Effective: May 29, 2026

This Data Processing Addendum (“Addendum”) is entered into between the customer that accepts or is otherwise bound by the Agreement (“Customer”) and Delphina Inc. (“Service Provider”) (each, a “Party” and collectively, the “Parties”). This Addendum forms part of and is incorporated into the Agreement (defined below), and is effective upon Customer’s acceptance of the Agreement, unless separately executed by the parties. Capitalized terms not otherwise defined herein have the meanings given to them under applicable Data Protection Laws or the Agreement (as may be applicable).
1. Definitions
“Agreement” means the Delphina Terms of Service, any applicable order form, statement of work, subscription, online checkout, or other written or online agreement between Customer and Delphina governing Customer’s use of the Services, in each case as updated from time to time and to the extent such agreement incorporates this Addendum.

“Customer Data” means any and all Personal Data and Customer’s Confidential Information (as defined in the Agreement) that Service Provider Processes on behalf of Customer in the course of providing the Services.

“Controller” means the entity that determines the purposes and means of the Processing of Personal Data. This definition includes the term “business” under the CCPA and any other similar term used in Data Protection Laws.

“Data Subject” means an identified or identifiable natural person. This definition includes the term “consumer” as used in the CCPA and Other U.S. State Privacy Laws.

“Processor” means an entity that Processes Personal Data on behalf of the Controller. This definition includes the term “service provider” as used in Data Protection Laws.

“Data Protection Laws” means all applicable state or regional, national, and international laws, orders, regulations, and regulatory guidance now or in the future relating to information security, privacy and data protection applicable to the Processing of Customer Data by Service Provider under the Agreement including without limitation where applicable: (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”) and (b) the Colorado Privacy Act, the Connecticut Data Privacy Act, the Oregon Consumer Privacy Act, the Texas Data Privacy and Security Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, and other similar comprehensive state privacy laws that are or may become applicable to Service Provider’s Processing of Customer Data (collectively, “Other U.S. State Privacy Laws”); in each case, as may be amended, superseded, repealed, consolidated, or replaced, and including any implementing regulations thereunder.

“Security Incident” means any act or omission that compromises the security, confidentiality, or integrity of Customer Data, including any unauthorized Processing of, unauthorized disclosure of, or unauthorized access to Customer Data, or the compromise of any information technology systems used to Process Customer Data. For clarity, a Security Incident does not include unsuccessful login attempts, pings, port scans, denial-of-service attacks, or other network attacks that do not result in unauthorized access to or compromise of Customer Data, or incidents caused by Customer’s acts or omissions, including Customer misconfiguration, unauthorized sharing of credentials, or third-party integrations enabled by Customer.

“Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject or household. This definition includes the terms “personal information” and “personally identifiable information” as used in Data Protection Laws.

“Process”, “Processes”, or “Processing” means any operation or set of operations which is performed upon Customer Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. This definition includes the term “Process”, “Processes”, or “Processing” as may otherwise be defined by applicable Data Protection Laws.

“Services” is defined in the Agreement or otherwise means the services to be provided by Service Provider to Customer under the Agreement.

“Sub-Processor” means a third-party subcontractor engaged by Service Provider which, as part of Service Provider’s role of delivering the Services, will Process Personal Data of Customer.

2. Scope and Applicability
This Addendum applies to the Processing of Customer Data, including Personal Data, by Service Provider on behalf of Customer pursuant to the Agreement. For the purposes of this Addendum, with respect to any Personal Data, as between Service Provider and Customer, Customer is the Controller and Service Provider is the Processor. As between Customer and Service Provider, all Customer Data is owned by Customer; nothing in the Addendum shall confer any rights or ownership in such information to Service Provider. The nature and purposes of Processing of Customer Data, duration of the Processing, categories of Personal Data processed by Service Provider pursuant to the Agreement, and other details of the Processing are set forth in Annex 1. The Parties acknowledge and agree that Customer has no knowledge or reason to believe that Service Provider is unable to comply with the provisions of this Addendum.

3. Service Provider’s Obligations
Service Provider shall:
a. only Process Customer Data in accordance with the instructions provided by Customer and only to the extent necessary to perform the Services and its obligations under the Agreement;
b. not retain, use, disclose, de-identify, aggregate, or otherwise Process any Customer Data (i) in any manner that is not explicitly permitted in this Addendum or the Agreement and fully compliant with all Data Protection Laws, or (ii) for any purposes, including any business or commercial purposes, other than those set forth in the Agreement or as permitted by applicable Data Protection Laws. If Service Provider de-identifies Personal Data or receives de-identified data from Customer, Service Provider shall (1) take reasonable measures to ensure that the de-identified data cannot be re-identified or otherwise associated with a particular Data Subject or household, and (2) publicly commit to maintain and use the data in de-identified form and not attempt, or permit any third party to attempt, to re-identify the information;
c. comply with all Data Protection Laws, including by providing the same level of privacy protection for Customer Data as required by such laws;
d. at Customer’s request at any time during the term, provide Customer with a complete copy of or full access to any and all Customer Data that Service Provider is Processing on behalf of Customer;
e. immediately notify Customer if it makes a determination that it can no longer meet its obligations under Data Protection Laws, the Agreement, or this Addendum;
f. grant Customer the right, upon notice, to take reasonable steps to stop and remediate any unauthorized use of Personal Data;
g. not sell (for monetary or other valuable consideration), including however a “sale” may be defined by Data Protection Laws, or “share” (as that term is defined by the CCPA), or otherwise Process for “targeted advertising” purposes (as that phrase is defined by Data Protection Laws), any Customer Data;
h. not retain, use, or disclose Customer Data outside of the direct business relationship between Service Provider and Customer, except as permitted by Data Protection Laws; and
i. not combine any Personal Data Processed on behalf of Customer with Personal Data that the Service Provider receives from, or on behalf of, another person or business, or that Service Provider collects from its own interactions with the Data Subject outside the business purposes set forth in the Agreement and its direct business relationship with Customer.

4. Service Provider Personnel
Service Provider shall preserve and protect the confidentiality of the Customer Data, including by ensuring that access to Customer Data is limited to those employees and contractors of Service Provider (“Personnel”) who have a need to know or need to access Customer Data to enable Service Provider to perform its obligations under the Agreement. Service Provider shall ensure that its Personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Customer Data, have received appropriate training on their responsibilities, and are subject to appropriate non-use and non-disclosure obligations (whether statutory or contractual) no less restrictive than those contained in this Addendum that survive the termination of the Personnel’s engagement with Service Provider. Service Provider has appointed, where required by applicable Data Protection Laws, a data protection officer who meets the requirements under such laws for the performance of their duties.

5. Security
Service Provider shall implement and maintain appropriate technical and organizational measures to ensure a level of security of Customer Data appropriate to the risk, including at minimum the security measures set forth in Annex 2 to this Addendum, which is incorporated herein by reference.

6. Sub-Processors
Service Provider may engage Sub-Processors in connection with the provision of Services, provided that (i) a list of current Sub-Processors is maintained in Annex 3, (ii) a Sub-Processor must be bound by a written agreement that contains substantially similar obligations as those contained in this Addendum and as required by Data Protection Laws, and (iii) Service Provider shall notify Customer in writing of any proposed new Sub-Processor at least 30 days prior to such Sub-Processor Processing any Customer Data. If Customer reasonably objects to a new Sub-Processor in writing within fourteen (14) days of notification, Service Provider shall use commercially reasonable efforts to make available an alternative solution or otherwise address Customer’s concerns. Service Provider’s list of currently approved Sub-Processors is set forth in Annex 3 to this Addendum. In connection with any Sub-Processor’s Processing of Customer Data, Service Provider shall be liable for any noncompliance by any Sub-Processor with the obligations under the Agreement, this Addendum, or applicable Data Protection Laws.

7. Security Incident
Service Provider shall: (a) provide Customer with the name and contact information for an employee of Service Provider who will serve as Customer’s primary security contact; and (b) notify Customer of any Security Incident that occurs as soon as practicable, but no later than seventy-two (72) hours after Service Provider becomes aware of the Security Incident. Immediately following Service Provider’s notification to Customer of a Security Incident, the Parties shall coordinate with each other to investigate the Security Incident. Service Provider agrees to reasonably cooperate with Customer in Customer’s handling of the matter, including, without limitation, assisting with any investigation and making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards or as otherwise required by Customer. Service Provider shall promptly use best efforts to remedy any Security Incident and prevent any further Security Incident, at Service Provider’s sole cost and expense, except to the extent that the Security Incident was caused by Customer’s actions, omissions, or breach of the Agreement. Service Provider shall not inform any third party of any Security Incident without first notifying Customer, other than to inform a complainant that the matter has been forwarded to Customer’s legal counsel. Service Provider will reasonably cooperate with Customer in any litigation or other formal action deemed necessary by Customer to protect or enforce its rights with respect to the Customer Data.

8. Data Subject Requests
Service Provider shall notify Customer within five (5) business days of receipt of a request from a Data Subject for information, access to, correction, amendment, deletion, erasure, portability, restriction of Processing of that person’s Personal Data included in the Customer Data, withdrawal of consent to Processing, or other request pursuant to any Data Protection Laws (each a “DSR”). Service Provider shall not respond to any DSR without first notifying and obtaining Customer’s prior written consent, except to confirm that the request relates to Customer and has been forwarded to Customer for review and response. Service Provider shall provide reasonable cooperation, assistance, and information to Customer for the purposes of responding to and resolving any DSR, queries, complaints, or other correspondence from any Data Subject, including by amending, updating, supplementing, returning, or deleting any Personal Data as soon as reasonably practicable according to Customer’s instructions.

9. Compliance Cooperation
Service Provider will promptly refer to Customer any inquiries received by Service Provider regarding the information security or privacy practices of Customer, including with respect to Service Provider’s handling of Customer Data. Service Provider will cooperate with Customer in compiling necessary records of Processing activities with regard to Customer Data being Processed pursuant to the Agreement. Service Provider shall: (a) maintain a record in writing of all categories of Processing carried out on behalf of Customer as required by law and make such records available to Customer upon request from Customer or a relevant data protection authority or regulator (“Data Protection Authority”); (b) inform Customer without undue delay of any actions or measures taken by a Data Protection Authority or any other authority with respect to the Processing of Customer Data and make every effort to support Customer insofar as Customer is subject to an inspection by a Data Protection Authority, an administrative or criminal procedure, a claim by a Data Subject, or any other claim in connection with the Processing of Customer Data by Service Provider; and (c) assist Customer with the compilation of any data protection impact assessment or with consultation of the relevant Data Protection Authority where legally required. Service Provider will not disclose Customer Data to any third parties, including any Data Protection Authority, unless Service Provider is specifically authorized to do so in writing by Customer, the Agreement, or this Addendum, or as otherwise required by Data Protection Laws. If Service Provider is required by Data Protection Laws to disclose Customer Data to a third party, Service Provider shall provide notice to Customer of the legal requirement and allow Customer an opportunity to object or challenge the requirement, to the extent such notice is permitted by law.

10. Audit Rights
Customer (or a third party acting at its direction) shall have the right upon reasonable advance notice to Service Provider and during normal business hours to assess or audit Service Provider’s compliance with the Agreement, this Addendum, or Data Protection Laws, provided that Service Provider may satisfy such audit request by making available relevant security documentation, certifications, audit reports, security questionnaires, or other written responses sufficient to verify Service Provider’s compliance with this Addendum. Any onsite, technical, or systems-level audit will be conducted only to the extent required by applicable Data Protection Laws or following a Security Incident, and must be subject to reasonable confidentiality, security, scope, timing, and access restrictions mutually agreed by the Parties.

11. Equitable Relief
Service Provider acknowledges that any breach of its covenants or obligations set forth in this Addendum may cause Customer irreparable harm for which monetary damages would not be adequate compensation and agrees that, in the event of such breach or threatened breach, Customer is entitled to seek equitable relief, including a restraining order, injunctive relief, specific performance and any other relief that may be available from any court, without the necessity of posting a bond, in addition to any other remedy to which Customer may be entitled at law or in equity. Such remedies shall not be deemed to be exclusive but shall be in addition to all other remedies available at law or in equity, subject to any express exclusions or limitations in the Agreement to the contrary.

12. Material Breach
Service Provider’s failure to comply with any of the provisions of this Addendum is a material breach of the Agreement. In such event, Customer may terminate the Agreement effective immediately upon written notice to the Service Provider without further liability or obligation to Customer.

13. Return or Disposal of Data
Upon Customer’s request, and in any event upon termination or expiration of the Agreement for any reason, Service Provider will return or delete and destroy (at Customer’s choice), and will direct all Personnel and Sub-Processors to return or delete and destroy (at Customer’s choice), all Customer Data (including any copies) in its (and their) possession or control, including in accordance with the Agreement.

14. Indemnification
Service Provider hereby agrees to indemnify, defend, and hold harmless Customer and its affiliates, and any of their respective officers, directors, employees, representatives, and agents from and against any and all claims, causes of action, liabilities, damages, losses, costs and expenses (including reasonable attorneys’ fees and legal costs, which shall be reimbursed as incurred) arising from gross negligence or willful misconduct of Service Provider, or any Security Incident.

15. Liability
The parties agree that any liability arising under this Addendum, including for Security Incidents, is subject to the limitations and exclusions of liability set forth in the Agreement, except to the extent prohibited by applicable law.

16. Miscellaneous
Notwithstanding anything to the contrary in the Agreement, in the event and to the extent that the terms of this Addendum conflict with any of the terms of the Agreement, this Addendum supersedes the Agreement and controls solely with respect to the Processing of Personal Data and Customer Data under applicable Data Protection Laws. In the event of any conflict or inconsistency between the body of this Addendum and any contractual clauses entered into pursuant to Data Protection Laws (e.g., the EU SCCs), such legally-required clauses shall control, unless this Addendum prescribes or requires conduct that is more protective of Data Subjects or Customer. Service Provider’s obligations under this Addendum shall survive the termination of the Agreement and the completion of all services subject thereto. Service Provider may update this Addendum from time to time as described in the Agreement or as necessary to comply with applicable law.

Annex 1 — Details of Processing
A. List of Parties
Data Exporter
- Name: Customer, as identified in the Agreement or applicable order form/account.
- Address: As provided by Customer.
- Contact Person’s Name, Email, Position: As provided by Customer.
- Role (controller/processor): Controller

Data Importer
- Name: Delphina Inc.
- Address: 74 Banks Street, San Francisco, CA 94110
- Contact Person’s Name, Email, Position: Jeremy Hermann, jeremy@delphina.ai, CEO
- Role (controller/processor): Processor
B. Nature and Purpose of the Processing
1. Categories of data subjects whose Personal Data is processed: Employees, consultants, agents, contractors, or users of Customer whose Personal Data is disclosed to Service Provider.
2. Categories of Personal Data processed: With respect to employees, consultants, agents, or contractors of Customer: Name, email address, phone number, job title, account settings, IP address, and other business contact information. Information on the Customer’s users may also be processed subject to the discretion of Customer.
3. The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Continuous.
4. Nature of the processing: Service Provider provides an AI-powered analytics platform that connects to Customer’s data sources to perform automated data discovery, preparation, and predictive analytics. Processing includes the ingestion, transformation, and analysis of Customer Data for the purpose of generating insights, forecasts, and other analytical outputs in support of Customer’s business operations.
5. Purpose(s) of the data transfer and further processing: To provide the Services pursuant to the Agreement.
6. The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: The Processing will continue until the date which is the earlier to occur of: (a) the expiration or termination of the Agreement, or (b) the date that Processor retains any Personal Data related to the Agreement in its possession or control.
7. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: The subject matter of the Processing of Personal Data is set out in the Agreement and this Addendum.
8. The duration of the Processing activities: Shall be for the term set forth in the Agreement. The purpose of the Processing of Personal Data by Service Provider is the performance of the Services pursuant to the Agreement.
9. Special Categories of Data (if applicable): Customer shall not submit Special Categories of Data, protected health information subject to HIPAA, or other sensitive Personal Data to the Services unless expressly agreed by Service Provider in writing, including under a business associate agreement where required.

Annex 2 — Data Security Measures
This Annex forms part of the Addendum. Service Provider will comply with the information security requirements set forth in this Annex.

General approach
Service Provider employs a combination of policies, procedures, guidelines, and technical and physical controls that are kept up to date at levels that are at least equivalent to those that are generally accepted industry standards employed by other service providers of Service Provider’s peer group to protect the Customer Data it processes from accidental loss and unauthorized access, disclosure, or destruction. Service Provider shall review and update such policies and standards no less frequently than annually.

Governance and policies
Service Provider assigns personnel with responsibility for the determination, review and implementation of security policies and measures. Service Provider:
- has documented the security measures it has implemented in a security policy and/or other relevant guidelines and documents;
- reviews its security measures and policies on a regular basis to ensure they continue to be appropriate for the data being protected.
Breach response
Service Provider has a breach response plan that has been developed to address data breach events. The plan is regularly tested and updated at least annually.

Intrusion, anti-virus, and anti-malware defences
Service Provider IT systems used to process Customer Data have appropriate data security software installed on them, including:
- regular, and no less frequent than annual, penetration testing;
- regular, and no less frequent than quarterly vulnerability scanning;
- daily collection, and maintenance, review and audit, of event logs, and retention of such audit logs for a minimum period of six (6) months;
- use of appropriate firewall technologies to protect servers where Customer Data is stored, where such firewalls only have necessary services and ports open to the server;
- use of appropriate intrusion detection and/or prevention systems;
- deployment of current anti-malware software on all servers and workstations, and such anti-malware software is kept current with the most recent updates and patches;
- deployment of data loss prevention tools at network and host level.
Access controls
Service Provider limits access to Customer Data by implementing appropriate access controls, including:
- limiting administrative access privileges and use of administrative accounts;
- changing all default passwords before deploying operating systems, assets or applications;
- requiring authentication and authorization to gain access to IT systems (i.e. require users to enter a user id and password before they are permitted access to IT systems);
- ensuring that personnel with access to Customer Data have an individual and unique account that authenticates that individual’s access to the data which is different from the individual’s standard, corporate assigned network account;
- only permitting user access to Customer Data which the user needs to access for his/her job role or the purpose they are given access to Service Provider’s IT systems for (i.e., Service Provider implements measures to ensure least privilege access to IT systems);
- having in place appropriate procedures for controlling the allocation and revocation of Customer Data access rights, including appropriate procedures for revoking employee access to IT systems within twenty-four (24) hours of the end of the employee’s need to access such systems, when they leave their job or change role, and following termination of the Agreement;
- incorporation of appropriate segregation of duties in access rights management procedures (e.g., users cannot change their own privileges or approve their own requests);
- enforcing the use of strong passwords with over eight characters and that include three of the following requirements: upper case letters, lower case letters, numbers and special characters;
- use of multi-factor authentication when providing remote access to Service Provider’s systems or Customer Data;
- all Service Provider and Customer account passwords shall be hashed with strong cryptographic hash functions (e.g., SHA-256, SHA-3, etc.) and Service Provider shall not use deprecated functions (e.g., MD5, SHA-1, etc.). Each user’s password shall be hashed with a different salt, and Service Provider shall not reuse the same salt in multiple hashes or use short salts. Salts must be at least the same size as the output of the hash function (e.g., the output of SHA256 is 256 bits (32 bytes), so the salt should be at least 32 random bytes);
- automatic timeout and locking of user terminals if left idle;
- access to IT system is blocked after multiple failed attempts to enter correct authentication and/or authorization details;
- monitoring and logging access to IT systems;
- monitoring and logging amendments to data or files on IT systems;
- deployment of a written process regarding:
  - the addition of Customer users’ access to Customer Data processed by Service Provider;
  - the deletion of IDs of Customer users who are no longer Customer employees or who no longer require access to Customer Data processed by Service Provider;
  - provision of reports detailing additions and deletions of Customer users upon request. Service Provider shall have the capability to provide these reports on a more frequent basis at the request of the Customer.
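The password clauses above fix three checkable properties: a password longer than eight characters drawing on at least three of four character classes, a per-user random salt at least as long as the hash output (32 bytes for SHA-256) with MD5 and SHA-1 refused, and lockout after repeated failed logins. The following is an added illustration of those checks, not Delphina’s code; it assumes a PBKDF2 construction over SHA-256 (the Annex names the hash function, not the key-derivation construction), an iteration count, and a lockout threshold of five attempts, none of which the Annex specifies.

```python
import hashlib
import hmac
import os
import re

# Hash functions the Annex lists as deprecated for password storage.
DEPRECATED_HASHES = {"md5", "sha1"}
HASH_NAME = "sha256"
PBKDF2_ITERATIONS = 210_000   # assumed work factor; the Annex fixes no number
MAX_FAILED_ATTEMPTS = 5       # assumed threshold for the lockout clause


def password_meets_policy(password: str) -> bool:
    """Annex rule: over eight characters and at least three of the four
    classes (upper case, lower case, digits, special characters)."""
    if len(password) <= 8:
        return False
    classes = [
        re.search(r"[A-Z]", password),
        re.search(r"[a-z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    return sum(1 for found in classes if found) >= 3


def salt_is_acceptable(salt: bytes, hash_name: str = HASH_NAME) -> bool:
    """Annex rule: the salt must be at least the digest size of the hash."""
    return len(salt) >= hashlib.new(hash_name).digest_size


def hash_password(password: str, hash_name: str = HASH_NAME) -> dict:
    """Return a storable record: algorithm, iterations, per-user salt, digest."""
    if hash_name.lower() in DEPRECATED_HASHES:
        raise ValueError(f"{hash_name} is deprecated for password hashing")
    digest_size = hashlib.new(hash_name).digest_size
    salt = os.urandom(digest_size)  # fresh random salt per user, never reused
    assert salt_is_acceptable(salt, hash_name)
    derived = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"hash": hash_name, "iterations": PBKDF2_ITERATIONS,
            "salt": salt, "digest": derived}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        record["hash"], candidate.encode("utf-8"),
        record["salt"], record["iterations"],
    )
    return hmac.compare_digest(derived, record["digest"])


class AccountStore:
    """Minimal in-memory store wiring the checks together, including the
    'blocked after multiple failed attempts' clause."""

    def __init__(self) -> None:
        self._records: dict = {}
        self._failures: dict = {}

    def register(self, user: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet the Annex policy")
        self._records[user] = hash_password(password)
        self._failures[user] = 0

    def is_locked(self, user: str) -> bool:
        return self._failures.get(user, 0) >= MAX_FAILED_ATTEMPTS

    def login(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None or self.is_locked(user):
            return False
        if verify_password(record, password):
            self._failures[user] = 0
            return True
        self._failures[user] += 1
        return False
```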
Availability and back-up of Customer Data
Service Provider has a documented disaster recovery plan that ensures that key systems and data can be restored in a timely manner in the event of a physical or technical incident. The plan is regularly tested and updated at least annually. At the Customer’s request, Service Provider will provide results of the most recent disaster recovery test (either by providing a copy or through online presentation by Service Provider). Service Provider regularly backs up information on IT systems, and such back-ups are made at least once a week. Service Provider keeps back-ups in separate locations. Back-ups of information are tested periodically, and at least annually. Back-ups are protected from compromise to allow successful restoration in the event the main back-ups are corrupted. Service Provider ensures that there is a level of redundancy in its systems required to ensure the continued ability to provide access to Customer Data, deliver the Service and meet any agreed service level agreements. Such measures include the following: mirroring of hard disks, e.g., RAID technology; uninterruptible power supply (UPS); remote storage; anti-virus/firewall systems.

Segmentation of Customer Data
Service Provider:
- stores Customer Data on backend database servers that are physically or logically separate from the web server. The web server and backend database server shall be separated by a firewall that allows only authorized traffic to pass back and forth between the web server and the backend database server;
- separates and limits access between network components and, where appropriate, implements measures to provide for separate processing (storage, amendment, deletion, transmission) of Customer Data collected and used for different purposes;
- does not use live data for testing its systems.
Disposal of IT equipment
Service Provider:
- has in place processes to securely remove all Customer Data before disposing of IT systems;
- uses appropriate technology to purge equipment of data and/or destroy hard disks.
Encryption
Service Provider uses encryption technology where appropriate to protect Customer Data held electronically, including:
- encryption of data at rest and in transit using appropriate, up-to-date and secure encryption technology;
- encryption of portable devices used to process Customer Data using 128-bit or higher encryption.
Transmission or transport of Customer Data
Appropriate controls are implemented by Service Provider to secure Customer Data during transmission or transit, including:
- use of VPNs;
- encryption in transit;
- logging Customer Data when transmitted electronically;
- logging Customer Data when transported physically;
- ensuring physical security for Customer Data when transported on portable electronic devices or in paper form.
Device hardening
Service Provider removes unused software and services from devices used to process Customer Data. Service Provider ensures that default passwords that are provided by hardware and software producers are not used.

Asset and software management
Service Provider maintains an inventory of IT assets and the data stored on them, together with a list of owners of the relevant IT assets. Service Provider:
- documents and implements rules for acceptable use of IT assets;
- requires network level authentication and uses client certificates and network access controls to validate and authenticate systems;
- deploys automated patch management tools and software update tools for operating systems and software;
- proactively monitors software vulnerabilities and promptly implements any out of cycle patches;
- permits the use of only the latest versions of fully supported web browsers and email clients;
- does not allow local administrator rights to end users, restricting such rights to IT support staff only;
- stores API keys directly in its environment variables;
- does not store API keys on the client side;
- does not publish API key credentials in online code repositories (whether private or not); and
- uses API key management tools to retrieve and manage credentials for large development projects.
Physical security
Service Provider implements physical security measures to safeguard Customer Data, including deployment and enforcement of appropriate policies to ensure that:
- Customer Data is printed only where this is necessary for a person to perform his/her job role.
- Sensitive Customer Data or large amounts of Customer Data held in hardcopy are kept securely e.g., in locked rooms or filing cabinet. Generally, steps are taken to ensure that access to hardcopy Customer Data is limited in the same way it would be on an electronic IT system i.e., access is limited to those individuals where it is necessary for them to have access in order for them to perform their job role.
- Hardcopy documents containing Customer Data are only taken off site where necessary for a person’s job role.
- When travelling or working away from the office, hard copy documents and portable devices containing Customer Data are kept secure e.g., never left in a car or unsecured in a public place.
- Paper records which contain confidential information (including Customer Data and sensitive personal data) are shredded after use.
Staff training and awareness
Service Provider’s agreements with staff and contractors and employee handbooks set out its personnel’s responsibilities in relation to information security. Service Provider carries out:
- regular (and at least annual) staff training on data security and privacy issues relevant to their job role and ensures that new starters receive appropriate training before they start their role (as part of the onboarding procedures);
- appropriate screening and background checks on individuals that have access to sensitive Customer Data;
- regular (and at least annual) social engineering/phishing testing of staff.
Service Provider also:
- maintains a record of all individuals that have access to Customer Data, as well as evidence of their training, and shall make such records and information available to the Customer on request;
- conducts background checks, to the extent permitted under applicable law, on any of its personnel prior to assigning them to positions in which they will have access to Customer Data.