Information Security Addendum
Last Modified On: March 24, 2026
1. DataCamp has developed and implemented a set of documented information security policies and procedures that include administrative, technical and physical controls designed to (i) ensure the security, integrity and availability of Customer Data; (ii) protect against anticipated threats to the security, integrity or availability of Customer Data; (iii) prevent the destruction, loss, theft, unauthorized access, unauthorized use, or alteration of Customer Data; and (iv) ensure the proper disposal of Customer Data. DataCamp reviews its information security policies and procedures at least annually to ensure their continued effectiveness and to determine whether adjustments are necessary in light of then-current circumstances including, without limitation, changes in (w) technology, (x) threats to Customer Data, (y) regulatory requirements, and (z) accepted industry practices, and may make adjustments to its security policies and procedures in its reasonable discretion. DataCamp has implemented information security policies and procedures that are no less rigorous than accepted industry practices, specifically those set forth in (i) National Institute of Standards and Technology Special Publication 800-53, or (ii) ISO/IEC 27001. All DataCamp personnel handling Customer Data have been appropriately trained in the implementation of DataCamp's information security policies and procedures.
2. Upon Customer's reasonable written request, and no more than once per calendar year, DataCamp will make available for Customer's inspection and audit, copies of certifications, records or reports demonstrating DataCamp's compliance with this Security Annex. While it is the Parties' intention ordinarily to rely on the provision of the documentation to demonstrate DataCamp's compliance with this Security Annex, in the event that Customer reasonably determines that it must inspect DataCamp's premises or equipment for purposes of this Security Annex, then no more than once per calendar year, any audits described in this Paragraph 2 will be conducted, at Customer's expense, through a qualified, independent third-party auditor ("Independent Auditor") designated by Customer. Before the commencement of any such on-site inspection, the Parties will mutually agree on reasonable timing, scope, and security controls applicable to the audit (including without limitation restricting access to DataCamp's confidential information, trade secrets and data belonging to other customers). Any inspection will be of reasonable duration and will not unreasonably interfere with DataCamp's day-to-day operations. All Independent Auditors are required to enter into a non-disclosure agreement containing confidentiality provisions reasonably acceptable to DataCamp and intended to protect DataCamp's and its customers' confidential and proprietary information. To the extent that Customer or any Independent Auditor causes any damage, injury or disruption to DataCamp's premises, equipment, personnel and business in the course of such an audit or inspection, Customer will be solely responsible for any costs associated therewith. Customer will promptly notify DataCamp with information regarding any alleged non-compliance discovered during the course of an audit.
3. DataCamp has implemented the following technical and organizational measures to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. As used in this Paragraph 3, "Applications" means the online learning platform, Workspace coding environment, and Certification program at www.datacamp.com, and the related DataCamp mobile application.
- a. Measures of pseudonymization and encryption of personal data, including all communication between users and the Applications being secured with 128-bit TLS 1.2 encryption and above. All databases and backups are encrypted at rest with AES-256. When a user deletes their user account, or requests that we delete it, we replace personally identifiable information with a nil value. After 30 days our daily incremental backups rotate and the information is fully removed from our systems.
- b. Measures for ensuring ongoing integrity, availability and resilience of processing systems and services, including the logical separation of data based on a microservice architecture, separation of DataCamp's development and production environments, and central management of endpoints with automatic device locking, automatic password policy enforcement, automatic software roll-out, remote wiping in case of stolen or damaged equipment, and protection with anti-malware software and data loss protection. DataCamp's internal networks are protected with multiple layers of controls (firewall, virus scanner, watchful monitoring, etc.).
- c. Measures for ensuring the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, including daily backups with a 30-day retention period and an established Business Continuity Plan to recover the IT systems at an alternative location in case of a disruptive incident and to provide user access to them. DataCamp regularly tests its Business Continuity Plan, at least annually.
- d. Processes for regularly assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Applications, including regular penetration testing and testing for common vulnerabilities. Due to the risks to system integrity and to the integrity of data belonging to other users, DataCamp does not permit customers to conduct independent security scans or tests.
- e. Measures for user identification and authorization, including establishing minimum password requirements and limiting access to critical infrastructure to engineers who require such access in order to maintain the stability and efficiency of our systems. Access is based upon the principles of least privilege, need to know and need to use, and requires the use of two-factor authentication.
- f. Measures for the protection of data during transmission, including minimum encryption standards of 128-bit TLS 1.2 encryption and above.
- g. Measures for the protection of data during storage, including requiring that databases and backups are encrypted at rest with AES-256 and hosting Applications in ISO 27001 certified data centers.
- h. Measures for ensuring physical security of locations at which personal data are processed, including requiring badge-based access to all offices.
- i. Measures for ensuring event logging, including user-, file- and network-activity anomaly detection that monitors our infrastructure. All access to servers and hosting providers is monitored. All endpoints, servers and other equipment (such as network routers and switches) involved in the hosting, storage or processing of customer information have the available audit logging facilities activated to allow the recording and monitoring of activities. To prevent modification or deletion, log files are kept in a centralized log system and all access to log files is monitored.
- j. Measures for ensuring system configuration, including default configuration and patch management procedures based on risk levels.
- k. Measures for internal IT and IT security governance and management, including use of automated inspection tools to ensure best practices related to authentication, network security, operating systems and application security are adhered to.
- l. Measures for ensuring limited data retention, including records retention and protection policy to ensure compliance with all relevant legal, regulatory and contractual requirements in the collection, storage, retrieval and destruction of records.
- m. A Supplier Due Diligence Assessment Procedure to understand the information security approach and controls a potential supplier has in place before contracting with the company. The information security requirements of DataCamp are reflected within the written contractual agreement entered into with the supplier.
4. Upon request by Customer at the termination or expiration of the Agreement, DataCamp will securely erase Customer Data that is in DataCamp's possession. Notwithstanding the foregoing, DataCamp may retain copies of Customer Data: (x) to the extent DataCamp has a separate legal right or obligation to retain some or all of the Customer Data; (y) that is incorporated into DataCamp business records such as email and accounting records, and (z) in backup systems until the backups have been overwritten or expunged in accordance with DataCamp's backup policy; provided, however, in each case the confidentiality obligations and use restrictions in the Agreement will continue to apply to such Customer Data for the duration of the retention.
5. DataCamp has designed and implemented a documented risk management process including steps focused on the identification, analysis, evaluation, mitigation and monitoring of risks relevant to the provision of its services to customers.
6. DataCamp has designed and implemented a documented incident management policy, including logging of Security Incidents and criteria for classification and prioritization of Security Incidents. Upon becoming aware of a Security Incident, DataCamp will notify customers without undue delay and will provide reasonable information to customers in a manner reasonably sufficient to enable customers to fulfill their data breach reporting obligations under applicable law. Customers must keep their passwords secure and confidential, and notify DataCamp promptly of any known or suspected unauthorized access to the Service or any other breach of security by contacting [email protected]. DataCamp's notification of or response to a Security Incident will not be construed as an acknowledgement by DataCamp of any fault or liability with respect to the Security Incident. As used herein, a "Security Incident" means any unauthorized or accidental access, loss, alteration, disclosure or destruction of Customer Data.