myFirmData

Data Security Agreement

Data Security Agreement (Last Updated: February 02, 2026)

Firm Data, Inc.

This Data Security Agreement (“Agreement”) supplements the myFirmData Terms of Use (available here) (“Terms”) between the Customer and Company (the Terms and this Agreement, collectively, the “Agreement”). The capitalized terms not otherwise defined herein have the meaning described in the Terms.

Agreement Summary

  1. Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this Agreement will have the meanings given to them below:

    “Applicable Data Protection Law” means all federal, state, and provincial laws and regulations governing consumer data security and privacy, including but not limited to the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act (GLBA), the California Consumer Privacy Act (CCPA), and any similar laws in Canada.

    “Customer” has the meaning set forth in the Terms.

    “Customer Data” means the Personal Data that is uploaded to the Services under Customer’s Company accounts.

    “Personal Data” means any information that identifies, relates to, describes, or is capable of being associated with an individual, including but not limited to names, addresses, email addresses, phone numbers, and other identifiers as defined under Applicable Data Protection Law.

    “Reasonable Security Measures” means administrative, technical, and physical safeguards appropriate to the nature of the Personal Data, as required under Applicable Data Protection Law.

    “Security Incident” means a breach of Company’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.

    “Security Measures” means the security standards attached to this Agreement as Annex 1.

2. Company Obligations.

2.1 Confidentiality of Customer Data. Company will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with any applicable law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Company a demand for Customer Data, Company will attempt to redirect the governmental body to request that data directly from Customer, unless it is prohibited from doing so. As part of this effort, Company may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then Company will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Company is legally prohibited from doing so.

2.1.1 Confidentiality Obligations of Company Personnel. Company will restrict its personnel from processing Customer Data without authorization by Company as described in Annex 1 (Security Measures). Company will impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

2.2 Data Security Program. Company will implement and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards appropriate to the size, scope, and nature of its business, as well as the sensitivity of the Personal Data, using the security measures set forth in Annex 1.

2.3 Employee Training. Company will provide ongoing training to its employees and contractors on the proper use of security procedures and protocols, as required under Applicable Data Protection Law.

2.4 Data Minimization. Company will collect, use, retain, and share Personal Data only to the extent reasonably necessary and proportionate to achieve the purposes disclosed to the Customer, as required under Applicable Data Protection Law.

2.5 Data Retention and Disposal. Company will retain Personal Data only for as long as it is needed for business purposes. Thereafter, Company will take all reasonable steps to dispose of Personal Data, including by shredding, erasing, or otherwise modifying the data to make it unreadable or undecipherable.

3. Customer Obligations.

3.1 Consent. Customer expressly consents to Company’s collection, use, and disclosure of the Customer Data as necessary for Company to perform the Services, and Customer represents and warrants that it has obtained all necessary and legally required consents from third parties in connection with the same.

3.2 Accuracy of Information. Customer will ensure that all Customer Data provided to Company is accurate and up-to-date.

3.3 Compliance with Terms. Customer agrees to comply with the terms of this Agreement and all Applicable Data Protection Law.

4. Third-Party Service Providers.

4.1 Selection. Company will take reasonable steps to select and retain service providers (“Third Party Service Providers”) capable of maintaining appropriate safeguards for Personal Data.

4.2 Authorized Third-Party Service Providers. Customer generally authorizes Company to engage Third Party Service Providers to process Customer Data on behalf of Company.

4.3 Third-Party Service Provider Obligations. Where Company engages a Third Party Service Provider to process Customer Data:

(i) Company will enter into a written agreement with the Third Party Service Providers and, to the extent that the Third Party Service Provider performs the same data processing services provided by Company under this Agreement, Company will impose on the Third Party Service Providers the same contractual obligations that Company has under this Agreement; and

(ii) Company will remain responsible for its compliance with the obligations of this Agreement and for any acts or omissions of the Third Party Service Providers that cause Company to breach any of Company’s obligations under this Agreement.

5. Security Incident Notification.

5.1 Security Incident. Subject to Section 5.3, Company will (a) notify Customer of a Security Incident without undue delay after becoming aware of the Security Incident, and (b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.

5.2 Company Assistance. Subject to Section 5.3, upon Customer’s request and taking into account the nature of the applicable processing, Company will assist Customer by providing, when available, information reasonably necessary for Customer to meet its Security Incident notification obligations under Applicable Data Protection Law. Customer acknowledges that Company’s notification of a Security Incident is not an acknowledgement by Company of any fault or liability.

5.3 Unsuccessful Security Incidents. Customer agrees that an unsuccessful Security Incident will not be subject to this Section 5. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of Company’s equipment or facilities storing Customer Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.

5.4 Communication. Notification(s) of Security Incidents, if any, will be delivered to the Customer contact name and via the email address that Customer provided to Company when setting up its account with Company for the Services. It is Customer’s sole responsibility to ensure that the contact information it provides to Company is updated and accurate.

5.5  Notification Obligations. If Company notifies Customer of a Security Incident, or Customer otherwise becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data, Customer will be responsible for (a) determining if there is any resulting notification or other obligation under Applicable Data Protection Law and (b) taking necessary action to comply with those obligations. This does not limit Company’s obligations under this Section 5.

6. Audit. Company will keep records of its Processing in compliance with Applicable Data Protection Laws and, upon Customer’s request, make available to Customer any records reasonably necessary to demonstrate compliance with Company’s obligations under this Agreement and Data Protection Laws. If Company receives an audit report (“Audit Report”) from a third-party audit or certification program, Company will make such Audit Report available to Customer upon request. To the extent that Company does not have an Audit Report or such Audit Report does not provide sufficient information for Customer to verify Company’s compliance with this Agreement, Customer may, no more than once per year, unless required by Applicable Data Protection Law or following a Security Incident, at its expense conduct a confidential audit of reasonable scope and duration pursuant to an audit plan mutually agreed upon between Customer and Company.

7. Termination of the Agreement. This Agreement will continue in force until the termination of the Terms (the “Termination Date”).

8. Return or Deletion of Customer Data. During the term of the Agreement, Customer may, through the features of the Services or such other means mutually agreed between the parties, access, return to itself or delete Customer Data. Following termination or expiration of the Agreement, Company will, in accordance with its obligations under the Agreement, delete all Customer Data from Company’s systems in accordance with industry-standard secure deletion practices. Notwithstanding the foregoing, Company may retain Customer Data: (i) as required by Applicable Data Protection Law or (ii) in accordance with its standard backup, archival or record retention policies, provided that Company maintains the confidentiality of all such retained Customer Data and refrains from the further use or processing of such data.

9. Duties to Inform. Where Customer Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Company, Company will inform Customer without undue delay. Company will, without undue delay, notify all relevant parties in such action (for example, creditors, bankruptcy trustee) that any Customer Data subjected to those proceedings is Customer’s property and area of responsibility and that Customer Data is at Customer’s sole disposition.

10. Entire Agreement; Conflict. Except as amended by this Agreement, the Agreement will remain in full force and effect. If there is a conflict between the Terms and this Agreement, the terms of this Agreement will control. Additionally, where this Agreement requires data processing practices that afford stronger privacy protections than those described in our Privacy Policy, the practices in this Agreement will control.

Annex 1 Security Measures

Capitalized terms not otherwise defined in this document have the meanings assigned to them in the Agreement.

Company undertakes to comply with the level of security stipulated herein.

Security standards

Company will either be certified and/or accredited against one or more of the global standards described in the table below or will employ the security measures identified thereafter. In cases where Company has chosen to certify and/or accredit only parts of its Information Security Management System (ISMS) or infrastructure, it will provide reasonable assurance that the parts used in connection with the processing of the Customer Data are included in the scope of such certification/accreditation.

Standard

Global standards:
  CSA (Cloud Security Alliance)
  ISO 27001
  ISO 27017
  ISO 27018
  PCI DSS
  SOC 1
  SOC 2

United States:
  FIPS
  FISMA
  HIPAA
  NIST

If Company is not certified and/or accredited against any of the standards mentioned above, Company confirms that it is able to demonstrate each of the following:

Risk management
  • Company will have a risk assessment process that defines the criteria for performing a risk assessment, as well as the risk acceptance criteria.
  • The risk assessment process will identify the appropriate risk owners (for each risk) and identify risks associated with the loss of confidentiality, integrity, availability and accountability.
  • The results of the risk assessment will form the basis for the risk treatment plan, in accordance with the risk criteria set by the party. The risk treatment plan will identify the risk treatment options and define the controls used to address the identified risks.
Information security policy
  • Company will have an information security (IS) policy, which is approved by management, published and communicated to all employees.
Organization of information security
  • Company will define and assign information security responsibilities within the organization. It can assign the responsibility for information security to a single role or multiple roles.
Human resource security
  • The parties acknowledge that Customer will not provide to Company, and Company will not be processing, sensitive personal data under this Agreement.
  • Company will have a training program that covers their information security policy.
  • Company will have an established process for termination or change of employment duties. The process will ensure that access to the other party’s data is removed as soon as the employee terminates their contract with such party.
Asset management
  • Company will maintain an inventory of assets related to the processing of the other party’s personal information. Customer may request this inventory to be produced where necessary to demonstrate to the regulatory authority that personal information is kept in documented assets.
Access control
  • Company will have a documented access control policy.
Cryptography
  • Company will use commercially reasonable efforts to utilize encryption to protect the Customer’s data while in transit and at rest. The encryption mechanism chosen should not be developed in house, unless it has been peer-reviewed and approved for use by a reputable authority / institution. The encryption algorithms used must be in accordance with FIPS 140-2 Annex A.
Physical and environmental security
  • The Customer acknowledges that Company’s personnel are fully remote. Company will direct its personnel to use reasonable measures to protect the assets used to process the Customer’s personal information from external and environmental threats.
Operations security
  • Company will have a change management program in place.
  • Company will have detection, prevention and recovery controls to protect against viruses, malware, Trojans or any other type of malicious code.
  • Company will maintain reasonable back-ups that will allow the restoration of the service in case of an incident.
Communication security
  • Company will establish network controls to protect access to systems and applications that process data on behalf of the Customer (e.g. firewall, web application firewall, IDS, etc.).