[Last Updated January 2025]
This Data Processing Agreement (“DPA”) forms part of, and is governed by the Master Service Agreement, Terms of Service, and any other agreement (“Agreement”) executed by and between Panaya Ltd., and its affiliates (“Panaya”), and the Customer. Panaya and Customer shall each be referred to as “party” and collectively as “parties”.
This DPA shall be effective as of the updated date above, or the date both parties executed the Agreement, as applicable (“Effective Date”). The term of this DPA coincides with the term of the Agreement and terminates upon expiration or earlier termination of the Agreement or, if later, the date on which Panaya ceases all Processing of Customer Data.
All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
WHEREAS, Panaya provides Customer with the Services as defined under the Agreement and the applicable Subscription Order; and
WHEREAS, the Services require Panaya to Process Customer Data, which may include Personal Data (as such terms are defined below) on Customer’s behalf, subject to the terms and conditions of this DPA and applicable Data Protection Laws.
1.1. “Adequate Country” is a country that received an adequacy decision from the European Commission or other applicable data protection authority.
1.2. The terms “Business”, “Business Purpose”, “Consumer”, “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Personal Information”, “Processing” (and “Process”), “Processor”, “Holder”, “Service Provider”, “Sale”, “Sell” and “Share”, “Special Categories of Personal Data”, “Sensitive Data” and “Supervisory Authority” shall all have the same meanings as ascribed to them under the applicable Data Protection Laws. Further, under this DPA: “Data Subject” shall also mean and refer to a “Consumer”, “Personal Data” shall also mean and refer to “Personal Information”, and “Special Categories of Data” or “Highly Sensitive Data” shall also mean and refer to “Sensitive Data”.
1.3. “Customer Data” means Customer Data (as defined in the Agreement) containing Personal Data (or the equivalent term) Processed by Panaya in the course of providing the Services, all as detailed in Annex I attached herein.
1.4. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection Laws, Israeli Law and the U.S. Data Protection Laws) as may be amended or superseded from time to time.
1.5. “Deidentified Data” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, be linked directly or indirectly with, or reasonably be used to infer information about an identifiable natural person, all as defined under applicable US Data Protection Laws.
1.6. “Data Privacy Framework” or “DPF” means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced.
1.7. “DPF Principles” means the Principles and Supplemental Principles available at: https://www.dataprivacyframework.gov/program-articles/Participation-Requirements-Data-Privacy-Framework-(DPF)-Principles ; as may be amended, superseded or replaced.
1.8. “EEA” means the European Economic Area.
1.9. “European Data Protection Law” means, collectively, the laws and regulations of the European Union, the EEA, their member states, and the United Kingdom, applicable to the Processing of Personal Data, including (where applicable): (i) “EU Data Protection Laws” – the EU General Data Protection Regulation (Regulation 2016/679) (“EU GDPR”); Regulation 2018/1725; and the e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (ii) “UK Data Protection Laws” – the Data Protection Act 2018 (DPA 2018), as amended, and the EU GDPR as incorporated into UK law, as amended (“UK GDPR”, and collectively with the EU GDPR referred to herein as the “GDPR”); (iii) “Swiss Data Protection Laws” or “FADP” – the Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) (“FDPA”) and the Ordinance on the Federal Act on Data Protection (“FODP”); (iv) any national data protection laws made under, pursuant to, replacing or succeeding the EU GDPR or the e-Privacy Law; (v) any amendment or legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding judicial or administrative interpretation of any of the above, or approved certification mechanisms issued by any relevant Supervisory Authority.
1.10. “Instructions” means the written, documented instructions provided by the Customer to Panaya directing Panaya to perform a specific or general action with regard to Customer Data.
1.11. “Israeli Data Protection Laws” means, collectively: (i) the Israeli Protection of Privacy Law, 5741-1981 (as amended under Amendment 13); (ii) the regulations promulgated pursuant thereto, including the Israeli Protection of Privacy (Data Security) Regulations, 5777-2017 and the Israeli Protection of Privacy (Transfer of Data to Databases Abroad) Regulations, 5761-2001; (iii) any amendments or legislation replacing or updating any of the foregoing; and (iv) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or certification mechanisms approved by the Israeli Privacy Protection Authority.
1.12. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data. Any Personal Data Breach will comprise a Security Incident.
1.13. “Standard Contractual Clauses” or “SCCs” means: (i) the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, adopted by European Commission Decision 2021/914 of 4 June 2021, which may be found at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN and incorporated herein by reference (“EU SCC”); (ii) the UK “International Data Transfer Addendum to the European Commission Standard Contractual Clauses” available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf and incorporated herein by reference (“UK SCC”); or (iii) the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCC”).
1.14. “US Data Protection Laws” means any and all applicable federal and state privacy laws and regulations applicable to the Supplier’s Processing activities of Panaya Personal Data under this DPA, and any implementing regulations and amendment thereto, including without limitation the: (i) California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018 including as modified by the California Privacy Rights Act as well as all regulations promulgated thereunder from time to time (‘CCPA’); (ii) the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq. (SB 21-190) (‘CPA’); (iii) the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022) (‘CTDPA’); (iv) the Florida Digital Bill of Rights S.B 262 (‘FDBR’); (v) the Montana Consumer Data Privacy Act 68th Legislature 2023, S.B. 0384 (‘MTCDPA’); (vi) the Oregon Consumer Data Privacy Act ORS 646A.570-646A.589 (‘OCDPA’); (vii) the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code Ann. § 541.001 et seq (‘TDPSA’); (viii) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq (‘UCPA’); (ix) the Washington “My Health My Data” Act, Wash. Rev. Code § 19.373.005 et seq., and Nev. Rev. Stat. § 603A, as amended by Nevada S.B. 370 (together, the “Washington and Nevada Consumer Health Data Laws”); and (x) the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392). All as amended or superseded from time to time and including any implementing regulations and amendments thereto.
2.1. The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Customer Data, Panaya is acting as a Data Processor (or Sub-processor, as applicable) and Customer is acting as a Data Controller (or Processor, as applicable). Notwithstanding the above, Panaya is the owner and Data Controller of the Usage Data (as defined in the Agreement) and other account information, such as contact information, transactions and other data which is used to manage the customer relationship, provide support, repair bugs, facilitate security, optimize the user experience, provide maintenance and carry out core business functions such as accounting, billing, and filing taxes.
2.2. The Customer shall be exclusively responsible to ensure its Instructions are compliant with applicable Data Protection Laws and enable a lawful Processing of Customer Data, including by obtaining any required consent and providing any required disclosures under applicable Data Protection Laws.
2.3. The subject matter and duration of the Processing carried out by Panaya on behalf of the Customer, the nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects are described in Annex I attached hereto.
2.4. For the purposes of providing the Services, Customer shall not disclose, transfer, or otherwise make available to Panaya any of the following categories of information: (i) any information that constitutes “Sensitive Personal Information,” “Sensitive Data,” “Sensitive Data Inferences,” “Highly Sensitive Data”, or “Special Categories of Personal Data” as those terms are defined under Data Protection Laws; (ii) any information that constitutes “consumer health data” under the CTDPA or the Washington and Nevada Consumer Health Data Laws; (iii) any information that constitutes “protected health information” under the Health Insurance Portability and Accountability Act of 1996, 5 U.S.C. § 553 et seq., together with any amending legislation and any regulations promulgated thereunder; and (iv) any Personal Data that is deemed by US regulatory authorities as meriting sensitive treatment under US Data Protection Laws or U.S. state or federal consumer protection laws.
3.1. Panaya represents and warrants that it shall Process Customer Data, on behalf of the Customer, solely for the purpose of providing the Service, all in accordance with Customer’s Instructions. Notwithstanding the above, in the event Panaya is required under applicable laws, including Data Protection Law, to Process Customer Data other than as instructed by Customer, it shall make its best efforts to inform the Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law.
3.2. Panaya shall inform Customer without undue delay in the event that, according to Panaya’s reasonable discretion, any of Customer’s Instructions infringes applicable laws, and Panaya shall have the right to immediately cease and suspend any such Processing activity related to the infringing Instruction.
3.3. Panaya hereby certifies it understands the rules, requirements and definitions under applicable Data Protection Laws, and shall not: (i) Sell or Share the Customer Data; (ii) retain, use or disclose the Customer Data for any purpose other than for a Business Purpose specified in the Agreement; or (iii) combine the Customer Data with other Personal Data that it receives from, or on behalf of another customer.
3.4. Panaya shall comply with the requirements set forth under applicable Data Protection Laws with regards to processing of Deidentified Data.
3.5. Panaya shall provide reasonable cooperation and assistance to the Customer in ensuring compliance with its obligation to carry out data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities to the extent required under applicable Data Protection Laws, provided that Panaya shall only be required to assist with respect to information which is reasonably available to Panaya and to which Customer does not have reasonable access.
3.6. Panaya shall ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Customer Data; and (ii) that persons authorized to Process the Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.1. It is agreed that where Panaya receives a data subject request or a request from a regulator or authority in respect to Customer Data, where applicable, Panaya will notify the Customer of such request promptly and direct the Data Subject or the applicable authority to the Customer in order to enable the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws or prohibited.
4.2. Panaya shall reasonably cooperate with and assist Customer in responding to such request, provided that the Customer cannot reasonably fulfill such obligations independently with the help of the documentation, the website or any other self-service feature provided by Panaya.
5.1. The Customer acknowledges that Panaya may transfer Customer Data to and otherwise interact with third party data Processors (“Sub-Processors”). The Customer hereby authorizes Panaya to engage and appoint such Sub-Processors as listed in Annex III to Process Customer Data, and permits each Sub-Processor to appoint a Sub-Processor on its behalf. Panaya may continue to use those Sub-Processors already engaged by it, as listed in Annex III, or engage additional or replace existing Sub-Processors to Process Customer Data, subject to providing the Customer thirty (30) days’ prior notice of its intention to do so (via email correspondence). In case the Customer has not objected to the addition or replacement of a Sub-Processor within such notice period, such Sub-Processor shall be deemed approved by the Customer. In the event the Customer objects to the addition or replacement of a Sub-Processor within such notice period, Panaya may, at Panaya’s sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement where the Services cannot be reasonably provided under such circumstances, without liability to Customer.
5.2. Panaya may update the list of Sub-processors online, available at: https://www.panaya.com/subcontractor-list/ which contains a mechanism for Customer to subscribe to notifications of new Sub-Processors.
5.3. Panaya shall, where it engages any Sub-Processor, impose, through a legally binding contract between Panaya and the Sub-Processor, data protection obligations that are no less onerous than, and provide at least the same level of protection as, those set out in this DPA. Panaya shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Laws.
5.4. Panaya shall remain responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with this DPA.
6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Panaya hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the Customer Data as required under Data Protection Laws to ensure lawful Processing of Customer Data and safeguard Customer Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction.
6.2. The parties acknowledge that security requirements are constantly changing, and that effective security requires the frequent evaluation and regular improvement of outdated security measures.
6.3. The security measures implemented and maintained by Panaya are further detailed in Annex II and in Panaya’s information security policy available at: Security Measure Policy.
7.1. Panaya will notify the Customer without undue delay upon becoming aware of any Security Incident involving the Customer Data and will take necessary steps to remediate, minimize any effects of and investigate any Security Incident and to identify its cause. Upon Customer’s request, Panaya will reasonably co-operate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident.
7.2. Panaya will notify the Customer in writing and will keep the Customer informed of any material developments in connection with the Security Incident. Panaya’s notification or compliance with its obligations under this Section shall not be construed as an acknowledgment by Panaya of any fault or liability with respect to the Security Incident.
7.3. Panaya shall reasonably co-operate with the Customer and assist Customer with its obligation to notify the affected individuals in the case of a Security Incident, at Customer’s sole cost and expenses.
8.1. Panaya shall maintain accurate written records of any and all the Processing activities carried out under this DPA and shall make such records available to the Customer upon 30-day prior written request, and not more than once per twelve (12) months during the Term of the Agreement. Such records provided shall be considered Panaya’s Confidential Information and shall be subject to confidentiality obligations.
8.2. In the event the records and documentation provided subject to Section 8.1 above are reasonably determined as not sufficient for the purpose of demonstrating compliance, Customer may audit Panaya’s compliance with this DPA and Data Protection Laws by requesting a certificate issued for security verification reflecting the outcome of an audit conducted by a third-party auditor (e.g., a SOC 2 certificate), or a comparable certification or other security certification of an audit conducted by a third-party auditor, within twelve (12) months as of the date of Customer’s request.
8.3. Alternatively, in the event the records and documentation provided subject to Section 8.1 and 8.2 above are not sufficient for the purpose of demonstrating compliance, Panaya shall make available, solely upon prior reasonable written notice and no more than once per calendar year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA and Data Protection Laws, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including towards third parties). Panaya may object to an auditor appointed by the Customer in the event Panaya reasonably believes the auditor is not suitably qualified or is a competitor of Panaya. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Panaya’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit.
8.4. Nothing in this DPA will require Panaya to either disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access: (i) any data of any other Panaya customer; (ii) Panaya’s internal accounting or financial information; (iii) any trade secret of Panaya or its Affiliates; (iv) any information that, in Panaya’s reasonable opinion, could compromise the security of any of Panaya’s systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws.
9.1. Customer may choose to host Customer Data either within the EU or the US (as detailed in the Subscription Order); however, Customer acknowledges that Panaya may Process Customer Data in various jurisdictions where Panaya’s affiliates and Sub-Processors operate. Panaya will ensure that transfers are made in compliance with the Data Protection Laws that apply to such Processing.
9.2. Panaya shall ensure that any recipients, including recipients of onward transfers, are located in an Adequate Country or certified under the DPF. Further, where European Data Protection Laws apply, Panaya will not transfer Customer Data originating from the EEA, UK or Switzerland unless it takes all such measures as are necessary to ensure the transfer is in compliance with European Data Protection Laws. Such measures may include (without limitation): (i) transferring such Customer Data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including to an Adequate Country or under data privacy and transfer frameworks; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with applicable Data Protection Law; or (iii) to a recipient that has executed the Standard Contractual Clauses.
9.3. When Customer and Panaya rely on the SCC to facilitate a transfer to a third country the following shall apply:
a) For transfer of Customer Data from the EEA, the EU SCC shall apply and be completed as follows: (1) Module II (Controller to Processor) will apply; (2) in Clause 7, the optional docking clause will not apply; (3) in Clause 9, option 2 (general written authorization) shall apply for the Sub-Processors listed under Annex III, and the method for appointing Sub-Processors shall be as set forth in the Sub-Processing Section of the DPA; (4) in Clause 11, the optional language will not apply, and Data Subjects shall not be able to lodge a complaint with an independent dispute resolution body; (5) in Clause 17, option 1 shall apply, and the EU SCC shall be governed by the law of the Republic of Ireland; (6) in Clause 18(b), the parties choose the competent courts of the Republic of Ireland as their choice of forum and jurisdiction; (7) Annex I(A) of the EU SCC is completed as follows: Customer is the Data Exporter, Panaya is the Data Importer, the parties’ contact details Agreement Effective Date; Annex I(B) of the EU SCC is completed as set out in Annex I of this DPA; Annex I(C) of the EU SCC shall identify the competent supervisory authority/ies as the supervisory authority of the Republic of Ireland; (8) Annex II of the EU SCC is deemed completed with the information set out in Annex III of this DPA; (9) Annex III of the EU SCC shall be completed with the list of Sub-Processors set out in Annex II of this DPA.
b) For transfer of Customer Data from the UK, the UK SCC shall apply and be completed as follows: (1) Table 1 shall be completed as set forth in section (i)(7) above; (2) Table 2 shall be completed as set forth in Section (i)(1) – (i)(4) above; (3) Table 3 shall be completed as follows: Annex 1A shall be completed with the relevant information as set out in Section (i)(7) above; Annex 1B shall be completed with the relevant information as set out in Annex I of this DPA; Annex II shall be completed with the relevant information as set out in Annex III of this DPA; Annex III shall be completed with the list of sub-processors set out in Annex II of this DPA; (4) Table 4 shall be completed with the “neither party” option; and (5) any conflict between the terms of the EU SCC and the UK SCC will be resolved in accordance with Section 10 and Section 11 of the UK SCC.
c) For transfer of Customer Data from Switzerland, the Swiss SCC shall apply with the following modifications: (i) references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA; (ii) references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and (iii) references to the “competent supervisory authority” and “competent courts” will be replaced with the “Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.
10.1. This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates or as long as Panaya Processes Customer
10.2. Panaya shall be entitled to terminate this DPA or cease the Processing of Customer Data in the event that Processing of Customer Data under the Customer’s instructions or this DPA infringes applicable legal requirements, provided Customer did not cure such infringement within ten (10) days from receiving applicable notice from Panaya. Alternatively, Panaya may, in its sole discretion, suspend the Processing of the Customer Data until such infringement is cured without terminating the DPA.
10.3. Following the termination or expiration of this DPA, Panaya shall, upon Customer’s written request, delete all Customer Data Processed on behalf of the Customer and certify to the Customer that it has done so, or return all Customer Data to the Customer and delete existing copies, unless applicable law or regulatory requirements require that Panaya continue to store Customer Data. Until the Customer Data is deleted or returned, the parties shall continue to ensure compliance with this DPA. Customer’s choice shall be provided in writing to Panaya following the effective date of termination.
10.4. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
ANNEX I
DETAILS OF PROCESSING
This Annex I includes certain details of the Processing of Personal Data as required under the Data Protection Laws.
Categories of Data Subjects:
The Customer Data uploaded to Panaya’s Platform, including testing instructions, insights, tasks, defect detection and any Personal Data uploaded to the Platform.
Authorized Users Recording Data if Customer uses the Recording Feature.
Categories of Personal Data:
Any category of Customer Data uploaded to the Platform. The Categories of Personal Data are also subject to the tests and queries the Customer runs, the comments and notes added and insights generated by the Services.
If the Recording Feature is used: Recorded Data from the Authorized Users.
Special Categories of Personal Data:
None, unless specifically notified by Customer and approved by Panaya.
Nature of the processing:
Collection, storage, organization, communication, transfer, hosting and other types of Processing for the purpose of providing the Services as set out in the Agreement.
Purpose(s) of Processing:
To provide the Services.
Retention Period:
For as long as it is necessary for Panaya to provide the Service; provided there is no legal obligation to retain the Customer Data post termination, or unless otherwise requested by the Customer.
Process Frequency:
Continuous basis
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES
The following description reviews the technical and organizational measures implemented by Panaya as a Processor of Customer Data, to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons.
As part of our data protection compliance process, Panaya has implemented technical, physical and administrative security measures to protect its Customer Data as explained below.
The security objectives of Panaya are identified and managed to maintain a high level of security and consist of the following (concerning all data assets and systems):
Panaya ensures the protection of the data servers that store the Customer Data from unwanted physical access. Customer Data is stored on an Amazon Web Services (AWS) virtual private cloud. Please see AWS’s security measures here. Customers can choose to be hosted in either the US production environment or in the European production environment. The US main data center is located in North Virginia on the East coast, with a backup location in Oregon on the West coast. The main data center of the European production environment is located in Dublin, Ireland, with a backup location in Frankfurt, Germany. Panaya also secures physical access to its offices by ensuring that only authorized individuals such as employees and authorized external parties (maintenance staff, visitors, etc.) can access Panaya’s offices, by using security locks and an alarm system, amongst other measures.
Access to Panaya’s database is highly restricted in order to ensure that only the relevant personnel who have received prior approval can access the database. Panaya has also implemented appropriate safeguards related to remote access and wireless computing capabilities. Employees are assigned with private passwords that allow strict access or use to Personal Data, all in accordance with such employee’s position, and solely to the extent such access or use is required. There is constant monitoring of access to the Personal Data and the passwords used to gain access. Panaya is using automated tools to identify non-human login attempts and rate-limiting login attempts to minimize the risk of a brute force attack.
User authentication measures have been put in place in order to ensure that access to Customer Data is restricted solely to those employees who have been given permission to access it, and to ensure that the Customer Data is not accessed, modified, copied, used, transferred or deleted without specific authorization for such actions. Any access to Customer Data, as well as any action performed involving the use of Customer Data, requires a user name and password, which is routinely changed, as well as blocked when applicable. Each employee is able to perform actions solely in accordance with the permissions granted to him or her by Panaya. Furthermore, Panaya conducts ongoing reviews of the employees who have been given authorization to access Customer Data, in order to assess whether such access is still required. Panaya revokes access to Customer Data immediately upon termination of employment. Authorized individuals can only access Customer Data located in their individual profiles.
Panaya has implemented a central read-only log repository which provides easy search and alerting capabilities. All actions in Panaya’s system are logged and log data is being reviewed on a regular basis. Panaya does not allow its customers to access logs. However, in case of a court order or official investigation, Panaya will provide the required information.
Panaya puts a lot of effort and invests a lot of resources into ensuring that Panaya’s security policies and practices are complied with, including by continuously providing employees with training with respect to such security policies and practices. Panaya strives to raise awareness regarding the risks involved in the processing of Customer Data. In addition, Panaya has implemented applicable safeguards for its hardware and software, including by installing firewalls and anti-virus software on its applicable hardware and software, in order to protect against malicious software.
All transfers of Customer Data from Panaya to its Sub-Processors are protected by the use of encryption safeguards, including the encryption of the Customer Data prior to the transfer of any Customer Data.
Panaya ensures the transparency of input controls, including the changing and deletion of data.
Panaya maintains backup policies and associated measures. Such backup policies include permanent monitoring of operational parameters relevant to the backup operations. Furthermore, Panaya’s servers include an automated backup procedure. Panaya also conducts regular controls of the condition and labelling of data storage devices for data security. Panaya ensures that regular checks are carried out to determine whether it is possible to restore from the backup, as required and applicable. Notwithstanding the above, Panaya does not provide any backup services, and it is Customer’s sole responsibility to back up Customer Data.
Panaya has ensured that all documents, including without limitation agreements, privacy policies, online terms, etc., are compliant with the Data Protection Law, including by implementing Data Processing Agreements and, where needed, Standard Contractual Clauses.
All of Panaya’s employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable provisions binding them to comply with applicable data security practices. In the event of a breach of an employee’s obligation or noncompliance with Panaya’s policies, Panaya implements certain repercussions in order to ensure compliance with Panaya’s policies. In addition, prior to Panaya’s engagement with a Sub-Processor, Panaya undertakes diligence reviews of such Sub-Processor. Panaya ensures that it enters into data protection agreements with all of its customers and Sub-Processors.
An external penetration test is performed on an annual basis. The penetration tests include, among others, procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own. The penetration tests and security scans are performed by a reputable third-party vendor. In addition, Panaya conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment. Actions are taken to remediate identified deficiencies on a timely basis. Vulnerability scans are performed using external tools, in order to detect potential security breaches.
Panaya’s operations, policies and procedures are audited regularly to ensure Panaya meets all the Service Organization Control (SOC 2) standards expected of a SaaS platform. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance. Panaya’s systems and services have been audited and verified under such SOC 2 compliance certification.
Measures and assurances regarding U.S. government surveillance have been implemented by Panaya, and Panaya agrees and hereby represents it maintains the following additional safeguards:
ANNEX III
LIST OF SUB-PROCESSORS
Name | Processing region | Description of the processing | Security Measures | Transfer mechanism |
Amazon Web Services (AWS), Inc. | EU/US | Hosting | https://aws.amazon.com/compliance/programs/ | EU-US Privacy Shield OR DPA [as applicable] |
OpenAI LLC | US | Generative AI services provider for intelligence product features | https://openai.com/security-and-privacy/ | DPA |