Data Processing Agreement

Last Updated June 9, 2026

This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service between the party named as “Customer” in the Agreement (“Customer”) and Pylon Labs, Inc. (“Pylon”) involving the provision of Pylon’s Services or other agreement between Customer and Pylon governing Customer’s use of Pylon’s Services (as applicable, the “Agreement”) and is hereby incorporated by reference into the Agreement. All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Agreement. 

The parties hereby agree as follows:

  1. Definitions and Interpretation
    1. Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meanings:
      1. Customer Personal Data” means any Personal Data subject to Data Protection Laws contained in Customer Data that Customer provides or makes available to Pylon and is Processed on behalf of Customer in the course of providing the Services;
      2. Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction where Services are provided relating to the use or processing of Personal Data, which may include depending on the circumstances (but is not limited to): (i) the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 (“CCPA”); (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); (iii) the UK Data Protection Act 2018 and the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) (together with the EU GDPR, collectively, the “GDPR”); and (iv) the Swiss Federal Act on Data Protection (“FADP”); in each case, as updated, amended or replaced from time to time;
      3. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
      4. EEA” means the European Economic Area;
      5. EU SCCs” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time). 
      6. ex-EEA Transfer” means the transfer of Customer Personal Data, which is processed in accordance with the EU GDPR, from the Data Exporter to the Data Importer (or its premises) outside the EEA, and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the EU GDPR. 
      7.  “ex-UK Transfer” means the transfer of Customer Personal Data covered by Chapter V of the UK GDPR, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
      8. “Personal Data” means “personal data” or “personal information” as defined under Data Protection Laws. 
      9. Personal Data Breach” means a breach of security of Pylon or its Subprocessors leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Pylon’s possession, custody or control. Personal Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
      10. Process” or “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
      11. Services” means those services and activities to be supplied to or carried out by or on behalf of Pylon for Customer pursuant to the Agreement.
      12. Standard Contractual Clauses” means the EU SCCs and the UK SCCs.  
      13. Subprocessor” means any person appointed by or on behalf of Pylon to process Customer Personal Data on behalf of the Customer in connection with the DPA. 
      14. UK SCCs” means the EU SCCs, as amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 issued under Section 119A of the UK Data Protection Act 2018, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (the “UK Addendum”) and incorporated by reference to this DPA.   
    2. As used in this DPA, the terms, “Controller”, “Member State”, “Processor”, and “Supervisory Authority” shall be interpreted in accordance with the GDPR.
    3. As used in this DPA, the terms “Business”, “Business Purpose”, “Sell”, “Share” and “Service Provider” shall be interpreted in accordance with the CCPA.
  2. Scope; Role of the Parties
    1. This DPA applies to the Processing of Customer Personal Data by Pylon. 
    2. With respect to Customer Personal Data, the parties agree that Pylon is a data Processor (or, for CCPA purposes, a Service Provider) and Customer is a data Controller (or, for CCPA purposes, a Business). Each party is responsible for complying with Data Protection Laws as applicable to such party in its respective role.
  3. Processing of Customer Personal Data
    1. Pylon shall not Process Customer Personal Data other than on Customer’s documented instructions, including as documented in the Agreement and this DPA as well as through Customer’s use of the Services unless applicable laws require otherwise. If Pylon is required by applicable laws to otherwise Process Customer Personal Data, Pylon shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
    2. Customer instructs Pylon to process Customer Personal Data to provide the Services to Customer and its Authorized Users. The subject matter, nature, purpose, and duration of this processing, as well as the types of Customer Personal Data collected and categories of Data Subjects, are described in Exhibit A to this DPA.
    3. Pylon shall ensure that its personnel authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    4. Customer shall, in its use of the Services, at all times Process Customer Personal Data, and provide instructions for the Processing of Customer Personal Data, in compliance with Data Protection Laws. Customer shall ensure that the Processing of Customer Personal Data in accordance with Customer’s instructions will not cause Pylon to be in breach of Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Customer Personal Data provided to Pylon by or on behalf of Customer, (ii) the means by which Customer acquired any Customer Personal Data, and (iii) the instructions it provides to Pylon regarding the Processing of Customer Personal Data. 
    5. Pylon is prohibited from (i) Selling or Sharing Customer Personal Data; (ii) retaining, using, or disclosing Customer Personal Data for any commercial purpose other than the Business Purposes specified in this DPA and the Agreement; (iii) retaining, using, or disclosing Customer Personal Data outside the direct business relationship between Customer and Pylon; and (iv) combining Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer except as permitted under Data Protection Laws.
    6. Pylon shall notify Customer after Pylon determines that it can no longer meet its obligations under Data Protection Laws. If Customer reasonably believes that Pylon’s Processing of Customer Personal Data is not consistent with the requirements of the CCPA and upon Customer’s reasonable notification of the same to Pylon, Customer and Pylon will work together in good faith to remedy the issue, or, if after working together Customer reasonably determines that the issue cannot be remedied, Pylon will stop Processing the affected Customer Personal Data upon written instruction from Customer.
  4. Security
    1. Pylon shall implement and maintain technical and organizational measures in relation to Customer Personal Data designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access, and at a minimum such measures as are compliant with Data Protection Laws. Pylon’s security measures with respect to Customer Data as of the effective date of this DPA are set forth in Exhibit C. Pylon may update such security measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.
  5. Subprocessing
    1. Customer hereby grants its general authorization and consent for Pylon to engage its Affiliates as well as the Subprocessors on the List (defined below) to Process Customer Personal Data in connection with the Services.
    2. A list of Pylon’s current Subprocessors (the “List”) is available to Customer at usepylon.com/subprocessors. Such List may be updated by Pylon from time to time. Pylon will provide a mechanism to subscribe to notifications (which may include but are not limited to email notifications) of new Subprocessors and Customer, if it wishes, will subscribe to such notifications where available. If Customer does not subscribe to such notifications, Customer waives any right it may have to receive prior notice of changes to Subprocessors. If Customer subscribes to such notifications, Pylon will, at least ten (10) days before allowing new third-party Subprocessors to Process Customer Personal Data, add such third party to the List and notify Customer via the aforementioned notification mechanism. Customer may object to such an engagement by informing Pylon in writing within ten (10) days of receipt of the aforementioned notice by Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain Subprocessors are essential to providing the Services and that objecting to the use of a Subprocessor may prevent Pylon from providing the Services to Customer.
    3. If Customer objects to an engagement in accordance with the preceding section, Pylon may cure the objection through one of the following options: (i) Pylon will cancel its plans to use the new Subprocessor with regards to processing Customer Personal Data or will offer an alternative to provide the Services without such Subprocessor; (ii) Pylon will take the corrective steps requested by Customer in Customer’s objection notice and proceed to use the Subprocessor; or (iii) Customer may cease providing Customer Personal Data to Pylon for processing involving such Subprocessor. If the objection(s) have not been resolved to the reasonable satisfaction of the parties within thirty (30) days of Pylon’s receipt of Customer’s objection notice, then either party may terminate the Agreement with respect to the Services that cannot be provided without the use of the new Subprocessor and in such case, Customer will be refunded any pre-paid fees for the applicable subscriptions to the extent they cover periods or terms following the date of such termination. Such termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor. 
    4. Pylon will enter into a written agreement with each Subprocessor imposing on the Subprocessor data protection obligations comparable to those imposed on Pylon under this DPA with respect to the protection of Customer Personal Data. Pylon agrees to be liable for the acts and omissions of its Subprocessors to the same extent Pylon would be liable under the terms of the DPA if it performed such acts or omissions itself.
    5. With respect to Standard Contractual Clauses as described in this DPA, (i) the above authorizations will constitute Customer’s prior written consent to the subcontracting by Pylon of the Processing of Customer Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the parties agree that the copies of the agreements with Subprocessors that must be provided by Pylon to Customer pursuant to Clause 9(c) of the EU SCCs may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Pylon beforehand, and that such copies will be provided by Pylon only upon request by Customer.
  6. Data Subject Rights
    1. Taking into account the nature of the Processing, Pylon shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under Data Protection Laws with respect to Customer Personal Data.
    2. Pylon shall:
      1. To the extent Pylon is able to verify that a Data Subject is associated with Customer, promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
      2. other than to confirm receipt, ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which Pylon is subject, in which case Pylon shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before Pylon responds to the request. In the absence of Customer’s instructions to the contrary, Pylon may inform the Data Subject that the request cannot be acted upon because the request has been sent to a data Processor or Service Provider.
  7. Personal Data Breach
    1. Pylon shall notify Customer without undue delay upon Pylon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with information to allow the Customer to meet any obligations to report or inform Data Subjects or regulatory authorities of the Personal Data Breach under Data Protection Laws. Pylon’s notification of or response to a Personal Data Breach will not be construed as Pylon’s acknowledgement of any fault or liability with respect to the Personal Data Breach.
    2. Pylon shall reasonably cooperate with Customer and take reasonable commercial steps as are requested by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
  8. Data Protection Impact Assessment and Prior Consultation
    1. Pylon shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the EU GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, Pylon.
  9. Audit rights
    1. Pylon uses external auditors to assess the adequacy of its security measures with respect to Customer Personal Data. Such audits are performed at least once annually at Pylon’s expense by independent third-party security professionals at Pylon’s selection and result in the generation of a confidential audit report (“Audit Report”). Upon Customer’s written request, Pylon will provide Customer with a copy of its latest Audit Report at no cost to Customer, up to once per year. To the extent permitted by Data Protection Laws, such Audit Reports will be Pylon’s Confidential Information under the confidentiality provisions of the Agreement. To the extent permitted by Data Protection Laws, Customer agrees that the Audit Reports will be used to satisfy any audit or inspection request by or on behalf of Customer in relation to Data Protection Laws, this DPA, and/or the Agreement.
    2. To the extent Data Protection Laws require audits beyond the Audit Reports, Customer and Pylon may mutually agree to an audit plan that: (a) ensures the use of an independent third party; (b) provides notice to Pylon in a timely fashion, but at a minimum 30 days’ notice; (c) requests access only during business hours; (d) is performed at Customer’s sole cost and expense; (e) occurs no more than once annually; and (f) restricts findings to only Customer Personal Data relevant to Customer. To the extent permitted by Data Protection Laws, all information collected in connection with such audits will be Pylon’s Confidential Information under the confidentiality provisions of the Agreement.
  10. Data Transfer
    1. The parties agree that Pylon may transfer Customer Personal Data Processed under this DPA outside the EEA, the UK, or Switzerland. Customer acknowledges that Pylon’s primary Processing operations take place in the United States. If Pylon transfers Customer Personal Data Processed under this DPA to a jurisdiction for which the European Commission has not issued an adequacy decision, Pylon will ensure that appropriate safeguards have been implemented for the transfer of Customer Personal Data in accordance with the GDPR.
    2. Ex-EEA Transfers. The parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
      1. Module Two (Controller to Processor) of the EU SCCs apply when Customer is a Controller and Pylon is Processing Customer Personal Data on behalf of Customer as a Processor.
      2. Module Three (Processor to Subprocessors) of the EU SCCs apply when Customer is a Processor and Pylon is Processing Customer Personal Data on behalf of Customer as a subprocessor.
    3. For each module of the EU SCCs, where applicable the following applies: 
      1. The optional docking clause in Clause 7 does not apply. 
      2. In Clause 9, Option 2 (general written authorization) applies; 
      3. In Clause 11, the optional language does not apply;  
      4. All square brackets in Clause 13 are hereby removed; 
      5. In Clause 17 (Option 1), the EU SCCs will be governed by Ireland law.
      6. In Clause 18(b), disputes will be resolved before the courts of Ireland; 
      7. Exhibit B to this DPA contains the information required in Annex I and Annex III of the EU SCCs; 
      8. Exhibit C to this DPA contains the information required in Annex II of the EU SCCs; and 
      9. By entering into this DPA, the parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes. 
    4. Ex-UK Transfers. The parties agree that ex-UK Transfers are made pursuant to the UK SCCs, which are deemed entered into and incorporated into this DPA by reference, and amended and completed in accordance with the UK Addendum, which is incorporated herein as Exhibit D of this DPA. 
    5. Transfers from Switzerland. The parties agree that transfers of Customer Personal Data from Switzerland are made pursuant to the EU SCCs with the following modifications: 
      1. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted as references to the FADP.
      2. Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the EU GDPR. Subject to the foregoing, all other requirements of Clause 13 shall be observed. 
      3. The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs. 
    6. If either (i) any of the means of legitimizing transfers of Customer Personal Data outside of the EEA or UK set forth in this DPA cease to be valid or (ii) any supervisory authority requires transfers of Customer Personal Data pursuant to those means to be suspended, then Data Importer may by notice to the Data Exporter, with effect from the date set out in such notice, amend or put in place alternative arrangements in respect of such transfers, as required by Data Protection Laws.
    7. In the event of inconsistencies between the provisions of the Standard Contractual Clauses and this DPA or the Agreement, the Standard Contractual Clauses shall take precedence. The terms of this DPA shall not vary the Standard Contractual Clauses in any way.
  11. Term; Data Return and Destruction
    1. This DPA will remain in full force and effect so long as the Agreement remains in effect or Pylon retains Customer Personal Data in its possession or control.
    2. On termination of the Agreement for any reason or expiry of its term, and within 30 days of Customer’s request, Pylon will securely delete or destroy or, if directed in writing by Customer, return as specified in the Agreement, Customer Personal Data in its possession or control. Notwithstanding the foregoing, Pylon may retain Customer Personal Data in its ordinary course archival backups provided that: (i) Pylon operates and complies with a reasonable data archive and retention policy with a schedule for deletion and (ii) this DPA will continue to apply to Customer Personal Data until it is so deleted. If Customer and Pylon have entered into Standard Contractual Clauses as described in this DPA, the parties agree that the certification of deletion of Personal Data that is described in Clause 8.1(d) and Clause 8.5 of the EU SCCs (as applicable) shall be provided by Pylon to Customer only upon Customer’s request.
  12. General Terms
    1. This DPA forms part of the Agreement and is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Customer Personal Data.
    2. To the maximum extent permitted by law, Pylon’s liability under or in connection with this DPA (including under the SCCs) is subject to the exclusions and limitations on liability contained in the Agreement. The foregoing shall not limit the rights of data subjects pursuant to Data Protection Laws. 
    3. Except where and to the extent required as a matter of Data Protection Laws, this DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person. 
    4. This DPA and any action related thereto shall be governed by and construed in accordance with the laws as specified in the Agreement, without giving effect to any conflicts of laws principles. The parties consent to the personal jurisdiction of, and venue in, the courts specified in the Agreement.  
    5. If any provision of this DPA is, for any reason, held to be invalid or unenforceable, the other provisions of the DPA will remain enforceable. 
    6. No modification of, amendment to, or waiver of any rights under the DPA will be effective unless in writing and signed by an authorized signatory of each party. This DPA may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement.  Each party warrants to the other that the execution and delivery of this DPA, and the performance of such party’s obligations hereunder, have been duly authorized and that this DPA is a valid and legally binding agreement on each such party, enforceable in accordance with its terms.
EXHIBIT A
Details of Processing

Nature and Purpose of Processing:   Pylon will Process Customer Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer’s instructions as set forth in this DPA. The nature of Processing includes, without limitation: 

  • Receiving data, including collection, accessing, retrieval, recording, and data entry
  • Protecting data, including restricting, encrypting, and security testing
  • Holding data, including storage, organization, and structuring
  • Erasing data, including destruction and deletion
  • Analyzing data, including product usage assessment
  • Sharing data, including disclosure to subprocessors as permitted in this DPA

Categories of Data Subjects: Data Subjects include the individuals whose Customer Personal Data is provided to Pylon through the Services by or at the direction of Customer or by any employee or end user of Customer which may include, but is not limited to Personal Data relating to users, employees, contractors, agents, vendors, customers, visitors, and such other individuals whose Personal Data may be submitted to the Services; the extent of which is determined and controlled by Customer in its sole discretion depending on its use of the Services.

Categories of Personal Data: Personal Data relating to individuals provided to Pylon via the Services, by or at the direction of Customer which may include, but is not limited to the following categories of Personal Data: name, email, job title, Slack username, and communication data; the extent of which is determined and controlled by Customer in its sole discretion depending on its use of the Services.  

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Pylon will Process Customer Personal Data on an ongoing basis to provide the Services to the Customer in accordance with, and as otherwise permitted by, the Agreement, and for any disclosures compelled by law.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The term of the Agreement plus the period from the expiry or termination of the Agreement until deletion of all Customer Personal Data by Pylon in accordance with the Agreement.

EXHIBIT B

The following includes the information required by Annex I and Annex III of the EU SCCs, and Table 1, Annex 1A, and Annex 1B of the UK SCCs. 

  1. The Parties 

Data exporter(s): 

Name: The party named as “Customer” in the Agreement.

Address: The address for Customer associated with its Pylon account or as otherwise specified in the Order Form or Agreement.

Contact person’s name, position and contact details: The contact details for Customer associated with its Pylon account or as otherwise specified in the Order Form or Agreement.

Activities relevant to the data transferred under these Clauses: As described in Section 2 of the DPA.

Signature and date: By using the Services to transfer Customer Personal Data to Pylon located in a non-adequate country, the data exporter will be deemed to have signed this Exhibit B.

Role (controller/processor): Controller 

Data importer(s): 

Name: Pylon Labs, Inc. 

Address and contact information: 690 5th Street, San Francisco, CA 94107; security@usepylon.com

Activities relevant to the data transferred under these Clauses: As described in Section 2 of the DPA.

Signature and date: By transferring Customer Personal Data to a non-adequate country on Customer’s instructions, the data importer will be deemed to have signed this Exhibit B.

Role (controller/processor): Processor

Description of the Transfer

Data SubjectsAs described in Exhibit A of the DPA
Categories of Personal DataAs described in Exhibit A of the DPA
Special Category Personal Data (if applicable)As described in Exhibit A of the DPA
Nature of the ProcessingAs described in Exhibit A of the DPA
Purposes of ProcessingAs described in Exhibit A of the DPA
Duration of Processing and RetentionAs described in Exhibit A of the DPA
Frequency of the transferAs described in Exhibit A of the DPA
Recipients of Personal Data Transferred to the Data ImporterPylon maintains a list of Subprocessors at: usepylon.com/subprocessors

Competent Supervisory Authority

The Supervisory Authority shall be the Supervisory Authority of the Data Exporter, as determined in accordance with Clause 13 of the EU SCCs. The Supervisory Authority for the purposes of the UK SCCs shall be the UK Information Commissioner's Office.

EXHIBIT C

Description of the Technical and Organizational Security Measures implemented by the Data Importer

The following sets forth information regarding Pylon's security practices with respect to Customer Personal Data as of the effective date of this DPA. It includes the information required by Annex II of the EU SCCs and Annex II of the UK SCCs.

Measures of pseudonymisation and encryption of personal data Pylon has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Databases housing sensitive customer data are encrypted at rest. Pylon uses secure cipher suites and protocols to encrypt all traffic in transit and Customer Data is securely encrypted with strong ciphers and configurations when at rest.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services Pylon's customer agreements contain strict confidentiality obligations. Additionally, Pylon requires every downstream Subprocessor to sign confidentiality provisions that are substantially similar to those contained in Pylon's customer agreements. Pylon has undergone a SOC 2 Type 2 audit that includes the Security and Processing Integrity Trust Service Criteria.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Daily, weekly and monthly backups of production datastores are taken. Backups are periodically tested in accordance with information security and data management policies.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing Pylon has undergone a SOC 2 Type 2 audit that includes the Security and Processing Integrity Trust Service Criteria.
Measures for user identification and authorization Pylon uses secure access protocols and processes and follows industry best-practices for authentication, including Multifactor Authentication and Single Sign On (SSO). All access to production environments requires the use of two-factor authentication, and network infrastructure is configured to industry best practices for security.
Measures for the protection of data during transmission Pylon has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Pylon uses only recommended secure cipher suites and protocols to encrypt all traffic in transit (e.g., TLS 1.2).
Measures for the protection of data during storage Encryption-at-rest in primary hosting locations is automated using AWS's transparent disk encryption, which uses industry standard AES-256 encryption to secure all volume (disk) data. All keys are fully managed by AWS.
Measures for ensuring physical security of locations at which Customer Personal Data are Processed Primary hosting of Customer Personal Data occurs in physical data centers in the USA or EU, as applicable, that are managed by AWS. All AWS data center controls apply: aws.amazon.com/compliance/data-center/controls/
Measures for ensuring events logging Pylon monitors access to applications, tools, and resources that Process or store Customer Personal Data in Pylon's possession or control, including cloud services. Monitoring of security logs is managed by the security and engineering teams. Log activities are investigated when necessary and escalated appropriately.
Measures for ensuring system configuration, including default configuration Pylon adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems. All production changes are automated through CI/CD tools to ensure consistent configurations.
Measures for internal IT and IT security governance and management Pylon maintains an ISO 27001-compliant risk-based information security governance program. The framework for Pylon's security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data.
Measures for certification/assurance of processes and products Pylon undergoes annual SOC 2 Type II and ISO 27001 audits.
Measures for ensuring data minimisation Pylon's Customers unilaterally determine what data they route through the Services. As such, Pylon operates on a shared responsibility model. Pylon gives Customers control over exactly what data enters the platform. Additionally, Pylon has built in self-service functionality to the Services that allows Customers to delete and suppress data at their discretion.
Measures for ensuring data quality Pylon has a multi-tiered approach for ensuring data quality. These measures include: (i) unit testing to ensure quality of logic used to process API calls, (ii) database schema validation rules which execute against data before it is saved to our database, (iii) a schema-first API design using GraphQL and strong typing to enforce a strict contract between official clients and API resolvers.
Measures for ensuring limited data retention Customers unilaterally determine what data they route through the Services. As such, Pylon operates on a shared responsibility model. If a Customer is unable to delete Personal Data via the self-service functionality of the Services, then Pylon has processes to delete Customer Personal Data upon request per the terms of the DPA and the Agreement.
Measures for ensuring accountability Pylon has adopted measures for ensuring accountability, such as implementing data protection and information security policies across the business, recording and reporting Personal Data Breaches, and formally assigning roles and responsibilities for information security and data privacy functions. Additionally, Pylon conducts regular third-party audits to ensure compliance with our privacy and security standards.
Measures for allowing data portability and ensuring erasure Personal Data submitted to the Services by Customer may be deleted by the Customer or at the Customer's request as provided in the DPA. Most use cases for porting Personal Data from Pylon are not applicable given the nature of the Services. However, Pylon will respond to requests for data porting in order to address Customer needs as required by applicable Data Protection Laws.
Technical and organizational measures of Subprocessors Pylon enters into data processing agreements with Subprocessors with data protection obligations substantially similar to those contained in this DPA.

EXHIBIT D

UK Addendum

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

Part 1: Tables

Table 1: Parties

Start DateThis UK Addendum shall have the same effective date as the DPA
The Parties Exporter: Customer
Importer: Pylon
Key ContactSee Exhibit B of this DPA

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCsThe version of the Approved EU SCCs which this UK Addendum is appended to as defined in and completed in the DPA.

Table 3: Appendix Information

Annex 1A: List of PartiesAs per Table 1 above
Annex 1B: Description of TransferSee Exhibit B of this DPA
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the dataSee Exhibit C of this DPA
Annex III: List of Sub-processors (Modules 2 and 3 only)See Exhibit B of this DPA

Want faster, smarter customer support?

See how Pylon cuts the busywork and brings your support teams into one place.