Data Processing Addemdum

1. Definitions

For the purposes of this Data Processing Agreement, the following terms shall have the meaning provided below:

• Data Controller, Data Processor, Data Protection Officer, Data Subject, Personal Data, Personal Data Breach, Processing and Supervisory Authority shall have the same meaning as found in the GDPR.
• Data Protection Legislation shall mean the GDPR and any other applicable national implementing law as amended from time to time, as well as any other applicable law concerning the processing of personal data and privacy.
• Data Subject Request shall mean a request by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation regarding their Personal Data.
• GDPR shall mean the General Data Protection Regulation (Regulation (EU) 2016/679).
• Protective Measures shall mean appropriate technical and organisation measures to ensure a level of security appropriate to the risk, which may include, but are not limited to, the pseudonymisation and encrypting of Personal Data, ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner in the event of an incident and regularly testing, assessing and evaluating the effectiveness of the measures adopted.
• Sub-processor shall mean any vendor appointed to process Personal Data on behalf of Fast Track related to this Agreement.

All other capitalised terms shall have the same meaning provided in the Agreement.

2. Processing of Personal Data

1. The Parties acknowledge that, for the purposes of the Data Protection Legislation, the Client is the Data Controller and Fast Track is the Data Processor. The processing of Personal Data that Fast Track is authorised to perform is exhaustively listed in Schedule A and may not be determined or amended by Fast Track at any time. Fast Track may only process the Personal Data, including in respect of international transfers, in line with the written instructions of the Client and may not use the Personal Data for its own purposes unless Fast Track is required to do otherwise by Law.
2. Provided that if so required and permissible at law, Fast Track shall notify the Client, without delay, prior to processing such data.
3. The Client agrees to share the personal data detailed in Schedule A with Fast Track in order for the agreed processing to take place, as required for the provision of the services as detailed in the Main Agreement.
4. Fast Track shall comply with all applicable Data Protection Legislation in the processing of the Client’s Personal Data.
5. Fast Track shall notify the Client immediately if it considers that any of the instructions infringe Data Protection Legislation.
6. The Client shall be responsible for notifying Data Subjects of a data breach or for a request form the Data Subject themselves or from a corresponding provision of an otherwise applicable national data protection law.
7. The Client agrees and warrants that it shall comply fully with the terms of the GDPR and shall ensure that the Personal Data that it supplies or discloses to Fast Track has been obtained fairly and lawfully and in accordance with the provisions of the Data Protection Legislation.

3. Protective Measures

1. Fast Track shall ensure that Protective Measures, which are in line with the requirements of Article 32 of the GDPR and detailed in Schedule C are in place to appropriately protect against a Personal Data Breach, having taken into account the:
   • nature of the data to be protected;
   • harm that might result from a Personal Data Breach;
   • state of technological development; and
   • cost of implementing any measures.
2. In determining the appropriate level of Protective Measures, Fast Track shall take into account the risks that are presented by the Processing taking place and in particular from a Personal Data Breach.

4. Fast Track Personnel

1. Fast Track shall ensure that Fast Track personnel do not process Personal Data except in accordance with this Agreement and that all reasonable steps are taken to ensure the reliability and integrity of any Fast Track personnel who have access to the Personal Data, particularly that they:
   • are aware of and comply with Fast Track’s duties under this Agreement;
   • are subject to appropriate confidentiality undertakings, or professional or statutory obligations of confidentiality with Fast Track;
   • are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Client or as otherwise permitted by this Agreement; and
   • have undergone adequate training in the use, care, protection and handling of Personal Data.
2. Fast Track shall limit access to the Client’s Personal Data to those employees that need to know or access the Personal Data as is strictly necessary for the purposes of the main Agreement between the Parties.

5. International Data Transfers

1. Fast Track shall not transfer Personal Data outside of the EEA unless the prior written consent of the Client has been obtained and the following conditions are fulfilled:
   • Fast Track complies with the general conditions laid down in relation to such transfers (in accordance with GDPR Article 44);
   • Fast Track complies with its obligation to provide appropriate safeguards, which safeguards shall ensure the availability of enforceable Data Subject rights and of effective legal remedies (in accordance with GDPR Article 46);
   • All transfers take place with appropriate security measures in place to protect the personal data; and
   • Fast Track complies with any reasonable instructions notified to it in advance by the Client with respect to the transfer of the Personal Data.

6. Sub-Processing

1. The sub-processors which Fast Track uses as of the date of this Agreement for the processing of Personal Data in accordance with this Agreement are exhaustively listed in Schedule B attached to this Agreement, as may be amended or updated from time to time upon notification to the Client.
2. Prior to Fast Track engaging a Sub-processor to process any Personal Data related to this Agreement, Fast Track must:
   • carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Personal Data required by applicable Data Protection Legislation;
   • notify the Client, in writing, of the intended Sub-processor, processing and any international data transfers and obtain the written consent of the Client to do so;
   • enter into a written agreement with the Sub-processor, applying the same data protection obligations set out in this Agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures to meet the security requirements of Article 32 of the GDPR; and
   • incorporate the European Commission Standard Contractual Clauses into any agreement with a sub-processor when an international transfer is taking place to a country not providing adequate safeguards
   • provide the Client with such information, regarding the Sub-processor, as it may reasonably require.

     </ul>
   </li>
   <li>Fast Track shall remain fully liable for all acts or omissions of any Sub-processor.</li>
   

7. Notification

1. Fast Track shall notify the Client without delay if it:
   • becomes aware of a Personal Data Breach;
   • receives a Data Subject Request;
   • receives any other request, complaint or communication relating to the Parties’ obligations under Data Protection Legislation;
   • receives any communication from any Supervisory Authority or any other regulatory authority in connection with Personal Data processed under this Agreement; or
   • receives a request from any third party for the disclosure of Personal Data.
2. Provided that the obligation to notify shall include the prompt provision of further information to the Client, upon the Client’s request.
3. Fast Track shall not respond to any such requests, except on the documented instructions of the Client, unless Fast Track is obliged to respond by law, in which case Fast Track shall notify the Client of that obligation before responding to the request.

8. Assistance

1. Fast Track shall, taking into account the nature of the processing, provide the Client with reasonable assistance in relation to the Client’s obligations under Data Protection Legislation to respond to requests for exercising Data Subject rights and to security, breach notifications, and consultations with supervisory authorities, insofar as possible and as may reasonably be required by the Client and applicable Data Protection Legislation, including by promptly providing:
   • the Client with full details and copies of the complaint, communication or request;
   • such assistance as is reasonably requested by the Client to comply with any request made by a Data Subject exercising their rights within the relevant timescales set out in the Data Protection Legislation, including but not limited to access, rectification, or deletion of data;
   • the Client, at its request, any Personal Data it holds in relation to a Data Subject;
   • full assistance to the Client in ensuring compliance with Articles 32-36 of the GDPR regarding security of personal data and data breaches;
   • assistance as requested by the Client with respect to any request from any Supervisory Authority, or any consultation between the Client and any Data Protection Supervisory Authority.
2. Fast Track shall, in accordance with its legal obligations as Data Processor and at no additional charge, expense or fee to the Client, provide all reasonable assistance to the Client in the preparation of any privacy impact assessment prior to the commencement of any processing activities. Such assistance may, at the Client’s discretion, include but may not be limited to:
   • a systematic description of the envisaged processing operations and the purpose of the processing;
   • an assessment of the necessity and proportionality of the processing operations in relation to the services;
   • an assessment of the risks posed to the rights and freedoms of the Data Subjects;
   • the measures envisaged to address the risks and ensure the protection of Personal Data, including safeguards, security measures and mechanisms.

9. Record Keeping

1. In line with their legal obligations as a Data Processor, Fast Track shall maintain complete and accurate records and information to meet the requirements of Article 30(2) of the GDPR and as evidence of meeting the requirements of Article 28 of the GDPR. Fast Track shall also provide these records to the Client upon request.

10. Audits

1. Fast Track shall allow for and contribute to audits of its Processing activity by the Client or the Client’s designated auditor.
2. The Client shall give Fast Track reasonable notice of any audit and shall reasonably avoid causing any disruption to Fast Tracks operations, equipment, premises, and personnel while the audit is being carried out.
3. Fast Track need not give access to its premises for the carrying out of such an audit:
   1. Outside normal business hours at those premises, unless the audit needs to be conducted on an emergency basis and the Client has given notice to Fast Track that this is the case prior to the commencement of the audit outside normal business hours;
   2. For the purposes of more than one audit, in respect of Fast Track, in any calendar year, except for any additional audits which:
      1. the Client reasonably considers necessary because of genuine concerns as to Fast Track’s compliance with this Agreement; or
      2. the Client is required or requested to carry out by Data Protection Legislation, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Legislation in any country or territory, or
      3. where the Client has identified its concerns or the relevant requirement or request in its notice to Fast Track of the audit.

11. Deletion and Return of Data

1. Within ten (10) days of the termination date of this Agreement the Client may, in its absolute discretion and by written notice, request Fast Track to:
   • return a complete copy of all Client Personal Data to the Client by secure file transfer in such format as is reasonably notified by the Client; and/or
   • delete and procure the deletion of all other copies of Personal Data processed by Fast Track and any other contracted Sub-processor.
2. Fast Track is to comply with such request within forty (40) days of the termination date of this Agreement and provide a certificate of destruction to confirm the deletion. Fast Track is also required to ensure that any Sub-processor that is engaged deletes or returns Personal Data.
3. Fast Track and each contracted Sub-processor may nonetheless retain Personal Data to the extent required by Data Protection Legislation and any other applicable law to the extent and for such period as required by virtue of such laws and always ensuring the confidentiality of such data. Fast Track will notify the Client if this clause applies on receipt of a written notice as detailed under 11.1.

12. Agreement

1. This Agreement expressly replaces and supersedes any and all other agreements, oral or written, between the Parties hereto with respect to the subject matter hereof.

13. Amendments

1. The Client may, at any time, with no less than thirty (30) working days’ notice, revise this addendum by replacing the terms with applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme or those set by a relevant Supervisory Authority.
2. The Parties agree to take account of any guidance issued by the European Data Protection Board (EDPB) and any other relevant Supervisory Authorities. The Client may, with no less than thirty (30) working days’ notice to Fast Track, amend this Agreement to ensure that it complies with any such guidance issued.

14. Data Protection Officer

1. Fast Track shall, where required, appoint a Data Protection Officer (DPO) and provide the Client the contact details of such person. The transmission of any communication between the Parties related to the Personal Data should be performed by e-mail.
2. If Fast Track is not required to appoint a Data Protection Officer, Fast Track will still provide details for a contact person for data protection issues.
3. The Client must appoint a DPO and forward contact details to Fast Track
4. Fast Track has appointed a DPO/responsible person for Data Protection matters, who may be contacted on [email protected].

15. Term and Termination

1. This Agreement shall enter into force concurrently with the Agreement and shall thereafter remain in force as long as the Agreement remains in force. This Agreement shall terminate, without notice, concurrently with the Agreement, regardless of the reason, save for those clauses which have been expressly stipulated to survive termination.

16. Liability

1. The Parties liability for damages as a result of breaches of this Agreement is, unless otherwise expressly stated, subject to the same limitations of liability as set forth in the Agreement. In case of multiple claims for damages under this Agreement and the Service Agreement, such liability shall be cumulative in relation to the maximum liability.
2. Nothing contained within this Agreement relieves Fast Track of their own direct responsibilities and liabilities as a Data Processor under Data Protection Legislation.

17. Costs

1. Each Party is responsible for its own costs in relation to the preparation and performance of this Agreement, including but not limited to fees and costs for its own representatives, advisors, brokers and other intermediaries and authorities.

18. Severability

1. If any provision, in whole or in part, of this Agreement shall be held by a court of competent jurisdiction to be illegal, invalid or unenforceable, then the provision in question shall be deemed null and void whilst remaining provisions shall continue in full force and effect.
2. The Parties shall, without delay, agree on a replacement provision that, as far as legally possible, achieves the same or commercially similar effect as the invalidated provision.

19. Disputes and Governing Law

1. The parties to this Agreement hereby submit to the choice of law and jurisdiction stipulated in the Agreement with respect to any disputes or claims arising under this Agreement and any dispute under this Agreement, the Agreement or under both shall be finally settled in the same proceedings and, if applicable, by the same arbitrators.
2. This Agreement has been prepared in two originals of which the Parties have each received one.

Schedule A - Instructions

Processing, Personal Data and Data Subjects

The Contractor shall comply with any further written instructions with respect to processing by the Customer.

Any such further instructions shall be incorporated into this Schedule.

Description	Details
Subject matter of the processing	Fast Track is providing a platform to the Client which provides access, in real time, to data concerning registration, deposit, log in, player bets, the result of a bet and other transactional data on its end users, to allow the Client to efficiently manage segment and communicate with such end users.
Duration of the processing	For the Term of the Agreement.
Nature and purposes of the processing	The Client will transfer the personal data to Fast Track, Fast Track will not perform any data collection. All personal data containing contact data will be transferred securely using server-to-server communication in the integration layer. New transactions and events will be transferred to Fast Track in real time. Historical data (transactions such as deposits, withdrawals, bets placed) may be migrated from time to time and will be transferred via secure FTP upload, imported once to Fast Track and then the source file will be destroyed. Fast Track will not be collecting any data on their own and will solely depend on the data provided by the Client. The Client will be using Fast Track platform to orchestrate various marketing activities, this will include but not be limited to crediting rewards, sending emails, sending SMS, sending push notifications or on site notifications. Contact data and marketing consents are required to carry out these operations. The Client will be using Fast Track platform to send information such as account changes and transactional information, this could include but not limited to email activations, reset password requests, information on changes to account, information about approved / declined transactions. Contact data such as email and phone number and marketing consents is required to carry out these operations. Fast Track platform will in real time process transactional data and the Client may act in real time, based on such data engage the customer, and/or notify internal teams. The Client will transfer marketing consent changes in real time. Fast Track may record marketing consents updates from emails, in such case Fast Track will update internal records and notify the Client about any consent changes in real time.
Type of Personal Data	Email address, phone number, marketing consent, age, birthday, first name, last name, country, physical address, transactional data (deposits and withdrawals), transactional data relating to spins or bets made, bonus and rewards information, blocked / self exclusion statuses, registration date, affiliate reference, dates of transactions, device usage, current balance.
Categories of Data Subject	Customers of the Client.
Plan for return and destruction of the Personal Data once the processing is complete	In accordance with Clause 11 of this Agreement, Fast Track shall comply with a request to return and/or delete any and all copies of Client Personal Data within 40 days of such request, ensuring the same with regard to each Sub-processor. Nonetheless, Client Personal Data may be retained to the extent required by applicable Data Protection Legislation for as long as required by such laws, ensuring the confidentiality of such data at all times and upon notice to the Client.

Schedule B

Approved sub-processors

Full Name and Details of Sub-processor	Location of Processing	Nature and Purpose of Processing
Looker Data Sciences, inc 101 Church Street 4th Floor, Santa Cruz CA 95060 United States	Dublin	Looker is used as a platform by Fast Track to show embedded dashboards inside the platform (analytics and campaign performance). The Looker platform is using a secure tunnel in to access the environment. The Looker database user can access player transactional data and campaign performance, it does not have access to any tables containing personal details or sensitive data. When embedded dashboards are requested, Looker must first establish a connection to the database, in order to do so, it must first authenticate with the Fast track platform and be granted access to perform this operation. Looker is SOC 2 certified.

Schedule C – Technical and Organisational Security Measures

General Measures

Control ID	Requirements
5.1.1. a	A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
5.1.1. b	The Contractor shall ensure that their Personnel agree to terms and conditions concerning information security.
15.1.1 b	A formal information security risk assessment process shall be defined and implemented
15.1.1 c	An information security risk treatment process shall be implemented to select appropriate information security risk treatment options.
15.1.3 e	Contractor of cloud services should include requirements to address the information security risks associated with information and communications technology services through its product supply chain.
15.1.3 f	All structured and unstructured data shall be available to the customer and provided to them upon request in an industry-standard format
6.1.1	All information security responsibilities shall be defined and allocated
6.1.2	Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
6.1.3	A policy and supporting security measures shall be implemented to protect information accessed, processed or stored when using mobile computing and teleworking.
7.1.1	Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
7.2.2	All employees of the organisation and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organisational policies and procedures as relevant for their jobs
8.1.2	Ownership of an asset shall be assigned and managed during the asset's lifecycle.
8.1.3	All employees and external party users shall in a timely manner return all of Operater’s assets in their possession upon termination of their employment, contract or agreement.
8.2.1	Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification
8.2.2	An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization
8.2.3	Sensitive and removable storage media (e.g. CDs, DVDs and USB memory sticks) shall be protected against unauthorized access, misuse or corruption during transportation.
8.3.3	Media containing confidential information shall be protected against unauthorised access, misuse or corruption during transportation.
9.2.1 a	The Contractor shall protect Client's information from its other cloud customers' or unauthorized persons' access.
9.1.2 b	A formal user registration and de-registration process shall be implemented to assign or revoke access rights for all user types to all systems and services
9.2.1 b	The use of individual user identities shall be enforced.
9.2.3	The allocation and use of privileged access rights should be restricted and controlled.
9.2.4 a	Default and temporary passwords and cryptographic keys shall be kept confidential and be changed from defaults prior to use.
9.2.4 b	The allocation of secret authentication information should be controlled through a formal management process.
9.2.4.c	Passwords shall be stored and transmitted in a safe way to avoid being compromised.
9.4.2 d	A secure password reset process shall be implemented.
9.2.5	Access rights shall be reviewed and documented at regular intervals.
9.2.6	The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
9.3.1	Users should be required to follow the organization's practices in the use of secret authentication information.
9.4.3	The use of quality passwords shall be enforced
9.4.4	The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled
9.4.2 a	Where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure.
11.1.1	Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities
11.1.2	Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access
11.1.4	Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
11.1.5	Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
11.1.6	Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities
11.1.7	Security shall be applied to off-site assets taking into account the different risks of working outside the organisation’s premises.
12.1.1	Operating procedures shall be documented and made available to all users who need them.
12.1.2 b	Changes in system and services shall be authorized, approved and communicated by and to appropriate stakeholders according to defined rules.
12.1.2 c	A fallback procedure shall be defined and tested prior a change is performed.
12.1.2 d	The Contractor shall implement emergency changes when available and approved, unless such implementation introduces higher business risks.
12.1.4 a	Development, testing and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.
12.1.4 b	Activities and decision points in the change process shall be logged.
12.1.4 c	Rules for the transfer of software from development to operational status shall be defined and documented.
12.1.5	Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored.
12.2.1	Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
12.3.1 a	Backups of information, software and system images shall be taken according to business requirements for recovery point objective and recovery time objective.
12.3.1 b	Backups shall be regularly tested to ensure data integrity and that business requirements for recovery point objective and recovery time objective can be met.
12.3.1 c	Backups shall have a defined retention period, after which data can be disposed.
12.4.1 a	Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly monitored.
12.4.1 b	Logging shall be enabled on all firewalls and firewall logs shall be centrally retained and appropriately protected.
12.4.2	Logging facilities and log information shall be protected against tampering and unauthorized access.
12.4.4	The clocks of all relevant information processing systems within an organisation or security domain shall be synchronized to a single reference time source.
12.5.1 a	Procedures shall be implemented to control that only supported and documented software are installed on operational systems.
12.5.1 b	Physical and virtual machines shall be hardened according to Contractor recommendations.
12.6.1 a	Vulnerabilities in systems and services shall be identified.
12.6.1 b	Vulnerabilities in system and services shall be managed.
13.1.1. a	Networks shall be managed and controlled to protect information in systems and applications
13.1.1 b	Special controls shall be enabled to protect confidentiality and integrity of data in transit according to best practice and industry standards, e.g. TLS encryption, WPA2 encryption, managed firewall etc.
13.1.3	Web application firewalls shall be in place in front of public facing web application and services.
13.2.4	Requirements for confidentiality or non-disclosure agreements reflecting the organisation’s needs for the protection of information shall be identified, regularly reviewed and documented.
14.2.1	Rules for the development of software and systems should be established and applied to developments within the organization.
14.2.5	Principles for engineering secure systems should be established, documented, maintained and applied to any information systems implementation efforts.
14.2.9	Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions.
14.2.8 a	Contractor shall, at least annually, and after any significant infrastructure or application upgrade or modification offer penetration testing.
14.2.8 b	Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
14.2.8 c	The Contractor shall regularly perform manual and automated security testing of the application to assure that the application is reasonable free of application security defects.
14.3.1	Confidential or sensitive information, including but not limited to Personal Data and any information that is defined as Confidential information shall never be used for testing purposes.
16.1.1 a	Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incident.
16.1.1 b	Information security events shall be reported in a standardized fashion through appropriate management channels as quickly as possible.
16.1.4	Information security events shall be assessed, and it shall be decided if they are to be classified as information security incidents
16.1.5 a	Specific Incident Response Plans (IRP) for identified and agreed Information security Incidents shall be documented to meet legal, regulatory and business demands.
16.1.5 b	There shall be yearly exercises to train, test and improve the overall process and specific incident response plans based on an agreed and documented test plan.
17.1.1	All IT systems shall have a documented restore and recovery procedure to meet recovery time objectives.
17.1.2	All IT system disaster recovery plans and recovery procedures shall be verified and tested at regular intervals.
18.1.1 a	Financial data shall be archived in accordance with applicable legislation.
18.1.1 b	Segregation of duties when processing financial data shall be defined and implemented.
18.1.1 c	Contractor shall maintain an SSL Labs rating of at least “A” for any external website used to store or access Client’s data.
18.2.1 a	The Contractor shall provide support for compliance of external and internal audits that Client is subject to from time to time. All occurrences of technical audits (i.e. vulnerability and penetration testing of infrastructure and applications in scope) are subject to a joint assessment led by the Client.
18.2.1 b	Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.

Specific Measures

Data Migration Portal

• The Client’s end user data will be migrated using a data migration portal provided by Fast Track. The portal will allow the data migration manager to select which user data to migrate (details, consents, casino, sports, approved payments etc.), which users that will be migrated and for which period (lifetime or specific days).
• Client is responsible to carry out any migration or data corrections, initiatives, and must as part of that process reconcile and sign off that the imported data is correct.
• If the data provided to Fast Track is not reconciling with Client systems, it shall be treated as a high priority incident.

Correcting Data Based on Erroneous Information

• In case there are any issues with the database or live data feed causing customer data to be incorrect, the data migration portal will be used to recover / correct such data.

Data Accuracy

1. The Client must ensure to capture and manage any and all errors from Fast Track integration API. Every transmission must be verified as received by Fast Track with an OK.
2. Client shall assume that upon receiving such verification through an OK, Fast Track is responsible to ensure that this data is processed and reflected in Fast Track platform.
3. Client can, at their own discretion, manually reconcile a specific or a group of user accounts through the data migration portal.
4. For avoidance of doubt, Client is responsible to provision the necessary monitoring to manage any failures in transmission of data, as well as any supplementary remedy of the failed data transmission. Fast Track is responsible to provision the necessary monitoring to manage any failures in the processing of such data inside Fast Track platform. Fast Track will provide a dashboard providing transparency of any related issue to Client that is updated in real time.

Data Access and Data Security

• Fast Track will only be able to access sensitive customer data (contact details) through APIs provided by Client.
• Historical transactional data, or specific data corrections of data points of non-sensitive nature (anything but contact details) may in some cases not be available in API and must then be transferred in bulk. In such case, the file including such transactions will be transferred securely using FTP (SFTP). Such file will be destroyed immediately after being processed in Fast Track’s systems.
• End points used by data migration portal, that are not operationally needed for Fast Track platform to function, will only be made available upon request and for a specific time frame for further protection.

API Security

• Client will provide Fast Track with an API key. This key is required when using the API.
• All communication should be made over encrypted channel using https.
• Whitelisting of specific IPs used by Fast Track platformto access the Client’s API.

User Access / GSuite integration

• Fast Track will provide a comprehensive portal to set up access rights, user groups and invite users.
• User access is controlled by Fast Track platform.
• Once the Integration Environment is handed over to the Client, Fast Track will set up one Super Admin account that belongs to Client. This Super Admin will be able to configure roles and access rights and invite the users and associate the correct roles, groups in the organization.
• Any user that has been invited / registered in Fast Track platform will then use GSuite Single Sign On (SSO) solution to sign in to the back-office.

Encryption of User Data

• Outside of whatever encryption Fast Track platformalready provides, the Client may suggest further encryption of fields or customer data and Fast Track may propose a solution to support this within a reasonable timeframe.

Penetration Testing / System Audit

• Fast Track has not undergone or scheduled any penetration testing to date.
• The Client can, at its own discretion, organize potential penetration testing to audit the system. Fast Track will in that case provide relevant resource to support such test. The Client should give 14 days notice before such test takes place in order for Fast Track to ensure that it has sufficient resources available.
• Fast Track shall address any critical issues that might arise out of such test.

Access to Environments

• Fast Track should have total control and relevant access rights to the environment to keep Fast Track platform operational at all times. With that said, both Parties should regularly review and ensure that minimal required access is provided.

Environments

• AWS Environment is provided by the Client and administered by Fast Track.