‘service provider’ or similar role defined under Applicable Data Protection Laws.
- Accordingly, this DPA does not apply to Propexo’s Processing of any Personal Data for its own business/customer relationship administration purposes, its own marketing or service analytics (e.g., involving data collected by Propexo relating to Customer’s users’ use of the Services), its own information and systems security purposes supporting the operation of the Services, nor its own legal, regulatory or compliance purposes.
1. DEFINITIONS
In this DPA (including the explanatory notes above) the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:
1.1 “Addendum Effective Date” means the effective date of the Agreement.
1.2 "Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, including, as applicable, any “business” as that term is defined by Applicable Data Protection Laws.
1.3 “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
1.4 “Data Subject Request” means the exercise by a Data Subject of its rights in accordancewith Applicable Data Protection Laws in respect of Customer Personal Data and the Processing thereof.
1.5 “Personal Data Breach” means a breach of Propexo’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Propexo’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise thesecurity of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
1.6 “Personnel” means a person’semployees, agents, consultants, contractors or other staff.
1.7 “Process” and inflections thereof means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.8 “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller, including, as applicable, any “service provider” as that term is defined by Applicable Data Protection Laws.
1.9 “Sub-Processor” means any third party appointed by or on behalf of Propexo to Process Customer Personal Data.
1.10 “Supervisory Authority” means any entity with the authority to enforce Applicable Data Protection Laws.
Unless otherwise defined in this DPA, all capitalized terms in this DPA shall have the meaning given to them in the Agreement.
2. APPLICATION OF THIS DATA PROCESSING ADDENDUM
2.1 The front-end of this DPA applies generally to Propexo’s Processing of Customer Personal Data under the Agreement.
2.2 Annex 2 (California Annex) applies only if and to the extent Propexo’s Processing of Customer Personal Data on behalf of Customer under the Agreement is subject to the CCPA.
2.3 Section 9 (Compliance Review) of this DPA applies to Propexo’s Processing of Customer Personal Data to the extent required under Applicable Data Protection Laws for contracts with Processors, and in such cases, only in respect of Processing of Customer Personal Data subject to such laws.
3. PROCESSING OF CUSTOMER PERSONAL DATA
3.1 The Parties acknowledge and agree that the details of Propexo’s Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.
3.2 Propexo shall not Process Customer Personal Dataother than: (a) on Customer’s instructions; or (b) as required by applicable laws provided that, in such circumstances, Propexo shall inform Customer in advance of the relevant legal requirement requiring such Processing if and to the extent Propexo is: (i) required to do so by Applicable Data Protection Laws; and (ii) permitted to do so in the circumstances. Customer instructs Propexo to Process Customer Personal Data to (i) provide the Services to Customer and in accordance with the Agreement; (ii) perform its obligations under the Agreement; and (iii) exercise its rights under the Agreement. The Agreement is a complete expression of such instructions, and Customer’s additional instructions will be binding on Propexo only pursuant to any written amendment to this DPA signed by both Parties. Where required by Applicable Data Protection Laws, if Propexo receives an instruction from Customer that, in its reasonable opinion, infringes Applicable Data Protection Laws, Propexo shall notify Customer.
3.3 The Parties acknowledge that the Propexo’s Processing of Customer Personal Data authorized by Customer’s instructions stated in this DPA is integral to the Services and the business relationship between the Parties. Access to Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.
4. PROCESSING OF CUSTOMER PERSONAL DATA
Propexo shall take commercially reasonable steps designed to ascertain the reliability of any Propexo Personnel who Process Customer Personal Data. Propexo shall require its Personnel who are authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations in the event that they are not otherwise subject to professional or statutory obligations of confidentiality.
5. SECURITY
5.1 Propexo shall implement and maintain technical and organizational measures in relation to Customer Personal Data designed to protect Customer Personal Data against Personal Data Breaches as described in Annex 3 (Security Measures) (the “Security Measures”).
5.2 Propexo may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.
6. DATA SUBJECT REQUESTS
6.1 Propexo, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligations torespond to Data Subject Requests. If Propexo receives a Data Subject Request, Customer will be responsible for responding to any such request.
6.2 Propexo shall: (a) promptly notify Customer if it receives a Data Subject Request; and (b) not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except as required by Applicable Data Protection Laws.
7. PERSONAL DATA BREACH
7.1 Propexo shall notify Customer without undue delay upon Propexo’s confirmation of a Personal Data Breach affecting Customer Personal Data. Propexo shall provide Customer with information (insofar as such information is within Propexo’s possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by Propexo) designed to allow Customer to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. Propexo’s notification of or response to a Personal Data Breach shall not be construed as Propexo’s acknowledgement of any fault or liability with respect to the Personal Data Breach.
7.2 Customer is solely responsible for complying with applicable laws (including notification laws) and fulfilling any third-party notification obligations related to any Personal Data Breaches.
7.3 If Customer determines that a Personal Data Breach must be notified to any Supervisory Authority, any other governmental authority, any Data Subject(s), the public or others under Applicable Data Protection Laws or otherwise, to the extent such notice directly or indirectly refers to or identifies Propexo, where permitted by applicable laws, Customer agrees to: (a) notify Propexo in advance; and (b) in good faith, consult with Propexo and consider any clarifications or corrections Propexo may reasonably recommend or request to any such notification, which: (i) relate to Propexo’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.
8. SUB-PROCESSING
8.1 Customer generally authorizes Propexo to appoint Sub-Processors in accordance with this Section8. Information about Propexo’s Sub-Processors, including their functions and locations is as shown in the Sub-Processor list shown from time to time at [INSERT PAGE] or any successor page (the “Sub-Processor Site”). Without limitation, Customer authorizes the engagement of the Sub-Processors listed on the Sub-Processor Site as of the Addendum Effective Date.
8.2 Propexo shall give Customer prior written notice of the appointment of any proposed new or additional Sub-Processor, including reasonable details of the Processing to be undertaken by the Sub-Processor by updating Sub-Processor Site and providing a means by which Customers may subscribe to receive notice of such updates – Customer agrees that Customer is solely responsible for ensuring that it subscribes to such updates – or otherwise providing written notice. If, within fourteen (14) days of receipt of that notice, Customer notifies Propexo in writing of any objections (on reasonable grounds related to protection of Customer Personal Data) to the proposed appointment: (a) Propexo shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services, which avoids the use of that proposed Sub-Processor; and (b) where: (i) such a change cannot be made within fourteen (14) days from Propexo’s receipt of Customer’s notice; (ii) no commercially reasonable change is available; and/or (iii) Customer declines to bear the cost of the proposed change, then Customer may terminate the Agreement by written notice to Propexo as its sole and exclusive remedy.
8.3 If Customer does not object to Propexo’s appointment of a Sub-Processor during the objection period referred to in Section 8.2, Customer shall be deemed to have approved the engagement and ongoing use of that Sub-Processor.
8.4 With respect to each Sub-Processor, Propexo shall maintain a written contract between Propexo and the Sub-Processor that includes terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this DPA. Propexo shall remain liable for any breach of this DPA caused by a Sub-Processor.
9. COMPLIANCE REVIEW
9.1 Propexo shall make available to Customer on request, such information as Propexo (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA and its performance of its obligations under this DPA is consistent with Propexo’s obligations under Applicable Data Protection Laws.
9.2 Subject to Sections 9.3 to 9.6, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Propexo pursuant to Section 9.1 is not sufficient in the circumstances to demonstrate Propexo’s compliance with this DPA, Propexo shall allow for and contribute to audits, including on premise inspections of Propexo’s facilities, by Customer or an auditor mandated by Customer in relation to the Processing of Customer Personal Data by Propexo.
9.3 Customer shall give Propexo reasonable notice of any audit or inspection to be conducted under Section 9.2 (which shall in no event be less than fourteen (14)days’ notice) and shall use its best efforts (andensure that each of its mandated auditors uses its best efforts) to avoid causing any destruction, damage, injury or disruption to Propexo’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Propexo’s other customers or the availability of Propexo’s services to such other customers).
9.4 Prior to conducting any audit, Customer must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Propexo will review the proposed audit plan and provide Customer with any feedback, concerns or questions (for example, any request for information that could compromise Propexo security, privacy, employment or other relevant policies). Propexo will work cooperatively with to agree on a final audit plan.
9.5 If the controls or measures to be assessed in the requested audit are assessed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request (“Audit Report”) and Propexo has confirmed in writing that there have been no known material changes in the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures. Propexo shall provide copies of any such Audit Reports to Customer upon request; provided that they shall constitute the confidential information of Propexo, which Customer shall use only for the purposes of confirming compliance with the requirements of this DPA or meeting Customer’s obligations under Applicable Data Protection Laws.
9.6 Propexo need not give access to its premises for the purposes of such an audit or inspection: (a) wherean Audit Report is accepted in lieu of such controls or measures in accordancewith Section 9.5; (b) to any individual unless they producereasonable evidence of their identity; (c) to any auditor whom Propexo has notapproved in advance (acting reasonably); (d) to any individual who has notentered into a non-disclosure agreement with Propexo on terms acceptable to Propexo;(e) outside normal business hours at those premises; or (f) on more than oneoccasion in any calendar year during the term of the Agreement, except for anyaudits or inspections which Customer is required to carry out by a SupervisoryAuthority. Nothing in this DPAshall require Propexo to furnish more information about its Sub-Processors in connection with suchaudits than such Sub-Processorsmake generally available to their customers. Nothing inthis Section 9 shall be construed to obligate Propexo tobreach any duty of confidentiality.
10. RETURN AND DELETION
10.1 Upon expiration or earlier termination of the Agreement, Propexo shall return and/or delete all Customer Personal Data in Propexo’s care, custody or control in accordance Customer’s instructions as to the post-termination return and deletion of Customer Personal Data expressed in the Agreement. To the extent that deletion of any Customer Personal Data contained in any back-ups’ maintained by or on behalf of Propexo is not technically feasible within the timeframe set out in Customer’s instructions, Propexo shall (a) securely delete such Customer Personal Data in accordance with any relevant scheduled back-up deletion routines (e.g., those contained within Propexo’s relevant business continuity and disaster recovery procedures); and (b) pending such deletion, put such Customer Personal Data beyond use.
10.2 Notwithstanding the foregoing, Propexo may retain Customer Personal Data where required by applicable laws, provided that Propexo shall Process the Customer Personal Data only as necessary for the purpose(s) and duration specified in the applicable law requiring such retention.
11. CUSTOMER'S RESPONSIBILITIES
11.1 Customer agrees that, without limiting Propexo’s obligations under Section 5 (Security), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Propexo uses to provide the Services; (d) refraining from providing Propexo with Restricted Data (as defined below); and (e) backing up Customer Personal Data.
11.2 Customer shall ensure: that all Data Subjects have (i) been presented with all required notices and statements; and (ii) provided all required consents, in each case (i) and (ii) relating to the Processing by Propexo of Customer Personal Data.
11.3 Customer agrees that the Services, the Security Measures, and Propexo’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.
11.4 Customer shall not provide or otherwise make available to Propexo any Customer Personal Data that contains any (a) Social Security numbers or other government-issued identification numbers; (b) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (c) health insurance information; (d) biometric information; (e) passwords to any online accounts not relevant for use of the Service; (f) credentials to any financial accounts; (i) Personal Data of children under 16 years of age; or data relating to criminal convictions and offenses (together, “Restricted Data”).
11.5 Except to the extent prohibited by Applicable Data Protection Laws, Customer shall compensate Propexo at Propexo’s then-current professional services rates for, and reimburse any costs reasonably incurred by Propexo in the course of providing, cooperation, information, or assistance requested by Customer in respect of this DPA (including pursuant to Sections 6, 7 and 9 of this DPA), beyond providing self-service features included as part of the Service.
12. LIABILITY
The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that, nothing in this Section 12 will affect any person’s liability to Data Subjects under relevant third-party beneficiary provisions of Applicable Data Protection Laws (if and as they apply).
13. LIABILITY
Propexo may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Applicable Data Protection Laws from time to time and/or to reflect any relevant changes in the Services and its Processing of Personal Data as part thereof.
14. INCORPORATION AND PRECEDENCE
14.1 This DPA shall be incorporated into and form part of the Agreement with effect on and from the Addendum Effective Date.
14.2 In the event of any conflict or inconsistency between: (a) this DPA and the Agreement, this DPA shall prevail.
ANNEX 1: DATA PROCESSING DETAILS
PROPEXO DETAILS
Name: RentDrop, Inc. dba Propexo, a Delaware corporation.
Address: 131 Dartmouth, Floor 3, Boston, MA 02116, United States
Contact Details for Data Protection:
- Role: Head of Data Protection
- Email: data-protection@propexo.com
Propexo Activities: Propexo's unifed API enables companies to integrate with the data that powers the world of professionally managed real estate.
Role: Processor
CUSTOMER DETAILS
Name: The entity or other person who is a counterparty to the Agreement.
Address: Customer’s address is the address shown in or determined by the Agreement (including in any Order Form); or if no such address is contained within the Agreement, Customer’s principal business trading address – unless otherwise notified to Propexo’s contact point noted above.
Contact Details for Data Protection: Propexo’s primary point of contact with Customer; or any other email notified by Customer for the purpose of providing it with Data Protection related communications or alerts. (Customer agrees that it is solely responsible for ensuring that such contact details are valid and up-to-date, and will direct relevant communications to the appropriate individual within its organization.)
Customer Activities: Customer’s activities relevant to this DPA are the use and receipt of the Services as part of its ongoing business operations under and in accordance with the Agreement.
Role:
• Controller – in respect of any Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and/or
• Processor – in respect of any Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person (including its affiliates, if and where applicable).
DETAILS OF PROCESSING
Categories of Data Subjects:
Any individuals whose Personal Data is comprised within data submitted to the Services by or on behalf of Customer under the Agreement, which will depend upon the nature of the use/deployment of those Services and any systems, platforms or technologies with which Customer integrates the Services and the configuration(s) of such integration(s) – but may include:
• Customer’s own customers, clients, (sub-)licensees.
• Website visitors.
• End-users and other users of Customer’s products and services.
• Individuals whose data is contained in any databases connected to the Services or otherwise Processed or made available to the Services.
Where any of the above is a business or organization, it includes their Personnel or other relevant natural persons. Each category includes current, past and prospective Data Subjects.
Categories of Personal Data:
Any Personal Data comprised within data submitted to Services by or on behalf of Customer under the Agreement, which will depend upon the nature of the use/deployment of those Services and any systems, platforms or technologies with which Customer integrates the Services and the configuration(s) of such integration(s) – but may include:
• Personal details – for example any information that identifies the Data Subject and their personal characteristics, name, age, date of birth and username.
• Contact details – for example home and/or business address, email address, telephone details and other contact information.
• Leasing details – for example rent payment, late fees, lease terms, co-signers, guarantors, income data and other relevant leasing information.
• Technological details – for example internet protocol (IP) addresses, unique identifiers and numbers (including unique identifier in tracking cookies or similar technology), pseudonymous identifiers, precise and imprecise location data, internet / application / program activity data, and device IDs and addresses.
• Any other details – for example any Personal Data relating to relevant Data Subjects included in text fields or contained in any databases submitted to the Services or otherwise Processed by Propexo to perform the Services, or made available by or on behalf of the Customer to the Services.
Sensitive Categories of Data, and associated additional restrictions/safeguards:
Categories of sensitive data:
None – as noted in Section 11.4 of the DPA, Customer agrees that Restricted Data, must not be submitted to the Services.
Additional safeguards for sensitive data:
N/A
Frequency of transfer: Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services.
Nature of the Processing: Processing operations required in order to provide the Services in accordance with the Agreement.
Purpose of the Processing: Customer Personal Data will be processed: (i) as necessary to provide the Services as initiated by Customer in its use thereof, and (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.
Duration of Processing / Retention Period: For the period determined in accordance with the Agreement and DPA, including Section 10 of the DPA.
Transfers to (sub-)processors: Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor Site (as may be updated from time to time in accordance with Section 8 of the DPA).
ANNEX 2: CALIFORNIA ANNEX
1. In this Annex 2, the terms “business,” “business purpose,” “commercial purpose,” “consumer,” “sell,” “share,” and “service provider” shall have the respective meanings given thereto in the CCPA; and “personal information” shall mean Customer Personal Data that constitutes “personal information” as defined in and that is subject to the CCPA.
2. The business purposes and services for which Propexo is Processing personal information are for Propexo to provide the services to and on behalf of Customer as set forth in the Agreement, as described in more detail in Annex 1 (Data Processing Details) to the DPA.
3. It is the Parties’ intent that with respect to any personal information, Propexo is a service provider. Propexo (a) acknowledges that personal information is disclosed by Customer only for limited and specific purposes described in the Agreement; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to personal information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps under and subject to Section 9 (Compliance Review) of the DPA to help ensure that Propexo’s use of personal information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing of any determination made by Propexo that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
4. Propexo shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purpose specified in the Agreement, or as otherwise permitted by CCPA; (c) retain, use or disclose the personal information outside of the direct business relationship between Propexo and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from Propexo’s own interaction with any consumer to whom such personal information pertains.
5. Propexo shall implement reasonable security procedures and practices appropriate to the nature of the personal information received from, or on behalf of, Customer, in accordance with Section 5 (Security Measures) of the DPA.
6. When Propexo engages any Sub-Processor, Propexo shall notify Customer of such Sub-Processor engagements in accordance with Section 8 (Sub-Processing) of the DPA and that such notice shall satisfy Propexo’s obligation under the CPRA to give notice of such engagements.
7. Propexo agrees that Customer may conduct audits, in accordance with Section 9 of the DPA, to help ensure that Propexo’s use of personal information is consistent with Propexo’s obligations under the CCPA.
8. The parties acknowledge that Propexo’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the Agreement and DPA are integral to Propexo’s provision of the Services and the business relationship between the Parties.
ANNEX 3: SECURITY MEASURES
As from the Addendum Effective Date, Propexo will implement and maintain the Security Measures as set out in this Annex 3.
1. Organizational management and dedicated staff responsible for the development, implementation and maintenance of Propexo’s information security program.
2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Propexo’s organization, monitoring and maintaining compliance with Propexo’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
3. Data security controls which include at a minimum logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Customer Personal Data.
4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
5. Password controls designed to manage and control password strength, expiration and usage.
6. System audit or event logging and related monitoring procedures to proactively record user access and system activity.
7. Physical and environmental security of production resources relevant to the Services is maintained by the relevant Sub-Processor(s) (and their vendors) engaged from time-to-time by Propexo to host those resources. Propexo takes steps to ensure that such Sub Processors provide appropriate assurances and certifications that evidence such physical and environmental security – including security of data centre, server room facilities and other areas containing Customer Personal Data designed to: (a) protect information assets from unauthorized physical access; (b) manage, monitor and log movement into and out of Sub-Processor facilities; and (c) guard against environmental hazards such as heat, fire and water damage.
8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Propexo’s possession.
9. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to Propexo’s technology and information assets.
10. Incident management procedures designed to allow Propexo to investigate, respond to, mitigate and notify of events related to Propexo’s technology and information assets.
11. Network security controls that provide for the use of enterprise firewalls and intrusion detection systems designed to protect systems from intrusion and limit the scope of any successful attack.
12. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
13. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
Propexo may freely update or modify these Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of Services and/or relevant Customer Personal Data.