Data Privacy Policy

Last Updated: June 21, 2021

This Data Privacy Policy (“Schedule”) is hereby made a part of and incorporated into the Endgame Labs, Inc. SaaS Services Terms and Conditions (the “Agreement”) entered into by and between Endgame Labs, Inc. (“Endgame”), and the customer accepting the Agreement (“Company”) (each individually, a “Party” and collectively, the “Parties”). In the event of any conflict between this Schedule and the Agreement, the provisions of this Schedule shall prevail.

A. Definitions

  1. “Personal Information” shall have the same meaning as the term “personal data”, “personally identifiable information (PII)” or any equivalent term under applicable global data privacy laws and regolations and “Company Personal Data” shall mean Personal Data that Endgame processes on behalf of Company in connection with Endgame’s provision of the Services.

B. Data Protection

  1. Compliance with Applicable Law. Any collection, maintenance and/or use of Personal Information by Endgame shall be undertaken in compliance with all applicable local, state, federal, and international laws, rules and regulations governing Company’s collection, maintenance, transmission, dissemination, use and destruction of Company Personal Information, including, but not limited to compliance with the Payment Card Industry Association Security Standards, to the extent Endgame has access to the payment card information of Company’s employees or clients.
  2. Limitations on Use of Data. Endgame will use Personal Information only in connection with the performance of the Agreement, except as Company may otherwise agree in writing.
  3. Processing of Personal Information Relating to EU Residents. If Company will transfer Company Personal Information relating to EU residents to Endgame for processing under the terms of this Agreement, Company shall inform Endgame of such, and Endgame will provide supplemental provisions that will apply.
  4. Disclosure of Data. Endgame will disclose Personal Information solely to those of its employees and third-party contractors who have a need to know such information for Endgame to perform its obligations under the Agreement, and who are aware of their obligations to protect the received this information from unauthorized use and disclosure under the terms of the Agreement and have affirmatively consented to do so. Personal Information shall not otherwise be disclosed to any third party without Company’s prior written consent.

C. Data Retention

  1. Retention Period. Endgame agrees to retain all Personal Information for a period of time specified by Company in writing and to dispose securely of all data at the end of the specified retention period, unless otherwise instructed in writing.
  2. Disposal/Return of Data. Upon termination of this agreement, Endgame will, at no charge to Company, provide a copy to Company of all of Company’s data in its possession, and will dispose securely of any copies of any data collected or generated under this Agreement on its computer systems or held by third parties on its behalf.

D. Information Security

  1. Information Security Program. With respect to all Personal Information, Endgame will implement reasonable administrative, technical, and physical safeguards designed to protect and secure the confidentiality, integrity, and availability of the information, including from the unauthorized access, use, or disclosure. Without limitation, the safeguards to be implemented by Endgame will include at a minimum, but are not limited to the following:
    1. appropriate administrative controls, such as communication of all applicable information security policies, formalized information security and confidentiality training, assignment of unique access credentials (which shall be revoked upon termination), and a disciplinary process for employees who fail to adhere to applicable information security policies;
    2. controls to ensure the physical safety and security of all facilities (including third-party locations) where Personal Information may be processed or stored, including, at a minimum, locked doors and keys/key cards to access any facility and a business continuity plan that is regularly reviewed and updated;
    3. controls to limit access to Endgame systems and Personal Information, including a password policy for all employees that access Personal Information and a prohibition on the use of shared credentials for users and/or systems;
    4. specific controls to ensure that Endgame has and enforces two-factor authentication for any and all remote connection to Endgame systems that access Personal Information; and
    5. regularly test and evaluate the effectiveness of the safeguards for the protection of Personal Information.
  2. Data Breaches. Endgame shall notify Company promptly upon discovery of any actual or reasonably suspected compromise, unauthorized use or disclosure of Personal Information, or any other breach of this Schedule, and will cooperate with Company in every reasonable way to help Company regain possession of the information and prevent any further compromise, unauthorized use or disclosure. Endgame must document responsive actions taken in connection with any incident involving an actual or suspected breach of security, and conduct a mandatory post-incident review of actions taken, if any, to make changes in business practices relating to the protection of Personal Information.
  3. Audit. Upon reasonable request from Company, Endgame shall provide access to, and the right to inspect and audit, all records and systems relating to (i) the collection, processing, or transfers of data relating to Personal Information and (ii) the information security measures used by Endgame and its contractors to secure Personal Information. Unless otherwise agreed, any such inspection or audit shall occur only during normal business hours. Endgame further agrees to cooperate in any investigation by Company (and in responding to any inquiry relating to Personal Information). In the event of any such investigation or inquiry, upon notice to Endgame, Company may suspend any further transfers of Personal Information for so long as may be necessary to obtain assurances that any additional transfers will not provide the basis for further regulatory action or possible liabilities. Any such suspension will not relieve either Party for any liability arising from the Agreement or any other commercial agreements with Company.