Data Security Addendum

This data security addendum (the “Addendum”) forms an integral part of the Terms of Use [https://insoundz.com/terms-and-conditions/] (the “Terms”) for the insoundz Services.

This Addendum provides you with additional information regarding the physical and technical safeguards designed to prevent unauthorized access, use or disclosure of Data involved in insoundz Services, and addresses the terms applicable to insoundz processing Personal Data, where such may occur.

Definitions

In this Addendum, the following words and phrases shall (unless the context otherwise requires) have the meanings set out beside them:

  • “Affiliate” shall mean a person or entity controlling, controlled by or under the common control with insoundz or Customer (as applicable); the term “control”, for the purpose of this definition, shall mean direct or indirect possession of the power to direct or cause the direction of the management or policies of insoundz or Customer (as applicable), whether through the ability to exercise voting power, by contract or otherwise.
  • “Data Subject” shall mean natural persons to which Personal Data relate.
  • “Personal Data” shall mean any Personal Data Processed by insoundz or any Subcontractor pursuant to or in connection with the insoundz Services.
  • “Applicable Laws” shall mean European Union or a Member State law and any other applicable law with respect to any Personal Data.
  • “Applicable Privacy Laws” shall mean EU Privacy Laws, US Privacy Laws, and, to the extent applicable, the data protection or privacy laws of any other country.
  • “Customer” means the entity that entered the Terms together with its Affiliates, which have entered the Terms or a part thereof.
  • “Data” means all data and information transmitted to the Services by Customer or processed by insoundz and Applications on Customer’s behalf.
  • “EEA” means the European Economic Area.
  • “EU Privacy Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each EU member state and as amended, replaced or superseded from time to time, including by the GDPR and laws, rules and guidelines implementing or supplementing the GDPR.
  • “GDPR” shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
  • “Restricted Processing” shall mean (1) the transferring of Personal Data outside the EEA or to an International Organization, and (2) any Processing of Personal Data that was transferred to any country outside the EEA or to an International Organization; in each case, where such transferring or Processing of Personal Data would be prohibited by Applicable Privacy Laws in the absence of Standard Contractual Clauses.
  • “Sell”, “Sale” or “Selling” of Personal Data, shall mean selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party for monetary or other valuable consideration.
  • “Services” shall mean the service provided by insoundz to Customer pursuant to the Terms.
  • “Controller to Processor Standard Contractual Clauses” (“SCCs”) means the Controller to Processor standard contractual clauses available at the following link: Click here
  • “Subcontractor” shall mean any person appointed by or on behalf of insoundz to Process Personal Data on behalf of Customer in connection with the Terms, excluding any employee of insoundz or of any such appointed person.
  • “US Privacy Laws” shall mean the applicable state, local, and/or federal privacy laws, including but not limited to the California Consumer Protection Act.
  • “Controller”, “Data Subject”, “International Organisation”, “Member State”, “Personal Data”, “Personal Data Breach” and “Processing” shall have the meanings ascribed to them in the GDPR.

Authorization and Compliance

  • By virtue of the Terms, Customer is considered as the “Controller” and insoundz is considered as the “Processor” with regards to the Personal Data.
  • Schedule 2.2 to this Addendum sets out certain details regarding insoundz’s Processing of Personal Data, as required by article 28(3) of the GDPR.
  • insoundz shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions. Customer’s instructions for the Processing of Personal Data shall comply with Applicable Privacy Laws.
  • insoundz acknowledges and confirms that it does not receive or Process any Personal Data as consideration for any services or other items that insoundz provides to Customer under the Terms. insoundz commits to refrain from Selling any Personal Data Processed hereunder, without Customer’s prior written consent, nor taking any action that would cause any transfer of Personal Data to or from insoundz under the Terms or this Addendum to qualify as Selling of such Personal Data.
  • insoundz shall Process Personal Data (i) in accordance with this Addendum and the Terms, which set out the Customer’s instructions to insoundz in relation to the Processing of Personal Data, and/or (ii) on documented instructions from Customer, unless prohibited to do so by Applicable Laws to which insoundz is subject. To the extent that insoundz believes that an instruction given by Customer does not comply with any Applicable Law, it shall refuse to comply with such instruction even if Customer insists on it in spite of the notification of insoundz.

insoundz’s Personnel

  • insoundz shall ensure that access to Personal Data is strictly limited to those individuals who need to know or access the relevant Personal Data and as strictly necessary for the purpose of the Terms.
  • insoundz shall take all steps reasonably necessary to ensure that the individuals who may have access to Personal Data on its behalf (i) are informed of the confidential nature of Personal Data; and (ii) are subject to confidentiality undertakings or appropriate statutory obligations of confidentiality.

Subcontractors

  • Customer acknowledges that (i) insoundz’s Affiliates may be retained as Subcontractors; and (ii) insoundz and insoundz’s Affiliates may engage third-party Subcontractors in connection with the provision of the Services.
  • insoundz shall ensure that the arrangement between insoundz and any Subcontractor is regulated by a written agreement or other written instrument governed by EU Member State law, imposing on the Subcontractor undertakings that guarantee at least the same level of protection for Personal Data as those set out in this Addendum.
  • insoundz’s website [https://insoundz.com/list-of-approved-subprocessors/] lists Subcontractors that are currently engaged by insoundz to Process Personal Data on behalf of Customer. Such list will be updated from time to time and insoundz shall send the Customer a notice of any such change. If Customer has a legitimate reason under Applicable Privacy Laws to object to the new Subcontractor’s Processing of Personal Data, Customer may terminate the Terms (limited to the Services for which the new Subcontractor is intended to be used) on written notice to insoundz. Such termination shall take effect at the time determined by the Customer, which shall be no later than thirty (30) days from the date of insoundz’s notice to Customer informing Customer of the new Subcontractor. If Customer does not terminate the Terms within this thirty (30) day period, Customer is deemed to have accepted the new Subcontractor.
  • Within the thirty (30) day period from the date of insoundz’s notice to Customer informing Customer of the new Subcontractor, Customer may request that the Parties discuss a resolution of the objection. Such discussions shall not extend the period for termination and do not affect insoundz’s right to use the new Subcontractor after the thirty (30) day period.

Rights of Data Subject

  • Without derogating from the generality of the above, insoundz shall (i) notify Customer without undue delay of any request raised by a Data Subject in relation to Personal Data concerning him or her to insoundz; and (ii) refrain from responding to any such request, except on a written instruction of Customer or as required by Applicable Law to which insoundz is subject.
  • Taking into account the nature of the Processing of Personal Data by insoundz, insoundz shall assist Customer by reasonably appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligations to respond to a request raised by a Data Subject in relation to Personal Data concerning him or her.

Personal Data Breaches

  • insoundz will notify Customer of any Personal Data Breach affecting Personal Data without undue delay after becoming aware of the Personal Data Breach, and reasonably assist Customer in relation to any Personal Data Breach notifications Customer is required to make under the GDPR.
  • insoundz will take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach.

Data Security

  • insoundz has implemented and will apply various the technical and organizational measures set forth in to protect the security of Data. Customer has reviewed such measures and agreed that as to the Services the measures are appropriate taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Data processing.
  • insoundz may change the measures in Schedule 2.3 or at any time without notice so long as it maintains a comparable or better level of security.

Restricted Processing

1. The Parties hereby enter into the Controller-Processor Standard Contractual Clauses. In the event of any conflict or inconsistency between this Addendum and the SCCs, the SCCs shall prevail.
2. For avoidance of doubt, Article 8.1 shall not apply in respect of Restricted Processing that is allowed by Applicable Privacy Laws without entering into the Standard Contractual Clauses or an agreement incorporating the Standard Contractual Clauses.
3. For purposes of the SCCs, module 2 (controller to processor) the following will apply:

  • Data exporter and Data importer are listed in Annex I.A.
  • For Clause 6 Description of the transfer(s), Annex I.B. will apply.
  • Clause 7 Docking, will not be used.
  • Clause 8 Data protection safeguards, for technical and organisational measures Annex 2.3 will apply.
  • Clause 8.2 Purpose limitation, insoundz shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B.
  • Clause 9 Use of sub-processors, option 2 (general written authorization) will apply. The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
  • Clause 11 Redress, the optional language will not apply.
  • Clause 13 Supervision, the data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
  • For Clause 17 Governing law, the following will apply: These SCCs shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.
  • For Clause 18 Choice of forum and jurisdiction, the following will apply:
    • Any dispute arising from these SCCs shall be resolved by the courts of an EU Member State.
    • The Parties agree that those shall be the courts of the Republic of Ireland.
    • A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
    • The Parties agree to submit themselves to the jurisdiction of such courts.

Data Protection Impact Assessment and Prior Consultation

If, pursuant to Applicable Privacy Laws, Customer is required to perform a data protection impact assessment or prior consultation with, at Customer’s request, insoundz shall provide such documents as are generally available for the Services. Any additional assistance shall be mutually agreed between the Parties.

Records

Each Party is responsible for its compliance with its own documentation requirements, in particular maintaining records of processing activities where required under the Applicable Privacy Laws. Each Party shall reasonably assist the other Party in its documentation requirements.

Deletion

Upon a written request of Customer at any time, insoundz shall delete all Data in its possession or control, along with all copies, extracts and other objects or items in which it may be contained or embodied; provided, however, that to the extent that insoundz is required by Applicable Law or by the order of a governmental or regulatory body to retain Personal Data, it shall be maintained for as long as such requirement applies. This undertaking shall not apply to any archival copies of data retained by insoundz in the normal course of business.

Information Rights

insoundz shall make available to Customer any information reasonably necessary to Customer to demonstrate compliance with this Addendum.

Audit Rights

insoundz will allow for and contribute to audits to demonstrate compliance with this Addendum in accordance with the following provisions:

  • Customer shall provide at least six (6) weeks’ prior written notice to insoundz of a request to audit, provided that any such request shall occur no more than once in any twelve (12) calendar month period.
  • Upon receipt of the request under Article 13.1 above, insoundz will inform Customer if insoundz has conducted an audit of its data protection and data security procedures in the preceding twelve (12) calendar month period, in which case Customer agrees to exercise any right it may have to conduct an audit under this Addendum or under the Standard Contractual Clauses (if they apply) by instructing insoundz to provide Customer with a summary of such most recent relevant audit report, which shall be considered insoundz’s confidential information.
  • To the extent that the Customer requested an audit under Article 13.1 and insoundz has not performed an audit pursuant to Article 13.2 during the twelve (12) calendar month period prior to the request, the audit shall be conducted by an independent third party auditor who is engaged and paid by Customer, and is under a non-disclosure agreement requiring the auditor to maintain the confidentiality of all insoundz’s confidential information and all audit findings. All audits shall be conducted during normal business hours, at insoundz’s principal place of business or other location(s) where Personal Data is Processed. Any such audit will result in the generation of an audit report, which shall be considered insoundz’s confidential information. insoundz will make available to Customer a summary of the relevant audit report.
  • The scope of any audit will be limited to insoundz’s policies, procedures, systems and controls relevant to the Processing of Personal Data.
  • The Customer shall bear the costs associated with such audit, including insoundz’s reasonable expenses.
  • If the Standard Contractual Clauses apply, nothing in this Article varies or modifies the Standard Contractual Clauses nor affects any supervisory authority’s or Data Subject’s rights under the Standard Contractual Clauses.

Miscellaneous

  • This Addendum shall continue to be in force until the termination of the Terms.
  • With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the Parties, including the Terms, the provisions of this Addendum shall prevail.
  • This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of Israel and subject to the jurisdiction of the courts of Tel-Aviv.
  • If any provision of this Addendum is held by a court of competent jurisdiction to be unenforceable under Applicable Law, then such provision shall be excluded from this Addendum and the remainder of this Addendum shall be interpreted as if such provision was so excluded and shall be enforceable in accordance with its terms; provided, however, that in such event this Addendum shall be interpreted so as to give effect, to the greatest extent consistent with and permitted by applicable law, to the meaning and intention of the excluded provision as determined by such court of competent jurisdiction.

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name: The entity identified as Customer under the Terms.

Address: The address of Customer as provided to insoundz.

Contact person’s name, position and contact details: The contact details associated with Customer in insoundz’s systems.

Activities relevant to the data transferred under these Clauses: The activities specified in Schedule 2.2 of the Addendum.

Signature and date: By entering into the Terms and the Addendum, and using the Services for Restricted Processing, the data exporter is deemed to have signed these Standard Contractual Clauses and their respective Annexes.

Role (controller/processor): Controller

Data importer(s):

Name: insoundz, as identified in the Terms.

Address: The address for insoundz as specified in the Terms.

Contact person’s name, position and contact details: The contact details associated with insoundz, as specified in the Terms.

Activities relevant to the data transferred under these Clauses: The activities specified in Schedule 2.2 of the Addendum.

Signature and date: By entering into the Terms and the Addendum, and engaging in Restricted Processing, the data importer is deemed to have signed these Standard Contractual Clauses and their respective Annexes.

Role (controller/processor): Processor.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:
Categories of data subjects are specified in Schedule 2.2 of the Addendum.

Categories of personal data transferred
Categories of personal data transferred are specified in Schedule 2.2 of the Addendum.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. The data exporter may not include sensitive personal data in the personal data described in Schedule 2.2 of the Addendum.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Personal Data is transferred on a continuous basis in accordance with the data exporter’s use of the Services and submission of Personal Data thereto.

Nature of the processing
The nature of the processing of personal data is described in Schedule 2.2 of the Addendum.

Purpose(s) of the data transfer and further processing
The purpose(s) of the processing of personal data is described in Schedule 2.2 of the Addendum.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The period for which Personal Data will be retained is for the duration of the Terms, unless agreed otherwise in the Terms and/or the Addendum.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As set forth in Schedule 2.2 of the Addendum

Schedule 2.2 to the Addendum

[Please Review Carefully]
Controller
The data exporter is the entity identified as the Customer in the addendum.

Processor
insoundz

Nature and purpose of the data processing
insoundz offers our users a set of tools to improve and enhance the sound quality of their products by processing the sound they record for their various uses by our proprietary algorithm, and all processing performed is associated with this purpose.

Categories of data subjects
The group of individuals (“Data Subjects”) affected by the processing of personal data under the Terms may include (a) insoundz’s Customers’ end users; and (b) limited personal data related to Customer’s users as provided to insoundz.

Categories of data
The types of personal data that may be collected, processed and/or used under the Agreement may include the following: (a) with respect to Customer and Customer employees – name, email, country/state/location, company, phone number and usage Data; (b) with respect to insoundz’s Customers’ end users – end users’ voice and any personal information that may be incidentally revealed by the speakers on the recording processed.

Special categories of data
When combined with other identifiable information, voice can be seen as a special category of data.

Duration of the data processing
Duration of the data processing

Transfer of Agreement Personal data to Subcontractors
[please provide the name of the Sub-processors – or link to designated webpage]

Schedule 2.3 to the Addendum [this should become a separate webpage – please review and advise what is applicable][listed below are examples for minimum requirements please approve and amend with your IT personnel]

Description of the technical and organizational security measures implemented by insoundz:

Measures to ensure confidentiality

Physical access control
  • Measures that physically deny unauthorized persons access to IT systems and data processing equipment used to process Personal Data, as well as to confidential files and data storage media.
  • Description of physical access control:
    • Locking of server rooms;
Logical access control
  • Measures to prevent unauthorized persons from processing or using Personal Data which is protected by applicable laws
  • Description of logical access control system:
    • Password procedure (to contain at least 8 characters comprised of digits, capital letters and special symbols; passwords should not contain the users’ names or identifying numbers; 90 days password replacement period; at least 6 previous passwords cannot be used; locking of accounts upon a number of failed logins);
    • Automatic locking after up to 20 minutes;
Data access control
  • Measures to ensure that persons authorized to use data processing systems can only access Data according to their access rights, so that Data cannot be read, copied, changed or removed without authorization during processing, use and storage.
  • Description of data access control:
    • Differentiated access and usage rights;
    • Data cannot be read, copied, changed or removed without authorization during processing.
    • Multi-factor authorization.
    • Periodical review of login and activity data;
Separation rule
  • Measures to ensure that Data collected for different purposes are processed separately and separated from other data and systems in such a way as to preclude the unplanned use of such data for other purposes.
  • Description of data access control:
    • Each customer account is processed separately.
  • Description of the separation control process:
    • Multi-tenant architecture with unique access authorisation and ID per customer.
    • System and network environments are logically separated to ensure separation of production and non-production environments.

Measures to ensure integrity

Data integrity
  • Measures to ensure that stored Data cannot be corrupted by means of a malfunctioning of the system.
  • Description of data integrity:
    • Administrators are educated on their legal responsibilities with regard to security and data integrity.
    • We conduct tests to verify the integrity of our solution.
    • Firewalls;
    • Antivirus software.
Transmission control
  • Measures to ensure that it is possible to verify and establish to which bodies Personal Data may be or have been transmitted or made available using data communication equipment.
  • Description of logical access control system:
    • Password protected API method invocation over HTTPS protocol.
Transport control
  • Measures to ensure that the confidentiality and integrity of Customer Data is protected during transmission of Personal Data and transport of data carriers
  • Description of transport control:
    • Password protected API method invocation over HTTPS protocol;
    • Granting of access to limited users using password protection.
Input control
  • Measures to ensure that it can be subsequently verified and ascertained whether and by whom Data have been entered or modified in data processing systems.
  • Description of input control:
    • Input and output integrity routines (i.e., reconciliation and edit checks) are implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption.

Measures to ensure availability and resilience

Availability control
  • Measures to ensure that Data are protected against accidental destruction or loss.
  • Description of availability controls:
    • Remote storage;
    • Data storage is maintained in various regions;
    • Antivirus software;
    • Firewalls.
Quick recovery
  • Measures to ensure the ability to quickly restore the availability of and access to Personal Data and used systems in the event of a physical or technical incident.
  • Description of availability controls:
    • DRP and mechanisms are in place and periodically tested
    • Recovery mechanisms include BCP, DRP, and backups for physical and technical incident recovery
Reliability
  • Measures to ensure that the functions of the system are available and malfunctions are reported.
  • Description of availability controls:
    • Database backup and mirroring of servers;

Measures for the regular testing and evaluation of the security of data processing

Measures to ensure that the data are processed securely and in compliance with data protection regulations.

Verification process
  • Sub-processor conducts network penetration tests of our cloud service infrastructure at least once a year.
  • Sub-processor conducts application penetration tests of our cloud service infrastructure at least once a year.

Encryption measures [Sub-processors and insoundz]

Measures or operations in which clearly legible text/information is converted into an illegible, i.e. not easily interpreted, form.

  • Description of encryption measures:
    • Encryption of laptops and USBs;
    • Communications are encrypted with SSL.
