Data Processing Addendum

Cato Digital DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) supplements the Cato Digital Customer Agreement, as updated from time to time between Customer and Cato Digital, or other agreement between Customer and Cato Digital governing Customer’s use of the Services (the “Agreement”). Unless otherwise defined herein, terms used but not defined within this Addendum are defined in the Cato Digital Contract Definitions.

Cato Services do not currently support Data Processing which falls under regulatory controls, including GDPR, CCPA, HIPAA, or others

This DPA is an agreement between you and the entity you represent (“Customer”, “you” or “your”) and Cato Digital, Inc. and the Cato Digital Contracting Party or Cato Digital Contracting Parties (as applicable) under the Agreement (together “Cato Digital”, or “our”).

• Data Processing.
  • Scope and Roles. This DPA applies when Customer Data is processed by Cato Digital. In this context, Cato Digital will act as processor to Customer, who can act either as controller or processor of Customer Data.
  • Customer Controls. Customer can use the Service Controls to assist it with its obligations under Applicable Data Protection Law, including its obligations to respond to requests from data subjects. Taking into account the nature of the processing, Customer agrees that it is unlikely that Cato Digital would become aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated. Nonetheless, if Cato Digital becomes aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated, it will inform Customer without undue delay. Cato Digital will cooperate with Customer to erase or rectify inaccurate or outdated Customer Data transferred under the Standard Contractual Clauses by providing the Service Controls that Customer can use to erase or rectify Customer Data.
  • Details of Data Processing.
    • Subject matter. The subject matter of the data processing under this DPA is Customer Data.
    • Duration. As between Cato Digital and Customer, the duration of the data processing under this DPA is determined by Customer.
    • Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by Customer from time to time.
    • Nature of the processing. Compute, storage and such other Services as described in the Documentation and initiated by Customer from time to time.
    • Type of Customer Data. Customer Data uploaded to the Services under Customer’s Cato Digital accounts.
    • Categories of data subjects. The data subjects could include Customer’s customers, employees, suppliers and End Users.
  • Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including any Applicable Data Protection Law.
• Customer Instructions. The parties agree that this DPA and the Agreement (including Customer providing instructions via configuration tools such as the Cato Digital management console and APIs made available by Cato Digital for the Services) constitute Customer’s documented instructions regarding Cato Digital’s processing of Customer Data (“Documented Instructions”). Cato Digital will process Customer Data only in accordance with Documented Instructions (which if Customer is acting as a processor, could be based on the instructions of its controllers). Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Cato Digital and Customer, including agreement on any additional fees payable by Customer to Cato Digital for carrying out such instructions. Customer is entitled to terminate this DPA and the Agreement if Cato Digital declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA. Taking into account the nature of the processing, Customer agrees that it is unlikely Cato Digital can form an opinion on whether Documented Instructions infringe Applicable Data Protection Law. If Cato Digital forms such an opinion, it will immediately inform Customer, in which case, Customer is entitled to withdraw or modify its Documented Instructions.
• Confidentiality of Customer Data. Cato Digital will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Cato Digital a demand for Customer Data, Cato Digital will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Cato Digital may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then Cato Digital will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Cato Digital is legally prohibited from doing so.
• Confidentiality Obligations of Cato Digital Personnel. Cato Digital restricts its personnel from processing Customer Data without authorization by Cato Digital as described in the Security Standards. Cato Digital imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
• Security of Data Processing.
  • Cato Digital has implemented and will maintain the technical and organizational measures for the Cato Digital Network. In particular, Cato Digital has implemented and will maintain the following technical and organizational measures: (a) security of the Cato Digital Network as set out in Section 1.1 of the Security Standards; (b) physical security of the facilities as set out in Section 1.2 of the Security Standards; (c) measures to control access rights for authorized personnel to the Cato Digital Network as set out in Section 1.3 of the Security Standards; and (d) processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by Cato Digital as described in Section 2 of the Security Standards.
  • Customer can elect to implement technical and organizational measures to protect Customer Data. Such technical and organizational measures include the following which can be obtained by Customer from Cato Digital as described in the Documentation, or directly from a third-party supplier: (a) pseudonymization and encryption to ensure an appropriate level of security; (b) measures to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services that are operated by Customer; measures to allow Customer to backup and archive appropriately in order to restore availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and (c) processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by Customer.
• Sub-processing.
  • Authorized Sub-processors. Customer provides general authorization to Cato Digital’s use of sub-processors to provide processing activities on Customer Data on behalf of Customer (“Sub-processors”) in accordance with this Section. The Cato Digital website (currently posted at CatoDigital.cato.digital/compliance/sub-processors/) lists Sub-processors that are currently engaged by Cato Digital. At least 30 days before Cato Digital engages a Sub-processor, Cato Digital will update the applicable website and provide Customer with a mechanism to obtain notice of that update. To object to a Sub-processor, Customer can: (i) terminate the Agreement pursuant to its terms; (ii) cease using the Service for which Cato Digital has engaged the Sub-processor; or (iii) move the relevant Customer Data to another Region where Cato Digital has not engaged the Sub-processor.
  • Sub-processor Obligations. Where Cato Digital authorizes a Sub-processor as described in Section 7.1 (Authorized Sub-processors): Cato Digital will restrict the Sub-processor’s access to Customer Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and Cato Digital will prohibit the Sub-processor from accessing Customer Data for any other purpose;
    • Cato Digital will enter into a written agreement with the Sub-processor and, to the extent that the Sub-processor performs the same data processing services provided by Cato Digital underthis DPA, Cato Digital will impose on the Sub-processor the same contractual obligations that Cato Digital has under this DPA; and
    • Cato Digital will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Cato Digital to breach any of Cato Digital’s obligations under this DPA.
• Cato Digital Assistance with Data Subject Requests. Taking into account the nature of the processing, the Service Controls are the technical and organizational measures by which Cato Digital will assist Customer in fulfilling Customer’s obligations to respond to data subjects’ requests under Applicable Data Protection Law. If a data subject makes a request to Cato Digital, Cato Digital will promptly forward such request to Customer once Cato Digital has identified that the request is from a data subject for whom Customer is responsible. Customer authorizes on its behalf, and on behalf of its controllers when Customer is acting as a processor, Cato Digital to respond to any data subject who makes a request to Cato Digital, to confirm that Cato Digital has forwarded the request to Customer. The parties agree that Customer’s use of the Service Controls and Cato Digital forwarding data subjects’ requests to Customer in accordance with this Section,represent the scope and extent of Customer’s required assistance.
• Optional Security Features. Cato Digital makes available many Service Controls that Customer can elect to use. Customer is responsible for (a) implementing the measures described in Section 5.2, as appropriate, (b) properly configuring the Services, (c) using the Service Controls to allow Customer to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident (for example backups and routine archiving of Customer Data), and (d) taking such steps as Customer considers adequate to maintain appropriate security, protection, and deletion of Customer Data, which includes use of encryption technology to protect CustomerData from unauthorized access and measures to control access rights to Customer Data.
• Security Incident Notification.
  • Security Incident. Cato Digital will (a) notify Customer of a Security Incident without undue delay after becoming aware of the Security Incident, and (b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.
  • Cato Digital Assistance. To enable Customer to notify a Security Incident to supervisory authorities or data subjects (as applicable), Cato Digital will cooperate with and assist Customer by including in the notification under Section 9.1(a) such information about the Security Incident as Cato Digital is able to disclose to Customer, taking into account the nature of the processing, the information available to Cato Digital, and any restrictions on disclosing the information, such as confidentiality. Taking into account the nature of the processing, Customer agrees that it is best able to determine the likely consequences of a Security Incident.
  • Unsuccessful Security Incidents. Customer agrees that: (i) an unsuccessful Security Incident will not be subject to this Section 9. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of Cato Digital’s equipment or facilities storing Customer Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and (ii) Cato Digital’s obligation to report or respond to a Security Incident under this Section 9 is not and will not be construed as an acknowledgement by Cato Digital of any fault or liability of Cato Digital with respect to the Security Incident.
  • Communication. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means Cato Digital selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on the Cato Digital management console and secure transmission at all times.
• Cato Digital Certifications and Audits.
  • Audit Reports. At Customer’s written request, and provided that the parties have an applicable NDA in place, Cato Digital will provide Customer with a copy of the Report so that Customer can reasonably verify Cato Digital’s compliance with its obligations under thisDPA.
  • Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the processing and the information available to Cato Digital, Cato Digital will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation, by providing the information Cato Digital makes available under this Section 10.
  • Customer Audits. If customer chooses to conduct any audit, including any inspection, it has the right to request or mandate on its own behalf, and on behalf of its controllers when Customer is acting as a processor, under Applicable Data Protection Law or the Standard Contractual Clauses, it may instruct Cato Digital as described in this section for those reports. If Cato Digital declines to follow any instruction requested by Customer regarding audits, including inspections, Customer is entitled to terminate the Agreement in accordance with its terms.
• Requests for Customer Data.
  • If Cato Digital receives a valid and binding order (“Request”) from any governmental body (“Requesting Party”) for disclosure of Customer Data, Cato Digital will use every reasonable effort to redirect the Requesting Party to request Customer Data directly from Customer.
  • If compelled to disclose Customer Data to a Requesting Party, Cato Digital will: (a) promptly notify Customer of the Request to allow Customer to seek a protective order or other appropriate remedy, if Cato Digital is legally permitted to do so. If Cato Digital is prohibited from notifying Customer about the Request, Cato Digital will use all reasonable and lawful efforts to obtain a waiver of prohibition, to allow Cato Digital to communicate as much information to Customer as soon as possible; and (b) challenge any overbroad or inappropriate Request (including where such Request conflicts with the law of the European Union or applicable Member State law).
  • If, after exhausting the steps described in this section, Cato Digital remains compelled to disclose Customer Data to a Requesting Party, Cato Digital will disclose only the minimum amount of Customer Data necessary to satisfy the Request.
• Warranty. Cato Digital agrees and warrants that it has no reason to believe that the legislation applicable to it, or its sub-processors, including in any country to which Customer Data is transferred either by itself or through a sub-processor, prevents it from fulfilling the instructions received from Customer and its obligations under this DPA and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by this DPA, Cato Digital will promptly notify the change to Customer as soon as Cato Digital is aware, in which case Customer is entitled to suspend the transfer of Customer Data and/or terminate the Agreement.
• Entire Agreement; Conflict. This DPA incorporates the Standard Contractual Clauses by reference. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control, except that the Service Terms will control over this DPA. Nothing in this document varies or modifies the Standard Contractual Clauses.
• Termination of the DPA. This DPA will continue in force until the termination of the Agreement (the “Termination Date”).
• Return or Deletion of Customer Data. At any time up to the Termination Date, and for 90 days following the Termination Date, subject to the terms and conditions of the Agreement, Cato Digital will return or delete Customer Data when Customer uses the Service Controls to request such return or deletion. No later than the end of this 90-day period, Customer will close all Cato Digital accounts containing Customer Data.
• Duties to Inform. Where Customer Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Cato Digital, Cato Digital will inform Customer without undue delay. Cato Digital will, without undue delay, notify all relevant parties in such action (for example, creditors, bankruptcy trustee) that any Customer Data subjected to those proceedings is Customer’s property and area of responsibility and that Customer Data is at Customer’s sole disposition.
• Definitions. Unless otherwise defined herein, terms used but not defined within this Addendum are defined in the Cato Digital Contract Definitions.

“Standard Contractual Clauses” means(i) the Controller-to-Processor Clauses, or (ii) the Processor to-Processor Clauses, as applicable in accordance with Sections under Sub-processor Obligations.

Annex 1 — Security Standards

Capitalized terms not otherwise defined in this document have the meanings assigned to them in the Agreement.

• Information Security Program. Cato Digital will maintain an information security program designed to (a) enable Customer to secure Customer Data against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable risks to the security and availability of the Cato Digital Network, and (c) minimize physical and logical security risks to the Cato Digital Network, including through regular risk assessment and testing. Cato Digital will designate one or more employees to coordinate and be accountable for the information security program. Cato Digital’s information security program will include the following measures:
  • Logical Security.
    • Access Controls. Cato Digital will make the Cato Digital Network accessible only to authorized personnel, and only as necessary to maintain and provide the Services. Cato Digital will maintain access controls and policies to manage authorizations for access to the Cato Digital Network from each network connection and user, including through the use of firewalls or functionally equivalent technology and authentication controls. Cato Digital will maintain access controls designed to (i) restrict unauthorized access to data, and (ii) segregate each customer’s data from other customers’ data.
    • Restricted User Access. Cato Digital will (i) provision and restrict user access to the Cato Digital Network in accordance with least privilege principles based on personnel job functions, (ii) require review and approval prior to provisioning access to the Cato Digital Network above least privileged principles, including administrator accounts; (iii) require at least quarterly review of Cato Digital Network access privileges and, where necessary, revoke Cato Digital Network access privileges in a timely manner, and (iv) require two factor authentication for access to the Cato Digital Network from remote locations.
    • Vulnerability Assessments. Cato Digital will perform regular external vulnerability assessments and penetration testing of the Cato Digital Network, and will investigate identified issues and track them to resolution in a timely manner.
    • Application Security. Before publicly launching new Services or significant new features of Services, Cato Digital will perform application security reviews designed to identify, mitigate and remediate security risks.
    • Change Management. Cato Digital will maintain controls designed to log, authorize, test, approve and document changes to existing Cato Digital Network resources, and will document change details within its change management or deployment tools. Cato Digital will test changes according to its change management standards prior to migration to production. Cato Digital will maintain processes designed to detect unauthorized changes to the Cato Digital Network and track identified issues to a resolution.
    • Data Integrity. Cato Digital will maintain controls designed to provide data integrity during transmission, storage and processing within the Cato Digital Network. Cato Digital will provide Customer the ability to delete Customer Data from the Cato Digital Network.
    • Business Continuity and Disaster Recovery. Cato Digital will maintain a formal risk management program designed to support the continuity of its critical business functions (“Business Continuity Program”). The Business Continuity Program includes processes and procedures for identification of, response to, and recovery from, events that could prevent or materially impair Cato Digital’s provision of the Services (a “BCP Event”). The Business Continuity Program includes a three-phased approach that Cato Digital will follow to manage BCP Events:
      • Activation & Notification Phase. As Cato Digital identifies issues likely to result in a BCP Event, Cato Digital will escalate, validate and investigate those issues. During this phase, Cato Digital will analyze the root cause of the BCP Event.
      • Recovery Phase. Cato Digital assigns responsibility to the appropriate teams to take steps to restore normal system functionality or stabilize the affected Services.
      • Reconstitution Phase. Cato Digital leadership reviews actions taken and confirms that the recovery effort is complete and the affected portions of the Services and Cato Digital Network have been restored. Following such confirmation, Cato Digital conducts a post-mortem analysis of the BCP Event.
    • Storage Media Decommissioning. Cato Digital will maintain a media decommissioning process that is conducted prior to final disposal of storage media used to store Customer Data. Prior to final disposal, storage media that was used to store Customer Data will be degaussed, erased, purged, physically destroyed, or otherwise sanitized in accordance with industry standard practices designed to ensure that the Customer Data cannot be retrieved from the applicable type of storage media.
  • Physical Security.
    • Access Controls. Cato Digital will (i) implement and maintain physical safeguards designed to prevent unauthorized physical access, damage, or interference to the Cato Digital Network, (ii) use appropriate control devices to restrict physical access to the Cato Digital Network to only authorized personnel who have a legitimate business need for such access, (iii) monitor physical access to the Cato Digital Network using intrusion detection systems designed to monitor, detect, and alert appropriate personnel of security incidents, (iv) log and regularly audit physical access to the Cato Digital Network, and (v) perform periodic reviews to validate adherence with these standards.
    • Availability. Cato Digital will (i) implement redundant systems for the Cato Digital Network designed to minimize the effect of a malfunction on the Cato Digital Network, (ii) design the Cato Digital Network to anticipate and tolerate hardware failures, and (iii) implement automated processes designed to move customer data traffic away from the affected area in the case of hardware failure.
  • Cato Digital Employees. A. Employee Security Training. Cato Digital will implement and maintain employee security training programs regarding Cato Digital information security requirements. The security awareness training programs will be reviewed and updated at least annually. B. Background Checks. Where permitted by law, and to the extent available from applicable governmental authorities, Cato Digital will require that each employee undergo a background investigation that is reasonable and appropriate for that employee’s position and level of access to the Cato Digital Network.
  • Continued Evaluation. Cato Digital will conduct periodic reviews of the information security program for the Cato Digital Network. Cato Digital will update or alter its information security program as necessary to respond to new security risks and to take advantage of new technologies.