Client Global Data Processing Addendum
Last updated October 1, 2025
This Data Processing Addendum (this “Addendum”) forms part of the Thryv Terms and Conditions, Thryv Enterprise Terms and Conditions, or Sync Terms and Conditions, as applicable, for the purchase of online services from Provider (as may be amended from time to time, the “Agreement”). This Addendum will apply to Provider’s Processing of Company Personal Data—but, only to the extent that Data Protection Laws apply to the Processing of Company Personal Data. This Addendum will be effective until such time as Provider is no longer Processing Company Personal Data.
- Definitions
“AUS Privacy Act” shall mean the Privacy Act 1988 (Cth) of Australia, and the Australian Privacy Principles set forth therein.
“CCPA” means the California Consumer Privacy Act of 2018, as amended and superseded from time to time, including by the California Privacy Rights Act of 2020, and the regulations promulgated thereunder.
“Company” shall mean the individual or business receiving services from Provider.
“Company Personal Data” shall have the meaning set forth in Section 2.
“Controller,” “Processor,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Processing,” “Sell” and “Share” each have the meaning set forth under applicable Data Protection Laws (including equivalent terms).
“Data Protection Authority” shall have the meaning set forth in Section 11.
“Data Protection Laws” means all applicable state/regional, national, and international laws, orders, regulations, and regulatory guidance now or in the future relating to information security, privacy and data protection including without limitation, the CCPA and similar US state privacy laws and regulations in Colorado, Connecticut, Delaware, Iowa, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia, and other similar US state privacy laws as they take effect.
“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such Personal Data.
“Model Clauses” means: (a) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); (b) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022 (“UK SCCs”); and (c) where the Swiss Data Protection Act applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”), each as may be updated from time to time.
“NZ Privacy Law” means the New Zealand Privacy Act 2020 and any rules, regulations or codes that are created pursuant to that Act.
“Personnel” shall have the meaning set forth in Section 6.
“Provider” means the Contracting Party as stated in the Agreement.
“Provider Confidential Information” shall have the meaning set forth in Section 13.
“ROPA” shall have the meaning set forth in Section 12.
“Services” means the services to be provided by Provider for the benefit of Company that are specified in the Agreement.
“Specific Business Purpose” shall have the meaning set forth in Section 3.
“Sub-processor” means a third-party subcontractor engaged by Provider which, as part of Provider’s role of delivering the Services, will Process Company Personal Data.
“US State Privacy Laws” means applicable state laws, orders, regulations, and regulatory guidance now or in the future relating to information security, privacy and data protection including without limitation: (a) the CCPA; (b) Virginia’s Consumer Data Protection Act; (c) the Colorado Privacy Act; (d) Connecticut’s Act Concerning Data Privacy and Online Monitoring; (e) the Utah Consumer Privacy Act; and (f) all implementing regulations of the foregoing.
- Provider’s Obligations. Provider acknowledges that in the course of performing the Services, it may Process Personal Data for Company or on its behalf (“Company Personal Data”). Provider represents and warrants to Company continuously throughout the term of the Agreement that it will: (a) only Process Company Personal Data in accordance with the instructions provided by Company, for the purposes set out in the Agreement and only to the extent necessary to perform the Services and its obligations hereunder, (b) comply with the restrictions set out in Section 4 below, (c) not copy, modify, or create derivative works of any Company Personal Data (including, without limitation, aggregated and/or anonymized data) except with Company’s prior consent or as may be permitted by any applicable law which is incapable of exclusion by contract, (d) implement and maintain organizational, administrative, physical and technical safeguards meeting the highest standards of good industry practice to prevent the unauthorized Processing, destruction or loss of Company Personal Data in Provider’s possession, custody or control, (e) implement and maintain an appropriate network security program that includes encryption of all Company Personal Data, (f) ensure its compliance with Data Protection Laws, (g) take all reasonable precautions with respect to the employment of and access to Company Personal Data given to Personnel (defined below) and Sub-Processors, and (h) at Company’s reasonable request, provide Company, at Company’s cost, with a complete copy of or full access to any and all Company Personal Data that may be in Provider’s possession.
- Processing Company Personal Data. Company and Provider acknowledge and agree that with regard to the Processing of Company Personal Data in the context of the provision of the Services, Company and/or its affiliates is/are the Controller, Provider is a Processor and that Provider may engage Sub-Processors pursuant to the requirements set forth in Section 7 (Sub-Processors) below.
All verbal instructions are to be confirmed in writing or by email without undue delay. Provider shall inform Company immediately if it considers that an instruction violates Data Protection Laws or if it is required to Process Company Personal Data outside the scope of Company’s instructions.
The nature and purpose of Processing Company Personal Data by Provider is the performance of the Services pursuant to the Agreement, as set out on Annex 1 (the “Specific Business Purpose”). The duration of the Processing shall be for the duration of the Agreement and the rights and obligations under this Addendum shall remain in force after termination of the Agreement until all Company Personal Data Processed under this Addendum is deleted on the systems of Provider and its Sub-Processors. Details about Processing, including the types of Company Personal Data Processed, the categories of Data Subjects under this Addendum, and the jurisdictions where Processing may occur are set out on Annex 1.
Provider shall, at Company’s cost (a) provide reasonable cooperation, assistance, and information to Company in relation to queries, complaints and other correspondence with any Data Subject or regulatory body (including Data Subject access requests) and as may reasonably be required to enable Company to comply with its obligations under applicable Data Protection Laws, and (b) amend, update, supplement, return or delete any Company Personal Data as soon as reasonably practicable at Company’s request.
- U.S. State Privacy Laws. Pursuant to CCPA and other US State Privacy Laws, the parties agree that the Provider is a “Service Provider” or “Processor,” as applicable, as such terms are defined under US State Privacy Laws. Provider will not (a) retain, use, or disclose any Company Personal Data outside the direct business relationship between Provider and Company, or for any purpose other than for the “Specific Business Purpose,” as set out in Annex 1 hereto, and Provider shall Process Personal Data only as long as it provides Services to Company; (b) Sell any Company Personal Data; (c) Share any Company Personal Data; or (d) combine the Personal Data that Provider receives from, or on behalf of, Company with Personal Data that it receives from, or on behalf of, another person, or collects from its own interaction with a consumer, provided that Provider may combine Company Personal Data if it is within the scope of providing the Services to Company. Provider agrees to comply with the CCPA and all US State Privacy Laws when Processing any Company Personal Data pursuant to the Agreement and shall notify Company if it makes a determination that it can no longer meet its obligations under US State Privacy Laws.
- International Transfers. For the purposes of the Model Clauses, the parties agree that Provider will act as the data importer on Provider’s own behalf and on behalf of any of its affiliates; and Company will act on its own behalf and/or on behalf of the relevant affiliates as the data exporter. The parties further agree as follows:
- Provider shall not transfer any Company Personal Data from any jurisdiction to any other jurisdiction without Company’s prior written approval and, if applicable, shall have in place a transfer agreement or other mechanism appropriate to comply with Data Protection Laws. The parties agree that any international transfer of Company Personal Data will comply with Data Protection Laws. If Company Personal Data is being transferred to Provider from a country whose laws are not named in this Addendum and which requires additional or different data transfer mechanisms not described in this Addendum, it is Company’s responsibility to contact Provider’s Data Protection Officer at [email protected] to ensure whether such transfers can be supported by Provider and to discuss additional contractual provisions, if required. Provider cannot guarantee it will be able to support data transfer requirements from all global jurisdictions.
- If Company Personal Data is transferred from Switzerland, the UK, or European Economic Area (“EEA”) to a jurisdiction that is not within the EU, UK, or EEA, and which does not ensure an adequate level of data protection within the meaning of the laws and regulations of these countries, then such transfer of Company Personal Data will be governed by the terms of the Model Clauses, including Annex 1, unless an alternative transfer mechanism (e.g., Binding Corporate Rules) permitted by Data Protection Laws exists, in which case, the alternative transfer mechanism will be documented in writing. Only when applicable and where this Addendum or the Agreement conflict with the Annexes, the Annexes will control.
- For data transfers between Provider and the Company subject to the EU SCCs, the EU SCCs will be deemed entered into (and incorporated into this Addendum by reference) and completed as follows:
- Module Two (Controller to Processor) of the EU SCCs will apply where Provider is a Processor and Company is a Controller.
- For Module Two, where applicable:
- in Clause 7, the optional docking clause will apply;
- in Clause 9, Option 1, specific prior authorisation, will apply and the data importer shall submit the request for specific authorisation at least 10 days prior to the engagement of the sub-processor;
- in Clause 11, the optional language will not apply;
- in Clause 17, Option 2 will apply, and the EU SCCs will be governed by Irish law;
- in Clause 18(b), disputes will be resolved before the courts of Ireland;
- Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this Addendum, as applicable;
- Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this Addendum; and
- Annex III of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this Addendum.
- For data transfers subject to the UK SCCs, the UK SCCs will be deemed entered into (and incorporated into this Addendum by reference, including Part 2: Mandatory Clauses) and completed as follows:
- In Table 1 of the UK SCCs, the parties’ details and key contact information is located in Section A of Annex 1 of this Addendum.
- In Table 2 of the UK SCCs, information about the version of the approved EU SCCs, modules and selected clauses which this UK International Data Transfer Agreement is appended to is located in Section 4(d)(ii) of this Addendum.
- In Table 3 of the UK SCCs:
- The list of Parties is located in Section A of Annex 1;
- The description of the transfer is set forth in Section B (Nature and Purpose of the Processing) of Annex 1;
- Annex 2 is attached to this Addendum; and
- In Table 4 of the UK SCCs, both parties may end the UK SCCs in accordance with the terms of the UK SCCs.
- In case of any transfers of Company Personal Data from Switzerland (i) general and specific references in the EU SCCs to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the Data Protection Laws of Switzerland, as applicable; and (ii) any other obligation in the EU SCCs determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under the Swiss Data Protection Act, as applicable. To the extent that and for so long as the EU SCCs as implemented in accordance with this Agreement cannot be relied on by the parties to lawfully transfer Company Personal Data in compliance with the applicable standard data protection clauses issued, adopted or permitted under the Swiss Data Protection Act shall be incorporated by reference, and the annexes, appendices or tables of such clauses shall be deemed populated with the relevant information set out in Annex 1 and 2 of this Addendum.
- If the relevant authorities adopt a new version of the Model Clauses as a lawful mechanism for International Transfers in a jurisdiction governing the processing of Company Personal Data, the parties are deemed to have agreed to the execution of the new version of the Model Clauses by agreeing to this Addendum.
- If an alternative transfer mechanism is adopted by Company during the term of the Agreement (an “Alternative Mechanism”), and Company notifies Provider that some or all International Transfers can be conducted in compliance with Data Protection Laws pursuant to the Alternative Mechanism, the parties will rely on the Alternative Mechanism instead of the transfer mechanisms for International Transfers to which the Alternative Mechanism applies.
- Where the Provider intends to transfer Company Personal Data to a third country or international organization in a manner that is not governed by the Model Clauses, the Provider shall notify the Company’s designated Data Protection Officer in writing prior to such transfer. The Provider shall not proceed with such transfer unless (a) the Company has confirmed that the proposed transfer mechanism is appropriate, or (b) the transfer is required by Union or Member State law, in which case the Provider shall inform the Company of that legal requirement before the transfer, unless such law prohibits such information on important grounds of public interest.
- Provider Personnel. Provider shall ensure that access to Company Personal Data is limited to those Provider employees and contractors (“Personnel”) and agents who have a need to know or need to access that Company Personal Data to enable Provider to perform its obligations under the Agreement. Provider shall ensure that its Personnel engaged in the Processing of Company Personal Data are informed of the confidential nature of the Company Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality obligations no less restrictive than those contained in this Addendum and such obligations survive the termination of that person’s engagement with Provider. Provider has appointed, where required by applicable Data Protection Laws, a data protection officer who meets the requirements under such laws for the performance of his or her duties. Details about the appointed person shall be included in Annex 2.
- Sub-Processors. Provider has Company’s general authorization for the engagement of Sub-Processor(s) from the “agreed list,” provided that such Sub-Processor(s) must be bound by the same obligations as the ones to which Provider is bound by this Addendum. Company can obtain the current “agreed list” of Sub-Processors by submitting a request here. Company may subscribe to receive notifications by email if Provider makes changes to the Sub-Processor agreed list by completing the form available here. If Company opts in to receive such email, Provider will notify Company of any intended changes to the agreed list through the addition or replacement of sub-processors at least ten (10) days in advance, thereby giving Company sufficient time to be able to object to such changes prior to the engagement of the Sub-processor(s). Provider shall provide Company with the information necessary to enable Company to exercise its right to object. Provider’s Sub-Processor list constitutes Provider Confidential Information, and is subject to the provisions set forth below in Section 13.
- Security. Provider shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate: (a) the pseudonymization and encryption of Company Personal Data; (b) measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and Services; (c) the ability to restore the availability and access to Company Personal Data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing; (e) a process and procedures to monitor and log processing systems for unauthorized changes and other evidence the processing environment has been compromised. Provider shall document and monitor compliance with these measures. Technical and organizational measures are subject to technical progress and further development and Provider may implement alternative adequate measures provided Provider shall not decrease the overall security of the Services during the term of the Agreement. The minimum security measures to be implemented by Provider are in Annex 2 of this Addendum.
- Personal Data Breach Notification. Provider shall: (i) provide Company with a mechanism to open a trouble ticket for communicating with Provider regarding, tracking the status of, and resolving obligations associated with, a Personal Data Breach of Company Personal Data; and (ii) notify Company of a Personal Data Breach affecting Company Personal Data as soon as reasonably practicable after Provider becomes aware of it, and in any event within any notice period required pursuant to Data Protection Laws; and
- Promptly following Provider’s notification to Company of a Personal Data Breach affecting Company Personal Data, the parties shall coordinate with each other to investigate such Personal Data Breach. Provider agrees to reasonably cooperate with Company in Company’s handling of the matter, including, without limitation: (i) assisting with any investigation; and (ii) making available all relevant records, logs, files, data reporting and other materials required to comply with applicable Data Protection Laws.
- Provider shall promptly use commercially reasonable efforts to remedy any Personal Data Breach affecting Company Personal Data and prevent any further Personal Data Breach in accordance with applicable Data Protection Laws.
- Data Subjects’ Rights. Provider shall promptly notify Company if it receives a request from a Data Subject for information, access to, correction, amendment, deletion, erasure, portability, restriction of Processing of that person’s Personal Data. Provider shall not respond to any such Data Subject request without first notifying and obtaining Company’s prior written consent, except to confirm that the request relates to Company. Upon request by Company, Provider shall assist Company to fulfill the rights of the Data Subjects and respond to such Data Subjects requests, at Company’s cost.
- Assistance and Cooperation with Compliance. Provider shall: (a) maintain a record in writing of all categories of Processing carried out on behalf of Company and make such records available to Company upon request from Company or a relevant data protection authority (“Data Protection Authority”); (b) provide any information required by Company to document compliance with Data Protection Laws and compliance with Provider’s obligations as set out in this Addendum and its Annexes; (c) inform Company without undue delay of (i) any Processing of Company Personal Data outside the scope of this Addendum and its Annexes and of any violations of Data Protection Laws, in particular Personal Data Breaches or changes to the collection, processing or use of Company Personal Data by Provider or any Sub-Processor or individuals employed by Provider or any Sub-Processors and (ii) any control actions or measures taken by a Data Protection Authority or any other authority with respect to the Processing of Company Personal Data and make every effort to support Company insofar as Company is subject to an inspection by a Data Protection Authority, an administrative or criminal procedure or claim by a Data Subject or by a third party or any other claim in connection with the Processing by Provider; and (d) assist Company with the execution of any data protection impact assessment and with consultation of the relevant Data Protection Authority where legally required.
- Audit Rights. To the extent the Services under this Addendum or the Agreement entail Provider’s Processing of Personal Data on Company’s behalf, Company has the right to audit Provider’s compliance with its obligations under this Addendum by requesting and reviewing (1) Provider’s record of processing activities (“ROPA”); and (2) Provider’s security documentation (including, where available, the result of any third party security audits) related to Provider’s Processing of Personal Data hereunder. Company is entitled to conduct the audit either by an authorized representative, including its data protection officer, where relevant, or through third parties that it instructs. Company shall notify Provider with information regarding any non-compliance discovered during the course of an audit. Provider shall also grant the above audit rights to any competent Data Protection Authority.
- Provider Confidential Information. “Provider Confidential Information” refers to the following items Provider discloses to Company pursuant to this Addendum: (a) any document Provider marks “confidential”; (b) any information Provider orally designates as “confidential” at the time of disclosure; (c) Provider’s Sub-Processor list; (d) Provider’s ROPA and security documentation disclosed pursuant to Section 12; and (e) any other nonpublic information Company should reasonably consider a trade secret or otherwise confidential, whether or not marked “confidential.” Company shall not use Provider Confidential Information for any purpose other than to facilitate the purpose contemplated by this Addendum (as used herein, the “purpose”). Company: (a) shall not disclose Provider Confidential Information to any employee or contractor of Company unless such person needs access in order to facilitate the purpose and is subject to a written agreement with Company with nondisclosure terms no less restrictive than those of this Section 13; and (b) shall not disclose Provider Confidential Information to any other third party without Provider’s prior written consent. Without limiting the generality of the foregoing, Company shall protect Provider Confidential Information with the same degree of care it uses to protect its own confidential information of similar nature and importance, but with no less than reasonable care. Company shall promptly notify Provider of any misuse or misappropriation of Provider Confidential Information that comes to Company’s attention. Notwithstanding the foregoing, Company may disclose Provider Confidential Information to the extent required by applicable law or by proper legal or governmental authority. 
Company shall give Provider prompt notice of any such legal or governmental demand and reasonably cooperate with Provider in any effort to seek a protective order or otherwise to contest, limit, or protect such required disclosure, at Provider’s expense. Upon termination of this Addendum for any reason, Company shall return all copies of Provider Confidential Information to Provider or certify, in writing, the destruction thereof.
- Conflict. Notwithstanding anything to the contrary in the Agreement, in the event and to the extent that the terms of this Addendum conflict with any of the terms of the Agreement, this Addendum supersedes the Agreement. In the event of any conflict or inconsistency between the body of this Addendum and the Model Clauses the applicable Model Clauses shall prevail.
Annex 1 - Details of Processing
- List of Parties
Data Exporter
Name: Company
Address: The address Company provides at the time of its Order
Contact Person:
- Name: As per the Account information
- Email: As per the Account information
- Position: As per the Account information
Role (controller/processor): Controller
Data Importer
Name: Thryv
Address: 1301 Municipal Way, Suite 220, Grapevine, TX 76051
Contact: Jeff Wing
Role (controller/processor): Processor
- Nature and Purpose of the Processing
- Categories of data subjects whose personal data is processed
Customer employees and representatives of Customer; clients of Customer’s business.
- Categories of personal data processed
Personal Data relating to the category of data subjects described above. The Personal Data depends on the particular Services, but may include:
- Employee Personal Data: name, email, and telephone number for purposes of business communication and user authentication.
- Client Personal Data: name, email, telephone number and other contact information for business communication; payment information and transaction history.
- Patient Personal Data: protected health information.
Any other Personal Data Customer inputs into the Services.
- The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)
Transfers will be continuous for the duration necessary for the performance of the Services; any other purposes stipulated in the Agreement; and complying with applicable laws and regulations.
- Nature of the processing
The “Specific Business Purpose” for processing shall be the provision of Provider’s small business management software services to the Customer. The Personal Data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, erasure or destruction for the purpose of providing Services by Provider to Customer in accordance with the terms of the Agreement.
- Purpose(s) of the data transfer and further processing
To provide the Services pursuant to the Agreement.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The Processing will continue until the date which is the earlier to occur of: (a) the expiration or termination of the Agreement, or (b) the date that Processor retains any Company Personal Data related to the Agreement in its possession or control.
- For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.
The subject matter of the Processing of Company Personal Data is set out in the Agreement and this Addendum.
- The duration of the Processing activities shall be for the term set forth in the Agreement. The purpose of the Processing of Company Personal Data by Processor is the performance of the Services pursuant to the Agreement.
- Special Categories of Data (if applicable):
The contents of the Personal Data are varied and under the data exporter’s control, but may, from time to time, depending on the particular Services, include sensitive data under the relevant Data Protection Laws. This may include protected health information.
- Competent Supervisory Authority: Ireland
Annex 2 - Data Security Measures
This Annex forms part of the Addendum. Provider agrees that it has the following security measures in place:
- Encryption. Provider shall use strong encryption methodologies to protect Personal Data transferred over public networks, and shall implement whole disk encryption for all Personal Data at rest. Provider will fully document and comply with Provider’s key management procedures for crypto keys used for the encryption of Personal Data.
- Storage. Provider shall retain all Personal Data in a physically and logically secure environment to protect from unauthorized access, modification, theft, misuse and destruction. Provider shall utilize platforms to host Personal Data that are configured to conform to industry standard security requirements and will only use hardened platforms that are continuously monitored for unauthorized changes.
- Antivirus; Firewall. Provider shall utilize antivirus programs that are capable of detecting, removing, and protecting against all known types of malicious or unauthorized software with antivirus signature updates at least every twelve (12) hours. Provider will implement firewalls designed to ensure that all outbound traffic to Company systems is restricted to only what is necessary to ensure the proper functioning of the Services. All other unnecessary ports and services will be blocked by firewall rules at Provider network.
- Vulnerability Management.
- Updates and Patches. With regards to the handling of Personal Data, Provider shall establish and maintain mechanisms for vulnerability and patch management that are designed to evaluate application, system, and network device vulnerabilities and apply Provider-supplied security fixes and patches in a timely manner taking a risk-based approach for prioritizing critical patches.
- Data Loss Prevention. Provider shall maintain a "data loss prevention" (DLP) or "extrusion prevention" solution to protect Personal Data, and shall integrate the results of that activity with its program for audit logging and intrusion detection as described below.
- Audit Logging; Intrusion Detection. Provider shall collect and retain audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools shall be implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized Personnel.
- Information Risk Assessment. On an annual basis, Provider shall cooperate with Company, at Company's discretion, to perform formal risk assessments to determine the likelihood and impact of potential privacy and security risks to Personal Data. Provider shall conduct the audit annually in accordance with all applicable local laws, regulations and requirements for credit card and privacy (including without limitation PCI DSS) as well as industry common standards for information security. An audit report shall be provided to Company within three (3) months upon the completion of every year’s Services by Provider to Company.
- Physical Security. Where Provider is Processing Personal Data, such Personal Data shall be housed in secure areas, physically protected from unauthorized access, with appropriate environmental and perimeter controls. The facilities shall be physically protected from unauthorized access, damage, theft and interference.
- Disaster Recovery Management. Provider shall provide documentation of its formal and secure disaster recovery plan, meeting a standard of good industry standards and redacted for proprietary and confidential information. Provider shall share evidence with Company that Provider conducts regular testing of that plan on at least an annual basis, which impacts any Company systems and Personal Data governed by the Agreement.
