DATA PROTECTION ADDENDUM

(Version dated December 14, 2023)

The terms of this Data Protection Addendum (“DPA”) are incorporated into the Order (as defined below) between Precisely Software Incorporated (“Precisely”) and Customer pursuant to which Precisely is providing certain Hosted Software and associated Services for the DPA Term to reflect the parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of all Applicable Laws, including Data Protection Laws. Orders for Hosted Software pursuant to an Order are governed by the version of this DPA applicable on the Effective Date of the Order as indicated by the version date above. The terms of this DPA may not be modified with respect to the Order to which they apply except by mutual agreement of Customer and Precisely. New versions of this DPA will only apply to subsequent Orders.

This DPA applies only to the extent Precisely Processes Customer Personal Data on behalf of Customer in connection with the Hosted Software and associated Services as a Data Processor (as such terms are defined below). In the event and to the extent of a conflict between this DPA and the Order, this DPA shall control with respect to that conflict. In the event and to the extent of a conflict between this DPA and the SCCs, the SCCs shall control with respect to that conflict.

1.  DEFINITIONS

1.1  For the purposes of this DPA, the following terms will have the corresponding definitions:

 “Applicable Laws” means all laws, regulations, binding court orders, and binding regulatory decisions in any jurisdiction as may be applicable to either party or otherwise relevant to this DPA.

“Business Days” means any day excluding Saturday, Sunday and any day which is recognized as a legal holiday in the jurisdiction of either of the parties.

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. The term Data Controller shall include the term “Business” as that term has been defined in the CCPA.

“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller. The term Data Processor shall include the term “Service Provider” as that term has been defined in the CCPA.

“Data Protection Laws” means all laws, regulations, binding court orders, and binding regulatory decisions, relating to data protection and privacy of personal data, as amended, extended, re-enacted or replaced from time to time, in any jurisdiction as may be applicable to the Hosted Software, including the General Data Protection Regulation (EU) 2016/679, the UK Data Protection Act of 2018, California Consumer Privacy Act (“CCPA”) and other similar laws.

“Data Subject” means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Deidentified Data” means any Personal Data (including Customer Personal Data), which has been deidentified or aggregated such that the Data Subject to whom it relates cannot be identified, directly or indirectly, by Precisely or any other party reasonably likely to receive or access such Personal Data.

“DPA Term” with respect to this DPA once executed in accordance with Section 1, means the duration of the Processing under this DPA with respect to an Order beginning on the Commencement Date of such Order and continuing for the duration that Precisely is Processing Customer Personal Data in connection with the Order.

“Order” means a Precisely provided document pursuant to which Customer acquires a license to Hosted Software as evidenced by (a) a written agreement signed by Customer and Precisely (including a Product Schedule), (b) Customer’s acceptance of applicable online ordering terms, or (c) Precisely’s quotation that has been accepted by Customer’s issuance of a purchase order referencing the quotation by number.

“Personal Data Breach” means a validated breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed under this DPA.

“Sale” and its derivatives, means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Customer Personal Data to a third party for valuable consideration other than as for the purposes described in the Order (or as otherwise agreed in writing by the parties).

“SCCs” means

(a)  for transfers of Personal Data subject to the GDPR, Module 2 (Transfer Controller to Processor) of the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (as may be amended, updated or superseded from time to time, and available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en#d1e32-37-1) (“EU SCCs”); and

(b)  for transfers of Personal Data subject to UK Data Protection Act of 2018, the EU SCCs supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, the text of which is available at: https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf, as may be amended, updated or superseded from time to time (“UK SCCs”).

“Subprocessor” means any other Processors engaged by Precisely to Process Customer Personal Data.

“Transfer” means to disclose or otherwise make Customer Personal Data available to a third-party including by enabling remote access or by other means.

1.2  In the event of any conflict or ambiguity between the provisions of this DPA and any Order, the conflict or ambiguity shall be resolved in the following descending order of precedence: this DPA and the Orders (with the most recent taking precedence).

1.3  Terms that have been capitalized but not defined in this DPA shall have the same meaning as in the Order or the Data Protection Laws, as applicable. 

2.  ROLES AND RESPONSIBILITIES

2.1  Parties’ Roles. Customer, as Controller, appoints Precisely as a Data Processor to Process the Customer Personal Data on Customer’s behalf. This DPA does not apply where Precisely is the Controller.

2.2  Customer’s Instruction. Precisely shall Process Customer Personal Data for the purposes set forth in the Order and only in accordance with Customer’s lawful, documented instructions, unless Precisely is required to Process Customer Personal Data by the Applicable Laws to which Precisely is subject. In such case, Precisely will inform the Customer of these legal requirements, unless Applicable Laws prohibit such information. Customer agrees that this DPA and any Orders comprise Customer’s complete instructions to Precisely regarding the Processing. The Customer’s instructions may be specific or of a general nature as set out in this DPA or as otherwise notified in writing by the Customer to Precisely from time to time, including the costs (if any) associated with complying with such instructions. Precisely is not responsible for determining if Customer’s instructions are compliant with applicable law. However, Precisely may refrain from complying with the Customer’s instruction if it notifies the Customer that, in Precisely’s opinion, an instruction for the Processing of Customer Personal Data given by the Customer infringes Data Protection Laws. The purpose of this section is only to determine the scope and the purposes of Processing of Customer Personal Data by Precisely and nothing in this DPA will be deemed an obligation of Precisely to accept any instructions of the Customer other than to provide the Hosted Software as provided under the Order.

2.3  Customer Compliance. Customer shall, in its use of the Hosted Software, Process Customer Personal Data in accordance with the requirements of Data Protection Laws, including any applicable requirements to provide notice to Data Subjects of the use of Precisely as Processor. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the lawfulness of the means by which Customer acquired and Processes Customer Personal Data prior to disclosing, transferring or otherwise making available, any Customer Personal Data to Precisely. Customer shall ensure that its provision of Customer Personal Data to Precisely in connection with the Order is lawful under Data Protection Laws.

2.4  Sale of Personal Data. The parties acknowledge and agree that Customer does not Sell Customer Personal Data to Precisely in connection with the Order and that Precisely does not Sell Customer Personal Data to any third parties.

3.  DATA PROCESSING

3.1  Each Party shall comply with Data Protection Laws in connection with the performance of its obligations and the exercise of its rights under this DPA.

3.2  To the extent applicable, Precisely shall ensure that all personnel who have access to Customer Personal Data are subject to suitable confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

3.3  Taking into account industry standards, the costs of implementation, the nature and purposes of the Processing and any other relevant considerations relating to the Processing of Customer Personal Data on Precisely’s systems, Precisely shall implement and maintain technical and organizational measures designed to protect Customer Personal Data against a Personal Data Breach by putting in place the measures set out in Schedule 2. Customer hereby confirms that these technical and organizational measures are appropriate to protect Customer Personal Data to meet the requirements of this DPA. Precisely is permitted to implement alternative measures having equivalent effect. In doing so, the security level of the measures specified in Schedule 2 must not be degraded.

3.4  In the event that Precisely becomes aware of a Personal Data Breach affecting Customer Personal Data stored on Precisely’s systems or site, Precisely shall notify Customer without undue delay and undertake such remediation as reasonably necessary to rectify the adverse effects of the Personal Data Breach.

4.  SUBPROCESSING

Customer authorizes Precisely to appoint and use Subprocessors in accordance with this Section 4. Precisely may continue to use those Subprocessors already engaged by Precisely prior to the DPA Term, which are listed in the Precisely website (currently posted at https://www.precisely.com/sub-processors). Precisely shall give Customer notice of the appointment of any new Subprocessor by updating such list from time to time in order to give Customer an opportunity to object to such change, including reasonable details of the Processing to be undertaken by the Subprocessor. If, within five (5) Business Days of receipt of that notice, Customer notifies Precisely in writing of any objections (on reasonable grounds) to the proposed appointment: (a) Precisely shall use reasonable efforts to make available a commercially reasonable change in the provision of the Hosted Software which avoids the use of that proposed Subprocessor; and (b) where:  (i) such a change cannot be made within thirty (30) Business Days from Precisely’s receipt of Customer’s notice; (ii) no commercially reasonable change is available; and/or (iii) Customer declines to bear the cost of the proposed change, notwithstanding anything in the Order, either party may by written notice to the other party with immediate effect terminate the Order either in whole or to the extent that it relates to the Hosted Software which require the use of the proposed Subprocessor. 

With respect to each Subprocessor, Precisely shall: (a) before the Subprocessor first Processes Customer Personal Data (or, as soon as reasonably practicable), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Customer Personal Data required by this DPA; and (b) ensure that the arrangement between Precisely and the Subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this DPA. Precisely shall be liable for the acts and omissions of its Subprocessors to the same extent Precisely would be liable if performing the services of each Subprocessor directly under the terms of this DPA.

5.  TRANSFERS OF PERSONAL DATA AND THE SCCs

5.1  Customer authorizes Precisely to Transfer the Customer Personal Data across any national borders or permit remote access to Customer Personal Data from any employee, contingent worker, affiliate, Subprocessor or other third party outside of the country, and Customer hereby consents to the Transfer of Customer Personal Data, provided such Transfer complies with the provisions of this DPA and Data Protection Laws, including but not limited to the requirement to ensure an adequate level of data protection while transferring Customer Personal Data.

5.2  With regard to Transfers of Customer Personal Data originating from the EEA to countries outside the EEA (which are not subject to an adequacy decision under Data Protection Laws), Precisely will conduct the transfers of Customer Personal Data pursuant to the EU SCCs or another lawful transfer mechanism. With regard to Transfers of Customer Personal Data originating from the UK, Precisely will conduct the transfers of Customer Personal Data pursuant to the UK SCCs or another lawful transfer mechanism. Schedule 1 sets out the description of Customer Personal Data Processing and Schedule 2 sets out the Technical and Organizational Measures necessary to complete the SCCs.

5.3  For each applicable version of the SCCs between Precisely and Customer: (a) Customer and Precisely are deemed to have executed the SCCs as of the start of the DPA Term; and (b) Precisely is the “Data Importer” and Customer is the “Data Exporter” under the SCCs. Nothing in this DPA shall modify the terms and conditions of the SCCs. Therefore, in the case of any conflict between this DPA and the SCCs, the latter shall prevail.

5.4  In the event that EU or UK authorities or courts determine that the SCCs are no longer an appropriate basis for Transfers, Precisely and Customer shall promptly take steps reasonably necessary to demonstrate adequate protection for the Customer Personal Data, using another approved mechanism. Customer understands and agrees that Precisely may terminate the Transfers as needed to comply with Data Protection Laws.

5.5  Precisely shall, where legally permissible, advise Customer of any US-based governmental requests for access to Customer Personal Data (“US Data Requests”), and advise Customer of any EU-EEA based governmental requests for access to Customer Personal Data (“EU-EEA Data Requests”) or UK based governmental requests for access to Customer Personal Data (“UK Data Requests”) and work with Customer so that Customer may object to such US Data Requests, EU-EEA Data Requests, or UK Data Requests. For the avoidance of doubt, Customer understands that Precisely may not be legally allowed to notify the Customer of US Data Requests, EU-EEA Data Requests or UK Data Requests under certain circumstances.

6.  COOPERATION

6.1  With regard to Customer Personal Data as required under Data Protection Laws, Precisely shall provide reasonable assistance to Customer, at Customer’s sole cost and expense, as reasonably appropriate under the circumstances, to carry out/respond to: (i) data protection impact assessments and prior consultations with data protection authorities; (ii) Data Subject requests to exercise rights, including requests to access their Customer Personal Data, to the extent that Customer is unable to access the relevant Customer Personal Data through the Hosted Software; (iii) inquiries or complaints received from a Data Subject, regulator, or other third party; and (iv) making any filings, disclosures, or registrations required by data protection authorities in connection with the provision or receipt of the Hosted Software.

6.2  Precisely will promptly inform Customer of (i) any Data Subject requests to exercise rights or (ii) any communications received from a Data Subject, regulator, or other third party, that relate to Precisely’s provision of the Hosted Software to Customer. For the avoidance of doubt, Customer is responsible for responding to such requests or communications.

7.  DELETION/RETURN OF CUSTOMER PERSONAL DATA

To the extent applicable, upon the termination of the Order for any reason, or at any time upon Customer’s written request, Precisely shall, as soon as reasonably practicable, make the Customer Personal Data accessible for download or return to Customer and/or securely delete or destroy, in accordance with Data Protection Laws, all originals and copies of Customer Personal Data, except to the extent otherwise required by the Order, this DPA or any Data Protection Laws. Upon written request by Customer, Precisely shall promptly provide to Customer a written confirmation that all Customer Personal Data has been returned to Customer or securely destroyed in accordance with the Order and this DPA. Notwithstanding the foregoing, Precisely may retain Customer Personal Data in accordance with Precisely’s records management and digital archival back-up policies (“Records Management Policy”) provided such Customer Personal Data is destroyed in due course in accordance with the Records Management Policy and Data Protection Laws. Precisely reserves the right to charge Customer for any reasonable costs and expenses incurred by Precisely in destroying the Customer Personal Data pursuant to this section if the costs exceed a nominal amount.

8.  DEIDENTIFIED DATA

Precisely may freely use and disclose Deidentified Data for Precisely’s own business purposes without restriction.

9.  AUDITS

Precisely shall make available to Customer, on written request, such information as reasonably appropriate under the circumstances to demonstrate Precisely’s compliance with Sections 2 to 7 of this DPA. Precisely’s control environment is subject to routine third party inspections and attestations (e.g., AICPA SOC 2 or another generally accepted industry standard that is applicable to Precisely as a service provider) (together, “Controlled Reports”). Upon the Customer’s written request, Precisely will make available to Customer the Controlled Reports that directly relate to the Hosted Software, it being understood that the Controlled Reports are Precisely Confidential Information (level 1). To the extent that the scope of the Controlled Reports does not cover Hosted Software provided to Customer under the Order or does not provide the information reasonably requested by Customer, Customer shall have the opportunity to request such additional information in writing and Precisely shall have the opportunity to provide such additional information in writing or electronic format (level 2). To the extent that the information provided by Precisely on level 1 and level 2 does not reasonably satisfy Customer’s request, independent auditors mutually agreed between the parties may examine or audit the documentation and records regarding those Hosted Software, at the Customer’s expense, as they are deployed on the Customer’s premises (level 3). For the avoidance of doubt, this audit provision does not extend to Precisely’s site or operations that are separate from the Hosted Software. Any audits carried out under this provision must be conducted during regular business hours and upon at least forty-five (45) Business Days advance written notice. Unless otherwise requested due to important reasons (e.g. a binding order of a data protection authority; Personal Data Breach), in each twelve (12) month period, Customer shall be entitled to conduct one (1) such audit.

Any information of Precisely obtained or observed during such examination or audit shall be deemed Precisely’s Confidential Information. Customer shall reimburse Precisely for any time expended for any such on-site audit at Precisely’s then-current professional services rates, which shall be made available to Customer upon request. All reimbursement rates shall be reasonable, taking into account the resources expended by Precisely.

10.  CCPA AND SIMILAR DATA PROTECTION LAWS

If Precisely is processing Customer Personal Data within the scope of the CCPA or other similar Data Protection Laws implemented by a US state, Precisely makes the following additional commitments to Customer: Precisely will (i) process Customer Personal Data on behalf of Customer; (ii) not retain, use, or disclose that data for any purpose other than for the purposes set out in this DPA and as permitted under the CCPA, including under any “sale” exemption; and (iii) not sell any Customer Personal Data, including that which Precisely receives pursuant to this DPA or the Order. These CCPA terms do not limit or reduce any data protection commitments Precisely makes to Customer in this DPA, the Order, or other agreement between Precisely and Customer.

Schedule 1

Description of Personal Data Processing

Location(s) of the Processing: Worldwide

Data Controller(s)/Exporter(s) (as applicable):

Name: As set out in the Order for Customer.

Address: As set out in the Order for Customer.

Activities relevant to the data transferred under the DPA: the Data Exporter is exporting Personal Data to receive the Hosted Software described in the Order.

Role: Controller

Data Processor(s)/Importer(s) (as applicable):

Name: As set out in the Order for Precisely.

Address: As set out in the Order for Precisely.

Activities relevant to the data transferred under the DPA: Precisely is importing and Processing the Data Exporter’s Personal Data to provide the Hosted Software and Services described in the Order.

Role: Processor

Contact person’s name, position and contact details: Attn: Chief Privacy Officer, Precisely Global Privacy Office; email: privacy@precisely.com

Subject Matter and Duration of the Processing: The subject matter and duration of the Processing shall be according to the Order in connection with the Hosted Software and Services.

Purpose of the Processing / Processing Operations: The Customer Personal Data is Processed for the purpose of providing Hosted Software and Services including: (a) customer service activities, such as processing orders, providing technical support and improving offerings, (b) on-premises software or hosting software, (c) sales and marketing activities as permissible under mandatory applicable law, (d) consulting, professional, security, storage, and other services delivered to Customer, and (e) internal business processes and management, fraud detection and prevention, and compliance with governmental, legislative, and regulatory requirements.

Categories of Data Subjects (whose Personal Data is transferred): Customer Personal Data Processed may concern the following categories of data subjects: employees, contractors, suppliers, business partners, representatives and end users of the Customer, and other individuals whose personal data is processed by or on behalf of Customer or Customer’s customers and delivered as part of the Services and Hosted Software.

Categories/Types of Personal Data transferred: Customer Personal Data related directly or indirectly to the categories of data subjects listed above, including online and offline Customer Personal Data provided by or on behalf of the Customer or its users of the Services and Hosted Software.

Types of Special Category (“Sensitive”) Data transferred (if applicable): N/A

Applied restrictions or safeguards in respect of Sensitive Data (EU SCCs only): N/A

Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) (EU SCCs only): Continuous basis for the duration of the Order.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period (EU SCCs only): DPA Term, or as otherwise agreed in writing between the parties.

Specific Elections (EU SCCs only):

EU SCCs Elections: The parties agree to elect the following options within the EU SCCs:

  • For Clause 7 of the EU SCCs, the parties elect not to include the optional language.
  • For Clause 9(a) of the EU SCCs, the parties elect to include the language in Option 2 with 15 Business Days as the specified time period.
  • For Clause 11(a) of the EU SCCs, the parties elect to not include the optional language.

Competent Supervisory Authority: The parties agree that the supervisory authority of the Data Exporter will act as the competent supervisory authority.

Governing Law: For purposes of Clause 17 of the EU SCCs, the parties agree that the law of the country in which the Data Exporter is located will be the governing law.

Choice of Forum and Jurisdiction: For purposes of Clause 18 of the EU SCCs, the parties agree that the courts of the country in which the Data Exporter is established will resolve any dispute arising from the EU SCCs.

Schedule 2

Technical and Organizational Measures

Precisely maintains policies and standards for the protection of Customer Personal Data that originate from industry standard frameworks and establish uniform security and privacy standards for Precisely’s operations. Precisely’s Information Security Management System (ISMS) aligns and complies with ISO 27001 standards. Precisely reviews its systems regularly against ISO 27001, CIS, SOC 2 Controls, and NIST Frameworks, and any identified risks or gaps are addressed accordingly. Precisely implements administrative, technical, physical, and product safeguards that relate to the protection of such Customer Personal Data against accidental or unlawful destruction, loss, access to or alteration of Customer Personal Data in Precisely’s possession or control.

Precisely ensures that its subprocessors who have Customer Personal Data maintain data security programs which are at least as stringent as Precisely’s own programs with respect to the applicable service to which such subprocessor has been engaged, and in accordance with generally accepted industry standards and practices. Precisely maintains a risk management program focused on the identification, evaluation, and validation of a subprocessor’s security controls.

Categories / Practices

Administrative Safeguards

Background Checks

Precisely employees undergo background checks to the extent allowed by local law and sign a non-disclosure agreement before hire. All employees attest and reaffirm company handbook, data privacy, and security policies annually thereafter.

Security and Privacy Training

Upon hire and on an ongoing basis, all Precisely employees are required to undertake tested security and privacy training, which covers safe data handling and classification, data privacy law compliance, security best practices, and adherence to the principle of least privilege.

The company provides training on specific role-based aspects of security and privacy. Examples include the product development team undergoing privacy by design and secure software development training, the professional services team undertaking data privacy compliance, and ePHI specific training, in addition to training and testing all employees on phishing, vishing, and smishing vectors.

Incident Management

Precisely has implemented an Incident Response Plan which details the processes for detecting, reporting, identifying, analyzing, and responding to security incidents impacting Precisely infrastructure and data under its purview.

Data Breach Notification

In the event of a data breach, Precisely will follow its Incident Response Plan and fulfil its contractual obligations to notify partners and customers of incidents impacting the infrastructure and data related to the delivery of their services and products.

Third Party Risk Management

Precisely may use sub-processors to perform or deliver services. They are only allowed access to customer data where needed to provide the services and shall be bound by written agreements that require them to provide strict levels of data protection as required by Precisely and applicable regulations. These agreements are no less stringent than the data protection levels afforded by the customer’s agreement with Precisely. Initial and ongoing vendor assessments are conducted to ensure proper data security and privacy practices are in place throughout the vendor relationship. Changes to vendor services provided or changes to existing contracts require a security risk assessment to confirm that the changes do not present additional or undue risk.

Technical Safeguards

Data Encryption

All customer data held by Precisely is encrypted in transit and at rest.

Information Classification and Handling Policy

Precisely has implemented an Information Classification and Handling Policy which governs data labeling and retention. Where appropriate, platforms use built-in rules to govern retention and employees follow operational guidelines for the secure removal of data at termination of services. Precisely follows NIST guidelines for the irrevocable logical and physical deletion of data.

Backup and Recovery

Precisely performs regular, secure backup and recovery testing of data and supporting systems. Backup intervals are dependent on the type of data and underlying repositories. Intervals range from minutes to daily. Wherever possible, resilient and redundant systems, services, and stack components are used for automated failover capability.

Vulnerability Remediation

Precisely has a Vulnerability Remediation policy to identify and remediate vulnerabilities according to the risk they present. Precisely utilizes numerous coordinated management frameworks to monitor code, services, and systems and ensure vulnerabilities are assessed and remediated.

Intrusion and Malware Protection

Precisely has in place multilayered network and endpoint solutions to protect company assets which are centrally monitored and alerted upon.

Data Protection

Precisely implements multiple data security controls including DLP (Data Loss Prevention), data profiling, and data governance technologies to ensure data is secure throughout its lifecycle.

Logging & Monitoring

Precisely has a process in place to log, monitor, and respond to events and anomalies in its systems and solutions. Precisely has deployed centralized non-repudiable logging and monitoring solutions to identify and investigate possible security events and track anomalous behavior. Dedicated and centralized SIEM (Security Info & Event Management) platforms allow for Precisely and its partners to proactively identify events and respond to incidents.

Identity & Access Control

Access to personal data is restricted based on least privilege through login credentials and timed access controls to those employees who require it to perform their job functions. In addition, Precisely utilizes access controls such as Multi-Factor Authentication, Single Sign-On, MAM, strong password controls, and restricted access to administrative accounts. Precisely’s solutions offer role-based access controls that allow customers to create least-privilege roles that only grant the minimum rights needed to perform specific functions.

Security Operations Center

Precisely maintains 24x7x365 monitoring operations with oversight of its entire infrastructure. Along with its partners, the company maintains a proactive threat hunting and rapid reaction posture to security incidents.

Physical Safeguards

Workplace Security

Precisely maintains strict facility access controls by the use of electronic access controls and alarm systems to limit ingress to authorized individuals only. Visitor registration and escort policies and surveillance systems ensure all access is monitored. In addition, Precisely offices have fire suppression and fire detection systems or devices as well as clearly defined emergency exits and evacuation routes. Workplace health and safety measures are kept up to date with local laws and regulations as well as industry best practice.

Data Center Security

All data centers where data is processed and stored are in the geographic regions tailored to the regulatory requirements of customers. The Tier 1 facilities and service providers hold SOC 2, HIPAA, PCI DSS, and ISO 27001 amongst other certifications.

Product Security

Secure Design Principles

Precisely products and services are designed with security in mind. Precisely utilizes a Secure Software Development Lifecycle based on the OWASP methodologies where applicable. The company incorporates automated and manual scanning of code and artifacts to detect and remediate defects and vulnerabilities. Precisely DevOps systems and processes support the core pillars of information security: Confidentiality, Integrity and Availability.