
Aperia Technologies, Inc.

CLIENT DATA PROCESSING ADDENDUM

DATA PROCESSING AGREEMENT

Effective date and last updated October 1, 2025

This Data Processing Addendum and its applicable DPA Appendixes (“DPA” or “Addendum”) form part of the terms of the Agreement between Customer and APERIA TECHNOLOGIES, INC., a Delaware corporation with its principal offices at 3160 Corporate Pl, Hayward, CA 94545 (“Company”), and the user of the Company Services, as defined in this DPA, and its Affiliates.

Company has entered into certain agreements with its Customers for Halo Connect under which Company processes Customer Data, and may be referred to as “Master Terms,” “Terms of Service,” “Order Form,” or other title (the “Agreement”).

Company and Customer shall be individually referred to as a “Party” and collectively as the “Parties”. Upon acceptance of this DPA on the Company website or upon first using the Company Services, the Customer agrees to be bound by its terms.

For the purposes of this Agreement, “Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with Aperia Technologies. Affiliates may perform Processing activities as Subprocessors on behalf of the Customer, and shall be subject to the same data protection obligations as Aperia under this Agreement. Aperia shall remain fully liable for the acts and omissions of its Affiliates in the performance of Processing activities.

The Addendum applies to the Processing of Personal Data as described in Appendix 1, by Customer and Company (individually, the “Party” and collectively, the “Parties”) subject to the Data Protection Laws in order to provide the Services.

As part of their contractual relations, the Parties shall undertake to comply with the applicable Data Protection Laws with respect to the processing of Personal Data covered under this DPA.

The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.

Company reserves the right to periodically update and modify this DPA, and such modification will automatically become effective.

Basic Agreements of the Parties for Data Protection

  1. Duration of the Assignment/Notice of Termination
    a) The duration of the assignment (term of the DPA) is coextensive with the term of the Agreement.
    b) The termination of this Addendum therefore depends on the provisions concerning the duration and the termination of the Agreement. Termination of the Agreement shall also have the effect of terminating this DPA.
    c) Furthermore, the premature termination of this Addendum upon written notice to the other Party shall be permissible in the event of such other Party’s serious breach of statutory or contractual data protection provisions under the Data Protection Laws, insofar as the contracting Party in question cannot reasonably be expected to continue this DPA.
    d) The parties acknowledge that the termination of the DPA at any time and for any reason does not exempt them from their obligations under the Data Protection Laws relating to the collection, processing and use of Personal Data.

 

  1. Data Protection. Each party shall comply with Data Protection Laws in connection with performing the Services and its obligations under the Agreement and this DPA.

 

  1. Data Processing Activities. In relation to Personal Information Processed by Customer in connection with the Agreement, the subject-matter, nature, purpose and duration of the Processing, the data subjects concerned and the categories of Personal Information are specified in Annex I.

 

  1. Controller to Processor Clauses. When Processing Personal Information on behalf of Customer in connection with the Agreement, Company shall:
    1. only Process Personal Information on Customer’s Documented Written Instructions, unless required to do otherwise by applicable Law (in which case it shall, if permitted by such law, promptly notify Customer of that requirement before processing). “Documented Written Instructions” means instructions issued by the Customer in written or electronic form, including:
      • the terms set forth in the Master Services Agreement or other governing contract between the parties;
      • specific requests or authorizations sent via email from the Customer’s designated representatives;
      • execution of an order form or statement of work; or
      • changes to processing parameters communicated via the Customer’s administration portal or ticketing system;
    2. ensure that at all times Personal Information is Processed only to the minimum extent necessary to accomplish the purpose of the Processing permitted under this DPA and Agreement;
    3. immediately inform Customer if Company is of the opinion that an instruction of Customer regarding Processing Personal Information infringes Data Protection Law.
    4. ensure that (i) Company limits access to Personal Information to Company’s personnel who need access to Personal Information for the purposes of performing the Services under the Agreement and (ii) Company’s personnel who have access to Personal Information only Process the Personal Information, as permitted under this DPA and Agreement, and are subject to confidentiality obligations that are at least as protective of Personal Information as Company’s obligations under this DPA and the Agreement.
    5. Customer acknowledges and agrees that Company may (i) engage Sub-Processors listed in Annex III to this Addendum to access and process Personal Data in connection with the Services and (ii) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data. By way of this Addendum, Customer provides general written authorization to Company to engage Sub-Processors as necessary to perform the Services. Company will endeavor to give written notice (30) days prior to any change, but in any event will give written notice no less than (15) days prior to any such change. The Customer may object to a future engagement by informing Company within fifteen (15) days of receipt of the aforementioned notice by Company, provided such objection is in writing and based on reasonable grounds relating to data protection.  Customer acknowledges that objecting to the use of a Sub-Processor may prevent Company from offering its Services to Customer.
    6. be fully liable for all acts or omissions of its employees, affiliates, agents, subcontractors and other representatives in the same manner as for its own acts or omissions.
    7. implement and maintain reasonable and appropriate written information security and privacy programs, which programs shall incorporate physical, technical and organizational measures that are commensurate with the nature of Personal Information Processed under the Agreement, that meet or exceed good industry practices (or such higher standard as may be required in Annex II) and that are adequate to reasonably protect against a Personal Data Breach, including training of all personnel responsible for Processing Personal Information of the requirements of this DPA and the Agreement, such measures described in Annex II and to the extent not otherwise addressed in Annex II and as appropriate:
      • the pseudonymization and encryption of Personal Information;
      • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
      • the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident;
      • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing; and
      • the ability to establish timely (in any event within 72 hours of occurrence) if a Personal Data Breach has occurred.

 

  1. inform Customer without undue delay within forty-eight (48) hours after having become aware of a breach if any Personal Data processed under this Addendum is lost or destroyed or becomes damaged, corrupted, or unusable or is otherwise subject to unauthorized or unlawful processing including unauthorized or unlawful access or disclosure (“Personal Data Breach”)
  2. promptly notify Company without undue delay, and in any event, within 24 hours, of:
    • any inquiry, request for information from or complaint by a competent data protection or other regulatory authority, relating to Personal Information that Customer Processes in connection with the Agreement; and
    • any complaint, inquiry or request by a data subject relating to the Personal Information Customer Processes in connection with the Agreement, including any request to exercise rights under Data Protection Laws or Company’s or Customer’s privacy policy, such as to access, rectify, amend, correct, share, delete or cease Processing his or her Personal Information.
  3. provide reasonable assistance to the Customer in complying with its obligations under Data Protection Laws with respect to security, breach notifications, data protection impact assessments, and consultations with supervisory authorities or regulators;
  4. on Customer’s request or at the expiration or earlier termination of the Agreement or a Statement of Work to which the Personal Information is applicable, promptly delete or return, at Customer’s option, all Personal Information Processed, unless required otherwise by applicable Law. In that case, Company may retain one copy of the Personal Information required to be retained under applicable Law, until 30 days after that period for retaining Personal Information required under applicable Law ends, and Company will continue to comply with this DPA or the Agreement with respect to any Personal Information Company retains and will only Process that Personal Information as required by that applicable Law and shall securely isolate and protect such retained data, ensuring it is used solely for the purpose mandated by applicable Law and not subject to further processing.  Customer shall delete or return the Personal Information by such means and, in the case of returning Personal Information, in such format, as Company reasonably requests, and shall take steps to block such data from further processing (except to the extent necessary for processing required by law, rule, or regulation), and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.
  5. maintain the accuracy and integrity of Personal Information that it Processes on behalf of Customer.
  6. maintain all records necessary to be able to demonstrate that Personal Information was only Processed in accordance with applicable notices, consents authorizations and rights and as permitted under this DPA or the Agreement and for each of Company and Customer to comply with Data Protection Law.
  7. upon Customer’s request, allow for and contribute to audits by Company or another auditor mandated by Company of Customer’s compliance with this DPA or the Agreement and of Customer’s privacy and information security programs, and have a third-party auditor, reasonably acceptable to Company, conduct an audit of Customer’s privacy and information security programs.

 

  1. only transfer the Personal Data outside of the European Economic Area if it has fulfilled each of the following conditions: (i) it has in place any of the specifically approved safeguards for data transfers (as recognized under the Data Protection Laws) in relation to the transfer; (ii) data subjects continue to have enforceable rights and effective legal remedies following the transfer; (iii) it provides an adequate level of protection to any Personal Data that is transferred (including by way of a European Commission finding of adequacy); and (iv) it complies with reasonable instructions with respect to the transfer;
  2. not change the location where any Personal Information is Processed under this DPA or the Agreement, except with advance written notice with an opportunity to object on reasonable data protection grounds.
  3. as required by applicable Data Protection Law, and upon Customer’s request, provide notice to, and obtain a consent from, any data subject whose Personal Information is collected by or on behalf of Company in connection with the Agreement. Company will use forms of notice and consent, and provide and obtain any such notice and consent in a manner and at the times that are satisfactory to Customer and meet the requirements of applicable Law.
  4. except for changes made consistent with meeting industry practice or Data Protection Law, Company shall maintain in effect and consistently apply, Company’s privacy and data security practices disclosed to Customer in connection with any due diligence Company most recently conducted on those practices in connection with the Agreement. Company represents and warrants that all responses provided by Company in any such due diligence are true, accurate and complete when made and if later, as of the effective date of the Agreement. 
  5. promptly provide to Customer the minimum information necessary regarding individuals who have opted out of receiving future communications from Customer or who have opted out of any other use or disclosure of Personal Information by Customer, including the relevant contact Information and the specific nature of the request, to enable Customer to observe such opt-outs in compliance with applicable Law. Company also agrees to reflect in its data those individuals who have opted out of receiving communications immediately upon receipt of such information, whether received directly from the individual or from Customer.

 

  1. Technical and Organizational Measures

 

  1. Company shall take suitable technical and organizational measures appropriate to the risk to ensure for protection of the security, confidentiality and integrity of the Personal Data it Processes under this DPA, including those identified in Annex II of this DPA.

 

  1. The technical and organizational measures are subject to the current state of technology and technical progress. In this regard, Company is permitted to implement adequate alternative measures, provided that these measures may not provide a lower level of security to Customer data than those set forth in Annex II of this DPA.

 

  1. Cross-Border Data Transfer
  1. The parties agree that when the transfer of Personal Data is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses or the UK Addendum.
  2. In relation to Personal Data that is protected by the EU GDPR and Restricted Transfers outside the EU, the Standard Contractual Clauses shall be incorporated into this Addendum by reference and the information required to complete the Standard Contractual Clauses is as follows:
  3. Module Two (Controller to Processor) will apply where Company is a Processor and Customer is a Controller of the Personal Data under this DPA;
  4. in Clause 7, the optional docking clause will apply;
  5. in Clause 9, Option 2 applies to the use of subprocessors;
  6. in Clause 11, the optional language will not apply;
  7. Clause 13(a) Option 1 applies (supervisory authority with responsibility for ensuring compliance by the data exporter shall act as competent supervisory authority) as indicated in Annex I.
  8. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the law of The Republic of Ireland;
  9. in Clause 18(b), disputes shall be resolved before the courts of The Republic of Ireland;
  10. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA; and
  11. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA.

 

  1. Definitions and Interpretation. In this DPA, the following definitions apply:
  • “California Personal Information” means Personal Data that is subject to the protection of the CCPA.
  • “CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 or “CPRA”).
  • “Consumer”, “Business”, “Sell”, “Service Provider”, and “Share” will have the meanings given to them in the CCPA.
  • “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
  • “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA and other applicable U.S. federal and state privacy laws, and the data protection and privacy laws of Australia, Singapore, and Japan, in each case as amended, repealed, consolidated or replaced from time to time.
  • “Data Subject” means the individual to whom Personal Data relates.
  • “Europe” means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
  • “European Data” means Personal Data that is subject to the protection of European Data Protection Laws.
  • “European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms parts of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iv) Swiss Federal Data Protection Act and its Ordinance (“Swiss DPA”); in each case, as may be amended, superseded or replaced.
  • “Law” means any applicable laws, ordinances, rules, regulations and lawful orders of any public authority (including, and by way of example only, interpretations and decisions of, or agreements with, any competent regulatory authority) to which either Party, as applicable, is subject in connection with the Agreement;
  • “Personal Information” or “Personal Data” means any data relating to an identified or identifiable individual, including data that identifies an individual or that could be used to identify, locate, track, or contact an individual. Personal Information includes both directly identifiable information such as a name, identification number or unique job title, and indirectly identifiable information such as date of birth, unique mobile or wearable device identifier, telephone number, key-coded data and online identifiers such as IP addresses, and includes any data that constitutes “personal data” under the GDPR.
  • “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information transmitted, stored or otherwise Processed.
  • “Controller”, “Data Subject” and “Processing” each have the meaning given in the European Union General Data Protection Regulation 2016/679 (the “GDPR”), irrespective of whether GDPR applies in any particular context;
  • “Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area or Switzerland to a country outside of the European Economic Area or Switzerland which is not subject to an adequacy determination by the European Commission, (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on an adequacy decision pursuant to Section 17A of the United Kingdom Data Protection Act 2018 and (iii) where any other applicable laws apply, a transfer of Personal Data from one jurisdiction to another, where the receiving jurisdiction does not provide an adequate level of data protection as determined by applicable data protection laws.

 

  • “Standard Contractual Clauses” means any type of standard contractual clauses approved by competent authorities, such as where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”). The Standard Contractual Clauses shall be incorporated by reference and form an integral part of this DPA, and signed automatically as part of the DPA.

 

  • “UK Addendum” means the addendum to the Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022). The UK Addendum shall be incorporated by reference and form an integral part of this DPA.

 

In the event that the definitions in this DPA are inconsistent with the definitions given similar terms or concepts under Data Protection Laws, then the definition given any such similar term or concept under that applicable Data Protection Laws shall prevail to the extent of the inconsistency, so long as such inconsistency results in a broader definition of such term or concept.

 

 

  1. Additional Provisions for California Personal Information
  2. Scope. The ‘Additional Provisions for California Personal Information’ section of this DPA will apply only with respect to California Personal Information.
  3. Roles of the Parties. When processing California Personal Information in accordance with Company Instructions, the parties acknowledge and agree that Company is a Business and Customer is a Service Provider for the purposes of the CCPA.
  4. Responsibilities. Service Provider certifies that Service Provider will Process California Personal Information as a Service Provider strictly for the purpose of performing the Services under the Agreement (the “Business Purpose”) or as otherwise permitted by the CCPA, including as described in the Company Privacy Policy.  Further, Service Provider certifies that Service Provider (i) will not Sell or Share California Personal Information; (ii) will not Process California Personal Information outside the direct business relationship between the parties, unless required by applicable law; and (iii) will not combine the California Personal Information included in Customer Data, as defined in the CCPA, with personal information that Service Provider collects or receives from another source (other than information  received from another source in connection with obligations as a Service Provider under the Agreement).
  5. Compliance. Service Provider will (i) comply with obligations applicable to it as a Service Provider under the CCPA and (ii) provide California Personal Information with the same level of privacy protection as is required by the CCPA. Service Provider will notify Company if Service Provider makes a determination that Service Provider can no longer meet its obligations as a Service Provider under the CCPA.
  6. CCPA Audits. Service Provider will have the right to take reasonable and appropriate steps to help ensure that it uses California Personal Information in a manner consistent with Customer’s obligations under the CCPA. Upon notice, Company will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of California Personal Information.
  7. Not a Sale. The Parties acknowledge and agree that the disclosure of California Personal Information by the Customer to Customer does not form part of any monetary or other valuable consideration exchanged between the parties.
  8. Browser-Based Opt-Out Signals. Company shall recognize and honor browser-based opt-out preference signals, including Global Privacy Control (GPC) and Do Not Track (DNT), where required by applicable U.S. privacy laws (including but not limited to the California Consumer Privacy Act (as amended by the CPRA), the Colorado Privacy Act, and the Oregon Consumer Privacy Act). When such signals are received from a data subject’s browser or device, Company shall process them as valid requests to opt out of the sale or sharing of personal information to the extent required by law.

 

 

 

 

 

Appendix 1: Standard Contractual Clauses

 

This Appendix incorporates the Standard Contractual Clauses issued by the European Commission under Implementing Decision (EU) 2021/914 of 4 June 2021 for international transfers of personal data to third countries under the GDPR. 

The Parties agree that Module Two (Controller to Processor) applies and that, in certain instances, Module Three (Processor to Processor) may apply.

 

ANNEX I – DESCRIPTION OF PROCESSING

 

 

  1. List of Parties

 

Controller or Processor/Data exporter:

 

Name: The Customer, as defined in the Terms of Service or Agreement (on behalf of itself and Permitted Affiliates)

Contact details: The email address(es) designated by Customer in Customer’s account.

Address: The Customer’s address, as set out in the Order Form

Contact person’s name, position and contact details: The Customer’s contact details, as set out in the Order Form

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the Services under the Terms of Service or Agreement.

Role (controller/processor): Controller (either as the Controller; or acting in the capacity of a Controller, as a Processor, on behalf of another Controller)

Controller /Data importer:

Name: Aperia Technologies, Inc.

Address: 3160 Corporate Pl, Hayward, CA 94545

Contact details:  privacy@aperiatech.com

For customers in the EU and UK, Company’s DPO can be reached at: dpo@aperiatech.com

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the Services under the Terms of Service or Agreement.

Role (controller/processor): Processor (as detailed in Appendix 1)

  1. Description of Transfer

Categories of Data Subjects whose Personal Data is Transferred

Customer may submit Personal Data in the course of using the Service, the extent of which is determined and controlled by Customer in Customer’s sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

Customer’s contacts and other end users including Customer’s employees, contractors, collaborators, customers, prospects, Customers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to Customer’s end users.

Halo Connect users, marketing subscribers, technicians, drivers/vehicle operators, and others on behalf of Customer may submit Personal Data.

Categories of Personal Data Transferred

Customer may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by Customer in Customer’s sole discretion, and which may include but is not limited to the following categories of Personal Data:

  1. Contact Information (as defined in the General Terms).
  2. Any other Personal Data submitted by, sent to, or received by Customer, or Customer’s end users, via the Subscription Service.
  3. Sensitive Data transferred and applied restrictions or safeguards.

The Parties do not anticipate the transfer of sensitive data.

Frequency of the transfer

Continuous

Nature of the Processing

Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:

 

  1. Storage and other Processing necessary to provide, maintain and improve the Services provided to Customer; and/or
  2. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.

Purpose of the transfer and further processing

We will Process Personal Data as necessary to provide the Subscription Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by Customer in Customer’s use of the Subscription Services.

Period for which Personal Data will be retained

Subject to the ‘Deletion or Return of Personal Data’ section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

  1. Competent Supervisory Authority:

Where the EU GDPR applies, the competent authority shall be the Irish Data Protection Commission.

Where the UK GDPR applies, the competent authority shall be the UK Information Commissioner’s Office.

Annex II – Information Technical Security and Organizational Measures

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):

The physical, technical and organizational measures that are commensurate with the nature of personal information processed, that meet or exceed good industry practices [(or such higher standard as may be required in Annex I to the DPA referenced below)] and that are adequate to reasonably protect against a Personal Data Breach, implemented by the data importer, as required in accordance with the terms of that certain [Data Processing Agreement] between data exporter and data importer dated [insert date] (the “DPA”), including training of all personnel responsible for processing personal information of the requirements of the DPA, such measures described Annex I to the DPA and, to the extent not otherwise addressed in Annex I to the DPA, as appropriate:

  i. the pseudonymization and encryption of Personal Information;
  ii. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
  iii. the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident;
  iv. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing; and,
  v. the ability to establish timely (in any event within 72 hours of occurrence) if a Personal Data Breach has occurred.

 

 

Information Technology Security Measures

 

  1. Network Security – Customer shall maintain network security policies, procedures, and systems and shall perform network security and activities consistent with best practices in Customer’s industry but that, at a minimum, include but are not limited to: network firewall provisioning, intrusion detection, and regular (but in no event less frequently than annually) vulnerability assessments. In no event shall the foregoing as applied to the Personal Information of the Company be any less stringent and protective than those applied by Customer to the protection of its own data and systems of a like or similar nature.
  2. Application Security – Customer shall provide, maintain and support any of its software and systems provided or used in connection with the services or products under the Agreement and subsequent updates, upgrades, and bug fixes such that they are and remain secure from vulnerabilities, utilizing recognized and comparable industry practices or standards as set forth in paragraph 9 below.
  3. Data Security – Without limiting Customer’s confidentiality obligations or other obligations to protect data and other information of Company or its Affiliates, including without limitation, any Personal Information, under the Agreement or this DPA, Customer shall store all Personal Information in accordance with industry best practices and in compliance with all applicable Laws, and use security measures, including, but not limited to, encryption and firewalls, to protect such Personal Information from unauthorized disclosure or use. Such measures shall be no less rigorous than those measures maintained by Customer for its own data of a similar nature. When Customer stores Personal Information in a third-party’s offsite facility, Customer must have complied with the terms of this DPA related to disclosing Personal Information to third parties or otherwise subcontracting services or products to third parties and shall only use a third party’s offsite storage facility that is otherwise reasonably acceptable to Company, without limiting the foregoing, the facility of a third party that is in full compliance with all of the provisions of this Appendix.
  4. Data Storage – Any and all Personal Information will be stored, processed, and maintained solely on designated Customer computing and storage resources, and no Personal Information will at any time be processed on or transferred to any portable or laptop computing device or any portable storage medium, unless that device or storage medium is in use as part of the Customer’s designated backup and recovery processes and encrypted in accordance with paragraph 6 below. Customer shall store all backup Personal Information as part of its designated backup and recovery processes.
  5. Data Transmission – Any and all electronic transmission or exchange of Personal Information with Company and/or any third parties shall take place via secure means (using HTTPS or SFTP or equivalent) and solely in accordance with paragraph 6 below.
  6. Data Encryption – Customer agrees that any and all Personal Information stored on any portable or laptop computing device or any portable storage medium, including all company backup data, shall be kept in encrypted form, using a commercially supported encryption solution. Encryption solutions will be deployed with no less than a 128-bit key for symmetric encryption and a 2048 (or larger) bit key length for asymmetric encryption.
  7. Data Re-Use – Except as required to provide the services or products under the Agreement or as otherwise permitted under this DPA, Customer shall not distribute, repurpose or share across other applications, environments, or business units of Customer any Personal Information.
  8. Security Breach Notification – In the event of a personal data breach or breach of any of Customer’s security obligations, then in addition to its obligations under the Agreement or the DPA, Customer shall notify Company of such an event within 24 hours of discovery by telephone and e-mail at the following phone number and email address:

Security Breach Notice Telephone No.: +1-844-786-4256

Security Breach Notice Email: security@aperiatech.com

Annex III - List of Sub-processors

To support its business operations and the delivery of the services, Company may engage and use certain sub-processors with access to certain Customer data (each, a “Sub-processor”). As of the effective date of this DPA, all Sub-processors listed herein are actively engaged in providing supporting services to Aperia. For important information about the identity, location and role of each Sub-processor, please see the attached list:

 

| Sub-processor | Address | Description of Processing | Personal Data Processed | Transfer Mechanism |
| --- | --- | --- | --- | --- |
| Amazon Web Services, Inc. | 410 Terry Avenue North, Seattle, WA 98109, USA | Cloud hosting, data storage, and infrastructure services | All categories of personal data processed through cloud infrastructure | Standard Contractual Clauses (EU 2021/914), AWS Data Processing Addendum |
| Google LLC | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Email services, business productivity tools (e.g., Google Workspace) | Business contact data, communications data | Standard Contractual Clauses (EU 2021/914), Google Data Processing Amendment |
| Salesforce.com, Inc. | Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA | Customer relationship management (CRM) and marketing automation | Customer contact information, communication history, engagement data | Standard Contractual Clauses (EU 2021/914), Salesforce Data Processing Addendum |
| Trend Micro Incorporated | 225 E John Carpenter Freeway, Suite 1500, Irving, TX 75062, USA | Security monitoring and threat prevention | IP addresses, system logs, security event data | Standard Contractual Clauses (EU 2021/914), Trend Micro Privacy and Data Protection Agreement |
| Atlassian Pty Ltd | Level 6, 341 George Street, Sydney NSW 2000, Australia | Project management, issue tracking, and internal documentation tools | Employee and contractor data, project metadata | Standard Contractual Clauses (EU 2021/914), Atlassian Data Processing Addendum |
| Microsoft Corporation | One Microsoft Way, Redmond, WA 98052, USA | Enterprise software and collaboration tools (e.g., Office 365, Teams) | Business communications, documents, account data | SCCs, Microsoft Products and Services DPA |
| Datadog, Inc. | 620 8th Avenue, 45th Floor, New York, NY 10018, USA | Application performance monitoring and infrastructure analytics | System logs, usage metrics, and diagnostic data | Standard Contractual Clauses (EU 2021/914), Datadog Data Processing Agreement |

 

The Controller provides general authorization for the use of these sub-processors. The Processor shall inform the Controller of any intended changes.

 

Each Sub-processor has received general written authorization. This list may be updated from time to time. Subprocessor changes will be communicated via email and/or posted at https://aperia-technologies.secureframetrust.com/