Save 75% on Vendor Payment Costs – Join our webinar and get 1 month free trial!

Tax1099

Effective Date: SEP 2023

THIS DATA PROCESSING ADDENDUM (this “ADDENDUM” or this “DPA”) IS MADE BY AND BETWEEN Zenwork Intermediate Inc. (“Zenwork”); and [NAME OF CUSTOMER] (“Customer”) (each a "Party" and together the "Parties").

BACKGROUND.

(A) The Parties have entered into the SAAS Terms & Conditions (including any amendments thereto, collectively, the “Agreement”).

(B) For the purposes of this Addendum, Zenwork is a processor in relation to certain data processing carried out on behalf of Customer in relation to the services provided by Zenwork to Customer (“Services”).

(C) The purpose of this Addendum is to set out the data protection terms that will apply to any such Services to ensure that the data protection rights and freedoms of individuals remain protected in accordance with applicable privacy law.

IT IS AGREED that this Addendum is hereby attached to and made a part of the Agreement and that all references to the Agreement shall include this Addendum. It is further agreed as follows:

1. Definitions.

When used in this Addendum, the following terms have the following meaning. Any capitalized terms not defined in this Addendum shall have the meaning given in the Agreement.

“Data Security Measures” means, as further detailed in Attachment B , administrative, technical and physical safeguards and other security measures that are designed to (i) ensure the security and confidentiality of Personal Data (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data (iii) protect against any actual or suspected unauthorized Processing, loss, use, disclosure or acquisition of or access to any Customer Data.

“Authorized Persons” means, with respect to each Party, any person authorized by that Party and otherwise permitted by the terms of this Addendum to process Data (including such Party's staff, agents and subcontractors).

“controller” , “processor”, “data subject”, “personal data”, “processing” (and “process”) and “special categories of data” shall have the meanings given in Data Protection Laws, including any equivalent definitions under laws applicable outside of the European Union, as described on Attachment A attached hereto and incorporated herein.

“Customer Data” means the “Personal Data” (as defined in by the applicable Data Protection Law) belonging to either a Customer or Customer’s consumer that is uploaded in the Zenwork Service portal/API for availing Service.

“Data Protection Laws” shall mean: (i) EU General Data Protection Regulation 2016/679 (“GDPR”), the Swiss Federal Data Protection Act of 19 June 1992 (“FADP”), the UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018 (together with the UK GDPR, “UK Data Protection Laws”), as well as any related or similar applicable privacy laws of any member state of the European Union or the European Economic Area (collectively, and as any of the same may be amended or replaced from time to time, the “European Data Protection Laws”) (ii) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in electronic communications sector (as amended or replaced from time to time) and applicable laws implementing that directive in European Union Member States; (iii) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), and the Virginia Consumer Data Protection Act (“VCDPA”) (together, the “US Data Protection Laws”); and (iv) any other data protection legislation or law that applies to the Parties from time to time.

“EEA” shall mean the European Economic Area.

“Standard Contractual Clauses” or “SCCs”

means: (i) where the GDPR applies, the clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

(ii) where the UK GDPR applies, the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for international data transfers, approved by Parliament and effective as of March 21, 2022, available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK IDTA”)

(iii) where the Swiss DPA applies, the EU SCCs subject to the modifications required by the Swiss Federal Data Protection and Information Commissioner in its guidance issued on August 27, 2021, available at: https://www.edoeb.admin.ch/edoeb/en/home/datenschutz/arbeit_wirtschaft/datenuebermittlung_ausland (in each case, as updated, amended or superseded from time to time).

2. Scope and Rules

This DPA applies when Customer Data is processed by Zenwork. In this context, Zenwork will act as processor to Customer, and Customer can act either as controller or processor of Customer Data.

3.1 Compliance with Applicable Law

Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA.

3.2 Authority to process Customer Data

Each Party acknowledges and agrees that Customer has the sole and exclusive authority to determine the purposes for and means of Processing Customer Data under this Agreement, and that Zenwork is acting solely as a Service Provider with respect to this Customer Data. Zenwork has implemented and will maintain the technical and organizational measures as described in the Data Security Measures. Detailed controls can be reviewed in the current Zenwork SOC 2 Type 2 Audit report or ISO- Statement of Applicability.

3.3 Disclosure of and Access to Personal Data; No Sales of Customer Data

Zenwork will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Zenwork a demand for Customer Data, Zenwork will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Zenwork may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then Zenwork will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Zenwork is legally prohibited from doing so. Zenwork restricts its personnel from processing Customer Data without authorization by Zenwork as described in the Data Security Measures. Zenwork imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

3.4   Information Security and Incident Response

3.4.1   Zenwork will implement and maintain a comprehensive written information security program that complies with applicable law, including the Data Security Measures, to protect Customer Data Processed under this Agreement from loss; theft; misuse; unauthorized access, disclosure, or acquisition; destruction or other compromise.

3.4.2   Zenwork will (a) notify Customer of a security incident involving the loss of or unauthorized access to Customer Data (“Security Incident”) without undue delay after becoming aware of the Security Incident, and (b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.

3.4.3   Zenwork’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Zenwork of any fault or liability of Zenwork with respect to the Security Incident.

3.5 Zenwork Audits and Penetration Testing .

3.5.3   Zenwork Audits. Zenwork uses external auditors to verify the adequacy of its security measures. Since our applications and Customer Data is hosted on AWS infrastructure, we review independent audit reports of AWS at least annually and include all AWS security controls relevant to Zenwork in our SOC audit reports for informational purposes. Zenwork SOC Audits and web application penetration tests are performed at least annually by a group of independent and qualified professionals.

3.5.4   Audit Reports. In addition to the information contained in this DPA, upon Customer’s written request, Zenwork will make available the following documents and information: (i) SOC 1 Type 2 Report (ii) SOC 2 Type 2 Report (iii) Third Party penetration testing report (iv) ISO 27001/ 27701 Certificates.

4.1   Data Subject Request:

To the extent required under the applicable Data Protection Law, Zenwork shall notify Customer or redirect data subject to Customer to exercise their rights, if Zenwork receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Taking into account the nature of the Processing, Zenwork shall reasonably assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject request under applicable Data Protection Laws, rules, regulations, and orders of governmental authorities having jurisdiction. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Zenwork shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Zenwork is required under all applicable Data Protection Laws, rules, regulations, and orders of governmental authorities having jurisdiction. To the extent legally permitted, Customer shall be responsible for any costs arising from Zenwork’s provision of any such assistance described in Section 4.1. For the avoidance of doubt, Zenwork shall not be required to delete any of the Personal Data to comply with Data Subject’s request directed by Customer if it is necessary to maintain such information in accordance with applicable Data Protection Laws, in which case Zenwork shall promptly inform Customer of the exceptions relied upon under the applicable Data Protection Laws and Zenwork shall not use the Personal Data retained for any other purpose than provided for by that exception.

4.   Privacy Impact Assessment and Prior Consultation.

Taking into account the nature of the processing and the information available to Zenwork, Zenwork will assist Customer (to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Zenwork) in complying with Customer’s obligations in respect of data protection impact assessments related to Customer’s use of the Services and prior consultation, by providing the information Zenwork makes available under this Section.

5.1   Appointment of Subprocessors.

Customer acknowledges and agrees that (a) Zenwork’s Affiliates may be retained as Subprocessors; and (b) Zenwork may engage third-party Subprocessors in connection with the provision of the Services, subject to Zenwork or a Zenwork Affiliate entering into a written agreement with each Subprocessor containing data protection obligations.

5.2   List of Current Subprocessors and Notification of New Subprocessors.

Zenwork shall make available current list of sub processors to Customer at request. Zenwork shall provide a mechanism to subscribe to notifications of new Subprocessors for each applicable Service, to which Customer may subscribe. Zenwork shall provide a notification to such subscribers of a new Subprocessor within 14 days before authorizing any new Subprocessor to Process Customer Data in connection with the provision of the Services.

5.3   Objection Right for New Subprocessors

To the extent Customer reasonably believes the new Subprocessor’s Processing of Customer Data may violate Data Protection Laws or weaken the security of the Customer Data, Customer may object to Zenwork’s use of a new Subprocessor by notifying Zenwork promptly in writing within ten (10) business days after receipt of Zenwork’s notice in accordance with the mechanism set out in Section 5.2 above. In the event Customer objects to a new Subprocessor, Zenwork will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer. Any such written objection shall include Customer’s specific reasons for its objection and proposed options to mitigate alleged risk, if any. In the absence of timely and valid objection by Customer within ten (10) business days, Customer shall be deemed to have accepted such new Subprocessor and such Subprocessors may be commissioned to process Customer Data. If Zenwork is unable to make available such change within a reasonable period of time Customer may terminate the applicable quote with respect only to those Services which cannot be provided by Zenwork without the use of the objected-to new Subprocessor by providing written notice to Zenwork.If Zenwork is unable to make available such change within a reasonable period of time Customer may terminate the applicable quote with respect only to those Services which cannot be provided by Zenwork without the use of the objected-to new Subprocessor by providing written notice to Zenwork.

5.4   Liability

Zenwork shall be liable for the acts and omissions of its Subprocessors to the same extent Zenwork would be liable if performing the services of each Subprocessor directly under the terms of this DPA, except as otherwise set forth herein or in the Agreement or applicable Ordering Documents.

Zenwork may be required to store Personal Data as required to satisfy any legal, regulatory, tax, accounting or reporting requirements, Zenwork’s Data Retention Policy found in Zenwork’s privacy policy outlines the specific data retention for each product, in which case Zenwork: (i) will continue to ensure the privacy, security and confidentiality of the Personal Data; (ii) will not Process the Personal Data further except to maintain it for the applicable time period and ; (iii) will continue to comply with its obligations under this Agreement.

Upon Customer’s written request, Zenwork (i) will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, and (ii) complete a written information security questionnaire provided by Customer or a third party on Customer’s behalf regarding Zenwork’s business practices and information technology environment in relation to all Personal Data being handled and/or services being provided by Zenwork to Customer pursuant to the Agreement. Zenwork will fully cooperate with such inquiries, including such follow-up questions as Customer may have in relation to Zenwork’s responses. Customer shall treat the information provided by Zenwork in the security questionnaire as Zenwork’s Confidential Information.

Any claims against Zenwork shall only be brought by the Customer entity that is a party to the Terms. In no event shall this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority.

Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Zenwork, whether in contract or tort under any other theory of liability, is subject to the ‘Limitation of Liability’ section (or functional equivalent) of the SAAS Terms, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the SAAS Terms and all DPAs together. For the avoidance of doubt, Zenwork’s and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the MSA and all DPAs shall apply in the aggregate for all claims under both the MSA and all DPAs, including by Zenwork and all Authorized Affiliates, and shall not be understood to apply individually and severally to Customer and/or any Authorized Affiliate that is a contractual party to any such DPA.

Where the provision of the Services involves the transfer of Personal Data that (1) is subject to European Data Protection and (2) where such Personal Data is transferred either directly or via onward transfer to countries that do not ensure an adequate level of protection within the meaning of such Data Protection Laws, the Parties agree to comply with Section 10 of this DPA and the terms of the EU Standard Contractual Clauses without modification (other than as agreed under this Section 10).

Where a transfer of Personal Data is subject to the GDPR and the FADP, the following additional provisions to the EU SCCs shall also apply in order for the EU SCCs to be suitable for ensuring an adequate level of protection for such transfer in accordance with Article 6 paragraph 2 letter a FADP:

(a) “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.

(b) “Revised FADP” means the revised version of the FADP of 25 September 2020, which is scheduled to come into force on 1 January 2023.

(c) The term “EU Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility for suing their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.

(d) The EU SCCs also protect the data of legal entities until the entry into force of the Revised FADP.

(e) The FDPIC shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FADP.

11.1 United Kingdom.

Where a transfer of Personal Data is subject to UK Data Protection Laws, the Parties shall rely on the EU Standard Contractual Clauses as amended by the UK Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018.

11.2 Incorporation of SCCs.

The Standard Contractual Clauses shall be incorporated into this Agreement by reference and be considered duly executed between the Parties upon entering into force of this Agreement, and the parties agree to observe the terms of the Standard Contractual Clauses without modification. The information required to complete the Standard Contractual Clauses is recorded in Attachment A (“Data Processing Description”) which shall be incorporated into the Standard Contractual Clauses as Annex I.B to such Standard Contractual Clauses, and Zenwork agrees to comply with

Attachment B (“TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA”) of this Agreement, which shall be incorporated into the Standard Contractual Clauses as Annex II.

11.3 Changes to transfer mechanisms.

If, at any time:

(a) the laws or regulatory procedures of any jurisdiction require any further steps to be taken in order to permit the transfer of Personal Data as envisaged under this Addendum (including, without limitation, executing or re-executing the EU Standard Contractual Clauses as separate document setting out the proposed transfers of Personal Data, and entering into additional cross-border transfer clauses); and/or

(b) the transfer mechanisms in this Section 11.3 are (i) amended, replaced or repealed under Data Protection Laws, (ii) declared invalid by a court of competence, or (iii) otherwise terminated, annulled, replaced or repealed under Data Protection Laws, then the Parties shall work together to take all steps reasonably required and negotiate in good faith any other solution to enable a transfer in compliance with Data Protection Laws.

12.US Data Protection Law Requirements

(a) Zenwork will act as a data “Processor” (under the VCDPA, the CPA, the UCPA, and the CTDPA) and/or “Service Provider” (under the CCPA) with respect to any Personal Data provided to Zenwork or made accessible by Customer under the Agreement. Customer will act as a “Controller” (under the VCDPA, the CPA, the UCPA, and the CTDPA) and a “Business” (under the CCPA).

(b) Zenwork shall:

(1) not “sell” or “share” Personal Data or use Personal Data for the purposes of “targeted advertising,” as those terms are defined in the US Data Protection Laws.

(2) promptly notify Customer, and in no event later than five (5) business days, if Zenwork determines that it can no longer meet its obligations under the US Data Protection Laws.

(3) not combine the Personal Data received from Customer with Personal Data that Zenwork receives from, or on behalf of, another person or company, except as permitted under the NA Data Protection Laws.Personal Data that Customer discloses to Zenwork is provided to Zenwork for a Business Purpose, as that term is defined in the US Data Protection Laws, and nothing about the Agreement or the Services involves a “selling” or a “sale” of Personal Data under the US Data Protection Laws.

Attachment A

Data Processing Description

List of the Parties (applicable to the extent the EU SCCs apply)

Data exporter: Customer . Data importer: Zenwork. The activities relevant to the transfer include the provision of the Services by Zenwork to Customer under the Agreement

Contact person’s name, position and contact details for data exporter (Customer):

Contact person’s name, position and contact details for data importer (Zenwork): Jeff Cronin, CSO, DPO, [email protected]

Data Subjects Jeff Cronin, CSO, DPO, [email protected]

The Personal Data to be processed concern the following categories of data subjects: Individuals and Entity data:

Categories/Types of Personal Data

The Personal Data to be processed concern the following categories of data Identity data, contact data, financial data, transaction data, technical data, profile data, usage data, marketing and communications data-Please refer Zenwork’s Privacy Policy for detailed description of personal data that may be processed:

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. identity data, contact data, financial data, transaction data, technical data, profile data and usage data

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Continuous basis- On need basis. Example- during tax filing season

Nature and purpose of Processing

Zenwork will process Personal Data for the purposes of providing the Services in accordance with the Agreement. Personal Data will be subject to the following basic processing activities (please specify):

•Receiving data, including collection, accessing, retrieval, recording, and data entry

•Holding data, including storage, organization and structuring

•Protecting data, including restricting, encrypting, and security testing

•Sharing data, including disclosure, dissemination, allowing access or otherwise making available

•Returning data to the data exporter or data subject

•Erasing data, including destruction and deletion

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

In accordance with Zenwork’s privacy policy

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter of the processing of the Personal Data is set out in the Agreement. Nature and duration of the Processing is set out above.

Attachment B

Technical and Organizational Measures To Ensure The Security Of The Data

1. Independent Certifications/SOC Audit

Any claims against Zenwork shall only be brought by the Customer entity that is a party to the Terms. In no event shall this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority.

2. Risk Management

Zenwork has placed into operation a risk management process to set objectives and that the chosen objectives support and align with the organization's mission and are consistent with its risk framework. A risk assessment is performed annually or whenever there are changes in security posture by a third-party vendor

Any claims against Zenwork shall only be brought by the Customer entity that is a party to the Terms. In no event shall this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority.

3. Security Policies

3.1   Policies, including those related to data privacy, security and acceptable use, are assessed and approved by Zenwork’s senior management.

3.2   Policies are documented and published among all relevant personnel. Employees and contracted third parties are required to comply with Zenwork policies relevant to their scope of work.

3.3   New employees receive training on information security, compliance, data protection, anti corruption and anti-bribery.

3.4   Employees receive regular training updates, which cover Zenwork Information Security policies and expectations.

3.5   Where required, policies are supported by associated procedures, standards, and guidelines.

3.6   Information Security policies are updated, as needed, to reflect changes to business objectives or risk.

3.7   Senior management performs an annual review of all Information Security policies.

3.8   Information Security policies are stored, maintained, updated, and published in a centralized, online location.

3.9   Zenwork Information Security Management System contains appropriate sections including: password requirements, Internet usage, computer security, confidentiality, customer data protection, and Customer data protection.

4.1 The Chief Executive Officer, the Senior Management Team and all employees are committed to establishing and operating an effective Information Security Management System in accordance with its strategic business objectives. Zenwork is committed to the Information Security Management System, and ensures that IT policies are communicated, understood, implemented and maintained at all levels of the organization and regularly reviewed for continual suitability.

4.2 Confidentiality and nondisclosure agreements are required when sharing sensitive, proprietary personal, or otherwise confidential information between Zenwork and any third-party.

4.3 A formal process is in place to manage third parties with access to organizational data, information systems, or data centers. All such third parties commit contractually to maintaining confidentiality of all confidential information.

5.1 The Chief Executive Officer, the Senior Management Team and all employees are committed to establishing and operating an effective Information Security Management System in accordance with its strategic business objectives. Zenwork is committed to the Information Security Management System, and ensures that IT policies are communicated, understood, implemented and maintained at all levels of the organization and regularly reviewed for continual suitability.

5.2 Zenwork maintains an information assets classification policy and classifies such assets in terms of its value, legal requirements, sensitivity, and criticality to the organization.

5.3 Account sharing is prohibited unless approved by management.

5.4 Media Handling Policy is implemented for procedures relating to disposal of information assets / equipment.

6.1  Security roles and responsibilities for employees are defined and documented.

6.2  Zenwork performs background screening of new hires including job history, references, and criminal checks (subject to local laws).

6.3  Zenwork requires all new employees to sign employment agreements, which include comprehensive non-disclosure and confidentiality commitments.

6.4  Zenwork maintains an information security awareness and training program that includes new hire training.

6.5  Information Security awareness is enhanced through regular communications using company-wide emails, as necessary.

6.6  Access for all new employees is configured with minimum default access to company resources/applications required by an employee to perform the job duty. Only the IT team/CEO has access to change user profiles or give higher access.

7.1  Cloud Infrastructure is used for hosting Zenwork software applications. Our Cloud Service Provider provides SOC compliant data center services. Cloud Service Provider SOC reports cover controls objectives related to Security, Availability and Confidentiality . The types of controls that are necessary to meet the applicable trust services criteria, either alone or in combination with controls at Zenwork include:

7.1.1  The system is protected against unauthorized access (both physical and logical).

7.1.2  The system is available for operation and use and in the capacities as committed or agreed.

7.1.3  Policies and procedures exist related to security and availability and are implemented and followed.

8.1  The operation of systems and applications that support the Service is subject to documented operating procedures.

8.2  All systems are configured with appropriate antivirus protection

8.3  Organizational charts are in place to communicate key areas of authority, responsibility, and appropriate lines of reporting to personnel. These charts are communicated to employees and are updated as needed.

8.4  Zenwork has implemented a well-defined Change management process to ensure that all changes to the information processing facilities, including equipment, supporting facilities and utilities, networks, application software, systems software and security devices are managed and controlled.

8.5  When an incident is detected or reported, a defined incident response process is initiated by authorized personnel. Corrective actions are implemented in accordance with defined policies and procedures.

9.1  Zenwork maintains “ “Access Control Policy” that outlines requirements for the use of user IDs and passwords for logical access controls.

9.2  The organization publishes and maintains a password management standard. In general, users are asked to follow the strong password policies.

9.3  IT system access is reviewed on a monthly basis.

9.4  Access is granted on a least privileged basis as default and any additional access needs to be approved.

9.5  Zenwork has established hardening standards production infrastructure that include requirements for implementation of security groups, access control, configuration settings, and standardized policies.

9.6  Zenwork does not allow customers or external users to access its internal systems.

9.7  Cloud infrastructures are configured to use the Cloud Service Provider’s AWS's identity and access management system (IAM). Relevant groups have been added in IAM.

9.8  Direct access to cloud infrastructure is possible only through encrypted SSH access by the IT team.

9.9  For Cloud Infrastructure access, Multi Factor Authentication is enabled .

9.10  External users can only access the system remotely through secure sockets layer (SSL), or other encrypted communication system.

9.11  Upon notice of termination, all user access is removed. All critical system access is removed immediately upon notification

10.1  All changes are recorded, approved, implemented, tested and versioned before moving to production environment.

10.2  Cloud Service Provider tools are used to prevent Denial of Service (DOS) Attacks

10.3  VPC has been setup and all production servers can be accessed only by approved staff via Zero Trust Network Architecture.

10.4 Access to production instances is only through Zero Trust Network Architecture. No direct access permitted.

10.5  Only the production group has access to production resources.

10.6  There is a formal release process for releasing builds. The testing team does the complete testing of the release. On receipt of sign off mail from the testing team the release is deployed on production servers.

10.7  Separate environments are used for development, testing, and production. Developers do not have the ability to make changes to software in testing or production.

Zenwork maintains an incident response plan. The plan addresses specific incident response procedures, data backup procedures, roles and responsibilities, customer communication, contact strategies, and legal information flow

12. Business Continuity Management

Zenwork has a documented Business Continuity Plan and Disaster Recovery guideline to be used in the event of any necessary systems infrastructure recovery. These are tested at least annually