1.3 Details of Data Processing.
Confidentiality of Customer Data. Lofty will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Lofty a demand for Customer Data, Lofty will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Lofty may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then Lofty will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Lofty is legally prohibited from doing so.
Security Incident Notification.
6.3Unsuccessful Security Incidents. Customer agrees that:
Audits and Inspections.
11.2Sub-processor Obligations. Where Lofty authorizes a Sub-processor:
Requests, Demands, And Inquiries from Governmental or Regulatory Bodies.
As of the date of this agreement, Lofty engages the following sub-processors that may process Personal Data:
|Sub-processor (Entity Name)||Service Provider's Location||Provided Service|
|Amazon Web Services (AWS)||USA||Infrastructure as a Service and Platform as a Service|
|Google Cloud Platform (GCP)||USA||Natural Language Understanding|
|Vonage||USA||Cloud Communication Service Provider|
|Bandwidth||USA||Communication Platform for Messaging Service|
|Lob||USA||Automated direct mail and postal service provider|
|MailParser||USA||Mail Parsing Service|
|National Processing||USA||Payment Gateway|
|HubSpot||USA||Marketing and Analytics|
|Atlassian - Jira||USA||Ticketing System|
|Office 365||USA||Business Communication and Collaboration|
|Twilio||USA||Cloud Communication Service Provider|
|Productboard||USA||Product Tracking and feedback collection|
|Home Junction / Attom Data||USA||Listing Data Analysis|
Security Program. Lofty has developed, implemented, and will consistently update and maintain as needed: (i) a written and comprehensive information security program in compliance with applicable Data Protection Law; and (ii) reasonable policies and procedures designed to detect, prevent, and mitigate the risk of data security breaches or identify theft. Lofty will maintain appropriate measures to protect the integrity, security and confidentiality of all Customer Personal Data against any anticipated threats or hazards, and/or unauthorized access to or use of such data, which measures shall include the following:
Access. Lofty shall reasonably update all access rights based on personnel or computer system changes and shall periodically review all access rights at an appropriate frequency to ensure current access rights to Customer Personal Data are appropriate and no greater than are required for an individual to perform his or her functions necessary to fulfill the purposes of the Agreement. Access controls include:
Changes. The Parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements of outdated security measures. Lofty will therefore evaluate the measures on a periodic basis and will take reasonable measures to maintain compliance with the requirements. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in applicable data protection law or by data protection authorities of competent jurisdiction.
Where an amendment to the Service Agreement is necessary in order to execute a Customer instruction to Lofty to improve security measures as may be required by changes in applicable data protection law from time to time, the Parties shall negotiate an amendment to the underlying agreement in good faith.
Physical Security Measures. Lofty shall maintain appropriate physical security measures for any facility used to Process Customer Personal Data and continually monitor any changes to the physical infrastructure, business, and known threats.
Lofty maintains physical security standards designed to prohibit unauthorized physical access to Lofty facilities and equipment by using the following practices:
Technical Security Measures. Lofty shall: