Data Processing Addendum

Last updated: November 9, 2024

This Data Processing Addendum (“DPA”) forms part of Alpine Anchor’s Master Services Agreement, including any Order Form placed under it (together, the “Agreement”) entered into by and between Alpine Anchor, LLC (“Alpine Anchor”) and the Account Holder who enters into the Agreement with Alpine Anchor (“Account Holder”). Any terms not defined in this DPA shall have the meaning set forth in the Agreement. In the event of a conflict between the terms and conditions of this DPA and the Agreement, the terms and conditions of this DPA shall take precedence with regard to the subject matter of this DPA.

1. Definitions

(a) “Anonymous Data” means Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable Data Subject.

(b) “Authorized Individual” means an employee of Alpine Anchor who has a need to know or otherwise access Personal Data to enable Alpine Anchor to perform its obligations under this DPA or the Agreement.

(c) “Authorized Sub-Processor” means the Sub-Processor engaged by Alpine Anchor who is either (1) listed as a Sub-Processor on Alpine Anchor’s List and/or (2) authorized by Account Holder under Section 4 of this DPA.

(d) “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

(e) “Data Protection Laws” means all applicable federal and state laws and regulations regarding privacy and data protection.

(f) “Data Subject” means an identified or identifiable person to whom Personal Data relates.

(g) “Instruction” means a direction, either in writing, in textual form (e.g., by e-mail) or by using a software or online tool, issued by Account Holder to Alpine Anchor and directing Alpine Anchor to Process Personal Data.

(h) “Personal Data” means any information relating to Data Subjects Processed through the Services by Alpine Anchor on behalf of Account Holder. Personal Data does not include Anonymous Data.

(i) “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

(j) “Process” or “Processing” means any operation performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

(k) “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

(l) “Services” means the services provided by Alpine Anchor pursuant to the Agreement.

(m) “Sub-Processor” means another Processor engaged by Alpine Anchor to process Personal Data.

2. Relationship of the Parties; Processing of Data

(a) Account Holder acknowledges and agrees that with regard to the Processing of Account Holder Usage Data and product support data, Account Holder may act either as a Controller or Processor and Alpine Anchor is an independent Controller. Alpine Anchor has the right to Process Usage Data or support ticket data relating to or obtained in connection with the operation, support, or use of the Services for its legitimate business purposes.

(b) Account Holder shall Process Personal Data in compliance with all applicable laws and regulations. Account Holder is solely responsible for the accuracy, quality, and legality of Personal Data and the means by which Account Holder acquired such data.

(c) Alpine Anchor shall Process Personal Data only (i) for the purposes set forth in the Agreement and this DPA, (ii) in accordance with the Instructions provided by Account Holder, and (iii) in compliance with applicable Data Protection Laws.

3. Authorized Individuals

(a) Alpine Anchor shall take commercially reasonable steps to ensure that access to Personal Data is limited to Authorized Individuals.

(b) Alpine Anchor shall ensure that all Authorized Individuals are bound by confidentiality obligations.

4. Authorized Sub-Processors

(a) Account Holder acknowledges that Alpine Anchor may engage Sub-Processors in connection with the provision of the Services.

(b) Alpine Anchor will provide notice to the Account Holder of any new Sub-Processor. Account Holder may object to such engagement in writing within ten (10) days of receipt of the notice.

5. Security Measures

Alpine Anchor shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data, including:

  • Encryption of Personal Data in transit and at rest
  • Access controls and authentication requirements
  • Regular security assessments and updates
  • Employee training on data security
  • Incident response procedures
  • Regular backups
  • System monitoring and logging

6. Data Subject Rights

(a) Alpine Anchor shall promptly notify Account Holder upon receipt of any request from a Data Subject regarding their Personal Data.

(b) Alpine Anchor shall provide reasonable assistance to Account Holder in responding to Data Subject requests, where possible.

7. Personal Data Breach Response

(a) Alpine Anchor shall notify Account Holder within 48 hours of becoming aware of a confirmed Personal Data Breach.

(b) Alpine Anchor shall provide reasonable assistance to Account Holder in addressing and responding to the Personal Data Breach, including implementing any commercially reasonable corrective measures required by the Master Services Agreement.

8. Audit Rights

(a) Account Holder may request a copy of Alpine Anchor’s most recent third-party audit report related to the security and privacy controls of our systems and Services once per calendar year (“Annual Audit Report”). The Annual Audit Report will cover:

  1. Infrastructure security controls
  2. Access management systems
  3. Data encryption practices
  4. Incident response procedures
  5. Business continuity and disaster recovery
  6. Security monitoring and logging systems
  7. Compliance with documented security policies

(b) To request an Annual Audit Report, Account Holder must submit a written request to [email protected] with at least sixty (60) days advance notice. The request must:

  1. Specify the scope of information being requested
  2. Provide details about how the information will be used
  3. Include any specific compliance requirements that need to be addressed

(c) Upon receipt of a valid request, Alpine Anchor will provide the Annual Audit Report within the 60-day notice period, subject to appropriate confidentiality obligations being in place.

(d) The Annual Audit Report and any related information are considered Alpine Anchor’s Confidential Information and shall be protected accordingly under the terms of the Agreement.

(e) If Account Holder requires any additional audit-related information beyond what is contained in the Annual Audit Report to meet specific regulatory or contractual obligations, Account Holder must:

  1. Submit a detailed written request outlining the additional requirements
  2. Provide documentation of the specific regulatory or contractual obligations necessitating the additional information
  3. Allow Alpine Anchor an additional 30 days to respond to such requests

(f) Account Holder shall be responsible for any costs associated with requests for additional audit-related information beyond the standard Annual Audit Report.

9. Return or Deletion of Data

Upon termination of the Services, Alpine Anchor shall delete or return all Personal Data to Account Holder, unless required to retain such data by applicable law.

Schedule 1 - Details of Processing

Categories of Data Subjects:

  • Account Holder employees, contractors, and agents
  • Account Holder customers and business partners

Categories of Personal Data:

  • Names
  • Email addresses
  • IP addresses
  • Other Personal Data as determined by Account Holder

Purpose of Processing:

  • Providing the Services as specified in the Master Services Agreement
  • Technical support and maintenance
  • Service optimization and improvement

Duration of Processing:

  • For the duration of the Agreement plus any required retention period

Schedule 2 - Security Measures

Alpine Anchor implements and maintains appropriate technical and organizational security measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are detailed in Section 5 and include:

  1. Access Control
    • Multi-factor authentication
    • Role-based access control
    • Regular access reviews
    • Secure password policies
  2. Data Security
    • Encryption of data in transit and at rest
    • Regular security updates and patches
    • Vulnerability scanning
    • Network security controls
  3. Operational Security
    • Security monitoring and logging
    • Incident response procedures
    • Regular security training for employees
    • Business continuity and disaster recovery plans
  4. Organizational Measures
    • Security policies and procedures
    • Employee confidentiality agreements
    • Regular security assessments
    • Vendor security reviews

For more detailed information about our security practices, please contact [email protected].