Please ensure Javascript is enabled for purposes of website accessibility
Data Processing Addendum Joseph DAlesandro September 5, 2023

DATA PROCESSING ADDENDUM

Last Updated: May 17, 2024

This Data Processing Addendum (“DPA”) is hereby incorporated by reference into and is part of the Software as a Services Agreement (“Agreement”) entered into between Ryan, LLC and its tax.com operating division (together with its Affiliates, “Ryan,” “We,” “Our,” or “Us”) and Customer (“You(r)”) and sets out the obligations of the Parties with respect to the Processing of Customer Personal Data in connection with the Agreement. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. Unless otherwise defined herein, any capitalized terms will have the meanings given to them in the Agreement. Ryan and Customer may be referred to herein collectively as the “Parties” or individually as a “Party.”

1. DEFINITIONS

The following will have the following meaning in this DPA:

“Affiliate(s)” means, with respect to any entity, any other entity that directly or indirectly controls, is controlled by, or is under common control with such entity, where “control” refers to the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract, or otherwise.

“Applicable Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in processing Personal Data under the Agreement, including, where applicable, EU & UK Data Protection Law and the CCPA.

“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”), and the regulations promulgated thereunder, as amended or superseded from time to time.

“Controller” also referred to as “Business,” “Processor” also referred to as “Service Provider,” “Data Subject” also referred to as “Consumer,” “Personal Data” also referred to as “Personal Information,” “process” or “processing,” and “Sell” or “Selling” (or any of their analogous terms) will all have the meanings set out in the relevant Applicable Data Protection Law.

Customer” or “You(r)” means the entity or individual that has entered into the Agreement with Ryan, LLC.

Customer Data” means any information submitted to the Online Services by Your Authorized Users.

Customer Personal Data” means Personal Data that You or Your Affiliates provide under the Agreement for Us to process on Your behalf in connection with the Online Services. Customer Personal Data does not include information that is (i) deidentified, anonymized, aggregated, publicly available information, or business contact data (unless the Applicable Data Protection Law otherwise considers such information as Personal Data), (ii) usage statistics; or (iii) any information that the Applicable Data Protection Law specifically states does not constitute Personal Data.

Data Protection Authority” means any supervisory authority with responsibility for the enforcement of Applicable Data Protection Law.

“Data Protection Impact Assessment” means an assessment of the impact of the proposed Processing of Customer Personal Data on the protection of the privacy of natural persons under the GDPR.

“Data Protection Officer” means an individual who is designated by Us to be responsible for the compliance with Applicable Data Protection Law and the DPA.

“EU” means the European Union.

“EU & UK Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR“); and (ii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR“) and the Data Protection Act 2018 Commission Implementing Decision (EU) 2021/914, the International Data Transfer Agreement (the “IDTA”) or the International Data Transfer Addendum to the EU SCCs (the “UK Addendum”) issued by the UK supervisory authority under the UK GDPR (“UK IDTA”).

“GDPR” means the General Data Protection Regulation (EU) 2016/679.

Online Services” means Our proprietary software provided as a subscription-based, third-party hosted service under an Order Form.

“Processor” means Ryan, LLC.

“Security Incident” means a breach of security that causes the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

“Security Measures” means the administrative, physical, and technical security measures described in Schedule 1.

“Sensitive Personal Data” means Personal Data that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health or sex life.

Standard Contractual Clauses” or “SCCs” means those model clauses as approved by the European Commission from time to time, used as a legal mechanism to ensure the protection of Customer Personal Data when it is transferred outside of the European Economic Area or the UK. The version in effect at the time of data transfer will be used, and these can be located at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

“Sub-processor” means any third-party entity engaged by Us to provide services to Us or Customer in connection with the Agreement.

2. SCOPE OF DPA AND ROLES OF THE PARTIES

  1. Scope. The purpose of this DPA is to ensure that the processing of Customer Personal Data within the Service complies with Applicable Data Privacy Laws.
  2. Parties’ Roles
    1. For the Online Services, as between Us and You, We will process Customer Personal Data only as a Processor (or sub-processor) acting on Your behalf and, with respect to CCPA, as a “service provider,” as defined therein, and as otherwise similarly defined under Applicable Data Privacy Laws, in each case regardless of whether You act as a Controller or Processor with respect to Customer Personal Data.
    2. Each party agrees it will comply with Applicable Data Privacy Laws and this DPA in connection with the Agreement;
    3. Each party will notify the other if they reasonably believe that the instruction or processing of Customer Personal Data violates Applicable Data Privacy Laws.
    4. Customer and Processor agree to cooperate in good faith to amend the Agreement or this DPA or enter into further mutually agreeable data processing agreements to comply with Applicable Data Privacy Laws.
  3. Customer
    1. You will, in Your use of the Online Services, comply with Your obligations under Applicable Data Privacy Laws when processing Personal Data and when issuing processing instructions to Us. You represent that You have provided notice and obtained (or will obtain) all necessary consents and rights under Applicable Data Privacy Laws to process Personal Data pursuant to this DPA.
    2. You exclusively control the Personal Data to be collected, uploaded, and stored in the Online Services, and for designating the access controls applicable to Your Authorized Users. If You use the Online Services to process any categories of Personal Data not expressly authorized by the Agreement or this DPA, You assume responsibility for noncompliance with the Applicable Data Privacy Laws.
    3. You will process Personal Data of Ours in accordance with Applicable Data Privacy Laws and Your policy practices set forth on Your site. Such disclosures may be made by Us from time to time for purposes of contract management, service management, or security purposes.
  4. Processor
    Except as otherwise required under Applicable Data Privacy Laws, We and Our Sub-processors will process Customer Personal Data in accordance with Applicable Data Privacy Laws and only to: (a) perform the Online Services for You pursuant to the Agreement; (b) comply with this DPA; (c) carry out Your reasonable written instructions that are consistent with the Agreement and this DPA.

3. COOPERATION

  1. If We receive a request from a Data Subject seeking to exercise rights under Applicable Data Privacy Laws (“Data Subject Requests”), and the Data Subject Request identifies Customer, or We are aware that the Data Subject Request pertains to the processing on behalf of Customer, We will forward the communication promptly to Customer as commercially practicable for Customer to respond and We will cooperate with Customer with the request as reasonably directed.
  2. We will provide reasonable cooperation and provide reasonably requested information regarding the Services to enable Customer to perform data protection impact assessments or in connection with a consultation with supervisory authorities when required under Applicable Data Privacy Laws.

4. SECURITY

  1. We will implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data in accordance with Our Technical and Organizational Measures stated in Annex II. We may review and update or otherwise change Our practices from time to time, provided that any such updates will not materially diminish the overall security of the Online Services or Customer Personal Data.
  2. You are responsible for protecting and securing Your authentication credentials and in protecting the Customer Personal Data when in transit to and from the Online Services. You will promptly alert Us of any reasonably suspected Security Breach at privacy@ryan.com.
  3. “Protected Third Party Information” includes Sensitive Personal Data, Personal Identification Information, Patient Health Information, Personal Financial Information, and Personal Educational Information, as each is defined in Section 5(c)(i)-(iv) below. Customer will be responsible for protecting Protected Third-Party Information and Sensitive Customer Information from disclosure by following the requirements of this Section. You will minimize processing or Protected Third Party Information by limiting processing to what is necessary and not transferring Protected Third-Party Information or Sensitive Customer Information to the Online Services unless the transfer of such information is expressly necessary to utilize the Online Services.
      1. “Personal Identification Information” or “PII” includes information that can be traced to a particular individual, such as name, mailing address, phone number, and email address, when processed in combination with a social security number, driver’s license number, or state ID card, or similar identifier could be used to (1) facilitate identity theft (2) permit access to an individual’s financial account (3) require notification under any data breach notification law if compromised.
      2. “Patient Health Information” or “PHI” includes information regarding a particular individual’s health and medical treatment and includes medical record number, account number, social security number, insurance information, claims information, payment information, patient demographic data, dates of License, date of admission, discharge medical records, medical treatment, reports, test results, and all other information regulated by the Health Insurance Portability and Accountability Act (HIPAA).
      3. “Personal Financial Information” or “PFI” includes credit or debit card information, other payment card information, bank account, investment account, and all other information considered confidential under the Payment Card Industry Data Security Standards (PCI DSS).
      4. “Personal Educational Information” or “PEI” includes student records, test results, courses taken, educational records pertaining to an individual student, and all other information regulated by the Federal Family Educational Rights and Privacy Act (FERPA).
  4. “Sensitive Customer Information” includes Customer’s sensitive non-public data, including but not limited to trade secrets, proprietary information, research & development, business plans and strategies, operating reports, manufacturing data, pricing information, marketing and sales data, information regarding litigation, techniques, formulas, source code, potential acquisitions and equity investments, personnel records, organization charts, and banking information.

5. SUB-PROCESSORS

  1. We will engage Sub-processors under a written (including in electronic form) contract consistent with the terms of this DPA in relation to the Sub-processor’s processing of Personal Data. As between Us and You, We will be liable for Sub-processors’ obligations, performance, and services under the Agreement;
  2. We will evaluate the security, privacy, and confidentiality practices of a Sub-processor before selection to establish that it can provide the level of protection of Personal Data required by this DPA, including ensuring that the Sub-processor is under an appropriate obligation of confidentiality; and 
  3. Our list of Sub-processors in place on the effective date of the Agreement is stated in Annex III. Customer may subscribe to receive notification of any changes to Our Sub-processors, and if no objection is made within 10 days of such change, consent is deemed given.

6. SECURITY INCIDENT NOTIFICATION

  1. We will implement and maintain policies and procedures to detect, respond to, and address Security Incidents including procedures to identify and respond to Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and restore the availability or access to Customer Data to You in a timely manner.
  2. We will notify You within 72 hours, or sooner if required under Applicable Data Privacy Laws, of a Security Incident. In the event of a Security Incident, We will take commercially reasonable measures and actions to remedy or mitigate the effects of the Security Incident, including performing a root cause analysis to identify the cause of such Security Incident.
  3. We will keep You informed as to the status of the Security Incident, periodically providing timely notices of relevant details, a point of contact, and measures taken or planned to address the Security Incident.
  4. We will reasonably cooperate and assist You with any investigations into, and remediation of, the Security Incident (including, upon Customer’s request for Security Incidents caused by Us, and if required by Applicable Data Privacy Laws, the provision of notice to regulators or affected individuals, establishing call centers, and providing a credit monitoring service for one year).

7. DATA EXPORT AND DELETION 

Upon Your request, Agreement termination, or Agreement expiration, We will delete all Customer Data in Our possession or control, except to the extent that We are required to retain such data by law or Our retention policies or as otherwise provided for in the Agreement (in which case, it will keep the data confidential and refrain from further processing except to the extent required by applicable law).

8. COMPLIANCE VERIFICATION AND AUDIT

  1. Upon Your request no more than annually, except for reasonable cause such as a regulatory request or Security Incident caused by Us, We will provide information confirming compliance with the requirements of this DPA by providing You with the following:
    1. Completion of an information security questionnaire, via a secure portal, consolidated into a single questionnaire for multiple product subscriptions;
    2. A summary of the results of any independent third-party assessment or certification (e.g., SOC2, ISO 27001), that We undertake and make available to customers with respect to the Online Services and Our data hosting environment.
  2. If We are unable to reasonably demonstrate compliance with the security and audit obligations under Section 9(a) of this DPA, We will provide additional information and access to security personnel (as generally made available to other customers as reasonably requested), as to Our security practices, subject to the confidentiality requirements of the Agreement. The content and timing of such review will be agreed to by the Parties, and any third-party auditor hired by You may not be a competitor of Ours or have any other actual or apparent conflict of interest.

9. DATA TRANSFERS

  1. We may, in connection with the provision of the Online Services, make international transfers of Personal Data to Our Affiliates and Sub-processors. When making such transfers, We will ensure appropriate protection is in place to safeguard the Personal Data transferred under or in connection with this DPA.
  2. Where the provision of Services involves the transfer of Personal Data from the EEA to countries outside the EEA (which are not subject to an adequacy decision under Applicable Data Protection Laws) such transfer will be subject to the following requirements: (a) We have in place intra-group agreements that incorporate Standard Contractual Clauses with any Affiliates which may have access to the Personal Data; and (b) We have in place agreements with Sub-processors that incorporate the Standard Contractual Clauses, as appropriate, subject to the following modifications:
  3. The modifications to the Standard Contractual Clauses are as follows:
    1. in Clause 2 (Effect and invariability of the Clauses), Module Two shall apply (Controller to Processor); 
    2. in Clause 7 (Docking Clause), the optional docking clause will apply; 
    3. in Clause 9 (Use of sub-processors), for subsection (a), Option 2 will apply, in accordance with any additional requirements outlined herein; 
    4. in Clause 11 (Redress), the optional language will not apply; 
    5. in Clause 13 (Supervision), the competent Supervisory Authority shall be the Data Protection Commission of Ireland; 
    6. in Clause 17 (Governing Law), Option 1 will apply, and will be governed by the law of Ireland; 
    7. in Clause 18 (Choice of Forum and jurisdiction), for subsection (b), disputes shall be resolved before the courts of Ireland; 
    8. Annex I shall be deemed completed with the information set out in Schedule 1 to this DPA;
    9. Annex II shall be deemed completed with the information set out in Schedule 2 to this DPA; 
    10. Annex III shall be deemed completed with the information set out in Schedule 3 to this DPA.
  4. To the extent that Personal Data contained within Customer Data is transferred by or on behalf of Licensee (including onward transfers) from within the United Kingdom, Switzerland, or Brazil to Us in a jurisdiction outside of the same (each a “Transferred Jurisdiction”), the Parties agree that, with respect to any restricted transfer under Applicable Data Privacy Laws, the SCCs (as modified above, together with the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0), in force 21 March 2022 (the “Addendum”), shall provide the appropriate safeguards required of such transfer, subject to the following modifications:
    1. references to the “Regulation (EU) 2016/679,” “the Regulation,” or the GDPR shall be interpreted as references to the Applicable Data Privacy Laws of the Transferred Jurisdiction;  
    2. where required or appropriate, references to specific Articles of the GDPR shall be replaced with the equivalent article or section of the Applicable Data Privacy Laws of the Transferred Jurisdiction;  
    3. references to “EU,” “Union,” and “Member State” shall be replaced with references to the Transferred Jurisdiction;  
    4. the “competent supervisory authority” shall be the UK Information Commissioner, the Swiss Federal Data Protection and Information Commissioner, or Brazil’s National Data Protection Authority, as applicable;  
    5. the “competent courts” shall mean the courts of England, Switzerland, or Brazil, as applicable;  
    6. in Clause 9 and Clause 11(3), the SCCs shall be governed by the laws of England, Switzerland, or Brazil, as applicable;  
    7. with respect to the United Kingdom, Part 2 of the Addendum (Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses), as applicable, is incorporated herein and shall supplement the SCCs; and  
    8. Annex III to the Addendum will be deemed completed using the Sub-processor list found at https://www.tax.com/subprocessors.

10. MISCELLANEOUS

  1. To the extent permitted by Applicable Law, any claims brought under or in connection with this DPA will be subject to the exclusions and limitations set forth in the Agreement.  
  2. Except as expressly permitted by the SCCs, no one other than a party to this DPA will have any right to enforce its terms, but each party may enforce its terms on behalf of its Affiliates, if applicable. 
  3. Except as otherwise specified herein, this DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.
  4. This DPA will remain in force as long as We process Customer Personal Data under the Agreement.

SCHEDULE 1

ANNEX I to the Standard Contractual Clauses 

A. LIST OF PARTIES

Module Selection

Select Applicable SCC Module
Module One: Controller to Controller
Module Two: Controller to Processor
Module Three: Processor to Processor
Module Four: Processor to Controller

Data exporter(s):

Name: The entity identified as “Customer” in the DPA.
Address: The address for Customer associated with its account or as otherwise specified in the DPA or the Agreement.
Contact person’s name, position, and contact details: The contact details associated with Customer’s account, or as otherwise specified in the DPA or the Agreement.
Activities relevant to the data transferred under these Clauses: The activities are specified in Section 2 of the DPA.
Signature and date: By using the Online Services or products the data exporter will be deemed to have signed this Annex I.
Role (controller/processor): Controller.
Data importer(s): 
Name: Ryan as identified in the DPA.
Address: The address for Ryan is specified in the Agreement.
Contact person’s name, position, and contact details: The contact details for Ryan are specified in the DPA or the Agreement.
Activities relevant to the data transferred under these Clauses: The activities are specified in Section 2 of the DPA.
Signature and date: By transferring Customer Personal Data to Third Countries on Customer’s instructions, the data importer will be deemed to have signed this Annex I.
Role (controller/processor): Processor 

B. Details of Data Processing

Categories of data subjects whose personal data is transferred:
The types of Customer Personal Data to be processed may include, but are not limited to: Data subjects relevant for the performance of the Online Services as set out in the Ryan Agreements including as may be set forth below:
  1. Prospects, customers, business partners, and vendors of Customer (who are natural persons)

  2. Employees or contact persons of Customer’s prospects, customers, business partners, and vendors

  3. Employees, agents, advisors, and freelancers of Customer (who are natural persons)
Categories of personal data transferred:
Personal data for the performance of the Online Services as set out in the Ryan Agreements may include:
  • Business contact information

  • IP Address and other automatically collected online data

  • Password/login information
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Ryan may Process Customer Personal Data, including “sensitive” or “special categories,” (but only in the category of health-related data if required for a particular Online Service) of Customer Personal Data as defined in the Applicable Data Privacy Laws such as necessary for Ryan to perform the contractual obligations under the Ryan Agreements.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):
Subject to the Agreement, Ryan will Process the Customer Personal Data continuously and until deletion of all Customer Personal Data as described in this DPA.
Nature of the processing:
The performance of the Online Services pursuant to the Agreement.
Purpose(s) of the data transfer and further processing:
Data Importer shall process the Customer Personal Data as necessary to perform the Online Services pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Subject to the terms of the Agreement and unless otherwise agreed in writing, Ryan shall process the Customer Personal Data for the duration of the Ryan Agreements.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing:
Same as above.
The identities of the sub-processors used in the provision of the Online Services and the subject matter which they process are listed here:
Sub-processors are used by Ryan as specified in the Ryan Agreements. Ryan shall maintain a list of Sub-processors used by Ryan to perform the Online Services. The list is set forth in Annex III.
In the case of specific authorizations of sub-processors, the identities of the sub-processors used in the provision of the Online Services, contact persons details, description of processing (including a clear delineation of responsibilities in case of several sub-processors), and the subject matter which they process are listed here:
N/A

SCHEDULE 2

ANNEX II to the Standard Contractual Clauses 

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Ryan, LLC (“Ryan,” “We,” “Us”) offers a wide variety of business tax solutions through its tax.com™ platform and operating division. This Annex II sets forth the baseline contours of the information security posture with respect to these solutions. Online Services obtained through an Order Form may include additional security measures as appropriate for the sensitivity of the data and nature of the engagement. The definitions set forth in the Agreement will have the same meaning in this Annex II, except or as otherwise defined herein. Nothing in this Annex II alters the obligations or rights under the Agreement concerning Customer Data.

Information Security Program

  • Information Security Program. We maintain an enterprise-wide information security program that utilizes documented policies, procedures, and standards to protect the confidentiality, integrity, and availability of information and data in electronic and tangible form. We designed the information security program based on ISO/IEC 27001 standards.

Organizational and Administrative Security /Risk Management

  • Information Security Policies. We maintain internal, documented, comprehensive information security policies, including incident response plans, data retention plans, and segregation of duties policies, and regularly review and update them. 
  • Employee Screening. Ryan ensures that all of its employees handling client data have undergone a background screening, to the extent permissible under local laws and regulations.
  • Awareness and Education Program. We provide security awareness and technology use training for employees, at hire and annually, including routine anti-phishing training. 
  • Vendor Management. We subject vendors authorized to perform services on Our behalf involving Our systems, data, or technology to (1) a risk assessment process, (2) obligations of confidentiality, and (3) restrictions on such vendor’s access to Personal Data consistent with Applicable Data Protection Laws and Our security requirements. We remain responsible for the compliance of its subcontractors with the terms of this Annex II.
  • Business Continuity/Disaster Recovery. We maintain and regularly test a business continuity and disaster recovery program designed to reduce the effects of a significant disruption in operations based on generally accepted industry practices.
  • Data Disposal. We maintain internal, documented, comprehensive data retention and disposal policies.
  • Risk Management. We regularly validate the effectiveness of security controls through a documented risk assessment program. We report results to senior management and take appropriate remediation efforts in response to identified risks.

Data Security

  • Authentication. We logically segregate Customer Data by application security group access rules. Customer accounts must utilize unique usernames and complex passwords and enter them at each login to Our resources.
  •  Passwords. We demand minimum password length, complexity, and expiration requirements, disabling features for failed login attempts, and rejection of previously used passwords.
  • Encryption at Rest. We encrypt Our employees’ laptop full disk drives using at least AES-256 for data encryption. We encrypt all non-public Customer Data in the hosted systems using at least AES-256 for data encryption.
  • Encryption in Transit. By default, Our web-accessible Online Services have Transport Layer Security (TLS) enabled to encrypt Your traffic. Our web application endpoints use TLS for secure transport.
  • Access.  We operate the Online Services in a multitenant architecture designed to segregate and restrict Your data access based on business needs. We assign access controls to Personal Data in our databases, systems, and environments on a need-to-know / least privilege necessary basis. We employ multi-factor authentication (MFA) controls or similar compensating controls to limit access.
  • Device Access. We limit network access to authorized devices only. We prohibit access to systems with Client Data from mobile devices.

Physical Security

  • Data Center. We host critical information systems and Our product platform in high-security data centers that meet SSAE18 and ISO 270001 standards. Data center security includes physical security measures designed to minimize disruption and prevent theft, tampering, and damage including:
      • 24×7 monitoring,
      • Cameras,
      • Visitor logs,
      • Entry requirements,
      • Climate control,
      • Fire detection systems, and
      • Dedicated cages for Ryan to separate our equipment from other tenants in the data center.
  • Facilities. We protect Our public workplace facilities using entry and authentication controls as technically and commercially feasible, such as visitor logs, automated badging access controls, color-coded badges with photo ID, keyed entries, alarmed access points, and security cameras. Additional restricted access requirements exist for Our computer systems’ rooms. We maintain a documented clear desk policy.
  • Equipment. We maintain procedures to securely dispose of equipment used to process and store Customer Data.

Availability Control

  • Connectivity. We maintain fully redundant IP network connections with multiple independent connections to a range of Tier 1 Internet access providers for Our data centers. 
  •  Power. Our servers possess redundant internal and external power supplies. Our data centers can draw power from multiple substations on the grid, backup generators, and backup batteries in the event of power failures. 
  •  Uptime. We continuously monitor uptime, with escalation to Our staff for any downtime. 
  • Backup Frequency. Our system backups occur at least daily to geographically disparate sites. 
  • Disaster Recovery. We establish system recovery times on a product-line basis, but at a minimum no later than 8 hours.

Network Security

  • Firewalls. We route network traffic through firewalls to restrict access to approved ports. 
  • Intrusion Prevention. We use Network and Host-based Intrusion Prevention systems (NIPS/HIPS).
  • End Point Controls. We protect its systems from malware/viruses utilizing enterprise-class endpoint control software.
  • E-mail Systems. We scan email using an enterprise-class email security gateway system.
  • Access Control. We protect workstations and laptops from unauthorized access via secure VPN and 2FA (two-factor authentication). We enforce role-based access control (RBAC) for systems management. Network devices are configured to prevent unauthorized updates via access controls and limit access to authorized individuals.
  • Logging and Auditing. We maintain security audit logs on our computing systems that process and store information that captures key security events including suspicious system and /or user behaviors.

Change Management and Application Control

  • Application Control. We maintain policies and procedures for managing changes and updates to production systems, applications, and databases, including processes for documenting security patching, authentication, and testing and approval of changes into production.
  • Key Management. We maintain a key management program that addresses the need to promptly revoke or disable lost, corrupted, or expired keys.
  • Coding Practices. We use logically or physically separate environments for development, testing, and production. Our developers undergo secure development training on best practices twice annually.
  • Secure Development. We employ a secure software development methodology that incorporates security throughout the systems development lifecycle in connection with the development and maintenance of its information systems. Minimally, applications have controls to protect against known vulnerabilities and threats, and secure coding standards are employed that comply with industry standards such as the Open Web Application Security Project (OWASP).

Vulnerability Management 

  •  Patching. We apply the latest security patches to all operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities. 
  • Third-Party Scans. We continuously scan Our environments using industry-leading security tools. These tools provide configured network vulnerability assessments, which test for patch status and basic misconfigurations of systems and sites. 
  • Penetration Testing. We perform penetration tests of Ryan applications using qualified independent third parties; Our hosting service providers perform penetration tests on their own infrastructure.
  • Program. We maintain a Vulnerability Management program in which risk analyses are performed for critical systems and requirements exist for prompt response to critical incidents.

Security Incident Management

  • Security Incident Management Process. Our controls include a Chief Information Security Officer (CISO) tasked with maintaining a comprehensive information security program built on a multi-layered, defense-in-depth approach to security. We maintain an internal, documented, comprehensive information security incident management process in place based on an incident framework that includes key elements (e.g., identification, response, recovery, and post-incident review) to be followed in the event of a Security Incident.

SCHEDULE 3

ANNEX III to the Standard Contractual Clauses 

SUB-PROCESSORS

I. SUB-PROCESSOR LIST

The following table identifies the sub-processors currently authorized by Ryan, LLC, its Affiliates, and its tax.com operating division to process Customer Personal Data for Our Online Services. This list is also available at Our online Trust Center: tax.com/trust-center/subprocessors/.

Name
Description
Location
Microsoft Azure
Cloud computing and storage; platform services
U.S., Canada, E.U
AWS
Cloud computing and storage
U.S.
Cloudera
Cloud Database Management
U.S.
Alteryx
Analytics Automation Platform
U.S.
Amplitude
Product Analytics
U.S.
Automation Anywhere
AI Data Analytics
U.S.
ExaVault, Inc.
Cloud file transfer (FTP) services
(PinPoint, FilePoint, ControlPoint, RatePoint)
LOB, Inc.
Digital Mailroom Management (TrackerPro)
U.S.
Mailgun
Direct Email
(PinPoint, FilePoint, ControlPoint, RatePoint)
U.S.
Twilio
A2P
(Owner Claims Portal)
U.S.

II. SUBSCRIPTION TO SUB-PROCESSOR UPDATES AND RIGHT TO OBJECT

Please refer to the Sub-Processor section of the DPA above.