This Data Processing Addendum (“DPA”) forms part of, and is subject to, the Flatfile Services Agreement (the “Agreement”) by and between Flatfile and Customer. Notwithstanding anything in the Agreement to the contrary, to the extent Flatfile engages in the Processing of Customer Personal Data that is subject to Applicable Data Protection Laws, this DPA applies. Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement. In the event of a conflict between the Agreement and this DPA, this DPA shall control solely to the extent of the conflict.
1. DEFINITIONS AND INTERPRETATION.
For purposes of this DPA, the following terms shall have the meanings set forth below. To the extent these terms are defined in Applicable Data Protection Laws (including but not limited to the GDPR, UK GDPR, and CCPA), these definitions are intended to be consistent with those laws.
- “Applicable Data Protection Laws” means all laws, regulations, and binding legal requirements relating to the privacy, protection, security, or processing of Personal Data, including, without limitation: (a) European Union Regulation 2016/679 as implemented by local law in the relevant EEA member nation ("GDPR"); (b) the UK Data Protection Act 2018 and the retained EU law version of the GDPR as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); (c) the Swiss Federal Data Protection Act ("Swiss FDPA"); (d) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”); and (e) any other applicable privacy, data protection, or data security laws or regulations in any jurisdiction governing the Processing of Personal Data, as each may be amended, superseded, or replaced from time to time.
- “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” (and any analogous terms) will have the meaning(s) given in the Applicable Data Protection Laws, and terms such as “Process” and “Processed” shall be construed accordingly.
- “Customer Personal Data” means Personal Data that Customer uploads or provides to Flatfile as part of the Service and that is governed by this DPA.
- “EEA” means the European Economic Area.
- “Restricted Transfer” means a transfer of Customer Personal Data that is subject to restrictions under Applicable Data Protection Laws, including but not limited to: (a) a transfer of Customer Personal Data from the EEA, United Kingdom, or Switzerland to a country or territory outside of those jurisdictions which is not subject to an adequacy decision or adequacy regulations.
- “SCCs” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council.
- “Service Provider” will have the meaning(s) given in the Applicable Data Protection Laws for a company that, with the approval and acceptance of the Customer, assists the Processor in Processing Customer Personal Data on behalf of the Customer.
- “Subprocessor” means any third party, including any affiliate of the Processor, engaged by the Processor to Process Customer Personal Data on behalf of the Customer in connection with the Agreement. For clarity, a Subprocessor is a Processor engaged by another Processor to carry out specific Processing activities on behalf of the Customer, as contemplated by Article 28 of the GDPR and the UK GDPR.
- “UK Addendum” means the international data transfer addendum to the SCCs issued by the Information Commissioner for Parties making Restricted Transfers under S119A(1) Data Protection Act 2018.
2. DESCRIPTION OF PROCESSING.
- 2.1 As applicable and where such concepts are recognized by Applicable Data Protection Law, Customer is the Controller and Flatfile is the Processor or Service Provider (in each case, or words of similar import under Applicable Data Protection Laws) in respect of all Customer Personal Data made available to and Processed by Flatfile in connection with the provision of the Services for the term of the Agreement. For this purpose, Flatfile will Process Customer Personal Data as contemplated in and in accordance with the Agreement and this DPA.
- 2.2 The subject matter, nature, purpose, and duration of the Processing, as well as the categories of Customer Personal Data and Data Subjects, are described in Exhibit 1 of this DPA.
- 2.3 Flatfile will only Process Customer Personal Data in accordance with Customer’s documented instructions, including as set out in the Agreement and this DPA, unless required to do so by applicable laws. Flatfile will immediately inform Customer if it is unable to follow the Processing instructions.
- 2.4 Where Customer is a Processor and Flatfile is a Subprocessor, Customer will comply with all applicable laws that apply to Customer’s Processing of Customer Personal Data and will ensure that its agreement with its Controller requires compliance with all such applicable laws.
- 2.5 Customer represents and warrants that it has provided all necessary notices and obtained all necessary consents and authorizations under Applicable Data Protection Laws for Flatfile to Process Customer Personal Data as contemplated by the Agreement and this DPA.
3. COMPLIANCE WITH APPLICABLE DATA PROTECTION LAW.
- 3.1 During the term of the Agreement, Flatfile will comply with the Applicable Data Protection Laws that are applicable to Flatfile’s Processing of Customer Personal Data.
- 3.2 Flatfile will make available all information reasonably requested by Customer to demonstrate Flatfile’s compliance with Applicable Data Protection Laws and this DPA.
- 3.3 Flatfile will notify Customer in the event Flatfile makes a determination that Flatfile can no longer meet its obligations under Applicable Data Protection Laws, in which case Customer may take reasonable and appropriate steps in accordance with the Agreement to stop or remediate any unauthorized Processing of Customer Personal Data.
- 3.4 Flatfile will cooperate with and provide reasonable assistance to Customer for: (a) Customer’s performance of any data protection impact assessment of the Processing of Customer Personal Data by Flatfile, and (b) related consultation with Supervisory Authorities, either or both of which Customer reasonably considers to be required by Applicable Data Protection Laws.
4. RESTRICTIONS.
- 4.1 Flatfile will not:
- 4.1.1 retain, use, disclose, sell, or share (as those terms are defined in Applicable Data Protection Laws) Customer Personal Data for any purpose other than to provide the Services or as otherwise authorized in the Agreement;
- 4.1.2 retain, use or disclose Customer Personal Data for a commercial purpose or otherwise beyond the context of the direct business relationship between Flatfile and Customer as set forth in the Agreement; or
- 4.1.3 combine Customer Personal Data received from or on behalf of Customer with Customer Personal Data Flatfile receives from or on behalf of another person or which Flatfile collects on its own except as permitted by Applicable Data Protection Laws and in accordance with Customer’s documented instructions (including but not limited to as set out in the Agreement and this DPA).
- 4.2 Notwithstanding the foregoing provisions of Section 4.1, the restrictions in Section 4.1 shall not apply:
- 4.2.1 if Flatfile is required to perform such actions by any applicable law to which Flatfile is subject, in which case Flatfile shall inform Customer of that legal requirement; or
- 4.2.2 to Flatfile’s Processing of de-identified, anonymized or aggregated data, or to the use of internal analytics that do not involve Customer Personal Data.
- 4.3 Flatfile certifies that it understands the restrictions of this Section 4 and will comply with all Applicable Data Protection Laws.
5. DATA RETENTION AND DELETION.
- 5.1 Flatfile will retain Customer Personal Data only for as long as necessary to perform the Services, or for such other purposes as agreed to by the parties or as required by applicable law.
- 5.2 Following the termination of the Agreement, Flatfile shall return or safely destroy all non-anonymized and identifiable Customer Personal Data that Flatfile obtained in connection with performing the Services within ninety (90) days following such termination (excluding Customer Personal Data retained in archival or backup systems in accordance with Flatfile’s standard retention policies or data subject to legal hold or other legal requirements) and, upon request, Flatfile shall notify Customer in writing once all such information has been returned or destroyed, provided that where continued storage is required by applicable law, Flatfile shall inform Customer of those requirements.
- 5.3 If return or destruction is impracticable or prohibited by applicable laws, Flatfile will prevent additional Processing of Customer Personal Data and will continue to protect the Customer Personal Data remaining in its possession, custody, or control.
- 5.4 For the avoidance of doubt, this Section 5 shall not apply to de-identified or aggregated data (regardless of whether derived from Customer Personal Data) that Flatfile uses or generates in accordance with the Agreement, provided that such data cannot be used to identify a Data Subject.
6. INFORMATION SECURITY PROGRAM.
- 6.1 Flatfile will implement appropriate physical, technical and administrative safeguards designed to protect Customer Personal Data from unauthorized or unlawful destruction, loss, alteration, disclosure or access as provided in the Agreement, in each case as appropriate to the risk of the relevant Processing of Customer Personal Data and as such safeguards may be updated from time to time.
- 6.2 Flatfile will maintain annually updated reports or annual certifications of compliance with the following: ISO 27001 and SOC 2 Type II.
- 6.3 Flatfile will conduct annual penetration tests and share summary results of such tests with Customer if requested by the Customer.
7. BREACH NOTIFICATION AND INVESTIGATION.
- 7.1 To the extent required by Applicable Data Protection Laws, Flatfile will notify Customer without undue delay of the discovery of a Personal Data Breach impacting the Customer Personal Data that is Processed under this DPA (“Customer Personal Data Breach”).
- 7.2 Such notice will include (to the extent known) details of the nature of the Customer Personal Data Breach, the number of records impacted, the category and number of affected individuals, the anticipated consequences of the Customer Personal Data Breach and any actual or proposed remedies for mitigating its impact.
- 7.3 Flatfile’s notification of, or response to, a Customer Personal Data Breach will not be construed as an acknowledgement by Flatfile of any fault or liability with respect to the Customer Personal Data Breach.
- 7.4 Flatfile shall provide reasonable assistance to Customer as required for Customer to investigate and remediate the Customer Personal Data Breach.
8. DATA SUBJECT RIGHTS.
- 8.1 To the extent that Applicable Data Protection Laws require Customer to comply with requests from Data Subjects regarding the Processing of Customer Personal Data, such as rights to access, correct, or delete their Personal Data (“Data Subject Request”), and the request relates to Customer Personal Data (including, where applicable, any special categories of Personal Data as defined under Applicable Data Protection Laws), Flatfile will promptly notify Customer of any Data Subject Requests directed to, and directly received by, Flatfile and will provide reasonable assistance necessary to fulfill Data Subject Requests, taking into account the nature of Flatfile’s Processing of Customer Personal Data under the Agreement.
- 8.2 Flatfile will promptly forward to Customer any Data Subject Request received by Flatfile relating to Customer Personal Data and may advise the applicable Data Subject to submit their request directly to Customer.
- 8.3 If a Data Subject makes a valid request under Applicable Data Protection Laws to delete or opt out of Customer’s giving of Customer Personal Data to Flatfile, Flatfile will assist Customer in fulfilling the request according to the Applicable Data Protection Law.
9. SUBPROCESSORS.
- 9.1 Customer grants Flatfile a general authorization to engage Subprocessors in connection with the performance of Flatfile’s obligations under the Agreement. Flatfile will maintain an up-to-date list of authorized Subprocessors, available at (“Subprocessor List”).
- 9.2 Flatfile will provide Customer with advance notice of any intended additions or replacements to the Subprocessor List by email or through the Services. If Customer objects to such change on reasonable data protection grounds within thirty (30) days of notice, the parties will discuss such concerns in good faith. If no resolution is reached, Customer may terminate only the affected portion of the Services without penalty.
- 9.3 To the extent Flatfile engages Subprocessors to Process Customer Personal Data, such entities or individuals shall be subject to an appropriate duty of confidentiality and the same level of data protection and security as Flatfile under this DPA. Flatfile is responsible for the performance of any Subprocessor’s obligations in compliance with the terms of this DPA and Applicable Data Protection Laws applicable to Flatfile.
- 9.4 Flatfile will have a written agreement with each Subprocessor that ensures the Subprocessor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it, and consistent with the terms of the Agreement and this DPA.
- 9.5 Flatfile remains fully liable for all obligations subcontracted to its Subprocessors, including the acts and omissions of its Subprocessors in Processing Customer Personal Data.
10. AUDIT.
- 10.1 Flatfile will provide a copy of its then-current audit report once per each rolling 12-month period upon request of Customer and subject to the confidentiality obligations set out in the Agreement. Such audit report refers to a SOC 2 Type II audit or another industry standard audit that may be deemed appropriate by Flatfile and will be conducted by an independent third-party auditor on an annual basis.
- 10.2 Additionally, Flatfile will permit an independent Certified Public Accountant engaged by Customer to audit Flatfile’s compliance with this DPA in the event Customer receives a written inquiry from a competent Supervisory Authority or regulator, in each case relating to Flatfile’s Processing of Customer Personal Data under this DPA, provided that such audit will be restricted to relevant Customer Personal Data Processing activities and necessary documentation to confirm Flatfile’s compliance with the terms of this DPA.
- 10.3 Any audit under this Section 10 will be subject to reasonable scheduling, confidentiality obligations, and Flatfile’s security policies and will not unreasonably interfere with Flatfile’s business operations. Customer will pay any reasonably incurred costs and expenses incurred by Flatfile in the event Customer performs an audit under this Section 10 that is not (a) required by Applicable Data Protection Laws or (b) in response to a Customer Personal Data Breach.
- 10.4 Flatfile will maintain records of its compliance with this DPA for 3 years after the DPA ends.
11. LIMITATION OF LIABILITY.
- 11.1 Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set forth in the Agreement.
- 11.2 This DPA does not limit any liability to an individual about the individual’s data protection rights under Applicable Data Protection Laws. In addition, this DPA does not limit any liability between the parties for violations of the EEA SCCs or UK Addendum.
12. NO THIRD-PARTY BENEFICIARIES.
- Nothing in this DPA shall be construed to create any duty or obligation on the part of either party to, or confer any rights, remedies, or benefits upon, any third party (including any Data Subject), except as expressly set forth herein or required under Applicable Data Protection Laws.
13. TERM.
- This DPA will start when Flatfile and Customer agree to this DPA and will continue until the Agreement expires or is terminated. However, Flatfile and Customer will each remain subject to the obligations in this DPA and Applicable Data Protection Laws until Customer stops transferring Customer Personal Data to Flatfile and Flatfile stops Processing Customer Personal Data.
14. CROSS-BORDER TRANSFERS.
- 14.1 Authorization for Restricted Transfers. Customer authorizes Flatfile to transfer Customer Personal Data outside the EEA, the United Kingdom, Switzerland, or other relevant jurisdictions as necessary to provide the Services, subject to the requirements of Applicable Data Protection Laws. Flatfile will ensure that any such transfer is made in compliance with Applicable Data Protection Laws, including but not limited to the GDPR and the UK GDPR, as applicable.
- 14.2 Transfer Mechanisms. If Flatfile carries out a Restricted Transfer of Customer Personal Data, Flatfile will implement appropriate safeguards for such transfers to that territory consistent with Applicable Data Protection Laws. These safeguards may include, but are not limited to:
- Entering into the SCCs.
- Entering into the UK Addendum.
- Entering into any other contractual provisions or frameworks approved by a competent regulator or authority for cross-border Personal Data transfers.
- 14.3 Transfer Mechanisms. The parties agree that to the extent that the Processing of Customer Personal Data involves a Restricted Transfer then the parties shall each comply with their respective obligations as set out in the SCCs and/or the UK Addendum, each incorporated herein by reference, and amended as follows:
- The optional docking clause in Clause 7 does not apply.
- In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Subprocessor changes is 10 business days.
- In Clause 11, the optional language does not apply.
- (SCCs only) In Clause 13(a) (‘Supervision’) and Annex I.C, Option 1 shall apply with the competent Supervisory Authority being the Irish Data Protection Commission;
- (SCCs only) In Clause 17 (Option 1), the SCCs will be governed by the laws of Ireland.
- (SCCs only) In Clause 18(b), disputes will be resolved in the courts of Ireland.
- For the purposes of Annex I.A, the Customer shall be the data exporter and Flatfile shall be the data importer.
- For the purposes of Annex I.B, the description of transfer is set out at Exhibit 1.
- For the purposes of Annex I.C, the technical and organizational measures are set out at Exhibit 2.
- For Customer Personal Data transfers where Swiss law (and not the law in any EEA member state or the United Kingdom) applies to the international nature of the transfer, references to the GDPR in the SCCs are, to the extent legally required, amended to refer to the Swiss FDPA or its successor instead, and the concept of “Supervisory Authority” will include the Swiss Federal Data Protection and Information Commissioner.
- 14.4 Assistance and Cooperation. If required by Applicable Data Protection Laws, Flatfile will reasonably assist Customer in conducting any mandated data protection impact assessments or data transfer impact assessments and consultations with relevant Supervisory Authorities, taking into consideration the nature of the Processing and Customer Personal Data.
Exhibit 1
Description of Processing
- Categories of Data Subjects: Customer’s end users or customers and any other Data Subjects included or referenced in Customer content that is uploaded into the Service by Customer’s end users or customers.
- Categories of Customer Personal Data: Customer Personal Data may include but is not limited to: first and last name, employer, title and position, contact information, personal life data, personal identification data, connection and/or localization data, and any special category Personal Data as defined in Article 9 of the GDPR and/or UK GDPR (including, but not limited to racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, and the Processing of data regarding health, sex life, etc.).
- Nature and Purpose of Processing: Receiving Customer Personal Data (including collection, accessing, retrieval, recording, and data entry), holding Customer Personal Data (including storage, organization, and structuring), updating Customer Personal Data (including correcting, adaptation, alteration, alignment, and combination), sharing Customer Personal Data (including disclosure, dissemination, allowing access, or otherwise making available).
- Duration of Processing and Retention of Customer Personal Data: Flatfile will Process Customer Personal Data as long as required to conduct the Processing activities instructed in this DPA or by applicable laws and shall retain the Customer Personal Data as described in Section 5.
- Frequency of Transfer: Continuous.
Exhibit 2
Data Security Policy and Measures
Description of the technical and organizational security measures implemented by Flatfile and its Subprocessor(s):
Measures
1. Physical and Environmental Security
- 1.1 Flatfile, or Flatfile’s Subprocessors, implements measures designed to prevent unauthorized persons from gaining access to the Customer Personal Data Processing equipment (namely, database and application servers and related hardware). This shall be accomplished by:
- a) following industry-standard guidelines provided by data centers*;
- b) securing the decentralized Customer Personal Data Processing equipment and personal computers via standard cloud data hosting providers*;
- c) the data center where Customer Personal Data is hosted is secured by restricted access controls, and other security measures*;
- d) maintenance and inspection of supporting equipment shall only be carried out by authorized personnel*, and;
- e) endpoint monitoring for all Flatfile-owned devices with mobile device management such as JAMF.
2. Access Control (IT-Systems and/or IT-Application)
- 2.1 Flatfile implements a roles and responsibilities concept with centrally-managed, industry standard SSO providers.
- 2.2 Flatfile implements an authorization and authentication framework including, but not limited to, the following elements:
- a) role-based access controls implemented within SCIM providers;
- b) process to create, modify, and delete accounts implemented;
- c) access to IT systems and applications is protected by authentication mechanisms;
- d) authentication methods, such as SAML or OAuth, are used based on the characteristics and technical options of the IT system or application;
- e) access to IT systems and applications shall require, at least, multi-factor authentication for privileged accounts;
- f) all access to Customer Personal Data is logged, monitored, and tracked;
- g) authorization and logging measures for inbound network connections to IT systems and applications (including firewalls to allow or deny inbound network connections) implemented, including:
- i) with security configurations in the hosting provider;
- ii) audit logging for all logins to the hosting provider;
- h) privileged access rights to IT systems, applications, and network services are only granted to individuals who reasonably need it to accomplish their tasks (least-privilege principle), in accordance with SOC2 and other standards frameworks;
- i) privileged access rights to IT systems and applications are documented and kept up to date, annually at minimum and whenever a system is implemented or deprecated;
- j) access rights to IT systems and applications are reviewed and updated on a regular basis, annually at minimum;
- k) password policy implemented, including requirements regarding password complexity and minimum length;
- l) IT systems and applications technically enforce the password policy;
- m) access rights of employees and external personnel to IT systems and applications are removed immediately upon termination of employment or contract; and
- n) use of secure state-of-the-art authentication certificates ensured.
- 2.3 IT systems and applications lock down automatically or terminate the session after exceeding a reasonable defined idle time limit.
- 2.4 Flatfile implements a DMZ between public internet and the private network.
- 2.5 Privileged access to cloud assets is done through a bastion host.
- 2.6 Flatfile maintains log-on procedures on IT systems with safeguards against suspicious login activity (e.g., against brute-force and password guessing attacks).
3. Availability Control
- 3.1 Flatfile protects systems and applications against malicious software by implementing anti-malware solutions with industry-standard solutions built into all physical hardware.
- 3.2 Flatfile, and Flatfile’s Suppliers, define, document and implement a backup concept for IT systems, including the following technical and organizational elements:
- a) all Customer Personal Data is held in multiple availability zones to protect against environmental threats (e.g., heat, humidity, fire), physical attacks, or accidents*;
- b) taking regular (daily) backup snapshots that allow for point-in-time rollback; and
- c) the restoration of Customer Personal Data from backups is tested regularly based on the criticality of the IT system or application.
- 3.3 IT systems and applications in non-production environments are logically or physically separated from IT systems and applications in production environments.
4. Operations Security
- 4.1 Flatfile maintains and implements an Information Security Framework reflecting the measures described herein, which is regularly reviewed and updated, annually at minimum and quarterly in practice.
- 4.2 Employees of Flatfile must complete annual security awareness and data privacy training.
- a) Such training is designed to ensure that all such individuals understand using, sharing, or removing Customer Personal Data.
- b) Flatfile will have any person who will provide Services or have access to Customer Personal Data complete their Security Awareness Training before accessing any Customer Personal Data, within 30 days of joining Flatfile, and annually thereafter.
- 4.3 Flatfile logs security-relevant events, such as user management activities (e.g., creation, deletion), failed logons, changes on the security configuration of the system on IT systems and applications.
- 4.4 Flatfile continuously analyzes the respective IT systems and applications log data for anomalies, irregularities, indicators of compromise and other suspicious activities within Flatfile’s SSO provider.
- 4.5 Flatfile scans and tests IT systems and applications for security vulnerabilities on a regular basis.
- a) Upon execution and once a year thereafter, summaries of such scans and tests will be sent to Customer upon Customer’s written request and will include high level details confirming the IT systems and applications were included within the scan or test.
- b) All critical vulnerabilities identified must be remediated within seven (7) days of identification.
- 4.6 Flatfile implements and maintains a change management process for IT systems and applications. All access requests, personnel, or configuration changes enter a project management system managed by IT.
- 4.7 Flatfile maintains a process to update and implement vendor security fixes and updates on the respective IT systems and applications, with all critical fixes implemented and updated within seven (7) days of review.
- 4.8 Flatfile irretrievably erases data or physically destroys the data storage media before disposing of or reusing an IT system, and has the ability to do so remotely.
5. Transmission Controls
- 5.1 With respect to its hosted environment(s), Flatfile, following its hosting provider’s guidance**, documents and updates network topologies and its security requirements on a regular basis.
- 5.2 Flatfile continuously and systematically monitors IT systems, applications and relevant network zones to detect malicious and abnormal network activity by
- a) Firewalls (e.g., stateful firewalls, application firewalls);
- b) Proxy servers;
- c) URL filtering; and
- d) Security Information and Event Management (SIEM) systems.
- 5.3 Flatfile administers IT systems and applications by using encrypted connections, with TLS and SSH.
- 5.4 Flatfile protects the integrity of content during transmission by network protocols, such as TLS 1.2 or greater.
- 5.5 Flatfile encrypts, or enables its Subprocessors to encrypt, Customer Personal Data that is transmitted over public networks.
- 5.6 Flatfile uses secure Key Management Systems (KMS) to store secret keys in the cloud.
6. Security Incidents
- 6.1 Flatfile maintains and implements an incident handling process, including but not limited to:
- a) records of security breaches;
- b) Flatfile notification processes according to legal standards; and
- c) an incident response scheme to address the following at time of incident: (i) roles, responsibilities, and communication and contact strategies in the event of a compromise (ii) specific incident response procedures and (iii) coverage and responses of all critical system components.
7. Asset Management, System Acquisition, Development and Maintenance
- 7.1 Flatfile identifies and documents information security requirements prior to the development and acquisition of new IT systems and applications as well as before making improvements to existing IT systems and applications.
- 7.2 Flatfile establishes a formal process to control and perform changes to developed applications.
- 7.3 Flatfile plans and incorporates security tests into the System Development Life Cycle of IT systems and applications.
- 7.4 Flatfile implements a security patching process that includes:
- a) monitoring of components for potential weaknesses (CVEs), integrated in CI/CD pipeline;
- b) priority rating of fix based on the potential risk;
- c) timely implementation of the fix; and
- d) download of patches from trustworthy sources.
8. Human Resource Security
- 8.1 Flatfile implements the following measures in the area of human resources security:
- a) A background check must be conducted for all employees and contractors who will Process Customer Personal Data and/or physically access Customer offices.
- i. Background checks on hires must be conducted by a reputable third party and include criminal check and employment verification where permitted by applicable law and go back for seven (7) years where such records exist.
- b) employees with access to Customer Personal Data are bound by confidentiality obligations; and
- c) employees with access to Customer Personal Data are trained regularly regarding data protection laws and regulations, annually at minimum.
- 8.2 Flatfile implements an offboarding process for Flatfile employees and external vendors.
9. Cryptography (relevant for DP in the context of network services)
- 9.1 Flatfile uses secure certificates and implements the following:
- a) digital certificates are only accepted and trusted if the digital certificate was issued by a trusted certification authority;
- b) certificates are used and allocated to dedicated IT-systems and applications; and
- c) the validity of digital certificates is verified.
- 9.2 Flatfile implements a process for the management and implementation of cryptographic keys, including rules and requirements to generate, store, backup, distribute, and revoke cryptographic keys.