2. SCOPE OF DPA AND ROLES OF THE PARTIES

2.1 Scope

The purpose of this DPA is to ensure that the processing of Customer Personal Data within the Service complies with Applicable Data Privacy Laws.

2.2 Parties’ Roles

a. For the Online Services, as between Us and You, We will Process Customer Personal Data only as a Processor (or Sub-processor) acting on Your behalf and, with respect to the CCPA, as a “service provider” (or, where applicable, “contractor”) as defined therein, and as otherwise similarly defined under Applicable Data Protection Laws, in each case regardless of whether You act as a Controller or Processor with respect to Customer Personal Data.

b. Each party agrees it will comply with Applicable Data Privacy Laws and this DPA in connection with the Agreement;

c. Each Party will notify the other if it reasonably believes that an instruction or Processing of Customer Personal Data violates Applicable Data Protection Laws, and the Parties will cooperate in good faith to address such concern.

d. Customer and Processor agree to cooperate in good faith to amend the Agreement or this DPA or enter into further mutually agreeable data processing agreements as may be required to comply with Applicable Data Protection Laws.

2.3 Customer

a. You will, in Your use of the Online Services, comply with Your obligations under Applicable Data Protection Laws when Processing Personal Data and when issuing Processing instructions to Us. You represent that You have provided notice and obtained (or will obtain) all necessary consents and rights under Applicable Data Protection Laws to Process Personal Data pursuant to this DPA and the Agreement.

b. You exclusively control which Personal Data is collected, uploaded, and stored in the Online Services and the access controls applicable to Your Authorized Users. If You use the Online Services to Process any categories of Personal Data not expressly authorized by the Agreement or this DPA, You assume responsibility for any resulting noncompliance with Applicable Data Protection Laws.

c. You will Process any Personal Data of Ours in accordance with Applicable Data Protection Laws and Your own privacy notices and policies. Such Personal Data disclosures may be made by Us from time to time for purposes of contract management, service management, or security purposes.

2.4 Processor

Except as otherwise required under Applicable Data Protection Laws, We and Our Sub-processors will Process Customer Personal Data in accordance with Applicable Data Protection Laws and only to: (a) perform the Online Services for You pursuant to the Agreement; (b) comply with this DPA; or (c) carry out Your documented, reasonable written instructions that are consistent with the Agreement and this DPA.

For purposes of the CCPA and other similar U.S. state laws, We will: (i) not Sell or share Customer Personal Data; (ii) not retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the Online Services or as otherwise permitted by Applicable Data Protection Laws; (iii) not retain, use, or disclose Customer Personal Data outside of the direct business relationship between You and Us; and (iv) not combine Customer Personal Data with Personal Data We receive from another source, except as permitted under Applicable Data Protection Laws (for example, to detect security incidents or to improve Our services in a manner that does not involve profiling a particular Data Subject).

3. COOPERATION

3.1. If We receive a request from a Data Subject seeking to exercise rights under Applicable Data Protection Laws (“Data Subject Request”), and the Data Subject Request identifies Customer, or We are aware that the Data Subject Request pertains to Processing on behalf of Customer, We will forward the communication promptly to Customer, to the extent commercially practicable, for Customer to respond, and We will reasonably cooperate with Customer with the request as reasonably directed.

3.2. We will provide reasonable cooperation and provide reasonably requested information regarding the Online Services to enable Customer to perform Data Protection Impact Assessments or in connection with a consultation with Data Protection Authorities when required under Applicable Data Protection Laws.

6. SECURITY INCIDENT NOTIFICATION

6.1 We will implement and maintain policies and procedures to detect, respond to, and address Security Incidents, including procedures to identify and respond to Security Incidents, mitigate harmful effects, document Security Incidents and their outcomes, and restore the availability of or access to Customer Data to You in a timely manner.

6.2 We will notify You without undue delay and, in any event, within 72 hours, or sooner if required under Applicable Data Protection Laws, after confirming a Security Incident affecting Customer Personal Data. In the event of a Security Incident, We will take commercially reasonable measures and actions to remedy or mitigate the effects of the Security Incident, including performing a root cause analysis to identify the cause.

6.3 We will keep You informed as to the status of the Security Incident, periodically providing timely notices of relevant details, a point of contact, and measures taken or planned to address the Security Incident.

6.4 We will reasonably cooperate and assist You with any investigations into, and remediation of, the Security Incident (including, for Security Incidents caused by Us and if required by Applicable Data Protection Laws, the provision of information necessary for You to notify regulators or affected individuals).

9. DATA TRANSFERS

9.1 We may, in connection with the provision of the Online Services, make international transfers of Personal Data to Our Affiliates and Sub-processors. When making such transfers, We will ensure appropriate protection is in place to safeguard the Personal Data transferred under or in connection with this DPA in accordance with Applicable Data Protection Laws.

9.2 Where the provision of Online Services involves the transfer of Personal Data from the EEA to countries outside the EEA that are not subject to an adequacy decision, such transfer will be subject to appropriate safeguards, which may include intra-group agreements incorporating the Standard Contractual Clauses with any Affiliates that may have access to Personal Data, and/or agreements with Sub-processors that incorporate the Standard Contractual Clauses, as appropriate, subject to the following modifications to the SCCs:

1. Clause 2 (Effect and invariability of the Clauses) — Module Two shall apply (Controller to Processor).

2. Clause 7 (Docking clause) — The optional docking clause will apply.

3. Clause 9 (Use of Sub-processors) — For subsection (a), Option 2 will apply, in accordance with any additional requirements outlined herein.

4. Clause 11 (Redress) — The optional language will not apply.

5. Clause 13 (Supervision) — The competent Supervisory Authority shall be the Data Protection Commission of Ireland.

6. Clause 17 (Governing Law) — Option 1 will apply, and the governing law shall be the law of Ireland.

7. Clause 18 (Choice of Forum and Jurisdiction) — For subsection (b), disputes shall be resolved before the courts of Ireland.

8. Annex I shall be deemed completed with the information set out in Schedule 1 to this DPA.

9. Annex II shall be deemed completed with the information set out in Schedule 2 to this DPA.

10. Annex III shall be deemed completed with the information set out in Schedule 3 to this DPA.

9.3 To the extent that Personal Data contained within Customer Data is transferred by or on behalf of Customer (including onward transfers) from within the United Kingdom, Switzerland, Brazil, or other jurisdictions that impose additional cross-border transfer requirements, to Us in a jurisdiction outside of the same, the Parties agree to implement any required transfer mechanism (including, where applicable, the UK Addendum, IDTA, or analogous local standard contractual clauses or addenda) to provide appropriate safeguards for such transfers. For such mechanisms:

1. References to “Regulation (EU) 2016/679,” “the Regulation,” or the GDPR shall be interpreted as references to the Applicable Data Protection Law of the Transferred Jurisdiction.

2. Where required or appropriate, references to specific provisions of the GDPR shall be replaced with the equivalent article or section of the Applicable Data Protection Laws of the Transferred Jurisdiction.

3. References to “EU,” “Union,” “Member State,” or “EEA” shall be replaced with references to the Transferred Jurisdiction as applicable.

4. The “competent supervisory authority” shall be the UK Information Commissioner, the Swiss Federal Data Protection and Information Commissioner, or Brazil’s National Data Protection Authority, as applicable.

5. The “competent courts” shall mean the courts of England, Switzerland, or Brazil, as applicable.

6. For the UK, Part 2 of the UK Addendum (Mandatory Clauses of the Approved Addendum B1.0) is incorporated by reference and supplements the SCCs.

7. Annex III to the UK Addendum shall be deemed completed using the Sub-processor list made available at the URL specified in Schedule 3 or the Trust Center.

7. DATA EXPORT AND DELETION 

Upon Your written request, or upon termination or expiration of the Agreement, We will delete or return all Customer Data in Our possession or control, except to the extent that We are required to retain such data by law or Our documented retention policies or as otherwise provided for in the Agreement (in which case, We will keep the data confidential and refrain from further Processing except to the extent required by Applicable Data Protection Laws).

4. SECURITY

4.1 We will implement and maintain appropriate technical and organizational Security Measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of Customer Personal Data, in accordance with Our Security Measures described in the applicable security schedule or documentation referenced in the Agreement. We may review and update or otherwise change Our practices from time to time, provided that any such updates will not materially diminish the overall security of the Online Services or Customer Personal Data.

4.2 You are responsible for protecting and securing Your authentication credentials and for protecting Customer Personal Data when in transit to and from the Online Services. You will promptly alert Us of any reasonably suspected Security Incident affecting Your environment or credentials at privacy@ryan.com.

4.3 “Protected Third Party Information” includes Sensitive Personal Data, Personal Identification Information, Patient Health Information, Personal Financial Information, and Personal Educational Information, as each is defined in Section 4.4(a)–(d) below. Customer will be responsible for protecting Protected Third Party Information and Sensitive Customer Information from unnecessary disclosure by following the requirements of this Section. You will minimize the Processing of Protected Third Party Information by limiting Processing to what is necessary and not transferring Protected Third Party Information or Sensitive Customer Information to the Online Services unless the transfer of such information is expressly necessary to utilize the Online Services.

4.4 For purposes of this Section 4:

a. “Personal Identification Information” or “PII” includes information that can be traced to a particular individual, such as name, mailing address, phone number, and email address, when processed in combination with a social security number, driver’s license number, state ID card, or similar identifier that could be used to (1) facilitate identity theft, (2) permit access to an individual’s financial account, or (3) require notification under any data breach notification law if compromised.

b. “Patient Health Information” or “PHI” includes information regarding a particular individual’s health and medical treatment, including medical record number, account number, social security number, insurance information, claims information, payment information, patient demographic data, dates of service, date of admission, discharge, medical records, medical treatment, reports, test results, and all other information regulated by the Health Insurance Portability and Accountability Act (HIPAA).

c. “Personal Financial Information” or “PFI” includes credit or debit card information, other payment card information, bank account, investment account, and all other information considered confidential under the Payment Card Industry Data Security Standards (PCI DSS).

d. “Personal Educational Information” or “PEI” includes student records, test results, courses taken, educational records pertaining to an individual student, and all other information regulated by the Federal Family Educational Rights and Privacy Act (FERPA).

4.5 “Sensitive Customer Information” includes Customer’s sensitive non-public data, including but not limited to trade secrets, proprietary information, research and development, business plans and strategies, operating reports, manufacturing data, pricing information, marketing and sales data, information regarding litigation, techniques, formulas, source code, potential acquisitions and equity investments, personnel records, organization charts, and banking information.

5. SUB-PROCESSORS

5.1 We will engage Sub-processors under a written (including electronic) contract consistent with the terms of this DPA in relation to the Sub-processor’s Processing of Customer Personal Data. As between Us and You, We will remain responsible for Our Sub-processors’ obligations, performance, and services under the Agreement.

5.2 We will evaluate the security, privacy, and confidentiality practices of a Sub-processor before selection to establish that it can provide the level of protection of Personal Data required by this DPA, including ensuring that the Sub-processor is under an appropriate obligation of confidentiality.

5.3 Our list of Sub-processors in place on the Effective Date of the Agreement is stated in the applicable Sub-processor schedule or Trust Center page. Customer may subscribe to receive notification of any changes to Our Sub-processors, and if no written objection is made within the period specified in the Agreement or such notice, consent is deemed given.

Last Updated:

This Data Processing Addendum (“DPA”) is hereby incorporated by reference into and forms part of the Software as a Service Agreement or other master services agreement (the “Agreement”) entered into between Ryan, LLC and its tax.com™ operating division (together with their Affiliates, “Ryan,” “We,” “Our,” or “Us”) and Customer (“You” or “Your”) and sets out the obligations of the Parties with respect to the Processing of Customer Personal Data in connection with the Agreement. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. Unless otherwise defined herein, any capitalized terms will have the meanings given to them in the Agreement. Ryan and Customer may be referred to herein collectively as the “Parties” or individually as a “Party.”

1. DEFINITIONS

The following will have the meanings set out below in this DPA:

“Affiliate(s)” means, with respect to any entity, any other entity that directly or indirectly controls, is controlled by, or is under common control with such entity, where “control” refers to the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract, or otherwise.

“Applicable Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in processing Personal Data under the Agreement, including, where applicable, EU & UK Data Protection Law and the CCPA.

 means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“”), and the regulations promulgated thereunder, as amended or superseded from time to time.

8. COMPLIANCE VERIFICATION AND AUDIT

8.1 Upon Your request no more than annually, except for reasonable cause such as a regulatory request or Security Incident caused by Us, We will provide information reasonably sufficient to confirm compliance with the requirements of this DPA by providing You with one or more of the following, as applicable:

• a. Completion of an information security questionnaire, via a secure portal, which may be consolidated into a single questionnaire covering multiple product subscriptions; and/or

• b. A summary of the results of any independent third-party assessment or certification (e.g., SOC 2, ISO 27001) that We undertake and make generally available to customers with respect to the Online Services and Our data-hosting environment.

8.2 If We are unable to reasonably demonstrate compliance with the security and audit obligations under Section 8.1, We will provide additional information and reasonable access to security personnel (as generally made available to other customers), as to Our security practices, subject to the confidentiality requirements of the Agreement. The content, scope, and timing of such review will be agreed by the Parties, and any third-party auditor engaged by You must not be a competitor of Ours and must be bound by appropriate confidentiality obligations.

10. MISCELLANEOUS

10.1 To the extent permitted by Applicable Law, any claims brought under or in connection with this DPA will be subject to the exclusions and limitations of liability set forth in the Agreement.

10.2 Except as expressly permitted by the SCCs or other applicable transfer instruments, no one other than a Party to this DPA will have any right to enforce its terms, but each Party may enforce its terms on behalf of its Affiliates, if applicable.

10.3 Except as otherwise specified herein, this DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement.

10.4 This DPA will remain in force as long as We Process Customer Personal Data under the Agreement.

SCHEDULE 1

ANNEX I to the Standard Contractual Clauses 

A. LIST OF PARTIES

Module Selection

Select Applicable SCC Module

• Module One: Controller to Controller

• ✓ Module Two: Controller to Processor

• Module Three: Processor to Processor

• Module Four: Processor to Controller

Data exporter(s):

Name: The entity identified as “Customer” in the DPA.
Address: The address for Customer associated with its account or as otherwise specified in the DPA or the Agreement.
Contact person’s name, position, and contact details: The contact details associated with Customer’s account, or as otherwise specified in the DPA or the Agreement.
Activities relevant to the data transferred under these Clauses: The activities are specified in Section 2 of the DPA.
Signature and date: By using the Online Services or products the data exporter will be deemed to have signed this Annex I.
Role (controller/processor): Controller.
Data importer(s): 
Name: Ryan as identified in the DPA.
Address: The address for Ryan is specified in the Agreement.
Contact person’s name, position, and contact details: The contact details for Ryan are specified in the DPA or the Agreement.
Activities relevant to the data transferred under these Clauses: The activities are specified in Section 2 of the DPA.
Signature and date: By transferring Customer Personal Data to Third Countries on Customer’s instructions, the data importer will be deemed to have signed this Annex I.
Role (controller/processor): Processor 

B. Details of Data Processing

SCHEDULE 2

ANNEX II to the Standard Contractual Clauses 

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Ryan, LLC (“Ryan,” “We,” “Us”) offers a wide variety of business tax solutions through its tax.com™ platform and operating division. This Annex II sets forth the baseline contours of the information security posture with respect to these solutions. Online Services obtained through an Order Form may include additional security measures as appropriate for the sensitivity of the data and nature of the engagement. The definitions set forth in the Agreement will have the same meaning in this Annex II, except or as otherwise defined herein. Nothing in this Annex II alters the obligations or rights under the Agreement concerning Customer Data.

Information Security Program

• Information Security Program. We maintain an enterprise-wide information security program that utilizes documented policies, procedures, and standards to protect the confidentiality, integrity, and availability of information and data in electronic and tangible form. We designed the information security program based on ISO/IEC 27001 standards.

Organizational and Administrative Security /Risk Management

• Information Security Policies. We maintain internal, documented, comprehensive information security policies, including incident response plans, data retention plans, and segregation of duties policies, and regularly review and update them. 

• Employee Screening. Ryan ensures that all of its employees handling Customer Data have undergone a background screening, to the extent permissible under local laws and regulations.

• Awareness and Education Program. We provide security awareness and technology use training for employees, at hire and annually, including routine anti-phishing training. 

• Vendor Management. We subject vendors authorized to perform services on Our behalf involving Our systems, data, or technology to (1) a risk assessment process, (2) obligations of confidentiality, and (3) restrictions on such vendor’s access to Personal Data consistent with Applicable Data Protection Laws and Our security requirements. We remain responsible for the compliance of its subcontractors with the terms of this Annex II.

• Business Continuity/Disaster Recovery. We maintain and regularly test a business continuity and disaster recovery program designed to reduce the effects of a significant disruption in operations based on generally accepted industry practices.

• Data Disposal. We maintain internal, documented, comprehensive data retention and disposal policies.

Data Security

• Authentication. We logically segregate Customer Data by application security group access rules. Customer accounts must utilize unique usernames and complex passwords and enter them at each login to Our resources.

•  Passwords. We demand minimum password length, complexity, and expiration requirements, disabling features for failed login attempts, and rejection of previously used passwords.

• Encryption at Rest. We encrypt Our employees’ laptop full disk drives using at least AES-256 for data encryption. We encrypt all non-public Customer Data in the hosted systems using at least AES-256 for data encryption.

• Encryption in Transit. By default, Our web-accessible Online Services have Transport Layer Security (TLS) enabled to encrypt Your traffic. Our web application endpoints use TLS for secure transport.

• Access.  We operate the Online Services in a multitenant architecture designed to segregate and restrict Your data access based on business needs. We assign access controls to Personal Data in our databases, systems, and environments on a need-to-know / least privilege necessary basis. We employ multi-factor authentication (MFA) controls or similar compensating controls to limit access.

• Device Access. We limit network access to authorized devices only. We prohibit access to systems with Customer Data from mobile devices.

Physical Security

• Data Center. We host critical information systems and Our product platform in high-security data centers that meet SSAE18 and ISO 270001 standards. Data center security includes physical security measures designed to minimize disruption and prevent theft, tampering, and damage including:

  • 24×7 monitoring,

  • Cameras,

  • Visitor logs,

  • Entry requirements,

  • Climate control,

  • Fire detection systems, and

  • Dedicated cages for Ryan to separate our equipment from other tenants in the data center.

• Facilities. We protect Our public workplace facilities using entry and authentication controls as technically and commercially feasible, such as visitor logs, automated badging access controls, color-coded badges with photo ID, keyed entries, alarmed access points, and security cameras. Additional restricted access requirements exist for Our computer systems’ rooms. We maintain a documented clear desk policy.

Availability Control

• Connectivity. We maintain fully redundant IP network connections with multiple independent connections to a range of Tier 1 Internet access providers for Our data centers. 

•  Power. Our servers possess redundant internal and external power supplies. Our data centers can draw power from multiple substations on the grid, backup generators, and backup batteries in the event of power failures. 

•  Uptime. We continuously monitor uptime, with escalation to Our staff for any downtime. 

• Backup Frequency. Our system backups occur at least daily to geographically disparate sites. 

• Disaster Recovery. We establish system recovery times on a product-line basis, but at a minimum no later than 8 hours.

Network Security

•  Firewalls. We route network traffic through firewalls to restrict access to approved ports. 

• Intrusion Prevention. We use Network and Host-based Intrusion Prevention systems (NIPS/HIPS).

• End Point Controls. We protect its systems from malware/viruses utilizing enterprise-class endpoint control software.

• E-mail Systems. We scan email using an enterprise-class email security gateway system.

• Access Control. We protect workstations and laptops from unauthorized access via secure VPN and 2FA (two-factor authentication). We enforce role-based access control (RBAC) for systems management. Network devices are configured to prevent unauthorized updates via access controls and limit access to authorized individuals.

• Logging and Auditing. We maintain security audit logs on our computing systems that process and store information that captures key security events including suspicious system and /or user behaviors.

Change Management and Application Control

• Application Control. We maintain policies and procedures for managing changes and updates to production systems, applications, and databases, including processes for documenting security patching, authentication, and testing and approval of changes into production.

• Key Management. We maintain a key management program that addresses the need to promptly revoke or disable lost, corrupted, or expired keys.

• Coding Practices. We use logically or physically separate environments for development, testing, and production. Our developers undergo secure development training on best practices twice annually.

• Secure Development. We employ a secure software development methodology that incorporates security throughout the systems development lifecycle in connection with the development and maintenance of its information systems. Minimally, applications have controls to protect against known vulnerabilities and threats, and secure coding standards are employed that comply with industry standards such as the Open Web Application Security Project (OWASP).

Vulnerability Management 

•  Patching. We apply the latest security patches to all operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities. 

• Third-Party Scans. We continuously scan Our environments using industry-leading security tools. These tools provide configured network vulnerability assessments, which test for patch status and basic misconfigurations of systems and sites. 

• Penetration Testing. We perform penetration tests of Ryan applications using qualified independent third parties; Our hosting service providers perform penetration tests on their own infrastructure.

• Program. We maintain a Vulnerability Management program in which risk analyses are performed for critical systems and requirements exist for prompt response to critical incidents.

Security Incident Management

• Security Incident Management Process. Our controls include a Chief Information Security Officer (CISO) tasked with maintaining a comprehensive information security program built on a multi-layered, defense-in-depth approach to security. We maintain an internal, documented, comprehensive information security incident management process in place based on an incident framework that includes key elements (e.g., identification, response, recovery, and post-incident review) to be followed in the event of a Security Incident.

SCHEDULE 3

ANNEX III to the Standard Contractual Clauses 

SUB-PROCESSORS

I. SUB-PROCESSOR LIST

The following table identifies the sub-processors currently authorized by Ryan, LLC, its Affiliates, and its tax.com operating division to process Customer Personal Data for Our Online Services. This list is also made available at: https://ryan.com/trust-center/legal-compliance/subprocessors (or any successor URL designated by Ryan).

II. SUBSCRIPTION TO SUB-PROCESSOR UPDATES AND RIGHT TO OBJECT

1. Notice of New or Replacement Sub-Processors

Ryan may update the list of Sub-Processors from time to time as necessary to support the Online Services.
Ryan will provide Customer with advance notice of any intended addition or replacement of a Sub-Processor by:

• Email notification to the Customer contact on record;

• Posting an update on the Ryan Trust Center; or

• Any other reasonable method permitted under the Agreement.

2. Customer Right to Object

If Customer objects to a new Sub-Processor on reasonable data protection grounds:

• Customer must notify Ryan in writing within the time period specified in the Agreement or in the Sub-Processor notice;

• The Parties will work together in good faith to address Customer’s concerns through:

  • alternative technical measures,

  • avoidance of the Sub-Processor for Customer’s instance, or

  • other mutually agreed mitigation measures.

If no resolution is commercially feasible:

• Customer may terminate the affected Online Service(s) in accordance with the Agreement; and

• Ryan will refund any prepaid fees for the terminated portion, if required under the Agreement.

3. Responsibility for Sub-Processors

Ryan remains responsible for:

• ensuring Sub-Processors are bound by written agreements with obligations no less protective than those in this DPA; and

• the performance of Sub-Processors’ obligations as between Ryan and Customer.

III. ADDITIONAL INFORMATION REQUIRED BY THE SCCs

For purposes of Annex III to the Standard Contractual Clauses:

• Subject matter: Processing necessary to support the Online Services.

• Nature and duration: Same as described in Schedule 1 (Annex I) and for as long as the Sub-Processor is engaged.

• Type of Processing: Hosting, storage, transmission, backup, support, analytics, troubleshooting, logging, security monitoring, and related service operations.

• Categories of Personal Data: As described in Schedule 1 (Annex I).

• Frequency: Continuous.

• Security Measures: As described in Schedule 2 (Annex II).