Data Processing Addendum and SCC

Annex 1

A.   LIST OF PARTIES

Data exporter(s): 

Name: The entity identified as “Customer” in the Addendum. 

Address: The address for Customer associated with its PRODIGY account or as otherwise specified in the Addendum or the Agreement. 

Contact person’s name, position and contact details: The contact details associated with Customer’s account, or as otherwise specified in the Addendum or the Agreement. 

Activities relevant to the data transferred under these Clauses: The activities specified in Annex 1 of the Addendum. 

Signature and date: By using the PRODIGY services to transfer Customer Data to Third Countries, the data exporter will be deemed to have signed this Annex I.

Role (controller / processor): Controller

Data importer(s): 

Name: Prodigy Consulting Group, Inc. 

Address: 1968 South Coast Hwy, Suite 147 Laguna Beach, CA 92651. 

Contact person’s name, position and contact details: Robert Smith, DPO [email protected]

Activities relevant to the data transferred under these Clauses: The activities specified in Annex 1 of the Addendum. 

Signature and date: By transferring Customer Data to Third Countries on Customer’s instructions, the data importer will be deemed to have signed this Annex I. 

Role (controller / processor): Processor

B.   DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Categories of data subjects are specified in Annex 1 of the Data Processing Addendum.

Categories of personal data transferred

The personal data is described in Annex 1 of the Data Processing Addendum.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

The data exporter might, without our knowledge, include sensitive personal data in the personal data described in Annex 1 of the Data Processing Addendum. 

The frequency of the transfer.

Personal data is transferred in accordance with Customer’s instructions as described in Annex 1 of the Data Processing Addendum.

Nature of the processing

The nature of the processing is described in Annex 1 of the Data Processing Addendum.  

Purpose(s) of the data transfer and further processing

To provide the Products or Services requested and contracted by the Customer/Controller.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

PRODIGY will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.  When it is no longer necessary for us to retain personal data, it is removed from our systems generally within 90 days. 

You may also request at any time to have your personal data deleted.

PRODIGY will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter, nature and duration of the processing are described in Annex 1 of the Data Processing Addendum.

C.   COMPETENT SUPERVISORY AUTHORITY

The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Information Security Program. PRODIGY will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure Customer Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the PRODIGY Network, and (c) minimize security risks, including through risk assessment and regular testing. PRODIGY will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following measures:

1. Data transmission. All data in transmission is protected using end-to-end strong encryption.
2. Security patches are administered as soon as patches are tested and verified.
3. Certifications. Multiple certifications are held by our cloud service providers/Processors and Sub-processor including:

a. the certificates issued for the ISO 27001 certification, the ISO 27017 certification, the ISO 27018 certification, and the ISO 27701 certification (or the certifications or other documentation evidencing compliance with such alternative standards as are substantially equivalent to ISO 27001, ISO 27017, ISO 27018, and ISO 27701); and (ii) the

b. System and Organization Controls (SOC) 1 Report, the System and Organization Controls (SOC) 2 Report and the System and Organization Controls (SOC) 3 Report (or the reports or other documentation describing the controls implemented by Sub-processor that replace or are substantially equivalent to the SOC 1, SOC 2 and SOC 3).

1. Customer and account related information can be accessed by support and a select few technical team members in the event of a customer initiated request.
2. All data centers are protected via physical security and use access control for authorized personnel who are cleared via background check.
3. Complete offsite backups are performed as an automated daily process and are encrypted via SSL in transit and also encrypted at rest.
4. Databases are accessible to PRODIGY staff on a need to know basis.
5. Strong password enforcement is built into all WordPress installs.
6. Incoming attacks are mitigated via a proprietary system based on PRODIGY’s knowledge of threat detection and attack vectors.

ANNEX III

LIST OF SUB-PROCESSORS 

Name:  WPEngine, Inc.

Address:  504 Lavaca St #1000, Austin, TX 78701

Contact person’s name, position and contact details: Chad Costello, General Counsel, [email protected]

Name:  ConvertKit LLC

Address:  750 W Bannock St, Boise, ID 83702

Contact person’s name, position and contact details: [email protected]

Name:  Stripe

Address:  510 Townsend street, San Francisco, CA 94103

Contact person’s name, position and contact details: Adi Gilad, DPO, [email protected]