1. Introduction
This Data Processing Addendum (this “Addendum” or “DPA”) is supplementary to and forms part of the terms of service available at https://respona.com/terms-of-service/ or such other URL as Respona may designate from time to time (the “Agreement”) between:
- Respona, LLC, a Delaware limited liability company doing business as Respona (“Respona”), and
- the entity or person(s) identified as customer in the relevant customer account or order form referencing this Addendum (as applicable) (“Customer”).
This Addendum applies where and to the extent that Respona is acting as a Processor or service provider (as applicable) of Personal Data on behalf of Customer under the Agreement. In the event of any conflict between this Addendum and the Agreement, this Addendum shall prevail to the extent of such conflict.
This Addendum forms part of the Agreement solely with respect to Respona’s processing of Personal Data and does not otherwise modify the Agreement. Any capitalized terms not defined in this Addendum shall have the meaning given to them in the Agreement.
For clarity, the Services under the Agreement include Customer’s use of the Respona Platform and any done-for-you link building or outreach product that Respona provides to Customer.
By continuing to use the Services after the effective date of this Addendum, Customer agrees to the terms of this Addendum. Each party enters into this Addendum on behalf of itself and, to the extent required by Applicable Privacy Laws, on behalf of its Affiliates using the Services.
2. Definitions and Interpretation
In this Addendum, the following terms shall have the meanings set out below:
“Affiliate” means, with respect to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with that party, where “control” means the ownership or control of more than fifty percent of the voting interests of the entity or the ability to otherwise direct the management or policies of that entity. An entity shall be considered an Affiliate only for so long as such control exists.
“Applicable Privacy Laws” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question including, where applicable:
(i) European Privacy Laws;
(ii) the Australian Privacy Act 1988 (Cth) (“Australian Privacy Laws”);
(iii) the New Zealand Privacy Act 2020;
(iv) the Philippines Republic Act No. 10173;
(v) the Brazilian Data Protection Law (Brazil) No. 13,709/2018 (Lei Geral de Proteção de Dados Pessoais) (the “LGPD”);
(vi) the California Consumer Privacy Act of 2018 and its regulations, as amended from time to time (including by the California Privacy Rights Act) (collectively, the “CCPA”);
(vii) the Virginia Consumer Data Protection Act of 2021 (the “VCDPA”); and
(viii) any similar United States state privacy laws to the extent applicable,
in each case as amended, superseded, or replaced from time to time.
“Data Subject” means an identified or identifiable natural person whose Personal Data is processed.
“European Privacy Laws” means:
(i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”);
(ii) the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”);
(iii) the Swiss Federal Data Protection Act and its corresponding ordinances (the “Swiss DPA”);
(iv) Directive 2002/58/EC on Privacy and Electronic Communications; and
(v) any national law made under or pursuant to items (i) to (iv),
in each case as amended, superseded, or replaced from time to time.
“Personal Data” means any information relating to an identified or identifiable individual or any other information defined as “personal data” or “personal information” under Applicable Privacy Laws.
“Restricted Transfer” means:
(i) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside the EEA that is not subject to an adequacy decision by the European Commission;
(ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country that is not based on adequacy regulations pursuant to Section 17A of the UK GDPR; and
(iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside Switzerland that is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
“SCCs” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, as may be amended, superseded, or replaced from time to time.
“UK Addendum” means the International Data Transfer Addendum to the European Commission’s standard contractual clauses (version B1.0) issued by the UK Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, as may be amended, superseded, or replaced from time to time.
The terms “Controller,” “Processor,” “Data Subject,” and “processing” have the meanings given to them in Applicable Privacy Laws or, if not defined therein, the GDPR (and “process,” “processes,” and “processed” shall be interpreted accordingly). The terms “Business,” “Service Provider,” and “Share” have the meanings given to them in the CCPA.
Any capitalized terms used but not defined in this Addendum shall have the meanings given to them in the Agreement.
3. Processing of Personal Data
3.1 Relationship of the parties
Customer is a Controller or Business (as applicable) of the Personal Data that it provides or otherwise makes available to Respona under the Agreement (the “Data”). Respona shall process the Data solely as a Processor or Service Provider (as applicable) on behalf of Customer.
Respona and Customer shall each comply with their respective obligations under Applicable Privacy Laws and applicable guidance from data protection authorities with respect to such processing. Where the concepts of Controller and Processor are not expressly contemplated by Applicable Privacy Laws, the parties’ obligations in connection with this Addendum shall be interpreted under those laws to align as closely as possible with the scope of those roles while still complying fully with those laws.
3.2 Purpose limitation
Respona shall process the Data as necessary to perform its obligations under the Agreement strictly in accordance with the documented instructions of Customer (the “Permitted Purpose”).
Respona shall not:
- (a) retain, use, disclose, or otherwise process the Data for any purpose other than the Permitted Purpose (including for its own commercial purposes), except where otherwise required by Applicable Privacy Laws applicable to Respona; or
- (b) sell or share the Data within the meaning of the CCPA, VCDPA, or any similar law, or otherwise process the Data for cross-context behavioral advertising.
Respona shall not combine the Data with personal data collected from other sources except as permitted by Applicable Privacy Laws and solely as necessary to provide the Services.
Respona shall promptly inform Customer if it becomes aware that Customer’s processing instructions infringe Applicable Privacy Laws, but Respona will not be obliged to actively monitor Customer’s compliance with Applicable Privacy Laws.
The parties acknowledge that Customer’s transfer of Data to Respona is not a “sale” or “sharing” of personal information within the meaning of Applicable Privacy Laws and that Respona does not provide monetary or other valuable consideration to Customer in exchange for the Data.
Customer acknowledges that its instructions must be lawful and technically feasible, and Customer shall not instruct Respona to process Data in a manner that would violate Applicable Privacy Laws or the technical limits of the Services.
4. International Transfers and Standard Contractual Clauses
4.1 International transfers
To the extent that Respona transfers the Data (or permits the Data to be transferred) to a country other than the country in which the Data was first collected, Respona shall take such measures as are necessary to ensure that the transfer is made in compliance with Applicable Privacy Laws.
Such measures may include, without limitation:
- transferring the Data to a recipient that has executed standard contractual clauses adopted by the European Commission, the UK Secretary of State, the UK Information Commissioner’s Office, or the Brazilian Data Protection Authority (as applicable); or
- transferring the Data to a recipient that has entered into a contract with Respona that ensures the Data will be protected to the standard required by Applicable Privacy Laws.
Respona will protect the Data in a way that overall provides safeguards that are comparable to those in the jurisdiction in which the Data was first collected.
4.2 Standard Contractual Clauses (EEA)
To the extent that the transfer of Data from Customer to Respona involves a Restricted Transfer, the SCCs shall be incorporated by reference and form an integral part of this Addendum, with Customer as “data exporter” and Respona as “data importer.” For the purposes of the SCCs:
- (a) the Module Two (Controller to Processor) terms shall apply, and Modules One, Three, and Four shall not apply;
- (b) in Clause 9, Option 2 shall apply (general written authorization for Subprocessors);
- (c) in Clause 11, the optional language shall be deleted;
- (d) in Clause 17, Option 1 shall apply and the SCCs shall be governed by Irish law;
- (e) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- (f) the Annexes of the SCCs shall be populated with the information set out in this Addendum and any annexes to it; and
- (g) if and to the extent that the SCCs conflict with any provision of the Agreement or this Addendum, the SCCs shall prevail to the extent of such conflict.
4.3 UK transfers
In relation to Data that is protected by the UK GDPR, the SCCs as incorporated under Section 4.2 shall apply with the following modifications:
- (a) the SCCs shall be amended as specified by the UK Addendum, which shall be incorporated by reference;
- (b) Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed using the information contained in this Addendum and any annexes;
- (c) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “importer”; and
- (d) any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Sections 10 and 11 of the UK Addendum.
4.4 Swiss transfers
In relation to Data that is protected by the Swiss DPA, the SCCs as incorporated under Section 4.2 shall apply with the following modifications:
- (a) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;
- (b) references to “EU,” “Union,” and “Member State” shall be replaced with “Switzerland”;
- (c) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the “Swiss Federal Data Protection and Information Commissioner” and the competent Swiss courts; and
- (d) the SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts.
5. Confidentiality of Processing
Respona shall ensure that any person it authorizes to process the Data, including Respona’s staff, agents, and subcontractors (each an “Authorised Person”), is subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty). Such obligations may arise from a written confidentiality agreement, employment contract, professional duty, or applicable law, and shall remain in effect both during and after the Authorised Person’s engagement with Respona. Respona shall ensure that Authorised Persons access and process the Data solely as necessary to perform their assigned duties for the Permitted Purpose and in accordance with this Addendum.
Respona shall provide appropriate training to Authorised Persons regarding data protection, information security, and proper handling of the Data. Respona shall implement access controls to ensure that Authorised Persons only have access to the minimum amount of Data required for their role. Respona shall promptly remove access to the Data for any Authorised Person who no longer requires such access, whether due to a change in role, termination of engagement, or any other reason.
Respona shall monitor compliance with confidentiality obligations and shall take appropriate disciplinary or corrective measures if any Authorised Person fails to comply with the requirements of this Addendum. Respona shall remain responsible for the actions and omissions of its Authorised Persons when processing the Data.
6. Security
Respona shall implement appropriate technical and organizational measures to protect the Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access (each a “Security Incident”), taking into account the nature of the Data and the risks involved in the processing.
Such measures may include, as appropriate:
- encryption in transit and at rest;
- access controls and authentication;
- network security measures;
- regular security testing and monitoring; and
- policies and training for personnel.
7. Subprocessing
Customer authorizes Respona to engage third party Processors (“Subprocessors”) to process the Data for the Permitted Purpose, provided that:
- Respona imposes data protection terms on any Subprocessor it engages that ensure substantially the same standard of protection as provided under this Addendum and, where applicable, the SCCs or UK Addendum; and
- Respona remains fully liable to Customer for any breach of this Addendum that is caused by an act, error, or omission of its Subprocessors.
For the purposes of Clause 9(c) of the SCCs, Customer acknowledges that Respona may be restricted from disclosing copies of Subprocessor agreements to Customer due to confidentiality obligations. Where Respona cannot disclose a Subprocessor agreement in full, Respona shall, upon request and subject to any confidentiality obligations, provide Customer with all information it reasonably can about such agreement.
Respona may update the list of Subprocessors from time to time. Where required by Applicable Privacy Laws, Respona will provide Customer with an opportunity to object to a new Subprocessor in accordance with those laws.
8. Cooperation and Data Subject Rights
Respona shall provide all reasonable and timely assistance to Customer, at Customer’s cost, to enable Customer to respond to:
- (a) any request from a Data Subject to exercise any of its rights under Applicable Privacy Laws, including rights of access, rectification, restriction, objection, erasure, or data portability, as applicable; and
- (b) any other correspondence, inquiry, or complaint received from a Data Subject, regulator, or other third party in connection with Respona’s processing of the Data.
In the event that any such request, correspondence, inquiry, or complaint is made directly to Respona, Respona shall promptly notify Customer and provide full details of the matter, unless prohibited by law. Respona shall not respond directly to any such request without Customer’s prior written authorization, unless required by law.
9. Data Protection Impact Assessments and Prior Consultation
To the extent required by Applicable Privacy Laws, Respona shall provide Customer with all reasonable and timely assistance, at Customer’s cost, as Customer may require in order to:
- (a) conduct data protection impact assessments relating to the Services and Respona’s processing of the Data; and
- (b) consult with data protection authorities in relation to any high risk processing of the Data.
Any such assistance shall not include providing access to Respona’s internal systems, infrastructure, proprietary information, or confidential business records, except to the extent expressly required by Applicable Privacy Laws.
Respona shall not be responsible for determining whether Customer’s use of the Services constitutes “high risk” processing or whether a data protection impact assessment or prior consultation is required. Customer is solely responsible for making such determinations and ensuring compliance with all applicable obligations.
Respona’s obligation to assist is conditioned upon Customer providing sufficient detail regarding the contemplated processing activities to enable Respona to understand the nature of the assessment or consultation required.
10. Security Incidents
Upon becoming aware of a Security Incident affecting the Data, Respona shall inform Customer without undue delay and shall provide all such timely information and cooperation as Customer may reasonably require in order for Customer to fulfill its data breach reporting obligations under Applicable Privacy Laws, taking into account the nature of the Data and the processing and the information available to Respona.
Respona shall further take reasonable measures to remedy or mitigate the effects of the Security Incident and keep Customer informed of material developments in connection with the Security Incident.
Customer shall not communicate or publish any notice or admission of liability concerning any Security Incident which directly or indirectly identifies Respona, including in any legal proceeding or in any notification to regulatory authorities or affected Data Subjects, without Respona’s prior written approval, unless Customer is compelled to do so under Applicable Privacy Laws. In any event, Customer shall provide Respona with reasonable prior written notice of any such communication or publication where legally permitted.
11. Deletion or Return of Data
Upon termination or expiry of the Agreement, Respona shall, at Customer’s written election, either:
- (a) delete all Data in its possession or control; or
- (b) return to Customer all Data in its possession or control and then delete existing copies, in each case within a reasonable period.
This requirement shall not apply to the extent that Respona is required by Applicable Privacy Laws or other applicable law to retain some or all of the Data, in which event Respona shall isolate and protect the Data from any further processing except to the extent required by such law until deletion is possible.
12. Audit Rights
Customer shall have the right, at its own expense, to verify Respona’s compliance with the obligations set forth in this Addendum. Respona shall make available to Customer all information reasonably necessary to demonstrate such compliance, including summaries of third-party audit reports, penetration testing results, records of technical and organizational security measures, and descriptions of internal policies and procedures, to the extent such disclosures do not compromise Respona’s security or confidentiality obligations. Customer agrees that Respona’s obligations under this Section may be fully satisfied by providing independent third-party certifications or audit attestations, such as SOC reports or other industry-standard assessments, where available.
Any on-site inspection requested by Customer shall be permitted only where required by Applicable Privacy Laws or where Customer has a reasonable and documented belief that Respona has materially breached this Addendum. Customer shall provide no less than thirty days’ written notice of any such request and shall conduct the review during normal business hours in a manner designed to minimize disruption to Respona’s operations. Customer shall ensure that any individuals conducting the audit are bound by written confidentiality obligations no less protective than those contained in the Agreement. Nothing in this Section shall require Respona to disclose trade secrets, proprietary information, information relating to other customers, or information that Respona reasonably determines would present a security or confidentiality risk. All audits shall be limited to what is strictly necessary to verify Respona’s compliance with this Addendum.
13. Prohibited Data Types
Customer is solely responsible for determining whether the Data it provides to Respona is appropriate for the Services and is lawfully collected in accordance with Applicable Privacy Laws. Customer acknowledges and agrees that the Services are not designed to process certain categories of highly sensitive or regulated information. Customer shall not provide, upload, transmit, or otherwise make available to Respona any data that constitutes government-issued identification numbers, financial account or payment card numbers outside of the limited scope of transaction data processed by Respona’s payment processors, personal health information governed by HIPAA or similar health privacy laws, biometric identifiers, genetic data, information regarding an individual’s sexual orientation or sexual life, information relating to criminal convictions or offenses, information regarding children under sixteen years of age, or any other category of data considered sensitive or special category data under Applicable Privacy Laws unless the parties have expressly agreed in writing and have implemented additional safeguards required under such laws.
Customer further represents and warrants that it will not use the Services to process data subject to specialized regulatory frameworks such as HIPAA, GLBA, FERPA, FCRA, or other sector-specific laws unless expressly authorized in writing. Customer shall ensure that any Data it provides to Respona is accurate, not excessive in relation to the purpose of the Services, and obtained with all necessary disclosures, consents, permissions, and legal bases required under Applicable Privacy Laws. Respona shall have no obligation to evaluate the legality of Customer’s Data collection practices and shall be entitled to rely on Customer’s representations regarding the nature of the Data and Customer’s compliance with all applicable requirements.
14. Processing Duration
Respona shall process the Data only for the duration of the Agreement and solely for the Permitted Purpose, unless a different retention period is expressly required under Applicable Privacy Laws. Upon expiration or termination of the Agreement, Respona shall cease processing the Data except to the extent necessary to comply with legal obligations, resolve disputes, maintain security measures, or enforce contractual rights. Any continued retention required by law shall be limited to the minimum period necessary, and Respona shall ensure that such retained Data is subject to appropriate safeguards and is isolated from further processing unrelated to those legal obligations. Customer acknowledges that certain anonymized or aggregated information that cannot reasonably be used to identify an individual may be retained by Respona for analytics, security enhancement, or internal business purposes, provided that such information does not constitute Personal Data under Applicable Privacy Laws.
15. Modifications to this DPA
Respona may modify this Addendum to reflect changes in Applicable Privacy Laws, regulatory guidance, or industry-standard security practices. Any modification that materially alters the rights or obligations of the parties shall take effect no sooner than thirty days after written notice to Customer, unless an earlier effective date is required to comply with legal obligations or to address a security risk. Customer’s continued use of the Services after the effective date of a modification shall constitute acceptance of the updated Addendum. If Customer objects to a material modification that is not mandated by law, the parties shall work together in good faith to reach a commercially reasonable solution. If no such solution is achieved, Customer may terminate the affected Services, and such termination shall be treated as termination under the Agreement. No modification to this Addendum shall be binding on either party unless made in accordance with this Section.
ANNEX I – DESCRIPTION OF PROCESSING ACTIVITIES
This Annex describes the subject matter, nature, purpose, duration, and scope of Respona’s processing of Personal Data on behalf of Customer, as required under the Standard Contractual Clauses and Applicable Privacy Laws.
1. Categories of Data Subjects
Respona processes Personal Data relating to individuals whose information Customer elects to upload, store, or otherwise make available through the Services. This may include Customer’s employees, contractors, and authorized users who administer or access the Services, as well as Customer’s business contacts, sales prospects, outreach recipients, and individuals who respond to or engage with communications facilitated through the Services. Data Subjects may also include individuals whose information is captured in technical logs necessary for the operation and security of the Services.
2. Categories of Personal Data
The Personal Data processed by Respona on behalf of Customer may include identifiers such as names, email addresses, professional titles, employer information, and contact details. It may also include communications metadata, such as email headers, reply signals, engagement indicators, and outreach content created by Customer. In addition, the Services may process technical information generated through use of the platform, including IP addresses, device information, log files, time stamps, usage analytics, and other diagnostic data required to ensure security and functionality. Customer is prohibited from providing special category or sensitive data, and nothing in the Services is designed for such data.
3. Nature and Purpose of the Processing
Respona processes Personal Data solely for the purpose of providing, maintaining, securing, and supporting the Services under the Agreement. This includes enabling outreach campaigns, detecting replies, generating analytics, performing link-building activities, troubleshooting operational issues, monitoring platform performance, implementing security controls, and improving the core functionality of the Services. The processing may also include storage, organization, retrieval, transmission, and deletion of Personal Data as required to fulfill the Services and Customer’s documented instructions.
4. Subject Matter and Duration of Processing
The subject matter of the processing is the Personal Data that Customer submits to, stores on, transmits through, or otherwise makes available within the Services. Respona will process such Personal Data for the duration of the Agreement, unless a longer retention period is required by Applicable Privacy Laws or expressly permitted under this Addendum. Upon termination or expiry of the Agreement, processing shall cease except as required under Sections 11 and 14 of this Addendum.
5. Frequency of Processing
Respona processes Personal Data on a continuous and ongoing basis for as long as Customer uses the Services. Processing occurs whenever Customer uploads or interacts with data within the platform, whenever outreach communications are executed, and whenever the system generates logs, analytics, or other operational outputs necessary to perform the Services.
6. Roles of the Parties
Customer acts as the Controller or Business with respect to Personal Data submitted to the Services. Respona acts solely as a Processor or Service Provider, processing Personal Data only on behalf of and under the instructions of Customer, consistent with the Agreement and this Addendum.
ANNEX II – TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
This Annex describes in detail the technical and organizational measures implemented by Respona to protect Personal Data processed on behalf of Customer. These measures are intended to ensure a level of security appropriate to the risks presented by the processing, consistent with the requirements of Applicable Privacy Laws, the SCCs, and industry standards for secure cloud-based services.
1. Governance and Information Security Program
Respona maintains a formal, documented information security program overseen by senior management. This program establishes administrative, technical, and physical safeguards designed to preserve the confidentiality, integrity, and availability of Personal Data. The security program includes clearly assigned roles and responsibilities, internal oversight procedures, risk assessments, employee training, and continuous improvement processes. Policies within the program cover access control, data handling, incident response, acceptable use, secure development, change management, vendor oversight, and encryption. These policies are reviewed periodically and updated as necessary to reflect regulatory changes, industry developments, and identified risks.
2. Risk Assessment and Risk Management
Respona conducts periodic risk assessments that evaluate the likelihood and potential impact of threats to Personal Data, including unauthorized access, accidental loss, or alteration. These assessments consider the nature of the data, the scope of processing, technological architecture, and evolving cybersecurity threats. Based on assessment results, Respona implements risk mitigation measures, including administrative controls, system architecture adjustments, vulnerability remediation, monitoring enhancements, and employee training. Risk assessments are revisited following material system changes or security incidents.
3. Encryption and Cryptographic Protections
Personal Data is encrypted during transmission over public networks using secure communication protocols such as TLS. Personal Data stored within production databases, data warehouses, and backup repositories is encrypted at rest using strong encryption methods appropriate to the sensitivity of the data. Cryptographic keys are governed by a key management process that includes rotation, restricted access, and secure storage. Encryption configurations are periodically reviewed to ensure continued alignment with current industry standards and operational requirements.
4. Access Controls and Identity Management
Respona maintains a rigorous access control framework to ensure that only authorized personnel may access Personal Data. Access is granted solely on a need-to-know basis and follows the principle of least privilege. All personnel accessing production systems must authenticate using unique credentials, and where supported, multifactor authentication is used for privileged accounts and administrative actions. Access rights are reviewed regularly and promptly revoked when no longer necessary due to role changes or termination. Logical access is logged, monitored, and subject to periodic audit.
5. Physical and Environmental Safeguards (via Hosting Providers)
Respona relies on reputable cloud hosting providers that maintain robust physical protections for the infrastructure supporting the Services. These protections include controlled access to data centers, identity verification for facility entry, surveillance systems, intrusion detection mechanisms, environmental controls for temperature and humidity, redundant power supplies, and fire detection and suppression systems. Hosting providers maintain relevant certifications such as ISO 27001, SOC 1, and SOC 2. Respona evaluates provider audit reports and security documentation to confirm adherence to industry standards.
6. Network Security and System Hardening
Respona’s systems are protected by network segmentation, firewall rules, and intrusion detection or prevention technologies designed to prevent unauthorized access. Regular security scans and vulnerability assessments are performed to identify potential weaknesses. System hardening practices include disabling unnecessary services, enforcing least-privilege access on system components, restricting administrative interfaces, applying operating system configurations aligned with security benchmarks, and monitoring system logs for suspicious activity. Patches and updates are applied in a timely manner based on severity and risk.
7. Secure Development and Change Management
Respona follows secure development lifecycle practices when designing, developing, and modifying components of the Services. These practices include code review, static and dynamic application testing, dependency scanning for vulnerabilities, and pre-deployment testing within controlled environments. Changes to production environments must follow documented change management processes that include approval workflows, testing requirements, rollback procedures, and post-implementation reviews. Production deployments are monitored for unexpected behavior and anomalies.
8. Monitoring, Logging, and Audit Trails
Respona maintains system and application logs that record relevant security events, including authentication attempts, access to production systems, modifications to system configurations, and automated alerts. Logs are reviewed periodically to detect anomalous activity and support forensic investigations. Automated monitoring tools assist in identifying performance abnormalities, suspicious behavior, or potential security threats. Access to logs is strictly controlled, and retention periods are established based on operational needs and legal requirements.
9. Personnel Security and Training
All personnel authorized to process Personal Data are subject to confidentiality obligations that continue after termination of employment or engagement. Background checks may be conducted to the extent permitted by law and appropriate to the role. Employees receive onboarding and ongoing training regarding information security, secure data handling, phishing awareness, incident reporting, and Applicable Privacy Laws. Compliance with internal security policies is regularly assessed, and violations may result in disciplinary action.
10. Incident Detection, Response, and Mitigation
Respona maintains a written incident response plan outlining procedures for identifying, containing, investigating, and remediating potential or actual Security Incidents. Upon detection of an event that indicates a possible compromise of Personal Data, Respona initiates incident response protocols, conducts a prompt investigation, and implements corrective measures necessary to mitigate harm. If a Security Incident results in unauthorized access to Personal Data, Respona will notify Customer without undue delay and provide information reasonably required to support Customer’s regulatory or contractual obligations. Respona will maintain detailed incident records and conduct post-incident reviews to prevent recurrence.
11. Business Continuity and Disaster Recovery
Respona maintains and periodically updates business continuity and disaster recovery procedures designed to minimize service disruption and preserve the availability of Personal Data. These procedures include secure backups, data replication where appropriate, redundant infrastructure components, and defined recovery time objectives. Backups are stored securely, tested for restorability, and retained for periods consistent with operational needs and security requirements. Respona’s continuity plans aim to ensure that critical functions can be restored in a timely manner following a system failure or catastrophic event.
12. Subprocessor Security Oversight
Before engaging a Subprocessor, Respona conducts a security review to ensure that the Subprocessor implements technical and organizational measures consistent with the requirements of this Annex and Applicable Privacy Laws. Subprocessors are contractually required to implement security protections appropriate to the Personal Data they process. Respona monitors Subprocessor compliance through periodic reviews, updated documentation, and communication regarding Security Incidents or significant operational changes. Respona remains responsible for the performance of its Subprocessors.
13. Data Minimization and Segregation
Respona designs its systems to limit access to Personal Data to the minimum amount necessary to provide the Services. Logical segregation ensures that Customer data is stored in isolated environments that prevent unauthorized cross-access between customer accounts. Production and testing environments are separated to ensure that Personal Data is not used inappropriately during development or quality assurance activities unless explicitly authorized and subject to necessary safeguards.
14. Ongoing Evaluation and Continuous Improvement
Respona conducts periodic reviews of its security practices, taking into account new threats, regulatory requirements, industry developments, and internal audit findings. Security measures may be updated or supplemented based on these reviews to ensure continued protection of Personal Data and alignment with legal and contractual obligations. Respona maintains documentation of its evaluations and updates as part of its security governance program.