SECURITY MEASURES ADDENDUM
This Security Measures Addendum (the “Security Addendum”) sets forth the administrative, technical, physical, and organizational security measures a vendor (“Vendor”) will implement and maintain for the Processing of YipitData Information (as defined below), including Personal Data, under the agreement with Yipit, LLC, d/b/a YipitData or the YipitData affiliate identified in the agreement (“YipitData”). This Security Addendum is incorporated by reference into the agreement between YipitData and Vendor (including any other addendum, order form, statement of work, or equivalent, the “Agreement”) and applies to all products and/or services (the “Service”) involving the Processing of YipitData Information. In the event of any conflict between the terms of this Security Addendum and the Agreement, the terms of this Security Addendum will prevail.
Definitions: For the purposes of this Security Addendum:
a. “YipitData Information” means (i) any data that YipitData provides to Vendor, including through the Service and (ii) any data that Vendor accesses or Processes on behalf of YipitData, including any Personal Data.
b. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable data privacy laws, that is Processed in relation to the Agreement.
c. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
d. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
Vendor maintains an information security program (“Information Security Program”) that includes specific security requirements for its personnel and all subcontractors or agents who have access to YipitData Information (“Data Personnel”). Vendor’s security requirements cover the following areas:
1. Information Security Policies and Standards. Vendor will maintain written information security policies, standards and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store YipitData Information. These policies, standards, and procedures shall be designed and implemented to:
a. Prevent unauthorized persons from gaining physical access to systems that Process YipitData Information (e.g. physical access controls);
b. Designate one or more employees, or competent subcontractors, to coordinate the Information Security Program;
c. Prevent YipitData Information systems from being used without authorization (e.g. logical access control);
d. Ensure that Data Personnel gain access only to such YipitData Information as they are entitled to access (e.g. in accordance with their access rights) and that YipitData Information cannot be read, copied, modified or deleted without authorization (e.g. data access controls);
e. Ensure that YipitData Information cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the recipients of any transfer of YipitData Information by means of data transmission facilities can be established and verified (e.g. data transfer controls); and
f. Ensure that all systems that Process YipitData Information are the subject of a vulnerability management program that includes regular internal and external vulnerability scanning with risk rating findings and formal remediation plans to address any identified vulnerabilities.
2. Physical Security. Vendor will maintain commercially reasonable security systems at all Vendor sites at which an information system that uses or stores YipitData Information is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
3. Organizational Security. Vendor will maintain information security policies and procedures addressing:
a. Data Disposal. Procedures for when media are to be disposed of or reused have been implemented to prevent any subsequent retrieval of any YipitData Information stored on media before they are withdrawn from the Vendor’s inventory or control.
b. Data Minimization. Procedures for when media are to leave the premises at which the files are located as a result of maintenance operations have been implemented to prevent undue retrieval of YipitData Information stored on media.
c. Data Classification. Policies and procedures to classify sensitive information assets, clarify security responsibilities, and promote awareness for all employees have been implemented and are maintained.
d. Incident Response. All Security Breaches are managed in accordance with appropriate incident response and remediation procedures. Vendor must inform YipitData immediately upon discovery of any Security Breach in a YipitData system or in a Vendor system that contains any information regarding YipitData. In the event of a Security Breach, Vendor must work with the other party in good faith to take corrective action to stop and/or mitigate the Security Breach.
4. Network Security. Vendor maintains commercially reasonable information security policies and procedures addressing network security.
5. Access Control (Governance).
a. Vendor governs access to information systems that Process YipitData Information.
b. Only authorized Vendor staff can grant, modify or revoke access to an information system that Processes YipitData Information.
c. Vendor implements commercially reasonable physical and technical safeguards to create and protect passwords.
6. Virus and Malware Controls. Vendor protects YipitData Information from malicious code and will install and maintain anti-virus and malware protection software on any system that handles YipitData Information.
7. Personnel.
a. Vendor has implemented and maintains a security awareness program to train all employees about their security obligations. This program includes training about data classification obligations, physical security controls, security practices, and Security Breach reporting.
b. Data Personnel strictly follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
c. Vendor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may Process YipitData Information.
8. Business Continuity. Vendor implements disaster recovery and business resumption plans. Business continuity plans are tested and updated regularly to ensure that they are up to date and effective. Vendor shall also adjust its Information Security Program in light of new laws and circumstances, including as Vendor’s business and Processing change.
Last Updated September 2025