STANDARD TERMS AND DATA PROCESSING ADDENDUM

Between:

Penneo A/S
Reg. no. 35633766
Enghavevej 40, 4th floor
DK-1674 Copenhagen V
(hereinafter referred to as “Penneo”)

&

Customer Name
Reg. no.
Address
Postal Code and city
Country
(hereinafter referred to as the “Customer”).

Penneo and the Customer (individually referred to as a “Party” and collectively as the “Parties”) have entered into these Standard Terms (hereinafter referred to as the “Standard Terms”) and Data Processing Addendum (hereinafter referred to as “Data Processing Addendum” or “DPA”).

DEFINITIONS: 

General definitions 

  • “Agreement” refers to the Standard Terms, the Data Processing Addendum, the Order confirmation and any appendix relating to those documents.
  • “Platform(s)” refers to the digital service Platform(s), Penneo Sign and/or Penneo KYC, provided by Penneo to the Customer under the Agreement.
  • “Order confirmation” is an integral part of the Agreement and provides details on the prices, product features and additional services agreed between Penneo and the Customer.
  • The “Usage” for each Platform is determined by the subscription package and specified in the Order confirmation and/or latest invoice.

Penneo Sign 

  • “Penneo Sign” refers to Penneo’s signature platform, enabling the creation of case files and electronic signature of documents.
  • “Signature” refers to a single individual’s electronic signature applied to one document.

Penneo KYC 

  • “Penneo KYC” refers to Penneo’s Platform, enabling the secure collection and storage of identification data and related documents, supporting the Customer in performing customer due diligence processes and risk assessments.
  • “Active client(s)” refers to client relationship(s) that have been active in the Penneo KYC Platform at any time during the Subscription period.
  • “Inactive client(s)” refers to client relationship(s) that have been archived in the Penneo KYC Platform for the entire Subscription period. The data associated with the inactive client(s) will no longer be updated in the Platform.
  • “Client(s)” in Penneo KYC refers to client relationship(s) between the Customer and its client (legal entity or natural person) created in the Penneo KYC Platform. It includes both Active clients and Inactive clients.

1. SCOPE OF THE AGREEMENT

  1.1. Scope. The Agreement grants the Customer access to Penneo’s Platform(s) as described in the Order confirmation and according to the selected subscription package. The purpose of the Agreement is to set out the terms of the delivery of the Platform(s).
  1.2. Platform(s). The Platform(s) is provided as a Software as a Service (SaaS), which the Customer can reach via the internet. The Customer can connect to the Platform(s) using a web application, desktop application, Penneo’s API or through partnership integrations, depending on the subscription package.
  1.3. Customer support. Customer support is included in the subscription package and is provided primarily in English. The Customer can submit standard support requests pertaining to the Platform(s)’ usage and functionalities through an accessible ticket system. Additional support must be agreed upon in writing by both Parties and may incur additional invoicing from Penneo.
  1.4. Deviations. Any deviations to the Agreement must be stated in an appendix, which will become an integral part of the Agreement once signed by the Parties.

2. TERM AND TERMINATION 

  2.1. Subscription period. The Agreement enters into force on the date of signature of the Agreement. The Customer commits to a twelve (12)-month subscription period (hereinafter referred to as “Subscription period”) from the signature of the Agreement, or any other date agreed upon in the Order confirmation (hereinafter referred to as the “Start date”).
  2.2. Automatic renewal. Unless terminated in accordance with clause 2.4, the Agreement will automatically be renewed for an additional twelve (12)-month period, based on the Customer’s Usage at the time of renewal.
  2.3. New Order confirmation. The signature of a new Order confirmation or any agreement materially altering the Agreement will result in an adjustment to the Start date and Subscription period accordingly, unless otherwise specified in the Order confirmation.
  2.4. Termination. The Customer may terminate the Agreement by providing Penneo with at least three (3) months’ notice before the end of the current Subscription period by using the form on Penneo’s website available at https://penneo.com/contact/#manage-subscription. The termination will become effective at the end of the notice period (hereinafter referred to as the “Expiration of the Agreement”).
  2.5. Expiration of the Agreement. The Customer’s right to access and use the Platform(s) will cease upon Expiration of the Agreement. Penneo will delete the Customer’s account, and the data associated with it, ninety (90) days from the Expiration of the Agreement.

3. FEES, USAGE AND PAYMENT TERMS

  3.1. Fees. The Fees for each Subscription period are invoiced on an annual basis, based on the Customer’s Usage agreed in the Order confirmation or in accordance with clause 3.2. Any discounts in the Order confirmation only apply to the first year of the Subscription period, unless explicitly stated otherwise in the Order confirmation.
  3.2. Usage adjustments during the Subscription period. The Customer cannot downgrade the Usage during an active Subscription period. Usage can always be increased during a Subscription period by notifying Penneo and will be invoiced for the remaining Subscription period. Any exceeding Usage without prior notification will be invoiced at the end of the Subscription period.
  3.3. Usage adjustments upon renewal. The Customer may request a reduction of Usage for the next Subscription period by providing at least three (3) months’ notice before the renewal date through https://penneo.com/contact/#manage-subscription. If the reduction is less than 10% of the current Usage, the request may exceptionally be submitted up to one (1) month before the renewal date. Penneo will notify the Customer of any overuse in due time before the renewal of the Subscription period. If the Customer does not respond within one (1) month of the notification, the Usage will automatically be upgraded for the next Subscription period.
  3.4. Payment terms and invoicing. All payments are due within fourteen (14) days from the invoice date, to the bank account specified in the invoice, and must be received without any fees or costs charged to Penneo. All payments made by the Customer under the Agreement are non-refundable. The Customer agrees to receive invoices via email or through electronic invoicing using an EAN number, or an equivalent national electronic invoicing number specified by the Customer. If the Customer uses a credit card, or a similar online payment method, for the initial payment, Penneo may bill that payment method upon renewal of the Subscription period, including for unpaid fees or overuse.
  3.5. Taxes and claims. The Fees stated in the Order confirmation include all applicable taxes, excluding VAT, which will be calculated and added at the time of invoicing. The Customer cannot offset fees against claims from other legal matters.
  3.6. Late payment. In the event of late payment, Penneo reserves the right to:
    3.6.1. Apply interest at a rate of 1.5% per month on the outstanding balance, or the maximum permitted by law, whichever is lower, for each month until the full payment is received by Penneo.
    3.6.2. Deactivate the Customer’s access to the Platform(s) if payment remains overdue for twenty (20) days following Penneo’s notice to the Customer. The Customer’s access to the Platform(s) will only be restored once the full payment has been received by Penneo.
  3.7. Price adjustments.
    3.7.1. Penneo adjusts prices based on a relevant national price index. A positive index adjustment (over 0%) is calculated as the difference between the index values from November to November each year and applies automatically upon renewal the following year, with no further notice required.
    3.7.2. Penneo will notify the Customer at least four (4) months before the renewal date of any other price increase for the next Subscription period.
    3.7.3. In exceptional cases where Penneo’s supplier(s) necessary for the delivery of the Platform(s) increase(s) prices, Penneo reserves the right to adjust the price accordingly, providing justification. Penneo will notify the Customer with three (3) months’ written notice.

4. MARKETING AND COMMUNICATION BETWEEN THE PARTIES

  4.1. Reference. Penneo is entitled to use the Customer’s name, logo and other identifying details as a reference on its website and in marketing materials, unless the Customer has objected expressly and in writing.
  4.2. Service notifications. The Customer will receive notifications relevant to the use of the Platform(s) via email directed to the Customer’s users with administrative rights, or directly in the Platform(s). The Customer is responsible for maintaining an up-to-date list of users with administrative rights. A notification is considered to be received once it reaches the recipient’s email system. If access is prevented due to issues in the recipient’s email system, the recipient assumes any associated risks.
  4.3. Communication. All notices, communications and information related to the Agreement shall be delivered via email or other electronic means.

5. SECURITY MEASURES AND UPTIME

  5.1. Security measures. Penneo shall implement and maintain appropriate security measures to ensure secure and reliable delivery of the services specified in the Agreement. Penneo’s security measures shall form part of Penneo’s Information Security and Privacy Management System, which includes formal policies, clearly defined roles and responsibilities, as well as technical, organisational and physical controls. Penneo shall engage an independent auditor to audit Penneo’s Information Security and Privacy Management System. Appendix C of the DPA contains further information about the security measures implemented.
  5.2. Uptime commitment. Penneo commits to maintain an uptime of at least 99.9% on a monthly basis. Penneo maintains a publicly available website, at https://status.penneo.com/, to allow the Customer to monitor Penneo’s uptime.
  5.3. Maintenance. Scheduled maintenance that is required for operational purposes must be communicated to the Customer and is excluded from the downtime calculation in accordance with clause 5.2. Penneo shall strive to schedule such maintenance outside office hours, defined as 17:00 to 06:00 CET/CEST.

6. PROCESSING OF PERSONAL DATA

  6.1. Data Processing Addendum. Penneo and the Customer have entered into a Data Processing Addendum, as an integral part of the Agreement, for the processing of personal data.

7. RIGHT TO USE AND INTELLECTUAL PROPERTY RIGHTS

  7.1. Right to use. The Customer’s right to use the Platform(s) is non-exclusive, non-transferable and conditional upon payment and compliance with the Agreement.
  7.2. Restrictions. The Customer is prohibited from engaging in any misleading, unethical, fraudulent or illegal activities in connection with the Platform(s), or from using the Platform(s) to store or transmit any material containing illegal or unethical content.
  7.3. Intellectual property rights. Penneo retains all intellectual property rights in the Platform(s). The Customer shall respect all intellectual property rights associated with the Platform(s) and is responsible for any infringements of those rights by its employees or third parties.
  7.4. Product feedback. If the Customer provides feedback, suggestions or comments regarding Penneo’s Platform(s) and services (the “Feedback”), the Customer hereby grants Penneo a perpetual, irrevocable, transferable, royalty-free, global licence to exploit and incorporate the Feedback into the Platform(s).

8. CONFIDENTIALITY 

  8.1. Definition. Confidential Information means any information disclosed by one Party (the “Disclosing Party”) to the other Party (the “Receiving Party”) under or in connection with the Agreement and the delivery of the Platform(s) that should reasonably be considered confidential due to its nature and the circumstances of disclosure (hereinafter referred to as “Confidential Information”).
  8.2. Duty of confidentiality. The Receiving Party may only use Confidential Information in accordance with the Agreement and may not disclose such information to third parties, both during and after the term of the Agreement, unless authorised in writing by the Disclosing Party.
  8.3. Exclusion. The duty of confidentiality does not apply to information that (a) was already known to the Receiving Party prior to the Agreement, (b) becomes publicly available through no fault of the Receiving Party, (c) is received from a third party without breach of confidentiality obligations, or (d) is required to be disclosed by law, by court order or by order of a public authority.

9. MATERIAL BREACH OF THE AGREEMENT 

  9.1. Notification of breach. If either Party materially breaches the terms of the Agreement, the non-breaching Party shall notify the breaching Party via email without undue delay. If the breaching Party has not remedied a material breach within ten (10) business days from the notice, the non-breaching Party may terminate the Agreement immediately.
  9.2. Consequences. In case of the Customer’s material breach, Penneo is entitled to retain the full payment for the Subscription period during which the breach occurred, regardless of when the Agreement is terminated. In case of Penneo’s material breach, the Customer may request a refund for payments made from the date of the breach notice to Penneo, in accordance with clause 9.1.

10. LIABILITY 

  10.1. Liability. Each Party is liable for damages caused to the other Party, except as limited below. These limitations do not apply in case of gross negligence or intentional misconduct by the responsible Party.
  10.2. Indirect and consequential loss. Penneo disclaims liability for indirect or consequential loss, including, but not limited to, operational losses, lost profit and loss of the Customer’s goodwill.
  10.3. Unilateral changes. Penneo disclaims liability for any damages resulting from unilateral changes made by the Customer or any third party to the Platform(s), such as additional features, integrations or removal of settings, without Penneo’s prior approval.
  10.4. Liability cap. Except for product liability covered by clause 10.5, Penneo’s liability arising from the Agreement will be limited to the lower of these amounts:
    • EUR 3,500 (or the equivalent amount calculated according to the exchange rate at the time of the damage) per total loss per Subscription period.
    • The amount paid by the Customer to Penneo for the Subscription period during which the damage occurred.
  10.5. Product liability. Penneo maintains customary and adequate product liability insurance at a minimum of 15,000,000 DKK. Any claims for product liability under the Agreement are limited to the coverage amount provided by the insurance.
  10.6. IP indemnification. The Parties agree to fulfil their obligations under the Agreement without infringing on any third party’s Intellectual Property Rights. If a Party fails to do so, it shall: (a) defend the other Party against third-party claims of Intellectual Property infringement arising from its use of the Platform(s) or performance under the Agreement; and (b) indemnify and reimburse the other Party for any resulting damages, fines or costs, provided the claim arises from its actions, omissions or responsibilities.

11. FORCE MAJEURE

  11.1. Force majeure. If Penneo is unable to fulfil its obligations under the Agreement due to a force majeure event, it will promptly notify the Customer. Force majeure refers to circumstances beyond Penneo’s control that cannot be mitigated through reasonable financial and/or practical measures, including but not limited to war, mobilisation, terrorist attacks, failure or breakdown of public electricity supply, strikes, pandemics, fires or flooding.
  11.2. Consequence of force majeure. Neither Party shall be liable for any damages arising from force majeure. If the Platform(s) remain inaccessible due to force majeure for more than thirty (30) consecutive days, either Party may terminate the Agreement in writing, without any claims against the other Party.

12. DISPUTES 

  12.1. Applicable law. The Agreement, and any dispute arising from the Agreement, is governed by Danish law.
  12.2. Jurisdiction. In the event of a dispute arising from the Agreement, the Parties agree to attempt to resolve the matter through good-faith negotiations. If an amicable resolution cannot be reached, any dispute shall be submitted to the exclusive jurisdiction of the City Court of Copenhagen as the court of first instance.

13. OTHER PROVISIONS

  13.1. Updates. The Customer will be notified by email of any updates to the Standard Terms and Data Processing Addendum at least three (3) months before the changes become effective.
  13.2. Enforceability. If any provision of the Agreement is found to be illegal, invalid or unenforceable, it shall be enforced to the fullest extent permitted by law to reflect the original intent of the Parties. The invalidity of any provision will not affect the validity or enforceability of the remaining provisions.
  13.3. Survival of provisions. Any provision of the Agreement intended to survive termination, in whole or in part, shall remain valid, binding and enforceable on the Parties beyond the termination of the Agreement.

DATA PROCESSING ADDENDUM (DPA)

BETWEEN 

Penneo A/S (Data Processor)

AND 

The Customer (Data Controller)

The Customer and Penneo have entered into an agreement on Penneo’s standard terms for the delivery of digital Platform(s). This Data Processing Addendum (hereinafter referred to as “Data Processing Addendum” or “DPA”) is an integral part of the Agreement and defines the terms related to the processing of personal data and contains the following appendices:

  • Appendix A contains details about the processing of personal data, including the purpose and nature of the processing, the types of personal data and the categories of data subjects.
  • Appendix B contains the Customer’s conditions for Penneo’s use of sub-processors and a list of sub-processors authorised by the Customer.
  • Appendix C contains the Customer’s instructions with regard to the processing of personal data, the minimum security measures to be implemented by Penneo and how audits of Penneo and any sub-processors are to be performed.

1. SCOPE, TERM AND PARTIES

  1. Processing instructions. Penneo will process the Customer’s data, which will include personal data, as Data Processor on behalf of the Customer for the purpose of delivering the Platform(s). The data will only be processed in accordance with the instructions of the Customer, as the Data Controller.
  2. Deletion. Penneo will process the Customer’s data, including personal data, for the duration of the Agreement between Penneo and the Customer. Penneo will delete all of the Customer’s data, including personal data, ninety (90) days after the Expiration of the Agreement. No processing or conversion of data after termination is made by Penneo.
  3. Contact. The Customer may direct questions related to this DPA to Penneo’s DPO at compliance@penneo.com

2. CONFIDENTIALITY

  1. Confidentiality. Penneo must treat the Customer’s data processed under the Agreement between the Customer and Penneo as confidential information. Penneo must ensure that all employees are bound by a confidentiality agreement that remains valid beyond the term of their employment.

3. LEGAL BASIS OF PROCESSING

  1. Legal basis of processing. Each Party must ensure that the processing of data for which it acts as data controller has a legal basis and complies with the General Data Protection Regulation (hereinafter referred to as “GDPR”) and the relevant national data protection regulations.

4. SECURE PROCESSING

  1. Security measures. Penneo has implemented security measures that shall sufficiently protect the integrity and confidentiality of the Customer’s data. Penneo shall also ensure the availability of the data in the Platform(s).
  2. Security incident. Penneo must notify the Customer without undue delay and, where feasible, no later than thirty-six (36) hours after becoming aware of a Security Incident. A Security Incident is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Customer’s data processed by Penneo and/or its sub-processors.
  3. Reporting. Penneo must assist the Customer in meeting the Customer’s obligation to report to the relevant data protection authority within seventy-two (72) hours.

5. SUB-PROCESSING

  1. General authorisation. Penneo has the Customer’s explicit and general authorisation for the engagement of sub-processors. Penneo must have a written agreement with each sub-processor, ensuring that the sub-processor complies with the provisions of EU legislation and the provisions outlined in this DPA. Penneo remains responsible to the Customer if a sub-processor fails to meet its data protection obligations for the processing activities under the Agreement.
  2. Sub-processor list. Penneo maintains an up-to-date list of its sub-processors that is publicly available at https://penneo.com/subprocessors/.
  3. Notice of new sub-processors. Penneo will notify the Customer in writing of any intended changes regarding the addition or replacement of sub-processors at least thirty (30) days in advance.
  4. Objection to new sub-processors. During the thirty (30) day notice period, the Customer may object in writing to the introduction of a new sub-processor, leading to the termination of the Agreement in accordance with clause 2.4 of the Standard Terms.
  5. Third countries. Any transfer of personal data to third countries may only be made by Penneo on the basis of documented instructions from the Customer, and must always be made in compliance with Chapter V of the GDPR.

6. ASSISTANCE AND COOPERATION OBLIGATIONS

  1. Data subjects’ rights. Penneo will assist the Customer, as far as possible, in meeting its obligations to address data subject rights requests.
  2. Cooperation obligations. Upon the Customer’s reasonable request, Penneo will provide reasonable assistance to the Customer in fulfilling the Customer’s obligations under the GDPR, provided that the Customer cannot reasonably fulfil such obligations independently with the help of the documentation already made available by Penneo.

7. ERASURE AND RETURN OF DATA

  1. During the Subscription period. The Customer can access, rectify, retrieve and delete data through the features available in the Platform(s) during the Subscription period.
  2. Upon Expiration of the Agreement. Penneo will delete all of the Customer’s data that Penneo stores in the role of Data Processor, including personal data, ninety (90) days after the Expiration of the Agreement.

8. AUDIT

  1. Audit reports. Penneo regularly undergoes audits performed by independent third-party auditors. Upon request, Penneo will provide the Customer with relevant documentation to verify Penneo’s compliance with best practices in information security and privacy measures. Penneo will provide additional information upon reasonable request, either in writing or verbally.
  2. On-site audit. If the audit reports do not reasonably meet the Customer’s compliance requirements, the Customer may request that an independent third-party audit be conducted. The additional audit will be carried out at the Customer’s expense, and the auditor must be mutually approved by the Customer and Penneo. The audit must occur during regular business hours and may not disturb Penneo’s daily operations. The Customer must provide Penneo with written notice at least ninety (90) days prior to the audit.

APPENDIX A – INFORMATION ABOUT THE PROCESSING 

A.1. Penneo Sign 

  1. Purpose and nature of processing: deliver the Penneo Sign Platform to the Customer, in accordance with the Agreement. Penneo does not sell, trade, or otherwise attempt to monetise the Customer’s data in any way. 
  2. Categories of data subjects: 
    1. Customer’s users of the Platform.
    2. Recipients of Case files.
  3. Categories of data processed: 
    1. Requires processing of personal data as defined in Article 4(1) of the GDPR.
    2. Does not require processing of personal data as defined in Article 9(1) and 10 of the GDPR. The Customer can use Penneo Sign to process such data.
  4. Types of data processed:
    1. Required data: full name, email address, IP address.
    2. Optional (as defined by the Customer’s user): job title, phone number, electronic ID information, National identification number. 

A.2. Penneo KYC

  1. Purpose and nature of processing: deliver the Penneo KYC Platform to the Customer, in accordance with the Agreement. Penneo does not sell, trade, or otherwise attempt to monetise the Customer’s data in any way. 
  2. Categories of data subjects: 
    1. Customer’s users of the Platform.
    2. Customer’s clients’ (both active and inactive) contact persons, representatives, beneficial owners, or other natural persons acting on behalf of the client.
  3. Categories of data processed:
    1. Requires processing of personal data as defined in Article 4(1) of the GDPR.
    2. Does not require processing of personal data as defined in Article 9(1) and 10 of the GDPR. The Customer can use Penneo KYC to process such data.
  4. Types of data processed:
    1. Customer’s Users: full name, job title, email address, phone number, profile picture. 
    2. Customer’s client’s participants, depending on the Customer’s preferences in the Platform: contact information (e.g. email address and phone number), job title, identification data (e.g. full name, date and place of birth, nationality, residential address), identification documents (e.g. copies of national ID, passport, driver’s licence and similar), electronic ID information, PEP status and family relations.

APPENDIX B – SUB-PROCESSORS

  B.1. Upon entering the Agreement with Penneo, the Customer authorises the use of the sub-processors listed at: https://penneo.com/subprocessors/
  B.2. New sub-processors can only be added in accordance with clause E in the Data Processing Addendum.

APPENDIX C – SECURITY OF PROCESSING 

Penneo operates an Information Security and Privacy Management System to ensure the confidentiality and integrity of the processed data, as well as ensuring the availability and resilience of the Platform(s). Penneo determines the technical and organisational security measures required to establish the necessary level of information security. In any event, and as a minimum, Penneo ensures that the following security measures have been implemented:

C.1. Governance & Risk Management

Penneo’s information security and privacy policy has been approved by the management and is reviewed at least once a year. Penneo has also established a risk management procedure for identifying, assessing and addressing relevant risks. Both internal and external threats and vulnerabilities are considered in relation to the data processed and stored in Penneo’s Platform(s) on behalf of customers. Penneo has internal communication and reporting channels to ensure that executive management and the Board of Directors can take informed decisions.

C.2. External audit

Penneo engages an external auditor to conduct regular audits of Penneo’s Information Security and Privacy Management System, following best practices in accordance with ISO 27001 and ISO 27701 standards. 

C.3. Access rights and confidentiality

Penneo has implemented a formal Access Management policy ensuring that access rights to the Platform(s) as well as internal systems follow the “least privilege” and “need to know” principles. Penneo has implemented access management in its joiner, mover and leaver processes and uses two-factor authentication and single sign-on to further protect access to the systems used within the organisation.

Access to the Platform(s)’ production environments is further restricted by additional technical measures, such as two-factor authentication, VPN, role-based access and unique user accounts. Access rights are reviewed at least annually. Penneo’s laptops are protected using passwords and a screen lock policy, and have hard disk encryption enabled.

C.4. Awareness and training

All new employees at Penneo must complete compliance awareness training covering information security and privacy practices and principles. In addition, all employees must complete an awareness training annually. Penneo provides role-specific training for employees, focusing on areas such as engineering best practices, information security and privacy.

C.5. Secure development and operations

Penneo has implemented a formal Software Development Life Cycle policy to ensure secure development. This includes defined measures such as forced peer review on code changes in production. Logically separated environments and micro-segmentation ensure that development and testing occur in non-production environments. This also ensures that components and data processed in production are protected. Customer’s data processed in the Platform(s) is stored in data centers in the EU.

C.6. Business continuity and disaster recovery

Penneo takes daily backups of storage and databases as part of its business continuity planning. Penneo has a disaster recovery plan, tested at least annually, ensuring that Penneo is ready to restore the Platform(s) and the Customer’s data in case of a disaster scenario. Post-test analysis is carried out to ensure continuous improvement of the business continuity management and disaster recovery plan.

C.7. Cryptography

The Customer’s data processed in the Platform(s) is encrypted in transit using TLS 1.2 or higher and at rest. Penneo ensures that employee laptops have hard disk encryption enabled.

C.8. Vendor management

Penneo has a Vendor Management policy to ensure that only trusted and reliable vendors are used to support Penneo’s organisation and Platform(s). Penneo performs an information security and privacy review of all vendors. Penneo also monitors the compliance of sub-processors authorised to process Customer’s data in the Platform(s). At least once a year, Penneo will request and review relevant compliance documentation from the sub-processors.

C.9. Vulnerability management

Penneo monitors vulnerabilities at the technical, legal and compliance levels. Penneo’s Legal and Compliance team continually assesses the privacy and information security landscape to ensure ongoing organisational compliance, including adherence to regulations such as the GDPR. Penneo’s Product and Engineering team monitors the landscape for technical vulnerabilities to ensure any relevant vulnerabilities are addressed in a timely and appropriate manner. Penneo also engages external security penetration testers, at least annually, to test for vulnerabilities in the Platform(s).

Standard Terms and Data Processing Addendum, Vers. 6.0.1. – Updated: 6th of January 2025