Privacy and Personal Information Protection


Under this Schedule B and applicable laws regulating the Processing of Personal Information (“Applicable Privacy Laws”), Customer is the data controller and Terranova is the data processor.
Customer and Terranova warrant that they will comply with all obligations under Applicable Privacy Laws in connection with the Processing of Personal Information that is collected by or disclosed to it under the Agreement.


1 DEFINITIONS
The terms “Personal Information”, “Process” and “Processing” have the meaning under Applicable Privacy Laws, and “Customer Personal Information” means Personal Information disclosed to Terranova by Customer, including all Personal Information about or concerning Authorized Users.
Unless otherwise specifically provided, all terms with a capital letter have the same meaning as under the Agreement. If a term is not defined, it will have the meaning given under Applicable Privacy Laws.
• Subject matter and Purpose of the processing:
    • Where the Customer has purchased the Training Platform: Terranova will process the data provided by the Customer for the purpose of providing Customer and Authorized Users access to a web-based training platform. The Training Platform enables Customer to send security awareness training to employees, track attendance and quiz results, and reporting.
    • Where the Customer has purchased the Phishing Platform: Terranova will process the data provided by the Customer for the purpose of providing Customer and Authorized Users access to a Phishing Platform. The Phishing Platform enables Customer to send simulated phishing messages, track simulation results and reporting.
    • Where the Customer has purchased Professional and/or Managed Services: Terranova will process the data provided by the Customer for the purpose of providing all or some of the activities in any of the two products described above on behalf of the Customer, as set forth in this Agreement.
• Duration of the processing: During the Subscription Term.
• Type of Personal Information processed: Professional coordinates (name, physical and email addresses, IP address and phone number) of Authorized Users.
• Categories of data subject: Customer’s Authorized Users.


2 DATA PROCESSING OBLIGATIONS
Terranova agrees that, in relation to Customer Personal Information, it must (a) only Process it for the purposes of providing the Products and Services to Customer; (b) not disclose Customer Personal Information to any other person without Customer’s prior written consent, unless the disclosure is required by applicable law (and Terranova immediately notifies Customer, unless such notification is prohibited by that law); (c) take appropriate action to ensure any Terranova personnel who Process Customer Personal Information understand and comply with Terranova’s privacy and confidentiality obligations under the Agreement and this Schedule; (d) upon request, provide all reasonable assistance to Customer to facilitate the exercise of rights of data subjects; (e) provide information reasonably required by Customer to meet its obligations under Applicable Privacy Laws and to demonstrate compliance with this Schedule; and (f) promptly notify Customer as soon as it has received a complaint from any individual regarding the way his or her Personal Information has been processed and cooperate when Customer is investigating any claim related to individual complaints.


3 PERSONAL INFORMATION TRANSFERS
Terranova must not transfer the Customer Personal Information outside of the country where it is hosted as of the Effective Date, unless approved in writing by Customer. The Customer Personal Information is hosted in the territory within the European Union on the Effective Date, and Terranova will not transfer the Customer Personal Information outside the territory of the European Union, unless authorized in writing by the Customer.


4 INFORMATION SECURITY AND BREACH NOTIFICATION
4.1. Terranova has put into place and agrees to maintain during the Subscription Term appropriate technical and organizational measures to secure Customer Personal Information, having regard to the risk of accidental or unauthorized access, loss, destruction, misuse, modification, disclosure or damage to Personal Information.
4.2. If Terranova has knowledge of any (i) accidental loss or destruction of, or unauthorized disclosure of or access to Customer Personal Information; or (ii) data security breach on any of the systems used in the provision of the Products and Services, Terranova must (A) expeditiously report such incident to Customer; (B) mitigate, to the extent practicable, any harmful effect of such disclosure or access that is known to Terranova or its subcontractors; (C) cooperate with Customer in providing any notices to affected individuals regarding the incident, as directed by Customer; and (D) cooperate with any investigation into the incident that is subsequently undertaken by any data privacy authority, in consultation with Customer.
• Terranova’s contact: Jamal Elachqar, Chief Technology Officer, jamal@terranovasecurity.com
• Customer’s contact: As provided by Customer to Terranova or in the relevant Purchase Agreement.


5 COMPLIANCE
Terranova will provide Customer (and its auditors and other advisers) with all reasonable co-operation and assistance in relation to any compliance request pursuant to this Schedule B, including as a result of a request by any regulatory body.


6 SUB-PROCESSORS
In the event Terranova wishes to delegate the Processing of Customer Data to a new sub-processor or change a previously appointed sub-processor, Terranova will provide a notice of such appointment or change in appointment to Customer. All sub-processors retained by Terranova and having access to unencrypted Customer Personal Information will be retained pursuant to written agreements providing terms and obligations equivalent to those of this Schedule B and the relevant portions of the Agreement.
As of the Effective Date, the sub-processors used by Terranova, and approved by Customer, are the following:

Europe:
• Microsoft Azure (data center located in Ireland): infrastructure and application hosting; and
• AWS (Ireland): email delivery.