Data Processing Policies

1. Introduction and Scope

This Data Processing Agreement and its Annexes (“DPA”) is entered into by and between Easy Metrics, Inc. (“Easy Metrics,” “we,” “us,” or “our”) and {{Subscriber.Name}} (“Subscriber,” “you,” or “your”) and reflects the parties’ agreement with respect to the Processing of Personal Data by Easy Metrics on behalf of Subscriber in connection with the Easy Metrics Subscription Services under the Easy Metrics Master Services Agreement or Subscriber Terms of Service between the parties (the “Agreement”).

This DPA is supplemental to, and forms an integral part of, the Agreement. It is effective upon the earlier of: (a) the date both parties execute this DPA; (b) the date specified in an Order Form; or (c) the date Subscriber first submits Personal Data to the Subscription Services. In the event of any conflict or inconsistency between the terms of the Agreement and this DPA, this DPA shall take precedence to the extent of such conflict or inconsistency.

The term of this DPA shall follow the term of the Agreement. Terms not otherwise defined in this DPA shall have the meanings set forth in the Agreement.

2. Definitions

2.1 “Applicable Data Protection Laws”

means all worldwide legislation relating to data protection and privacy applicable to the respective party’s Processing of Personal Data under the Agreement, including without limitation: (a) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (b) the UK GDPR as incorporated by the European Union (Withdrawal) Act 2018; (c) the Swiss Federal Act on Data Protection (“FADP”); (d) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”); (e) the Virginia Consumer Data Protection Act (“VCDPA”); (f) the Colorado Privacy Act (“CPA”); (g) the Connecticut Data Privacy Act (“CTDPA”); (h) applicable data protection laws of Australia, Singapore, Canada, and Brazil (LGPD); and (i) any other applicable data protection or privacy laws; in each case as amended, repealed, consolidated, or replaced from time to time.

2.2 “California Personal Information”

means Personal Data that is subject to the protection of the CCPA/CPRA.

2.3 “Controller”

means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For purposes of U.S. State Privacy Laws, “Controller” includes “Business” as defined under the CCPA/CPRA.

2.4 “Data Subject”

means the identified or identifiable natural person to whom Personal Data relates.

2.5 “Data Subject Request”

means a request by a Data Subject to exercise any rights afforded to them under Applicable Data Protection Laws with respect to their Personal Data.

2.6 “European Data”

means Personal Data that is subject to the protection of European Data Protection Laws.

2.7 “European Data Protection Laws”

means: (a) the GDPR; (b) Directive 2002/58/EC (ePrivacy Directive); (c) applicable national implementations thereof; (d) the UK GDPR and the UK Data Protection Act 2018; and (e) the Swiss FADP and its Ordinances; in each case as may be amended, superseded, or replaced.

2.8 “Instructions”

means the documented instructions issued by Controller to Processor directing the Processor to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

2.9 “Permitted Affiliates”

means any of Subscriber’s Affiliates that: (a) are permitted to use the Subscription Services pursuant to the Agreement but have not signed a separate agreement with Easy Metrics; (b) qualify as a Controller of Personal Data Processed by Easy Metrics; and (c) are subject to Applicable Data Protection Laws.

2.10 “Personal Data”

means any information relating to an identified or identifiable natural person where such information is contained within Subscriber Data and is protected as personal data, personal information, or personally identifiable information under Applicable Data Protection Laws.

2.11 “Personal Data Breach”

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by Easy Metrics and/or its Sub-Processors in connection with the Subscription Services. Personal Data Breach shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

2.12 “Processing”

means any operation or set of operations performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Data. “Process,” “Processes,” and “Processed” shall be construed accordingly.

2.13 “Processor”

means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller. For purposes of U.S. State Privacy Laws, “Processor” includes “Service Provider” as defined under the CCPA/CPRA.

2.14 “Standard Contractual Clauses” or “SCCs”

means: (a) with respect to transfers of European Data subject to the GDPR, the standard contractual clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as set out in Annex 3; (b) with respect to transfers subject to the UK GDPR, the International Data Transfer Agreement or Addendum to the EU SCCs issued by the UK Information Commissioner’s Office (“UK Addendum”); and (c) with respect to transfers subject to the Swiss FADP, the SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner; in each case as may be amended, superseded, or replaced.

2.15 “Sub-Processor”

means any third-party Processor engaged by Easy Metrics or its Affiliates to assist in fulfilling its obligations with respect to the provision of the Subscription Services under the Agreement. Sub-Processors may include third parties or Easy Metrics Affiliates but shall exclude any Easy Metrics employee or contractor.

2.16 “U.S. State Privacy Laws”

means the CCPA/CPRA, VCDPA, CPA, CTDPA, and any other applicable U.S. state privacy or data protection law.

3. Subscriber Responsibilities

3.1 Compliance with Laws

Subscriber shall, within the scope of the Agreement and in its use of the Subscription Services, be responsible for complying with all requirements applicable to it under Applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to Easy Metrics.

In particular and without prejudice to the generality of the foregoing, Subscriber acknowledges and agrees that it shall be solely responsible for: (a) the accuracy, quality, and legality of Subscriber Data and the means by which Subscriber acquired Personal Data; (b) complying with all necessary transparency and lawfulness requirements under Applicable Data Protection Laws for the collection and use of Personal Data, including obtaining any necessary consents and authorizations; (c) ensuring Subscriber has the right to transfer, or provide access to, the Personal Data to Easy Metrics for Processing in accordance with the Agreement (including this DPA); (d) ensuring that Subscriber’s Instructions to Easy Metrics regarding the Processing of Personal Data comply with Applicable Data Protection Laws; and (e) complying with all laws applicable to any content created, sent, or managed through the Subscription Services. Subscriber shall inform Easy Metrics without undue delay if it is unable to comply with its responsibilities under this Section 3.1.

3.2 Controller Instructions

The parties agree that the Agreement (including this DPA), together with Subscriber’s use of the Subscription Services in accordance with the Agreement, constitute Subscriber’s complete and final Instructions to Easy Metrics in relation to the Processing of Personal Data. Additional Instructions outside the scope of the Agreement shall require prior written agreement between the parties.

3.3 Security

Subscriber is responsible for independently determining whether the data security provided by the Subscription Services adequately meets Subscriber’s obligations under Applicable Data Protection Laws. Subscriber is also responsible for its secure use of the Subscription Services, including protecting the security of Personal Data in transit to and from the Subscription Services and securely backing up or encrypting any such Personal Data. Easy Metrics strongly recommends that Subscriber implement data tokenization practices for Personally Identifiable Information (“PII”) prior to submission to the Subscription Services.

4. Easy Metrics Obligations

4.1 Compliance with Instructions

Easy Metrics shall Process Personal Data only for the purposes described in this DPA or as otherwise agreed within the scope of Subscriber’s lawful Instructions, except where and to the extent otherwise required by applicable law. Easy Metrics shall not: (a) “sell” or “share” Personal Data as those terms are defined under the CCPA/CPRA; (b) Process Personal Data for purposes other than the Business Purpose specified in this DPA; (c) Process Personal Data outside of the direct business relationship between the parties; or (d) combine Personal Data received from Subscriber with Personal Data received from or on behalf of another person, or collected from Easy Metrics’s own interactions with Data Subjects, except as expressly permitted under Applicable Data Protection Laws. Easy Metrics is not responsible for compliance with any Data Protection Laws applicable solely to Subscriber or Subscriber’s industry.

4.2 Conflict of Laws

If Easy Metrics becomes aware that it cannot Process Personal Data in accordance with Subscriber’s Instructions due to a legal requirement under any applicable law, Easy Metrics shall: (a) promptly notify Subscriber of that legal requirement to the extent permitted by law; and (b) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until Subscriber issues new Instructions with which Easy Metrics is able to comply. If this provision is invoked, Easy Metrics shall not be liable to Subscriber under the Agreement for any failure to perform the applicable Subscription Services until Subscriber issues new lawful Instructions regarding the Processing.

4.3 Security

Easy Metrics shall implement and maintain appropriate technical and organizational security measures to protect Personal Data from Personal Data Breaches, as described in Annex 2 to this DPA (“Security Measures”). Such measures shall take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Easy Metrics may modify or update the Security Measures at its discretion, provided that such modification or update does not result in a material degradation in the overall protection offered.

4.4 Confidentiality

Easy Metrics shall ensure that any personnel authorized to Process Personal Data on its behalf are subject to appropriate confidentiality obligations (whether contractual or statutory) with respect to that Personal Data. Easy Metrics shall ensure that access to Personal Data is limited to those personnel who require access to perform Easy Metrics’s obligations under the Agreement.

4.5 Personal Data Breach Notification

Easy Metrics shall notify Subscriber without undue delay (and in any event within seventy-two (72) hours) after becoming aware of any Personal Data Breach. Such notification shall include, to the extent available: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the name and contact details of Easy Metrics’s point of contact; (c) a description of the likely consequences of the Personal Data Breach; and (d) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects. Easy Metrics shall provide timely updates as additional information becomes available and shall, at Subscriber’s request, provide reasonable assistance to enable Subscriber to notify relevant supervisory authorities and/or affected Data Subjects, as required under Applicable Data Protection Laws.

4.6 Data Subject Requests

The Subscription Services provide Subscriber with controls to retrieve, correct, delete, or restrict Personal Data, which Subscriber may use to fulfill its obligations relating to Data Subject Requests. To the extent that Subscriber is unable to independently address a Data Subject Request through the Subscription Services, Easy Metrics shall, upon Subscriber’s written request, provide reasonable assistance to Subscriber in responding to such requests. If a Data Subject Request is made directly to Easy Metrics, Easy Metrics shall promptly inform Subscriber and advise the Data Subject to submit their request to Subscriber. Subscriber shall be solely responsible for responding substantively to any Data Subject Requests. Subscriber shall reimburse Easy Metrics for commercially reasonable costs arising from assistance beyond the standard functionality of the Subscription Services.

4.7 Data Protection Impact Assessments

To the extent required under Applicable Data Protection Laws, and to the extent that the required information is reasonably available to Easy Metrics, Easy Metrics shall provide reasonable assistance to Subscriber with data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities.

4.8 Deletion or Return of Personal Data

Upon termination or expiration of the Subscription Services, Easy Metrics shall, at Subscriber’s election, delete or return all Subscriber Data, including Personal Data (and copies thereof) Processed pursuant to this DPA. Subscriber may retrieve its Subscriber Data from its account prior to termination in accordance with the applicable Product Specific Terms. Subscriber may request deletion of its Easy Metrics account after expiration or termination of the subscription by emailing support@easymetrics.com. This obligation shall not apply to the extent Easy Metrics is required by applicable law to retain some or all of the Subscriber Data, in which case Easy Metrics shall securely isolate and protect such data from further Processing and shall delete it in accordance with its standard deletion practices. Easy Metrics shall certify the deletion of Personal Data upon Subscriber’s written request.

5. Sub-Processors

5.1 Authorization

Subscriber provides a general written authorization to Easy Metrics to engage Sub-Processors to Process Personal Data on Subscriber’s behalf. The Sub-Processors currently engaged by Easy Metrics are listed in Annex 4 to this DPA.

5.2 Notification of Changes

Easy Metrics shall notify Subscriber of any intended addition or replacement of Sub-Processors by updating Annex 4 at least thirty (30) days prior to the engagement of any new Sub-Processor, providing Subscriber the opportunity to object. Subscriber may subscribe to Sub-Processor change notifications by contacting support@easymetrics.com.

5.3 Objection Right

Subscriber may object to the engagement of a new Sub-Processor on reasonable grounds relating to the protection of Personal Data within thirty (30) days of receiving notice. If Subscriber objects, the parties shall discuss Subscriber’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no resolution is reached, Easy Metrics shall, at its sole discretion, either: (a) not appoint the new Sub-Processor; or (b) permit Subscriber to suspend or terminate the affected Subscription Services in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by Subscriber prior to suspension or termination).

5.4 Sub-Processor Obligations

Where Easy Metrics engages Sub-Processors, Easy Metrics shall: (a) impose data protection obligations on the Sub-Processors that provide at least the same level of protection for Personal Data as those set forth in this DPA; (b) where appropriate, require Sub-Processors to comply with the Standard Contractual Clauses; and (c) remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause Easy Metrics to breach any of its obligations under this DPA.

6. International Data Transfers

6.1 General

Subscriber acknowledges and agrees that Easy Metrics may access and Process Personal Data on a global basis as necessary to provide the Subscription Services, and that Personal Data may be transferred to and Processed by Easy Metrics, Inc. in the United States and to other jurisdictions where Easy Metrics Affiliates and Sub-Processors maintain operations. Each party shall ensure such transfers are made in compliance with Applicable Data Protection Laws.

6.2 Transfer Mechanisms

Easy Metrics shall not transfer Personal Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data unless it first implements appropriate safeguards to ensure the transfer complies with Applicable Data Protection Laws. Such safeguards may include: (a) the Standard Contractual Clauses; (b) binding corporate rules; (c) approved certification mechanisms; or (d) any other legally adequate transfer mechanism recognized by the relevant authorities.

6.3 Standard Contractual Clauses

To the extent that the transfer of European Data to Easy Metrics constitutes a restricted transfer under European Data Protection Laws, the parties agree to execute and comply with the applicable Standard Contractual Clauses as set forth in Annex 3, under which: (a) Subscriber shall be the “data exporter”; (b) Easy Metrics shall be the “data importer”; and (c) Module Two (Controller to Processor) shall apply. If and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses shall prevail.

6.4 UK International Data Transfer Addendum

For transfers of Personal Data subject to the UK GDPR, the UK Addendum to the EU Standard Contractual Clauses (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) shall apply and is hereby incorporated by reference.

6.5 Swiss Data Transfers

For transfers of Personal Data subject to the Swiss FADP, the Standard Contractual Clauses shall apply with the modifications required to comply with Swiss data protection law, including references to the FADP in place of the GDPR where applicable, and references to the Swiss Federal Data Protection and Information Commissioner as the competent supervisory authority.

7. Additional Provisions for European Data

7.1 Scope

This Section 7 shall apply only with respect to the Processing of European Data.

7.2 Roles of the Parties

When Processing European Data in accordance with Subscriber’s Instructions, the parties acknowledge and agree that Subscriber is the Controller and Easy Metrics is the Processor of European Data.

7.3 Legal Basis for Processing

Subscriber warrants that it has a lawful basis for each Processing activity conducted under this DPA, including but not limited to consent, performance of a contract, legitimate interests, or compliance with a legal obligation, as applicable under the GDPR.

7.4 Notification of Infringement

If Easy Metrics believes that any Instruction from Subscriber infringes European Data Protection Laws, Easy Metrics shall inform Subscriber without undue delay and shall be entitled to suspend performance of the relevant Instruction until Subscriber confirms or modifies the Instruction.

7.5 Data Protection Officer

To the extent required under European Data Protection Laws, Easy Metrics shall appoint a Data Protection Officer. Subscriber may contact Easy Metrics’s Data Protection Officer at privacy@easymetrics.com.

8. Additional Provisions for U.S. State Privacy Laws

8.1 Scope

This Section 8 shall apply with respect to Personal Data subject to U.S. State Privacy Laws.

8.2 CCPA/CPRA Provisions

When Processing California Personal Information in accordance with Subscriber’s Instructions, Subscriber is a “Business” and Easy Metrics is a “Service Provider” as those terms are defined under the CCPA/CPRA. Easy Metrics shall Process California Personal Information strictly for the Business Purpose of performing the Subscription Services and as otherwise permitted by the CCPA/CPRA. Easy Metrics certifies that it understands and will comply with its obligations under the CCPA/CPRA. Easy Metrics shall: (a) not sell or share California Personal Information; (b) not retain, use, or disclose California Personal Information for any purpose other than the Business Purpose, including for commercial purposes other than providing the Subscription Services; (c) not retain, use, or disclose California Personal Information outside of the direct business relationship between the parties; and (d) notify Subscriber if it determines it can no longer meet its obligations under the CCPA/CPRA. Subscriber has the right to take reasonable and appropriate steps to ensure Easy Metrics’s compliance and to stop and remediate unauthorized use of California Personal Information.

8.3 Other U.S. State Laws

To the extent that the Processing of Personal Data is subject to other U.S. State Privacy Laws (including the VCDPA, CPA, CTDPA, and other applicable state privacy statutes), Easy Metrics shall Process such Personal Data in accordance with the requirements applicable to “Processors” or “Service Providers” under those laws. Easy Metrics shall assist Subscriber in meeting its obligations under such laws, including with respect to Data Subject Requests, assessments, and compliance demonstrations, to the extent reasonably required.

9. Demonstration of Compliance and Audits

9.1 Audit Information

Easy Metrics shall make available to Subscriber all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws and shall allow for and contribute to audits, including inspections, by Subscriber or a qualified third-party auditor appointed by Subscriber, in order to assess compliance with this DPA.

9.2 Audit Procedures

Subscriber acknowledges that the Subscription Services are hosted by data center partners that maintain independently validated security programs (including SOC 2 Type II and ISO 27001 certifications). Subscriber’s audit rights shall be exercised as follows: (a) Easy Metrics shall, upon written request, provide Subscriber (on a confidential basis) a summary copy of its most recent SOC 2 Type II report, penetration testing report(s), and other relevant third-party audit or certification reports; (b) Easy Metrics shall provide written responses (on a confidential basis) to all reasonable information requests made by Subscriber to confirm compliance with this DPA; and (c) if Subscriber reasonably determines that the foregoing documentation is insufficient to verify compliance, Subscriber may conduct or commission an on-site audit, subject to the conditions in Section 9.3.

9.3 Audit Conditions

Any audit conducted under Section 9.2(c) shall: (a) be conducted no more than once per calendar year, unless required by a supervisory authority or following a Personal Data Breach; (b) be conducted during regular business hours with reasonable advance notice of at least thirty (30) days; (c) be subject to reasonable confidentiality obligations; (d) be conducted in a manner that minimizes disruption to Easy Metrics’s operations; and (e) be at Subscriber’s expense, except where the audit reveals material non-compliance by Easy Metrics. Where multiple Subscribers or Permitted Affiliates seek to exercise audit rights, Easy Metrics may satisfy such requests through combined audits.

10. General Provisions

10.1 Amendments

Easy Metrics reserves the right to update this DPA from time to time. If Subscriber has an active subscription, Easy Metrics shall notify Subscriber of material changes via email or in-app notification. Continued use of the Subscription Services after such notification shall constitute acceptance of the updated DPA.

10.2 Severability

If any provision of this DPA is determined to be invalid or unenforceable, the validity and enforceability of the remaining provisions shall not be affected.

10.3 Limitation of Liability

Each party’s and its Affiliates’ liability, taken in the aggregate, arising out of or related to this DPA (and any other DPAs between the parties) and the Standard Contractual Clauses, whether in contract, tort, or under any other theory of liability, shall be subject to the limitations and exclusions of liability set forth in the Agreement. In no event shall either party’s liability be limited with respect to any individual’s data protection rights under this DPA or applicable law.

10.4 Governing Law

This DPA shall be governed by and construed in accordance with the governing law provisions of the Agreement, unless required otherwise by Applicable Data Protection Laws. For the Standard Contractual Clauses, the governing law shall be determined in accordance with Annex 3.

10.5 Permitted Affiliates

By executing the Agreement, Subscriber enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Permitted Affiliates, thereby establishing a separate DPA between Easy Metrics and each such Permitted Affiliate. Each Permitted Affiliate agrees to be bound by the obligations under this DPA. The Subscriber entity that is the contracting party to the Agreement shall exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and shall coordinate all communication with Easy Metrics under this DPA.

10.6 Entire DPA

This DPA, including its Annexes, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, proposals, or representations, written or oral, concerning its subject matter.

Annex 1 — Details of Processing

This Annex forms part of the DPA and describes the Processing of Personal Data carried out on behalf of Subscriber.

A. List of Parties

Data Exporter (Controller):
  Name: {{Subscriber.Name}}
  Address: {{Subscriber.Address}}
  Contact Person: {{Subscriber.Contact.Name}}, {{Subscriber.Contact.Email}}
  Role: Controller

Data Importer (Processor):
  Name: Easy Metrics, Inc.
  Address: 500 108th Ave NE, Suite 1100, Bellevue, WA 98004, USA
  Contact Person: Data Protection Officer, privacy@easymetrics.com
  Role: Processor / Service Provider

B. Description of Processing

Subject Matter of Processing: Processing of Personal Data by Easy Metrics on behalf of Subscriber in connection with the provision of the Subscription Services as described in the Agreement.

Nature and Purpose of Processing: Storage and Processing necessary to provide, maintain, and improve the Subscription Services; data ingestion, transformation, analysis, and visualization of operational data; disclosure in accordance with the Agreement and/or as compelled by applicable laws.

Duration of Processing: For the term of the Agreement plus the period until deletion of all Personal Data in accordance with Section 4.8 of this DPA.

Categories of Data Subjects: Subscriber’s employees, contractors, collaborators, customers, prospects, suppliers, subcontractors, and other end users. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to Subscriber’s end users.

Categories of Personal Data: Contact information (name, email, phone number, address); employment details that identify a natural person (employee ID, role, department, shift data, time clock records); transactional and operational data associated with identifiable individuals; authentication credentials (email, access group, IP address); and any other Personal Data submitted by Subscriber via the Subscription Services.

Special Categories of Data: The parties do not anticipate the transfer of special categories of data (e.g., health information, biometric data, payment card data). Subscriber shall not submit special category data to the Subscription Services without prior written agreement.

Frequency of Transfer: Continuous, as determined by Subscriber’s use of the Subscription Services.

Retention Period: As specified in the Agreement and Product Specific Terms, subject to Subscriber’s deletion rights under Section 4.8.

Annex 2 — Technical and Organizational Security Measures

This Annex forms part of the DPA and describes the technical and organizational security measures implemented by Easy Metrics.

1. Access Control — Preventing Unauthorized Access

1.1 Infrastructure Security

Easy Metrics hosts its Subscription Services with outsourced cloud infrastructure providers (primarily Google Cloud Platform and Amazon Web Services). Physical and environmental security controls at these facilities are audited for SOC 2 Type II and ISO 27001 compliance. Easy Metrics maintains contractual agreements with all infrastructure providers that include appropriate data protection obligations.

1.2 Authentication

Easy Metrics implements a uniform authentication policy for its Subscription Services, including integration with industry-standard identity providers (Auth0/Okta). Subscribers who interact with the Subscription Services via the user interface must authenticate before accessing non-public Subscriber Data. Multi-factor authentication is available and recommended.

1.3 Authorization

Subscriber Data is stored in multi-tenant storage systems accessible to Subscribers only via application user interfaces and application programming interfaces. Subscribers are not permitted direct access to the underlying infrastructure. The authorization model is designed to ensure that only appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
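The authorization model described above (a user's permissions validated against the attributes attached to each data set, on top of tenant separation in multi-tenant storage) can be illustrated with the following added example. This is not Easy Metrics code and assumes nothing about its actual schema: the data set attributes (site, department, sensitivity), the grant format, and the sample users and data sets are all constructed for illustration. It shows the two properties a reviewer would check in such a model: the tenant check runs before any attribute evaluation, and access is denied by default (no grants, an empty grant, or a grant naming an attribute the data set lacks all deny).

```python
"""Illustrative attribute-based data set authorization (added example, not
Easy Metrics code). Assumed model: every data set carries a tenant id and a
dict of attributes; every user carries a tenant id and a tuple of grants,
where each grant maps an attribute name to a set of allowed values or "*"."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataSet:
    name: str
    tenant: str
    attributes: dict  # constructed, e.g. {"site": "bellevue", "department": "shipping"}


@dataclass(frozen=True)
class User:
    user_id: str
    tenant: str
    grants: tuple  # each grant: {attribute_name: set_of_allowed_values | "*"}


def grant_matches(grant: dict, attributes: dict) -> bool:
    """A grant covers a data set only if it names at least one attribute and
    every named attribute is present on the data set with an allowed value.
    An empty grant is treated as a misconfiguration and never matches."""
    if not grant:
        return False
    for key, allowed in grant.items():
        if key not in attributes:
            return False  # data set lacks the attribute: fail closed
        if allowed != "*" and attributes[key] not in allowed:
            return False
    return True


def authorize(user: User, dataset: DataSet) -> tuple:
    """Return (allowed, reason). Tenant isolation is checked first so that
    grants are never evaluated across tenant boundaries."""
    if user.tenant != dataset.tenant:
        return False, "tenant mismatch"
    if not user.grants:
        return False, "no grants"
    for grant in user.grants:
        if grant_matches(grant, dataset.attributes):
            return True, f"grant {grant} matches"
    return False, "no matching grant"


def visible_datasets(user: User, datasets: list) -> list:
    """Names of the data sets the user may access, in input order."""
    return [d.name for d in datasets if authorize(user, d)[0]]


# Constructed sample data (hypothetical tenants, sites and users).
DATASETS = [
    DataSet("shift_records_bellevue", "acme",
            {"site": "bellevue", "department": "shipping", "sensitivity": "internal"}),
    DataSet("payroll_summary", "acme",
            {"site": "bellevue", "department": "hr", "sensitivity": "confidential"}),
    DataSet("shift_records_tacoma", "other-co",
            {"site": "tacoma", "department": "shipping", "sensitivity": "internal"}),
]

SHIPPING_LEAD = User("u-101", "acme", ({"site": {"bellevue"}, "department": {"shipping"}},))
HR_ANALYST = User("u-202", "acme", ({"department": {"hr"}, "sensitivity": {"confidential", "internal"}},))
OTHER_TENANT_ADMIN = User("u-303", "other-co", ({"site": "*"},))
NO_ROLE = User("u-404", "acme", ())
EMPTY_GRANT = User("u-505", "acme", ({},))

if __name__ == "__main__":
    for user in (SHIPPING_LEAD, HR_ANALYST, OTHER_TENANT_ADMIN, NO_ROLE, EMPTY_GRANT):
        for ds in DATASETS:
            allowed, reason = authorize(user, ds)
            print(f"{user.user_id} -> {ds.name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The ordering matters: because the tenant comparison happens before any grant is inspected, a broadly scoped grant such as `{"site": "*"}` held by a user in one tenant can never reach a data set belonging to another, which is the property that keeps multi-tenant storage safe even when per-tenant grants are misconfigured.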

1.4 API Access

Public product APIs may be accessed using API keys or OAuth 2.0 tokens. API access is subject to rate limiting and logging.

2. Access Control — Preventing Unauthorized Use

2.1 Network Security

Network access control mechanisms include Virtual Private Cloud (VPC) implementations, security group assignment, and firewall rules designed to prevent unauthorized network traffic from reaching the Subscription Services infrastructure.

2.2 Intrusion Detection and Prevention

Easy Metrics implements a Web Application Firewall (WAF) solution to protect hosted applications and other Internet-accessible services. The WAF is designed to identify and prevent attacks against publicly available network services.

2.3 Code Security

Automated and manual security reviews of code stored in source code repositories are performed, checking for coding best practices and identifiable software flaws (static code analysis). Easy Metrics maintains relationships with industry-recognized penetration testing service providers for regular penetration tests (at minimum quarterly). Results and remediation plans are documented.

3. Personnel Security

3.1 Access Limitations

A limited subset of Easy Metrics employees has access to the Subscription Services and Subscriber Data via controlled interfaces. All access requests are logged. Employee roles are reviewed at least once every six months, and high-risk privilege grants are reviewed regularly.

3.2 Background Checks

All Easy Metrics employees undergo a third-party background check prior to being extended an employment offer, in accordance with applicable laws. All employees are required to conduct themselves in accordance with company guidelines, non-disclosure requirements, and ethical standards.

3.3 Training

Easy Metrics provides regular data protection and security awareness training to all employees who handle Personal Data.

4. Encryption

4.1 Data In-Transit

Easy Metrics makes HTTPS encryption (TLS 1.2 or higher) available on every application interface. HTTPS implementation uses industry-standard algorithms and certificates.

4.2 Data At-Rest

Sensitive information, including login credentials, is stored using industry-recognized best practices for encryption. Easy Metrics employs technologies such as Google Cloud KMS and AWS KMS to ensure that data is encrypted at rest and access is controlled via granular key management policies.

5. Incident Detection and Response

5.1 Logging and Monitoring

Easy Metrics’s infrastructure is designed to log extensive information about system behavior, traffic, authentication, and application requests. Internal systems aggregate log data and alert appropriate personnel of malicious, unintended, or anomalous activities.

5.2 Incident Response

Easy Metrics maintains documented incident response procedures. Suspected and confirmed security incidents are investigated using industry-standard practices. All incidents are tracked with descriptions, dates, times, relevant activities, and disposition. Notification to Subscriber shall be in accordance with Section 4.5 of this DPA.

6. Availability and Resilience

6.1 Infrastructure Availability

Easy Metrics partners with Internet-scale infrastructure providers that use commercially reasonable efforts to ensure a minimum of 99.9% uptime and maintain N+1 redundancy for power, network, and HVAC services across multiple geographic regions.

6.2 Backup and Recovery

Backup and replication strategies are designed to ensure redundancy and failover protections. Subscriber Data is backed up nightly to durable data stores and replicated across multiple availability zones where necessary. All databases are backed up using industry-recognized best practices, including nightly snapshots and physically segregated data vaults. Note: Easy Metrics’s backup services are designed for disaster recovery purposes. Subscriber is responsible for maintaining its own separate backups for mission-critical data.

6.3 Business Continuity

The service architecture is designed for redundancy and seamless failover. Server instances are designed to prevent single points of failure, supporting maintenance and updates while limiting downtime.

Annex 3 — Standard Contractual Clauses

This Annex forms part of the DPA.

EU Standard Contractual Clauses

For transfers of European Data subject to the GDPR, the parties agree to be bound by the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, which are hereby incorporated by reference into this DPA. The SCCs shall apply as follows:

Module Two (Controller to Processor) shall apply where Subscriber (as data exporter/Controller) transfers European Data to Easy Metrics (as data importer/Processor).

Clause 7 — Docking Clause: The optional docking clause shall apply, enabling Permitted Affiliates to accede to the SCCs as data exporters.

Clause 9(a) — Sub-Processors: Option 2 (General Written Authorization) shall apply. Easy Metrics shall inform Subscriber of any intended addition or replacement of Sub-Processors in accordance with Section 5.2 of this DPA, giving Subscriber the opportunity to object within thirty (30) days.

Clause 11 — Redress: The optional language regarding independent dispute resolution shall not apply.

Clause 13 — Supervision: Where the data exporter is established in an EU Member State, the supervisory authority of that Member State shall act as the competent supervisory authority. Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR, the supervisory authority of the Member State referenced in Article 27(1) GDPR shall apply. Where the data exporter is established in the UK, the UK Information Commissioner’s Office shall be the competent supervisory authority. Where the data exporter is established in Switzerland, the Swiss Federal Data Protection and Information Commissioner shall be the competent supervisory authority.

Clause 17 — Governing Law: Option 1 shall apply. The SCCs shall be governed by the law of the EU Member State in which the data exporter is established, or, where the data exporter is not established in the EU, the law of Ireland. For UK transfers, the SCCs (as supplemented by the UK Addendum) shall be governed by the laws of England and Wales. For Swiss transfers, the SCCs shall be governed by Swiss law.

Clause 18 — Forum and Jurisdiction: Disputes shall be resolved before the courts of the jurisdiction identified in Clause 17.

UK International Data Transfer Addendum

For transfers of Personal Data subject to the UK GDPR, the UK Addendum to the EU Standard Contractual Clauses (as issued by the Information Commissioner under Section 119A of the Data Protection Act 2018, as updated from time to time) is hereby incorporated by reference. In the event of any conflict between the UK Addendum and the SCCs, the UK Addendum shall prevail with respect to UK transfers.

Swiss Addendum

For transfers of Personal Data subject to the Swiss FADP, the SCCs shall apply with the following modifications: (a) references to the GDPR shall be interpreted as references to the FADP; (b) references to “Member State” shall not be interpreted to exclude Swiss Data Subjects from invoking their rights; (c) the Swiss Federal Data Protection and Information Commissioner shall serve as the competent supervisory authority; and (d) the SCCs shall be governed by Swiss law.

Annex 4 — List of Sub-Processors

This Annex forms part of the DPA and lists the Sub-Processors authorized by Subscriber to Process Personal Data on behalf of Subscriber. Last updated: {{Document.Date}}.

| Sub-Processor | Purpose of Processing | Data Processed | Applicability | Location |
|---|---|---|---|---|
| Google Cloud Platform (GCP) | Primary cloud infrastructure provider. Provides compute, storage, database, and data processing services for the Subscription Services. | Raw data files, transactional data, time clock records, application configuration, processed results | All Subscribers | United States |
| Amazon Web Services (AWS) | Cloud infrastructure provider. Provides temporary data storage via S3 for automated data ingestion. S3 uses secure protocols over HTTPS. | Raw data files, transactional data, time clock records | Subscribers not using GCP storage | United States |
| Auth0 (Okta, Inc.) | Authentication and identity management platform. Provides service authentication and SSO integration. ISO 27001 certified. | Email, name, access group, login IP address | All Subscribers | United States |
| Looker (Google LLC) | Data visualization platform for graphical representation of post-processed operational data. | Transformed and aggregated Subscriber data | All Subscribers | United States |
| Atlassian (Jira) | Change management and issue tracking platform for support and troubleshooting. ISO 27001 certified. | Application configuration, raw and processed data for troubleshooting | Subscribers who file support tickets requiring specific data to reproduce | United States / Australia |
| Asana | Project management platform for tracking implementation progress and configuration. | Application configuration, sample data files, point-of-contact information | All Subscribers | United States |
| Salesforce | Subscriber Relationship Management platform for client contact management, sales, and marketing communications. ISO 27001 certified. | Client point-of-contact information, sales communications | Subscribers and prospects contacted through sales and marketing | United States |
| Microsoft (Tableau Cloud) | Business intelligence and data modeling platform for executive reporting. | Raw data, transformed data | Subscribers requesting specialized BI integrations | United States |
| Consero Global | Financial operations and billing management. | Contracts, SLAs, points of contact | All Subscribers | United States |

Easy Metrics shall update this Annex as necessary and shall notify Subscriber of any changes in accordance with Section 5.2 of this DPA.