Data Processing Addendum
Last updated October 5, 2022
This Data Processing Addendum (including its appendices, the “Addendum”) supplements and forms part of Fusion Sport’s General Terms and Conditions available at fusionsport.com/legal/general-terms-and-conditions/ or other written agreement executed between Fusion Sport and Customer governing the provision of the Services to Customer (together with any Order Form(s), the “Agreement”) as of the Addendum Effective Date.
Capitalized terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms used but not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
1.1 “Addendum Effective Date” means the date on which Customer and Fusion Sport (a) execute an Order Form that incorporates this Addendum by reference, or (b) otherwise execute a written agreement that this Addendum shall apply in respect of the Agreement.
1.2 “Adequate Jurisdiction(s)” means:
1.1.1 for Customer Personal Data Processed subject to the GDPR, the EEA or a country or territory that is the subject of an adequacy decision by the European Commission under Article 45(3) of the GDPR;
1.1.2 for Customer Personal Data Processed subject to the UK GDPR, the United Kingdom or a country or territory that is the subject of the adequacy regulations issued under Section 17A Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 of the Data Protection Act 2018; and/or
1.1.3 for Customer Personal Data Processed subject to the Swiss FDPA, Switzerland or a country or territory that is (i) included in the list of the states whose legislation ensures an adequate level of protection as published by the Swiss Federal Data Protection and Information Commissioner, or (ii) the subject of an adequacy decision by the Swiss Federal Council under the Swiss FDPA.
1.3 “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Customer or Fusion Sport respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
1.4 “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
1.5 “Controller” means the individual or entity that determines the purposes and means of the Processing of Personal Data.
1.6 “Customer” means the entity that has executed the Agreement with Fusion Sport.
1.7 “Customer Personal Data” means Personal Data Processed by Fusion Sport on behalf of Customer for purposes of providing the Services to Customer under the Agreement.
1.8 “Data Protection Laws” means the laws and regulations applicable to the Processing of Customer Personal Data under the Agreement including, in each case to the extent applicable, European Data Protection Laws and the CCPA.
1.9 “Data Subject” means the individual to whom Personal Data relates.
1.10 “EEA” means the European Economic Area.
1.11 “European Data Protection Laws” means the laws and regulations in force from time to time in the EEA, Switzerland, or the United Kingdom applicable to the privacy, security, protection, or Processing of Customer Personal Data under the Agreement, including, in each case to the extent applicable: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the UK General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (collectively, the “UK GDPR”); and (c) the Swiss Federal Act on Data Protection (“Swiss FDPA”).
1.12 “Fusion Sport” means the Fusion Sport entity which is a party to the Agreement.
1.13 “Fusion Sport Content” shall have the meaning given in the Agreement or, if not defined in the Agreement, means: (a) all information, data, datasets (including the structure, organization, selection, coordination, and arrangement thereof), content, and all reports and other materials, provided by Fusion Sport or its licensors through the Services; and (b) any content, data or information that is collected by or on behalf of Fusion Sport regarding use of the Services, which may include usage patterns, traffic logs, and other statistical data associated with use of the Services.
1.14 “Personal Data” means any information that constitutes “personal data,” “personal information,” “personally identifiable information,” or similar term governed by Data Protection Laws.
1.15 “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
1.16 “Processor” means the individual or entity that Processes Personal Data on behalf of a Controller.
1.17 “Security Incident” means a breach of Fusion Sport’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in Fusion Sport’s possession, custody, or control.
1.18 “Services” means the services, features, and/or functionality that Fusion Sport has agreed to provide to Customer under the Agreement.
1.19 “Standard Contractual Clauses (Customer as Exporter)” means “Module Two: Transfer controller to processor” and/or “Module Three: Transfer processor to processor” of the Standard Contractual Clauses approved by the European Commission in decision 2021/914 of 4 June 2021 in the form set out at fusionsport.com/legal/standard-contractual-clauses-exporter/, as supplemented and/or amended by the addendum attached thereto.
1.20 “Standard Contractual Clauses (Customer as Importer)” means “Module Four: Transfer processor to controller” of the Standard Contractual Clauses approved by the European Commission in decision 2021/914 of 4 June 2021 in the form set out at fusionsport.com/legal/standard-contractual-clauses-importer/ as supplemented and/or amended by the addendum attached thereto.
1.21 “Sub-processor” means any entity appointed by Fusion Sport to Process Customer Personal Data on behalf of Customer under the Agreement.
1.22 “Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.
2. Processing of Customer Personal Data
2.2 Customer’s Instructions.
2.2.1 Fusion Sport will not Process Customer Personal Data other than on Customer’s documented instructions unless Processing is required by Data Protection Laws, in which case Fusion Sport shall to the extent permitted by Data Protection Laws inform Customer of that legal requirement before the relevant Processing of that Customer Personal Data. Customer hereby instructs Fusion Sport to Process Customer Personal Data (a) in accordance with the Agreement and any instructions initiated by end users via the Services; and/or (b) as reasonably necessary to provide the Services, to prevent or address technical problems with the Services, or to exercise its rights or perform its obligations under the Agreement.
2.2.2 Customer represents and warrants that: (a) it is and will at all relevant times remain duly and effectively authorized to give the instructions set out in Section 2.2.1; and (b) its instructions shall comply with Data Protection Laws, with all necessary rights, permissions, and consents secured.
2.3 Details of Processing. Appendix 1 to this Addendum sets out certain information regarding Fusion Sport’s Processing of the Customer Personal Data as required by Article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). Nothing in Appendix 1 confers any right or imposes any obligation on any party to this Addendum.
2.4 Processing subject to the CCPA. Fusion Sport shall not: (a) “sell” (as defined in the CCPA) any Customer Personal Data; (b) retain, use, or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Services in accordance with Customer’s instructions set forth in Section 2.2 or as otherwise permitted by the CCPA, including retaining, using, or disclosing Customer Personal Data for a commercial purpose (as defined in the CCPA) other than provision of the Services; or (c) retain, use, or disclose the Customer Personal Data outside of the direct business relationship between Fusion Sport and Customer. Fusion Sport hereby certifies that it understands its obligations under this Section 2.4 and will comply with them. Notwithstanding anything to the contrary in the Agreement, the parties acknowledge and agree that Fusion Sport’s access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
3. Fusion Sport and Fusion Sport affiliate personnel
Fusion Sport shall take commercially reasonable steps to ensure the reliability of its employees, agents, or contractors who have access to Customer Personal Data, ensuring in each case that access is limited to those individuals who need to know / access the relevant Customer Personal Data, as necessary for the purposes of the Agreement, and to comply with Data Protection Laws in the context of that individual’s duties to Fusion Sport, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1 Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Fusion Sport shall in relation to Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk. Such measures will include the security measures in Appendix 2 (the “Security Measures”). Customer acknowledges that the Security Measures may be updated from time to time upon reasonable notice to Customer to reflect process improvements or changing practices, provided that the modifications will not materially decrease Fusion Sport’s security obligations hereunder.
4.2 Customer Responsibilities. Customer agrees that, without limitation of Fusion Sport’s obligations under Section 4.1, Customer is solely responsible for its and its end users’ use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data; and (b) securing the account authentication credentials, systems, and devices Customer uses to access the Services. Customer is responsible for reviewing the information made available by Fusion Sport relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws.
5. Security incidents
5.1 Notification. Fusion Sport will notify Customer without undue delay after becoming aware of a confirmed Security Incident affecting Customer Personal Data. Such notification will describe, to the extent possible: (a) the nature of the Security Incident, the categories and numbers of Data Subjects concerned, and the categories and numbers of Customer Personal Data records concerned; (b) the name and contact details of Fusion Sport’s data protection officer or other relevant contact from whom more information may be obtained; (c) the likely consequences of the Security Incident; and (d) the measures taken or proposed to be taken to address the Security Incident. Fusion Sport’s notification of or response to a Security Incident under this Section 5.1 will not be construed as an acknowledgement by Fusion Sport of any fault or liability with respect to the Security Incident.
5.2 Cooperation. Fusion Sport will reasonably cooperate with Customer and take reasonable commercial steps to investigate, mitigate, and remediate each such Security Incident. Each party must in this regard act in good faith with each other and provide such reasonable mutual assistance to each other.
6. Data subject rights
6.1 Taking into account the nature of the Processing, Fusion Sport will reasonably assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under Data Protection Laws. Fusion Sport reserves the right to charge Customer at its then-current consultancy rates (as published from time to time) in the event that such assistance requested by Customer is onerous, complex, or time-consuming, provided that Fusion Sport shall inform Customer of those rates prior to incurring any such charges.
6.2 Fusion Sport will: (a) promptly notify Customer if Fusion Sport receives a request from a Data Subject under Data Protection Laws in respect of Customer Personal Data; and (b) not respond to such a request except on the documented instructions of the Customer or as required by Data Protection Laws, in which case Fusion Sport shall to the extent permitted by Data Protection Laws inform Customer of that legal requirement before Fusion Sport responds to the request.
7. Data protection impact assessment and prior consultation
Fusion Sport will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities or other competent data protection authorities which Customer reasonably considers to be required by Data Protection Laws, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, Fusion Sport. Fusion Sport reserves the right to charge Customer at its then-current consultancy rates (as published from time to time) in the event that such assistance requested by Customer is onerous, complex, or time-consuming, provided that Fusion Sport shall inform Customer of those rates prior to incurring any such charges.
8.1 Authorization. Customer hereby authorizes Fusion Sport to appoint (and permit each Sub-processor appointed in accordance with this Section 8 to appoint) Sub-processors in accordance with this Section 8 and any restrictions in the Agreement. A list of Fusion Sport’s Sub-processors is set forth at fusionsport.com/legal/subprocessors/ and may be updated by Fusion Sport from time to time in accordance with this Addendum.
8.2 New Sub-processors; Right to Object. Fusion Sport will notify Customer of the addition or replacement of any Sub-processor at least fifteen (15) days prior to such engagement. If Customer objects in writing to such changes within fifteen (15) days of being informed thereof on reasonable data protection grounds, Fusion Sport will use commercially reasonable efforts to: (a) work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processor; or (b) take corrective steps requested by Customer in its objection and proceed to use the new Sub-processor. Where such change or corrective steps cannot be made within thirty (30) days of Fusion Sport’s receipt of Customer’s notice, Customer may, as its sole and exclusive remedy available under this Section 8.2, terminate the relevant portion of the Services which require the use of the proposed Sub-processor by providing written notice to Fusion Sport and receive a refund of any prepaid fees under the Agreement.
8.3 Sub-processor Engagement. With respect to each Sub-processor, Fusion Sport will: (a) carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Customer Personal Data required by this Addendum; and (b) enter into a written contract with such Sub-processor containing data protection obligations not less protective than those in this Addendum with respect to Customer Personal Data. Fusion Sport will remain liable for the acts and omissions of its Sub-processors under the Agreement.
9. Audit rights
9.1 Review of Information and Records. Fusion Sport will make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to reviews of relevant records maintained by Fusion Sport, including by making available to Customer Fusion Sport’s most recent SOC 2 Type 2 or similar audit report or certification (“Reports”), where available. Such information or Reports will be made available to Customer upon written request no more than annually subject to the confidentiality obligations of the Agreement or a mutually agreed non-disclosure agreement.
9.2 Audits. If Customer requires information for its compliance with Data Protection Laws in addition to the information or Reports provided under Section 9.1, to the extent Customer is unable to access the additional information on its own, Fusion Sport will allow for and contribute to audits, including inspections, by Customer or another auditor mandated by Customer (“Mandated Auditor”), provided that: (a) Customer provides Fusion Sport with reasonable advance written notice of the audit, the identity of any Mandated Auditor (which shall not be a competitor of Fusion Sport), and the anticipated date and scope of the audit; (b) Fusion Sport approves the Mandated Auditor by notice to Customer, with such approval not to be unreasonably withheld; (c) the audit is conducted during normal business hours and in a manner that does not have any adverse impact on Fusion Sport’s normal business operations; (d) Customer or any Mandated Auditor complies with Fusion Sport’s standard safety, confidentiality, and security procedures in conducting any audit; (e) any records, data, or information accessed by Customer or any Mandated Auditor in the performance of any audit will be deemed to be the Confidential Information of Fusion Sport; (f) Customer may initiate an audit not more than once per calendar year unless otherwise required by a Supervisory Authority; and (g) all such audits shall be at Customer’s sole expense.
9.3 Results of Audits. Customer will promptly notify Fusion Sport of any non-compliance discovered during the course of an audit and provide Fusion Sport any audit reports generated in connection with any audit under this Section 9, unless prohibited by Data Protection Laws or otherwise instructed by a Supervisory Authority. Customer may use the audit reports only for the purpose of meeting Customer’s regulatory audit requirements and confirming that Fusion Sport’s Processing of Customer Personal Data complies with this DPA.
9.4 Audits of Subprocessors. Customer acknowledges and agrees that nothing in this Section 9 shall be construed to require Fusion Sport to furnish more information about its Subprocessors than such Subprocessors are contractually obligated to provide to Fusion Sport or have made generally available to their customers.
10. Cross-border transfers of Customer Personal Data
10.1 Processing Locations. Customer acknowledges and agrees that Fusion Sport and its Affiliates and Sub-processors may be located in jurisdictions around the world, including the United States and Australia, and that Fusion Sport may, subject to this Addendum, transfer and otherwise Process Customer Personal Data on a global basis as necessary to provide the Services.
10.2 European Transfers. This Section 10.1 shall apply if the Services involve the Processing of Customer Personal Data subject to European Data Protection Laws (“European Data”).
10.2.1 If (a) Customer transfers European Data to Fusion Sport, (b) Fusion Sport’s address is not located in an Adequate Jurisdiction, and (c) such transfer is not subject to an alternative adequate transfer mechanism under European Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then the parties agree to comply with the applicable terms of the Standard Contractual Clauses (Customer as Exporter) and that such terms are incorporated herein by reference. For the avoidance of doubt: (i) if Customer is a Controller, “Module Two: Transfer controller to processor” shall apply; and (ii) if Customer is a Processor, “Module Three: Transfer processor to processor” shall apply.
10.2.2 If (a) Fusion Sport transfers European Data to Customer, (b) Customer’s address is not located in an Adequate Jurisdiction, and (c) such transfer is not subject to an alternative adequate transfer mechanism under European Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then the parties agree to comply with the applicable terms of the Standard Contractual Clauses (Customer as Importer) and that such terms are incorporated herein by reference.
10.3 Modifications to the Standard Contractual Clauses. Fusion Sport may modify, amend, or replace the Standard Contractual Clauses (Customer as Exporter) and/or the Standard Contractual Clauses (Customer as Importer) if required by Data Protection Laws, in each case in accordance with Section 12.1.
11. Deletion or return of Customer Personal Data
Following termination or expiration of the Agreement Fusion Sport shall, at Customer’s option, return or delete Customer Personal Data and all copies to Customer in accordance with the terms of the Agreement, except where required by applicable law to retain such Customer Personal Data.
12. General terms
12.1 Modifications to this Addendum. In the event that a modification to this Addendum is required for compliance with Data Protection Laws, Fusion Sport may modify this Addendum by notifying Customer at least thirty (30) days (or such shorter period as may be required to comply with Data Protection Laws) before the change will take effect by either (a) providing notice in accordance with the Agreement, or (b) alerting Customer via the Services. If Customer objects to any such modification, Customer may immediately terminate this Addendum and the Agreement for convenience by giving written notice to Fusion Sport within ninety (90) days of being informed by Fusion Sport of the modification.
12.2 Termination. This Addendum will, notwithstanding the expiration or termination of the Agreement, remain in effect until, and automatically expire upon, Fusion Sport’s deletion of all Customer Personal Data.
12.3 Governing Law and Jurisdiction. This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
12.4 Order of Precedence. Nothing in this Addendum reduces Fusion Sport’s obligations under the Agreement in relation to the protection of Customer Personal Data or permits Fusion Sport to Process (or permit the Processing of) Customer Personal Data in a manner which is prohibited by the Agreement. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and the Agreement, the provisions of this Addendum shall prevail to the extent of such inconsistency.
12.5 Notices. Unless otherwise expressly stated herein, the parties will provide notices under this Addendum in accordance with the Agreement, provided that all such notices may be sent by email: (i) if to Fusion Sport, to firstname.lastname@example.org; and (ii) if to Customer, to Customer’s email address set forth in the Agreement.
12.6 Limitation of Liability. Any liabilities arising in respect of this Addendum are subject to the limitations of liability under the Agreement.
12.7 Severance. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
APPENDIX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
a) The subject matter and duration of the Processing of Customer Personal Data: As described in the Agreement and this Addendum.
b) The nature of the Processing of Customer Personal Data: Fusion Sport’s provision of the Services to Customer, which may include computation, storage, content delivery, and other Processing necessary to provide the Services to Customer under the Agreement.
c) The purposes of the Processing of Customer Personal Data: Processing is necessary for the provision of the Services under the Agreement.
d) The types of Customer Personal Data Processed: Customer, its users, and/or its online visitors may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in Customer’s sole discretion, and which may include but is not limited to the following: online service identification data, professional life data, personal life data, connection data, or localization data (including IP addresses).
e) Special Categories of Customer Personal Data Processed: Customer and/or its online visitors may submit special categories of Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in Customer’s sole discretion, and which may include but is not limited to the following: information revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning an individual’s health or sex life.
f) Categories of Data Subjects: Customer Personal Data may concern the following data subjects:
i. Employees, agents, advisors, and freelancers of Customer (who are natural persons); and/or
ii. Natural persons authorized by the Customer to use the Services.
APPENDIX 2: SECURITY MEASURES
1. Information security program
Implement and maintain an information security program (including the adoption and enforcement of internal policies and procedures) in accordance with ISO 27001 and SOC 2 standards designed to:
a) secure Customer Personal Data against accidental or unlawful loss, access or disclosure;
b) identify reasonably foreseeable and internal risks to security and unauthorized access to the servers, storage, and systems under the control of Fusion Sport that Process Customer Personal Data (collectively, the “Fusion Sport Network”); and
c) minimize security risks, including through risk assessment and regular testing.
Designate one or more employees to coordinate and be accountable for the information security program. Regularly and periodically train personnel with access to Customer Personal Data or the Fusion Sport Network regarding the information security program and Fusion Sport’s obligations with respect to the protection of Customer Personal Data.
2. Access control
Maintain access controls and policies to manage access to the Fusion Sport Network from each network connection and user, including the use of firewalls or functionally-equivalent technology, restricted access and monitoring, and authentication controls. Maintain a role-based security architecture designed to permit access to Customer Personal Data and the Fusion Sport Network only to authorized personnel and third parties.
Require passwords controlling access to Customer Personal Data or the Fusion Sport Network to have minimum complexity requirements and implement automatic temporary lock-out of the user ID when several erroneous passwords are entered, a log file of events, and monitoring of break-in attempts (alerts).
Utilization of industry standard encryption technologies for Customer Personal Data at rest and in transit, including when transmitted over networks or via email and in the production database.
4. Availability control
Implement measures designed to ensure that Customer Personal Data is protected from accidental destruction or loss, including:
a) infrastructure redundancy;
b) backup is stored at an alternative site and available for restore in case of failure of the primary system;
c) disaster recovery processes are implemented and tested on an annual basis; and
d) business continuity processes are implemented and tested on an annual basis.
5. Physical security
Sub-processors implement suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment, such as:
a) Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.
b) Limited employee and contractor access to the Facilities is provided to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of the Facility.
c) All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. The Facility also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, roof hatches, dock bay doors, etc.) with door contacts, glass breakage devices, interior motion-detection, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.
6. Continued evaluation; risk assessment
Conduct periodic reviews of the security of the Fusion Sport Network and adequacy of Fusion Sport’s information security program as measured against industry security standards and its policies and procedures. Continuously evaluate the security of the Fusion Sport Network and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.
7. Change management
Change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to Fusion Sport’s technology and information assets.
8. Incident preparedness
Maintain policies and procedures to detect, monitor, document, and respond to incidents, and encourage the reporting of such incidents, including through training personnel with access to Customer Personal Data to recognize actual or potential incidents and to escalate and notify senior management of such incidents.
9. Vulnerability management
Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses and other malicious code. Vulnerability scans are performed at least monthly and independent penetration testing is conducted at least annually.