Sertifi Data Processing Addendum
Version 09/19/2024
This Data Processing Addendum (“DPA”) forms a part of Sertifi Inc.’s (“Sertifi”) Terms of Services (“Terms of Services”) under which Sertifi, Inc. provides the Subscription Service, and is entered into by and between Sertifi and Customer. This DPA reflects the parties’ agreement with respect to the Processing of Personal Data submitted to the Subscription Service and is intended to supplement (and not replace) any Processing terms contained in the Terms of Services. In the event of any conflict between the terms of this DPA and the Terms of Services with respect to the subject matter herein, this DPA shall control. All capitalized terms not defined herein shall have the meaning set forth in the Terms of Services.
1. DEFINITIONS
1.1. “Order Form(s)” The Order Form(s) executed by Sertifi and Customer are merged and incorporated into the Terms of Services which together constitute one legal, valid and binding agreement.
1.2. “Affiliate” means any person or entity directly or indirectly Controlling, Controlled by or under common Control with Customer, where “Control” means the legal power to direct or cause the direction of the general management of the company, partnership or other legal entity.
1.3. “Customer” means the entity that purchased the Subscription Service directly from Sertifi under an Order Form or indirectly through an authorized reseller of Sertifi pursuant to a Use Authorization.
1.4. “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data. For purposes of this DPA, Data Controller is Customer and, where applicable, its Affiliates either permitted by Customer to submit Personal Data to the Subscription Service or whose Personal Data is Processed in the Subscription Service.
1.5. “Data Processor” means the natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller. For purposes of this DPA, Data Processor is the Sertifi entity that is a party to the Terms of Services.
1.6. “Data Protection Laws” means all applicable laws and regulations regarding the Processing of Personal Data.
1.7. “Data Subject” means an identified or identifiable natural person.
1.8. “Personal Data” means any information relating to a Data Subject uploaded by or for Customer or Customer’s agents, employees, or contractors to the Subscription Service as Customer Data.
1.9. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.10. “Sub-Processor” means any legal person or entity engaged in the Processing of Personal Data by Data Processor. For the avoidance of doubt, Sertifi’s co-location data center facilities are not Sub-Processors under this DPA.
1.11. “Subscription Service” means the Sertifi software as a service (SaaS) offering.
2. SCOPE OF THE PROCESSING
2.1. COMMISSIONED PROCESSOR. Data Controller appoints Data Processor to Process Personal Data on behalf of Data Controller to the extent necessary to provide the Subscription Service described in the Terms of Services and in accordance with the Instructions (as defined below).
2.2. INSTRUCTIONS. The Terms of Services constitutes Data Controller’s written instructions to Data Processor for Processing of Personal Data. Data Controller may issue additional or alternate data processing instructions provided that such instructions are: (a) consistent with the purpose and the scope of the Terms of Services; and (b) confirmed in writing by Data Controller that is received by Data Processor. For the avoidance of doubt, Data Controller shall not use additional or alternate instructions to alter the scope of the Terms of Services. Data Controller is responsible for ensuring its Instructions to Data Processor comply with Data Protection Laws.
2.3. NATURE, SCOPE AND PURPOSE OF THE PROCESSING. Data Processor shall only Process Personal Data in accordance with Data Controller’s Instructions and to the extent necessary for providing the Subscription Service as described in the Terms of Services.
2.4. CATEGORIES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS. Data Controller may submit Personal Data to the Subscription Service as Customer Data, the extent of which is determined and controlled by Data Controller in its sole discretion and is further described in Appendix 1.
3. DATA CONTROLLER
3.1. COMPLIANCE WITH DATA PROTECTION LAWS. Data Controller shall comply with all of its obligations under Data Protection Laws when Processing Personal Data.
3.2. SECURITY RISK ASSESSMENT. Data Controller agrees that in accordance with Data Protection Laws and before submitting any Personal Data to the Subscription Service, Data Controller will perform an appropriate risk assessment to determine whether the security measures within the Subscription Service provide an adequate level of security, taking into account the nature, scope, context and purposes of the processing, the risks associated with the Personal Data and the applicable Data Protection Laws. Data Controller is solely responsible for determining the adequacy of the security measures within the Subscription Service in relation to the Personal Data Processed.
3.3. CUSTOMER’S AFFILIATES. The obligations of Data Processor set forth herein will extend to Customer’s Data Controller Affiliates to which Customer provides access to the Subscription Service or whose Personal Data is Processed within the Subscription Service, subject to the following conditions:
- 3.3.1. Data Controller shall at all times be liable for its Affiliates’ compliance with this DPA and all acts and omissions by a Data Controller Affiliate are considered acts and omissions of Data Controller; and
- 3.3.2. Customer’s Data Controller Affiliates will not bring a claim directly against Data Processor. In the event a Data Controller Affiliate wishes to assert a valid legal action, suit, claim or proceeding against Data Processor (a “Data Controller Affiliate Claim”): (i) Customer must bring such Data Controller Affiliate Claim directly against Data Processor on behalf of such Data Controller Affiliate, unless Data Protection Laws require that Data Controller Affiliate be party to such Data Controller Affiliate Claim; and (ii) all Data Controller Affiliate Claims will be considered claims made by Customer and are at all times subject to any aggregate limitation of liability set forth in the Terms of Services.
3.4. COMMUNICATION. Unless otherwise provided in this DPA, all requests, notices, cooperation and communication, including Instructions issued or required under this DPA (collectively, “Communication”), must be in writing and between Customer and Sertifi only and Customer shall inform the applicable Data Controller Affiliate of any Communication from Sertifi pursuant to this DPA. Customer shall be solely responsible for ensuring that any Communications (including Instructions) it provides to Sertifi relating to Personal Data for which a Customer Affiliate is Data Controller reflect the relevant Customer Affiliate’s intentions.
4. DATA PROCESSOR
4.1. DATA CONTROLLER’S INSTRUCTIONS. Data Processor will have no liability for any harm or damages resulting from Data Processor’s compliance with Instructions received from Data Controller. Where Data Processor believes that compliance with Data Controller’s Instructions could result in a violation of Data Protection Laws or is not in the ordinary course of Data Processor’s obligations in operating the Subscription Service, Data Processor shall promptly notify Data Controller. Data Controller acknowledges that Data Processor is reliant on Data Controller’s representations regarding the extent to which Data Controller is entitled to Process Personal Data.
4.2. DATA PROCESSOR PERSONNEL. Access to Personal Data by Data Processor will be limited to personnel who require such access to perform Data Processor’s obligations under the Terms of Services and who are bound by obligations to maintain the confidentiality of such Personal Data.
4.3. DATA SECURITY MEASURES. Without prejudice to Data Controller’s security risk assessment obligations under Section 3.2 (Security Risk Assessment) above, Data Processor shall maintain appropriate technical and organizational safeguards, in accordance with commercially reasonable standards, to protect the security, confidentiality and integrity of Customer Data, including any Personal Data contained therein, as described in Section 2 (Physical, Technical and Administrative Security Measures) of the Data Security Guide. Such measures are designed to protect Customer Data from loss, alteration, unauthorized access, acquisition, use, disclosure, or accidental or unlawful destruction, and include:
- 4.3.1. Service Access Control. The Subscription Service provides user and role-based access controls. Data Controller is responsible for configuring such access controls within its instance.
- 4.3.2. Logging and Monitoring. The production infrastructure log activities are centrally collected and are secured in an effort to prevent tampering and are monitored.
- 4.3.3. Data Separation. Customer Data shall be maintained logically separated within a multi-tenant cloud infrastructure that is logically and physically separate from Sertifi’s corporate infrastructure.
- 4.3.4. Service Continuity. The production database servers are replicated in near real time to a mirrored data center in a different geographic region.
- 4.3.5. Data Processor regularly tests, assesses and evaluates the effectiveness of its information security program and may periodically review and update such program to address new and evolving security technologies, changes to industry standard practices, and changing security threats.
4.4. DELETION OF PERSONAL DATA. Upon termination or expiration of the Terms of Services, Data Processor shall return and delete Customer Data, including Personal Data contained therein, as described in the Terms of Services, except as required to comply with any legal or regulatory obligation(s).
5. REQUESTS MADE FROM DATA SUBJECTS AND AUTHORITIES
5.1. REQUESTS FROM DATA SUBJECTS. During the Subscription Term, Data Processor shall provide Data Controller with the ability to access, correct, rectify, erase or block Personal Data, or to transfer or port such Personal Data, within the Subscription Service, as may be required under Data Protection Laws (collectively, “Data Subject Requests”).
5.2. RESPONSES. Data Controller will be solely responsible for responding to any Data Subject Requests, provided that Data Processor shall reasonably cooperate with the Data Controller to respond to Data Subject Requests to the extent Data Controller is unable to fulfill such Data Subject Requests using the functionality in the Subscription Service. Data Processor will instruct the Data Subject to contact the Customer in the event Data Processor receives a Data Subject Request directly.
5.3. REQUESTS FROM AUTHORITIES. In the case of a notice, audit, inquiry or investigation by a government body, data protection authority or law enforcement agency regarding the Processing of Personal Data, Data Processor shall promptly notify Data Controller unless prohibited by applicable Data Controller shall keep records of the Personal Data Processed by Data Processor, and shall cooperate and provide all necessary information to Data Processor in the event Data Processor is required to produce such information to a data protection authority.
5.4. COSTS. Customer shall reimburse Sertifi for any reasonable additional costs incurred in connection with the fulfilment of Sertifi’s obligations under Sections 5.2. and 5.3.
6. BREACH NOTIFICATION
Data Processor shall report to Data Controller any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data that it becomes aware of without undue delay and no later than seventy-two (72) hours after it becomes aware of the incident.
7. CUSTOMER MONITORING RIGHTS
Customer may audit Data Processor’s Processing of Personal Data under this DPA by exercising its audit rights set forth in Section 4.2 (Audits and Corrective Actions) of the Data Security Guide.
8. SUB-PROCESSORS
8.1. USE OF SUB-PROCESSORS.
- 8.1.1. Data Controller authorizes Data Processor to engage Sub-Processors appointed in accordance with this Section 8 to support the provision of the Subscription Service and to deliver Professional Services as described in the Terms of Services. Data Processor may continue to use those Sub-Processors already engaged at the date of this Addendum, subject to Data Processor’s compliance with the obligations set out in this Terms of Services. The list of the Service Provider’s Sub-Processors as of the Effective Date is located at https://corp.sertifi.com/resources/technology-security/.
- 8.1.2. Data Processor shall give Data Controller prior notice of the appointment of any new Sub-Processor by way of updating the list of Sub-Processors pursuant to Section 8.1.1. If, within 30 days of the date of notice, Data Controller notifies Sertifi in writing of any reasonable objections to the Sub-Processor, the Parties will work together to resolve any objections amicably and in good faith.
- 8.1.3. Use of a Sub-Processor will not relieve, waive or diminish any obligation Data Processor has under the Terms of Services, and Data Processor is liable for the acts and omissions of any Sub-Processor to the same extent as if the acts or omissions were performed by Data Processor.
9. INTERNATIONAL DATA TRANSFERS
9.1. STANDARD CONTRACTUAL CLAUSES AND ADEQUACY. Where required under Data Protection Laws, Data Processor or Data Processor’s Affiliates shall require Sub-Processors to abide by (i) the Standard Contractual Clauses for Data Processors established in third countries; or (ii) another lawful mechanism for the transfer of Personal Data as approved by the European Commission.
9.2. PRIVACY SHIELD. Sertifi shall comply with the EU-U.S. and Swiss-U.S. Privacy Shield Framework set forth by the United States Department of Commerce with respect to the Processing of Personal Data transferred from the European Economic Area and Switzerland to the United States.
10. DATA PROTECTION IMPACT ASSESSMENTS
Effective May 25, 2018, Data Processor will, on request, provide Data Controller with reasonable information required to fulfill Data Controller’s obligations under the General Data Protection Regulation (2016/679) (“GDPR”) to carry out data protection impact assessments, if any, for Processing of Personal Data within the Subscription Service. Data Controller is solely responsible for any prior consultation with a supervisory authority required for Processing of Personal Data under GDPR.
11. GENERAL PROVISIONS
11.1. CONFIDENTIALITY. Data Controller may only disclose the terms of this DPA to a data protection or regulatory authority to the extent required by law or regulatory authority, provided however, that any such disclosure shall be limited to the minimum information necessary to satisfy such disclosure requirement. Data Controller shall use commercially reasonable efforts to ensure that data protection or regulatory authorities do not make this DPA public.
11.2. LIMITATION OF LIABILITY. Customer’s remedies with respect to any breach by Sertifi of the terms of this DPA will be subject to any aggregate limitation of liability under the Terms of Services.
11.3. TERMINATION. This DPA shall terminate simultaneously and automatically with the termination of the Terms of Services or expiration of the Subscription Term where Customer does not renew. Notwithstanding the foregoing, Sertifi shall continue to secure Personal Data in accordance with the terms herein for so long as Sertifi has access to such Personal Data.
11.4. WAIVERS AND MODIFICATIONS. A waiver of any right is only effective if it is in writing and only against the party who signed such writing and for the circumstances given.
APPENDIX 1 DETAILS OF PROCESSING
Nature and Purpose of Processing
Data Processor will Process Personal Data as required to provide the Subscription Service and in accordance with the Terms of Services.
Duration of Processing
Data Processor will Process Personal Data for the duration of the Terms of Services and in accordance with Section 4 (Data Processor) of this DPA.
Data Subjects
Data Controller may submit Personal Data to the Subscription Service, the extent of which is solely determined by Data Controller, and may include Personal Data relating to the following categories of Data Subjects:
- Clients and other business contacts;
- Employees and contractors;
- Subcontractors and agents; and
- Consultants and partners.
Categories of Personal Data
Data Controller may submit Personal Data to the Subscription Service, the extent of which is solely determined by Data Controller, and may include the following categories:
- communication data (e.g. telephone, email, IP address);
- business and personal contact details;
- other Personal Data submitted to the Subscription Service.
Processing Operations
The personal data transferred will be subject to the following basic processing activities:
- All activities necessary for the performance of the Terms of Services.
DATA SECURITY GUIDE
This Data Security Guide describes the measures Sertifi takes to protect Customer Data. This Data Security Guide forms a part of any legal agreement into which this Data Security Guide is explicitly incorporated by reference (the “Terms of Services”) and is subject to the terms of the Terms of Services. Capitalized terms not otherwise defined in this Data Security Guide will have the meaning given to them in other parts of the Terms of Services.
1. SECURITY PROGRAM
While providing the Subscription Service, Sertifi will maintain a written information security program of policies, procedures and controls governing the processing, storage, transmission and security of Customer Data (the “Security Program”). The Security Program includes industry-standard practices designed to protect Customer Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. Sertifi regularly tests, assesses and evaluates the effectiveness of the Security Program and may periodically review and update the Security Program to address new and evolving security technologies, changes to industry standard practices, and changing security threats, although no such update will materially reduce the commitments, protections or overall level of service provided to Customer as described herein.
2. PHYSICAL, TECHNICAL AND ADMINISTRATIVE SECURITY MEASURES
2.1. PHYSICAL SECURITY MEASURES.
- 2.1.1. Data Center Facilities. (i) Physical access restrictions and monitoring that may include a combination of any of the following: multi-zone security, man-traps, appropriate perimeter deterrents (e.g. fencing, berms, guarded gates), on-site guards, biometric controls, CCTV, and secure cages; and (ii) fire detection and fire suppression systems both localized and throughout the data center floor.
- 2.1.2. Systems, Machines and Devices. (i) Physical protection mechanisms; and (ii) entry controls to limit physical access.
- 2.1.3. Media. (i) Industry standard destruction of sensitive materials before disposition of media; (ii) secure safe for storing damaged hard disks prior to physical destruction; and (iii) physical destruction of all decommissioned hard disks storing Customer Data.
2.2. TECHNICAL SECURITY MEASURES.
- 2.2.1. Access Administration. Access to the Subscription Service by Sertifi employees and contractors is protected by authentication and authorization mechanisms. User authentication is required to gain access to production and sub-production instances. Access privileges are based on job requirements and are revoked upon termination of employment or consulting Production infrastructure includes appropriate user account and password controls (e.g., the required use of VPN connections, complex passwords with expiration dates, and a two-factored authenticated connection) and is accessible for administration.
- 2.2.2. Service Access Control. The Subscription Service provides user and role-based access controls. Customer is responsible for configuring such access controls within its instance.
- 2.2.3. Logging and Monitoring. The production infrastructure log activities are centrally collected and are secured in an effort to prevent tampering and are monitored.
- 2.2.4. Firewall System. An industry-standard firewall is installed and managed to protect Sertifi systems by residing on the network to inspect all ingress connections routed to the Sertifi environment.
- 2.2.5. Vulnerability Management. Sertifi conducts periodic independent security risk evaluations to identify critical information assets, assess threats to such assets, determine potential vulnerabilities, and provide for remediation. When software vulnerabilities are revealed and addressed by a vendor patch, Sertifi will obtain the patch from the applicable vendor and apply it within an appropriate timeframe in accordance with Sertifi’s then current vulnerability management and security patch management standard operating procedure and only after such patch is tested and determined to be safe for installation in all production systems.
- 2.2.6. Sertifi updates antivirus, anti-malware, and anti-spyware software on regular intervals and centrally logs events for effectiveness of such software.
- 2.2.7. Change Control. Sertifi ensures that changes to platform, applications and production infrastructure are evaluated to minimize risk and are implemented following Sertifi’s standard operating procedure.
- 2.2.8. Data Separation. Customer Data shall be maintained within a logical single-tenant architecture on multi-tenant cloud infrastructure that is logically and physically separate from Sertifi’s corporate infrastructure.
2.3. ADMINISTRATIVE SECURITY MEASURES.
- 2.3.1. Data Center Inspections. Sertifi performs routine reviews of each data center to ensure that it continues to maintain the security controls necessary to comply with the Security Program.
- 2.3.2. Personnel Security. Sertifi performs background screening on all employees and all contractors who have access to Customer Data in accordance with Sertifi’s then current applicable standard operating procedure and subject to applicable law.
- 2.3.3. Security Awareness and Sertifi maintains a security awareness program that includes appropriate training of Sertifi personnel on the Security Program. Training is conducted at time of hire and periodically throughout employment at Sertifi.
- 2.3.4. Vendor Risk Management. Sertifi maintains a vendor risk management program that assesses all vendors that access, store, process or transmit Customer Data for appropriate security controls and business disciplines.
3. SERVICE CONTINUITY
3.1. DATA CENTERS; DATA BACKUP. Sertifi will host Customer’s instances of the Subscription Service in a pair of data centers that attained SSAE 16 Type 2 attestations or have ISO 27001 certifications (or equivalent attestations) acting in an active/active capacity in the geographic regions specified on the Order Form for the Subscription Term. The deployed servers are enterprise scale servers with redundant power to ensure maximum uptime and service availability. The production database servers are replicated in near real time to a mirrored data center in a different geographic region. Sertifi backs up all Customer Data in accordance with Sertifi’s standard operating procedure.
3.2. PERSONNEL. In the event of an emergency that renders the customer support telephone system unavailable, all calls are routed to an answering service that will transfer to a Sertifi telephone support representative, geographically distributed to ensure business continuity for support operations.
4. AUDITS
4.1. AUDITS AND CORRECTIVE ACTIONS.
- 4.1.1. Upon Customer’s request, Sertifi shall provide Customer access to copies of Sertifi’s certification or audit reports performed by an independent third-party of Sertifi’s information security management system supporting the Subscription Service.
- 4.1.2. Corrective Sertifi and Customer may schedule a mutually convenient time to discuss the Audit. If a material deficiency is discovered between Sertifi’s commitments in this Data Security Guide and the information gathered during an Audit, then Sertifi shall take, at its own cost, the necessary corrective actions. This sets forth Customer’s exclusive rights and remedies (and Sertifi’s sole liability) with respect to any material deficiencies noted during an Audit. The Audit and the results derived therefrom are Confidential Information of Sertifi.
5. MONITORING AND INCIDENT MANAGEMENT
5.1. MONITORING, MANAGEMENT AND NOTIFICATION.
- 5.1.1. Incident Monitoring and Management. Sertifi will monitor, analyze and respond to security incidents in a timely manner in accordance with Sertifi’s standard operating procedure. Sertifi’s security group will escalate and engage response teams as may be necessary to address an incident.
- 5.1.2. Notification. Unless notification is delayed by the actions or demands of a law enforcement agency, Sertifi will report to Customer any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data (a “Breach”) without undue delay and no later than seventy-two (72) hours following determination by Sertifi that a Breach has occurred.
- 5.1.3. Customer Customer will cooperate with Sertifi in maintaining accurate contact information in the customer support portal and by providing any information that is reasonably requested to resolve any security incident, including any Breaches, identify its root cause(s) and prevent a recurrence. Customer is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities and impacted Data Subjects and for providing such notice.
5.2. USE OF AGGREGATE DATA. Sertifi may collect, use and disclose quantitative data derived from Customer’s use of the Subscription Service for industry analysis, benchmarking, analytics, marketing, and other business purposes in support of the provision of the Subscription Service. Any such data will be in aggregate form only and will not contain Customer Data.
5.3. COOKIES. When providing the Subscription Service, Sertifi uses cookies to: (i) track session state; (ii) route a browser request to a specific node when multiple nodes are assigned; and (iii) recognize a user upon returning to the Subscription Service. Customer shall be responsible for providing notice to, and collecting any necessary consents from, its authorized users of the Subscription Service for Sertifi’s use of cookies.
6. PENETRATION TESTS
6.1. BY A THIRD-PARTY. Sertifi contracts with third-party vendors to perform a penetration test on the Sertifi application per family release to identify risks and remediation that help increase security.
6.2. BY CUSTOMER. No more than once per calendar year Customer may request to perform, at its own expense, an application penetration test of a sub-production instance of the Subscription Service. Customer shall notify Sertifi in advance of any test by submitting a request to schedule an application penetration test using Sertifi’s customer support portal per Sertifi’s then-current penetration testing policy and procedure, including entering into Sertifi’s penetration test Sertifi and Customer must agree on a mutually acceptable time for the test; and Customer shall not perform a penetration test without Sertifi’s express written authorization. The test must be of reasonable duration, but in no event longer than fourteen (14) days, and must not interfere with Sertifi’s day-to-day operations. Promptly on completion of the penetration test, Customer shall provide Sertifi with the test results including any detected vulnerability. Upon such notice, Sertifi shall, consistent with industry-standard practices, use all commercially reasonable efforts to promptly make any necessary changes to improve the security of the Subscription Service. Customer shall treat the test results as Confidential Information of Sertifi subject to the confidentiality and non-use requirements of the Terms of Services.
7. SHARING THE SECURITY RESPONSIBILITY
7.1. PRODUCT CAPABILITIES. The Subscription Service has the capabilities to: (i) authenticate users before access; (ii) encrypt passwords; (iii) allow users to manage passwords; and (iv) prevent access by users with an inactive Customer manages each user’s access to and use of the Subscription Service by assigning to each user a credential and user type that controls the level of access to the Subscription Service. Customer shall be responsible for implementing encryption and access control functionalities available within the Subscription Service for protecting all Customer Data containing sensitive data, including credit card numbers, social security and other government-issued identification numbers, financial and health information, Personal Data, and any Personal Data deemed sensitive or “special categories of personal data” under Data Protection Laws. Customer is solely responsible for its decision not to encrypt such data and Sertifi will have no liability to the extent that damages would have been mitigated by Customer’s use of such encryption measures. Customer is responsible for protecting the confidentiality of each user’s login and password and managing each user’s access to the Subscription Service.
7.2. CUSTOMER COOPERATION. Customer shall promptly apply any application upgrade that Sertifi determines is necessary to maintain the security, performance or availability of the Subscription Service.
7.3. LIMITATIONS. Notwithstanding anything to the contrary in this Data Security Guide or other parts of the Terms of Services, Sertifi’s obligations extend only to those systems, networks, network devices, facilities and components over which Sertifi exercises control. This Data Security Guide does not apply to: (i) information shared with Sertifi that is not data stored in its systems using the Subscription Service; (ii) data in Customer’s VPN or a third-party network; (iii) any data processed by Customer or its users in violation of the Terms of Services or this Data Security Guide; or (iv) Integrated Products. For the purposes of this Data Security Guide, “Integrated Products” shall mean Sertifi-provided integrations to third-party products or any other third-party products that are used by Customer in connection with the Subscription Service. Customer agrees that its use of such Integrated Products will be: (a) in compliance with all applicable laws, including but not limited to, Data Protection Laws; and (b) in accordance with its contractual agreement with the provider of such Integrated Products. Any Personal Data populated from the Integrated Products to the Subscription Service must be collected, used, disclosed and, if applicable, internationally transferred in accordance with Customer’s privacy policy, which will adhere to Data Protection Laws. For clarity, as between Sertifi and Customer, Customer assumes all liability for any breaches of confidentiality that occur outside of the Subscription.