INTUIT

Supplier Data Processing Addendum

(Updated April 2026)

This Intuit Supplier Data Processing Addendum ("DPA"), which includes any Annexes attached hereto, is an addendum to and forms part of the Agreement (as defined below) between the applicable Intuit entity who is a party to that Agreement and its Enterprise Members ("Intuit") and the entity or other person who is a counterparty to that Agreement ("Company") for the provision of Services by Company to Intuit and reflects the parties' agreement concerning the Processing of Personal Data (as such terms are defined herein). This DPA is effective as of the effective date of the Agreement ("Addendum Effective Date"). As used in this DPA, "Agreement" refers to any agreement(s) entered into by the parties that provides that this DPA will be incorporated therein by reference, and "Enterprise Members" means all Intuit affiliates, subsidiaries and related companies that Intuit controls by ownership of fifty percent (50%) or greater equity interest, or controls the day-to-day management by management contract, solely in connection with Intuit's relationship with such entity.

SECTION A — Personal Data Processing

1. Role of the Parties

  1. Company as Processor. For purposes of this DPA, Company acts as a Processor on behalf of Intuit with respect to its Processing of Intuit Personal Data. Intuit may act as a Controller or a Processor with respect to that Processing. To the extent that Intuit acts as a Processor on behalf of any third-party Controller (each, a "Relevant Controller") with respect to the Processing of Intuit Personal Data delegated to Company, Company will be a (sub)Processor. Where Intuit is a Processor acting on behalf of a Relevant Controller, Intuit shall serve as the sole point of contact, and Company shall direct all correspondence, including authorizations, to Intuit (save only to the extent otherwise expressly required by Applicable Data Protection Laws or the SCCs).
  2. Company as Controller. Solely to the extent Company must process any Personal Data or other information regulated by Applicable Data Protection Laws of Intuit's employees, contractors, staff or other representatives ("Account Data") it shall Process that Personal Data only: (a) in order to manage the relationship with Intuit; (b) carry out Company's core business operations, such as accounting and filing taxes; (c) in order to detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) for identity verification if and as consistent with requirements of applicable law; (e) to comply with Company's legal or regulatory obligation to retain records; and (f) as otherwise permitted under Applicable Data Protection Law and in accordance with this DPA and the Agreement ("Controller Processing"). Company: (a) independently determines the purposes and means of such Controller Processing; (b) shall comply with Applicable Data Protection Laws as a separate and independent Controller; (c) shall ensure that there is, and will be throughout the term of the Agreement, a valid legal basis for such Controller Processing; (d) shall ensure that all Data Subjects have (i) been presented with all notices and statements; and (ii) provided all consents, in each case (i) and (ii), as required by Applicable Data Protection Laws relating to such Controller Processing; and (e) shall apply safeguards to any such Account Data that are consistent with those set out in Annex 2 (Technical and Organizational Measures (TOMs)). Nothing in this Section shall operate or be construed to grant Company any right or license to collect, use or otherwise Process any Account Data in a manner that would contradict or be inconsistent with the Agreement (including any restrictions or limitations set out therein) and/or Company's obligation to perform the Services in accordance with the Agreement.

2. Processing Scope and Restrictions

  1. Company shall: (i) comply with all Applicable Data Protection Laws in Processing Intuit Personal Data; (ii) Process Intuit Personal Data only on behalf of Intuit in accordance with the Agreement; and (iii) not Process Intuit Personal Data other than: to the limited extent necessary for Company to provide the Services to Intuit, or on Intuit's other written instructions; or as strictly required by applicable laws; provided that Company shall inform Intuit in advance of any such Processing required by applicable laws and of the relevant legal requirements requiring such Processing. If Company reasonably believes that there is a conflict between Intuit's instructions and Applicable Data Protection Laws, or if Company becomes aware of or believes that it (or its Sub-processors) are unable to Process Intuit Personal Data in a manner that is consistent with Intuit's instructions, Applicable Data Protection Laws, the Agreement, or this DPA, then Company shall: (i) promptly inform Intuit in writing of such potential conflict or inconsistency; (ii) cooperate with Intuit in good faith in an attempt to promptly resolve any conflict or inconsistency; and (iii) at Intuit's written election, cease Processing Intuit Personal Data.
  2. Without limiting the foregoing, Company shall not (i) sell or share Intuit Personal Data (as "sell" and "share" are defined by the California Consumer Privacy Act, as amended ("CCPA") or similar U.S. state privacy laws); (ii) combine the Intuit Personal Data received from or on behalf of Intuit with the Personal Data Processed on behalf of Company's other customers; or (iii) retain, use, or disclose Intuit Personal Data for any purpose other than for the business purposes specified in the Agreement or otherwise Process Intuit Personal Data outside of the direct business relationship between Intuit and Company. Intuit and Company hereby acknowledge and agree that nothing in the Agreement shall be construed as providing for the sale or transfer for valuable consideration of Personal Data to Company.
  3. Tax Return Information. This Section solely becomes applicable to the extent that Company Processes Intuit Personal Data that constitutes U.S. tax return information ("Tax Return Information"), which is deemed "sensitive data". Company understands, acknowledges, and agrees that if it Processes Tax Return Information, it is subject to U.S. Internal Revenue Service ("IRS") regulations (including IRC sections 6713 and 7216) governing its use and disclosure, and that the penalties for unauthorized disclosure or use of such Tax Return Information under U.S. IRC 6713 and 7216 can result in criminal prosecution, imprisonment, and the assessment of monetary fines. Therefore, where applicable, Company shall access such Tax Return Information only to provide the Services pursuant to the Agreement and shall not disclose such Tax Return Information to anyone, including to its Sub-processors, without Intuit's prior written approval. Additionally, Company shall notify, and hereby represents and warrants that it has notified, in writing, any of its employees who may have access to such Tax Return Information of the applicability of U.S. IRC sections 6713 and 7216, including a description of the requirements and penalties of those sections. Company shall ensure that all Tax Return Information remains within the United States unless Intuit has provided explicit written permission otherwise.
  4. Sensitive Data. If Company Processes Intuit Personal Data that contains any (a) protected health information subject to the Health Insurance Portability and Accountability Act ("HIPAA") or other information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (b) health insurance information; (c) biometric information; or (d) any other categories of Intuit Personal Data that Intuit deems "sensitive" as notified by Intuit to Company from time-to-time, the parties agree to enter into additional addenda or any legally required agreements (such as a Business Associate Agreement), as deemed necessary by Intuit.
  5. Deidentified Data. To the extent that any Intuit Personal Data consists of information derived from Personal Data that Intuit has determined cannot reasonably be used to infer information about, or otherwise be linked to, a particular individual ("Deidentified Information"), Company shall (i) take reasonable measures to ensure that such information cannot be associated with a particular individual; (ii) not attempt to or actually re-identify such information; and (iii) contractually prohibit its Sub-processors from attempting to or actually re-identifying Deidentified Information.
  6. Call Recording Services. To the extent Company records or monitors calls as part of the Services, Company must: 1) ensure that an unavoidable message stating "this call will be recorded and monitored" is played or recited at the beginning of each call, before any recording commences; 2) not alter this message without Intuit's prior written consent; and 3) adhere to any supplemental recording procedures mandated by Intuit for specific products, services, or call types, including those involving sensitive information. Company must consult with Intuit before recording calls related to lending or debit. Retaliation for reporting violations is prohibited.
  7. AI Services. To the extent Company's Services utilize artificial intelligence, machine learning, large language models, or other similar or successor technologies ("AI"), in whole or in part, to process, analyze, create, generate, modify or output content of any kind, Company shall during the term of the Services:
    1. Provide any information necessary to assist Intuit in response to disclosures required by laws and regulations;
    2. Provide Intuit with information regarding the safety of the Services, any known issues, and any potential hallucinations; and
    3. Prohibit use of Intuit Content to train or develop any AI, either directly or indirectly, except as needed to provide the Services to Intuit. This restriction applies to any third-party AI used by Company. Company cannot use any insights, results, or data generated from Intuit's use of AI for its own benefit or for the benefit of others, even if the data is anonymized or aggregated. Unless stated otherwise in the Agreement, "Intuit Content" means all Intuit information or data provided by Intuit and shall include any messages or files, pages, data, works, information and/or materials on, within, displayed, linked or transmitted to, from or through the Services, including, without limitation, trade or service marks, images, photographs, illustrations, graphics, audio clips, video clips, email or other messages, metatags, domain names, software and text or other communications or other information, data, text (including but not limited to names of files, databases, directories and groups/workgroups of the same), software, music, sound, photographs, graphics and video transmitted, entered, or stored by any Intuit employee, contractor, or representative using the Service. For the avoidance of doubt, Intuit Content shall also include any data sets, models, or other outputs generated by AI/ML algorithms used in connection with the Services.

3. Sub-processing

  1. Intuit generally authorizes Company to retain Sub-processors to Process Intuit Personal Data to the extent necessary to fulfill Company's contractual obligations under the Agreement, subject to and in accordance with this Section 3 and any restrictions in the Agreement. Company may continue to use those Sub-processors already engaged by Company as of the Addendum Effective Date (a complete and accurate list of which Company shall provide in writing to Intuit in advance of the Addendum Effective Date via the supplier management platform notified by Intuit to the Company from time-to-time, which includes at least the Sub-processor's name, location, address, and the function and description of delegated Processing) (the "Sub-processor List") subject to Company meeting or having met the obligations set out in Section 3.c. Company represents and warrants that the Sub-processor List is true, complete, and accurate as of the Addendum Effective Date.
  2. Company shall give Intuit written notice of the appointment of any proposed new Sub-processor at least thirty (30) days in advance of such appointment by sending an email to cybersoc@intuit.com, including full details of the Processing to be undertaken by any proposed Sub-processor (containing at least the Sub-processor's name, location, address, and the function and description of delegated Processing). If Intuit does not object to Company's appointment of a proposed Sub-processor during the aforementioned period, Company may commence use of that Sub-processor to Process Intuit Personal Data. If Intuit notifies Company in writing of any objections (on reasonable grounds) to the proposed appointment within the aforementioned period: (a) Company shall work with Intuit in good faith to make available a commercially reasonable change in the provision of the Services that avoids the use of that proposed Sub-processor; and (b) where such a change cannot be made within fourteen (14) days from Company's receipt of Intuit's notice, notwithstanding anything in the Agreement, Intuit may terminate the Agreement or that part of the Agreement requiring such Processing without penalty or liability (other than for fees due and owing to Company for Services rendered prior to the effective date of such termination) on written notice to Company, and Company shall refund Intuit any prepaid fees covering Services that have not been rendered.
  3. With respect to each Sub-processor, Company shall enter into a binding written contract including terms that offer at least the same level of protection for Intuit Personal Data as those set out in this DPA and that otherwise comply with the requirements of Applicable Data Protection Law. Company shall be liable to Intuit for all acts and omissions of Company's Sub-processors as if they were Company's acts or omissions.

SECTION B — Cooperation

1. Data Subject Requests

Company shall: (a) promptly (and, in any event, within two (2) business days of receipt) notify Intuit if it receives a Data Subject Request; (b) not respond to any Data Subject Request, or take any other action, except on the written instructions of Intuit or as required by Applicable Data Protection Laws (subject to informing Intuit of any such requirement); (c) provide Intuit with assistance reasonably necessary for Intuit or any Relevant Controller to perform its obligations under Applicable Data Protection Laws, owed by Intuit to any Relevant Controller, or to fulfill and/or respond to Data Subject Requests within any deadlines imposed under Applicable Data Protection Law; and (d) where required as part of the Services, provide or procure the provision of notice to Data Subjects regarding the Processing of Intuit Personal Data by Company using a notice provided by or on behalf of Intuit for that purpose. If Intuit transmits to Company a Data Subject Request to delete Intuit Personal Data, Company shall acknowledge receipt to Intuit in writing within two (2) business days and shall comply with such deletion request within ten (10) business days from the date of the request, unless an applicable exception under Applicable Data Protection Laws applies. If Intuit transmits to Company a Data Subject Request to access Intuit Personal Data, Company shall acknowledge receipt to Intuit in writing within two (2) business days and shall comply with such access request within four (4) business days from the date of the request, unless an applicable exception under Applicable Data Protection Laws applies. To the extent that an application programming interface to automate Data Subject Request communications between Intuit and Company is not already in place, Company agrees to implement such an application programming interface at Intuit's request.

2. Data Protection Impact Assessments and Prior Consultation

Company shall provide appropriate and reasonable assistance to Intuit and/or any Relevant Controller with any data protection/privacy impact assessments and prior consultations with Supervisory Authorities which Intuit and/or any Relevant Controller reasonably considers to be required by Applicable Data Protection Laws in connection with Company's Processing of Intuit Personal Data. Such assistance shall be provided within two (2) weeks of Intuit's request.

3. Notification of Privacy Inquiries

If a competent Supervisory Authority requires Company to disclose Intuit Personal Data, Company shall notify Intuit promptly but in no event later than forty-eight (48) hours of receipt of such request so that Intuit and/or any applicable Relevant Controller may seek to retain the confidentiality of the Intuit Personal Data. Company shall cooperate with Intuit and/or the Relevant Controller to redirect the appropriate authority to request the Intuit Personal Data directly from Intuit and/or the Relevant Controller (as directed by Intuit).

SECTION C — Data Security; Company Personnel; Security Incidents; Assessments, Testing, and Audits; Data Return and Deletion

1. Securing Intuit Confidential Information

Company shall implement and maintain a written information security program with appropriate technical, physical, and organizational measures to ensure the privacy, security, integrity, and availability of Intuit Confidential Information ("Information Security and Privacy Program") that complies with all Applicable Data Protection Laws and that meets or exceeds the minimum-security standards described in Annex 2 (Technical and Organizational Measures).

2. Company Personnel

Company shall ascertain the reliability of any Company personnel who may Process Intuit Confidential Information and shall ensure: (i) that access is strictly limited to those individuals who need to know or access the relevant Intuit Confidential Information for the purposes described in the Agreement and this DPA; and (ii) that all such individuals are subject to binding confidentiality undertakings or professional or statutory obligations of confidentiality, including with respect to Confidential Information. Company shall provide such personnel with appropriate privacy and security training, as relevant, to ensure the protection of Confidential Information.

3. Security Incidents

  1. In the event of a Security Incident, Company shall: (a) notify the Intuit Security POC of the Security Incident without undue delay (and, in any event, within forty-eight (48) hours) after becoming aware of the Security Incident. The notification shall include, at a minimum, the nature of the breach, the type of data involved, the number of individuals/records potentially affected, the date/time of the incident, the immediate measures taken to contain and investigate the incident, and the name and contact information of a designated point of contact to allow Intuit to meet its obligations under Applicable Data Protection Laws to inform Data Subjects and/or any applicable Supervisory Authority of the Security Incident; and (b) take all necessary measures and steps to identify the cause of such Security Incident, mitigate its effects, and prevent further Security Incidents. Company shall, at its own expense, promptly investigate the Security Incident if it occurred on Company infrastructure or in a different location for which Company is responsible and will reasonably assist Intuit as set forth herein. Intuit has the right to participate in the investigation and response to the Security Incident, and Company agrees to cooperate fully in the investigation and remediation of any harm or potential harm caused by the Security Incident. In addition, Company agrees to promptly take action to correct any demonstrable Security Incident and will conduct a forensic and security review and audit in connection with such Security Incident and make all reasonably required or reasonably requested updates to its security and privacy measures to prevent any recurrence and inform Intuit of such actions. If action is not promptly taken to Intuit's satisfaction, Intuit may terminate the Agreement and any or all Statements of Work at Intuit's discretion for cause.
  2. Company will assist Intuit with fulfilling its obligations, if any, to notify affected Data Subjects and other third parties, taking into account the nature of the handling and the information available to Company. Additionally, to the extent that a Security Incident gives rise to a need, in Intuit's sole judgment, to undertake other remedial measures (including, without limitation, credit monitoring services and the establishment of a call center to respond to inquiries) (collectively, with any notification requirements, "Remedial Actions"), at Intuit's request and direction, and at Company's cost, Company agrees to undertake such Remedial Actions. Intuit shall have sole discretion to control and direct the timing, content, and manner of any notices, including but not limited to, communication with Intuit customers and/or employees, regarding the same. If the Remedial Action taken by Company to the Security Incident is not promptly taken or not taken to Intuit's satisfaction, Intuit may terminate the Agreement at Intuit's sole discretion for cause.

4. Assessment, Testing, and Audits

  1. Assessment. Company shall maintain records to demonstrate its compliance with this DPA, and Company will provide such records to Intuit upon request. Company agrees to complete any security and/or privacy assessment provided by Intuit within two (2) weeks of receipt.
  2. Testing. Intuit shall have the right to use one or more commercially available cybersecurity risk scoring tools that utilize passive scans on Company's external systems or assets that are exposed to the internet (e.g., website, applications, etc.). Company agrees to respond promptly to Intuit for any requests about negative findings, such as detected vulnerabilities or issues with current practices. In addition to conducting regular internal testing, Company certifies that it shall on an annual basis: (i) through third party security experts perform penetration testing to identify vulnerabilities and remediation steps that will increase the security of Company and the Services; and (ii) provide Intuit with reputable penetration scan results, as requested by Intuit. In addition, if in its sole discretion, Intuit determines the results to be inadequate, Company shall grant Intuit access to Company facilities to test the systems to ensure that such systems are safe for the receipt and handling of Intuit Confidential Information.
  3. Audits. Company shall allow for and cooperate with audits, including inspections conducted by Intuit or another auditor designated by Intuit, as reasonably necessary and no less frequently than as required by Applicable Data Protection Law(s) in accordance with the following procedures:
    1. To the extent appropriate, Intuit will rely on audits furnished by Company that address the areas of audit and review as requested by Intuit. Company will provide Intuit, upon request, with the most recent certifications and/or summary audit report(s) pertinent to Company's compliance with its obligations under this DPA, including Annex 2 (e.g., ISO 27001 and/or SOC 2, Type II). Company will cooperate with Intuit by providing available additional information to help Intuit better understand Company's security practices.
    2. Company agrees to permit Intuit, no more than once annually, during normal business hours, to conduct an audit through an independent third party auditor, unless as otherwise agreed to in writing by Intuit and Company, or as required by a regulator or under Applicable Data Protection Law(s) where Intuit has the right to conduct audits directly and such right cannot be contractually waived by Intuit, or if there is a Security Incident.
    3. If, in Intuit's reasonable discretion, Intuit determines that an audit report furnished by Company is not appropriate or is inadequate, Company agrees to cooperate in good faith with the audit, and promptly provide access to records (including, but not limited to, security scan records), systems, processes, files, and other information relevant to the handling of Intuit Confidential Information. At Intuit's request, Company agrees to provide Intuit or Intuit's designee access to Company's premises, if necessary, to properly conduct the audit in accordance with this Section and Applicable Data Protection Law(s).
    4. Intuit shall provide Company with reasonable written notice of no less than thirty (30) days (unless a shorter notice period is required by Applicable Data Protection Law(s), an order of a Supervisory Authority, as otherwise agreed between the parties, or in the event of a Security Incident) before the audit. Intuit agrees to schedule audits to minimize disruption to Company's business, upon Company's written request to require any third party it employs to sign a non-disclosure agreement, and to make the results of the audit available to Company. Intuit will only disclose the results of the audit to third parties if, in Intuit's sole discretion, such disclosure is advisable to demonstrate Intuit's own compliance or as otherwise required under Applicable Data Protection Law(s).
    5. Each party shall bear its own costs in connection with the audit, except that Company shall be responsible for all reasonable costs and expenses in connection with the audit if the audit discloses a failure on the part of Company to comply with its obligations under Applicable Data Protection Law(s) or this DPA.
    6. Intuit's right to audit, inspect, and make copies or extracts of Company's records and processes will continue for the longer of: (i) a period of one (1) year following the termination or expiration of the Agreement; (ii) any longer period expressly provided for in the Agreement or ordering document; or (iii) any period required under Applicable Data Protection Laws. Company shall maintain all records and logs necessary to facilitate such audits for the entirety of the applicable survival period.
  4. Security POC.
    1. Company shall designate a security point-of-contact ("Company Security POC") to serve as its privacy and security coordinator to address urgent security concerns, and who shall also: (i) oversee the application of Company's compliance with this DPA and Applicable Data Protection Laws; and (ii) serve as a point-of-contact for communications with Intuit pertaining to this DPA. Company agrees that the Company Security POC or a duly appointed designee will be available 24 hours per day, 365 days per year, without limitation.
    2. Without undue delay, and in any event within three (3) business days, following the Addendum Effective Date, Company shall provide Intuit's security point-of-contact ("Intuit Security POC") with full contact information for the Company Security POC, which shall include at a minimum Company Security POC's: contact name, role, email address, and phone number. Company shall promptly notify Intuit in writing of any changes to such contact information.
    3. Unless otherwise notified by Intuit (including by written notice to the Company Security POC), Company Security POC shall liaise directly (including with respect to escalation of urgent security concerns and notifications of Security Incidents pursuant to Section 3.a. of Section C) with the Intuit Security POC whose details are as follows:

      Contact: Intuit Security POC
      Name: Intuit Operations Center (IOC)
      Email: cybersoc@intuit.com
      Phone number: 1-800-595-3006 (ask for the security on-call person)

5. Data Return and Deletion

Intuit Confidential Information shall be securely disposed of by Company and its Sub-processors if such information is no longer reasonably required to perform the Services, either: (i) within forty-five (45) days of receipt if during the Agreement Term, (ii) immediately upon Intuit's written request, or (iii) when such information must be destroyed under Applicable Data Protection Law(s). Company (and its Sub-processors) shall securely dispose of all Intuit Confidential Information immediately at the termination of the provision of the Services. If instructed by Intuit, a copy of such information shall be returned to Intuit prior to disposal by secure file transfer in such a format as is reasonably requested by Intuit. Company shall solely retain copies of Intuit Confidential Information to the extent required under Applicable Data Protection Law(s); provided that Company shall notify Intuit of such requirement and ensure the ongoing security and confidentiality of all such Intuit Confidential Information to the standard required by the Agreement and this DPA (including as set out in Annex 2 (Technical and Organizational Measures (TOMs)) until all such Confidential Information has been permanently and completely destroyed or deleted, including from any back-up.

SECTION D — Restricted Transfers

1. General

Where Company is certified under a scheme (such as the EU–U.S. Data Privacy Framework, UK Extension and/or Swiss–U.S. Data Privacy Framework (as applicable)) that benefits from an adequacy decision of the European Commission, UK Government and/or Swiss authorities (as applicable), the parties will rely on such scheme and corresponding adequacy decision in respect of any Restricted Transfers. Where Company withdraws from such scheme, the corresponding adequacy decision is invalidated, and/or such scheme does not otherwise apply to a Restricted Transfer, the parties shall, only if and to the extent permitted and required under the GDPR and/or FADP (if and as applicable) to establish a valid basis under the GDPR and/or the FADP in respect of a Restricted Transfer, be deemed to have automatically (i) in relation to an EU Restricted Transfer, entered into the SCCs by reference and shall comply with their respective obligations set out in the SCCs; and (ii) in relation to a UK Restricted Transfer, entered into the SCCs varied to address the requirements of the UK GDPR in accordance with the UK Transfer Addendum; and (iii) in relation to a Swiss Restricted Transfer, entered into the SCCs varied to address the requirements under the FADP.

2. Completion of the SCCs

Where the SCCs apply to a Restricted Transfer in accordance with Section 1 of this Section D, each of the parties is deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs, and the following shall apply:

  1. Module Selection. As and where relevant: (i) Module One of the SCCs applies to any Restricted Transfer effected as part of the Controller Processing; (ii) Module Two of the SCCs applies to any Restricted Transfer as and where Company acts as a direct Processor on behalf of Intuit; and (iii) Module Three of the SCCs applies to any Restricted Transfer involving Processing by Company acting as (sub)Processor to Intuit on behalf of any Relevant Controller.
  2. Population of the SCCs. The SCCs and the Clauses thereof (as and where applicable to the relevant Module) shall be populated as follows: (i) the optional 'Docking Clause' in Clause 7 is not used, (ii) in Clause 9, "option 2: general written authorisation" applies and shall be populated with the respective and corresponding information from Section A.3.b, (iii) in Clause 11, the optional language is not used and is deleted, (iv) in Clause 13, all square brackets are removed and all text therein is retained and for the Annexes to the SCCs the supervisory authority shall be the competent supervisory authority that has supervision over the Customer in accordance with Clause 13, (v) in Clause 17, "option 1" applies, and for Clauses 17 and 18, the laws and courts of Ireland shall be selected, and (vi) the Annexes to the SCCs are populated with the respective and corresponding information detailed in Annex 1 (Details of Processing), with Intuit being 'data exporter' and Company being 'data importer', and Annex 2 (Technical and Organizational Measures (TOMs)) to this DPA and the Sub-processor List.

3. Variations of the SCCs

To the extent relevant to a Restricted Transfer, the SCCs as completed and populated in Section 2 of this Section D shall be varied with respect to:

  1. UK Restricted Transfers by the UK Transfer Addendum in the following manner: (i) Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Section 2 of this Section D, (ii) Table 4 to the UK Transfer Addendum is completed by the box labelled 'Neither Party' being deemed to have been ticked, and (iii) in Part 2 to the UK Transfer Addendum, the parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum; and
  2. Swiss Restricted Transfers by the FADP in the following manner: (i) the Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for Swiss Restricted Transfers exclusively subject to the FADP, (ii) the terms "General Data Protection Regulation" or "Regulation (EU) 2016/679" as utilized in the SCCs shall be interpreted to include the FADP with respect to Swiss Restricted Transfers, (iii) references to Regulation (EU) 2018/1725 are removed, (iv) references to the "Union", "EU" and "EU Member State" shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the SCCs, (v) where Swiss Restricted Transfers are exclusively subject to the FADP, all references to the GDPR in the SCCs are to be understood to be references to the FADP, and (vi) where Swiss Restricted Transfers are subject to both the FADP and the GDPR, all references to the GDPR in the SCCs are to be understood to be references to the FADP only insofar as the Swiss Restricted Transfers are subject to the FADP.

4. Transfers by Company

Without limitation to its duties, responsibilities and obligations under Applicable Data Protection Laws and other applicable terms and conditions of the Agreement, this DPA and/or the SCCs (as applicable), Company shall not make any Restricted Transfer without the prior consent of Intuit; provided that Intuit agrees that such consent will be inferred and deemed given in the event that Company's engagement of a Sub-processor involving a Restricted Transfer is approved in accordance with Section 3.b. of Section A after Company has specifically informed Intuit that such engagement would involve a Restricted Transfer.

SECTION E — Miscellaneous

1. Indemnification

Each party (the "Indemnifying Party") shall defend, indemnify and hold harmless the other party (the "Indemnified Party") from and against any and all claims, actions, liabilities, losses, damages and expenses (including reasonable legal expenses) that arise from third party claims and/or government agency actions arising out of or in connection with the Indemnifying Party's Processing activities under or in connection with the DPA, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, willful misconduct, breach of statutory duty or non-compliance by the Indemnifying Party with any part of the Applicable Data Protection Laws.

2. Incorporation and Precedence

This DPA shall be incorporated into and form part of the Agreement with effect from the Addendum Effective Date. In the event of any conflict or inconsistency between: (a) this DPA and the Agreement, this DPA shall prevail to the extent of such conflict and inconsistency relevant to the Processing of Personal Data; and (b) any SCCs entered into pursuant to Section D and this DPA and/or the Agreement, the SCCs shall prevail to the extent of such conflict and inconsistency relevant to the Restricted Transfer(s) to which those SCCs apply.

3. Amendment

The parties shall act in good faith to implement any variations to this DPA that Intuit considers reasonably necessary to address the requirements of Applicable Data Protection Laws relating to the Processing of Personal Data. Notwithstanding anything to the contrary, in the event that an emergency update to this DPA is needed to ensure compliance with Applicable Data Protection Laws, Intuit will notify Company's Security POC in writing, and those changes will take effect unless Company reasonably objects in writing within five (5) business days of such notice. If Company refuses to promptly amend this DPA to meet requirements under Applicable Data Protection Law(s), then, in addition to any termination rights provided in the Agreement, Intuit may terminate the Agreement upon thirty (30) days' written notice.

4. Termination

Notwithstanding anything to the contrary in the Agreement or this DPA, Intuit may terminate the Agreement or any portion thereof immediately upon written notice to Company, and without judicial notice or resolution or prejudice to any other remedies, in the event a Supervisory Authority or other tribunal or court in any country finds there has been a breach of Applicable Data Protection Law(s) by virtue of Company's Processing of Intuit Personal Data in connection with the Agreement. Any breach of this DPA will be deemed a material breach under the Agreement.

SECTION F — Definitions

In this DPA, the following terms shall have the meanings set out in this Section F. Capitalized terms not defined here shall have the meaning given to them in the Agreement.

  1. "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where "control" refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
  2. "Applicable Data Protection Laws" means all applicable U.S. and foreign laws, ordinances, statutes, regulations, guidance, and other binding restrictions relating to the Processing of Personal Data under or in connection with the Agreement, as amended or replaced from time to time, including the GDPR.
  3. "Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
  4. "Confidential Information" shall have the meaning given to such term(s) under the Agreement, and includes, without limitation, Intuit Personal Data and any Account Data.
  5. "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  6. "Data Subject Request" means the exercise by a Data Subject of their rights with respect to Personal Data and the Processing thereof, including, as applicable, (i) deletion, (ii) opt-out, (iii) correction, (iv) access, and (v) restriction, sharing, and the sale of Personal Data.
  7. "EEA" means the European Economic Area.
  8. "FADP" means the Federal Act on Data Protection of 19 June 1992, including its revised version of 25 September 2020.
  9. "FDPIC" means the Swiss Federal Data Protection and Information Commissioner.
  10. "Intuit Confidential Information" means all Confidential Information of Intuit, including without limitation all Intuit Personal Data.
  11. "Intuit Personal Data" means any Personal Data that is provided or otherwise made available to Company or any Sub-processor by or on behalf of Intuit or that is otherwise to be Processed by Company or any Sub-processor as part of the Services.
  12. "GDPR" means, as and where applicable: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) ("UK GDPR"), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or reenactment, to or of the foregoing. References to "Articles" and "Chapters" of, and other relevant defined terms in, the GDPR shall be construed accordingly.
  13. "Personal Data" means any information that relates to an identified or identifiable natural person or constitutes "personal data," "personal information," "personally identifiable information," or similar terms defined in Applicable Data Protection Laws.
  14. "Process" and inflections thereof means any operation or set of operations performed on data, whether or not by automated means, such as (but not limited to) collection, access, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  15. "Processor" means the entity that Processes Personal Data on behalf of the Controller, including as applicable any "service provider" as that term is defined by the CCPA.
  16. "Restricted Transfer" means the disclosure, grant of access or other transfer of Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an "EU Restricted Transfer"); (ii) in the context of the UK, any country or territory outside the UK which does not benefit from an adequacy decision from the UK Government (a "UK Restricted Transfer"); and (iii) in the context of Switzerland, a country or territory outside of Switzerland which does not benefit from an adequacy decision from the Swiss authorities (a "Swiss Restricted Transfer"), which would be prohibited without a legal basis under Chapter V of the GDPR and/or the FADP (as applicable).
  17. "SCCs" means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.
  18. "Security Incident" means: (i) any actual or reasonably suspected accidental, unlawful, or unauthorized acquisition, modification, destruction, loss, alteration, encryption, disclosure, Processing of, or access to, Intuit Confidential Information; or (ii) a "security incident," "security breach," "personal data breach," or any similar terms under Applicable Data Protection Laws affecting Personal Data. For clarity, Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Intuit Confidential Information (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
  19. "Services" means those services to be supplied to or carried out by or on behalf of Company for Intuit pursuant to the Agreement.
  20. "Sub-processor" means any third party (including, where applicable, Company's Affiliates) engaged to Process Intuit Personal Data on behalf of Company.
  21. "Supervisory Authority" (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner's Office; (iii) in the context of Switzerland and the FADP, the FDPIC; and (iv) in the context of any other Applicable Data Protection Laws, means the relevant regulatory or governmental authorities, or other public bodies, with competent jurisdiction under those laws.
  22. "UK Transfer Addendum" means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof (the "UK Mandatory Clauses").

Annex 1

Details of Processing

INTUIT DETAILS

Name: The Intuit entity who is a party to the Agreement.

Address: Unless otherwise provided to Company, the address shown in or determined by the Agreement or, if no such address is contained within the Agreement, Intuit's principal business trading address.

Contact Details for Data Protection: Intuit Security POC or any other point of contact as expressly set out in the Agreement or otherwise provided by Intuit to Company in writing from time to time.

Intuit Activities: Intuit is a global technology platform engaged in the use and receipt of the Services as part of its ongoing business operations.

Role: Controller or Processor (having regard to Section 1 of Section A).

COMPANY DETAILS

Name: The entity or other person who is a counterparty to the Agreement.

Address: Unless otherwise provided to Intuit, the address shown in or determined by the Agreement or, if no such address is contained within the Agreement, Company's principal business trading address.

Contact Details for Data Protection: Company Security POC, or any other point of contact provided by Company for the purpose of providing it with data protection related communications or alerts.

Company warrants (on an ongoing basis) that such contact details are valid and up to date and that Company will ensure relevant communications are directed to the appropriate individual within its organisation with responsibility for data protection.

Company Activities: Provision of the Services under the Agreement.

Role:
  • Processor with respect to Processing of Intuit Personal Data as part of the Services (for the purposes of this Annex 1, "Processor Processing").
  • Controller with respect to the Controller Processing.

DETAILS OF PROCESSING

Categories of Data Subjects
  Processor Processing: Any Data Subjects who are identified or identifiable by the Intuit Personal Data, which may include, having regard to the Agreement and the nature of the Services:
    • Employees, including temporary, prospective employees, relatives, guardians and associates of the data subject, existing and prospective customers, suppliers, visitors or registrants at offices, web sites and/or events, advisors, consultants and other professional experts, and/or other categories as set out in the relevant Agreement.
  Controller Processing: Intuit's employees, contractors, staff or other representatives who are natural persons.

Categories of Personal Data
  Processor Processing: Relevant Personal Data comprised in the Intuit Personal Data may include, having regard to the Agreement and the nature of the Services:
    • Personal contact details, including name, home address, home telephone or mobile number, fax number, email address, and passwords;
    • Family, lifestyle, and social circumstances, including age, date of birth, marital status, number of children and name(s) of spouse and/or children;
    • Employment details, including employer entity name, job title and function, employment history, salary and other benefits, job performance and other capabilities, education/qualification, identification numbers, and business contact details, results from background checks;
    • Administrative, audit, accounting and financial information, including tax information and bank details, information gathered in connection with investigations such as video footage and ID badge records;
    • Network, computer, email and phone or other communications or messaging systems, logs, data and files, including network traffic data and domain names of websites visited, emails and files stored in company workspaces, imaging and forensic analysis of computing resources and any data stored on those resources;
    • Personal Data about individuals named in legal matters or correspondence, or provided in connection with the provision of legal, banking, audit and/or financial services, including for conflict checking and billing purposes, financial details, goods and services provided;
    • Browser and device information, data collected through automated electronic interactions, application usage data, demographic information;
    • Geographic or geo-location information; and/or
    • Other Personal Data as set out in the relevant Agreement.
  Controller Processing: Relevant Personal Data comprised in Account Data may include:
    • Business Contact details – name, role, employer, business address, business email address, business telephone details and other business contact information.
    • Systems Authentication details – username, password, security questions and other access protocols.
    • Technological details – to the extent collected and used for information and systems security purposes, internet protocol (IP) addresses, unique identifiers and numbers (including unique identifier in tracking cookies or similar technology), pseudonymous identifiers, and internet / application / program activity data.

Sensitive Categories of Data, and associated additional restrictions/safeguards
  Processor Processing:
    Categories of sensitive data: As provided in the Agreement.
    Additional safeguards for sensitive data: See Section 2.d. of Section A (requiring additional addenda).
  Controller Processing: None.

Frequency of transfer: Ongoing.

Nature and purpose of the Processing
  Processor Processing: Processing operations relevant to the provision and/or receipt of Intuit Personal Data under the Agreement.
  Controller Processing: Processing operations relevant to permitted business/customer relationship administration, business to business marketing, systems access authentication, information and systems security, or legal, regulatory or compliance purposes.

Duration of Processing / Retention Period: For the period determined in accordance with the Agreement.

Transfers to Sub-processors: Transfers to Sub-processors are as, and for the purposes, described from time to time in the Sub-processor List (as may be updated from time to time in accordance with the DPA).

Competent Supervisory Authority
  • EU Restricted Transfers – (A) the Supervisory Authority of the EU Member State in which Intuit is established (where applicable); or (B) where Intuit is not established in an EU Member State, the Irish Data Protection Commissioner.
  • UK Restricted Transfers – the UK Information Commissioner's Office.
  • Swiss Restricted Transfers – the Swiss Federal Data Protection and Information Commissioner.

Annex 2

Technical and Organizational Measures (TOMs)

For the duration of Company's provision of Services to Intuit, Company will implement and maintain, and shall cause its Sub-processors to implement and maintain in accordance with a binding written contract, the following minimum security requirements:

1. Organization of Information Security

  1. Security Ownership. Company agrees to implement and maintain a comprehensive written information security program ("Information Security and Privacy Program") with appropriate technical, physical, and organizational measures to ensure the privacy, security, integrity, and availability of Intuit Confidential Information and to protect such information against Security Incidents. Company shall take necessary steps to ensure compliance with the terms set forth herein by its personnel and Sub-processors to the extent applicable to their scope of performance.
  2. Security Roles and Responsibilities. Company shall ensure that all information security obligations are defined and allocated in accordance with Company's approved information security policies, which shall align, at minimum, with ISO 27001 or an equivalent information security industry standard. To the extent Company does not have such policies in place, it agrees to implement the policies no later than the effective date of this Annex 2. Such policies shall be published and communicated to Company personnel and Sub-processors.
  3. Risk Management. Company shall have a risk management framework and conduct an annual risk assessment of its environment and systems to understand its risks and apply appropriate controls to manage and mitigate risks before Processing.
  4. Insurance. Company shall maintain cyber risk or similar insurance that (i) covers liability for financial losses arising out of or resulting from any Security Incident or breach of this DPA, including, without limitation, response and investigation costs, litigation defense and damages, and regulatory defense and penalties; (ii) with limits equaling at least $5,000,000 per claim or occurrence and in the aggregate; and (iii) that is primary and not in excess over or contributing with any insurance maintained by Intuit. Such insurance shall comply with any other insurance requirements as set forth in the Agreement.

2. Human Resources Security

  1. General. Company shall inform and train its personnel, and require its Sub-processors to inform and train their personnel, about relevant security procedures and their roles. Company shall further inform personnel and Sub-processors of the possible consequences of breaching Company's security policies and procedures, which must include disciplinary action, including termination of employment for Company's employees, and termination of the contract or assignment for Sub-processors.
  2. Training. Company agrees to implement its Information Security and Privacy Program and to train Company's personnel, including Sub-processors, on it in a way that produces a commercially reasonable degree of care to prevent the unauthorized collection, use, sharing, retention, destruction, and other inappropriate or prohibited use of Intuit Confidential Information, in accordance with industry best practices.
  3. Background Checks. In addition to any other terms in the Agreement related to this subject matter, Company shall perform criminal and other relevant background checks on its personnel (and any Sub-processors) in compliance with Applicable Data Protection Law(s).
  4. Credentialing and Location. Company shall ensure that access for any personnel (and any Sub-processor personnel) engaged to provide professional services to Intuit, or who have access to Intuit systems, originates only from specific locations or designated network connections approved in advance by Intuit. Company shall implement technical controls to ensure all access originates only from Intuit-approved jurisdictions as set forth in the Agreement and shall strictly prohibit the use of unauthorized VPNs, proxy servers, or other location-obfuscation technology to spoof a permitted location or circumvent geographic restrictions.

3. Asset Management

  1. Asset Inventory. Company must implement and maintain, without limitation, an asset inventory management process to identify, maintain and address required changes as outlined in ISO 27001 (or equivalent Information Security standard) asset management sections.
  2. Information Classification. Company shall classify, categorize, and/or tag Intuit Confidential Information to help identify it and to allow for access to it to be appropriately restricted.
  3. Management of IT Systems. Company shall implement and maintain assets at minimum according to the following industry standard requirements:
    1. Devices must be secured with a password/PIN screen lock with the automatic activation feature set to fifteen (15) minutes or less. Users must lock the screen or log off when the device is unattended.
    2. Devices must run an acceptable industry standard anti-malware solution. On-access scan and automatic update functionality must be enabled by Company.
    3. Company shall not accept or store Intuit Confidential Information on smartphones, tablets, USB drives, DVD/CDs, or other portable media without prior written authorization from Intuit. These devices must not be rooted or jailbroken.
    4. Company shall take measures to prevent accidental exposure of Intuit Confidential Information (e.g., using privacy filters on laptops when in areas where over-the-shoulder viewing of Intuit Confidential Information is possible).
    5. Company shall create and maintain baseline security configurations in accordance with industry standards to achieve a standardized and secure asset build. This includes restrictions on unauthorized applications and pre-configured systems with approved security software.

4. Personnel Access Controls

  1. Conditions for Access. Access to systems containing stored Intuit Confidential Information must not be granted to Company's personnel or Sub-processors unless: (i) they have a need to view or know the information in order to perform authorized work; (ii) they are trained in the proper handling of Intuit Confidential Information; (iii) they are subject to an obligation to handle Intuit Confidential Information in ways at least as restrictive as those practices outlined in the DPA and this Annex 2; (iv) their access can be uniquely identified (e.g., by a unique User ID); (v) they are required to use a password or other authorizing token configured to meet industry best practice standards; and (vi) the date, time, requestor, and nature of the access (i.e., read-only or modify) has been recorded in a log file which is maintained and preserved according to Applicable Data Protection Law(s) and commercially reasonable industry standards applicable to Company's industry.
  2. Procedures for Changing Roles. Company shall ensure that procedures are in place to modify or revoke access permissions to Intuit Confidential Information when job responsibilities change and/or the need for data access changes.

5. Access Authorization

  1. Company shall have user account creation and deletion procedures, with appropriate approvals, for granting and revoking access to Intuit Confidential Information.
  2. Company shall use an enterprise access control system that requires revalidation of its personnel's access by managers at regular intervals, based on the principle of "least privilege" and need-to-know criteria tied to job role.
  3. Company shall maintain and update a record of personnel authorized to access systems that contain Intuit Confidential Information and Company shall review users' access rights at regular intervals.
  4. Company shall maintain robust procedures for the lifecycle of access privileges, including (i) revalidating the access rights of users who undergo a change in reporting structure or job role to ensure continued "least privilege" compliance; (ii) deactivating authentication credentials that have not been used for more than ninety (90) days; and (iii) revoking access immediately, and in no event later than twenty-four (24) hours, for any personnel whose employment or engagement has been terminated.
  5. Company shall ensure that access to program source code and associated items such as software object code, designs, specifications, verification plans, and validation plans, will be restricted in order to prevent the introduction of unauthorized functionality and to avoid unintentional changes.
  6. Company shall have controls to avoid personnel assuming access rights they have not been assigned to gain unauthorized access to Intuit Confidential Information.
  7. In accordance with NIST standards, network, application, and server authentication passwords must be a minimum of 8 characters (length of fifteen (15) or more strongly recommended in accordance with industry best practices). Systems shall not impose arbitrary composition rules and periodic password changes are not required. All passwords must be checked against a blocklist of known compromised passwords and dictionary words and forced changes must occur upon evidence of compromise.

6. Authentication

  1. Company shall use industry standard practices such as then-current NIST standards or substantially equivalent standards related to information security, to identify and authenticate users who attempt to access information systems.
  2. Where authentication mechanisms are based on passwords, Company shall require passwords to conform to robust password control parameters and to be complemented by additional controls such as biometrics or multi-factor authentication, and each member of Company personnel shall have a unique and valid username.
  3. Company shall ensure that deactivated or expired identifiers are not granted to any individuals following deactivation or expiration.
  4. Company shall monitor repeated attempts to gain access to the information system using an invalid password.
  5. Company shall maintain industry-standard procedures to immediately deactivate or change passwords that have been, or are suspected to have been, leaked.
  6. Company shall use industry-standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage (e.g., passwords shall not be stored or shared in plain text). Such practices shall be designed to ensure strong, confidential passwords.
  7. Administrator Access. Where web portal services are part of the engagement, Company agrees to work together with Intuit in good faith to ensure Single Sign-on (SSO) is available and/or implemented between Company and Intuit. Administrator or Root privilege accounts should be restricted to system setup, configuration and maintenance work and not daily functions such as email, web browsing, etc.

7. Cryptography

  1. Cryptographic Controls Policy. Company agrees to: (i) adopt commercially reasonable practices with regard to encrypting Intuit Confidential Information (at a minimum, industry-standard transparent encryption techniques — full disk or database transparent encryption — must be employed to safeguard Intuit Confidential Information in Company's systems from retrieval by unauthorized persons); (ii) transmit data over secure and encrypted connections using industry-standard encryption techniques aligned to then-current NIST standards or substantially equivalent standard; and (iii) encrypt by application/field level encryption the following Intuit Confidential Information when it is stored on Company's systems:
  • Financial account numbers
  • Payment card information
  • Government issued identification numbers (e.g., Driver's license number, Social Security Number)
  • Encryption keys
  • Passwords: Whenever practicable, message digest algorithms such as SHA-256 shall be used to hash and verify the user's password, and "salt" shall be added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings.
  (iv) For all endpoints or devices (e.g. laptops, mobile devices), encryption consistent with NIST or substantially equivalent standard must be used (e.g., FileVault, Bitlocker).
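The password clauses in Section 5.7 (length floor of 8, 15 recommended, no composition rules, blocklist of compromised and dictionary passwords) and Section 7.1 (salted hashing so the same password chosen by different users yields different stored values) together describe one control. The following is an added example, not text or code from the DPA or from Intuit: it implements those minimums in Python. The blocklist is constructed sample data, and PBKDF2-HMAC-SHA256 (a salted, iterated SHA-256 construction) is this example's choice of hash rather than something the clause prescribes.

```python
"""Password policy check and salted password hashing (added example).

Implements the minimums stated in Annex 2 sections 5.7 and 7.1: a length
floor of 8 with 15 recommended, no composition rules, a blocklist check, and
salted hashing so identical passwords produce different stored records.
PBKDF2-HMAC-SHA256 is this example's hash choice; BLOCKLIST is constructed.
"""
import hashlib
import hmac
import secrets

MIN_LENGTH = 8            # hard floor from Annex 2 section 5.7
RECOMMENDED_LENGTH = 15   # "strongly recommended" length from the same clause

# Constructed sample blocklist standing in for a maintained list of breached
# passwords and dictionary words; a deployment would load a real source.
BLOCKLIST = frozenset(p.lower() for p in (
    "password", "password1", "password123", "12345678", "qwertyui",
    "letmein1", "iloveyou", "sunshine", "football", "welcome1",
))


def evaluate_password(password: str, blocklist=BLOCKLIST) -> dict:
    """Return {"accepted": bool, "violations": [...], "advisories": [...]}.

    Violations reject the password; advisories are shown to the user but do
    not block acceptance, matching the clause's "recommended" wording. No
    character-class (composition) rules are applied, as the clause requires.
    """
    violations, advisories = [], []
    # Length is counted in code points, so a multi-byte character counts once.
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) < RECOMMENDED_LENGTH:
        advisories.append(f"{RECOMMENDED_LENGTH}+ characters recommended")
    # Case-insensitive match so "Password123" is caught as well as "password123".
    if password.lower() in blocklist:
        violations.append("appears on the compromised/dictionary blocklist")
    return {"accepted": not violations, "violations": violations,
            "advisories": advisories}


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Hash with a fresh random 16-byte salt; return a self-describing record.

    Format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>. Keeping the
    parameters with the digest lets the iteration count be raised later
    without invalidating records already stored.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False  # malformed record: never accept
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    for pw in ("short", "Password123", "bluekettle", "correct horse battery staple"):
        print(pw, "->", evaluate_password(pw))
    # The same password for two users: the salt makes the stored records differ.
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    print("distinct records:", a != b)
    print("verify correct:", verify_password("correct horse battery staple", a))
    print("verify wrong:", verify_password("wrong", a))
```

The record format stores the iteration count alongside the salt so that a later increase in work factor only affects new or re-hashed records, and `hmac.compare_digest` avoids leaking where the comparison diverges through timing.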

8. Key Management

  1. Company shall assess and manage the lifecycle of cryptographic algorithms, hashing algorithms, etc., consistent with NIST or substantially equivalent standard and deprecate and disallow usage of weak cipher suites and mathematically insufficient block lengths and bit lengths.
  2. Company shall use a key management system ("KMS") that is, at a minimum, FIPS 140-2 validated (or better) for the management and storage of encryption keys.
  3. Company shall rotate encryption keys annually where reasonably practicable.

9. Physical and Environmental Security

  1. Physical Access to Facilities.
    1. Company shall limit access to facilities where systems that process Intuit Confidential Information are located to authorized individuals.
    2. Company shall define, implement, and maintain security perimeters used to protect areas that contain both sensitive or critical information and information handling facilities.
    3. Facilities shall be monitored and access controlled at all times (24x7).
    4. Access shall be controlled through key card and/or appropriate sign-in procedures for facilities with systems handling Intuit Confidential Information. Company must register personnel and require them to carry appropriate identification badges.
  2. Physical Access to Equipment. Company equipment that is located off premises shall be protected using industry-standard processes to limit access to authorized individuals.
  3. Protection from Disruptions. Company shall use industry standard systems to protect against loss of data due to power supply failure or line interference.
  4. Clear Desk. Company shall have policies requiring a "clean desk/clear screen" to ensure safekeeping of Intuit Confidential Information.
  5. Printed Material. With respect to printed material containing Intuit Confidential Information, Company agrees to: (i) store such material in secured areas with access limited to individuals with a business need to access; and (ii) dispose of such material in a secure manner, employing processes including, at a minimum, onsite shredding prior to recycling or placement in secure bins with subsequent off-site shredding by a licensed contractor.
  6. Wearables. Wearables containing camera or video recording devices (e.g., smart eyeglasses) are not permitted to access or Process any Intuit Confidential Information.

10. Operations Security

  1. Operational Policy. Compliance with industry-standard policies and all Applicable Data Protection Laws and the protection of Intuit Confidential Information requires appropriate management structure and control. Company shall maintain and adhere to written policies describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Intuit Confidential Information and to its systems and networks. Company shall ensure the policies are communicated to all persons involved in the handling of Intuit Confidential Information.
  2. Security and handling Controls. Company agrees to:
    1. Maintain, document, and make available standards and procedures to address the configuration, operation, and management of systems and networks, services, and Intuit Confidential Information.
    2. Implement standards and procedures that include security controls, identification and patching of security vulnerabilities, change control processes and procedures, problem management, and incident detection and management.
    3. Maintain logs of administrator and operator activity and data recovery events and have in place alerting triggers for any anomalous activity.

11. Communications Security and Data Transfer

  1. Company shall utilize a Data Loss Prevention (DLP) or equivalent software to detect and/or prevent any Intuit Confidential Information from being leaked intentionally or unintentionally.
  2. Networks. Company shall, at a minimum, use the following controls to secure its networks that store or process Intuit Confidential Information:
    1. Firewalls must be deployed to protect and filter malicious traffic at the perimeter of Company's datacenter(s) and Intuit Confidential Information.
    2. Company must implement intrusion prevention systems that allow traffic flowing through the firewalls and LAN to be logged and protected at all times.
    3. Access to network devices for administration must utilize a minimum of 256-bit, industry-standard encryption.
    4. Initial user passwords shall be changed during the first log-on. Company shall have a policy prohibiting the sharing of user IDs and passwords.
    5. Logical or physical segmentation shall be in place between Intuit Confidential Information and Company's other customer data.

12. Information Security Aspects of Business Continuity Management

  1. Data Backup Plan. Company will establish and maintain defined and documented procedures to create and maintain retrievable exact copies of Intuit Confidential Information, including but not limited to Intuit Content. Company shall maintain independent archival and backup copies of the Intuit Confidential Information in accordance with the same security standards provided to original, online copies. Intuit Confidential Information must be backed up regularly, at minimum once a week, preferably once every 24 hours, and the backups must be encrypted and stored in secure, environmentally controlled, limited-access facilities until such time that deletion or destruction is required under the Agreement, or this Annex 2 or the DPA.
  2. Disaster Recovery Plan. Company will establish and maintain defined and documented procedures to restore any loss of Intuit Confidential Information. Company shall review and update as appropriate such disaster recovery plans at least once annually.
  3. Business Continuity Plan. Company will establish and maintain defined and documented procedures to enable continuation of critical business processes for protection of the security of Intuit Confidential Information while operating in emergency mode. Company shall review and update as appropriate business continuity plans at least annually.
  4. Business Impact Analysis. Company will assess the relative criticality of specific applications and data in support of other contingency plan components.
  5. Annual Test. At least once annually, Company will conduct a test and evaluation of its business continuity plan(s).
  6. Availability. Upon request, but no more than once annually, Company will make its disaster recovery plan and its business continuity plan, as well as the results of its annual test and evaluation of such plans available to Intuit for review.

13. Vulnerability Management

  1. Company must:
    1. have defined responsibilities and an implementation process for vulnerability management.
    2. conduct vulnerability scans on internal assets at least every forty-five (45) days. Remediation of all vulnerabilities shall be prioritized based on criticality, applicability, and endpoint.
    3. Company shall maintain a formal patch management program in alignment with NIST SP 800-40. Vulnerabilities shall be remediated based on a Risk-Based Vulnerability Management (RBVM) approach, prioritizing assets by criticality and exploitability (e.g., CISA KEV Catalog, EPSS):
    • Critical vulnerabilities (CVSS 9.0+) shall be patched within 15 days
    • High vulnerabilities (CVSS 7.0+) shall be patched within 30 days
    • For systems subject to PCI DSS or HIPAA, all critical patches shall be applied within 30 days.

    Where a patch cannot be applied within the mandated window due to documented operational constraints, Company will implement compensating controls (e.g., network segmentation, WAF rules, or virtual patching) to reduce residual risk to an acceptable level. All exceptions and compensating measures must be documented and made available for audit upon request.
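The remediation windows and the risk-based prioritization described in this section are easy to get wrong when tracked by hand. The following is an added triage example, not code from Intuit or from this annex, that turns the stated windows (CVSS 9.0+ within 15 days, CVSS 7.0+ within 30 days, 30 days for critical patches on PCI DSS or HIPAA systems) into due dates and ranks findings KEV-first, then by EPSS, then by CVSS. It assumes that where both the CVSS window and the regulated-system window apply, the shorter one governs; the `Finding` record, the status names, and the sample data (including the placeholder CVE identifiers) are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Windows as stated in the annex.
CRITICAL_DAYS = 15            # CVSS 9.0+
HIGH_DAYS = 30                # CVSS 7.0+
REGULATED_CRITICAL_DAYS = 30  # critical patches on PCI DSS / HIPAA systems


@dataclass
class Finding:
    asset: str
    cve: str                         # placeholder ids in SAMPLE below, not real CVEs
    cvss: float
    found: date
    in_kev: bool = False             # listed in the CISA KEV catalog
    epss: float = 0.0                # EPSS probability, 0.0 to 1.0
    regulated: bool = False          # asset in PCI DSS or HIPAA scope
    patched: Optional[date] = None
    exception: Optional[str] = None  # documented compensating control, if any


def remediation_window(f: Finding) -> Optional[int]:
    """Days allowed to patch, or None when no contractual window applies (CVSS < 7.0).

    Assumption: when the CVSS window and the regulated-system window both apply,
    the stricter (shorter) one governs.
    """
    windows = []
    if f.cvss >= 9.0:
        windows.append(CRITICAL_DAYS)
        if f.regulated:
            windows.append(REGULATED_CRITICAL_DAYS)
    elif f.cvss >= 7.0:
        windows.append(HIGH_DAYS)
    return min(windows) if windows else None


def due_date(f: Finding) -> Optional[date]:
    window = remediation_window(f)
    return None if window is None else f.found + timedelta(days=window)


def status(f: Finding, today: date) -> str:
    """open / patched / patched_late / overdue / exception / untracked."""
    due = due_date(f)
    if due is None:
        return "untracked"
    if f.patched is not None:
        return "patched" if f.patched <= due else "patched_late"
    if today <= due:
        return "open"
    # Past the window: a documented compensating control is still flagged for audit.
    return "exception" if f.exception else "overdue"


def priority_key(f: Finding):
    """Sort key: KEV entries first, then higher EPSS, then higher CVSS."""
    return (not f.in_kev, -f.epss, -f.cvss)


def triage(findings: List[Finding], today: date) -> List[dict]:
    """Rank findings by exploitability and attach the due date and status of each."""
    return [
        {"asset": f.asset, "cve": f.cve, "due": due_date(f), "status": status(f, today)}
        for f in sorted(findings, key=priority_key)
    ]


# Constructed sample findings; identifiers and scores are illustrative only.
SAMPLE = [
    Finding("web01", "CVE-0000-0001", 9.8, date(2026, 4, 1), in_kev=True, epss=0.9),
    Finding("pay01", "CVE-0000-0002", 9.1, date(2026, 4, 1), regulated=True, epss=0.2),
    Finding("db01", "CVE-0000-0003", 7.5, date(2026, 3, 1), epss=0.05,
            exception="segmented VLAN plus WAF rule, ticket pending"),
    Finding("dev01", "CVE-0000-0004", 5.0, date(2026, 3, 1)),
    Finding("app02", "CVE-0000-0005", 8.0, date(2026, 3, 20), epss=0.3,
            patched=date(2026, 4, 10)),
]
REPORT_DATE = date(2026, 4, 20)

if __name__ == "__main__":
    for row in triage(SAMPLE, REPORT_DATE):
        print(row)
```

Findings below CVSS 7.0 are reported as `untracked` rather than silently dropped, so the report still shows what the contractual windows do not cover, and an overdue item with a documented compensating control is reported as `exception` rather than `patched`, which matches the annex's requirement that exceptions remain visible for audit.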

  2. Security Threats and Associated Modifications. Intuit may, from time to time, advise Company of recent security threats that have come to its attention and recommend that Company implement specific modifications to its software, policies, or procedures. To the extent such modifications are needed to comply with Company's obligations under Applicable Data Protection Law(s), the Agreement, or this Annex 2, Company agrees, within a reasonable time and no later than 3 months after the Effective Date of this DPA, to: (1) implement the recommended modifications; or (2) implement alternative modifications guaranteeing a level of protection equal to or greater than the level of protection granted by the modifications recommended by Intuit.
  3. Penetration Testing. Company agrees to, on an annual basis and after any significant changes to the environment (e.g., migration from one cloud service provider to another, a merger and/or acquisition, etc.), through an independent third-party, perform penetration testing to identify vulnerabilities and remediation steps that will increase the security of Company and the Services. Company shall provide Intuit with reputable penetration scan results, as requested by Intuit. The testing shall adhere to the following minimum requirements: the testing will include both manual and automated techniques and produce a report with findings and recommendations; and the testing scope will also include any integrations specific to the services provided under the Agreement, including but not limited to testing of API and web application services.
  4. Zero-Day Vulnerabilities. In the event Company becomes aware of a "zero-day" vulnerability that may affect information technology systems used by the Company to Process or store Intuit Confidential Information, Company agrees to notify Intuit promptly. Such notice shall include details regarding any initial mitigating compensating controls implemented and the expected remediation timeline for the deployment of a patch once available.

14. Other Information Security Controls

  1. Testing Key Controls, Systems and Procedures. Notwithstanding the minimum standards set forth in this Annex 2, Company agrees to regularly test the key controls, systems, and procedures of its Information Security and Privacy Programs to ensure such programs are properly implemented and effective in addressing the threats and risks identified, and incorporate reasonable, industry-standard, security safeguards. Tests should be conducted or reviewed by qualified independent third parties.
  2. Publicly Accessible Networks. Company shall not transmit (via email or otherwise) Intuit Confidential Information electronically over publicly accessible networks without using industry-standard encryption in transit, or another mechanism that has been mutually agreed upon in writing by Intuit and Company.
  3. Encoding Data into a URL or Logs. Intuit Confidential Information must never be transferred or shared in a URL (e.g., using a GET method) in a manner that could expose the information to third parties or cause such information to appear in log files.
  4. PCI Compliance. Solely to the extent that Company transmits or is otherwise in receipt of any card or account data used for payment (credit, debit, prepaid, stored value, gift, or chip) including, but not limited to, any card bearing the logo of one of the PCI Security Standards Council's payment brands ("Payment Card"), then, in addition to Company's obligations in the DPA, Company shall comply with any applicable industry security standards including, but not limited to, PCI DSS standards and shall provide evidence to Intuit of such compliance (1) at least once a year and (2) upon Intuit's request.
  5. Logging. Company must maintain logs from information systems, network devices, and applications for a minimum period of ninety (90) days and store log files on a centralized logging server. Company agrees that:
    1. Logs should be sufficiently detailed to assist in the identification of the source of an issue and enable a sequence of events to be recreated.
    2. Logs must record date, time, and source location (IP address/hostname) for all access attempts.
    3. Logs must capture system and network security event information, alerts, failures, events, and errors.
    4. Logs must be continually monitored, reviewed and analyzed for suspicious and unauthorized activity and to verify the integrity of the logging process.
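The logging requirements above (date, time and source for every access attempt; continual review for suspicious activity; verification of the logging process itself) can be checked mechanically. The following is an added example, not code from Intuit or from this annex. It assumes a record layout of an RFC 3339 timestamp followed by `key=value` pairs, a required field set of `host`, `src`, `user`, `action` and `result`, and a constructed sample log; the burst threshold and window are likewise assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed record layout: "2026-04-01T09:00:01Z key=value key=value ...".
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.*)$")
REQUIRED = ("host", "src", "user", "action", "result")  # assumed minimum field set


def parse_line(line: str) -> Optional[dict]:
    """Return the record's fields, or None when timestamp or a required field is missing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
    if any(key not in fields for key in REQUIRED):
        return None
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def validate(lines: List[str]) -> Tuple[List[dict], List[str]]:
    """Split lines into well-formed records and rejects that need investigation."""
    records, rejects = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejects.append(line)
        else:
            records.append(rec)
    return records, rejects


def out_of_order(records: List[dict]) -> List[int]:
    """Indexes where the timestamp goes backwards: a clock or pipeline integrity signal."""
    return [i for i in range(1, len(records)) if records[i]["ts"] < records[i - 1]["ts"]]


def failed_access_bursts(records: List[dict], threshold: int = 5,
                         window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Sources with at least `threshold` failed attempts inside any sliding window."""
    by_src = defaultdict(list)
    for rec in records:
        if rec["result"] == "failure":
            by_src[rec["src"]].append(rec["ts"])
    alerts: Dict[str, int] = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2026-04-01T09:00:01Z host=app01 src=10.0.0.5 user=alice action=login result=success
2026-04-01T09:00:05Z host=app01 src=198.51.100.7 user=admin action=login result=failure
2026-04-01T09:00:09Z host=app01 src=198.51.100.7 user=admin action=login result=failure
2026-04-01T09:00:13Z host=app01 src=198.51.100.7 user=root action=login result=failure
2026-04-01T09:00:17Z host=app01 src=198.51.100.7 user=admin action=login result=failure
2026-04-01T09:00:21Z host=app01 src=198.51.100.7 user=admin action=login result=failure
2026-04-01T08:59:59Z host=app01 src=10.0.0.9 user=bob action=restore result=success
app01 bob logged in
2026-04-01T09:01:00Z host=app01 src=10.0.0.5 user=alice action=logout
""".splitlines()

if __name__ == "__main__":
    recs, bad = validate(SAMPLE_LOG)
    print("rejected lines:", bad)
    print("out-of-order records:", out_of_order(recs))
    print("failed-access bursts:", failed_access_bursts(recs))
```

Rejected lines are returned rather than discarded because a record that lacks its source or result is itself a finding about the logging process; the backwards timestamp on the `restore` record is the kind of data-recovery event the Operations Security section asks to be logged and alerted on.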

15. Secure Disposal & Certification

  1. When deleting Intuit Confidential Information, Company (and its Sub-processors) agree to: (i) destroy hard copies and/or irreversibly delete such data from any media (including back-up copies) such that the media contains no residual data; and (ii) if necessary to ensure that it is impossible to recover any portion of the data, physically destroy any storage media used to store it and immediately provide a written certification of its compliance with these secure disposal requirements.
  2. Company must deploy and follow policies and procedures to ensure that all Intuit Confidential Information is irreversibly and securely deleted from storage media prior to the decommissioning or disposal of storage media, or prior to such media being (i) reassigned or reallocated by Company to a different environment or user, or (ii) permanently removed from Company's facilities. Company agrees to maintain an auditable program implementing the disposal and destruction requirements set forth herein and under Applicable Data Protection Law(s) for all storage media containing Confidential Information.

16. Security Incident Response Procedures

In accordance with best industry standards, Company agrees to implement and maintain written policies and procedures to detect, respond to, and otherwise address Security Incidents that: (i) monitor systems and detect successful and attempted attacks on or intrusions of Intuit Confidential Information or information systems relating thereto, (ii) identify and respond to suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (iii) restore the availability of or access to Intuit Confidential Information in a timely manner. Company shall test Security Incident procedures at regular intervals.