DATA PROCESSING ADDENDUM
This Data Processing Addendum, including its Annexes and the Standard Contractual Clauses (“DPA”), forms a part of the Contextual AI Services Agreement, or other written agreement, entered into between the entity identified as the “Customer” in the signature block below (“Customer”) and Contextual AI, Inc. (“Contextual”) that governs Customer’s use of the Services (the “Agreement”) and is hereby incorporated into the Agreement. All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement.
Customer enters into this DPA on behalf of itself and, if applicable and to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates. For the purposes of this DPA only, and except where otherwise indicated, the term “Customer” shall include Customer and its Authorized Affiliates.
- Definitions.
- “Applicable Data Protection Laws” means data protection and privacy laws applicable to the respective party in its role in the processing of Customer Personal Data under the Agreement, which may include, to the extent applicable, European Data Protection Laws and the CCPA.
- “Authorized Affiliate” means a Customer Affiliate who is authorized to use the Services under the Agreement and who has not signed their own separate “Agreement” with Contextual AI.
- “California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act of 2018, as may be amended, superseded or replaced from time to time.
- “Customer Data” means, if not defined within the Agreement, the queries and submissions made by Customer (“Inputs”) that are used to generate responses (“Outputs”) based on unaltered proprietary data sets, information and content (in any format) that are owned or licensed by Customer and uploaded to the Services.
- “Customer Personal Data” means any ‘personal data’ or ‘personal information’ contained within Customer Data.
- “European Data Protection Laws” means (a) Regulation 2016/679 (General Data Protection Regulation) (“EU GDPR”); (b) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (c) the Swiss Federal Data Protection Act and its implementing regulations (“Swiss Data Protection Act”); in each case as may be amended, superseded or replaced from time to time.
- “Restricted Transfer” means a transfer (directly or via onward transfer) of personal data that is subject to European Data Protection Laws to a third country outside the European Economic Area, United Kingdom and Switzerland which is not subject to an adequacy determination by the European Commission, United Kingdom or Swiss authorities (as applicable).
- “Security Breach” means a breach of security leading to an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
- “Services” means, if not defined within the Agreement, the artificial intelligence solutions, including, without limitation, workflow engines, APIs and other online services developed by Contextual and provided to Customer under an Order Form.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021, as may be amended, superseded or replaced from time to time.
- “Subprocessor” means any other processor engaged by Contextual to process Customer Personal Data.
- “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under S.119(a) of the UK Data Protection Act 2018, as updated or amended from time to time.
- The terms “controller”, “data subject”, “supervisory authority”, “processor”, “process”, “processing”, “personal data”, and “personal information” shall have the meanings given to them in Applicable Data Protection Laws. The term “controller” includes “business”, the term “data subject” includes “consumers”, and the term “processor” includes “service provider” (in each case, as defined by the CCPA).
- Processing of Personal Data.
- Scope and Roles of the Parties. This DPA applies when and only to the extent Customer Personal Data is processed by Contextual as a processor in its provision of the Services to Customer. Customer will act as either a controller or processor, as applicable, of Customer Personal Data.
- Customer Processing. Customer agrees that (i) it will comply with its obligations under Applicable Data Protection Laws in its processing of Customer Personal Data and any processing instructions it issues to Contextual, and (ii) it has provided notice and obtained all consents, authorizations and rights necessary under Applicable Data Protection Laws for Contextual to process Customer Personal Data and provide the Services pursuant to the Agreement (including this DPA and any other processing instructions provided to Contextual).
- Contextual Processing. Contextual agrees that (a) when Contextual processes Customer Personal Data in its capacity as a processor on behalf of the Customer, Contextual will (i) comply with Applicable Data Protection Laws, and (ii) process the Customer Personal Data as necessary to perform its obligations under the Agreement, and only in accordance with Customer’s documented instructions (as set forth in the Agreement, in this DPA, or as directed by the Customer or Customer’s Authorized Users through their use of the Services). Contextual is not responsible for determining if Customer’s processing instructions are compliant with applicable law. However, Contextual shall notify Customer in writing if, in its reasonable opinion, the Customer’s processing instructions infringe Applicable Data Protection Laws, provided that Customer acknowledges that Customer Personal Data may be processed on an automated basis in accordance with Customer’s use of the Services, which Contextual does not monitor.
- Customer Affiliates. Contextual’s obligations set forth in this DPA shall also extend to Authorized Affiliates, subject to the following conditions: (a) Customer is solely responsible for communicating any additional processing instructions on behalf of its Authorized Affiliates; (b) Customer shall be responsible for Authorized Affiliates’ compliance with this DPA and all acts and/or omissions by an Authorized Affiliate with respect to Customer’s obligations under this DPA; and (c) if an Authorized Affiliate seeks to assert a legal demand, action, suit, claim, proceeding or otherwise against Contextual (“Authorized Affiliate Claim”), Customer must bring such Authorized Affiliate Claim directly against Contextual on behalf of such Authorized Affiliate, unless Applicable Data Protection Laws require the Authorized Affiliate be a party to such claim, and all Authorized Affiliate Claims shall be considered claims made by Customer and shall be subject to any liability restrictions set forth in the Agreement, including any aggregate limitation of liability.
- Details of Processing. The details of the processing of Customer Personal Data by Contextual are set out in Annex A to the DPA.
- Subprocessing.
- Authorization. Customer provides a general authorization to Contextual for use of Subprocessors to process Customer Personal Data in accordance with this Section 3, including those Subprocessors listed in Annex C (“Subprocessor List”).
- Subprocessor Obligations. Contextual shall (i) enter into a written agreement with each of its Subprocessors, which includes data protection and security measures no less protective than the measures set forth in this DPA; and (ii) remain liable for any breach of this DPA that is caused by an act, error or omission of one of its Subprocessors to the extent that Contextual would have been liable for such act, error or omission had it been caused by Contextual.
- Subprocessor Changes. At least fifteen (15) calendar days prior to the date on which any new Subprocessor shall commence processing Customer Personal Data, Contextual shall update the Subprocessor List and provide Customer with notice of that update. Such notice will be sent to the email address that Contextual has on file.
- Subprocessor Objections. Customer may object to Contextual’s appointment of a new Subprocessor on reasonable grounds relating to the protection of Customer Data by notifying Contextual in writing at privacy@contexual.com within ten (10) calendar days after receiving notice pursuant to Section 3.3. In such an event, Contextual and Customer will discuss those objections in good faith with a view to achieving resolution. If the parties are not able to achieve resolution, within ten (10) calendar days from Contextual’s written notification to Customer that no resolution can be found to Customer’s objection, Customer, as its sole and exclusive remedy, may terminate the Order Form(s) with respect to only those parts of the Services which cannot be provided by Contextual without the use of the new Subprocessor. Upon such termination, Contextual will provide Customer with a pro rata reimbursement of any prepaid, but unused fees of such Order Form(s) for the terminated Services following the effective date of such termination.
- Security.
- Security Measures. If Customer has elected to use the Services in a Contextual-Hosted Deployment, Contextual shall implement and maintain appropriate administrative, physical and technical security measures designed to protect Customer Personal Data from a Security Breach and preserve the security and confidentiality of Customer Personal Data as further set forth in Annex D (“Security Measures”). The Security Measures are subject to technical progress and development and Contextual may update the Security Measures, provided that any updates shall not materially diminish the overall security of Customer Personal Data within a Contextual-Hosted Deployment or the Services. If Customer has elected to use the Services in a Customer-Hosted Deployment, Customer shall implement and maintain appropriate administrative, physical and technical measures designed to protect Customer Personal Data and the Services as further set forth in the security provision in the Agreement.
- Confidentiality of Personnel. Contextual shall ensure that all employees or personnel it authorizes to process Customer Personal Data are subject to an appropriate duty of confidentiality.
- Security Breach Notification. In the event of a Security Breach, Contextual will (a) notify Customer in writing without undue delay and in no event later than forty-eight (48) hours after becoming aware of the Security Breach; and (b) promptly take reasonable steps to contain, investigate, and mitigate any adverse effects resulting from the Security Breach. Contextual will reasonably cooperate with and assist Customer with respect to any required notification to supervisory authorities or data subjects (as applicable), taking into account the nature of the processing, the information available to Contextual, and any restrictions on disclosing the information (such as confidentiality).
- Assistance.
- Data Subject Requests. Customer is responsible for responding to and complying with data subject requests (each a “DSR”). The Services include controls that Customer may use to assist it to respond to DSRs. If Customer is unable to access or delete Customer Personal Data using such controls, Contextual shall, taking into account the nature of the processing, reasonably cooperate with Customer to enable Customer to respond to the DSR. If a data subject sends a DSR to Contextual directly and Customer is identified or identifiable from the request, Contextual will promptly forward such DSR to Customer and Contextual shall not, unless legally compelled to do so, respond directly to the data subject except to refer them to Customer to allow Customer to respond as appropriate.
- Data Protection Impact Assessments. Contextual will provide reasonably requested information regarding the Services to Customer to carry out data protection impact assessments relating to the processing of Customer Personal Data and any related required consultation with supervisory authorities as required by Applicable Data Protection Laws, so long as Customer does not otherwise have access to the relevant information.
- Legal Requests. If Contextual receives a subpoena, court order, warrant or other legal demand from law enforcement or any public or judicial authority seeking the disclosure of Customer Personal Data, Contextual will attempt to redirect the governmental body to request such Customer Personal Data directly from Customer. As part of this effort, Contextual may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Personal Data to a governmental body, Contextual will give Customer reasonable notice of the legal demand to allow Customer to seek a protective order or other appropriate remedy, unless Contextual is legally prohibited from doing so.
- Audits and Records.
- Audit Program. Upon written request and at no additional cost to Customer, Contextual shall provide Customer, and/or its appropriately qualified third-party representative, access to reasonably requested documentation evidencing Contextual’s compliance with its obligations under this DPA (“Audit Report”).
- Audit. Only to the extent Customer cannot reasonably satisfy Contextual’s compliance with this DPA through the Audit Reports, or where required by Applicable Data Protection Laws, Customer may send a written request to conduct an audit of Contextual’s applicable controls on an annual basis. Contextual and Customer shall mutually agree on the details of the audit, including the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any such audit. The Audit Report, audit, and any information arising therefrom shall be considered Contextual’s Confidential Information and may only be shared with a third party (including a third party controller) with Contextual’s prior written agreement.
- Transfer of Personal Data.
- Restricted Transfers. Where the transfer of Customer Personal Data to Contextual is a Restricted Transfer, such transfer shall be governed by the Standard Contractual Clauses, which shall be deemed incorporated into and form an integral part of the Agreement in accordance with Annex B of this DPA.
- Alternative Transfer Mechanisms. If and to the extent that a court of competent jurisdiction or a supervisory authority with binding authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Customer Personal Data to Contextual, the parties shall reasonably cooperate to agree and take any actions that may be reasonably required to implement any additional measures or alternative transfer mechanism to enable the lawful transfer of such Customer Personal Data. Additionally, in the event Contextual adopts an alternative transfer mechanism, such alternative transfer mechanism shall apply instead of the SCCs described in Section 7.1 of this DPA (but only to the extent such alternative transfer mechanism complies with applicable European Data Protection Laws and extends to the territories to which Customer Personal Data is transferred).
- Backup; Deletion; and Return.
- No Backups. The Services do not include backup services or disaster recovery for Customer Personal Data. It is the Customer’s obligation to back up any Customer Personal Data if desired.
- Termination. Upon termination or expiration of the Agreement and following Customer’s written request, Contextual will delete or assist Customer in deleting any Customer Personal Data within its possession or control within thirty (30) days following such request.
- US State Law Compliance.
- Contextual shall not process, retain, use, or disclose Customer Personal Data for any purpose other than for the purposes set out in the Agreement, this DPA and as permitted under the CCPA or other applicable US state data privacy laws. Contextual shall not sell or share information as those terms are defined under the CCPA or other applicable US state data privacy laws. To the extent that Customer permits or instructs Contextual to process Customer Personal Data subject to applicable US state data privacy laws in a de-identified, anonymized, and/or aggregated form as part of the Services, Contextual shall (i) adopt reasonable measures to prevent such deidentified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (ii) not attempt to re-identify the information, except that Contextual may attempt to reidentify the information solely for the purpose of determining whether its de-identification processes comply with Applicable Data Protection Laws or are functioning as intended; and (iii) before sharing de-identified data with any other party, including Subprocessors, contractually obligate any such recipients to comply with the requirements of this provision.
- General.
- The parties agree that this DPA shall replace any existing data processing addendum, attachment, exhibit or standard contractual clauses that the parties may have previously entered into in connection with the Services. Contextual may update this DPA from time to time, provided, however, that no such update shall materially diminish the privacy or security of Customer Personal Data.
- If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
- In the event of any conflict between this DPA and any data privacy provisions set out in any agreements between the parties relating to the Services, the parties agree that the terms of this DPA shall prevail.
- Notwithstanding anything to the contrary in the Agreement or this DPA and to the maximum extent permitted by law, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including all Annexes hereto), the SCCs or any data protection agreements in connection with the Agreement (if any), whether in contract, tort or under any other theory of liability, shall remain subject to the limitation of liability section of the Agreement and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA, including all Annexes hereto. Customer agrees that any regulatory penalties incurred by Contextual that arise in connection with Customer’s failure to comply with its obligations under this DPA or any laws or regulations including Applicable Data Protection Laws shall reduce Contextual’s liability under the Agreement as if such penalties were liabilities to Customer under the Agreement.
- This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.
- The obligations placed upon each party under this DPA and the Standard Contractual Clauses (as applicable) shall survive so long as Contextual processes Customer Personal Data on behalf of Customer.
ANNEX A
DESCRIPTION OF THE PROCESSING / TRANSFER
ANNEX 1(A): LIST OF PARTIES

Data exporter
- Name of the data exporter: The entity identified as the “Customer” in the Agreement and this DPA.
- Contact person’s name, position and contact details: The address and contact details associated with Customer’s Contextual account, or as otherwise specified in this DPA or the Agreement.
- Activities relevant to the data transferred: The activities specified in Annex 1(B) below.
- Signature and date: See the end of the main body of this DPA.
- Role (Controller/Processor): Controller (for Module 2) or Processor (for Module 3).

Data importer
- Name of the data importer: Contextual AI, Inc.
- Contact person’s name, position and contact details: [INSERT CONTACT INFO]
- Activities relevant to the data transferred: The activities specified in Annex 1(B) below.
- Signature and date: See the end of the main body of this DPA.
- Role (Controller/Processor): Processor

ANNEX 1(B): DESCRIPTION OF THE PROCESSING / TRANSFER

Categories of data subjects whose personal data is transferred:
Data subjects include individuals about whom data is provided to Contextual via the Services (by or at the direction of Customer), which shall include: IF CUSTOMER HAS NOT FILLED OUT THE ABOVE SECTION: Customer shall be deemed to have declared that the categories of data subjects include: [(a) individual contacts, prospects, customers, business partners and vendors of Customer (who are natural persons); (b) employees or contact persons of Customer’s prospects, customers, business partners and vendors; (c) employees, agents, advisors, freelancers of Customer (who are natural persons); (d) Customer’s users or (e) other individuals whose personal data is included in Customer Data.]

Categories of personal data transferred:
The types of Customer Personal Data are determined and controlled by Customer in its sole discretion, and may include, but are not limited to: IF CUSTOMER HAS NOT FILLED OUT THE ABOVE SECTION: Customer shall be deemed to have declared that the types of Customer Personal Data may include but are not limited to the following types of Customer Personal Data: (a) name, address, title, contact details; and/or (b) any other personal data processed in the course of the Services as Customer Data.

Sensitive data transferred (if appropriate):
Subject to any applicable restrictions and/or conditions in the Agreement and this DPA, Customer may include ‘special categories of personal data’ or similarly sensitive personal data (as described or defined in Applicable Data Protection Laws) in Customer Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health and/or data concerning a natural person’s sex life or sexual orientation.

Frequency of the transfer:
Continuous or one-off depending on the services being provided by Contextual.

Nature, subject matter and duration of the processing:
Nature: Contextual provides artificial intelligence solutions including, without limitation, workflow engines, APIs and other online services and related services, as further described in the Agreement. Subject Matter: Customer Personal Data. Duration: The duration of the processing will be for the term of the Agreement and any period after the termination or expiry of the Agreement during which Contextual processes Customer Personal Data.

Purpose(s) of the data transfer and further processing:
Contextual shall process Customer Personal Data for the following purposes: (a) as necessary for the performance of the Services and Contextual’s obligations under the Agreement (including the DPA), including processing initiated by Customer’s users in their use and configuration of the Services; and (b) further documented, reasonable instructions from Customer agreed upon by the parties (the “Purposes”).

Period for which the personal data will be retained:
Contextual will retain Customer Personal Data for the term of the Agreement and any period after the termination or expiry of the Agreement during which Contextual processes Customer Personal Data in accordance with the Agreement.

ANNEX 1(C): COMPETENT SUPERVISORY AUTHORITY

Competent supervisory authority:
The data exporter’s competent supervisory authority will be determined in accordance with the EU GDPR.
ANNEX B
STANDARD CONTRACTUAL CLAUSES (Modules 2 and 3)
- Subject to Section 7.1 of the DPA, where the transfer of Customer Personal Data to Contextual is a Restricted Transfer and Applicable Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be governed by the Standard Contractual Clauses, which shall be deemed incorporated into and form part of the DPA as follows:
- In relation to transfers of Customer Personal Data protected by the EU GDPR, the SCCs shall apply as follows:
- Module Two terms shall apply (where Customer is the controller of Customer Personal Data) and the Module Three terms shall apply (where Customer is the processor of Customer Personal Data);
- in Clause 7, the optional docking clause shall apply and Authorized Affiliates may accede the SCCs under the same terms and conditions as Customer, subject to mutual agreement of the parties;
- in Clause 9, option 2 (“general authorization”) is selected, and the process and time period for prior notice of Subprocessor changes shall be as set out in Section 3.3 of the DPA;
- in Clause 11, the optional language shall not apply;
- in Clause 17, option 1 shall apply and the SCCs shall be governed by Irish law;
- in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- Annex I shall be deemed completed with the information set out in Annex A to the DPA; and
- Annex II shall be deemed completed with the information set out in the Security Addendum, subject to Section 6.1 (Security Measures) of the DPA.
- In relation to transfers of Customer Personal Data protected by the UK GDPR, the SCCs as implemented under Section 1(a) above shall apply with the following modifications:
- the SCCs shall be modified and interpreted in accordance with Part 2 of the UK Addendum, which shall be deemed incorporated into and form an integral part of the DPA;
- Tables 1, 2 and 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out in Annex A and Annex B to the DPA and the Security Addendum respectively, and Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”; and
- Any conflict between the terms of the SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
- In relation to transfers of Customer Personal Data protected by the Swiss Data Protection Act, the SCCs as implemented under Section 1(a) above will apply with the following modifications:
- references to “Regulation (EU) 2016/679” and specific articles therein shall be interpreted as references to the Swiss Data Protection Act and the equivalent articles or sections therein;
- references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” and/or “Swiss law” (as applicable);
- references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection and Information Commissioner” and “applicable courts of Switzerland”;
- the SCCs shall be governed by the laws of Switzerland; and
- disputes shall be resolved before the competent Swiss courts.
- Where the Standard Contractual Clauses apply pursuant to Section 7.1 of this DPA, this section sets out the parties’ interpretations of their respective obligations under specific provisions of the Clauses, as identified below. Where a party complies with the interpretations set out below, that party shall be deemed by the other party to have complied with its commitments under the Standard Contractual Clauses:
- where Customer is itself a processor of Customer Personal Data acting on behalf of a third party controller and Contextual would otherwise be required to interact directly with such third party controller (including notifying or obtaining authorizations from such third party controller), Contextual may interact solely with Customer and Customer shall be responsible for forwarding any necessary notifications to and obtaining any necessary authorizations from such third party controller;
- the certification of deletion described in Clause 16(d) of the SCCs shall be provided by Contextual to Customer upon Customer’s written request;
- for the purposes of Clause 15(1)(a) of the SCCs, Contextual shall notify Customer and not the relevant data subject(s) in case of government access requests, and Customer shall be solely responsible for notifying the relevant data subjects as necessary; and
- taking into account the nature of the processing, Customer agrees that it is unlikely that Contextual would become aware that Customer Personal Data processed by Contextual is inaccurate or outdated. To the extent Contextual becomes aware of such inaccurate or outdated data, Contextual will inform the Customer in accordance with Clause 8.4 of the SCCs.
ANNEX C
SUBPROCESSORS
| Entity Name | Purpose |
| --- | --- |
| Google LLC | Cloud Service Provider |
| Auth0 | Authentication Provider |
| Sentry | Error Monitoring Provider |
| Pylon | Customer Support |
| Slack | Customer Support |
ANNEX D
SECURITY ADDENDUM
Contextual maintains a comprehensive information security program, which includes administrative, physical and technical security measures designed to protect the Services and Customer Data. Contextual regularly tests and evaluates its security program and may review and update its security measures at any time; provided that such updates do not materially diminish the level of security relating to the Services and Customer Data.
- Encryption Measures
- Customer Data within Contextual’s control is encrypted at rest using strong encryption algorithms.
- Customer Data within Contextual’s control is encrypted in transit using secure protocols.
- Employee laptops are encrypted using full disk encryption.
- Credentials are transmitted securely.
- Access to operational environments requires the use of secure protocols.
- Access and Restoration Measures
- Strong access controls using the principle of least privilege.
- Differentiated rights system based on security groups and access control lists.
- Employees are granted only the access necessary to perform their job functions.
- Unique accounts and role-based access within operational and corporate environments.
- Access to systems is restricted by security groups and access-control lists.
- Authorization requests are tracked, logged, and audited on a regular basis.
- Employee access is removed upon termination or change of employment.
- Enforcement of Multi-factor Authentication (MFA) for access to critical and production resources where feasible.
- Strong and complex passwords are required.
- Passwords are never stored in clear text and are encrypted in transit and at rest.
- Account provisioning and de-provisioning processes.
- Segregation of responsibilities and duties to reduce opportunities for unauthorized or unintentional modification or misuse.
- Confidentiality requirements are imposed on employees.
- Mandatory security training for employees, which covers data privacy and governance, data protection, confidentiality, social engineering, password policies, and overall security responsibilities inside and outside of Contextual.
- Nondisclosure agreements with third parties.
- Separation of networks based on trust levels.
- Auditing, Testing, and Evaluation Measures
- User activity, including logins, configuration changes, deletions, and updates, is written automatically to audit logs in operational systems.
- All logs can be accessed only by authorized Contextual personnel and access controls are in place to prevent unauthorized access.
- Write access to logging data is strictly prohibited. Logging facilities and log information are protected against tampering and unauthorized access using access controls and security measures.
- Network segmentation and interconnections are protected and are reviewed at least bi-annually to ensure all configurations are appropriate.
- Regular vulnerability scans are performed on externally accessible systems.
- System patching services are performed to timely patch production infrastructure.
- User Identification and Authorization Measures
- Access to operational and production environments is protected using unique user accounts, strong passwords, use of Multi-Factor Authentication (MFA) where feasible, role-based access, and the least privilege principle.
- Authorization requests and provisioning are logged, tracked, and audited.
- User activity in operational environments, including access, modification, or deletion of data, is logged.
- Data Protection Measures
- Contextual’s customers’ instances are logically separated.
- Logins and data access are logged and monitored.
- Endpoint security software is deployed on all Contextual-managed systems.
- System inputs are recorded in log files.
- Access Control Lists (ACL) are in place.
- Multi-factor Authentication (MFA) is in place, where feasible.
- System Configuration Measures
- Third-party risk management procedures are in place, including change management.
- Measures in place to monitor changes to in-scope systems so that such changes follow Contextual’s process, and to mitigate the risk of un-detected changes to production.
- Access control policy and procedures in place.
- Data Minimization Measures
- Data collection is limited to the purposes of the processing.
- Security measures are in place to provide only the minimum amount of access necessary to perform required functions.
- Data Retention Measures
- After termination of a Customer’s agreement, Customer Data submitted to the Services is retained in inactive status within the Services until deleted in accordance with Contextual’s data retention processes.