Data Processing Agreement

[Last updated: May, 2022]

This Data Processing Addendum (“DPA”) governs the Processing by Panaya (“Panaya”, “we”, “our”) of the customer’s Personal Data (“Customer”, “you”). Panaya and Customer shall each be referred to as a “party” and collectively as the “parties”. This DPA is an integral part of the Master Subscription Agreement (“MSA” and, collectively with the Exhibits therein, “Agreement”) between Panaya and Customer for the provision of the Services by Panaya to Customer.

This DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data during the course of the engagement between the parties and under the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the MSA.

WHEREAS, Panaya supplies software as a service to the Customer;

WHEREAS, the parties desire to supplement the Agreement to achieve compliance with the UK, EU, Swiss, United States and other data protection laws and agree on the following:

  1. DEFINITIONS

1.1. “Adequate Country” means a country that has received an adequacy decision from the European Commission.

1.2. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.

1.3. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “Service Provider”, “Sale” and “Sell” shall have the same meanings as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to a “Consumer”. “Personal Data” shall also mean and refer to “Personal Information”, as such term is defined in the CCPA.

1.4. “Customer Data” means any and all Personal Data uploaded to Panaya’s system while providing its Services, as detailed in ANNEX I.

1.5. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations, including, where applicable, the Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations (“Israeli Law”), the EU Data Protection Law, the UK Data Protection Law and the CCPA, as all may be amended or superseded from time to time.

1.6. “EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) – (iii); and (v) any legislation replacing or updating any of the foregoing.

1.7. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other party’s Personal Data will comprise a Security Incident.

1.8. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by European Commission Decision 2021/914 of 4 June 2021, which is attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.

1.9. “UK Data Protection Laws” shall mean the Data Protection Act 2018 (DPA 2018), as amended, and the GDPR as incorporated into UK law as the UK GDPR, as amended (“UK GDPR”), and any other applicable UK data protection laws, or regulatory Codes of Conduct or other guidance that may be issued from time to time.

1.10. “UK SCC” means the UK ‘International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers’, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State.

Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Law. A reference to any term or section of the CCPA, UK Data Protection Laws or GDPR means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR and/or UK GDPR depending on the applicable Law.

  2. RELATIONSHIP OF THE PARTIES

2.1. The parties acknowledge that in relation to all Customer Data, as between the parties, Customer is the Controller of Customer Data, and that Panaya, in the course of providing the Services is acting as a Processor on behalf of the Customer. For the purpose of the CCPA (and to the extent applicable), Customer is the Business and Panaya is the Service Provider.

2.2. The purpose, subject matter and duration of the Processing carried out by Panaya on behalf of the Customer, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in ANNEX I attached hereto.

  3. REPRESENTATIONS AND WARRANTIES

3.1. The Customer represents and warrants that: (i) its Processing instructions shall comply with applicable Data Protection Law; (ii) it will comply with Data Protection Law, specifically with regard to the lawful basis principle for Processing Personal Data and all applicable CCPA provisions; and (iii) due to the nature of the Services, Panaya does not monitor or control the Customer Data obtained by Panaya’s system and thus the type of Personal Data or Categories of Data Subjects processed by it is subject to the Customer’s sole discretion.

3.2. Panaya represents and warrants that it: (i) shall process Personal Data, as set forth under Article 28(3) of the GDPR, on behalf of the Customer, solely for the purpose of providing the Service, and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with Customer’s written instructions including the Agreement and this DPA; (ii) in the event Panaya is required under applicable laws, including Data Protection Law or any Union or Member State regulation, to Process Personal Data other than as instructed by Customer, it shall inform the Customer of such requirement prior to Processing such Personal Data, unless prohibited under applicable law; and (iii) shall provide reasonable cooperation and assistance to Customer in ensuring compliance with its obligation to carry out data protection impact assessments with respect to the processing of Personal Data and to consult with the supervisory authority (as applicable).

3.3. Panaya shall take reasonable steps to ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Personal Data; (ii) that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) that such personnel are aware of their responsibilities under this DPA and any applicable Data Protection Laws.

3.4. If the EU Data Protection Law or the CCPA do not apply to the Customer, then Customer must abide by any other Data Protection Law and data security laws and regulations that are applicable to it, and at a minimum Customer shall: (i) obtain and maintain any and all authorizations, permissions and informed consents, as may be necessary under applicable laws and regulations, in order to allow the Processor to lawfully collect, handle, retain, process and use the processed data within the scope of the Services; (ii) substantiate the legal basis for, and legitimize pursuant to applicable law, any and all Personal Data or personally identifiable information transferred through the Services; and (iii) have, properly publish and abide by an appropriate privacy policy that complies with all applicable Data Protection Law.

  4. RIGHTS OF DATA SUBJECTS AND THE PARTIES’ COOPERATION OBLIGATIONS

4.1. It is agreed that where Panaya receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by Panaya, where relevant, it will direct the Data Subject or the applicable authority to the Customer in order to allow the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.

4.2. Where applicable, Panaya shall assist the Customer in ensuring that Personal Data Processed is accurate and up to date, by informing the Customer without delay if it becomes aware of the fact that the Personal Data it is Processing is inaccurate or has become outdated.

  5. DO NOT SELL PERSONAL INFORMATION

It is hereby agreed that any sharing of Personal Information between the parties is made solely in order to fulfill a Business Purpose and Panaya does not receive or process any Personal Information as consideration for the Services. Thus, such Processing of Personal Information shall not be considered as a “Sale” under the CCPA.

  6. SUB-PROCESSOR

6.1. The Customer acknowledges that Panaya may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). The Customer hereby authorizes Panaya to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Panaya may continue to use those Sub-Processors already engaged by it, as listed in ANNEX III, and, subject to the provision of a 30-day prior notice to the Customer, Panaya may engage an additional or replace an existing Sub-Processor to process Personal Data. In case the Customer has not objected to the adding or replacing of a Sub-Processor in the allotted time period, such Sub-Processor shall be considered as approved by the Customer. In the event the Customer objects, it may, under Panaya’s sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement.

6.2. Panaya shall, where it engages any Sub-Processor, impose, through a legally binding contract between Panaya and the Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor (“Contract”). Panaya shall ensure that the Contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Law.

6.3. Panaya shall remain fully responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with the Agreement. Panaya shall notify the Customer of any failure by the Sub-Processor to fulfil its contractual obligations.

  7. TECHNICAL AND ORGANIZATIONAL MEASURES

7.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Panaya shall implement appropriate physical, technical and organizational measures to protect the Customer Data as required under Data Protection Laws to ensure lawful processing of Customer Data and safeguard Customer Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction. The parties acknowledge that security requirements are constantly changing and that effective security requires the frequent evaluation and regular improvement of outdated security measures.

7.2. Panaya is SOC2 certified. For more information on Panaya’s security measures please see ANNEX II attached hereto.

  8. SECURITY INCIDENT

8.1. Panaya shall notify the Customer upon becoming aware of any confirmed Security Incident involving the Customer’s Data in Panaya’s possession or control, as determined by Panaya in its sole discretion. Panaya shall, in connection with any Security Incident affecting the Customer Data: (i) take such steps as necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the Customer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority; (iv) keep the Customer informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) cooperate with the Customer and assist Customer with the Customer’s obligation to notify affected individuals in the case of a Security Incident.

8.2. Panaya’s notification regarding or response to a Security Incident under this Section 8 shall not be construed as an acknowledgment by Panaya of any fault or liability with respect to the Security Incident.

  9. AUDIT RIGHTS

9.1. Panaya shall respond promptly and adequately with respect to any inquiries from the Customer regarding the Processing of Personal Data in accordance with this DPA. Panaya shall make available to the Customer all information necessary to demonstrate compliance with the obligations under the EU Data Protection Law.

9.2. Panaya shall make available, solely upon prior written notice and no more than once per year (except for in the case of a Security Incident), information necessary to reasonably demonstrate compliance with this DPA to a reputable auditor nominated by the Customer, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Panaya may object to an auditor appointed by the Customer in the event Panaya reasonably believes that the auditor is not suitably qualified or independent, is a competitor of Panaya or otherwise unsuitable (“Objection Notice”). The Customer will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Panaya. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Panaya’s premises, equipment, personnel and business. Any and all conclusions of such Audit shall be confidential and reported back to Panaya immediately.

  10. DATA TRANSFER

10.1. The Customer acknowledges and agrees that, in order to be provided with the Services, Panaya may transfer Customer Data to, or access and Process Customer Data from, countries outside the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), Switzerland and the United Kingdom, including the US, as detailed herein, or may process the Customer Data within the EEA; however, certain Sub-Processors may transfer or process the Customer Data in the US.

10.2. The parties acknowledge that EU Data Protection Law does not require Standard Contractual Clauses or an alternative transfer solution in order for Customer Data to be processed in or transferred to an Adequate Country (“Permitted Transfers”).

10.3. In the event such Processing includes transferring of Personal Data to a country outside the EEA that has not received the adequacy decision from the European Commission or is not exempt under Article 49 of the GDPR (“Restricted Transfer”), the following shall apply:

10.3.1. In order to maintain the integrity, security and confidentiality of the Personal Data, a Restricted Transfer shall be subject, in addition to the terms of this DPA, to the terms and obligations of the Module II of the Standard Contractual Clauses in which event Panaya shall be deemed as the Data Importer and the Customer shall be deemed as the Data Exporter.

10.3.2. The purpose and description of the transfer shall be detailed in ANNEX I.

10.3.3. In case Panaya engages any Sub-Processor, such Restricted Transfer shall be subject, in addition to the terms of the Contract, to the terms and obligations of Module III of the Standard Contractual Clauses, in which event Panaya shall be deemed the Data Exporter and the Sub-Processor shall be deemed the Data Importer.

10.3.4. Where the UK SCC applies, it will be deemed completed as follows:

10.3.4.1. Table 1 shall be deemed completed with the information set out in Annex I of this Addendum, as appropriate, the contents of which are hereby agreed by the Parties;

10.3.4.2. In Table 2, Parties select the checkbox that reads: “Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum”, and the accompanying table shall be deemed to be completed according to Parties preferences.

10.3.4.3. Table 3 shall be deemed completed with the information set out in Annex I and Annex II to this Agreement, the contents of which are hereby agreed by the Parties;

10.3.4.4. In Table 4, Parties agree that only the Exporter may end the SCC as set out in Section 19 of the UK SCC.

10.4. The Customer further agrees that where Panaya engages a Sub-Processor, and those processing activities include a Restricted Transfer, Panaya and the Sub-Processor shall be bound by the Standard Contractual Clauses, in which Panaya shall be deemed the Data Exporter and the Sub-Processor shall be deemed the Data Importer. For the purposes of such engagement, Panaya and the Sub-Processor will enter into Module III of the Standard Contractual Clauses.

10.5. Subject to Clause 13 of Standard Contractual Clauses, Panaya agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Standard Contractual Clauses.

10.6. Especially for EU-US transfers: additional measures and assurances regarding US government surveillance (“Additional Safeguards”) are further detailed in ANNEX II.

  11. CONFLICT

In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.

  12. TERM AND TERMINATION

12.1. This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates. The Customer shall be entitled to suspend the Processing of its Customer Data in the event that Panaya is in breach of Data Protection Laws or the terms of this DPA, in each case in accordance with a binding decision of a competent court or the competent supervisory authority.

12.2. Panaya shall be entitled to terminate this DPA or terminate the Processing of Customer Data in the event that Processing of Personal Data under the Customer’s instructions or this DPA infringes applicable legal requirements. Such termination shall be subject to Panaya informing the Customer and the Customer insisting on compliance with the instructions.

12.3. Following the termination of this DPA, Panaya shall, at the choice of the Customer, either delete all of the Customer’s Personal Data processed on behalf of the Customer and certify to the Customer that it has done so, or return all Customer Data to the Customer and delete existing copies, unless applicable law or regulatory requirements require that Panaya continue to store the Customer’s Personal Data. Until the Personal Data is deleted or returned, Panaya shall continue to ensure compliance with this DPA.

ANNEX I
DETAILS OF PROCESSING AND TRANSFERRING OF CUSTOMER PERSONAL DATA

This Annex I includes certain details of the Processing and transferring of the Customer Data as required by Article 28(3) GDPR and the Standard Contractual Clauses.

Categories of Data Subjects whose Personal Data is Processed or Transferred:

The Customer Data uploaded to Panaya’s system (from Customer’s SAP, Salesforce, Oracle, etc.) such as employee, customers, contact information, etc.

Categories of personal data processed and transferred:

The Customer Data uploaded to Panaya’s system (from Customer’s SAP, Salesforce, Oracle, etc.)

Sensitive data processed or transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measure:

NA

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

The Personal Data is transferred on a one-off basis.

Nature of the processing and transferring:

Recording, testing and optimization.

Purpose(s) for which the personal data is processed or transferred on behalf of the controller:

Providing the Services.  

Duration of the processing:

The duration of processing shall be for the term of the MSA with an additional period of 30 days from the expiration of the MSA until deletion of Personal Data by Panaya.

ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES

The following description reviews the technical and organizational measures implemented by Panaya as the data importer to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

As part of our data protection compliance process, we have implemented technical, physical and administrative security measures to protect our customers’ and customer’s users’ Personal Data as explained below.

The security objectives of Panaya are identified and managed to maintain a high level of security and consist of the following (concerning all data assets and systems):

  • Availability – information and associated assets should be accessible to authorized users when required. The computer network must be resilient. Panaya will detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems, and information.
  • Confidentiality – ensuring that information is only accessible to those authorized to access it, on a need-to-know-basis.
  • Integrity – safeguarding the accuracy and completeness of information and processing methods, which requires preventing the deliberate or accidental, partial or complete destruction or unauthorized modification of electronic data.

Physical Access Control

Panaya ensures the protection of the data servers which store the Personal Data for Panaya from unwanted physical access.

The data processed by Panaya is stored on Amazon Web Services (AWS) virtual private cloud. Please see AWS’s security measures here. Customers can choose to be hosted in either the US production environment or in the European production environment. The US main data center is located in North Virginia on the East coast with a backup location in Oregon on the West coast. The main data center of the European production environment is located in Dublin, Ireland with a backup location in Frankfurt, Germany. Panaya also secures physical access to its offices by ensuring that only authorized individuals such as employees and authorized external parties (maintenance staff, visitors, etc.) can access Panaya’s offices, by using security locks and an alarm system, amongst other measures.

System Control

Access to Panaya’s database is highly restricted in order to ensure that only the relevant personnel who have received prior approval can access the database. Panaya has also implemented appropriate safeguards related to remote access and wireless computing capabilities. Employees are assigned private passwords that allow strictly limited access to or use of Personal Data, in accordance with each employee’s position and solely to the extent such access or use is required. There is constant monitoring of access to the Personal Data and of the passwords used to gain access. Panaya uses automated tools to identify non-human login attempts and rate-limits login attempts to minimize the risk of a brute force attack.

Data Access Control

User authentication measures have been put in place in order to ensure that access to Personal Data is restricted solely to those employees who have been given permission to access it and to ensure that the Personal Data is not accessed, modified, copied, used, transferred or deleted without specific authorization for such actions to be done. Any access to Personal Data, as well as any action performed involving the use of Personal Data requires a password and user name, which is routinely changed, as well as blocked when applicable. Each employee is able to perform actions solely in accordance with the permissions granted to him by Panaya. Furthermore, Panaya conducts ongoing reviews of the employees who have been given authorization to access Personal Data, in order to assess whether such access is still required. Panaya revokes access to Personal Data immediately upon termination of employment. Authorized individuals can only access Personal Data that are located in their individual profiles.

Log Management

Panaya has implemented a central read-only log repository which provides easy search and alerting capabilities. All actions in Panaya’s system are logged and log data is being reviewed on a regular basis. Panaya does not allow its customers to access logs. However, in case of a court order or official investigation, Panaya will provide the required information.

Organizational and Operational Security

Panaya puts a lot of effort and invests a lot of resources into ensuring that Panaya’s security policies and practices are being complied with, including by continuously providing employees with training with respect to such security policies and practices. Panaya strives to raise awareness regarding the risks involved in the processing of Personal Data. In addition, Panaya has implemented applicable safeguards for its hardware and software, including by installing firewalls and anti-virus software on applicable Company hardware and software, in order to protect against malicious software.

Transfer Control

All transfers of Customer Data between the Customer, Panaya’s service providers and Panaya’s servers are protected by the use of encryption safeguards, including the encryption of the Personal Data prior to the transfer of any Personal Data. Panaya’s servers are protected by industry best standards. In addition, to the extent applicable, Panaya’s business partners execute an applicable Data Processing Agreement, all in accordance with applicable laws.

Input Control

Panaya ensures the transparency of input controls, including changing and the deletion of data.

Availability Control

Panaya maintains backup policies and associated measures. Such backup policies include permanent monitoring of operational parameters as relevant to the backup operations. Furthermore, Panaya’s servers include an automated backup procedure. Panaya also conducts regular controls of the condition and labelling of data storage devices for data security. Panaya ensures that regular checks are carried out to determine whether it is possible to undo the backup, as required and applicable.

Contractual Obligations

Panaya has ensured all documents, including without limitations, agreements, privacy policies, online terms, etc. are compliant with the Data Protection Law, including by implementing Data Processing Agreement and where needed Standard Contractual Clauses.

Additional Safeguard

Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) have been implemented due to the Schrems II Case. These measures include the following:

  • encryption both in transit and at rest;
  • as of the Effective Date, Panaya has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II Case;
  • no court has found Panaya to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition;
  • Panaya shall not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance);
  • Panaya will use all available legal mechanisms to challenge any demands for data access through any national security process that it receives, as well as any non-disclosure provisions attached thereto;
  • Panaya will notify Customer if Panaya can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.

Data Retention

Personal Data is retained for as long as needed for us to provide our services or as required under applicable laws.

Job Control and Third-Party Contractors and Service Providers

All of Panaya’s employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable provisions binding them to comply with applicable data security practices. In the event of a breach of an employee’s obligation or noncompliance with Panaya’s policies, Panaya implements certain repercussions in order to ensure compliance with Panaya’s policies. In addition, prior to Panaya’s engagement with third party contractors, Panaya undertakes diligence reviews of such third-party contractors. Panaya agrees with third party contractors on effective rights of control with respect to any Personal Data processed on behalf of Panaya. Panaya ensures that it enters into data protection agreements with all of its customers and service providers.

Software Development Life Cycle

Software development and change management at Panaya are performed in a manner to help ensure applications are properly designed, tested, approved and aligned to Panaya’s customers’ business objectives. Changes are discussed, evaluated and approved by relevant managers from Product, Development and Operations. Changes are documented and approved within a SDLC application. Personnel responsibilities for the design, acquisition, implementation, configuration, modification, and management of systems are assigned. In addition, changes performed to the application are communicated to Panaya’s customers through release notes published on Panaya customer success website.

Penetration Testing

An external penetration test is performed on an annual basis. The penetration tests include, among others, procedures to prevent customers, groups of individuals or other entities from accessing confidential information other than their own. The penetration tests and security scans are performed by a reputable third-party vendor. In addition, Panaya conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment. Actions are taken to remediate identified deficiencies on a timely basis. Vulnerability scans are performed using external tools in order to detect potential security breaches.

Compliance Programs

Panaya’s operations, policies and procedures are audited regularly to ensure Panaya meets all the Service Organization Control (SOC2) standards expected of a software-as-a-service provider. Compliance certifications and attestations are assessed by an independent third-party auditor and result in a certification, audit report or attestation of compliance. Panaya’s systems and services have been audited and verified under such SOC2 compliance certification.

Panaya’s customers remain responsible for complying with applicable compliance laws, regulations and privacy programs in addition to Panaya’s compliance with privacy and security regulations.

Responsible disclosure policy

We encourage responsible disclosure, and we promise to investigate all legitimate reports and fix any issues as soon as we can. We ask that during your research you make every effort to maintain the integrity of any data you come across, avoiding violating the privacy of any person or degrading our offerings. Please provide Panaya reasonable time to fix any vulnerability you find before you make it public. In return we promise to investigate reports promptly and not to take any legal action against you.

ANNEX III
List of Sub-Processors

Name    Server location       Description of the processing
AWS     The EU or the USA     Hosting