ENVOY DATA PROTECTION ADDENDUM

Effective Date: July 15, 2024

1. Definitions

“Agreement” means the Envoy Business Account Terms and Conditions into which this Envoy Data Protection Addendum (or the “DPA”) is incorporated and of which this DPA forms part.

“Approved Sub-processors” means as at the date of the Agreement, those sub-processors listed on its approved sub-processor list available at https://www.envoyglobal.com/privacy-policy/sub-processors/, as updated through the Sub-Processor Notification Process.

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Your Personal Data on the Platform.

“Data Protection Laws” means, as and to the extent they apply to that Party, any applicable laws and regulations in relation to the privacy or processing of personal data relating to identifiable individuals, including but not limited to as may be applicable, as updated, amended, or replaced from time to time: (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); (b) equivalent requirements in the United Kingdom including the UK General Data Protection Regulation and the Data Protection Act 2018 (“UK Data Protection Law”); (c) the Swiss Federal Act on Data Protection (“FADP”); (d) other national laws implementing, revising or replacing the GDPR, each as updated, amended or replaced from time to time; and (e) the California Consumer Privacy Act (“CCPA”) and similar U.S. state privacy laws.

“Services” means the Support Services to be provided by Envoy under the Agreement.

“Standard Contractual Clauses” means the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below, including, if applicable, as modified by the UK SCC Addendum.

“Sub-Processor Notification Process” is defined in Section 6.

“UK SCC Addendum” means the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of 12 May 2022 at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as described in the “Data Transfers” section below.

The terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “process”, “processing”, “transfer” and “appropriate technical and organisational measures” shall be interpreted in accordance with the GDPR, regardless of whether the GDPR applies to the Personal Data. All other terms are defined in the Agreement.

2. General Obligations

2.1 Each Party shall comply with the Data Protection Laws as they apply to it in connection with its obligations under the Agreement.

2.2 Where Company transfers or otherwise makes available Personal Data to Envoy on the Platform, Company shall ensure that (i) it has the necessary rights to transfer or make available such Personal Data to Envoy (including that Company has, or has procured, the necessary legal authority, permissions and/or consents for Envoy and Envoy’s Authorized Parties to process the Personal Data, including special categories of data, to provide the Services); (ii) Company’s instructions comply with (and will not cause Envoy or Envoy’s Authorized Parties to be in breach of) the Data Protection Laws; and (iii) that Company has taken reasonable steps to ensure that any Data Subjects are aware of the nature of the processing of the Personal Data to be undertaken.

2.3 Each Party shall co-operate with the other, and promptly provide such information and reasonable assistance as the other may reasonably require to enable it to comply with its obligations under the Data Protection Laws in respect of this Agreement, and to deal with and respond to all investigations, complaints, and requests for information from any regulator or Data Subject relating to such Personal Data.

2.4 Company shall only provide, and Envoy shall only process, Personal Data in respect of the subject matter, duration, nature and purpose of the Services, and the type of Personal Data and categories of data subject relevant to the Services, or as provided or made available by or on behalf of the Company.

2.5 Company is the “Data Controller” of Personal Data as defined in Data Protection Laws (including a “business” as defined in the CCPA), and Envoy is a “Data Processor” of Personal Data as defined in Data Protection Laws (including as “service provider” as defined in the CCPA). Company and Envoy will comply with all Data Protection Laws applicable to them in their respective roles under the Agreement.

3. Envoy’s Processing Obligations

3.1 Where Envoy processes Personal Data as a Data Processor on Company’s behalf, Envoy shall:

(a) only process such Personal Data in accordance with Company’s written instructions from time to time (including as further set forth in Exhibit A, as set out in the Agreement, or as provided as submissions through the Services or instructions to Your Law Firm) or as required for Envoy to provide, manage and facilitate the provision of the Services, unless obligated to do otherwise by an applicable legal requirement;

(b) promptly inform Company if, in Envoy’s opinion, an instruction from Company infringes Data Protection Law. Envoy shall also inform Company if Envoy can no longer meet its obligations under this DPA within five (5) days of such determination. Envoy acknowledges that Company retains the right to, upon notice, take reasonable and appropriate steps to stop and remediate Envoy’s use of Personal Data.

(c) comply with any applicable restrictions under Data Protection Laws on combining Personal Data received pursuant to the Agreement with Personal Data that Envoy receives from, or on behalf of, another person or persons, or that Envoy collects from any interaction between it and a Data Subject.

(d) refrain from:

(i) “Selling” Personal Data to, or “sharing” Personal Data with, any third party, as such terms are defined under the CCPA and similar U.S. state privacy laws;

(ii) Retaining, using, or disclosing Personal Data outside of the direct business relationship between Company (or Your Law Firm) and Envoy;

(iii) Attempting to re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Data, or linking or otherwise creating a relationship between Personal Data and non-Personal Data without Company’s express written permission; or

(iv) Otherwise engaging in any processing of Personal Data that is prohibited or not permitted by “Data Processors” or “service providers” under Data Protection Laws.

(e) ensure that persons authorised by Envoy to process such Personal Data are subject to appropriate obligations to maintain the confidentiality of such Personal Data;

(f) taking into account the (i) state of the art, (ii) cost of implementation, (iii) nature, scope, context and purposes of processing, and (iv) risk and severity of potential harm, protect such Personal Data by putting in place technical and organisational measures to protect such Personal Data from a Data Breach that comply with applicable law and Exhibit B;

(g) comply with the following with respect to Data Breaches:

(i) Within 72 hours of determining that a Data Breach occurred, inform Company of the Data Breach by connecting with Company’s point of contact as designated on the Platform (the “Breach Notification Contact Point”); and

(ii) Within such time period, and without undue delay as the information becomes available after that, inform Company (via the Breach Notification Contact Point) of:

(A) The nature of the Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;

(B) The likely consequences of the Data Breach; and

(C) Measures taken or proposed to be taken by Envoy to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

(h) notify Company within 5 days of receiving any request from a Company Data Subject to exercise the Data Subject’s rights with respect to his or her Personal Data, and, taking into account the nature of Envoy’s processing, put in place appropriate technical and organisational measures, insofar as is possible, to assist Company to fulfill, at Company’s reasonable cost, Company’s obligations to respond to Data Subjects’ requests to exercise such rights;

(i) where reasonably requested, and taking into account the nature of Envoy’s processing and the Services and the information available to us, assist Company, at Company’s reasonable cost, in complying with Company’s obligations under Articles 32 – 36 of GDPR (and similar requirements under other Data Protection Laws) in respect of such Personal Data;

(j) at the written request of Company, when Envoy ceases providing the Services to Company, delete all copies of such Personal Data, unless applicable law or professional obligation or regulation of Envoy or Envoy’s Authorized Parties requires the continued storage of such Personal Data, in which case Envoy shall retain such Personal Data only for as long as required under such applicable law, professional obligation, or regulation;

(k) subject to reasonable access arrangements being agreed between the Parties and save for disclosure of information which is confidential or where access is otherwise restricted by applicable law or regulation, make available to Company all relevant information necessary to demonstrate compliance with Envoy’s obligations under this DPA and allow for and contribute to audits, including inspections, conducted by Company or another auditor mandated by Company, at Company’s reasonable cost;

(l) subject to reasonable access arrangements being agreed between the Parties and save for disclosure of information which is confidential or where access is otherwise restricted by applicable law or regulation, allow Company to take reasonable and appropriate steps to remediate any unauthorized use of Personal Data;

(m) comply with all Data Protection Laws applicable to Envoy’s use of Sub-processors, and the following conditions:

(i) Envoy shall appoint Sub-processors in accordance with the terms set forth in Section 6 below;

(ii) Envoy enters into a written agreement with them requiring them to process the Personal Data only in accordance with Company’s or Envoy’s written instructions, and to comply with obligations equivalent in all material respects to those imposed on Envoy under this Section 3;

(iii) where relevant, not process or transfer such Personal Data outside the UK or EEA unless (i) an adequacy finding has been made under the Data Protection Laws that the relevant jurisdiction provides an adequate level of protection; (ii) Envoy has put in place appropriate safeguards as required under the Data Protection Laws for such processing or transfers or (iii) the transfer is otherwise lawful under the GDPR and other applicable Data Protection Laws; and

(iv) Envoy remains responsible for its Sub-processors and liable for their acts and omissions to the same extent it is liable for its own acts and omissions.

3.2 Company acknowledges and agrees that Envoy will make the Personal Data available to Envoy’s Authorized Parties. Envoy may, on behalf of Your Law Firm and Local Representatives, retain materials (including Personal Data) held in connection with the legal or immigration services provided by Your Law Firm and Local Representatives, as required by Your Law Firm and Local Representatives to meet their professional responsibility obligations and legal requirements. Any such materials will be held by Envoy on behalf of Your Law Firm and Local Representatives for archival retention in accordance with Envoy’s confidentiality obligations under the Agreement. Your Law Firm and Local Representatives act as independent Data Controllers (and not as Data Processors) in respect of the Personal Data that they process when undertaking the foregoing activities. For example, registered immigration advisers and service providers in the UK are subject to the Code of Standards issued by the Office of the Information Commissioner (the “Code”), which requires them to retain copies of their records after termination of the client relationship. Your Law Firm and Local Representatives may retain their records on systems operated by Envoy.

4. Data Transfers

4.1 If Company’s transfer of any Personal Data to Envoy must comply with GDPR Chapter V (Transfers of Personal Data to third countries or international organisations) or equivalent provisions in UK Data Protection Law or the FADP (each a “Data Transfer Restriction”), then (a) if Envoy is a member of the EU-U.S. Data Privacy Framework or equivalents for UK or Swiss purposes, and such membership would satisfy the Data Transfer Restriction for such transfer, then such transfer will be made pursuant to such framework, but (b) if that would not satisfy the Data Transfer Restriction but the Personal Data would receive an adequate level of protection if transferred pursuant to the Standard Contractual Clauses as set forth below, then Company and Envoy hereby enter into the Standard Contractual Clauses for such Personal Data as set forth in Section 4.2 below, but (c) if instead the Personal Data would not receive an adequate level of protection under the Standard Contractual Clauses as set forth below, then the Standard Contractual Clauses do not apply, and the Personal Data is instead transferred pursuant to one or more of the GDPR derogations set forth in Section 4.3 below or their equivalent under UK Data Protection Law or the FADP.

4.2 Standard Contractual Clauses:

4.2.1 With respect to Personal Data for which UK Data Protection Law governs the transfer, the UK SCC Addendum forms part of this DPA and takes precedence over the rest of this DPA to the extent of any conflict and shall be deemed completed as follows (with capitalized terms not defined elsewhere having the definition set forth in the UK SCC Addendum):

(a) Table 1 of the UK SCC Addendum: The Parties, their details, and their contacts are those set forth in Exhibit A.

(b) Table 2 of the UK SCC Addendum: the “Approved EU Standard Contractual Clauses” shall be the Standard Contractual Clauses as set forth in Section 4.2.2 of this DPA.

(c) Table 3 of the UK SCC Addendum: Annexes 1A and 1B are in Exhibit A, Annex II is in Exhibit B, and Annex III is inapplicable.

(d) Table 4 of the UK SCC Addendum: either Party may exercise the right set forth in Section 19 of the UK SCC Addendum.

(e) By entering into this DPA, the Parties are deemed to be signing the UK SCC Addendum.

4.2.2 For all other Personal Data, the Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and, except as set forth in Section 4.2.1 and 4.2.3, they will be deemed completed as follows:

(a) Company acts as a Data Controller and Envoy acts as Company’s Data Processor with respect to the Personal Data subject to the Standard Contractual Clauses, and its Module 2 applies.

(b) Clause 7 (the optional docking clause) is included.

(c) Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization). The initial list of sub-processors is set forth at https://www.envoyglobal.com/sub-processors/, and Envoy shall update that list and provide notice to Company as set forth in Section 6 of this DPA prior to engaging any new sub-processor.

(d) Under Clause 11 (Redress), the optional requirement that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.

(e) Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the law of Ireland.

(f) Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland.

(g) Annexes I and II of the Standard Contractual Clauses are set forth in Exhibit A of the DPA.

(h) Annex III of the Standard Contractual Clauses (List of sub-processors) is inapplicable.

4.2.3 With respect to transfers of Personal Data that are subject to the FADP, the Standard Contractual Clauses shall be deemed to have the following differences to the extent required by the FADP:

(a) References to the GDPR in the Standard Contractual Clauses are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.

(b) The term “member state” in Standard Contractual Clauses shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses.

(c) References to Personal Data in the Standard Contractual Clauses also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.

(d) Under Annex I(C) of the Standard Contractual Clauses (Competent supervisory authority):

(i) Where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

(ii) Where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the Standard Contractual Clauses insofar as the transfer is governed by the GDPR.

4.3 Company confirms that its transfers of GDPR-regulated Personal Data and UK Data Protection Law-regulated Personal Data through the Services to Envoy and to Envoy’s Authorized Parties are made under one or more of the following conditions:

(a) the Data Subject has provided appropriate consent to the proposed transfer; OR

(b) the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller (such as the employment contract between the Data Subject and either Company or Company’s affiliate) or the implementation of pre-contractual measures taken at the Data Subject’s request; OR

(c) the transfer is necessary for the establishment, exercise or defence of legal claims (consistent with the explanation in GDPR Recital 111 that this includes transfers necessary for administrative procedures); OR

(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Data Controller and another natural or legal person (such as the contract for immigration services between Company and Envoy, between Company and Your Law Firm, or between Envoy and a Local Representative such as a local immigration services provider).

4.4 The Company acknowledges that Personal Data will be transferred to or from, and/or processed from, those jurisdictions where Your Law Firm or Local Representatives appointed on Matters are based.

5. Your Third Parties

5.1 Where an affiliate of Company is the Data Controller over any Personal Data processed by Envoy under this Agreement, Company will procure that any relevant affiliate complies with their respective obligations under the Data Protection Laws and Section 2.2 in respect of such Personal Data.

6. Our Sub-processors

6.1 Company acknowledges and agrees that Envoy may engage third-party sub-processors in connection with the performance of the Services. The Approved Sub-processors as of the date of the Agreement or this DPA are listed at https://www.envoyglobal.com/sub-processors, as updated in accordance with the Sub-Processor Notification Process. Company acknowledges and expressly agrees that Envoy may engage new sub-processors, and subject to the provisions of Section 6.2, each sub-processor will become an Approved Sub-processor. To be notified of new sub-processors, Company must email privacy@envoyglobal.com to subscribe to the sub-processor notification alerts (“Sub-Processor Notification Process”). Envoy shall provide notification via the Sub-Processor Notification Process of a new sub-processor at least ten (10) business days before authorizing any new sub-processor(s) to process Personal Data in connection with the provision of the Services.

6.2 Company may object to Envoy’s use of a new sub-processor by notifying Envoy promptly in writing to privacy@envoyglobal.com within ten (10) business days after receipt of Envoy’s notice in accordance with the Sub-Processor Notification Process. In the event Company objects to a new sub-processor, as permitted in the preceding sentence, Company may terminate the Agreement with no penalty.

7. Law Firm and Local Representatives Engaged by Company Through Envoy

7.1 Where a Law Firm or Local Representative is involved, the Company has the following understanding:

(a) Each of Company and such Law Firm or Local Representative will provide reasonable cooperation to the other, and shall promptly provide such information and reasonable assistance as the other may reasonably require to enable it to comply with its obligations under the Data Protection Laws in respect of their relationship, and to deal with and respond to all investigations, complaints, and requests for information from any regulator or Data Subject relating to such Personal Data.

(b) If Your Law Firm or Local Representative determines that it has a legal obligation to provide its own privacy policy or privacy notice to a Data Subject employed or to be employed by Company, and Your Law Firm or Local Representative cannot readily provide such notice to the Data Subject via Envoy systems, Company will take reasonable steps to provide the Data Subject with a copy of Your Law Firm or Local Representative’s privacy policy or privacy notice.

8. General

8.1 This DPA is without prejudice to the obligations of the Parties under the Agreement, which shall continue in full force and effect.

8.2 In the event of any conflict or inconsistency the order of precedence so far as the subject matter concerns the processing of Personal Data is as follows: (1) the Standard Contractual Clauses; (2) the remaining provisions of this DPA; and (3) the remaining provisions of this Agreement.

8.3 This DPA constitutes the sole and entire agreement between the Parties with respect to the subject matter contained herein, and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, regarding such subject matter.

Exhibit A

ANNEXES I and II to the Standard Contractual Clauses

ANNEX I

A. LIST OF PARTIES

MODULE TWO: Transfer controller to processor

Data exporter(s): The data exporter is Company, a user of the services under the Agreement.

Activities relevant to the data transferred under these Clauses: Using the importer’s services to manage and facilitate immigration-related procedures

Role (Data Controller/Data Processor): Data Controller

Contact Information: Details about the data exporter’s contact information are available to the data importer in the Platform (where such details have been provided by the data exporter)

Signature and Date: The Parties agree that acceptance of the Agreement by the data importer and the data exporter shall constitute execution of these Clauses.

Data importer(s): Envoy, provider of Services under the Agreement

Name: Envoy Global, Inc.

Address: 230 West Monroe St., Suite 2700, Chicago, Illinois 60606

Contact person’s name, position and contact details: Richard Burke, CEO

Activities relevant to the data transferred under these Clauses: See “Description of Transfer” below

Role (Data Controller/Data Processor): Data Processor

Signature and Date: The Parties agree that acceptance of the Agreement by the data importer and the data exporter shall constitute execution of these Clauses.

B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor

Categories of Data Subjects whose Personal Data is transferred: Current, former and prospective employees and other categories of workers of Envoy’s customers and their dependents.

Categories of Personal Data transferred:

  • Full name
  • Nationality
  • Title/Position/Department
  • Business contact details (e.g., address, telephone, mobile, and email)
  • Dates of employment or prospective employment
  • Accreditations
  • Personal contact details (e.g., home address, home telephone number and personal mobile number)
  • Date of birth
  • Language preference
  • Education and qualifications
  • Family member information
  • Some or all of the following other Personal Data including Government Identification or Social Security number, Driver’s license number, state identification card number, passport number, alien registration number, taxpayer identification number, date of birth, mother’s maiden name, digital or electronic signature, or picture of employee.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership; and
  • Data concerning sex life or sexual orientation.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): On a continuous basis for as long as Company engages Envoy to provide the Services.

Nature of the processing: The data will be processed as necessary to provide global immigration services to Company in accordance with the terms of this Agreement.

Purpose(s) of the data transfer and further processing: The purpose of the Processing is to provide Support Services under the Agreement, including the Platform, administrative support, and Global Services for its customers’ immigration matters:

  • The core purpose of the Support Services is to allow Envoy’s Authorized Parties to process employee and potential employee immigration matters (and related matters for their dependents) on behalf of Company, and to allow the Company to track the status of such matters and of such individuals’ work authorization.
  • Envoy’s Platform enables the Company to manage its global immigration efforts, with tracking tools that help it manage deadlines, approval status and expirations.
  • Envoy’s Platform enables Envoy’s Authorized Parties to manage the Company’s immigration matters.

The Company consents to the transfer of the relevant Personal Data to Envoy’s Authorized Parties to process the Company’s immigration matters and in order for Envoy to provide the Support Services.

The Personal Data transferred will be subject to the following basic processing activities:

  • Processing for the purpose of managing immigration and related matters for the Company, and providing updates and status reports and providing insight and knowledge material on relevant immigration law and policy updates and related developments.
  • Transfers to Envoy’s Authorized Parties, including Federal Government, State agencies and departments, as required for obtaining visas, permits and other immigration clearance.
  • Data storage (as required for the provision of Envoy’s services and performance of its obligations and to support Your Law Firm and Local Representatives in fulfilling their professional obligations).

The Company acknowledges and agrees that Envoy may retain materials (including Personal Data) held in connection with the services provided by Your Law Firm and Local Representatives, as required to allow Your Law Firm and Local Representatives to meet their professional responsibility obligations.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: The data will be retained for the time period needed to accomplish the purposes of processing, unless otherwise required by law.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Transfers to sub-processors are for the same purposes as transfers to the processor, as set forth above.

C. COMPETENT SUPERVISORY AUTHORITY

MODULE TWO: Transfer controller to processor

Identify the competent supervisory authority/ies in accordance with Clause 13: Ireland Data Protection Commissioner

The Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

See Exhibit B below.

EXHIBIT B

Security Requirements

Envoy uses the following controls to protect the Personal Data it processes to provide the Support Services:

Access Control

Envoy has implemented the following controls:

(a) Controls to specify authorized Envoy individuals permitted to access Personal Data

(b) Access control process to avoid unauthorized access to Envoy’s premises

(c) Video surveillance and alarm devices with reference to access areas

(d) Personnel without access authorization (e.g., technicians, cleaning personnel) are accompanied on Envoy premises when accessing data processing areas

System Access Control

Envoy has implemented the following controls:

(a) Envoy systems processing Personal Data (this includes remote access) are password protected after boot sequences and when left for a specified period

(b) Dedicated user IDs for authentication against systems user management for every Envoy individual

(c) Individual user passwords for authentication

(d) Access control on Envoy systems is supported by an authentication system

(e) Controls to grant Envoy system access to authorized personnel and to assign only the minimum permissions necessary for those personnel to access Personal Data in the performance of their function

(f) Password policy that prohibits the sharing of passwords, outlines processes after a disclosure of a password and requires the regular change of passwords

(g) Passwords are stored in encrypted or hashed form or otherwise receive reasonable protection

(h) Procedure to deactivate the Envoy user account when a user leaves the company or function

(i) Process to adjust administrator permissions when an administrator leaves Envoy or a particular function

(j) Process to log access to Envoy systems and review those logs for Data Breaches

Data Access Control

Envoy has implemented the following controls:

(a) Assigned access to files and programs on a “need-to-know” basis

(b) Storage of physical media containing Personal Data in protected areas

(c) Controls against use/installation of unauthorized hardware and/or software

(d) Rules for the destruction of data that are no longer required

(e) Controls regarding the assignment of access to authorized personnel and to assign only the minimum permissions necessary for those personnel to access Personal Data in the performance of their function

Availability Control

Envoy has implemented the following controls:

(a) Arrangements to create back-up copies stored in specially protected environments

(b) Arrangements to perform regular restore tests from those backups

(c) Contingency plans or business recovery strategies

(d) Controls to help ensure that Personal Data is not used for any purpose other than for the purposes Envoy has been contracted to perform

(e) Controls against unauthorized removal of Personal Data from Envoy’s business computers or premises for any reason

(f) Requirement that when staff members leave their desks unattended during the day and prior to leaving the office at the end of the day, they place materials containing Personal Data in a protected environment such as a locked desk drawer, filing cabinet, or other protected storage space

(g) Process for disposal of documents or data carriers containing Personal Data

(h) Network firewalls to help prevent unauthorized access to systems and services

(i) Process to provide that each computer used to process Personal Data runs an up-to-date antivirus solution

Organizational Requirements

Envoy has implemented the following controls:

(a) Designated a responsible person for data protection compliance

(b) Obtained the written commitment of the employees to maintain confidentiality

(c) Trained staff on data privacy and data security

(d) Implemented a formal Data Breach response process that is consistently followed for the management of Data Breaches