Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements the Order Form and Platform Access and Services Agreement (the “Platform Terms”) (the DPA, along with the Platform Terms, is collectively referred to as the “Agreement”) entered into between Aumni, Inc. (“Aumni”) and the Customer (collectively with its affiliates and subsidiaries worldwide, “Customer”) the terms of this DPA are incorporated by reference therein. This DPA shall apply to all Processing of Customer Personal Data by Aumni to provide the Product as agreed to in the Order Form.

‍

If there is any conflict between this DPA and the Platform Terms, this DPA shall prevail solely to the extent of such conflict.

‍

1. DEFINITIONS

In this DPA, the following terms shall have the meanings set out below and their cognate terms shall be construed accordingly:

‍

1.1 Customer Data has the meaning given to it in the Platform Terms.

‍

1.2 Customer Personal Data means any Customer Data that is Personal Data processed by Aumni in connection with the performance of the Product. Customer Data does not include Out of Scope Customer Personal Data (as defined in Section 3.1 below).

‍

1.3 Data Breach means any unauthorized interference with the availability of, or any unauthorized, unlawful or accidental loss, misuse, destruction, alteration, acquisition of, access to, disclosure of, or damage to Customer Data or Confidential Information, or any other unauthorized Processing of Customer Personal Data that may adversely affect the privacy or security of individuals or the Customer. Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Data or Confidential Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other similar incidents.

‍

1.4 Data Protection Laws means all applicable laws relating to privacy, security, or protection of Personal Data, as may be defined in such laws, including, the EEA Law, U.S. State Privacy Laws such as the California Consumer Protection Act (“CCPA”) as amended by the California Privacy Rights Act of 2021 (“CCPA”), and any subsequent supplements, amendments, or replacements to the same.

‍

1.5 EEA means the European Economic Area and the European Union, Switzerland, and the United Kingdom of Great Britain and Northern Ireland (“UK”).  

‍

1.6 EEA Law means EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Addendums etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR”), the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”) and any successor or amendments thereto (including without limitation implementation of GDPR by Member States into their national law), and any other law relating to the data protection, security, or privacy of individuals that applies in the EEA.

‍

1.7 Personal Data means any information, that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household or with a particular individual’s or household’s device; or to the extent required by any applicable Data Protection Law any inferences drawn therefrom. Personal Data includes, but is not limited to, name, alias, postal address, identification number, phone number, physical address, email address, details of orders and fulfillments, location data, online identifiers such as internet protocol addresses, cookie or other unique identifiers or as otherwise defined (including under similar terms such as “personal information,” “personal health information,” “personally identifiable information,” and “sensitive personal information”) under Data Protection Laws.

‍

1.8 Process, processed, or processing means the collection, receipt, recording, organization, structuring, alteration, use, transmission, access, sharing, provision, disclosure, distribution, copying, transfer, storage, management, retention, deletion, combination, restriction, summarizing, aggregation, correlation, inferring, derivation, analysis, adaptation, retrieval, consultation, destruction, disposal, or other handling of Personal Data.

‍

1.9 Services means services provided by Aumni as agreed to and defined in the Order Form.

‍

1.10 Standard Contractual Clauses means the standard contractual clauses for international transfers published by the European Commission on June 4, 2021 governing the transfer of EEA Personal Data to Third Countries as adopted by the European Commission or Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”) relating to data transfers to Third Countries (collectively “EU SCCs”); (ii) the international data transfer addendum (“UK Transfer Addendum”) adopted by the UK Information Commissioner’s Office (UK ICO) for data transfers from the UK to Third Countries; or (iii) any similar such clauses adopted by a data protection regulator relating to Personal Data transfers to Third Countries, including without limitation any successor clauses thereto.

‍

1.11 Third Country means countries that have not received an adequacy decision from an applicable regulator relating to cross-border transfers of Personal Data, including regulators such as the European Commission, UK ICO, or Swiss FDPIC relating to data transfers.

‍

1.12 The terms “Business”, “business purpose”, Controller, Data Processor, Subprocessor, Data Subjects, Deidentify, Sell, Service Provider, Share, and Third Party shall have the same meaning as in the applicable Data Protection Laws, and their cognate terms shall be construed accordingly.

‍

2.  GENERAL DATA PROCESSING OBLIGATIONS

‍

2.1 Role of Parties. The parties acknowledge and agree that with respect to processing of Customer Personal Data, Aumni is a Data Processor, and a Service Provider (collectively “Processor”) and Customer is a Controller, except that if Customer is a Data Processor in which case Aumni is a Subprocessor.  If Customer is a Processor of Customer Personal Data, Customer represents and warrants that Customer’s instructions and Processing of Customer Personal Data, including its appointment of Aumni as a Subprocessor, have been authorized by the respective Controller.  

This DPA shall apply solely to the Processing of Customer Data by Aumni acting as a Processor or Subprocessor to provide the Services.

‍

2.2 Compliance with Data Protection Laws. Each party will comply with obligations under applicable Data Protection Laws in connection with Processing of Customer Personal Data.

‍

2.3 Purpose of Processing.  The purpose of Processing under this DPA is the provision of the Services pursuant to the Agreement and related ordering documentation.  Exhibit 1 (Details of Processing of Customer Personal Data) describes the subject matter and details of the Processing of Customer Personal Data.

‍

2.4 Customer Instructions and Restrictions on Processing.  

2.4.1. Aumni shall use, retain, disclose, or otherwise Process Customer Personal Data only on behalf of the Customer and for the specific business purpose of providing the Services and in accordance with Customer’s instructions, including as described in the Agreement. Aumni shall not Sell or Share Customer Personal Data, nor use, retain, disclose, or otherwise Process Customer Personal Data outside of its business relationship with the Customer or for any other purpose except as required by law. Aumni will inform Customer if, Aumni determines that it is no longer able to meet its obligations under Data Protection Laws or where in Aumni’s reasonable opinion, any of Customer’s instructions infringes any Data Protection Laws. Customer reserves the right to take reasonable and appropriate steps to ensure Aumni’s Processing of Customer Personal Data is consistent with Customer’s obligations under Data Protection Law and discontinue and remediate unauthorized use of Customer Personal Data.

‍

2.4.2. Aumni shall have rights to use Customer Personal Data solely (i) to the extent necessary to (a) perform its obligations under this Agreement; (b) operate, manage, test, maintain and enhance the Service including as part of its business operations; (c) to disclose aggregate statistics about the Service in a manner that prevents individual identification or reidentification of the Customer, Customer Data, any individual device, or individual person; and/or (d) protect the Service from a threat to the Service or Customer Personal Data; or (ii) if required by court order of a court or authorized governmental agency, provided that prior notice first be given to the Customer; (iii) as otherwise expressly authorized by the Customer or Data Protection Law.  

‍

2.4.3. Except where authorized by Customer, Aumni will not combine the Customer Personal Data, with Personal Data which it receives from or on behalf of another person or persons, or collects from its own interaction with individual, provided that Aumni may combine Personal Data to perform any business purpose permitted or required under the Agreement to perform the Services.

‍

2.4.4 The obligations imposed by this Section 2.4 apply to Personal Data only to the extent that Data Protection Laws require such obligations with respect to the Personal Data.  

‍

3. CUSTOMER’S OBLIGATIONS

‍

3.1 Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data that Customer provides or causes to provide to the Service, including without limitation the means by which Customer collected or obtained Customer Personal Data. Customer will use commercially reasonable efforts not to provide or cause to provide any data or information with Customer Personal Data that is not typically included in equity financing or fund transaction documents ("Out of Scope Customer Personal Data"). If Aumni discovers such Out of Scope Customer Personal Data, Aumni may provide to Customer that such information must be removed. If Out of Scope Customer Personal Data is provided, it will be handled with the same set of security requirements as all other data on the Aumni platform. Customer is solely responsible for the security and integrity of any Customer’s systems from where Customer Personal Data is provided to Aumni.

‍

3.2 Customer shall, in its use of the Services, Process Customer Personal Data in compliance with the requirements of Data Protection Laws, including any applicable industry standards and self-regulatory programs that are binding on Customer. Customer shall be responsible for complying with any notice and consent obligations under such Data Protection Laws.

‍

3.3 Customer understands and agrees that Customer is solely responsible for its own actions and activity in connection with the Customer Account and that Customer will keep its account passwords and login information confidential.

‍

4. CONFIDENTIALITY OBLIGATIONS

‍

Each party agrees, both during and after termination of this Agreement, to hold the Confidential Information in the strictest confidence and comply with the applicable confidentiality obligations in the Platform Terms.  

‍

5. AUMNI OBLIGATIONS

‍

5.1 Data Protection Compliance Assistance.

5.1.1 Where Aumni is acting as a Processor, Aumni will reasonably assist Customer in complying with its obligations under the applicable Data Protection Laws, including without limitation, conducting data protection impact assessments, and any consultations with the supervisory or regulatory authority.

‍

5.1.2 Aumni shall not perform its obligations under this Agreement in such a way as to cause Customer to breach any of its obligations under applicable Data Protection Laws.

‍

5.2 Data Subject Rights.

5.2.1 Where Aumni is acting as a Processor or Subprocessor, Aumni will promptly notify Customer in writing, and in any case without undue delay, if Aumni receives (i) any requests from a Data Subject, with respect to Customer Personal Data, including individual opt-out requests, requests for access and/or deletion and all similar individual rights requests; or (ii) any complaint or inquiry relating to the Processing of Customer Personal Data, including allegations that the Processing infringes on any individual's or third party's rights. Aumni will not respond to any such request or complaint unless expressly authorized to do so by Customer or required to respond under applicable Data Protection Laws.

‍

5.2.2 To the extent Customer, in its use of the Services, does not have the ability to respond to a request under this Section 5, Aumni shall upon Customer’s written request provide reasonable assistance to the Customer in responding to such request.

‍

5.2.3 Aumni shall comply with any instructions given by the Customer regarding responding to requests under this Section 5.

‍

5.3 Subprocessors.

5.3.1 Aumni will select and retain Subprocessors that have agreed by written contract to comply with terms substantially similar to those contained in this DPA to assist Aumni in performing its rights and obligations under the Agreement.  To the extent required by applicable Data Protection Law, Aumni will (i) provide Customer with a list of its Subprocessors upon request; and (ii) enable Customer to terminate the applicable Services without penalty by providing, before the end of the notice period, written notice of termination that includes an explanation of the grounds for non-approval if Customer does not approve of a new Subprocessor.  

‍

5.3.2 For EEA Customer Personal Data, Customer authorizes Aumni to use Vendor’s Subprocessors (as described in Clause 9 of the Standard Contractual Clauses). Aumni shall inform Customer of any intended changes concerning the addition or replacement of Subprocessors in accordance with Clause 9(a) of the Standard Contractual Clauses. Where that Subprocessor fails to fulfil its data protection obligations, Aumni shall remain fully liable to Customer for the performance of its Subprocessors obligations. Without limiting the foregoing, Aumni will develop and use reasonable steps to select and retain Subprocessors that assist Aumni in performing its obligations under the Agreement that are capable of maintaining security practices consistent with this DPA and requiring such Subprocessor to agree by written contract to comply with terms substantially similar to those contained in this DPA.

‍

5.4 Staff Confidentiality. Aumni shall implement policies and procedures designed to ensure that all employees, agents, officers, consultants, Subprocessors and any third party authorized to Process the Customer Personal Data or Confidential Information are subject to written confidentiality agreements or are under an appropriate statutory obligation of confidentiality.

‍

5.5 Security. Aumni will implement and maintain commercially reasonable administrative, technical and physical safeguards, including procedures and practices commensurate with the level of sensitivity of the Customer Personal Data and Confidential Information and the nature of its activities under the Agreement, to protect the security, confidentiality and integrity of such information Processed by Aumni or in its possession and control including such safeguards (a) designed to ensure the security of systems upon which such information is Processed; and (b) designed to prevent a Data Breach. The description of technical and organization measures designed to ensure the security of Customer Personal Data is described more fully in Exhibit 2 (Aumni Security Measures) to the DPA.

‍

5.6 Data Breach.

5.6.1. In the event Aumni discovers or learns of a Data Breach affecting Customer Data, Aumni shall take appropriate and prompt steps to: (a) investigate, mitigate, and remedy the Data Breach and prevent further Data Breaches, (b) notify Customer of such Data Breach without unreasonable delay; (c) furnish to Customer necessary and relevant details of the Data Breach as may be available; (d) assist Customer, as needed, in its investigation, mitigation, and remedying of the Data Breach; (e) provide information and reasonably assist Customer, as needed, in meeting Customer’s legal obligations, including any applicable obligations to notify individuals affected by the Data Breach; and (f) cooperate with Customer in any other reasonable action, step, or proceeding as may be deemed necessary by Customer in connection with the Data Breach and any dispute, inquiry or claim concerning the Data Breach.

‍

5.6.2. Unless prohibited by an applicable statute or court order, Aumni shall notify Customer of any third-party legal process relating to any Data Breach, including, but not limited to, any legal process initiated by any governmental entity.

‍

5.6.3. Aumni will comply with any reasonable instructions given by the Customer regarding any requests in connection with a Data Breach.

‍

‍5.6.4. Aumni’s cooperation or obligation to report or respond to Data Breaches under this DPA is not and will not be interpreted as an acknowledgment by Aumni of any fault or liability of Aumni with respect to a Data Breach.

‍

5.7 Audits.

5.7.1. Upon written request from the Customer, Aumni shall make available to the Customer once a year such information as is reasonably required by the Customer to demonstrate Aumni’s compliance with its obligations under this DPA.

‍

5.7.2. If the Customer in its reasonable opinion determines that the information provided under Section 5.7.1 is not sufficient, Aumni will assist with Customer’s request for additional information through completing a reasonable questionnaire or request for information provided by Customer (“Questionnaire”), or a third party acting on Customer’s behalf, regarding Aumni’s compliance with this Addendum.

‍

5.7.3. If the Customer in its reasonable opinion determines that the information provided under Section 5.7.2 is not sufficient, Aumni will allow the Customer or a third party acting on behalf of the Customer to conduct audits solely as necessary to fulfill Customer's obligations under Data Protection Laws no more than once annually.

‍

5.7.4. Any such audit under this Section 5.7 will occur only after Customer has provided Aumni with at least 60 days’ prior written notice and during a mutually agreed upon date, time, and location. Audits must not unreasonably interfere with Aumni’s business or operations and the scope of such audit will be subject to Aumni’s reasonable pre-approval. Individuals responsible for conducting such audit shall be subject to a contract of confidentiality with Aumni. The work required by Aumni to participate in any audit may result in additional fees (at a mutually agreed upon hourly rate) to be paid by the Customer, unless otherwise agreed in writing prior to the commencement of such audit. If the audit reveals any vulnerability or inadequacy, Aumni shall correct any such vulnerability or inadequacy at its sole cost and expense and shall certify the same in writing to Customer.

‍

5.7.5. To ensure that Aumni complies with applicable Data Protection Laws and its contractual obligations regarding data privacy and security, the Customer agrees that Aumni is not required to provide the Customer with access to the Aumni’s systems or information in a manner that may compromise the security, privacy, or confidentiality of Aumni’s other Customers’ confidential or proprietary information. Any information disclosed pursuant to this Section 5.7 will be deemed Aumni’s Confidential Information.

‍

6. DATA TRANSFERS

‍

6.1. Transfers of EEA Customer Personal Data by Customer to Aumni or Aumni to Customer in Third Countries are subject to the Standard Contractual Clauses, Module Two (“Controller to Processor”), and Module Three (“Processor to Processor”) attached to this DPA and incorporated by reference. The information required for the purposes of the SCCs is provided in Exhibit 1 (“Description of Processing and Transfer Details”) to this DPA. The Parties agree that the SCCs are incorporated into this DPA without further need for reference, incorporation, or attachment and that by signing the Agreement and executing this DPA, each party is deemed to have signed and executed the SCCs.

‍

6.2 Where the Customer Personal Data is subject to the Swiss DPA, the SCCs above shall be read to be modified as follows as applicable:

‍

a. References to “Regulation (EU) 2016/679” and any articles therefrom shall be interpreted to include references to the Swiss DPA.  

b. References to “EU”, “Union” and “Member State” shall be interpreted to include references to “Switzerland”.

‍

6.3 For Customer Personal Data transfers subject to UK Data Protection Law and transferred in accordance with the UK Transfer Addendum, the Parties agree as follows:

‍

a. Each Party agrees to be bound by the terms and conditions set out in the UK Transfer Addendum, in exchange for the other Party also agreeing to be bound by the UK Transfer Addendum.

b. The Standard Contractual Clauses will be interpreted in accordance with Part 2 of the UK Transfer Addendum.  

c. Sections ‎9 to ‎11 of the UK Transfer Addendum override Clause 5 (Hierarchy) of the EU SCCs

d. For the purposes of Section 12 of the UK Transfer Addendum, the EU SCCs will be amended in accordance with Section 15 of the UK Transfer Addendum.  

e. Information required by Part 1 of the UK Transfer Addendum is provided as Exhibit 1 to this DPA.

f. To the extent that any revised transfer addendums or mechanisms are issued by the UK ICO, the Parties agree to incorporate such revisions in accordance with Section 18-20 of the UK Transfer Addendum.

‍

6.4. For Customer Personal Data transfers subject to other Data Protection Laws and require the use of SCC’s (or other measures) to transfer Customer Personal Data to Third Countries, the parties agree to implement the same as soon as practicable and document such requirements for implementation.

‍

6.5. To the extent that any substitute or additional appropriate safeguards or mechanisms under any Data Protection Laws are required to transfer data to a Third Country the parties agree to implement the same as soon as practicable and document such requirements for implementation in an attachment to this DPA.

‍

‍7. RETURN OR DESTRUCTION OF CUSTOMER PERSONAL DATA

‍

7.1. To the extent Customer does not already have the ability to do so as part of the Services, either upon request or direction by Customer or within thirty (30) days of the termination or expiration of this Agreement, Aumni will reasonably assist and cooperate with the Customer (a) to provide a copy of all Customer Personal Data in Aumni’s possession to the Customer and upon written verification from Customer of Customer’s receipt of such Customer Personal Data, destroy such information in accordance with this Section 7; (b) subject to Section 7.1 (a), promptly and securely destroy all such Customer Personal Data  in accordance with applicable Data Protection Laws; and (c) certify in writing that it has complied with this Section 7; and in the case of 7.1(b) and 7.1(c), except to the extent that Aumni is required by applicable law to keep a copy of the Customer Personal Data.  

‍

7.2. Aumni agrees to comply with the terms of this DPA to the extent any Customer Personal Data is remains in its possession or control in accordance with this Section 7.1.

Exhibit 1 to Data Protection Agreement

‍

‍DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

This Exhibit 1 includes details of the Processing of Customer Personal Data by Aumni.

‍

1. Customer Details (for SCC purposes, the “Data Exporter”)

Company Name - As mentioned in the applicable Order Form

Address - As mentioned in the applicable Order Form

Contact name, position, and contact information - As mentioned in the applicable Order Form

Role - Controller

‍

2. Aumni Details (for SCC purposes, the “Data Importer”)

Company Name - Aumni, Inc.

Address - 2800 E. Cottonwood Parkway, Suite 110, Cottonwood Heights, Utah 84121

Contact name, position, and contact information - As mentioned in the applicable Order Form

Role - Processor

‍

3. Activities relevant to the data processed in accordance with this DPA (and, for SCC purposes, transferred under these Clauses)

The activities relevant to the data transferred at the Services more fully described in the Agreement and applicable ordering documents.

For processing involving Customer Personal Data relating to California consumers, we process such Customer Personal Data for the following business purposes:

• Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes
• ​ Debugging to identify and repair errors that impair existing intended functionality
• Performing the Services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business. 
• Undertaking internal research for technological development and demonstration
• Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
• To retain and employ another service provider or contractor as a subcontractor, where the subcontractor meets the requirements for a service provider or contractor under CCPA and the accompanying regulations.
• To build or improve the quality of the Services we provide.
• To prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent, or illegal activity.

4. Processing Information

Categories of data subjects whose personal data is processed –

Customer may submit or give access to Customer Personal Data to Aumni, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to Customer Data relating to the following categories of data subjects:

‍

• Customer’s authorized users, employees, agents, or representatives

• Customer’s customers

‍

Categories of personal data processed –

Aumni may process the following categories of Customer Personal Data: As to Customer’s authorized users, employees, agents, or representatives, contact details of the individual which may include first and last name, email address and IP address.

‍

To the extent Customer provides or causes to provide the following Customer Personal Data to Aumni, the following categories of Personal Data may be processed:

‍

• Contact details including phone numbers and postal address

• Government identification numbers (e.g., W-9 (including SSN), passport, driver’s license, national ID card, etc.)

• Documents for address verification (e.g., copies of utility bills)

• Financial account numbers and related information (e.g., wire transfer details)

• Documents for verification of relationships between the investor and its beneficial owners.

‍

Sensitive personal data processed – None

Frequency of the processing – Continuous

‍

Nature of the processing and purpose of the data processing and further processing - The objective of Processing of Customer Personal Data by Aumni is the performance of the Agreement and this DPA.

‍

Period for which the personal data will be retained or criteria used to determine that period - Subject to Section 7 (Return or Deletion of Customer Personal Data) of this DPA, Aumni will process Customer Data for the duration of the Agreement, unless otherwise agreed upon in writing.  

‍

Subprocessor (subject matter, nature, and duration of processing) - In addition to the following, the subject matter, nature, and duration of the Processing more fully described in the Agreement, DPA, and accompanying order forms.

Exhibit 2 to Data Protection Agreement

‍

‍Aumni Security Measures

‍

Aumni will implement and maintain a written security program with commercially reasonable administrative, technical, and physical safeguards, including procedures and practices commensurate with the level of sensitivity of the Customer Data and the nature of its activities under the Agreement, to protect the security, confidentiality, availability, and integrity of Customer Data Processed by Aumni or in its possession and control including such safeguards (a) to protect the security of systems upon which such data is Processed; and (b) designed to prevent a Data Breach.

‍

Aumni’s personnel will not Process Customer Data without authorization. Aumni’s Personnel are obligated to maintain the confidentiality of any Customer Data and this obligation continues even after their engagement ends.

‍

Without limiting the foregoing, Aumni will:

‍

1. Develop and use reasonable steps to select and retain agents and subcontractors that assist Aumni in performing its obligations under the Agreement that are capable of maintaining security practices consistent with this DPA and requiring such Subprocessors to agree by written contract to comply with terms substantially similar to those contained in this DPA;

‍

2. Conduct routine risk assessments to identify, document, and remediate material internal and external risks to the security, confidentiality, availability, and integrity of Customer Data that could result in a Data Breach, and assess the sufficiency of any security measures in place to control these risks;

‍

3. At a minimum, the risk assessments required by subpart (2) should include assessment of risks in each area of relevant operation, including, but not limited to:

‍

i. employee training and management;

ii. secure system design and testing;

iii. quarterly (at a minimum) security and vulnerability scans; and

iv. review, assessment, and response to internal and third-party security vulnerability reports;

‍

4. Design and implement reasonable safeguards to control the risks identified through the risk assessments, including through reasonable and appropriate security policies and guidelines and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;

‍

5. Establish and enforce written procedures that follow role-based access control principles to control access to systems, networks, services, and facilities that may Process or store Customer Data and make such procedures available to Customer upon request.

‍

6. Monitor access by Aumni personnel to Customer Data and limit any such access to those with a need to know in order to perform its obligations under the Agreement;

‍

7. Implement multi-factor authentication for any system Processing Customer Data;

‍

8. Implement and conduct routine security training for Aumni personnel with access to Customer Data;

‍

9. Implement anti-malware software on any systems that Process Customer Data;

‍

10. Commensurate with the nature and sensitivity of the Customer Data, encrypt Customer Data in transit across public networks or outside of Aumni’s physical or logical controls and at rest when stored on any device or storage media (such as servers, databases, backups, etc.)  using industry standard encryption tools.

‍

11. Provide reasonable assistance to Customer in Customer’s assessment and implementation of appropriate administrative, technical, and physical safeguards to provide an appropriate level of security of Customer Data, including (upon Customer’s reasonable request) completion of periodic assessments;

‍

12. Automatically collect system, application, and user level logs on an ongoing basis for any network or system Processing Customer Data and retain such logs for security response for at least one year;

‍

13. Implement, maintain, and monitor physical security controls for any processing facilities that are used for Processing Customer Data, including without limitation appropriate perimeter security that provide protection against unauthorized access, damage, or interference; and

‍

14. Evaluate and adjust its security program in light of the results of the testing and monitoring required by subpart (2), any material changes to Aumni’s operations or business arrangements, or any other circumstances that Aumni knows or has reason to know may have a material impact on the effectiveness of its security program.

‍

Business Continuity and Disaster Recovery Requirements:

‍

During the term of the Agreement or so long as Aumni Processes Customer Data, whichever is longer, Aumni shall implement and maintain a disaster recovery plan that ensures that all Customer Data Processed by Aumni is capable of being recovered, and that the integrity of all such recovered Customer  Data is retained, in the event that Aumni's network, systems or other facilities experience a Data Breach or any significant interruption or impairment of operation or any loss, deletion, corruption, or alteration of Personal Information (“Disaster Recovery Plan”).