Data Processing Agreement

This Data Processing DPA (“DPA”) supplements the Terms of Service (the “Agreement”) entered into by and between Customer (as defined in the Agreement) and Logic and Rhythm, LLC (dba Current). a Limited Liability Company located at 1307 Hayes Street San Francisco, CA 94107 (“Current”). By executing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws (defined below), in the name and on behalf of its Affiliates (defined below), if any. This DPA incorporates the terms of the Agreement, and any terms not defined in this DPA shall have the meaning set forth in the Agreement.

Recitals

1. Vendor has entered into one or more purchase orders, contracts and/or agreements (the "Agreement") with Customer pursuant to which Vendor has agreed to provide certain services to Customer as more particularly described in the Agreement ("Services").
   
   

2. In delivering the Services under the Agreement, Vendor may process Personal Data controlled by Customer, and/or its customers, employees, contacts or partners.
   
   

3. As part of its privacy notices and its contractual arrangements, Customer has provided certain assurances to its customers, contacts, employees, partners and/or end-users to ensure the appropriate protection of all data, including Personal Data when Customer engages third-party vendors. Customer’s engagement of Vendor is conditional upon Vendor’s agreement to the terms and conditions of this DPA.
   
   

4. The parties are entering into this DPA to ensure that the processing by vendor of Personal Data provided to Vendor or collected by Vendor for Customer and/or on its behalf, is done in a manner compliant with Applicable Data Protection Law and its requirements regarding the collection, use and retention of Personal Data of data subjects.
   
   

5. This DPA is incorporated into and forms part of the Agreement. All capitalized words not defined in this DPA will have the meaning set forth in the Agreement.
   
   

1. Definitions

1. "Affiliate" means any entity that is directly or indirectly controlled by, controlling or under common control with an entity. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
   
   

2. "Applicable Data Protection Law" means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, European Data Protection Law and all laws and regulations of the United States, including the CCPA.
   
   

3. "CCPA" means Title 1.81.5 California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100–1798.199), including any amendments and its implementing regulations that become effective on or after the effective date of this DPA (as amended, superseded or replaced from time to time).
   
   

4. "European Data Protection Law" means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("EU GDPR") (ii) the EU GDPR as saved into UK law by virtue of section 3 of the UK's European Union (Withdrawal) Act 2018 ("UK GDPR") and the UK Data Protection Act 2018 (together, "UK Data Protection Law"); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances ("Swiss DPA"); (iv) the e-Privacy Directive (the Directive 2002/58/EC); (v) any applicable data protection laws made under or pursuant to or that apply in conjunction with (i), (ii), (iii) or (iv) (in each case, as may be amended, superseded or replaced from time to time).
   
   

5. "Europe" means the European Economic Area (the "EEA"), United Kingdom ("UK") and Switzerland.
   
   

6. "Personal Data" means information relating to an identified or identifiable natural person ("data subject"). An identified or identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity, including any data that is protected as "personal data", "personally identifiable information" or "personal information", under Applicable Data Protection Law and processed by Vendor in accordance with Section 2.1 of this DPA in connection with the Services, and as more particularly described in Schedules 1 and 2 of this DPA (as applicable).
   
   

7. "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
   
   

8. "Security Incident" means a personal data breach or any unauthorized access or breach of security leading to, or reasonably believed to have led to, the theft, accidental or unlawful destruction loss, alteration, unauthorized disclosure or access to any Personal Data processed by Vendor (and/or any processor or Sub-processor) under or in connection with the Agreement.
   
   

9. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021.
   
   

10. "Sub-processor" means any third-party or service provider (including any Vendor Affiliates) engaged by Vendor in its role as a processor, which processes any Personal Data relating to this DPA and/or the Agreement. The term "Sub-processor" shall also include any third-party appointed by a Sub-processor to process any Personal Data relating to this DPA and/or the Agreement.
    
    

11. "UK Addendum" means the "UK Addendum to the EU Standard Contractual Clauses" issued by the Information Commissioner's Office under s.119A(1) of the UK Data Protection Act 2018.
    
    

12. The terms "controller", "processor", "supervisory authority", “personal data breach” and "processing" shall have the meaning given to them in European Data Protection Law and "process", "processes" and "processed" shall be interpreted accordingly. The terms "consumer", "personal information", "business", "sale" (including the terms “sell,” “selling,” “sold,” and other variations thereof) and "service provider" shall have the meaning given to them in the CCPA.
    
    

2. Scope of this DPA and Relationship of the Parties

1. Role and Responsibilities Customer may act as a “Business,” or “Controller” and Logic and Rhythm may act as a “Service Provider,” or “Processor” (as such terms are defined by Data Protection Laws). Customer shall ensure that it has lawfully collected and that it may lawfully provide Customer Personal Data to Logic and Rhythm for the purposes of the Agreement.
   
   

2. Compliance with Law. Each party will comply with its obligations under Applicable Data Protection Law in respect of the Personal Data it processes under the Agreement and this DPA. If Applicable Data Protection Law and corresponding obligations related to the processing of Personal Data change, the parties shall discuss in good faith any necessary amendments to this DPA.
   
   

3. California The parties agree that: (i) Vendor shall not retain, use or disclose Personal Data for any purpose other than the permitted purposes under this DPA; (ii) Personal Data was not sold to Vendor and Vendor shall not sell Personal Data subject to the CCPA; and (iii) Vendor shall not retain, use or disclose Personal Data outside of the direct business relationship between Customer and Vendor. Vendor certifies that it understands the restrictions set out in this Section 2.3 and will comply with them.

4. Vendor Processing of Personal Data

1. Vendor Processor Purposes for Processing. Vendor will at all times (and shall ensure that any of its Sub-processors as applicable): (i) process the Personal Data solely for the purposes defined in the Agreement ("Permitted Purpose"), particularly under Schedules 1 and 2 of this DPA, and only in accordance with Customer's documented lawful instructions; and (ii) not process the Personal Data for its own purposes or those of any third-party. Vendor shall not (a) sell or disclose Personal Data for monetary or other valuable consideration; (b) retain, use or disclose Personal Data for any purpose other than for the Permitted Purpose, including retaining, using or disclosing Personal Data for a commercial purpose other than performing the Services under the Agreement; or (iii) retain, use, or disclose Personal Data outside the direct business relationship between vendor and Customer.
   
   

2. Reservation of Rights. Vendor shall not at any time acquire any ownership, license, rights, title, or other interest in or to Personal Data, all of which shall, as between Customer and Vendor, be and remain the proprietary and confidential information of Customer.
   
   

3. Vendor Processor Obligations. In the event that Vendor or any of its authorized third parties, including its Sub-processors (as applicable), collects any Personal Data on behalf of Customer or furnishes or otherwise provides Personal Data to Customer in relation to the Services, then Vendor represents, warrants, and covenants that (i) it shall (and shall procure that any of its Sub-processors) do so in compliance with all Applicable Data Protection Law; and (ii) it has (and has ensured that its Sub-processors have) provided appropriate notice to individuals and obtained all necessary consents, approvals, and authorizations to provide such Personal Data to Customer in compliance with Applicable Data Protection Law and any instructions provided by Customer.
   
   

4. Compliance with Applicable Data Protection Law. Each Party shall comply with its obligations under Applicable Data Protection Law with respect to any Personal Data it processes under this DPA and the Agreement.
   
   

5. Third Party Controller Notices. Where Customer is itself a processor or service provider (as applicable) of the Personal Data acting on behalf of a Third Party Controller, Customer shall serve as the sole point of contact for Vendor and Vendor need not interact directly with (including to seek any authorizations directly from) any such Third Party Controller, other than through the regular provision of the Services to the extent required under the Agreement. Where Vendor would (including for the purposes of the SCCs) otherwise be required to provide information, assistance, cooperation, or other notification to such Third Party Controller, Vendor shall provide it solely to Customer.
   
   

5. Sub-processing

1. Authorized Sub-processors. Customer hereby provides a general authorization to Vendor in its role as a processor or service provider to engage Sub-processors to process Personal Data. The Sub-processors engaged by Vendor are listed in Schedule 4.
   
   

2. Notice. Vendor shall notify Customer of any new engagement of a Sub-processor at least thirty (30) days before any such changes by sending an email to the workspace admins and owners, in order to allow Customer to raise any reasonable objections on grounds of data protection. If Customer objects to the addition or replacement of any Sub-processor on reasonable grounds relating to data protection and Vendor is unable to resolve such objection, Customer may terminate the Agreement and Vendor shall refund Customer any prepaid unused fees under the Agreement following the effective date of termination.
   
   

3. Sub-processor Requirements. To the extent Personal Data is subject to European Data Protection Law, Vendor shall:

   1. enter into a written agreement with each Sub-processor imposing data protection terms that require Sub-processor to protect Personal Data to the standard required by applicable European Data Protection Law and this DPA (including its Schedules);
      
      

   2. retain Sub-processors which present sufficient guarantees in terms of security and data protection in accordance with European Data Protection Law;
      
      

   3. ensure the Sub-processor processes Personal Data strictly for the Permitted Purpose;
      
      

   4. remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Vendor to breach any of its obligations under this DPA.
      
      

6. Cooperation and Individual Rights

1. Notices and Requests. Vendor shall, taking into account the nature of the processing, reasonably cooperate with Customer to enable Customer (or its Third Party Controller) to respond to any requests, complaints or other communications from data subjects, consumers, governmental and regulatory or judicial bodies relating to the processing of the Personal Data under the Agreement, including requests from data subjects seeking to exercise their rights under Applicable Data Protection Law. In the event that any such request, complaint or communication is made directly to Vendor, Vendor shall promptly notify Customer in writing by emailing the workspace admins and owners, and shall not respond to such communication without Customer's express authorization.
   
   

2. Government or Regulatory Requests. If Vendor becomes aware that any government agency or authority (including law enforcement or national security) requests access to the Personal Data (whether on a voluntary basis or through a subpoena or court order), Vendor shall: (i) promptly notify Customer by email; (ii) inform the government agency that Vendor is a processor of the data and is not authorized to disclose the data, and that Vendor will need to immediately notify Customer regarding the request; (iii) attempt to redirect the agency to request the data directly from Customer; (iv) reasonably cooperate with all instructions of Customer, including if Customer (or its Third Party Controller) wishes to limit, challenge or protect against disclosure; and (v) not provide access to the data unless and until authorized by Customer in writing. Vendor shall not be required to comply with the obligations under Section 6.2(i) to (v) in full if it is under a legal prohibition or mandatory legal compulsion that prevents it from complying. Vendor shall use reasonable and lawful efforts to challenge any such prohibition or compulsion, and Vendor shall only disclose the Personal Data to the extent it is legally required to do so and in accordance with applicable lawful process. In no event shall Vendor knowingly disclose the Personal Data in a massive, disproportionate, and indiscriminate manner that goes beyond what is necessary in a democratic society.
   
   

3. DPIA Assistance. Vendor will assist Customer (or its Third Party Controller) to conduct a data protection impact assessment and, at Customer's reasonable request, consult with applicable data protection authorities in respect of any proposed processing activity that present a high risk to data subjects.
   
   

4. Customer Requests. Vendor will promptly deal with all inquiries from Customer relating to its processing of the Personal Data under the Agreement including making available all information necessary to demonstrate its compliance with Applicable Data Protection Law and this DPA.
   
   

7. Security and Audits

1. Security Audit Standards. Vendor shall maintain records in accordance with SOC 2, Type II. Upon request, Vendor shall provide copies of relevant external compliance certifications, audit report summaries and/or other documentation reasonably required by Customer to verify Vendor's compliance with this DPA. Vendor shall also respond to Customer security questionnaires and meet by teleconference or in person to address any follow up questions.
   
   

2. Security Measures. Taking into account the state of the art, the costs of implementation, and the nature, scope context and purposes of the Processing as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, Vendor shall implement and maintain appropriate technical and organizational security measures designed to protect Personal Data (including but not limited to Security Incidents) and to preserve the security and confidentiality of Personal Data. Such measures will include, at minimum, those measures described in Schedule 3 of this DPA ("Security Measures"). Vendor shall ensure that any person who is authorized by Vendor to process Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty), including to ensure that the authorized person processes any Personal Data only for the purpose of delivering the Services under the Agreement to Customer.
   
   

3. Updates to Security Measures. Vendor shall regularly and periodically determine whether upgrades, additions or modifications of applicable controls or Security Measures are required to meet the obligations under this DPA, including upon actual or constructive knowledge of relevant changes in technology and internal and external threats to Personal Data and the Services. For clarity, Customer acknowledges that the Security Measures are subject to technical progress and development and that Vendor may update and/or modify the Security Measures from time to time, provided that such updates and/or modifications do not result in the degradation of the overall security of the Personal Data and continue to exceed the measures described in Schedule 3.
   
   

4. Data Access. Vendor shall ensure that any person who processes Personal Data on Vendor's behalf: (a) is required to protect and process all Personal Data in a manner consistent with the terms of the Agreement and this DPA; and (b) will receive appropriate training by Vendor regarding the protection of Personal Data prior to receiving access to Personal Data.
   
   

5. Security Incident Response. Upon becoming aware of a Security Incident, Vendor shall notify Customer without undue delay in accordance with Section 3.2.3 and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer, including the type of data affected, the identity of affected person(s), and steps taken to mitigate the Security Incident as soon as such information becomes known or available to Vendor. Vendor shall keep and maintain a record of every Security Incident and provide a copy of such records to Customer promptly upon request.
   
   

6. Security Audits. On written request from Customer, Vendor shall provide written responses (which may include audit report summaries/extracts) to all reasonable requests for information made by Customer related to the Vendor’s processing of Personal Data necessary to confirm Vendor's compliance with this DPA, provided that Customer shall not exercise this right more than once in any 12 month rolling period. Notwithstanding the foregoing, Customer (or its appointed representatives) may also exercise such audit right of Vendor's operations and facilities in the event Customer is expressly requested or required to provide this information to a data protection authority, Vendor has experienced a Security Incident, or as may be required under Applicable Data Protection Law. Such inspections shall take place during normal business hours and be subject to reasonable prior notice.
   
   

8. International Transfers

1. Processing Locations. Customer acknowledges and agrees that Vendor may transfer and process Personal Data to and in the United States and anywhere else in the world where Vendor, its Affiliates or its Sub-processors maintain data processing operations. Vendor shall at all times ensure such transfers are made in compliance with the requirements of Applicable Data Protection Law and this DPA.
   
   

2. European Data Transfers. Vendor shall not transfer, whether by direct or onwards transfer, any Personal Data under this DPA that is protected by European Data Protection Laws ("European Data") in or to any country, territory or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of European Data Protection Law) (a "non-Adequate Country"), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with European Data Protection Law.
   
   

3. Standard Contractual Clauses. The parties agree that where Customer transfers (directly or via onward transfer) European Data to Vendor located in a non-Adequate Country, the parties agree to be subject to the Standard Contractual Clauses, which shall be automatically incorporated by reference and form an integral part of this DPA, as follows:
   
   

   1. Vendor as a Processor or Sub-processor. In relation to European Data that is protected by the EU GDPR and is processed in accordance with Sections 2.1.1 and 2.1.2 of this DPA, the SCCs shall apply completed as follows:

      1. Module Two (Section 2.1.1) or Three (Section 2.1.2) will apply;

      2. in Clause 7, the optional docking clause will apply;

      3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes is identified in Section 5 above;

      4. in Clause 11, the optional language will not apply;

      5. in Clause 17, Option 1 will apply, and the SCCs will be governed by California State law;

      6. in Clause 18(b), disputes shall be resolved before the courts of California State;

      7. Annex I of the SCCs shall be deemed completed with the information set out in Schedule 1 of this DPA; and

      8. Subject to Sections 7.2 and 7.3 of this DPA, Annex II of the SCCs shall be deemed completed with the information set out in Schedule 3 to this DPA;
         
         

   2. UK Transfer Mechanism. In relation to European Data that is protected by the UK GDPR, the SCCs: (i) shall apply as completed in accordance with Sections 8.3.1 and 8.3.2 above. Any conflict between the terms of the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum. For Data Transfers out of the United Kingdom, the UK Addendum will automatically apply.
      
      

   3. Swiss Transfer Mechanism. To the extent the European Data is subject to the Swiss DPA, Vendor agrees to process such European Data in compliance with the SCCs, which are incorporated herein in full by reference and form an integral part of this DPA in accordance with Sections 8.3.1 and 8.3.2 and the following modifications:

      1. references to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss DPA;

      2. references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the Swiss DPA;

      3. references to "EU", "Union" and "Member State" shall be replaced with references to "Switzerland";

      4. Clause 13(a) and Part C of Annex II shall not be used and the "competent supervisory authority" shall be the Swiss Federal Data Protection and Information Commissioner;

      5. references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection and Information Commissioner" and "applicable courts of Switzerland";

      6. in Clause 17, the SCCs shall be governed by the laws of Switzerland;

      7. in Clause 18(b), disputes shall be resolved before the courts of Switzerland; and

      8. the SCCs shall also protect the data of legal entities until the entry into force of the revised Swiss Federal Data Protection Act.
         
         

   4. Additional Measures. Vendor agrees to implement and maintain any additional contractual, technical or organizational measures to supplement the safeguards under the SCCs which are required from time to time by Customer or the Third Party Controller in order to protect the European Data, so long as such safeguards are consistent with requirements under European Data Protection Law. If Vendor is unable to implement and maintain such supplementary measures, Customer may immediately terminate the Agreement (in whole or in part) without penalty.
      
      

4. Alternative Transfer Mechanism. Vendor shall promptly notify Customer in the event that a data protection authority and/or Applicable Data Protection Law no longer permits the lawful transfer of Personal Data to Vendor pursuant to the terms of this DPA and/or requires that the parties adopt an alternative transfer solution that complies with Applicable Data Protection Law, then without prejudice to any other right or remedy available to Customer, Vendor shall work with Customer and promptly take all reasonable and appropriate steps Customer may deem necessary to ensure such processing or transfer is in compliance with Applicable Data Protection Law.
   
   

9. Deletion & Return of Data

1. Deletion & Return. Upon Customer's request, or upon termination or expiry of this DPA or Agreement, whichever happens first, Vendor shall (and shall procure that any Sub-processor shall): (a) securely destroy (upon written instructions of Customer) or return to Customer all Personal Data (including copies) in its possession or control (including any Personal Data processed by its Sub-processors and in back-up) in accordance with Schedule 1 of this DPA. This requirement shall not apply to the extent that Vendor is required by any applicable law to retain some or all of the Personal Data, in which event Vendor shall, on ongoing basis, isolate and protect the security and confidentiality of such Personal Data and prevent any further processing except to the extent required by such law and shall destroy or return to Customer all other Personal data; and/or immediately cease processing all Personal Data.
   
   

10. Limitation of Liability

1. Limitation of Liability. This DPA is fully subject to any limitations of liability set forth in the Agreement. Notwithstanding the foregoing, nothing in this DPA is intended to limit the parties’ direct liability towards data subjects or applicable supervisory data protection authorities where such liability cannot be limited by applicable law.
   
   

11. General

1. Disclosures. Vendor acknowledges that Customer may disclose this DPA and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, European data protection authority, or any other US or EU judicial or regulatory body upon their request.
   
   

2. Survival. The obligations placed upon the Vendor under this DPA (including, to the extent applicable, the Standard Contractual Clauses) shall survive so long as Vendor and/or its Sub-processors process Personal Data on behalf of Customer. The provisions contained in this DPA and its attachments, exhibits and schedules that by their context are intended to survive termination or expiration will survive. The accrued rights and liabilities of the parties, as well as any express or implied obligations of the parties shall survive termination of this DPA.
   
   

3. Governing Law. This DPA is governed by the law which governs the Agreement and any dispute between the parties is to be handled as set out in the Agreement, unless required otherwise by Applicable Data Protection Law or the Standard Contractual Clauses.
   
   

4. Order of Precedence. It is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs and, accordingly, if and to the extent the SCCs conflict with any provision of the Agreement (including this DPA), the SCCs shall prevail to the extent of such conflict.
   
   

5. Modifications. This DPA may not be modified except by a subsequent written instrument signed by both parties.
   
   

6. Severability. If any part of this DPA is held unenforceable, the DPA will be interpreted with the unenforceable portion of the DPA deleted, and the validity of all remaining parts will not be affected.
   
   

7. Conflicts. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. In the event of any conflict between this DPA and any data privacy provisions set out in any Agreement, the parties agree that the terms of this DPA shall prevail.
   
   

8. Customer Entities. Each corporate entity of Customer has the right to enforce all the provisions of this DPA.

   
   

Schedule 1

Description of Processing Activities / Transfer

Data exporter(s)

Name: Customer, as stated and defined in the applicable Order (as such term is defined under the Agreement)

Address: Customer’s registered business address and any address provided to Logic and Rhythm, LLC at the time that Customer uses the Services.

Contact person’s name, position and contact details: Customer’s contact for the purposes of the SCC’s will be the contact of the person that properly accepts and binds Customer to the Agreement unless another contact person’s information is specifically provided to Logic and Rhythm in writing.

Activities relevant to the data transferred under these Clauses:

Signature and date: The UK SCC’s and EU SCC’s will be considered executed upon Customer’s proper acceptance of the Agreement.

Role (controller/processor): Controller and Processor

Data importer(s):

Name Logic and Rhythm, LCC (dba Current)

Address security@current.so

Signature

Scott Savarie, Co-Founder

Date November 13, 2023

Role (controller/processor) Controller

Description of the Transfer

Categories of Personal Data

Refer to Privacy Policy

Special Category Personal Data (if applicable)

Refer to Privacy Policy

Purposes of Processing

In order for Logic and Rhythm to provide the services (Current) to the Customer as stated in the Agreement

Duration of Processing and Retention (or the criteria to determine such period)

For as long as Customer is using the Services.

Frequency of the transfer

Continuous. As initiated by the Customer.

Recipients of Personal Data Transferred to the Data Importer

Logic and Rhythm will maintains a list of sub-processors in its Privacy Policy. An export of data can re delivered upon request.

Competent Supervisory Authority

The competent supervisory authority, in accordance with Clause 13 of the SCCs will be determined in accordance with European Data Protection Law.

Schedule 3

Technical and Organizational Measures

Vendor shall implement the following minimum technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons:

Measures of encryption of personal data

All customer data is encrypted at rest and during transfer.

Measures for ensuring ongoing confidentiality, integrity and resilience of processing systems and services

Logic and Rhythm has established protocols and measures to safeguard the confidentiality, integrity, and resilience of its processing systems and services. These encompass an Access Control Policy, a Business Continuity and Disaster Recovery Policy, and a Secure Development Policy. Logic and Rhythm is committed to maintaining and furnishing these policies upon request.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Every night, customer data stored in the database undergoes nightly backups utilizing the tooling provided by Amazon Web Services, which also includes restoration capabilities. The effectiveness of both backup and restore functionalities is tested annually.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Logic and Rhythm routinely monitors and tests controls to ensure their effectiveness and timely updates. We use Secureframe, Inc, a compliance automation software, to automates various controls, such as employee activity compliance, adherence to policies, infrastructure monitoring, and development procedures. Leadership receives immediate notifications of any control risks, enabling swift action. Logic and Rhythm is SOC2 Type II certified. A report can be request by emailing security@current.so

Measures for user identification and authorization

Logic and Rhythm upholds an Access Control Policy available upon request. Access control measures encompass documented roles and permissions, encrypted connections to production systems, strong password management, and the use of single-sign-on or 2FA where applicable. The policy extends to all Logic and Rhythm employees that work on Current and any external parties with access to engineering networks and system resources.

Measures for the protection of Data transmission

All data outside the Logic and Rhythm’s network is encrypted using HTTPS/SSL. Measures are outlined in the Logic and Rhythm’s Data Management Policy, which can be provided upon request.

Measures for the protection of Data during storage

All customer data is encrypted at rest.

Measures for ensuring physical security of locations at which personal data are processed

Logic and Rhythm does not operate physical servers or other infrastructure. All customer data is encrypted at rest and stored in AWS’ data centers. The physical security of the data centers in ensured by AWS.

For employer-provided computers: All Logic and Rhythm employees are required to complete physical security training, use strong passwords, enable screen lock, use anti-virus software, encrypt their hard drive. We use JAMF, a mobile device management software, to ensure these requirements are met or remotely wipe the device in the event it gets stolen.

Measures for ensuring events logging

Logic and Rhythm implement detailed event logging using AWS CloudTrail. Alerts are set up to notify us if logging stops or there is unexpected activity.

Measures for ensuring system configuration, including default configuration

Logic and Rhythm’s security governance and management are delineated in its security policies, notably the Information Security Roles and Responsibilities Policy, which all employees must review and accept before joining. The policy is available upon request. Defined roles within the organization are mandated to provide clear responsibilities and guide the protection of information, aiming to coordinate activities and actions related to the dissemination of security policies, standards, and implementation.

Measures for internal IT and IT security governance and management

All employees with access to any of Current’s systems undergo security training.

Measures for certification/assurance of processes and products

Logic and Rhythm undergoes a yearly SOC 2 Type II audit and has always received its certifications without any exceptions. Additionally, we we complete a Cloud Application Security Assessment penetration test every year.

Measures for ensuring data minimization and accountability

Data is gathered for commercial or business purposes, including serving, customizing, and enhancing services, marketing, selling, corresponding with customers, and meeting legal obligations. Logic and Rhythm commits not to collect extra categories of Personal Data or deploy the gathered data for significantly different, unrelated, or incompatible purposes without notifying the customer. More details on the type of data we collect can be found in our Privacy Policy.

Measures for ensuring data quality

The software engineering team at Logic and Rhythm instruments all data collection, ensuring that any changes undergo peer review. Testing occurs during development, followed by verification post-deployment.

Measures for ensuring limited data retention

Logic and Rhythm retains data for as long as necessary or to comply with regulatory and contractual obligations. When data is no longer required, it is securely disposed of.

Measures for allowing data portability and ensuring erasure

Customers can request their Personal Data in a machine-readable format or ask Logic and Rhythm to transmit it to another controller where possible. The service facilitates data export in standard machine-readable formats. For portability or erasure rights, Logic and Rhythm securely retrieves stored data, restricting access to those with a business justification during copying, transfer, or erasure processes.

Schedule 4

List of Authorized Sub-Processors

Amazon.com, Inc. (AWS)

Description: Hosting and cloud computing services

Location: United States

Mixpanel, Inc.

Description: Product Analytics

Location: United States

Open AI, LLC

Description: Artificial Intelligence

Location: United States

Sentry, Inc.

Description: Crash / Error Monitoring

Location: United States

Stripe, Inc.

Description: Payment Processor

Location: United States