Midpage AI Data Processing Addendum
Effective April 28, 2026
This Data Processing Addendum (“DPA”) supplements the Midpage AI Enterprise Terms, Midpage AI Website Terms of Service, Content License Agreement, or other agreement between Customer and Midpage AI Inc. (“Midpage”) governing Customer’s use of Midpage’s Services (the “Agreement”). Where the Agreement is a Content License Agreement, references to “Customer” in this DPA shall be read as references to “Licensee” as defined therein, and references to “Authorized Users” shall be read as references to “Authorized Users” as defined therein. Where the Agreement is the Website Terms of Service, references to “Customer” shall be read as references to “Subscriber” or “you,” as those terms are defined in the Website Terms of Service, and references to an “Order Form” shall be read as references to the subscription plan and seat count selected by you through the Midpage website sign-up flow.
- Scope and Term
- Roles of the Parties. For the purposes of the Agreement, the Parties agree that:
- Customer is either a Controller of Customer Data, or a Processor of Customer Data acting on another Controller’s behalf (e.g. Customer’s Affiliate) while passing down relevant processing instructions to Midpage. Processing details are stated in Schedule 1 (Description of Processing).
- Midpage is a Processor (or respectively, a Sub-processor) of Customer Data. Processing details are stated in Schedule 1 (Description of Processing). Midpage will notify Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate Applicable Data Protection Law, in which case Midpage may suspend the instruction until Customer modifies it, confirms its legality or withdraws it.
- Term of the DPA. The term of this DPA coincides with the term of the Agreement and terminates upon expiration or earlier termination of the Agreement (or, if later, the date on which Midpage ceases all Processing of Customer Personal Data).
- Order of Precedence. If there is any conflict or inconsistency among the following documents, the order of precedence from highest to lowest will be: (1) the applicable terms stated in Schedule 2 (Region-Specific Terms including any transfer provisions); (2) Schedule 1 (Description of Processing); (3) the main body of this DPA; and (4) the Agreement.
- Related-Party Claims. Any claim arising out of or related to this DPA may only be brought by the Customer entity that is a party to the Agreement. For the avoidance of doubt, Customer’s Affiliates that are not signatories to the Agreement may not independently assert claims against Midpage under this DPA, except to the extent required by Applicable Data Protection Law.
- Processing of Personal Data
- Customer Instructions
- This DPA, the Agreement including incorporated documents, and Customer’s use of the Services (including relevant configurations and settings) constitute Customer’s documented instructions regarding Midpage’s Processing of Customer Data (“Documented Instructions”).
- Midpage must Process Customer Data solely in accordance with the Documented Instructions, as further stated in Schedule 1 (Description of Processing). Customer:
- must ensure its Documented Instructions comply with Applicable Data Protection Law. Midpage is not responsible for monitoring Customer’s compliance with Applicable Data Protection Law; and
- is responsible for determining whether the Services are appropriate for the Processing of Customer Data under Applicable Data Protection Law.
- Confidentiality. Midpage must treat Customer Personal Data as Customer’s Confidential Information under the Agreement. Midpage must ensure personnel authorized to Process Personal Data are bound by written or statutory obligations of confidentiality.
- Security
- Security Measures. Midpage has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity and availability of Customer Data and protect against Security Incidents. Customer is responsible for configuring the Services and using features and functionalities made available by Midpage to maintain appropriate security in light of the nature of Customer Data. Midpage’s current technical and organizational measures are described in Schedule 3 (Security Measures). Customer acknowledges that the Security Measures are subject to technical progress and development and that Midpage may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Services during a Subscription Term.
- Security Incidents. Midpage must notify Customer without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a Security Incident. Midpage must make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within Midpage’s reasonable control. Upon Customer’s request and taking into account the nature of the Processing and the information available to Midpage, Midpage must assist Customer by providing information reasonably necessary for Customer to meet its Security Incident notification obligations under Applicable Data Protection Law. Midpage’s notification of a Security Incident is not an acknowledgment by Midpage of its fault or liability.
- Sub-processing
- General Authorization. By entering into this DPA, Customer provides general authorization for Midpage to engage Sub-processors to Process Customer Personal Data. Midpage must: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect Customer Personal Data to the standard required by Applicable Data Protection Law and to the same or substantively similar standard provided by this DPA; and (ii) remain liable to Customer if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant Processing activities under the Agreement.
- Notice of New Sub-processors. Midpage maintains a list of its Sub-processors at https://www.midpage.ai/subprocessors. Midpage will provide reasonable advance notice (via updates to such list or email notification) before allowing any new Sub-processor to Process Customer Personal Data.
- Objection to New Sub-processors. If Customer has a reasonable, good-faith objection to a new Sub-processor based on legitimate data protection concerns, Customer may notify Midpage in writing. The parties will discuss the objection in good faith. If the parties are unable to resolve the objection within ninety (90) days, Customer may, as its sole and exclusive remedy, terminate the Agreement (or, where the Agreement is a Subscription under the Website Terms of Service, cancel the applicable Subscription) upon written notice and receive a pro rata refund of any prepaid, unused Fees.
- AI Training Restriction. Midpage shall not, and shall require that its Sub-processors do not, use Customer Data to train or fine-tune any generalized machine learning or artificial intelligence model, whether offered by Midpage, any Sub-processor, or any third party.
- Assistance and Cooperation Obligations
- Data Subject Rights. To the extent that Customer is unable to independently access Customer Personal Data from within the Services and to the extent such information is known to Midpage, and taking into account the nature of the Processing, Midpage shall provide reasonable and timely assistance to enable Customer to respond to requests for exercising a data subject’s rights (including rights of access, rectification, erasure, restriction, objection, and data portability) in respect to Customer Personal Data. If Midpage receives a request directly, and is not otherwise obligated to respond, Midpage shall not respond to such communication without Customer’s prior authorization, except to acknowledge receipt of the request and to attempt to redirect the requester to contact Customer directly.
- Cooperation Obligations. Upon Customer’s reasonable request, and taking into account the nature of the Processing, Midpage will provide reasonable assistance to Customer in fulfilling Customer’s obligations under Applicable Data Protection Law (including data protection impact assessments and consultations with regulatory authorities), provided that Customer cannot reasonably fulfill such obligations independently with help of available documentation.
- Third Party Requests. Unless prohibited by law, Midpage will promptly notify Customer of any valid, enforceable subpoena, warrant, or court order from law enforcement or public authorities compelling Midpage to disclose Customer Personal Data to allow Customer to seek a protective order or other appropriate remedy. In the event that Midpage receives an inquiry or a request for information from any other third party (such as a supervisory authority or data subject) concerning the Processing of Customer Personal Data, Midpage shall attempt to redirect such inquiries to Customer, and will not provide any information unless required to do so under applicable law. For the avoidance of doubt, nothing in this DPA shall be interpreted to require Midpage to pursue action or inaction that could result in a civil or criminal penalty for Midpage, including without limitation a contempt of court.
- Deletion and Return of Customer Personal Data
- During Subscription Term. During the term of the Agreement, Customer may, through available features of the Services or applicable APIs, or by written request to legal@midpage.ai, access, retrieve or delete Customer Personal Data.
- Post Termination. Following expiration or termination of the Agreement, Midpage will delete all Customer Data from its active systems within sixty (60) days. Notwithstanding the foregoing, Midpage may retain Customer Data (i) as required by Applicable Data Protection Law or (ii) in electronically stored copies maintained in accordance with its standard backup or record retention policies, provided that, in either case, (a) Midpage will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Customer Data; (b) Midpage will not further Process such retained Customer Data except as required by Applicable Data Protection Law; and (c) Midpage will delete such retained Customer Data from backup systems in accordance with its standard data retention and deletion practices, as soon as reasonably practicable. For the avoidance of doubt, this Section 6.2 governs Customer Data only and, where the Agreement is a Content License Agreement, does not modify any obligations regarding Licensed Content or Licensed Technology set forth in the Agreement.
- Audit
- Audit Reports. Midpage maintains an ongoing program of independent third-party audits conducted no less than annually. Upon written request from a Customer that has executed an Enterprise Agreement or Content License Agreement with Midpage, and subject to such Customer’s execution of a mutually acceptable non-disclosure agreement, Midpage will supply a copy of its most recent relevant audit report (or, at Midpage’s discretion, a summary sufficient to enable Customer to verify Midpage’s compliance with the applicable audit standards and this DPA). For all other Customers, Midpage will, upon written request and subject to a mutually acceptable non-disclosure agreement, make available a summary of its then-current security and compliance posture sufficient to enable Customer to verify Midpage’s compliance with this DPA. If the materials provided under this Section 7.1 do not reasonably address Customer’s compliance concern, Customer may submit specific written questions related to Midpage’s Processing of Customer Personal Data, and Midpage will provide written responses on a confidential basis within a reasonable timeframe. Customer may exercise its rights under this Section no more than once in any twelve (12) month period.
- On-site Audits. Where required by Applicable Data Protection Law or a binding instruction from a regulatory authority with jurisdiction over Customer, and only to the extent Customer cannot reasonably satisfy Midpage’s compliance with this DPA through the exercise of its rights under Section 7.1, Customer, or its authorized representatives, may, at Customer’s expense, conduct an audit (including inspection) during the term of the Agreement to assess Midpage’s compliance with the terms of this DPA. Any audit must (i) be conducted during Midpage’s regular business hours, with reasonable advance written notice of at least sixty (60) calendar days (unless Applicable Data Protection Law or a regulatory authority requires a shorter notice period); (ii) be subject to reasonable confidentiality controls obligating Customer (and its authorized representatives) to keep confidential any information disclosed that, by its nature, should be confidential; (iii) be conducted by an independent, mutually agreed third-party auditor that is not a competitor of Midpage; (iv) occur no more than once every twelve (12) months; (v) restrict its findings to only information relevant to Customer's Personal Data and Midpage’s compliance with this DPA, and shall not extend to source code, other customers’ data, or competitively sensitive operational information; and (vi) be conducted pursuant to an audit plan agreed in advance with Midpage. Customer shall provide Midpage with a copy of any audit report promptly upon completion, and such reports shall be Midpage’s Confidential Information.
- International Provisions
To the extent Midpage Processes Personal Data protected by Applicable Data Protection Laws in one of the regions listed in Schedule 2 (Region-Specific Terms), the terms specified for the applicable regions will also apply, including the provisions relevant for international transfers of Personal Data (directly or via onward transfer).
- Definitions
- “Applicable Data Protection Law” means all Laws applicable to the Processing of Personal Data under the Agreement.
- “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- “Customer Data” means all data that Customer (or its Authorized Users) provides, submits, or makes accessible to Midpage in connection with the Services or, where the Agreement is a Content License Agreement, Licensed Content and Licensed Technology (as applicable), including any inputs, queries, or instructions, and any responses or outputs generated by Midpage’s systems in response thereto. For the avoidance of doubt, where the Agreement is a Content License Agreement, Customer Data does not include the Licensed Content itself.
- “Customer Personal Data” means Personal Data contained in Customer Data, including any Personal Data provided in connection with account management, technical support, or use of Midpage’s systems.
- “Documentation” means the documentation and technical specifications made generally available by Midpage at https://docs.midpage.ai (or such successor URL), as updated by Midpage from time to time.
- “Personal Data” means information about an identified or identifiable natural person, or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Applicable Data Protection Law.
- “Processing” (and “Process” and “Processed”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Processor” means the entity which Processes Personal Data on behalf of the Controller.
- “Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data Processed by Midpage and/or its Sub-processors, and for the purposes of this definition, “Processing” includes Personal Data and Customer Data.
- “Sub-processor” means any third party engaged by Midpage to Process Customer Personal Data.
Schedule 1: Description of Processing
- Categories of data subjects whose Personal Data is Processed:
Customer has the sole discretion to determine and control the categories of data subjects whose Personal Data is transmitted in connection with the Services and, accordingly, Customer shall not transmit or otherwise make available to Midpage any Personal Data to the extent Customer does not have the consent to make such Customer Personal Data available to Midpage, unless such information is anonymized in accordance with the requirements of relevant Applicable Data Protection Law. In the case of a Content License Agreement, data subjects may also include Authorized Users of the Licensee Service and individuals whose Personal Data is contained in queries submitted through the Integration.
- Types of Personal Data Processed:
Limited to only those types of Personal Data necessary, but may include names, addresses, emails, phone numbers and other identifiable information. Customer has the sole discretion to determine and control the types of Personal Data transmitted to Midpage.
- Duration and frequency of the transfer:
Continuous during performance of the Services.
- Nature of the Processing:
Midpage will Process Personal Data in order to provide the Services in accordance with the Agreement, including this DPA.
- Purpose(s) of the Processing:
- Customer Data. Midpage will Process Customer Data as a Processor in accordance with Customer’s Documented Instructions to:
- Provide, maintain, and improve the Services, and enable the use of various features and functionalities in accordance with the Documentation and as directed by Authorized Users, including investigating Security Incidents, and resolving issues, bugs and errors;
- Provide and maintain access to Licensed Content and Licensed Technology through applicable APIs and integrations, in accordance with the Agreement;
- enforce obligations under applicable legal agreements; and
- comply with Midpage’s legal obligations.
- Controller Activities. Midpage is a Controller of Personal Data as specified in Midpage’s Privacy Policy. This DPA does not limit or prohibit Midpage from acting in that capacity.
- Duration of Processing:
Midpage will Process Customer Personal Data for the term of the Agreement as outlined in Section 6 (Deletion and Return of Customer Personal Data).
- Transfers to Sub-processors:
Midpage will transfer Customer Personal Data to Sub-processors as permitted in Section 4 (Sub-processing).
Schedule 2: Region-Specific Terms
Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this Schedule will have the meanings given to them in this Schedule.
- Europe, United Kingdom and Switzerland
- Customer Instructions. In addition to Section 2.1 (Customer Instructions), and Schedule 1 (Description of Processing) of the DPA above, Midpage will Process Customer Personal Data only on Documented Instructions from Customer, including with regard to transfers of such Customer Personal Data to a third country or an international organisation, unless required to do so by Applicable Data Protection Law to which Midpage is subject; in such a case, Midpage shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Midpage will promptly inform Customer if it becomes aware that Customer’s Processing instructions infringe Applicable Data Protection Law.
- European Transfers. Where Personal Data protected by the EU Data Protection Law is transferred, either directly or via onward transfer, to a country outside of Europe that is not subject to an adequacy decision, the following applies:
- The EU SCCs are hereby incorporated into this DPA by reference as follows:
- Customer is the “data exporter” and Midpage is the “data importer.”
- Module Two (Controller to Processor) applies where Customer is a Controller of Customer Personal Data and Midpage is Processing Customer Personal Data as a Processor.
- Module Three (Processor to Processor) applies where Customer is a Processor of Customer Personal Data and Midpage is Processing Customer Personal Data as another Processor.
- By entering into this DPA, each party is deemed to have signed the EU SCCs as of the commencement date of the Agreement.
- For each Module, where applicable:
- In Clause 7, the optional docking clause does not apply.
- In Clause 9, Option 2 applies, and the time period for prior notice of Sub-processor changes is stated in Section 4 (Sub-processing) of this DPA.
- In Clause 11, the optional language does not apply.
- In Clause 17, Option 1 applies, and the EU SCCs are governed by Irish law.
- In Clause 18(b), disputes will be resolved before the courts of Ireland.
- The Appendix of EU SCCs is populated as follows:
- The information required for Annex I(A) is located in the Agreement.
- The information required for Annex I(B) is located in Schedule 1 (Description of Processing) of this DPA.
- The competent supervisory authority in Annex I(C) will be determined in accordance with the Applicable Data Protection Law; and
- The information required for Annex II is located in Schedule 3 (Technical and Organizational Security Measures).
- Swiss Transfers. Where Personal Data protected by Swiss Data Protection Law is transferred, either directly or via onward transfer, to any other country that is not subject to an adequacy decision, the EU SCCs apply as stated in Section 1.2 (European Transfers) above with the following modifications:
- All references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to Swiss Data Protection Law, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of Swiss Data Protection Law; all references to the EU Data Protection Law in this DPA will be interpreted as references to Swiss Data Protection Law.
- In Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
- In Clause 17, the EU SCCs are governed by the laws of Switzerland.
- In Clause 18(b), disputes will be resolved before the courts of Switzerland.
- All references to Member State will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c).
- United Kingdom Transfers. Where Personal Data protected by the UK Data Protection Law is transferred, either directly or via onward transfer, to a country outside of the United Kingdom that is not subject to an adequacy decision, the following applies:
- The EU SCCs apply as set forth in Section 1.2 (European Transfers) above with the following modifications:
- Each party shall be deemed to have signed the UK Addendum.
- For Table 1 of the UK Addendum, the parties’ key contact information is located in the Agreement.
- For Table 2 of the UK Addendum, the relevant information about the version of the EU SCCs, modules, and selected clauses which this UK Addendum is appended to is located above in Section 1.2 (European Transfers) of this Schedule.
- For Table 3 of the UK Addendum:
- The information required for Annex 1A is located in the Agreement.
- The information required for Annex 1B is located in Schedule 1 (Description of Processing) of this DPA.
- The information required for Annex II is located here.
- The information required for Annex III is located in Section 4 (Sub-processing) of this DPA.
- United States of America
The following terms apply where Midpage Processes Personal Data subject to the US State Privacy Laws:
- To the extent Customer Personal Data includes personal information protected under US State Privacy Laws that Midpage Processes as a Service Provider or Processor, on behalf of Customer, Midpage will Process such Customer Personal Data in accordance with the US State Privacy Laws, including by complying with applicable sections of the US State Privacy Laws and providing the same level of privacy protection as required by US State Privacy Laws, and in accordance with Customer's Documented Instructions, as necessary for the limited and specified purposes identified in Schedule 1 (Description of Processing). Midpage will not:
- retain, use, disclose or otherwise Process such Customer Personal Data for a commercial purpose other than for the limited and specified purposes identified in this DPA, the Agreement, or as otherwise permitted under US State Privacy Laws;
- “sell” or “share” such Customer Personal Data within the meaning of the US State Privacy Laws; and
- retain, use, disclose or otherwise Process such Customer Personal Data outside the direct business relationship with Customer and not combine such Customer Personal Data with personal information that it receives from other sources, except as permitted under US State Privacy Laws.
- Midpage must inform Customer if it determines that it can no longer meet its obligations under US State Privacy Laws.
- Customer may take reasonable and appropriate steps to stop and remediate any unauthorized Processing of Customer Personal Data.
- To the extent Customer discloses or otherwise makes available Deidentified Data to Midpage or to the extent Midpage creates Deidentified Data from Customer Personal Data, in each case in its capacity as a Service Provider, Midpage will:
- adopt reasonable measures to prevent such Deidentified Data from being used to infer information about, or otherwise being linked to, a particular natural person or household;
- publicly commit to maintain and use such Deidentified Data in a de-identified form and to not attempt to re-identify the Deidentified Data, except that Midpage may attempt to re-identify such data solely for the purpose of determining whether its de-identification processes are compliant with the US State Privacy Laws; and
- before sharing Deidentified Data with any other party, including Sub-processors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this Section 2.4 (including imposing this requirement on any further Recipients).
- Definitions
- “Deidentified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, a data subject.
- “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework self-certification program operated by the US Department of Commerce.
- “Europe” includes, for the purposes of this DPA, the Member States of the European Union and European Economic Area.
- “EU Data Protection Law” includes (i) the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation, or GDPR) and (ii) the EU e-Privacy Directive (Directive 2002/58/EC) as amended, superseded or replaced from time to time.
- “EU SCCs” means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, superseded, or replaced from time to time.
- “Service Provider” has the same meaning as given in the CCPA.
- “Swiss Data Protection Law” means the Swiss Federal Act on Data Protection and its implementing regulations as amended, superseded, or replaced from time to time.
- “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, as amended, superseded or replaced from time to time.
- “UK Data Protection Law” means the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 as amended, superseded or replaced from time to time.
- “US State Privacy Laws” means all applicable state laws relating to the protection and Processing of Personal Data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”).
Schedule 3: Security Measures
Midpage maintains administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Customer Data in connection with the Services, including, at a minimum, the following measures:
- Data Security
- Encryption of Customer Data at rest (AES-256) and in transit (TLS 1.2 or higher) using industry-standard cryptographic algorithms.
- Security monitoring on all production systems, including activity logging, file integrity monitoring, vulnerability scanning, and malware detection.
- Use of secure cloud infrastructure with measures for redundancy and disaster recovery.
- Access Controls
- Role-based access controls limiting system access to authorized personnel.
- Multi-factor authentication for access to production systems and environments containing Customer Data.
- Access permissions reviewed no less than bi-annually and updated to reflect changes in roles or employment status.
- Data Deletion and Disposal
- Secure deletion methods designed to prevent data recovery upon Customer request or in accordance with Section 6 of the DPA.
- Cryptographic erasure or overwrite of storage media prior to decommissioning or reuse.
- Personnel Security
- Background checks on personnel with access to Customer Data, to the extent permitted by applicable law.
- Security awareness training for all employees upon onboarding and no less than annually thereafter.
- Written confidentiality obligations binding all personnel authorized to Process Customer Data.
- Incident Response
- An incident response plan to identify, contain, and resolve Security Incidents.
- Clear internal escalation and communication procedures for Security Incident reporting.
- Post-incident review process, with the incident response plan reviewed and updated no less than annually.
- Vendor and Subprocessor Security
- Security assessments of subprocessors prior to engagement and periodically thereafter.
- Contractual obligations requiring subprocessors to maintain security measures no less protective than those described in this Schedule 3.
Midpage maintains an independent third-party SOC 2 Type II audit on at least an annual basis. Copies of the most recent audit report are available to Customer upon request.