Data Processing Addendum

Application

Rev. October 9, 2023

In connection with the Services offered by E2open, LLC and its Affiliates (“e2open” or “We”), e2open may process Personal Data on behalf of its customers (“Customer” or “You”) and when it does, this Data Processing Addendum (“Addendum“) forms part of Order Form(s), Statement(s) of Work, Master Services Agreement(s), or other contracts between e2open and You (“Agreement(s)“), where e2open processes Personal Data on behalf of You pursuant to the provision of Services.

This Addendum is effective as of the earliest effective date of the Agreement(s) (“Addendum Effective Date”). Signing the Agreement shall be given the same effect as having signed this Addendum, including all signature spaces in the attached Standard Contractual Clauses. If You prefer to have a signed copy of this Addendum, please contact your representative.

Capitalized terms not otherwise defined herein have the meaning given to them in the applicable Agreement. Except as modified below, the terms of the Agreement remain in full force and effect. In the event of a conflict between this Addendum and the SCCs, the SCCs will control.

  1. DEFINITIONS.

1.1. “Authorized Person(s)” means any e2open subcontractor, officer, director, employee, or consultant who have a need to know or otherwise access Personal Data to enable e2open to perform its obligations under the Agreement.

1.2. “Controller’ means the entity which determines the purposes and means of the Processing of Personal Data.

1.3. “Data Protection Laws” means any privacy, data protection or data security laws, codes, legislative acts, regulations, ordinances, rules, rules of court, or orders which applies to a Party as result of the Services.

1.4. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

1.5. “EEA” means the European Economic Area.

1.6. “GDPR” means General Data Protection Regulation, Regulation (EU) 2016/679.

1.7. “Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data.

1.8. “Personal Data” means any data that the Customer submits using the Services for e2open to Process on Customer’s behalf that is deemed “personal data” or “personal information” (or other analogous variations of such terms) under Data Protection Laws.

1.9. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by e2open and/or its Sub-Processors in connection with the provision of the Services. “Personal Data Breach” does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including but not limited to unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

1.10. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.11. “Processor” means the entity which processes Personal Data on behalf of the Controller.
1.12. “SCCs”, “SCC” or “Standard Contractual Clauses” means the latest standard contractual clauses Module 2 (Transfer: Controller to Processor), Module 3 (Transfer: Processor to Processor), or Module 1 (Transfer: Controller to Controller), as applicable under the circumstances of Processing between Customer and e2open, adopted and published by the European Commission currently found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, as may be amended, superseded, or replaced.

1.13. “Services” means the products or services provided by e2open to Customer pursuant to the Agreement.

1.14. “Sub-Processor” means an entity, but excluding e2open’s officers, directors, and employees, appointed by or on behalf of e2open to Process Personal Data in connection with the Agreement.

1.15. “UK International Data Transfer Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.

2. E2OPEN OBLIGATIONS AS DATA PROCESSOR. To the extent e2open is acting as a Data Processor for Customer as a Data Controller, the following obligations will apply.

2.1. Compliance with Customer Instructions. e2open will protect Personal Data as confidential and will only Process Personal Data on behalf of Customer and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement; (ii) Processing initiated by Customer’s authorized users in their use of the Services; (iii) Processing to comply with other documented instructions provided by Customer where such instructions are consistent with the terms of the Agreement; and (iv) as required by Applicable Law; provided, that if e2open is required to Process Personal Data by Applicable Law, e2open will notify Customer of any such requirement before Processing the Personal Data (unless such law, regulation, or court order prohibits such information on important grounds of public interest). e2open will notify Customer if, in e2open’s reasonable opinion, Customer’s instructions do not comply with applicable law.

2.2. Restrictions on Processing. e2open is prohibited from (i) selling or sharing personal information; (ii) retaining, using or disclosing personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using or disclosing personal information for a commercial purpose other than the business purposes specified in the Agreement; (iii) retaining, using or disclosing the information outside of the direct business relationship between Customer and e2open; and (iv) combining the personal information it receives from Customer with personal information it receives from or on behalf of another person or persons or that it collects from its own interaction with the Data Subject, unless such combination is otherwise permitted by the Data Protection Laws.

2.3. Confidentiality; Authorization; Training. e2open has implemented and maintains policies and procedures to ensure that any Authorized Person who accesses Personal Data is subject to appropriate confidentiality obligations (whether a contractual or statutory duty), and has appropriate training, clearance, authorization, and supervision commensurate with the level of access granted. e2open will ensure that access to Personal Data is limited to those Authorized Persons performing Services in accordance with the Agreement.

2.4. Security Program. e2open has implemented and will maintain a written information and network security program that includes appropriate technical and organizational measures as described in Annex 2 to this Data Processing Agreement (“Security Measures”). Notwithstanding any provision to the contrary, e2open may modify or update the Security Measures at its discretion provided that such modification or update does not result in a material degradation to such Security Measures.

2.5. Personal Data Breaches. e2open will notify Customer without undue delay after becoming aware of a Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by Customer. e2open will make reasonable efforts to identify the cause of such Personal Data Breach and take reasonable steps to correct, remediate, and/or mitigate the cause of the Personal Data Breach to the extent the correction, remediation, and/or mitigation is within e2open’s control. e2open will cooperate, at its own expense, with Customer and take reasonable action as Customer may reasonably request to assist in any investigation, mitigation, remediation, and notification of a Personal Data Breach for which e2open was the cause. e2open will not communicate a Personal Data Breach to affected Data Subjects without Customer’s written authorization unless otherwise required by law.

2.6. Return & Destruction of Personal Data. e2open will promptly, but without undue delay, return to Customer, or destroy, Personal Data upon Customer’s written request or at the termination or expiration of the Agreement. e2open may retain Personal Data to the extent required by Applicable Law, contractual obligations, or if Personal Data resides in backup archives and isolating individual Personal Data is not practical. e2open will continue to protect the security and confidentiality of such retained Personal Data in accordance with the Agreement and this Addendum.

2.7. Data Protection Impact Assessment Assistance. To the extent that the required information is reasonably available to e2open and Customer does not otherwise have access to the required information, e2open will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities, or other competent data privacy authorities which Customer reasonably considers to be required by applicable Data Protection Laws. In each case, such assistance will solely be in relation to Processing of Personal Data by and taking into account the nature of the Processing and information available to, e2open.

3. CUSTOMER OBLIGATIONS. Customer is solely responsible for the accuracy, quality and legality of Personal Data, the means by which Customer acquired Personal Data, and the lawfulness of the Processing Instructions it issues to e2open. Customer agrees to comply with all Data Protection Laws. The parties agree that the Agreement and this Addendum, together with Customer’s use of the Services in accordance with the Agreement, constitutes Customer’s complete Instructions to e2open in relation to the Processing of Personal Data.

4. SUB-PROCESSORS.

4.1. Appointment of Sub-Processors. Customer authorizes e2open to use the Sub-Processors listed in Annex 3 to this Addendum. e2open has entered into written agreements with each Sub-Processor containing data protection obligations no less protective than those in this Addendum with respect to protecting Personal Data to the extent applicable to the nature of the services provided by such Sub-Processor. e2open will provide to Customer for review, copies of such Sub-Processor agreements (which may be redacted to remove confidential and/or proprietary information not relevant to the requirements of this Addendum) as Customer may reasonably request from time to time.

4.2. Objection to New Sub-Processors. e2open will provide written notice of new Sub-Processors to Customer by publishing such update to www.e2open.com/legal/dpa-subprocessors and providing notice of such update before authorizing any new Sub-Processor to Process Personal Data. If Customer notifies e2open within 30 days of such notification of any reasonable objections of Customer to the proposed appointment: (i) e2open will work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-Processor; or (ii) where a change cannot be made within 30 days from e2open’s receipt of Customer’s objection, notwithstanding anything in the Agreement, Customer may terminate the Agreement to the extent that it relates to the Services that require the use of the proposed Sub-Processor.

5. DATA SUBJECT RIGHTS.

5.1. Notification. e2open will promptly notify Customer if it receives a request from a Data Subject to exercise such Data Subject’s rights granted by Data Protection Laws (“Data Subject Request”) and will advise such Data Subject to submit the Data Subject Request directly to Customer. Customer shall be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data. e2open will not respond to such Data Subject Request without Customer’s prior written consent or unless otherwise required by applicable Data Protection Law.

5.2. Support; Response. To the extent Customer is unable to independently address a Data Subject Request, then upon Customer’s written request, e2open will provide reasonable assistance to Customer to respond to a Data Subject Requests or such other requests from data protection authorities relating to the Processing of Personal Data under the Agreement. Customer agrees to reimburse e2open for the commercially reasonable costs arising from this assistance.

6. DATA TRANSFERS. e2open may transfer Personal Data on a global basis as necessary to provide the Services in accordance with the Agreement. Where e2open transfers Personal Data outside its country of origin to a country or recipient not recognized as having an adequate level of protection for Personal Data according to Data Protection Law, e2open will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

6.1. Transfers from the EEA. Module Two (Transfer: Controller to Processor) or Module Three (Transfer: Processor to Processor) of the SCCs will apply to Personal Data that is transferred outside the EEA via the Services, either directly or via onward transfer, to any country not recognized as providing an adequate level of protection for Personal Data. The SCCs will not apply to Personal Data that is not transferred, either directly or via onward transfer, outside the EEA. For each SCC Module, where applicable, the SCCs are deemed entered into and completed as follows: (i) Customer is the “data exporter” and e2open is the “data importer”; (ii) the Module Two terms apply to the extent the Customer is a Controller and Module Three terms apply to the extent the Customer is a Processor; (iii) in Clause 7 of the SCCs, the optional docking clause shall apply; (iv) for purposes of Clause 8.1(a) of the SCCs the Processing described in this Addendum and the Agreement are Customer’s complete and final instructions by Customer to Process Personal Data and any additional or alternate instructions must be agreed upon separately in writing; (v) Customer acknowledges and agrees to exercise its audit rights under this Addendum and Clause 8.9 of the SCCs by instructing e2open to comply with the audit measures described in this Section 7 of the Addendum; (vi) in Clause 9 of the SCCs, Option 2 shall apply and the time period for prior written notice of sub-processor changes will be 30 days and shall be governed by Section 4 of this Addendum; (vii) in Clause 11 (a) of the SCCs, the optional language shall not apply; (viii) in Clause 17 of the SCCs, Option 2 shall apply and the law shall be the law of the Netherlands; (ix) in Clause 18 (b) of the SCCs, disputes will be resolved in the forum and jurisdiction of the Netherlands; (x) Annexes I, II, and III of the SCCs will be deemed completed with the information set out in Annexes 1, 2 and 3 of this Addendum; and (xi) if and to the extent the SCCs conflict with any provision of this Addendum, the SCCs will prevail to the extent of such conflict.

6.2. Transfers from the United Kingdom. The UK International Data Transfer Addendum will apply to Personal Data transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country not recognized by the competent United Kingdom regulatory authority or governmental body as providing an adequate level of protection for Personal Data. The UK International Data Transfer Addendum will not apply to Personal Data that is not transferred, either directly or via onward transfer, outside the United Kingdom. For data transfers from the United Kingdom that are subject to the UK International Data Transfer Addendum, the UK International Data Transfer Addendum will be deemed entered into and completed in accordance with sub-section (a) with the following modifications: (i) the applicable SCC Module will be modified and interpreted in accordance with the UK International Data Transfer Addendum; (ii) Tables 1, 2, and 3 of the UK International Data Transfer Addendum will be deemed completed with the information set out in the Annexes to this Addendum and Table 4 will be deemed completed by selecting “neither party”; and (iii) any conflict between the terms of the SCCs and the UK International Data Transfer Addendum will be resolved in accordance with Section 10 and Section 11 of the UK International Data Transfer Addendum.

6.3. California Privacy Rights Act.  To the extent the California Privacy Rights Act (“CPRA”) is applicable to the Services: (i) e2open shall comply with the applicable provisions of the CPRA and provide the same level of privacy protection as is required by the CPRA; (ii) e2open shall notify Customer if e2open makes a determination that e2open can no longer meet its obligations under the CPRA; and (iii) Customer shall have the right to take reasonable and appropriate steps as detailed in Section 7 to ensure that e2open uses the personal information transferred in a manner consistent with Customer’s obligations under the CPRA; and (iv) e2open grants Customer the right, upon written notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

6.4. Controller to Controller Scenarios. To the extent e2open is considered to be a Controller for purposes of the GDPR (e.g., e2open collects Personal Data from Customer for invoicing or providing customer service; e2open provides Personal Data as part of the Services), both e2open and Customer will be independent Controllers of Personal Data. Each party will, to the extent that it, along with the other party, acts as Controller, with respect to Personal Data, reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in the Data Protection Laws. Where both parties each act as Controller with respect to Personal Data, and the transfer of data between the parties’ results in a transfer of Personal Data to a jurisdiction other than a jurisdiction in the EU, the EEA, the European Commission-approved countries providing adequate data protection, or the United Kingdom, each party agrees it will use Module 1 of the SCCs, which are incorporated herein by reference. Module 1 is deemed entered into and completed as follows: (i) in Clause 7, the optional docking clause shall apply; (ii) in Clause 11 (a) the optional language shall not apply; (iii) in Clause 17 Option 2 shall apply and the law shall be the law of the Netherlands; (iv) in Clause 18 (b) disputes will be resolved in the forum and jurisdiction of the Netherlands; (v) Annexes I and II will be deemed completed with the information set out in Annexes 1 and 2 of this Addendum; and (vi) if and to the extent the SCC conflicts with any provision of this Addendum, the SCC will prevail to the extent of such conflict. For data transfers subject to the UK International Data Transfer Addendum, the UK International Data Transfer Addendum will be deemed entered into and completed in accordance with sub-section (a) with the following modifications: (i) SCC Module 1 will be modified and interpreted in accordance with the UK International Data Transfer Addendum; (ii) Tables 1, 2, and 3 of the UK International Data Transfer Addendum will be deemed completed with the information set out in the Annexes to this Addendum and Table 4 will be deemed completed by selecting “neither party”; and (iii) any conflict between the terms of the SCCs and the UK International Data Transfer Addendum will be resolved in accordance with Section 10 and Section 11 of the UK International Data Transfer Addendum. Unless otherwise agreed in writing, the parties acknowledge and agree that each is acting independently as a Controller with respect of Personal Data and the parties are not joint controllers as defined in the GDPR and Section 3 of the United Kingdom European Union (Withdrawal) Act 2018.

6.5. Governmental Data Requests. If e2open receives a request for any such Personal Data from the U.S. government or law enforcement authority, e2open will make commercially reasonable efforts to assert available defenses against making the disclosure and will minimize the scope of any legally required disclosure to only that which is necessary to meet the disclosure obligation. To the extent legally permissible, e2open will promptly notify Customer of any legally binding request for disclosure of Personal Data by law enforcement authorities.

7. DEMONSTRATION OF COMPLIANCE. Customer may request once per calendar year (unless otherwise required by Applicable Law) a copy of e2open’s SOC 2 Type 2 report on e2open’s hosting environment and Services system within e2open’s organization, or any other similar information security report regularly obtained by e2open in the normal course of business. All such reports and information contained therein shall be considered e2open’s confidential information. If the provided reports do not satisfy Customer’s requirement, Customer may request the completion of an annual security questionnaire (not to exceed one (1) request in any twelve (12) month period) responding to specific questions on Company’s information security program, as applicable. Upon receipt of any questionnaire/ assessments, it may take up to thirty (30) days for e2open to provide a response.

8. CHANGES IN APPLICABLE LAW. Either party may propose variations to this Addendum which it reasonably considers to be necessary to address the requirements of any applicable law. Upon request, the Parties will promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those, or alternative, variations designed to address the requirements identified as soon as reasonably practicable.

9. LIABILITY. The limitation of liability terms set forth in the Agreement(s) apply to any liability under this Addendum.

10. GENERAL.

10.1. Term. The term of this Addendum commences on the Addendum Effective Date and will remain in effect until the later of (i) the expiration or termination of the Agreement or; (ii) e2open’s destruction of, or return to Customer, all Personal Data.

10.2. Governing Law; Jurisdiction. The validity, interpretation, and performance of this Addendum will be controlled and governed by the laws of the territory stipulated in the Agreement, without regard to conflicts of law provisions. The Parties hereby irrevocably consent to jurisdiction and venue for any dispute concerning this Addendum in the choice of jurisdiction stipulated in the Agreement.

10.3. Compliance. Each party understands the requirements of and will comply with the Data Protection Laws.

10.4. Severability. If any term or provision of this Addendum or the application of any such provision is held by a court of competent jurisdiction to be contrary to law, invalid, illegal or unenforceable, then such term or provision will be deemed replaced by a term or provision that is valid and enforceable and that comes closest to expressing the intention of the original term or provision, and the remaining terms and provisions of this Addendum will continue in full force and effect.

10.5. Continued Obligations; Rights. Nothing in this Addendum reduces e2open’s obligations under the Agreement in relation to the protection of Personal Data or permits e2open to Process, or permit the Processing of, Personal Data in a manner which is prohibited by the Agreement.

ANNEX 1 – SCOPE OF PROCESSING

  1. LIST OF PARTIES

Data exporter(s):

Name:  Customer entity set forth in the Agreement

Address: Customer entity set forth in the Agreement

Contact person(s): As specified in the Agreement

Activities relevant to the data transferred: Customer utilizes the Services specified in the Agreement and is responsible for the use of the Services in accordance with applicable documentation.

Signature and date: As specified in the Agreement

Role: Controller

Data importer(s):

Name:  e2open entity set forth in the Agreement

Address: e2open entity set forth in the Agreement

Contact person(s): As specified in the Agreement

Activities relevant to the data transferred: e2open Processes Personal Data for the subject matter of the Agreement and until the Agreement terminates or expires, unless otherwise agreed upon by the parties in writing. In particular, the subject matter is determined by the Service(s) to which Customer subscribes and the data which Customer uploads to the Service.

Signature and date: As specified in the Agreement

Role: Processor

  1. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Parties participating in the supply chain process with Customer

Categories of personal data transferred

The personal data transferred concern the following categories of data:

Business contact information, such as name, email, address, phone number, etc. If Customer purchases certain services, such as restricted party screening, then Customer may provide additional information for processing, such as government issued ids, personal address, personal phone number, personal email, etc.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

The parties do not anticipate any sensitive data will be transferred.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

Data is transferred on a regular basis as determined by Customer’s submission of the data to the Services.

Nature and purpose of the processing

Data processing to facilitate Customer’s use of the purchased e2open services in accordance with the terms and conditions of the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal data will be retained for the duration set forth in the Agreement or as otherwise instructed by Customer.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter, nature and duration will be the same as applicable to e2open.

  1. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

Dutch Data Protection Authority

ANNEX 2 – SECURITY MEASURES

e2open currently observes the Security Measures described in this Annex 2. e2open’s practices are based on industry-leading standards, including generally accepted best practices such as being audited under the SOC framework and ISO 27001. These frameworks audit policies and procedures, asset management, access management, physical security, people security, product security, cloud and network infrastructure security, third-party security, vulnerability management, as well as security monitoring and incident response. e2open’s information security policies and standards are approved by management and distributed to its employees.

PEOPLE SECURITY

The people behind the services are an essential part in protecting the service, as the human factor has a key role in, and influence on, e2open’s organizational level of security. e2open implements stringent controls for employees.

Background Checks

The screening process is based on personal interviews with recruitment/HR managers and a prospective employee’s direct manager. Where applicable, background checks include criminal record check, credit check, education check, references, and identity. Additional checks may be performed in accordance with local law.

Security Training

New employees go through an extensive on-boarding process that include communication of security guidelines, expectations, and code of conduct. In addition, all employees undergo annual security awareness training.

Continuous Communication

e2open’s security team provides continuous communication on emerging threats, performs phishing awareness campaigns, and communicates with management regularly.

PRODUCT SECURITY

The security development lifecycle (SDLC) standard helps ensure the delivery of a highly secure platform and activities. The following activities help e2open achieve this objective.

Secure Development

The development process strictly follows industry best practices (OWASP, SANS, NIST) that are continually tested using industry leading tools and third-party review.

Penetration Testing

e2open regularly performs testing for security vulnerabilities both in-house and by independent security assessment service providers. Penetration tests are performed on at least an annual basis by an independent third party.

Change Management

e2open follows a strict change management process. Changes are tracked, reviewed and approved to ensure operational changes are aligned with business objectives and compliance requirements. A change is reviewed before being moved into a staging environment, where it is further tested before finally being deployed to production.

Encryption in Transit

e2open supports TLS1.2 or above to encrypt network traffic between the Customer application and e2open’s services.

Encryption at Rest

e2open offers customers the option to encrypt data at rest in e2open’s data centers. If ordered, the encryption is based on a 256-bit AES algorithm.

Account Security

e2open offers robust security controls that the Customer can choose to enable in the application, such as an audit trail, log-in policy password complexity, and more. e2open encourages customers to work with their account managers and use these controls.

PRIVATE CLOUD INFRASTRUCTURE

The security of e2open’s infrastructure and networks is critical. Creating a safe platform for the services and customer innovation is the paramount objective of e2open’s cloud security.

Top-tier Infrastructure

e2open uses multi-layered controls to help protect its infrastructure, and is constantly monitoring and improving its applications, systems, and processes to meet the growing demands and challenges of security.

Asset Management and Ownership

All assets are assigned with a defined owner and accountability.

Access Control

Access to production infrastructure is limited to the minimal number of employees based on least-privilege concept and need-to-work basis.

Monitoring

e2open utilizes a wide range of tools to monitor its environment across all data centers from the network, server, and application level. Parameters are collected from devices on the network and aggregated to a central location for the sake of detecting indication(s) of compromise, intrusions, anomalies, trends, threshold crossing, etc. In addition, logs are collected into a security information and event management (SIEM) platform that is monitored by a dedicated security operations center (SOC) to help ensure rapid detection and mitigation of risks.

Distributed Denial-of-Service (DDoS) and Application Attack Prevention

As part of the multi-layered protection approach, a dedicated application attack and DDoS mitigation ecosystem have been put in place. On a high level, this includes a minimum of four layers of protection, including multiple layers of firewalls, intrusion detection and prevention, SLB and DMZ protections (which includes specific configurations for DDoS mitigation), and application traffic reputation services for attack mitigation. On top of that, DDoS scrubbing center service is available.

PHYSICAL SECURITY

Physical security of e2open’s facilities is an important part of its security strategy.

Data Center Security

e2open’s production environment is hosted in data centers throughout the world and the facilities applicable to Customer will be noted to Customer upon request. The facilities comply with the highest industry standards for physical, environmental, and hosting controls. For example, this includes 24/7 security officers, facility access, biometric hand reader, exterior security, interior security, annual audits, cages, alarm monitoring/intrusion protection, video imaging, CCTV, audio intercom and two-way radio subsystem, ID requirements, intrusion testing, security personnel hiring/training, security policies, asset tracking and video surveillance.

THIRD-PARTY SECURITY

Vetting Process

Third-party vendors are checked before engagement to validate that prospective third parties meet e2open’s security standards and agree to all necessary contract terms regarding information security and data protection.

Ongoing Monitoring

Once a relationship has been established, e2open’s security team will conduct an annual review of these vendors. The annual review is done by e2open’s security team or via a third-party report (e.g., SSAE 18 SOC2 report, ISO 27001). The procedure takes into account the type of access and classification of data being accessed (if any), controls necessary to protect data and legal/regulatory requirements. e2open is committed to mitigating risk and ensuring its services meet regulatory and security compliance requirements.

SECURITY COMPLIANCE

Regulatory Environment

e2open complies with applicable legal, industry and regulatory requirements as well as industry best practices, including SOC2 COSO.

e2open has obtained SOC2 certification, which validates the strength of its security controls, shows confidence in its security program, and demonstrates its maturity within the information security space.

Data Protection Compliance (GDPR, CCPA, etc.)

As a global provider of services, e2open monitors regulatory changes throughout the world and ensures that its operations meet applicable regulatory requirements.

CONTINUOUS MONITORING AND VULNERABILITY TESTS

The security and resiliency of e2open’s products and infrastructure is a top priority. As part of the ongoing work of the security team, continuous monitoring is being done as part of the compliance and regulation program and the risk assessment. The vulnerability tests establish how e2open would identify, respond to, and triage vulnerabilities against its services. To ensure security of its platform, e2open has implemented and update on a regular basis the following:

Continuous Monitoring Program

e2open’s security team uses a centralized SIEM system to collect logs from different security tools, identify current or historical vulnerabilities, and track incidents and threats that e2open must respond to and mitigate accordingly.

Distributed Denial-of-Service (DDoS) and Application Attack Prevention

e2open’s infrastructure is protected with multiple layers of defense systems, including a dedicated, real-time, best-of-breed application attack and DDoS mitigation technology. e2open’s multiple layers of firewalls, intrusion detection systems, load balancers and DMZ servers contain dynamic mitigation and NAT to deny attack traffic. This includes advanced protection controls such as Forward and Reverse Proxies. In addition, e2open uses private ranges of IPs that deny direct access to internal networks, further reducing DDoS and application attacks. e2open has retained the services of a scrubbing center in case of DDoS attack.

ANNEX 3 – LIST OF SUB-PROCESSORS

The E2open Group personal data subprocessor list is available at www.e2open.com/legal/dpa-subprocessors.

E2open Group Affiliates – Processing on all products and services

The following E2open group entities will provide general service and support to all services. All are controlled by E2open, LLC.

Country State/Province/City Entity Name
USA Delaware E2open, LLC
USA Delaware INTTRA LLC
USA Delaware Amber Road, LLC.
USA Delaware BluJay Solutions LLC
USA Florida Raven Logistics LLC
Canada N/A E2open Canada Inc
UK N/A E2open Ltd
UK N/A BluJay Solutions Ltd
Singapore N/A INTTRA Pte Limited
Singapore N/A BluJay Solutions PTE Ltd
Malaysia Kuala Lumpur E2open Malaysia Sdn. Bhd
Malaysia Kuala Lumpur E2open Development Corp Malaysia Branch
India Karnataka E2open Software India Private Limited
India Karnataka Amber Road Software Private Limited
India N/A BluJay Solutions (India) Private Limited
Germany Baden-Württemberg E2open GmbH
Germany N/A BluJay Solutions GmbH
Switzerland N/A BluJay Solutions GmbH, Bad Homburg v.d.H., Zweigniederlassung Reinach BL
Spain N/A BluJay Solutions SA
Netherlands N/A BluJay Solutions BV
Belgium N/A BluJay Solutions Belgium NV
Denmark N/A BluJay Solutions A/S
Australia N/A BluJay Solutions Australia Pty Ltd
Australia N/A Expedient Software Pty Ltd
New Zealand N/A BluJay Solutions (New Zealand) Ltd.
China Hong Kong BluJay Solutions (Hong Kong) Ltd
China N/A BluJay Solutions Co Ltd

E2open Group Affiliates – Processing on specific products and services

The following E2open group entities will provide service, support, and data process for the specific services listed in the description field. If you do not use any of those services, then such entity will not apply. All are controlled by E2open, LLC.

Country State/Province/City Entity Name Description
USA California Birch Worldwide, LLC Only MDF, Rebates and Incentive Services
USA California Zyme CCI LLC Only MDF, Rebates and Incentive Services
USA Delaware Zyme Solutions, LLC Only Channel Marketing/Incentive Services
USA Washington Averetek, LLC Only Channel Marketing Aggregation Services
USA Delaware Logistyx Technologies, LLC Only for Logistyx software and related services
UK N/A Birch Worldwide Limited Only MDF, Rebates and Incentive Services
UK N/A Logistyx Technologies International Limited Only for Logistyx software and related services
Canada N/A Logistyx Technologies, Inc. Only for Logistyx software and related services
Spain N/A  Avantida E-Logistica S.L. Unipersonal Only Logistics Platform Services
Poland Krakow Avantida Poland z.o.o. Only Logistics Platform Services
India Karnataka Zyme Solutions Private Limited Only Channel Marketing/Incentive Services
India Chennai INTTRA Service & Support Private Limited Only Logistics Platform Services
Germany Hamburg INTTRA Germany GmbH Only Logistics Platform Services
Denmark N/A INTTRA AS Only Logistics Platform Services
Netherlands N/A Logistyx Technologies Europe BV Only for Logistyx software and related services
Singapore N/A Logistyx Technologies Asia Pte Ltd Only for Logistyx software and related services
China Hong Kong Amber Road (Hong Kong) Limited Only for China Trade Management Services; ecVision Suite
China Shanghai E2open Software (Shanghai) Co. Ltd Only for China Trade Management services; ecVision Suite; or upon customer request for other services
China Shanghai INTTRA (Shanghai) Company Limited Only Logistics Platform Services
China Shenzhen Amber Road (Shenzhen) Co. Limited Only for China Trade Management Services; ecVision Suite
China Shanghai Amber Road China Ltd Only for China Trade Management Services; ecVision Suite
Belgium N/A Avantida NV Only Logistics Platform Services

Unaffiliated Sub-Processors

The following list of processers not affiliated with E2open LLC are suppliers who provide the data processing activities listed in the processing activities column.

Country Entity Name Processing Activities
USA Simpler Postage, Inc. (d/b/a EasyPost) Parcel-related services integrated with TMS solutions
USA (Ohio) Amazon AWS US data center for certain services, primarily restricted party screening and trade automation
USA/EU Microsoft Azure US/EU data centers for Logistyx softwares
Ireland (Dublin) Amazon AWS Primary EU data center for certain services, primarily restricted party screening and trade automation
Germany (Frankfurt) Amazon AWS Secondary EU data center for certain services, primarily restricted party screening and trade automation
Shanghai, China China Telecom Data Center Nanhui Primary Data Center – China Trade Management only
Shanghai, China China Telecom Data Center Shibei Secondary Data Center – China Trade Management only
Philippines EMAPTA Customer Service
Holland Ortec International B.V. Customer Service