This DPA is for illustrative purposes only. To request an executable version of this DPA,
please email privacy@paloalto.com

Palo Alto Software Data Processing Addendum

Controller (Business) to Processor (Service Provider)

This Palo Alto Software Data Processing Addendum (this “DPA”), including its two exhibits, is entered into by and between Palo Alto Software, Inc. (“Palo Alto Software”) and __________________ (“Customer”) (each, a “Party” and collectively, the “Parties”). This DPA reflects the Parties' agreement with respect to the terms governing the Processing of Personal Data under the LivePlan Terms of Service (the “Agreement”). This DPA hereby supplements and amends the Agreement and shall be effective immediately upon signing, as indicated by the date under the Parties signatures (the “Effective Date”).

The term of this DPA shall follow the term of the Agreement.

Terms not otherwise defined herein shall have the meaning as set forth in the Agreement.

This DPA Includes:

  • Further details of the Processing (Exhibit A).
  • Jurisdiction Specific Terms (Exhibit B).

Recitals

  • Whereas, the Parties entered into the Agreement and have retained the power to alter, amend, revoke, or terminate the Agreement as provided in the Agreement;
  • Whereas, the Parties now wish to amend the Agreement to ensure that Personal Data (as defined below) transferred between the Parties is Processed in compliance with applicable data protection principles and legal requirements.
  • Now, Therefore, in consideration of the mutual agreements set forth in this DPA, the Parties agree as follows:

1. Definitions

1.1. Capitalized definitions not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified or supplemented below, the definitions of the Agreement shall remain in full force and effect.
1.2. For the purpose of interpreting this DPA, the following terms shall have the meanings set out below:
(a) Agreement” means LivePlan's Terms of Service, which govern the provision of Services to Customer, as such terms may be updated by Palo Alto Software from time to time.
(b) Applicable Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including laws of the European Union (or any member state thereof) and the laws of any other country, province, or state to which the Processing of the Personal Data is subject;
(c) Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
(d) Contracted Processor” means any third party appointed by or on behalf of Palo Alto Software to Process Personal Data on behalf of Customer in connection with the Agreement;
(e) Customer” means the party that has entered into this DPA with Palo Alto Software as indicated in the opening paragraph of this DPA;
(f) GDPR” or “General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 “on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC,” as may be amended from time to time;
(g) Personal Data” means any information relating to an identified or identifiable* natural person (a “Data Subject”) Processed by Palo Alto Software on behalf of the Customer pursuant to or in connection with the Agreement
*an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(h) Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data which Palo Alto Software Processes on behalf of the Customer in connection with the Agreement;
(i) Personal Data Recipient” means Palo Alto Software, a Contracted Processor, or both collectively;
(j) Processing” (or any cognate terms) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(k) Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller;
(l) Services” means the services and other activities carried out by or on behalf of Palo Alto Software for the Customer pursuant to the Agreement.

2. Relationship with the Agreement

2.1. The parties agree that this DPA shall replace any existing DPA the Parties may have previously entered into in connection with the Services.
2.2. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
2.3. Any claims brought under or in connection with this DPA shall be subject to the terms and conditions (including but not limited to, the exclusions and limitations) set forth in the Agreement.
2.4. Any claims against Palo Alto Software or its affiliates under this DPA shall be brought solely against the entity that is a party to the Agreement. In no event shall any party limit its liability with respect to any individual's data protection rights under this DPA or otherwise. Customer further agrees that any regulatory penalties incurred by Palo Alto Software in relation to the Personal Data that arise as a result of, or in connection with, Customer's failure to comply with its obligations under this DPA or any Applicable Laws shall count toward and reduce Palo Alto Software's liability under the Agreement as if it were liability to the Customer under the Agreement, to the fullest extent permitted under the applicable laws.
2.5. No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
2.6. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Laws.

3. Applicability

3.1. This DPA applies where and only to the extent that Palo Alto Software Processes Personal Data that is subject to Applicable Laws on behalf of Customer as Processor in the course of providing Services pursuant to the Agreement.
3.2. If Palo Alto Software determines the purposes and means of Processing with respect to Personal Data, Palo Alto Software shall be a Controller with respect to such Processing operations and shall act in accordance with the Palo Alto Software Privacy Policy and Applicable Laws.
3.3. This DPA will apply to the Processing of all Personal Data, regardless of country of origin, place of Processing, location of Data Subjects, or any other factor.

4. Processing and Disclosing of Personal Data

4.1. In the context of this DPA and its appendices, with regard to the Processing of Personal Data, 1) when Customer acts as a Controller, Palo Alto Software acts as a Processor; and 2) when Customer acts as a Processor, Palo Alto Software acts as a Sub-Processor. For the avoidance of doubt, both situations fall within the scope of and are covered by this DPA.
4.2. Palo Alto Software shall:
(a) comply with all Applicable Laws in the Processing of Personal Data;
(b) not Process Personal Data other than on Customer’s relevant documented instructions (including with regard to international transfers of Personal Data), unless such Processing is required by Applicable Laws to which the relevant Personal Data Recipient is subject, in which case Palo Alto Software shall to the extent permitted by Applicable Laws, inform Customer of that legal requirement before the respective act of Processing of that Personal Data;
(c) only conduct transfers of Personal Data in compliance with all applicable conditions, as laid down in Applicable Laws;
(d) not retain, delete, or otherwise Process Personal Data contrary to or in the absence of the direct instructions of the Customer, provided, however, that the Customer expressly and irrevocably authorizes such retention, deletion, or other Processing if and to the extent required or allowed by Applicable Laws; and
(e) immediately inform the Customer in the event that, in Palo Alto Software’s opinion, a Processing instruction given by the Customer may infringe Applicable Laws.
4.3. The Customer shall provide all information which is applicable to the Customer, as provided in Exhibit A, attached hereto, and incorporated by reference, and keep all such information complete and up to date.
4.4. The Customer instructs Palo Alto Software (and authorizes Palo Alto Software to instruct each Contracted Processor) to Process Personal Data, and in particular, transfer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Agreement and this DPA.
4.5. The Customer represents and warrants that it has all necessary rights to provide the Personal Data to Palo Alto Software for the purpose of Processing such data within the scope of this DPA and the Agreement. Within the scope of the Agreement and in its use of the Services, the Customer shall be solely responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Personal Data to Palo Alto Software and the Processing of Personal Data.

5. Palo Alto Software Personnel

5.1. Palo Alto Software shall take reasonable steps to ensure the reliability of any of its employees, agents, or contractors who may have access to Personal Data.
5.2. Palo Alto Software shall ensure that access to Personal Data is strictly limited to those individuals who need to know or access it, as strictly necessary to fulfill the documented Processing instructions given to Palo Alto Software by the Customer or to comply with Applicable Laws.
5.3. Palo Alto Software shall ensure that all such individuals are subject to formal confidentiality undertakings, professional obligations of confidentiality, or statutory obligations of confidentiality.

6. Security of Processing

6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, Palo Alto Software shall, with regard to Personal Data, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to that risk, as well as assist the Customer with regard to ensuring compliance with the Customer’s obligations pursuant to the Applicable Laws.
6.2. In assessing the appropriate level of security, Palo Alto Software shall take account, in particular, of the risks that are presented by the nature of such Processing activities, and particularly those related to possible Personal Data Breaches.
6.3. The Customer is responsible for reviewing the information made available by Palo Alto Software relating to data security and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations under Applicable Laws. The Customer acknowledges that the security measures are subject to technical progress and development and that Palo Alto Software may update or modify the security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
6.4. Notwithstanding the above, the Customer agrees that, except as provided by this DPA, the Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of the Personal Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any Personal Data uploaded to the Services.

7. Subprocessing

7.1. The Customer authorizes Palo Alto Software to appoint (and permit each Contracted Processor appointed in accordance with this Section 6 to appoint) Contracted Processors in accordance with this Section 6 and any possible further restrictions, as set out in the Agreement, as the case may be.
7.2. Palo Alto Software may continue to use those Contracted Processors already engaged by Palo Alto Software as of the date of this DPA, subject to Palo Alto Software meeting the obligations set out in Section 6.4. The list of Palo Alto Software’s Contracted Processors as of the Effective Date is located at: https://www.paloalto.com/policies/processors.
7.3. Palo Alto Software shall provide Customer prior written notice of the appointment of any new Contracted Processor by updating the list of Palo Alto Software Contracted Processors. Customer may object in writing to Palo Alto Software's appointment of any Contractor processor within five (5) calendar days of posting such notice of that contractor Processor’s appointment, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss Customer's concerns in good faith with a view to achieving resolution. If this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination) as a remedy.
7.4. With respect to each Contracted Processor, Palo Alto Software shall:
(a) carry out adequate due diligence to ensure that the Contracted Processor is capable of providing the level of protection and security for Personal Data required by this DPA, the Agreement, and Applicable Laws before the Contracted Processor first Processes Personal Data or, where applicable, in accordance with Section 6.2; and
(b) ensure that the arrangement between Palo Alto Software and the prospective Contracted Processor is governed by a written contract that includes terms which offer at least the same level of protection for Personal Data as those set out in this DPA, and that such terms meet the requirements of Applicable Laws.

8. Rights of the Data Subjects

8.1. Taking into account the nature of the Processing, Palo Alto Software shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by the Customer, to respond to requests to exercise rights of the Data Subjects under Applicable Laws.
8.2. With regard to the rights of the Data Subjects within the scope of this Section 7, Palo Alto Software shall:
(a) promptly notify Customer if any Personal Data Recipient receives a request from a Data Subject under any Applicable Law with respect to Personal Data;
(b) ensure that the Personal Data Recipient does not respond to that request, except on the documented instructions of Customer, or as required by Applicable Laws to which the Personal Data Recipient is subject, in which case Palo Alto Software shall, to the extent permitted by Applicable Laws, inform Customer of that legal requirement before the Personal Data Recipient responds to the request.
8.3. The Customer agrees to pay Palo Alto Software, upon receipt of invoice, a reasonable fee based on the time spent, as well as to account for the materials expended, in relation to the Customer exercising its rights under this Section 8 or the Standard Contractual Clauses.

9. Personal Data Breach

9.1. Palo Alto Software shall notify the Customer without undue delay upon Palo Alto Software becoming aware of a Personal Data Breach affecting Personal Data under Palo Alto Software’s direct control or upon Palo Alto Software being notified of a Personal Data Breach affecting Personal Data under the direct control of a Contracted Processor, providing the Customer with sufficient information to allow the Customer to meet any applicable obligations pursuant to the Applicable Laws, such as to report to the supervisory authorities or any other competent authorities, or inform the Data Subjects of the Personal Data Breach.
9.2. Palo Alto Software shall cooperate with Customer and take all reasonable commercial steps to assist Customer in the investigation, mitigation, and remediation of each such Personal Data Breach.
9.3. Palo Alto Software’s notification of or response to a Personal Data Breach under this Section 8 will not be construed as an acknowledgement by Palo Alto Software of any fault or liability with respect to the Personal Data Breach.

10. Data Protection Impact Assessment and Prior Consultation

10.1. Palo Alto Software shall provide Customer with relevant information and documentation, such as, if available, an audit report (upon a written request and subject to obligations of confidentiality), with regard to any data protection impact assessments, and prior consultations with supervisory authorities when the Customer reasonably considers that such data protection impact assessments or prior consultations are required pursuant to Applicable Laws but in each such case solely with regard to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the respective Personal Data Recipient.

11. Deletion or Return of Personal Data

11.1. Palo Alto Software shall provide the Customer with the technical means, consistent with the way the Services are provided, to request the deletion of Personal Data upon the request of the Customer unless Applicable Laws require storage of any such Personal Data.
11.2. Palo Alto Software shall promptly, following the date of cessation of Services involving the Processing of Personal Data, at the choice of the Customer delete or return all Personal Data to the Customer as well as delete existing copies, unless Applicable Laws require storage of any such Personal Data.

12. Security Reports and Audits

12.1. Customer acknowledges that Palo Alto Software is regularly audited against PCI standards by independent third-party auditors and internal auditors. Upon request, Palo Alto Software shall supply (on a confidential basis) a summary copy of its audit report(s) to Customer, so that Customer can verify Palo Alto Software's compliance with the audit standards against which it has been assessed, and this DPA.
12.2. Palo Alto Software shall also provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires that are necessary to confirm Palo Alto Software's compliance with this DPA.

13. Audit Rights

13.1. Where the Customer is entitled to and desires to review Palo Alto Software’s compliance with the Applicable Laws, the Customer may request, and Palo Alto Software will provide (subject to obligations of confidentiality) relevant documentation, or any relevant audit report Palo Alto Software might have been issued, as elaborated in Section 12. If the Customer, after having reviewed such audit report(s), still reasonably deems that it requires additional information, Palo Alto Software shall further reasonably assist and make available to the Customer, upon a written request and subject to obligations of confidentiality, all other information (excluding legal advice) and/or documentation necessary to demonstrate compliance with this DPA, and the obligations pursuant to the Applicable Laws (Articles 32 to 36 of the GDPR in particular), and shall allow for and contribute to audits, including remote inspections of the Services, by the Customer or an auditor mandated by the Customer with regard to the Processing of the Personal Data by the Contracted Processors. Palo Alto Software shall provide the assistance described in this Section 13.1, insofar as in Palo Alto Software reasonable opinion such audits, and the specific requests of the Customer, do not interfere with Palo Alto Software’s business operations or cause Palo Alto Software to breach any legal or contractual obligation to which it is subject.
13.2. The Customer agrees to pay Palo Alto Software, upon receipt of invoice, a reasonable fee based on the time spent, as well as to account for the materials expended, in relation to the Customer exercising its rights under this Section 13 or clause 5(f) of the Standard Contractual Clauses.

14. Jurisdiction Specific Terms

14.1. To the extent Palo Alto Software processes Personal Data originating from, or protected by, Applicable Laws in one of the jurisdictions listed in Exhibit B, then the terms specified in Exhibit B with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) shall apply in addition to the terms of this DPA.
14.2. Palo Alto Software may update Exhibit B from time to time, to reflect changes in or additions to Applicable Laws to which Palo Alto Software is subject. If Palo Alto Software updates Exhibit B, it will provide the updated Exhibit B to the Customer. If the Customer does not object to the updated Exhibit B within 14 days of receipt, the Customer will be deemed to have consented to the updated Exhibit B.
14.3. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this DPA, the applicable Jurisdiction Specific Terms will take precedence.

15. No Selling of Personal Data

15.1. Palo Alto Software acknowledges and confirms that it does not receive any Personal Data as consideration for any services or other items that Palo Alto Software provides to the Customer. The Customer retains all rights and interests in Personal Data. The Customer agrees to refrain from taking any action that would cause any transfers of Personal Data to or from Palo Alto Software to qualify as selling Personal Data under Applicable Laws.

16. Indemnification.

16.1. The Customer agrees to indemnify and hold harmless Palo Alto Software and its officers, directors, employees, agents, affiliates, successors, and permitted assigns against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind which Palo Alto Software may sustain as a consequence of the breach by the Customer of its obligations pursuant to the Applicable Laws, where this DPA is not in full force and effect.

17. General Terms

17.1. This DPA supersedes and replaces all prior and contemporaneous proposals, statements, sales materials or presentations and agreements, oral and written, with regard to the subject matter of this DPA, including any prior data processing addenda entered into between the Palo Alto Software and the Customer.
17.2. All clauses of the Agreement, that are not explicitly amended or supplemented by the clauses of this DPA, and as long as this does not contradict with compulsory requirements of Applicable Laws under this DPA, remain in full force and effect and shall apply.
17.3. In the event of any conflict between the Agreement (including any annexes and appendices thereto) and this DPA, the provisions of this DPA shall control.
17.4. Should any provision of this DPA be found legally invalid or unenforceable, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the DPA will continue in effect.
17.5. If Palo Alto Software makes a determination that it can no longer meet any of its obligations in accordance with this DPA, it shall promptly notify the Customer of that determination, and cease the Processing or take other reasonable and appropriate steps to remediate.
17.6. If you are accepting the terms of this DPA on behalf of an entity, you represent and warrant to Palo Alto Software that you have the authority to bind that entity and its affiliates, where applicable, to the terms and conditions of this DPA.

18. Data Protection Officer

18.1.

The identity and contact information of the Data Protection Officer of Palo Alto Software is:

Palo Alto Software, Inc.
44 W. Broadway, STE 500
Eugene, OR 97401
USA

privacy@paloalto.com

19. EU Representative.

19.1.

The European Union Representative of Palo Alto Software pursuant to Article 27 of the GDPR is:

VeraSafe Czech Republic s.r.o.
Klimentská 46
Prague 1, 11002
Czech Republic

VeraSafe Ireland Ltd
Unit 3D North Point House,
North Point Business Park, N
ew Mallow Road, Cork T23AT2P, Ireland

Contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/

[ THE REMAINDER OF THIS PAGE IS INTENTIONALLY LEFT BLANK ]

[ SIGNATURE PAGE TO THE PALO ALTO SOFTWARE DATA PROCESSING ADDENDUM FOLLOWS ]

Each Party is signing this DPA on the date stated below that Party's signature.

Palo Alto Software, Inc.


Signature


Name


Title


Date

[Customer Full Legal Name]


Signature


Name


Title


Date

[ SIGNATURE PAGE TO THE PALO ALTO SOFTWARE DATA PROCESSING ADDENDUM]

Exhibit A


1. Further details of the Processing, in addition to the ones laid down in the Agreement and this DPA, include:

1.1. The subject matter of the Processing of Personal Data is:
(a) The subject matter of the Processing of Personal Data pertains to the provision of Services, as requested by the Customer.
1.2. The duration of the Processing of Personal Data is:
(a) The duration of the Processing of Personal Data will be Processed for the duration of the Agreement, subject to Section 5 of this DPA.
1.3. The nature and purpose of the Processing of Personal Data is:
(a) Personal Data will be Processed for purposes of providing the Services set out and otherwise agreed to in the Agreement and any applicable Order. The nature of such Processing is related to these purposes and is elaborated on in this DPA and the Agreement.
1.4. The categories of Personal Data to be Processed are:
(a) Biographical information, such as first and last name
(b) Contact information, such an email address
(c) Professional information
(d) Email messages and attachments;
(e) Personal Data such as navigational data and;
(f) Any other type of Personal Data captured through custom fields.
1.5. The categories of Data Subjects to whom the Personal Data relates are:
(a) Any individual accessing and/or using the Service through the Customer's account (“Users”); and any individual: (i) whose information is stored on or collected via the Services, or (ii) to whom Users send emails or otherwise engage or communicate with via the Services within the scope of the Agreement and this DPA, such as customers, business partners, or recipients of emails.
1.6. Description of the technical and organizational security measures implemented by Palo Alto Software:

a. Access Control

i. Preventing Unauthorized Product Access

Outsourced Processing: Palo Alto Software hosts its Service with outsourced cloud infrastructure providers. Additionally, Palo Alto Software maintains contractual relationships with Contracted Processors in order to provide the Services in accordance with our DPA. Palo Alto Software relies on contractual agreements, privacy policies, and Contracted Processors compliance programs in order to protect Personal Data Processed or stored by these Contracted Processors.

Physical and environmental security: Palo Alto Software hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.

Authentication: Palo Alto Software implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public Personal Data.

Authorization: Personal Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Palo Alto Software's products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user's permissions against the attributes associated with each data set.

Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through Oauth authorization.

ii. Preventing Unauthorized Product Use

Palo Alto Software implements industry standard access controls and detection capabilities for the internal networks that support its products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Network scanning: Palo Alto Software contracts with third-party vulnerability scanners to regularly review the Services for common vulnerabilities and to maintain PCI compliance.

Penetration testing: Palo Alto Software maintains relationships with industry recognized penetration testing service providers for annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.

iii. Limitations of Privilege & Authorization Requirements

Product access: A subset of Palo Alto Software's employees have access to the products and to Personal Data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective Customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security.

b. Transmission Control

In-transit: Palo Alto Software makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces. Palo Alto Software's HTTPS implementation uses industry standard algorithms and certificates.

At-rest: Palo Alto Software stores user passwords following policies that follow industry standard practices for security.

c. Input Control

Detection: Palo Alto Software designed its infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Palo Alto Software personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: Palo Alto Software maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Palo Alto Software will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.

Communication: If Palo Alto Software becomes aware of unlawful access to Personal Data stored within its products, Palo Alto Software will: 1) notify the affected Customers of the incident; 2) provide a description of the steps Palo Alto Software is taking to resolve the incident; and 3) provide status updates to the Customer contact, as Palo Alto Software deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer's contacts in a form Palo Alto Software selects, which may include via email or telephone.

d. Availability Control

Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Personal Data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

Palo Alto Software's products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Palo Alto Software operations in maintaining and updating the product applications and backend while limiting downtime.

Exhibit B


Jurisdiction Specific Terms

1. Transfers of EU Personal Data

1.1. Privacy Shield” (as used in this Section) means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017, respectively.
1.2. Restricted Transfer of EU Personal Data” (as used in this Section) means any transfer of Personal Data (including data storage in foreign servers) that would be prohibited by the GDPR in the absence of the execution of the Standard Contractual Clauses (as defined below) or another lawful data transfer mechanism;
1.3. Standard Contractual Clauses” (as used in this Section) means the contractual clauses adopted by Decision of the European Commission (Commission Decision C(2010)593) for the purpose of adducing adequate protection of Personal Data transferred from a Controller to a Processor established in a third country, where the legislation in such third country has not been deemed to provide an adequate level of data protection.
1.4. With regard to any Restricted Transfer of EU Personal Data from the Customer to Palo Alto Software within the scope of this DPA, one of the following transfer mechanisms shall apply, in the following order of precedence:
(a) Palo Alto Software's EU-U.S. and Swiss-U.S. Privacy Shield Framework self-certifications (if any);
(b) the Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under Article 46 of the GDPR); or
(c) any other lawful basis, as laid down in the GDPR, as the case may be.
1.5. This DPA hereby incorporates by reference the Standard Contractual Clauses (updated from time to time to reflect the latest version promulgated by the European Commission) for the Customer (as “data exporter”) to Palo Alto Software Contractual Clauses would reflect the information as contained Exhibit A to this DPA. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary, in their entirety (including the Appendices thereto, and including the “Illustrative Indemnification Clause” as an operative clause).
1.6. In cases where the Standard Contractual Clauses apply, and there is a conflict between the terms of the DPA and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall control.

2. California

2.1. Applicable Laws” (as used in the DPA) includes the California Consumer Privacy Act of 2018, Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018 (“CCPA”) as may be amended from time to time.
2.2. Business Purpose” (as used in this Section) shall have the same meaning as in the CCPA;
2.3. Commercial Purpose” (as used in this Section) shall have the same meaning as in the CCPA;
2.4. Controller” (as used in the DPA) includes “Business” as defined under the CCPA.
2.5. Data Subject” (as used in the DPA) includes “Consumer” as defined under the CCPA.
2.6. Personal Data” (as used in the DPA) includes “Personal Information” as defined under the CCPA.
2.7. Personal Data Breach” (as used in the DPA) includes “Breach of the Security of the System” as defined under the CCPA.
2.8. Processor” (as used in the DPA) includes “Service Provider” as defined under the CCPA.
2.9. The Customer discloses Personal Data to Palo Alto Software solely for: (i) valid Business Purposes; and (ii) to enable Palo Alto Software to perform the Services under the Agreement.
2.10. Palo Alto Software shall not: (i) sell Personal Data; (ii) retain, use or disclose Personal Data for a Commercial Purpose other than providing the Services specified in the Agreement or as otherwise permitted by the CCPA; nor (iii) retain, use, or disclose Personal Data except where permitted under the Agreement between the Customer and Palo Alto Software. Palo Alto Software certifies that it understands these restrictions and will comply with them.

3. United Kingdom

3.1. Applicable Laws” (as used in the DPA) includes the Data Protection Act 2018.