<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=643727312142648&amp;ev=PageView&amp;noscript=1">

DATA PROCESSING ADDENDUM

Last Updated: February 20, 2026

This Data Processing Addendum, including its Annexes and any documents incorporated herein by reference (“DPA”) forms part of, and is hereby incorporated into, the Software Subscription Agreement between Cerenade and Customer (collectively, the “Parties”) for the purchase of software, services, and/or products from Cerenade, (identified as “SOFTWARE” or services in the applicable Agreement, and hereinafter defined as “Services”) (the “Agreement”) to reflect the parties’ agreement regarding the Processing of Personal Data in connection with the provision of Services. By executing an applicable order form, quote, or similar document for the purchase of Cerenade’s Services that references the Agreement (“Order Form”), the Customer agrees that the Order Form together with the Agreement and this DPA, each as made available by Cerenade and incorporated herein by reference, govern Customer’s use of the Services. In the event of a conflict between the DPA and Order Form or Agreement, the DPA shall control with respect to the Processing of Personal Data.

In the course of providing the Services to Customer pursuant to the Agreement, Cerenade may Process Personal Data on behalf of Customer. This DPA supersedes any conflicting or inconsistent provisions in the Agreement, and in the event of ambiguity, this DPA will prevail. This DPA, the UK Addendum and the Standard Contractual Clauses (if applicable) shall terminate simultaneously and automatically with the termination or expiration of the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement or Order Form.


DATA PROCESSING TERMS


1.    DEFINITIONS

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

"CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended, including but not limited to by the California Privacy Rights Act, and its implementing regulations.

"Cerenade" means Multimedia Abacus Corp. dba Cerenade, being a California company with offices at 9800 S. La Cienega Blvd., #411 Inglewood, CA 90301.

"Controller" means the entity which determines the purposes and means of the Processing of Personal Data.

"Customer" means the entity that executed the Agreement.

"Customer Data" means any Personal Data provided or otherwise made available to Cerenade by Customer due to its performance under the Agreement.

"Data Protection Laws and Regulations" means all laws and regulations, including laws and regulations of the European Union ("EU"), the European Economic Area ("EEA") and their member states, Switzerland, the United Kingdom ("UK") and the United States and its states, applicable to the Processing of Personal Data under the Agreement.

"Data Subject" means the identified or identifiable person to whom Personal Data relates.

"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal Data” means any information relating to an identified or identifiable natural person where such information is protected similarly as personal data, personal information, or personally identifiable information under Data Protection Laws and Regulations.

"Process(ing)" means any operation or set of operations which is performed upon Customer Data, whether or not by automatic means, such as collection, recording, organization, retention, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Processor" means the entity which Processes Personal Data on behalf of the Controller, including as applicable any "service provider" as that term is defined by the CCPA.

"Restricted Transfer” means transfer of Personal Data originating from Europe to a country that does not provide an adequate level of protection within the meaning of applicable European Data Protection Laws.

Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914, as may be amended, superseded, or replaced.

"Sub-processor" or "Subprocessor" means any Processor engaged by Cerenade.

"Supervisory Authority" means an independent public authority which is established by an EU Member State or the UK pursuant to the GDPR or UK GDPR.

UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 currently found at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.

"UK GDPR" means the United Kingdom General Data Protection Regulation.



2.    PROCESSING OF PERSONAL DATA

a.    Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Data, Customer is the Controller, Cerenade is the Processor and that Cerenade will engage Sub-processors only pursuant to the requirements set forth in Section 5 "Sub-processors" below.  Cerenade is Customer's "service provider" as that term is defined in the CCPA.

b.    Customer's Processing of Personal Data. Customer shall, in its use of the Services, Process Customer Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirement to provide notice to Data Subjects of the use of Cerenade as Processor or a Service Provider. If Customer's Processing of Customer Data involves special categories of data (as defined or described in the Data Protection Laws and Regulations), Customer must Process special categories of data under a lawful basis in accordance with Articles 6 and 9 of the GDPR. For the avoidance of doubt, Customer's instructions for the Processing of Customer Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data. Customer specifically acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Customer Data to the extent applicable under the CCPA or Data Protection Laws and Regulations.

c.    Cerenade's Processing of Personal Data. 
Cerenade shall treat Customer Data as Confidential Information and shall only Process Customer Data on behalf of and only in accordance with Customer's documented instructions for the following purposes: (i) Processing required to provide the Services in accordance with the Agreement; (ii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement; or (iii) Processing necessary to comply with Data Protection Laws and Regulations.  Without limiting the generality of the foregoing, Cerenade may not (i) retain, use or disclose Personal Data for any purpose other than the business purpose of performing the Services under the Agreement, including any other commercial purpose; (ii) retain, use or disclose Personal Data outside of the direct business relationship between Customer and Cerenade; (iii) sell or share Personal Data; or (iv) combine Personal Data provided by Customer with any other data or information collected from any other source, or from its own interactions with an individual.  Where Cerenade is relying on Data Protection Laws and Regulation as the basis for Processing Personal Data, Cerenade shall promptly notify Customer of such Processing prior to Processing unless Data Protection Laws and Regulations prohibit such prior notice.  
Cerenade shall immediately notify Customer if, in Cerenade's opinion, any instruction with regard to the Processing of Personal Data given by Customer violates, or is likely to violate, Data Protection Laws and Regulations ("Challenged Instruction").  The Parties will work together in good faith to promptly address any Challenged Instruction.
Cerenade shall immediately assist and inform Customer in writing: (i) if at any time, Cerenade determines it cannot comply with this DPA or Data Protection Laws and Regulations; (ii) of any request for access to or surveillance of Customer Data received by Cerenade from any government official (including any court, data protection agency, or law enforcement) unless prohibited by applicable law;  and (iii) of any change in applicable legislation which is likely to have a substantial adverse effect on Cerenade’s obligations set forth in this DPA, including any change in local law.  Cerenade grants Customer the right to use reasonable and appropriate steps to stop and remediate any unauthorized Personal Data use. 
Cerenade certifies that (i) it understands the restrictions, obligations, and prohibitions set forth in this DPA and will comply with them, and (ii) it understands its obligations under Data Protection Laws and Regulations and will comply with them, and (iii) it will keep itself informed of all legal and regulatory requirements for the Processing of Personal Data in compliance with Data Protection Laws and Regulations and provide all Personal Data with the level of privacy protections contemplated by any Data Protection Laws and Regulation.

d.    Details of the Processing. The subject-matter of Processing of Personal Data by Cerenade is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Annex 1 (Details of the Processing) to this DPA.

e.    Compliance with Laws.  Cerenade shall comply with Data Protection Laws and Regulations and provide the same level of protection to Personal Data as required by Data Protection Laws and Regulations.  Cerenade understands and agrees that Personal Data is disclosed only for the specific and limited purposes of providing the Services in the Agreement to Customer.
 

3.    RIGHTS OF DATA SUBJECTS

a. Data Subject Request. Cerenade shall, to the extent legally permitted, promptly notify Customer if Cerenade receives a request from a Data Subject or its agent to exercise any of the Data Subject's right(s) under Data Protection Laws and Regulations, including but not limited to the Data Subject's right of access, right to rectification, restriction of Processing, erasure ("right to be forgotten"), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a "Data Subject Request".  Cerenade shall (i) permit Customer to have sole control over any response to a Data Subject Request, including the timing, method and content; (ii) not respond directly to a Data Subject Request except if required by applicable law; and (iii) comply with any request made by Customer relating to Personal Data (e.g. Cerenade shall delete Personal Data if and when requested by Customer).  Considering the nature of the Processing, Cerenade shall assist Customer by appropriate technical and organizational measures, for the fulfillment of Customer's obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any reasonable costs arising from Cerenade's provision of such assistance.  

4.    Cerenade PERSONNEL

a.    Confidentiality. Cerenade shall ensure that all individuals authorized and engaged in the Processing of Customer Data by Cerenade are informed of the confidential nature of the Customer Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Cerenade shall ensure that such confidentiality obligations survive for so long as each such individual has access to, or otherwise Processes, Customer Data.

b.    Reliability. Cerenade shall take commercially reasonable steps to ensure the reliability of any Cerenade personnel engaged in the Processing of Customer Data.

c.    Limitation of Access. Cerenade shall ensure that Cerenade's access to Customer Data is limited to those personnel performing Services in accordance with the Agreement.

d.    Data Protection Officer. Cerenade has appointed a data protection officer. The appointed person may be reached by Email at privacy@cerenade.com.

5.    SUB-PROCESSORS

a.    General Authorization. Customer grants Cerenade a general authorization to engage third-party Subprocessors, including onward Subprocessors, to Process Personal Data in connection with the provision of the Services, subject to the requirements of this Section 5. This general authorization is granted in accordance with Clause 9(a), Module 2, Option 2 of the Standard Contractual Clauses, which are incorporated into this DPA.

b.    Subprocessor Notifications. Cerenade has currently appointed, as Subprocessors, the third parties listed on Cerenade’s Sub-processor disclosure page available at https://www.cerenade.com/legal/subprocessors (the “Subprocessor List”). Cerenade shall maintain and update the Subprocessor List from time to time. If Cerenade intends to make any addition to or replacement of a Subprocessor, Cerenade will update the Subprocessor List to reflect the intended change and thereby provide notice to Customer. Cerenade will also provide notice of such intended change by email to the individual designated as a main contact by Customer (“Main Contact”) prior to the Subprocessor’s commencing processing of Customer Data.

c.    Objection Right. Customer may object to Cerenade’s engagement of a new Subprocessor by providing written notice within thirty (30) days of receipt of the notice under Section 5(b), provided that such objection is based on reasonable grounds relating to the protection of Personal Data. If Customer does not object within such period, Customer shall be deemed to have accepted the new Subprocessor.

d.    Mitigation and Termination. If Customer raises a valid objection under Section 5(c), Cerenade shall use reasonable efforts to make available a commercially reasonable change to the Services or Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to Subprocessor. If Cerenade is unable to implement such change within a reasonable period, either party may terminate the affected Services, or if applicable, the Agreement, upon thirty (30) days’ written notice, without prejudice to any fees accrued prior to termination.

e.    Subprocessor Agreements. Cerenade shall enter into a written agreement with each Subprocessor prior to the Subprocessor’s Processing of Personal Data, which imposes data protection obligations on the Subprocessor that are no less protective than those imposed on Cerenade under this DPA and the Agreement, including appropriate technical and organizational measures and compliance with applicable Data Protection Laws and Regulations.

f.    Responsibility and Liability. Cerenade shall remain responsible for compliance with its obligations under this DPA and shall be liable for the acts and omissions of its Subprocessors to the same extent Cerenade would be liable if performing the Services of such Subprocessor directly, subject to the liability limitations set forth in the Agreement and this DPA.

6.    SECURITY

a.    Controls for the Protection of Customer Data. Cerenade shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, its current description of which is as set forth in the Cerenade “Information Security Policy & Procedures” Version: 1.0.2.4 provided to Customer and Annex II of this DPA. Cerenade regularly monitors compliance with these measures. Cerenade will not materially decrease its security of the Services during a subscription term.

b.    Third-Party Certifications and Audits. Upon Customer's written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Cerenade shall make available to Customer that is not a competitor of Cerenade (or Customer's independent, third-party auditor that is not a competitor of Cerenade) a copy of Cerenade's then most recent third-party audits or certifications, as applicable.

7.    CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION

a.    Cerenade maintains security incident management policies and procedures and shall notify Customer without undue delay (and in any event no later than 24 hours) after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Cerenade or its Sub-processors of which Cerenade becomes aware (a "Customer Data Incident"). Cerenade shall (i) make reasonable efforts to identify the cause of such Customer Data Incident; (ii) take those steps necessary to remediate the cause of such a Customer Data Incident to the extent the remediation is within Cerenade's control and assist Customer in mitigating the damages relating thereto; and (iii) unless prohibited by applicable law, allow Customer to have sole control over the timing, content, and method of providing notification to the impacted individuals and governmental authorities, if applicable. 

b.    For any Customer Data Incident resulting from the negligent or more culpable acts or omissions of Cerenade or its Sub-processors, Cerenade shall:  (a) take any corrective actions necessary to remedy the Customer Data Incident; and (b) reimburse Customer for its necessary and reasonable out-of-pocket costs and expenses relating to the Customer Data Incident such as:  (i) as required by applicable law, Customer’s costs incurred in notifying impacted individuals, governmental authorities, and credit bureaus; (ii) Customer’s attorneys’ fees and public relations’ fees incurred in responding to the  Customer Data Incident; (iii) as required by applicable law, Customer’s costs of obtaining credit monitoring services and identity theft insurance for the benefit of the impacted individuals; (iv) as required by applicable law, call center support required by law to notify impacted individuals for ninety (90) days; (v) all fines, penalties or charges assessed by a governmental entity; and (vi) forensic IT services and e-discovery services used by Customer relating to the Customer Data Incident (where (i) - (vi) are deemed direct damages).  The costs and expenses described in this Section are not subject to any caps on liabilities or exclusions of damages set forth in the Agreement.


8.    RETURN AND DELETION OF CUSTOMER DATA

a.    Customer may submit one request for one copy of their database, which includes all Customer Data, before or at termination or expiration of the Agreement, without charge to Customer. Such Customer Data shall be accessible to Customer without the use of any proprietary software and shall be provided in a standard and secure format. If Customer submits more than one such request for their database, Customer will be charged a reasonable fee per request at a rate determined by Cerenade and set forth in the Agreement.


b.    Upon termination or expiration of the Agreement, Cerenade shall return all Customer Data to Customer in accordance with the provisions of this section 8(a), and, to the extent allowed by applicable law, delete Customer Data 30 days after Customer's confirmation of receipt of all Customer Data, where such deletion must occur in accordance with then-current NIST guidelines (or their equivalent) for media sanitization. Promptly after deletion of the Customer Data, Cerenade shall provide written certification of compliance with this Section 8.


c.    Cerenade will Process Customer Data until the earlier of: (1) this DPA is terminated or expires, or (2) until notified in writing by Customer to discontinue Processing Customer Data.  The terms of this DPA will survive the termination or expiration of this DPA for so long as Cerenade Processes Customer Data.
 


9.    EUROPEAN SPECIFIC PROVISIONS

a.    GDPR. Cerenade will Process Personal Data in accordance with the GDPR or the UK GDPR requirements if applicable to Cerenade's provision of its Services or the Personal Data Processed therein.

b.    Data Protection Impact Assessment. Upon Customer's request, Cerenade shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer's obligation under the GDPR or the UK GDPR to carry out a data protection impact assessment related to Customer's use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Cerenade. Cerenade shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to Section 9(b) of this DPA, to the extent required under the GDPR.

c.    Transfer mechanisms for data transfers. Where the transfer of Customer Data between the parties involves a Restricted Transfer and Data Protection Laws require putting in place appropriate safeguards, Cerenade and Customer agree to enter into Standard Contractual Clauses, which are hereby incorporated by reference and apply to the Restricted Transfer as follows:

c1.    In relation to Customer Data (i) the Module Two terms apply to the extent Customer is a Controller and the Module Three terms apply to the extent Customer is a Processor of Customer Data; (ii) in Clause 7, the optional docking clause applies; (iii) in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with the ‘Sub-Processors’ Section 5 of this DPA; (iv) in Clause 11, the optional language is deleted; (v) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes will be determined in accordance with the Republic of Ireland (without reference to conflicts of law principles); (vi) the information required to be provided in the Annexes to the Standard Contractual Clauses is set out in this DPA and shall apply for purposes of the Standard Contractual Clauses; and (vii) the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR.

c2.    In relation to Customer Data (i) the Module One terms apply; (ii) in Clause 7, the optional docking clause applies; (iii) in Clause 11, the optional language is deleted; (iv) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes will be determined in accordance with the Republic of Ireland (without reference to conflicts of law principles); (v) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and (vi) the supervisory authority that will act as competent supervisory authority will be the Irish Data Protection Commission.

c3.    In relation to Customer Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with sub-section (A) and the following modifications (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA and Table 4 will be deemed completed by selecting “neither party”; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

c4.    In relation to Customer Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with sub-section (A) and the following modifications (i) references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA; (ii) references to "EU," "Union," and "Member State law" will be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" will be replaced with the "the Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland."

c5.    If and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.

d.    Taking into account the nature of the Processing and the information available to Cerenade, Cerenade shall assist Customer in meeting Customer's obligations under the GDPR or the UK GDPR, including Articles 32-36 by having appropriate technical and organizational measures.


10.   AUDIT.

Cerenade shall maintain complete and accurate records regarding the Processing it performs under the Agreement and this DPA, including as necessary to demonstrate its compliance with this DPA and Data Protection Laws and Regulations.  Upon prior written request, Cerenade shall allow Customer or its designated agent to audit any such records and perform any such other assessments and audits that are required in order for Customer to establish both Customer's and Cerenade's compliance with this DPA and Data Protection Laws and Regulations. The scope and timing of any audit shall be agreed upon in advance by both Parties. Any audit shall be subject to Cerenade’s and its clients’ confidentiality obligations. Customer shall be responsible for all costs related to any audit. Cerenade shall reasonably cooperate with any such audit and assessment, and make available to Customer all information necessary to demonstrate compliance with this DPA and Data Protection Laws and Regulations. In the event that any such audit or assessments reveals noncompliance with this DPA or Data Protection Laws and Regulations, Customer shall be entitled to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data and to ensure compliance with Data Protection Laws and Regulation, which may include suspending Cerenade's Processing of such Personal Data. 


11.   AMENDMENTS.

Amendments to DPA. Cerenade may amend this DPA from time to time to the extent necessary to (i) reflect changes in applicable Data Protection Laws and Regulations, (ii) incorporate guidance or requirements issued by competent supervisory authorities, or (iii) reflect updates to Cerenade’s Processing activities, technical and organizational measures, or data protection practices. Cerenade shall provide Customer with written notice of any material amendments to this DPA. 


Annex 1

DETAILS OF THE PROCESSING

a.    Subject matter: The general subject of data processing is described in the Agreement.

b.    Duration. The duration of the processing under this DPA is set forth in the DPA.

c.    Purpose. The purpose of the processing under the DPA is the provision of the Services by Cerenade to Customer as specified in the Agreement.

d.    Nature of the processing. Cerenade is providing database management, document management, and analytics services for applications, infrastructure systems, browser and client-side software, and other digital systems, as specified in the Agreement. These Services may include the Processing of Personal Data by Cerenade as determined by Customer in the configuration of the Services.

e.    Categories of Data Subjects. Data Subjects who are clients of Customer or who interact with Customer's software, system or application, which may include (but are not limited to) Customer’s users and customers or as otherwise determined by Customer in the configuration of the Service.

f.    Categories of data. Personal Data that is submitted to the Service by Customer, which may include, but is not limited to, passport and visa information, social security number, and other types of identifiable data configured by Customer, subject to the restrictions in the Agreement.

g.    Special Categories of Data.
g1.    Subject to any applicable restrictions and/or conditions in the Agreement, Customer may also include 'special categories of personal data' or similarly sensitive personal data (as described or defined in Data Protection Laws and Regulations) in Customer Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Customer Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, biometric data for the purposes of uniquely identifying a natural person, and data concerning health or data concerning a natural person's sex life or sexual orientation.


Annex II
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Cerenade will adopt and maintain appropriate security, organizational and technical measures to protect against unauthorized or accidental loss or access, alteration, disclosure or destruction and all other unlawful forms of processing. 

Cerenade has implemented the following security measures:

1.    Access management controls commensurate with industry-standard best practices to prevent unauthorized use or abuse of Personal Data and systems.
2.    Network security controls commensurate with industry-standard best practices to ensure Personal Data remains secure, available to authorized entities, and is protected against deliberate or unintentional alteration.
3.    Ensure that Personal Data remains secure throughout the lifecycle of the Agreement.
4.    Ensure that all devices that access Personal Data are secured.
5.    Centralized authentication management mechanism.
6.    Formal personnel security and organizational security policies commensurate with industry-standard best practices.
7.    Conduct periodic internal and external security assessments against their physical and logical environment commensurate with industry-standard best practices.
8.    Formal logging and monitoring, vulnerability management, risk management and incident management programs commensurate with industry standard best practices.
9.    Use industry-standard and reasonable organizational and technical safeguards to protect Customer’s Personal Data.