Data Processing Agreement
SWORKSCYBER, LLC d/b/a Rovally
Cybersecurity & Compliance Services
Data Protection Contact
privacy@rovally.com
1111 6th Ave Ste 550, PMB 367700, San Diego, California 92101-5211
This Data Processing Agreement supplements the Master Services Agreement between Rovally and Client.
Last Updated: November 2025
1. INTRODUCTION
Summary: This DPA governs how Rovally handles your data when providing services. It supplements our MSA and applies whenever we process personal data on your behalf.
1.1 Purpose
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement (the "Agreement" or "MSA") between SWORKSCYBER, LLC d/b/a Rovally ("Processor," "Provider," or "Rovally") and the entity identified in the applicable Statement of Work ("Controller" or "Client").
This DPA sets forth the terms and conditions under which Processor will process Personal Data on behalf of Controller in connection with the Services provided under the Agreement. This DPA is designed to ensure compliance with applicable Data Protection Laws, including the European Union General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable privacy regulations.
1.2 Incorporation
This DPA is incorporated into and forms part of the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters. All capitalized terms not defined herein shall have the meanings set forth in the Agreement.
1.3 Effective Date
This DPA shall be effective as of the effective date of the Agreement or, if executed separately, the date of last signature below.
2. DEFINITIONS
Summary: Key terms used throughout this DPA. Most importantly: you're the Controller (you decide what data to process and why), and we're the Processor (we process data only as you instruct).
"Controller" means the entity that determines the purposes and means of the Processing of Personal Data. Under this DPA, the Client is the Controller.
"Data Protection Laws" means all applicable laws and regulations relating to the Processing of Personal Data, including but not limited to: (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the UK Data Protection Act 2018 and UK GDPR; (c) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"); (d) the Virginia Consumer Data Protection Act; (e) the Colorado Privacy Act; (f) the Connecticut Data Privacy Act; (g) other U.S. state privacy laws; and (h) any other applicable data protection or privacy legislation.
"Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.
"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to: name, identification number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
"Processing" (including "Process" and "Processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Processor" means the entity that Processes Personal Data on behalf of the Controller. Under this DPA, Rovally is the Processor.
"Rovally Compliance Platform" means Processor's proprietary software application used to deliver compliance automation, policy management, and questionnaire support services, which incorporates artificial intelligence capabilities as described in Section 7.
"Security Measures" means the technical and organizational measures implemented by Processor to protect Personal Data, as described in Annex II.
"Services" means the cybersecurity, compliance, and IT services provided by Processor to Controller under the Agreement.
"Sub-processor" means any third party engaged by Processor to Process Personal Data on behalf of Controller in connection with the Services.
"Sensitive Personal Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life, or sexual orientation, and (under U.S. laws) Social Security numbers, financial account information, precise geolocation, and other categories designated as sensitive under applicable law.
3. SCOPE OF PROCESSING
Summary: This section describes what data we process, whose data it is, why we process it, and for how long. We only process what's necessary to provide our services.
3.1 Subject Matter and Duration
Processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by applicable law. The subject matter of Processing is the provision of cybersecurity, compliance, and IT services as described in the Agreement and applicable Statements of Work.
3.2 Nature and Purpose of Processing
Processor will Process Personal Data solely for the following purposes:
- Providing the Services described in the Agreement and applicable SOWs
- Managing user accounts and access controls
- Monitoring and responding to security incidents
- Managing compliance programs and evidence collection
- Generating policies, procedures, and compliance documentation
- Responding to security questionnaires and due diligence requests
- Providing IT operations and help desk support
- Managing and securing endpoint devices
- Fulfilling legal and regulatory obligations
3.3 Types of Personal Data
The categories of Personal Data Processed under this DPA may include:
- Identity Data: Names, usernames, employee IDs, job titles, department
- Contact Data: Email addresses, phone numbers, physical addresses
- Technical Data: IP addresses, device identifiers, browser type, operating system, login timestamps, access logs
- Employment Data: Start/end dates, role information, manager relationships, onboarding status
- Security Data: Security training completion, policy acknowledgments, access permissions, authentication records
- Device Data: Device names, serial numbers, compliance status, installed software, patch levels
- Communication Data: Support ticket contents, help desk interactions (limited to service delivery)
3.4 Categories of Data Subjects
The Data Subjects whose Personal Data may be Processed include:
- Controller's employees, contractors, and temporary workers
- Controller's authorized users and system administrators
- Controller's customers and business contacts (if included in covered systems)
- Third-party vendor contacts (for vendor risk management)
- Any other individuals whose data is stored in Controller's systems that Processor accesses to provide Services
3.5 Sensitive Personal Data
Processor does not require access to Sensitive Personal Data to perform the Services. Controller shall avoid sharing Sensitive Personal Data with Processor unless explicitly required for a specific service and agreed upon in writing. If Processor inadvertently receives Sensitive Personal Data, Processor will notify Controller and either delete such data or apply enhanced protections as directed by Controller.
4. PROCESSOR OBLIGATIONS
Summary: Our core commitments: we only process data as you instruct, we keep it confidential, we maintain security, and we help you comply with data protection laws.
4.1 Processing Instructions
Processor shall Process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law. In such case, Processor shall inform Controller of that legal requirement before Processing, unless the law prohibits such notification.
The Agreement, this DPA, and any applicable SOWs constitute Controller's complete and final instructions to Processor for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately in writing.
4.2 Confidentiality
Processor shall ensure that all personnel authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Processor shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Services.
4.3 Security Measures
Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex II. These measures shall include, at a minimum:
- Encryption of Personal Data in transit and at rest
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- Ability to restore availability and access to Personal Data in a timely manner following an incident
- Regular testing and evaluation of technical and organizational measures
- Access controls and authentication mechanisms
- Audit logging and monitoring
4.4 Assistance with Data Subject Rights
Processor shall assist Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection. Processor shall promptly notify Controller of any request received directly from a Data Subject and shall not respond to such request except as instructed by Controller or required by law.
4.5 Assistance with Compliance
Taking into account the nature of Processing and the information available to Processor, Processor shall assist Controller in ensuring compliance with Controller's obligations under Data Protection Laws, including:
- Data protection impact assessments
- Prior consultation with supervisory authorities
- Notifications to supervisory authorities and Data Subjects regarding Personal Data Breaches
4.6 Deletion and Return of Data
Upon termination or expiration of the Agreement, Processor shall, at Controller's election, delete or return all Personal Data to Controller and delete existing copies, unless applicable law requires retention of the Personal Data. Processor shall certify in writing that it has complied with this obligation upon Controller's request.
Processor may retain Personal Data to the extent required by applicable law, provided that Processor shall ensure the confidentiality of such Personal Data and shall Process it only as necessary for the purpose(s) specified in the applicable law.
5. CONTROLLER OBLIGATIONS
Summary: Your responsibilities: ensure you have proper legal basis to share data with us, give us accurate instructions, and notify us if regulations change how we should handle your data.
5.1 Lawful Basis
Controller warrants that it has a lawful basis for the Processing of Personal Data as contemplated by this DPA and the Agreement, including any required consents or authorizations from Data Subjects.
5.2 Instructions
Controller shall ensure that its instructions to Processor comply with applicable Data Protection Laws. Controller acknowledges that Processor is not responsible for determining whether Controller's instructions are compliant with applicable law.
5.3 Data Accuracy
Controller is responsible for ensuring the accuracy and quality of Personal Data provided to Processor. Controller shall promptly notify Processor of any corrections or updates required.
5.4 Regulatory Changes
Controller shall notify Processor of any changes in applicable Data Protection Laws or regulatory guidance that may affect Processor's Processing activities under this DPA.
6. SUB-PROCESSORS
Summary: We use vetted sub-processors (listed in Annex I) to help deliver our services. All sub-processors are bound by data protection terms at least as protective as this DPA. We'll notify you of changes.
6.1 Authorization
Controller provides general authorization for Processor to engage Sub-processors to Process Personal Data in connection with the Services, subject to the requirements of this Section 6. The current list of authorized Sub-processors is set forth in Annex I.
6.2 Sub-processor Requirements
Processor shall:
- Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set forth in this DPA
- Conduct appropriate due diligence on Sub-processors' security and privacy practices
- Remain fully liable to Controller for the acts and omissions of its Sub-processors
6.3 Changes to Sub-processors
Processor shall notify Controller of any intended changes to Sub-processors (additions or replacements) at least thirty (30) days in advance. Controller may object to such changes on reasonable grounds related to data protection. If Controller objects and the parties cannot resolve the objection, Controller may terminate the affected Services without penalty.
6.4 Sub-processor Categories
Sub-processors utilized by Processor fall into the following categories:
- Infrastructure Providers: Cloud hosting, data storage, and computing services
- Security Tool Vendors: Endpoint protection, SIEM, content filtering, and MDM platforms
- Compliance Platform Vendors: GRC automation and compliance management systems
- IT Operations Partners: Help desk and IT support service providers
- AI Technology Providers: Artificial intelligence infrastructure powering the Rovally Compliance Platform (see Section 7)
7. ROVALLY COMPLIANCE PLATFORM AND AI-POWERED SERVICES
Summary: Our platform uses AI to help with policy drafting and questionnaires. Your data is never used to train AI models. Data is encrypted, compartmentalized, and processed only to deliver your services—then deleted.
7.1 Platform Overview
The Rovally Compliance Platform is Processor's proprietary application that delivers compliance automation, policy management, and security questionnaire support services. The Platform incorporates artificial intelligence capabilities to enhance service delivery efficiency and quality.
7.2 AI Technology Providers
The Rovally Compliance Platform utilizes AI infrastructure provided by Anthropic, PBC and OpenAI, LLC (collectively, "AI Providers"). These AI Providers supply the underlying large language model technology that powers Platform features. Processor maintains the following regarding AI Provider relationships:
- Enterprise Agreements: Processor maintains enterprise-grade agreements with AI Providers that include data protection commitments
- Sub-processor Status: AI Providers are treated as Sub-processors and are listed in Annex I
7.3 Data Protection Commitments for AI Processing
Processor makes the following binding commitments regarding Personal Data processed through AI-powered features:
7.3.1 No Model Training
Controller's Personal Data is NEVER used to train, fine-tune, improve, or develop AI models. Processor's agreements with AI Providers expressly prohibit the use of API inputs and outputs for model training purposes. This prohibition applies to:
- Initial model training
- Model fine-tuning or customization
- Reinforcement learning from human feedback
- Any other form of machine learning improvement
7.3.2 Data Compartmentalization
Each Controller's data is strictly isolated and compartmentalized:
- Controller data is never combined with data from other Processor clients
- AI processing occurs in isolated sessions with no cross-client data exposure
- Outputs generated for Controller contain only information derived from Controller's inputs
- No shared context or memory persists between different clients' processing requests
7.3.3 Ephemeral Processing
Personal Data processed through AI features is handled ephemerally:
- Data is transmitted to AI Providers only for the duration needed to generate a response
- AI Providers do not retain API inputs or outputs beyond temporary processing
- Processor does not persist AI conversation logs containing Personal Data beyond operational needs
- Temporary processing data is deleted in accordance with AI Provider data retention policies (typically 30 days or less)
7.3.4 Encryption and Security
All data transmitted to AI Providers is protected by:
- TLS 1.2 or higher encryption in transit
- Encryption at rest within AI Provider infrastructure
- Secure API authentication using unique credentials
- Access logging and monitoring
7.4 AI Processing Use Cases
AI-powered features within the Rovally Compliance Platform are used exclusively for:
- Policy Generation: Drafting and customizing security policies, procedures, and standards based on Controller's requirements and applicable compliance frameworks
- Questionnaire Support: Assisting with responses to security questionnaires, due diligence requests, and vendor assessments using Controller's documented policies and controls
- Compliance Documentation: Generating control narratives, evidence descriptions, and compliance documentation
- Risk Analysis: Analyzing and documenting risks, control gaps, and remediation recommendations
7.5 Data Minimization
Processor applies data minimization principles to AI processing:
- Only data necessary for the specific task is transmitted to AI Providers
- Personal Data is anonymized or pseudonymized where feasible without compromising service quality
- Sensitive Personal Data is excluded from AI processing unless explicitly required and authorized
- Processor regularly reviews AI processing to identify opportunities for further data minimization
7.6 Human Oversight
All AI-generated outputs are subject to human review before delivery to Controller. Processor personnel review, validate, and approve AI-generated content to ensure accuracy, appropriateness, and alignment with Controller's requirements. AI is used as a productivity tool to assist Processor's qualified consultants, not as an autonomous decision-making system.
7.7 Transparency and Records
Processor maintains records of AI processing activities and will provide Controller, upon request:
- Confirmation of which Services utilize AI-powered features
- Documentation of data protection measures applicable to AI processing
- Current AI Provider data processing agreements or relevant excerpts
- AI Provider security certifications (SOC 2, ISO 27001, etc.)
8. PERSONAL DATA BREACH
Summary: If there's a data breach affecting your data, we'll notify you within 24 hours with all the details you need for regulatory reporting. We'll help you investigate and respond.
8.1 Notification
Processor shall notify Controller without undue delay, and in any event within twenty-four (24) hours, after becoming aware of a Personal Data Breach affecting Controller's Personal Data. Notification shall be made to the contact designated in the Agreement or SOW, or if none, to Controller's primary point of contact.
8.2 Notification Contents
The notification shall include, to the extent known:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of Processor's data protection contact
- A description of the likely consequences of the Personal Data Breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate possible adverse effects
8.3 Cooperation
Processor shall cooperate with Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach. Processor shall not inform any third party of the breach without Controller's prior written consent, except as required by law or to Sub-processors who need to know to assist with remediation.
8.4 Documentation
Processor shall document all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken. This documentation shall be made available to Controller upon request.
9. INTERNATIONAL DATA TRANSFERS
Summary: If we need to transfer data outside your jurisdiction, we'll use approved mechanisms (like Standard Contractual Clauses) to ensure it stays protected. We primarily process data in the United States.
9.1 General
Processor primarily processes Personal Data within the United States. Processor shall not transfer Personal Data to a country outside of Controller's jurisdiction unless appropriate safeguards are in place as required by applicable Data Protection Laws.
9.2 Transfer Mechanisms
Where required by Data Protection Laws, Processor shall ensure that transfers are made pursuant to:
- An adequacy decision by the relevant authority
- Standard Contractual Clauses approved by the European Commission or UK ICO
- Binding Corporate Rules
- An approved certification mechanism or code of conduct
- Controller's explicit consent, where applicable
9.3 Standard Contractual Clauses
Where the Standard Contractual Clauses ("SCCs") are required, the parties agree that the SCCs shall be incorporated by reference into this DPA. For transfers from the EEA, the EU SCCs (Commission Implementing Decision 2021/914) shall apply. For transfers from the UK, the UK Addendum to the EU SCCs shall apply. For transfers from Switzerland, the Swiss Addendum shall apply.
9.4 Transfer Impact Assessments
Where required, Processor shall cooperate with Controller to conduct transfer impact assessments and implement supplementary measures necessary to ensure an essentially equivalent level of protection for transferred Personal Data.
10. AUDIT RIGHTS
Summary: You have the right to verify our compliance through documentation review or on-site audits. We'll provide certifications and audit reports; additional audits are at your cost with reasonable notice.
10.1 Audit Information
Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws, and shall allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller.
10.2 Audit Procedures
Audits shall be conducted as follows:
- Notice: Controller shall provide at least thirty (30) days prior written notice of any audit, except in cases of suspected breach
- Scope: Audits shall be limited to matters relevant to this DPA and shall not unreasonably interfere with Processor's business operations
- Frequency: No more than one audit per twelve-month period, unless required by a supervisory authority or following a Personal Data Breach
- Confidentiality: Auditors must agree to confidentiality obligations protecting Processor's proprietary information and other clients' data
- Costs: Controller shall bear the costs of any audit, except where the audit reveals material non-compliance by Processor
10.3 Certifications and Reports
Processor may satisfy audit requirements by providing:
- Current SOC 2 Type II report
- ISO 27001 certification
- Penetration test results (executive summary)
- Completed security questionnaire responses
- Other third-party audit reports or certifications relevant to the Services
Controller agrees that review of such documentation shall satisfy audit requirements absent specific concerns not addressed by the documentation.
11. LIABILITY
Summary: Liability for data protection matters follows the limitations in the MSA. Each party is responsible for its own regulatory fines caused by its own violations.
11.1 Liability Cap
The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement. This DPA does not limit either party's liability for losses which cannot be limited by law.
11.2 Allocation
Each party shall be liable for any fines, penalties, or damages resulting from its own violation of applicable Data Protection Laws. Where both parties are responsible for a violation, liability shall be allocated in proportion to each party's responsibility.
11.3 Indemnification
Each party shall indemnify the other for any fines, penalties, damages, or costs arising from its breach of this DPA or applicable Data Protection Laws, subject to the limitations set forth in the Agreement.
12. GENERAL PROVISIONS
Summary: Standard legal provisions: this DPA lasts as long as we process your data, amendments must be in writing, and we can update it for legal compliance with notice to you.
12.1 Term
This DPA shall remain in effect for the duration of the Agreement and for as long as Processor continues to Process Personal Data on behalf of Controller.
12.2 Amendment
This DPA may only be amended in writing signed by authorized representatives of both parties. Processor may update this DPA to reflect changes in Data Protection Laws or regulatory guidance, with thirty (30) days' notice to Controller.
12.3 Severability
If any provision of this DPA is found invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable.
12.4 Governing Law
This DPA shall be governed by the laws specified in the Agreement, except that Data Protection Laws of Controller's jurisdiction shall apply to the extent they impose mandatory requirements.
12.5 Conflict
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters. In the event of any conflict between this DPA and applicable Data Protection Laws, the applicable Data Protection Laws shall prevail.
12.6 Entire Agreement
This DPA, together with the Agreement and its appendices, constitutes the entire agreement between the parties with respect to the Processing of Personal Data and supersedes all prior agreements, understandings, and representations with respect to such subject matter.
ANNEX I
LIST OF SUB-PROCESSORS
Summary: These are the third parties who may process your data as part of delivering our services. All have data protection agreements in place with Rovally.
The following Sub-processors are authorized to Process Personal Data on behalf of Controller. This list may be updated in accordance with Section 6.3.
Last Updated: November 2025
IT Operations Partners
AI Technology Providers (Rovally Compliance Platform)
Note: Data is processed ephemerally and is never used for model training. See Section 7 for complete data protection commitments.
Security & Compliance Platform Vendors
Note: Not all Sub-processors are used for every Client. Specific Sub-processors are engaged based on the Services specified in Client's Statement of Work. Processor may substitute equivalent vendors in accordance with Section 2.8.3 of the Agreement.
ANNEX II
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Summary: The specific security controls we implement to protect your data—encryption, access controls, monitoring, incident response, and more.
Processor implements the following technical and organizational measures to protect Personal Data. These measures are regularly reviewed and updated to address evolving threats and regulatory requirements.
1. Access Control
- Role-based access control (RBAC) limiting access to Personal Data based on job function
- Multi-factor authentication (MFA) required for all systems containing Personal Data
- Unique user identification for all personnel
- Principle of least privilege applied to all access grants
- Regular access reviews (quarterly minimum)
- Prompt access revocation upon personnel departure or role change
2. Encryption
- TLS 1.2 or higher for all data in transit
- AES-256 encryption for data at rest
- Full disk encryption on all workstations and portable devices
- Encrypted backup storage
- Secure key management practices
3. Network Security
- Firewalls and network segmentation
- Intrusion detection and prevention systems
- Secure VPN for remote access
- Regular vulnerability scanning
- Annual penetration testing
4. Endpoint Security
- Endpoint detection and response (EDR) on all workstations
- Automated patch management
- Mobile device management (MDM) for company devices
- Application whitelisting where applicable
5. Monitoring and Logging
- Centralized security logging
- Security information and event management (SIEM)
- Audit trail for access to Personal Data
- Log retention in accordance with legal requirements
- 24/7/365 security monitoring capability
6. Physical Security
- Data center physical access controls (cloud providers)
- Clean desk policy
- Secure disposal of hardware and media
- Visitor access controls at office locations
7. Personnel Security
- Background checks for personnel with access to Personal Data
- Confidentiality agreements
- Regular security awareness training
- Phishing simulation exercises
- Disciplinary procedures for security violations
8. Incident Response
- Documented incident response plan
- Defined roles and responsibilities for incident handling
- Regular incident response testing and tabletop exercises
- Post-incident review and lessons learned process
9. Business Continuity
- Regular data backups
- Backup testing and restoration procedures
- Disaster recovery planning
- Business continuity testing
10. Vendor Management
- Security assessment of Sub-processors prior to engagement
- Contractual data protection requirements
- Ongoing monitoring of Sub-processor security posture
- Annual review of Sub-processor compliance certifications
11. Certifications
Processor maintains or is in the process of obtaining the following certifications:
- SOC 2 Type II
Current certification reports are available upon request under NDA.
