Data Privacy Exhibits

1. Categories of Data Subjects

Data Subjects of any Client Personal Data that generally can be processed in this Cloud Service may include Client’s and its affiliates’ employees, contractors, business partners, or customers, and to the extent required by law any other legal entities whose personal data is processed by the Cloud Service. AG2 will process Personal Data of all Data Subjects listed above in accordance with the Agreement. Given the nature of the Services, Client acknowledges that AG2 is not able to verify or maintain the above list of Categories of Data Subjects. Therefore, if Client will not use this Cloud Service with all the Data Subjects as set out above, then Client is responsible for providing complete, accurate, and up-to-date information to AG2 on the actual Data Subjects from within the above list that Client will process in this Cloud Service via Additional Instructions to AG2 as set out in the AG2 Data Processing Addendum (DPA). https://AG2.com/dpa

2. Personal Data

The lists as set out below are the Types of Personal Data and Special Categories of Personal Data that generally can be processed within this Cloud Service. AG2 will process all Types of Personal Data and Special Categories of Personal Data listed below in accordance with the Agreement. Given the nature of the Services, Client acknowledges that AG2 is not able to verify or maintain the below lists of Types of Personal Data and Special Categories of Personal Data. Therefore, if Client will not use this Cloud Service for all the Types of Personal Data and Special Categories of Personal Data as set out below, then Client is responsible for providing complete, accurate, and up-to-date information to AG2 on the actual Types of Personal Data and Special Categories of Personal Data from within the below list that Client will process in this Cloud Service via Additional Instructions to AG2 as set out in the DPA.

2.1 Types of Personal Data

  • Basic Personal Information (such as name, address, phone number, email, etc.) Client should not include personal data in text fields that are not intended for or do not request personal data.

2.2 Special Categories of Personal Data

  • This Cloud Service was not designed to process any Special Categories of Personal Data.

3. Processing Activities

The processing activities with regard to Client Content (including Client Personal Data) within this Cloud Service include:

  • Receipt of Content from Data Subjects and/or third parties
  • Computer processing of Content, including data transmission, data retrieval, data access, and network

 access to allow data transfer if required

  • Technical customer support involving Content at Customer request, including monitoring, problem

 determination, and problem resolution

  • Transformation and transition of Content as necessary to deliver the Cloud Service
  • Storage and associated deletion of Content
  • Backup of Content

4. Duration of Processing

  • AG2 will remove Content (including Client Personal Data) that is stored or persisted within this Cloud Service within 90 days after termination or expiration of the Cloud Service. Some Content (including Client Personal Data) may remain in the Cloud Service backups until the expiration of such backups 93 days after data is removed from the online service.

5. Technical and Organizational Measures

The following Technical and Organization Measures (TOMs) apply to all Content processed by AG2 within this Cloud Service (including Client Personal Data):

5.1 Base Technical and Organizational Measures

AG2’s foundational Technical and Organizational Measures for data protection within its Cloud Services are as described in AG2’s Data Security and Privacy Principles for AG2 Cloud Services (https://www.atmosphericg2.com/ /data-security)

5.2 Amendment to TOMs

This cloud service makes the following Amendments to the foundational TOMs as described within AG2’s Data Security and Privacy Principles for AG2 Cloud Services:

  • This Cloud Service does not provide annual independent third-party penetration testing.

5.3 Additional TOMs

The following additional TOMs are applicable to this Cloud Service:

5.3.1 Data Protection

• Client Content is encrypted when transmitted by AG2 on any public networks.

• Client Content is encrypted when transmitted by AG2 within the Cloud Service’s private datacenter

network.

• Client Content is encrypted at rest within the AG2 Cloud Datacenter.

5.3.2 Business Continuity

• The Cloud Service has Business Continuity plans in place to provide for the recovery of both the Cloud

Service, and the associated Client Content, within days in the event of a corresponding disaster.

5.4 Certifications

This Cloud Service provides the following industry recognized compliance, certifications, attestations,

or reports as one measure of proof of this Cloud Service’s implementation of these Technical and

Organizational Measures:

  • ISO 27001
  • ISO 27017
  • ISO 27018

6. Deletion and Return of Content

  • If requested prior to termination or expiration of the Service, AG2 will return a copy of Client Content that is accessible to AG2 within a reasonable period and in a reasonable format.
  • Client may also request removal of Content (including Client Personal Data) at any time prior to termination or expiration of the Cloud Service.

7. AG2 Hosting and Processing Locations

The following AG2 data hosting and processing locations are utilized for this Cloud Service. Client may be

able to request that AG2 utilize a subset of these locations.

  • AG2 Data Hosting Locations: None
  • AG2 Data Processing Locations: United States
  • The AG2 legal entities associated with each of the AG2 Data Hosting and AG2 Data Processing Locations set out above are Subprocessors and can be found at https://www.AG2.com/cloud/subprocessors.

8. Third Party Sub-Processors

This Cloud Service involves the following third party Sub-processors in the Processing of Content, including Client Personal Data:

  • Third Party Sub-Processors:
  • AWS (for data hosting), United States
  • AWS (for data hosting), Ireland
  • SendGrid (for data processing), United States

Any changes to Sub-processors will be communicated via email notification

9. International Data Transfer

  • EU Standard Contractual Clauses signed by all AG2 Data Importers, if applicable, are available at: https://www.AG2.com/software/sla/sladb.nsf/sla/eumc. <<url to be updated>>

10. Privacy Contact and Customer Notifications

The general privacy contact for AG2 Cloud Services is DPA.Help.project@uk.AG2.com. <<Need to change email address>>

  • A self service portal is also available at mycloudservices.atmospheicg2.com to allow subscribed customers to sign up for push notifications of any changes to the data processing or technical and organizational measures  associated with this AG2 Cloud service.

11. Data Privacy Officer and Other Controller

  • Client is responsible for providing complete, accurate and up-to-date information about its data privacy officer and any other Controllers (including their data privacy officer). Please see the Privacy Contact and Customer communications section for contact information.