DATA PROCESSING ADDENDUM

Effective as of November 14, 2024

INTRODUCTION

This Data Processing Addendum (“DPA”), including its annexes, forms an integral part of the Planner 5D Terms of Service, available at https://planner5d.com/pages/terms (“Agreement”) entered into by and between the customer, i.e. an entity or person accessing the Services (“Customer”) and UAB Planner5D, a legal entity incorporated and acting under the laws of Lithuania with its registered address at Antakalnio St. 17, Vilnius, Lithuania, LT-10312, including its subsidiaries and affiliates (“Planner 5D”). Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA will have the meanings given to them in Section 1 of this DPA.

This DPA shall apply if and to the extent Planner 5D is acting as a Processor of Personal Data and processes Personal Data on behalf of the Customer in connection with the Agreement, concluded between Planner 5D and the Customer, and incorporated by reference herein.

This DPA is supplemental to the Agreement. To the extent the Customer is using the Services under the Agreement and absent any other offline data processing agreement between the Customer and Planner 5D, the Customer shall be deemed to have accepted this DPA and applicable Standard Contractual Clauses upon acceptance or execution of the applicable Terms of Service, i.e., the Agreement.

1. DEFINITIONS

“Customer Personal Data” means Personal Data provided by the Customer or collected during their use of the Services;

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Subject” means an identifiable individual whose Personal Data is processed.

“Applicable Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the EU GDPR); (ii) Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (the EU e-Privacy Directive); (iii) the GDPR as incorporated into the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively the UK GDPR); (iv) Swiss Data Protection Act (the Swiss DPA); (v) any national data protection laws made under or pursuant to items (i) – (iv); (vi) in each case as may be amended, superseded or replaced.

“Personal Data” means any information relating to an identified or identifiable individual contained within Customer’s data, that is collected and Processed by Planner 5D in relation to provision of the Services under the Agreement.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-processors in connection with the provision of Services under the Agreement;

“Processing” means any operation or set of operations that is performed on Personal Data, whether or not by automatic means, such as viewing, accessing, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

“Services” shall have the meaning as set forth in the Agreement;

“Standard Contractual Clauses”, "SCC" and "EU SCC" means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, that may be amended, superseded or replaced;

“Sub-processor” means any processor engaged by Planner 5D to support the delivery of the Services under the Agreement;

“UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018, currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, that may be amended, superseded or replaced;

Any capitalized terms not defined in this DPA shall be given the meaning set forth in the Agreement, and in each case, their cognate terms shall be construed accordingly.

2. SCOPE AND TERMS OF PROCESSING

2.1. Roles of the Parties. The Parties acknowledge and agree that with regard to processing of Customer Personal Data, Customer is a Controller of the Customer Personal Data, and Planner 5D is a Processor of the Customer Personal Data.

2.2. Compliance with Laws. Each Party undertakes to comply with its obligations under the Applicable Data Protection Laws in respect to processing of the Personal Data under or in connection with the Agreement or this DPA. The Customer shall be solely responsible for accuracy, quality and legality of the Personal Data and the means by which the Customer obtained the Personal Data. The Customer represents and warrants that upon transferring any Personal Data to Planner 5D (i) the Customer has an appropriate and sufficient legal basis (including obtaining any necessary consents and authorizations) to collect and submit such Personal Data to Planner 5D for Processing, (ii) Planner 5D is entitled to further Process such Personal Data for the purposes of performing the Agreement and as per the terms hereof, (iii) all Personal Data submitted by the Customer to Planner 5D is accurate, true, relevant and necessary with reference to the performance of the Agreement. The Customer shall collect and maintain throughout the term of the Agreement all necessary rights, consents and authorizations to provide the Personal Data to Planner 5D and to authorize Planner 5D to Process Personal Data in accordance with this DPA.

2.3. Purpose Limitation. Planner 5D will process Customer Personal Data solely as needed to perform its obligations under the Agreement, including this DPA, and strictly in accordance with Customer’s documented instructions. Planner 5D will not process Customer Personal Data for any other purposes, except where and to the extent required by any applicable laws.

2.4. Customer’s Instructions. The Agreement, including this DPA and, if applicable, the SCCs, along with the Customer’s configuration of any settings or options in the Services constitute Customer’s complete instructions to Planner 5D in relation to Processing of Personal Data. The Customer may provide additional reasonable instructions during the term of the Agreement, provided they are consistent with the Agreement, the nature and lawful use of the Services. If Planner 5D determines that it cannot Process Customer Personal Data in accordance with the Customer's instructions due to a legal requirement under any applicable law, Planner 5D will promptly inform the Customer and suspend such Processing (other than merely storing and maintaining affected Personal Data) until the moment the Customer provides revised processing instructions with which Planner 5D is able to comply. If this provision is invoked, Planner 5D will not be liable to the Customer under the Agreement for any failure to perform the applicable Services until such time as the Customer issues new lawful instructions with regard to the Processing.

Planner 5D is not responsible for Customer’s compliance with the Applicable Data Protection Laws and has no obligation to monitor it.

2.5. Confidentiality. Planner 5D will ensure that Planner 5D personnel who are authorized to Process Customer Personal Data (i) are informed of the confidential nature of the Personal Data, (ii) are subject to the appropriate confidentiality obligations and (iii) process Customer Personal Data only for the purpose of providing the Services and fulfilling Planner 5D’s other obligations under the Agreement, including this DPA.

3. DATA SECURITY

3.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing of Personal Data, Planner 5D will implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from Personal Data Breaches, as described in the Annex 2 to this DPA (“Security Measures”). The Security Measures shall be reviewed, updated or modified by Planner 5D where and when necessary, upon decision of Planner 5D. The Customer agrees that Planner 5D may unilaterally update or modify the Security Measures from time to time provided that such updates and modifications do not materially reduce the level of protection for the Personal Data.

3.2. The Customer shall be independently responsible for determining whether the data security provided for in the Services adequately meets Customer’s obligations under the Applicable Data Protection Laws. The Customer agrees that except as provided by this DPA, the Customer shall be responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of the Personal Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Personal Data uploaded in relation to the Services.

4. PERSONAL DATA BREACH NOTIFICATION

4.1. Upon becoming aware of a Personal Data Breach, Planner 5D will notify the Customer without undue delay and will provide relevant information about the Personal Data Breach to the Customer, once it becomes available to Planner 5D. Planner 5D will make reasonable efforts to identify the cause of the Personal Data Breach and to mitigate its effects to the extent within reasonable control of Planner 5D. At Customer’s request, Planner 5D will assist Customer by providing information reasonably necessary for Customer to meet its data breach reporting obligations under the Applicable Data Protection Laws. Planner 5D’s notification of Personal Data Breach does not constitute an acknowledgement by Planner 5D of its fault or liability.

4.2. Planner 5D will document all Personal Data Breaches (if any) including the facts relating to the Personal Data Breach, its effects and remedial action taken.

4.3. After having notified the Customer about the Personal Data Breach, Planner 5D will make appropriate efforts to secure the Personal Data and limit any possible detrimental effect to the Data Subjects concerning the particular Personal Data Breach. Planner 5D will cooperate with the reasonable instructions of the Customer (if any), with any third parties designated by the Customer, and with any competent supervisory authority, to respond to the Personal Data Breach.

5. ASSISTANCE AND COOPERATION

5.1. Data Subjects Requests. Considering the nature of the Processing, upon Customer written request, Planner 5D will provide reasonable assistance to Customer to enable the Customer to respond to the Data Subject requests or to the requests from the data protection authorities relating to the processing of Personal Data under the Agreement. If any such request is made directly to Planner 5D, Planner 5D will promptly notify the Customer, redirecting the request and providing the available details. The Customer will be solely responsible for responding substantively to any such requests or communications involving Processing of Customer Personal Data, unless Planner 5D is required to do so in order to comply with applicable laws. Customer agrees to indemnify and hold harmless Planner 5D against any claims arising from Customer’s failure to respond, or inadequate response, to Data Subject requests or requests from data protection authorities when Planner 5D has notified the Customer of such requests. Planner 5D’s assistance is provided on a reasonable efforts basis and does not relieve the Customer of its primary responsibilities under Applicable Data Protection Laws.

5.2. Data Protection Impact Assessment. Upon Customer’s reasonable request, and taking into account the nature of Processing, Planner 5D will provide reasonable assistance to the Customer to conduct a data protection impact assessment and to consult with relevant data protection authority, to the extent required by the Applicable Data Protection Laws.

5.3. Right to Recover Costs for Compliance. Customer agrees to reimburse Planner 5D for any reasonable costs and expenses incurred in responding to Data Subject or regulatory requests, Data Protection Impact Assessments, or data audits initiated by the Customer, except where such actions arise due to Planner 5D’s non-compliance with this DPA.

6. RETURN AND DELETION OF PERSONAL DATA

6.1. Upon Customer’s request, or upon termination or expiry of the Agreement resulting in cessation of Services involving the Processing of Customer Personal Data, Planner 5D shall delete all copies of Customer Personal Data. This requirement shall not apply to the extent Planner 5D is required by any applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data archived on Planner 5D’s back-up systems. In this event Planner 5D shall isolate and protect the Customer Personal Data from any further processing, except to the extent required by such law until deletion is possible.

6.2. Customer may download or be provided with Customer Personal Data submitted by it, which is then Processed by Planner 5D, in a commonly acceptable, machine-readable format, for any purpose.

6.3. Upon request, Planner 5D will provide written confirmation to the Customer that the deletion or return of Personal Data has been completed.

6.4. For clarity, Planner 5D may continue to process information derived from Personal Data that has been deidentified, anonymized, and/or aggregated such that the data is no longer considered Personal Data under the Applicable Data Protection Laws in a manner that does not identify individuals to improve Planner 5D’s Services and systems.

7. SUB-PROCESSORS

7.1. Customer provides Planner 5D with general written authorization to engage Sub-processors to Process the Customer Personal Data under the Agreement. The list of Sub-processors currently engaged by Planner 5D is made available to the Customer at Sub-processors List. Sub-processors that Planner 5D engages with may change over time. In case of addition or replacement of any Sub-processor, Planner 5D will notify Customer prior to such engagement or replacement by posting the update at Sub-processors List (“Sub-processors List”). Customer may subscribe to receive email notifications when Planner 5D adds or replaces a Sub-processor by filling out this form. Customer may object to Planner 5D’s addition or replacement of a Sub-processor by notifying Planner 5D in writing at privacy@planner5d.com within thirty days as of Planner 5D’s notice on addition or replacement of Sub-processor. Such Customer’s objection shall be based on reasonable grounds related to the ability of Sub-processor to comply with Applicable Data Protection Laws. Upon receipt of such objection, Planner 5D will have the right to cure the objection through one of the following options in its sole discretion: a) Planner 5D will not appoint such objected Sub-processor, if Planner 5D is reasonably able to provide Services to the Customer under the Agreement without using the objected Sub-processor, or b) Planner 5D will allow Customer to terminate the affected Services in accordance with the Agreement, without liability to either party, if Planner 5D requires the use of the objected Sub-processor and is unable to satisfy Customer’s objection.

7.2. Where Planner 5D engages Sub-processors, Planner 5D will impose contractual terms on the Sub-processors which are no less protective for Personal Data than those set out in this DPA, to the extent applicable to the nature of services provided by such Sub-processors.

7.3. Planner 5D will remain responsible for each Sub-processor’s compliance with this DPA.

8. TRANSFER OF PERSONAL DATA

8.1. Customer Personal Data that Planner 5D processes under the Agreement may be processed in any country in which Planner 5D and Sub-processors maintain facilities to perform Services, as detailed in the Sub-processors List.

8.2. In cases authorized by the Customer under this DPA, Customer Personal Data may be transferred from the European Economic Area (“EEA”), Switzerland and the United Kingdom to countries outside EEA, Switzerland and the United Kingdom that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the EU Commission (“Adequacy Decision”), subject to proper data processing agreement in place.

8.3. If the Processing of Customer Personal Data includes transfers from the EEA, Switzerland and the United Kingdom to countries outside EEA, Switzerland and the United Kingdom, which have not been subject to an Adequacy Decision (“Other Countries”), and such transfer is not permitted through alternative recognized compliance mechanisms as may be adopted by Planner 5D for the lawful transfer of Personal Data (as defined in the Applicable Data Protection Laws), such transfer shall be subject to the terms of the respective Standard Contractual Clauses, which are deemed entered into and incorporated into this DPA by reference, and completed as indicated in sub-sections 8.3.1., 8.3.2., 8.3.3. below and in Annexes to this DPA.

8.3.1. Following Clause 8.3 hereof, in relation to transfers of Customer Personal Data under the EU SCC from either Customer to Planner 5D or from Planner 5D to Sub-processor, the EU SCC will apply completed as follows:

  1. Module Two of EU SCC (Controller to Processor) applies where Customer is a Controller of Customer Personal Data and Planner 5D is Processing Customer Personal Data as Processor;
  2. Module Three of EU SCC (Processor to Sub-processor) applies where Customer is a Processor of Customer Personal Data and Planner 5D is Processing Customer Personal Data as Sub-processor;
  3. In Clause 7 of EU SCC, the optional docking clause does not apply;
  4. In Clause 9 of EU SCC, Option 2 (general written authorization) applies, and the time period for prior notice of Sub-processor changes shall be as set out in Clause 7.1. of this DPA;
  5. In Clause 11 of EU SCC, the optional language does not apply;
  6. In Clause 17 of EU SCC, Option 1 shall apply, and the EU SCC shall be governed by the laws of the Republic of Lithuania;
  7. In Clause 18(b), disputes shall be resolved before the court of the Republic of Lithuania;
  8. Annexes of the EU SCC will be deemed completed with the information set out in the Annexes of this DPA.

8.3.2. In relation to transfers of Customer Personal Data protected by UK Data Protection Law, the EU SCCs apply as completed in accordance with Section 8.3.1. above, and are deemed amended as specified by the UK Addendum, which is deemed executed by the parties and incorporated into and forming an integral part of this DPA. In addition, Tables 1, 2 and 3 in Part 1 of the UK Addendum are deemed completed respectively with the information set out in Annexes 1 and 2 to this DPA; Table 4 in Part 1 is deemed completed by selecting “Importer.” Any conflict between the terms of the EU SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

8.3.3. In relation to transfers of Customer Personal Data protected by the Swiss DPA, the EU SCCs will apply in accordance with Sub-section 8.3.1. above, with the following modifications:

  1. Any references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the Swiss DPA;
  2. References to “EU”, “Union”, “Member State” and “Member State law” will be interpreted as references to Switzerland and Swiss law, as the case may be, and will not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs;
  3. Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland will have authority over data transfers governed by the Swiss DPA. Subject to the foregoing, all other requirements of Clause 13 will be observed;
  4. References to the “competent supervisory authority” and “competent courts” will be interpreted as references to the FDPIC and competent courts in Switzerland;
  5. In Clause 17, the EU SCCs will be governed by the laws of Switzerland; and
  6. Clause 18(b) states that disputes will be resolved before the applicable courts of Switzerland.

8.3.4. In the event that Standard Contractual Clauses are invalidated or deemed insufficient, Planner 5D and the Customer agree to cooperate in good faith to implement additional safeguards to ensure compliance with Applicable Data Protection Laws.

9. AUDIT

9.1. Customer shall have the right at its own expense, on at least thirty (30) calendar days’ notice, to perform audits (including inspections) of Planner 5D’s and its Sub-processors’ activities in accordance with the Agreement in relation to the Processing of the Customer Personal Data by Planner 5D pursuant to the terms of this DPA. Any audit under this DPA shall be limited to assessing Planner 5D’s compliance with this DPA, specifically regarding technical and organizational security measures, and shall be conducted at Customer’s expense. Except in the case of a confirmed Personal Data Breach, such audits shall not occur more than once in any twelve (12) month period.

9.2. The audit methodology shall be specified and agreed upon between the parties before the audit is carried out. Planner 5D reserves the right to limit the scope and frequency of any audit or inspection requested by the Customer to reasonable intervals. Such audits and inspections shall be conducted either by the Customer itself or by a mutually agreed independent, reputable, third-party auditor, who is not a competitor of Planner 5D, provided that such third-party auditor or Customer (in case the audit or inspection is conducted by Customer itself) shall be subject to confidentiality obligations and provided that such audits and inspections and the results therefrom, including the documents reflecting the outcome of the audit and/or the inspections, shall only be used by the Customer to assess Planner 5D’s compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Planner 5D’s prior written approval, unless otherwise mandatorily required by the Applicable Data Protection Laws. Upon Planner 5D’s first request, following completion of such audit or inspection, Customer shall return all records or documentation in Customer’s possession or control provided by Planner 5D in the context of the audit and/or the inspection. The audit shall be performed on a business day during the working hours of Planner 5D and it shall not unreasonably disturb Planner 5D’s usual course of business or jeopardize the secrecy and confidentiality of any third party’s information being in Planner 5D’s possession at the time of audit / inspection. Planner 5D will disclose only the information reasonably necessary to verify compliance with this DPA, and the Customer agrees to maintain the confidentiality of any disclosed security information.

10. GENERAL PROVISIONS

10.1. Validity. This DPA shall become effective from the moment of conclusion of the Agreement and shall remain valid until Planner 5D Processes Customer Personal Data on behalf of the Customer or until the end of the term of the Agreement, whichever is the later. Planner 5D may amend and update the terms of this DPA from time to time by posting a revised version of the DPA at this url: Data Processing Addendum.

10.2. Order of Precedence. If any terms and conditions contained in this DPA are in conflict with the terms and conditions set forth in the Agreement, the terms and conditions set forth in this DPA shall be deemed to be the controlling terms and conditions to the extent of such conflict only. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect.

10.3. Severability. Should any provision of this DPA be determined to be invalid or unenforceable, then the validity and enforceability of the other provisions of this DPA shall be affected.

10.4. Authorization. An entity agreeing to this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself.

10.5. Governing Law. This DPA shall be governed and construed in accordance with the governing law and jurisdiction provisions set in the Agreement, unless otherwise required by the Applicable Data Protection Laws or the Standard Contractual Clauses.

10.6. Limitation of Liability. Any claim or remedy Customer may have against Planner 5D, its employees, agents, affiliates and Sub-processors, arising under or in connection with this DPA (including Standard Contractual Clauses), whether in contract, tort or under any other theory or liability, shall to the maximum extent permitted by law be subject to the limitations and exclusions of liability stated in this DPA and the Agreement. The total aggregate liability of Planner 5D arising under or in connection with this DPA (including Standard Contractual Clauses) shall not exceed the greater of $750 or the amount paid by Customer to Planner 5D for use of the Services and Materials during the twelve (12) months preceding the incident giving rise to the liability. Any such claim or remedy shall be brought solely by the Customer entity that is a party to the Agreement.

10.6.1. Planner 5D shall not be liable for data breaches or Personal Data exposure caused directly or indirectly by the Customer’s actions, including but not limited to sharing login credentials, misconfiguring security settings, or any other act or omission on the Customer’s part that compromises security. In such cases, the Customer shall indemnify and hold harmless Planner 5D from any resulting claims, costs, or liabilities.

ANNEXES TO THE DPA

ANNEX 1 – Details of Processing;

ANNEX 2 – Technical and Organizational Security Measures;

ANNEX 3 – Sub-processors List.

ANNEX 1 to DPA

DETAILS of PROCESSING

1. LIST of PARTIES:

Data exporter:

Name:

The entity identified as “Customer” in this DPA.

Address:

The address of the Customer associated with Customer’s Planner 5D account or otherwise specified in this DPA or the Agreement.

Contact person’s name, position and contact details:

The contact details associated with Customer’s Planner 5D account or otherwise specified in this DPA or the Agreement.

Activities relevant to the data transferred under Standard Contractual Clauses:

The data exporter is the Customer of the data importer and utilizes the data importer’s services on planner5d.com to create interior and exterior designs, floorplans and other visual content.

Role (controller/processor):

Controller.

Data importer:

Name:

UAB Planner 5D.

Address:

Antakalnio St. 17, Vilnius, Lithuania, LT-10312.

Contact person’s name, position and contact details:

Head of Legal, privacy@planner5d.com

Role (controller/processor):

Processor.

2. DESCRIPTION of TRANSFER:

Categories of Data Subjects whose Personal Data is being Transferred:

Customer employees, consultants, agents and third parties authorized to use the Services as users under Customer’s Planner 5D account, and any other Data Subjects whose Personal Data is submitted to Planner 5D by Customer through the Services.

Categories of Personal Data being transferred:

Name, email address, any other Personal Data submitted by Customer through Services.

Information about user’s use of Services, which in conjunction with other information may constitute Personal Data: Internet Protocol (IP) address, Internet service providers (ISP), computer/device and connection information such as operating system and platform, browser type and version, location and time zone information, website navigation information.

Sensitive data transferred (if applicable) and applied restrictions or safeguards:

No sensitive data is collected by Planner 5D.

Frequency of transfer:

Customer Personal Data may be transferred on a continuous or one-off basis depending on the Customer’s use of Services and Customer’s processing instructions.

Purposes of the data transfer and further processing:

To provide, maintain and improve Services provided to data exporter under the Agreement.

Nature of processing:

Provision of Services to the Customer in accordance with the Agreement.

Duration of Processing and period for which Personal Data will be retained, or if that is not possible, the criteria used to determine that period:

The Personal Data will be retained until termination or expiry of the Agreement, as outlined in Section 6 of the DPA.

3. COMPETENT SUPERVISORY AUTHORITY:

The data exporter’s competent supervisory authority will be determined in accordance with the Applicable Data Protection Laws.

ANNEX 2 to DPA

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Planner 5D takes data security and data privacy matters seriously and responsibly. Planner 5D confirms its recognition of security measures and practices as an important part of its activities. Below is general information on how Planner 5D secures Personal Data that is entrusted to Planner 5D to the extent of the Agreement and its performance.

A. Responsible Disclosure
  1. each partner of Planner 5D signs with Planner 5D a non-disclosure agreement which serves as an instrument for securing Planner 5D’s information, including Personal Data which from time to time is in the possession of Planner 5D;
  2. only a very small part of Planner 5D’s team has access to production servers – all of them are experienced in infrastructure, development and security;
  3. Planner 5D strictly protects accesses to code or other resources, including Personal Data, which are and can be granted only on a reasonable need-to-know basis.
B. Employee Security and Safeguards
  1. all employees of Planner 5D and contingent workers are required to sign a non-disclosure agreement which serves as an instrument for securing Planner 5D’s information, including Personal Data which from time to time is in the possession of Planner 5D;
  2. Planner 5D continuously trains its personnel on best security practices, including how to identify social engineering, phishing scams and hackers.
C. Internal IT Security
  1. Planner 5D offices are secured by multiple levels of physical and programmatic protection;
  2. all the apps as well as the websites of Planner 5D are protected with SSL (HTTPS);
  3. Planner 5D works across multiple data-centers which are far away from one another so that loss of a data center would not harm functionality of Planner 5D;
  4. user data collected and processed by Planner 5D is stored in Planner 5D’s databases which have multiple levels of protection;
  5. Planner 5D maintains protection against distributed denial-of-service (DDoS);
  6. Planner 5D assures that account data is mirrored and backed up off site;
  7. employees of Planner 5D use single sign-on (SSO) and two-factor authentication;
  8. Planner 5D uses separate environments for production, staging and development activities and sensitive data from production environment is never used in other environments and is never moved therefrom;
  9. any developed features before their release are carefully tested on staging environment for security and other purposes;
  10. passwords of users’ accounts are hashed and Planner 5D’s personnel cannot know them; if a password is lost, it cannot be retrieved and it shall be reset.
D. Data Minimization
  1. Planner 5D allows its visitors to use certain functionalities of its platform anonymously and minimizes the Personal Data it requires from Customers to only what is necessary to provide the requested Services;
  2. Planner 5D does not store credit card data – all such data is handled exclusively by Planner 5D’s payment services providers.
E. Investing in Data Security
  1. Planner 5D constantly monitors for security vulnerabilities and has a bug bounty program in place to report if there is something missed;
  2. Planner 5D constantly monitors leaks of its users’ passwords on other websites and protects users’ accounts accordingly;
  3. Planner 5D uses best practices when writing code, which helps to protect from security vulnerabilities and threats;
  4. Planner 5D constantly monitors logs containing suspicious activities;
  5. Planner 5D possesses such infrastructure as well as engages support and development teams that are ready to help with the issues 24/7;
  6. Planner 5D assures constant scanning of source code repositories for security and other purposes;
  7. API, user interface and other parts are under constant automated and manual testing;
  8. Planner 5D regularly reviews and updates its internal policies and documents that impact processing of Personal Data.

ANNEX 3 to DPA

SUB-PROCESSORS LIST

The Customer authorized the use of the Sub-processors as listed at this url: Sub-processors List.