Pantheon Client Legal Center

Client Data Processing Agreement

• Employees, agents, advisors, contractors, and freelancers of Customer, who are natural persons.
• Customers, business partners, Customers and subcontractors of Customer, who are natural persons.
• Employees or contact persons of Customer’s customers, business partners, Customers and subcontractors.

• Name (first, last, middle, nickname etc.)
• Contact information (email, phone, physical address)
  
• [INCLUDE ADDITIONAL CATEGORIES OF DATA PROCESSED]

1. Customer and Pantheon Systems, Inc. (“Pantheon”) executed a Data Processing Agreement (“DPA”) on [date signed]
2. In accordance with Section 1798.140(w)(2)(B) of the California Consumer Privacy Act (“CCPA”), Service Provider certifies that it will comply with the terms and conditions of this DPA. Service Provider specifically represents and warrants that:
   1. It will retain, use, and disclose Customer Data in the manner permitted by the DPA, Agreement, and Data Protection Laws and Regulations and
   2. It is prohibited from selling Customer’s Personal Information and will refrain from taking any action that would cause a transfer of Customer’s Personal Information to qualify as a “sale” of personal information under the CCPA.

________________________________

“Customer” or “SERVICE PROVIDER”

• Employees, agents, advisors, contractors, and freelancers of Customer, who are natural persons.
• Customers, business partners, Customers and subcontractors of Customer, who are natural persons.
• Employees or contact persons of Customer’s customers, business partners, Customers and subcontractors.

• Name (first, last, middle, nickname etc.)
• Contact information (email, phone, physical address)
• [INCLUDE ADDITIONAL CATEGORIES OF DATA PROCESSED]

1. Information Security Management. Pantheon has a dedicated information security team consisting of a Director of Information Security, a team of Security Engineers responsible for the management of information security throughout the organization, and cross-functional executive leadership responsible for maintaining security and compliance throughout the organization. Pantheon’s Information Security Compliance Committee (ISCC) meets at least quarterly to review changes in the requirements for information security arising from changes in law, contractual requirements and the underlying business at Pantheon. The ISCC reviews and makes any necessary corresponding adjustments to policies, governance and program administration at least annually. Pantheon has further developed a body of written policies to establish a common understanding of rules and procedures governing the development, deployment, operation and management of the Pantheon WebOps offering to its customers.
2. Business Continuity and Backups. Pantheon applies a consistent unified framework for the adoption, documentation and maintenance of business continuity plans. Pantheon’s business continuity plans are designed to address priorities for testing and maintenance of Pantheon’s business and information security requirements. Business continuity procedures are reviewed by the ISCC for potential or identified threats and tested annually with any findings assigned to information security professionals responsible for implementing additional safeguards. Regarding Pantheon’s provision of services to Data Controller, website data in Pantheon systems is backed up daily to Pantheon’s subprocessor and encrypted at rest. These backups are available to Data Controller for download, export or self-service rollback and recovery. Pantheon further applies regular database backups for production web development services backup data. Secondary sites are kept in a warm stated, ready to be failed over to, as configured by Data Controller. Pantheon performs a test restore of backup data on an annual basis to validate the business continuity program.
3. Access Controls. Pantheon applies measures designed to provide access to systems and data to only those individuals who have a specific authorized purpose for such use and with specific controls that protect personal data from being read, copied, modified or removed without authorization during processing or use and after storage to the extent required under the applicable customer agreement(s):
   1. Platform Access Controls. Pantheon will encrypt Data Controller Personal Data not intended for public or unauthenticated viewing when transferring Data Controller Personal Data over public networks. Pantheon will make available to Data Controller such tools as may be necessary and available to Pantheon to support further application of cryptographic protocol, such as TLS or SSH, for the secure transfer of Data Controller Personal Data to and from the Services over public networks. Pantheon applies standard encryption technologies to protect Data Controller data both at rest and in transit where appropriate. Pantheon establishes sessions to the Pantheon web servers utilizing Hypertext Transfer Protocol Secure (HTTPS) and automates adding and renewing Transport Layer Security (TLS) certificates for custom domains added to customer websites. Pantheon users authenticate to production servers over secure shell (SSH) encryption protocol using a uniquely assigned SSH key-pair in which the private key is enabled only with the internal user’s unique username and SSH key stored in a hardware token. Pantheon will monitor use of privileged access and maintain security information an event management measures designed to i) identify unauthorized access and activity, ii) facilitate an appropriate response, and iii) to enable internal and independent third-party audits of compliance with documented Pantheon Risk Management and Information Security policy. Logs, in which privileged access and activity are recorded, will be retained in compliance with Pantheon’s records retention standards. Pantheon will maintain measures designed to protect against unauthorized access, modification and accidental or deliberate destruction of such logs.
   2. Systems Access Controls. In respect of any systems used to access Pantheon platform information containing Data Controller data, this paragraph shall apply. Access to system information is protected by multiple authentication and authorization mechanisms. Pantheon leverages SAML to manage access to corporate resources. Pantheon’s vulnerability assessment consists of scanning server resources, identifying vulnerabilities, assessment of the vulnerabilities, and remediation. Vulnerability scans are performed periodically. To the extent supported by native device or operating system functionality, Data Processor will maintain computing protections for systems containing Data Controller Personal Data and all end-user systems that include, but may not be limited to, endpoint firewalls, full disk encryption, signature-based antivirus and malware detection and removal that shall i) be regularly updated by central infrastructure and ii) logged to a central location, time based screen locks, and endpoint management solutions that enforce security configuration and patching requirements. In accordance with Pantheon’s IT policies, all computers must either have antivirus software installed or alternative means to validate system integrity. Updates are pushed automatically and managed by the IT department.
   3. Physical Security. The platform environment is administered remotely and all access must be performed through connections secured by strong authentication with applicable subprocessors (cf., Platform Access Controls above). Accordingly, Pantheon’s subprocessors are required to maintain physical security at data center locations related to the services Pantheon provides to Data Controller. In lieu of any Data Processor or Data Controller audit access, each subprocessor provides industry standard reports which Pantheon will reasonably demand and assist Data Controller is gathering upon request. At a minimum, such physical access controls at all Pantheon and subprocessor locations shall consist of physical entry controls, such as barriers, card or digitally controlled entry points, surveillance cameras, and added security during non-working hours, to protect against unauthorized entry.