Data Processing Agreement

APPENDIX

ANNEX I

  • A. LIST OF PARTIES

Data exporter(s):

  1. Name: Jugo Digital Ltd.

Address: 55 Water St, Manhattan, New York, 10038

Contact: Data Privacy Officer, privacy@jugo.io

Activities relevant to the data transferred under these Clauses: Transferring personal data for the provision of the services as described in the written agreement between Jugo and the Customer identified in the Order.

Signature and date: Please refer to the applicable Order.

Role (controller/processor): Processor

 

Data importer(s):

  1. Name: Please refer to the applicable Order.

Address: Please refer to the applicable Order

Contact person’s name, position and contact details: Please refer to the applicable Order.

Activities relevant to the data transferred under these Clauses: Processing personal data to enable and facilitate the provision of the services detailed and in accordance with the applicable Order.

Signature and date: Please refer to the applicable Order.

Role (controller/processor): Controller

 

  • B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Users of Jugo’s online services pursuant to the services agreement between Jugo and the applicable customer identified therein.

Categories of personal data transferred

Name, email, IP address, and other information transferred by the Customer or its users.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous

Nature of the processing

Processing, storing, visualizing, monioring, and analyzing data.

Purpose(s) of the data transfer and further processing

To facilitate the provision of the services in accordance with the agreement between Jugo and customer.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Ninety days after termination or expiration of the agreement with Customer.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

To facilitate the provision of the services in accordance with the agreement between Jugo and customer.

 

  • C. COMPETENT SUPERVISORY AUTHORITY

 Identify the competent supervisory authority/ies in accordance with Clause 13

 

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

At Jugo, we are committed to protecting the confidentiality, integrity and availability of our information systems and our customers data. We are continually improving our security controls and analyzing their effectiveness to give you confidence in our solution.

Below is an overview of our security controls in place to protect your data.

Data Center Physical Security

Facilities

Jugo leverages infrastructure from Amazon AWS for data center hosting. Our provider data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, and or SOC 1 and 2 compliant.

Our providers employ robust controls to secure the availability and security of their systems. This includes measures such as backup power, fire detection and suppression equipment, secure device destruction amongst others. Learn more about Data Center Controls at AWS.

On-Site Security

AWS implements layered physical security controls to ensure on-site security including, vetted security guards, fencing, video monitoring, intrusion detection technology and more. Learn more about AWS Physical Security.

Network Security

In-house Security Team. Jugo has an in-house team of dedicated and knowledgeable information security professionals across the globe to respond to security alerts and events.

Third-Party Penetration Tests. Third-party penetration tests are conducted against the application and supporting infrastructure periodically, and any resulting findings are tracked to remediation.

Threat Detection. Jugo utilizes threat detection services within AWS to continuously monitor for malicious and unauthorised activity.

Vulnerability Scanning. We perform regular internal scans for vulnerability scanning of infrastructure. Where issues are identified these are tracked until remediation.

Access Control.  Access is limited to least privilege model required for our staff to carry out their jobs. This is subject to frequency internal audit and technical enforcement and monitoring to ensure compliance. 2FA is required for all production systems.

Encryption.  Communication with Jugo is encrypted with TLS 1.2 or higher over public networks. We monitor community testing & research in this area and continue to adopt best practices in terms of Cipher adoption and TLS configuration. Further, Jugo data is encrypted at rest with industry standard AES-256 encryption.

Personnel Security. We deliver robust security awareness training for all new hires and annually for all employees. We also perform a background check on all key employees prior to employment in accordance with industry best practices and applicable law. All employees are required to sign Non-Disclosure and Confidentiality agreements.

Access Controls. Access to systems and network devices is based upon a documented, approved request process. Logical access to platform servers and management systems requires two-factor authentication. A periodic verification is performed to determine that the owner of a user ID is still employed and assigned to the appropriate role. Access is further restricted by system permissions using a least privilege methodology and all permissions require documented business need. Exceptions identified during the verification process are remediated.

PCI-DSS. As a card not present merchant, Jugo outsources our cardholder functions to a PCI-DSS Level 1 service provider.

Vendor Management. We understand the risks associated with improper vendor management. We evaluate and perform due diligence on all of our vendors prior to engagement to ensure their security is to a suitable standard. If they do not meet our requirements, we do not move forward with them. Selected vendors are then monitored and reassessed on an ongoing basis, taking into account relevant changes.

Third-Party Sub Processors. We use third-party sub processors to provide core infrastructure and services which support our services.

Jugo Digital Ltd.
Entity Name Entity Type/Purpose Entity Country
Amazon Web Services Provides instances of the ChurnZero application USA, Ireland (depending on where Customer decides to host its ChurnZero data)
Datadog Server / Platform monitoring as well as log ingestion USA
Loggly Provides centralized Logging USA
SendGrid Provides SMTP services USA