Data Processing Agreement with Standard Contractual Clauses

Last modified: December 16, 2022

This Data Protection Agreement with Standard Contractual Clauses (“DPA”) forms part of the PerimeterX Subscription Agreement or other written or electronic agreement that expressly references this DPA ("Agreement") between PerimeterX, Inc. (“PerimeterX”) and Subscriber for the purchase of website security and monitoring services (“Services”) identified in an ordering document Subscriber has signed with PerimeterX (“Order Form”). By signing the Order Form, Subscriber enters into this DPA on behalf of itself and, to the extent required under applicable Data Privacy Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent PerimeterX processes Personal Data for that Authorized Affiliate. For the purposes of this DPA only, and except where indicated otherwise, the term "Subscriber" shall include Subscriber and Authorized Affiliates. All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement.

SCHEDULE A: APPLICABLE STANDARD CONTRACTUAL CLAUSES AND SUPPLEMENTAL TERMS

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

The exporter (Controller) is Subscriber and Subscriber’s contact details and signature are as provided in the Agreement.

Data importer(s):

The importer (Processor) is PerimeterX and PerimeterX’s contact details and signature are as provided in the Agreement.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

An identifiable or identified natural person (“User”) who uses the Subscriber “Websites” and/or “Apps” (as defined and identified in the Order Form).

Categories of personal data transferred:

For PerimeterX’s Bot Defender Solution: Data Importer may process certain information about how a User uses the Subscriber Websites or Apps, including a User’s Internet Protocol (IP) address and other user engagement and interaction metrics and other statistics. For PerimeterX’s Account Defender solution, Data Importer may process name, email address, usernames, passwords and other login credentials, as well as the categories of Personal Data identified above for Bot Defender.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

No such data will be processed.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

PerimeterX shall process Personal Data in its provision of Services on a continuous basis pursuant to the terms of the Agreement.

Nature of the processing:

PerimeterX shall process Personal Data in its provision of Services pursuant to the terms of the Agreement.

Purpose(s) of the data transfer and further processing:

The transfer is made for the purpose of providing Services to Subscriber pursuant to the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

PerimeterX shall process Personal Data in its provision of Services for a term outlined in the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

The subject matter, nature and duration of the processing of Personal Data by PerimeterX’s Subprocessors is the same as for PerimeterX, as outlined above.

(c) In Annex 1.C of the EU SCC: The competent supervisory authority shall be the supervisory authority applicable to Subscriber in its EEA country of establishment or, where it is not established in the EEA, in the EEA country where its representative has been appointed pursuant to Article 27(1) of Regulation (EU) 2016/679.

ANNEX II

Data Importer will at a minimum institute the technical and organizational measures to ensure a level of security appropriate to the risk, as is required in Art. 32 of the GDPR. Data Importer will comply with strict internal controls in line with industry best practices, such as SOC2 guidelines and ISO 27001 guidelines. Data Importer will implement security controls in the form of mandatory policies and procedures to be followed by all Data Importer employees who have access to Data Exporter's data.

Data Importer will have, where appropriate: measures of pseudonymization and encryption of Personal Data; measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services; measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing; measures for user identification and authorization; measures for the protection of data during transmission; measures for the protection of data during storage; measures for ensuring physical security of locations at which Personal Data are processed; measures for ensuring events logging; measures for ensuring system configuration, including default configuration; measures for internal IT and IT security governance and management; measures for certification/assurance of processes and products; measures for ensuring data minimization; measures for ensuring data quality; measures for ensuring limited data retention; measures for ensuring accountability; and measures for ensuring erasure.

SCHEDULE B: SUBPROCESSORS

https://www.perimeterx.com/legal/subprocessors/