Data Processing Addendum

If referenced in an applicable Order Form, this Data Processing Addendum including its appendices (the "DPA") supplements the Foxglove Terms of Service (together with all Order Forms, the "Agreement") entered into by and between Customer and Foxglove. Any terms not defined in this DPA shall have the meaning set forth in the Agreement.

Data Processing Terms

1. Definitions

"Applicable Data Protection Laws" means all laws and regulations that are applicable to the processing of Personal Data under the Agreement, including European Data Protection Laws and the United States Data Protection Laws.

"Controller" means an entity that determines the purposes and means of the processing of Personal Data, and includes "controller," "business," or analogous term as defined under the Applicable Data Protection Laws.

"EU SCCs" means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

"Data Privacy Framework" means the EU-U.S. Data Privacy Framework, the UK-U.S. extension to the EU-U.S. Data Privacy Framework and the Swiss-US Data Privacy Framework as set forth by the U.S. Department of Commerce.

"European Data Protection Laws" means all laws and regulations of the European Union, the European Economic Area, their member states, Switzerland, and the United Kingdom applicable to the processing of Personal Data under the Agreement, including, where applicable, (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (b) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (the "UK GDPR"); (c) the Swiss Federal Act on Data Protection of 1 September 2023 and its corresponding ordinances ("Swiss FADP"); (d) the EU e-Privacy Directive (Directive 2002/58/EC); and (e) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (a), (b), (c), (d).

"Personal Data" means all data which is defined as ‘personal data', ‘personal information', or ‘personally identifiable information' (or analogous term) under Applicable Data Protection Laws.

"processing", "data subject", and "supervisory authority" shall have the meanings ascribed to them in European Data Protection Law.

"Processor" means an entity which processes Personal Data on behalf of the Controller, including an entity to which another entity discloses a natural individual's personal information for a business purpose pursuant to a written contract that requires the entity receiving the information to only retain, use, or disclose Personal Data information for the purpose of providing the Services, and includes "processor," "service provider," or analogous term defined under the Applicable Data Protection Laws.

"Restricted Transfer" means: (a) where the EU GDPR or Swiss FADP applies, a transfer of Personal Data from the European Economic Area or Switzerland (as applicable) to a country outside of the European Economic Area or Switzerland (as applicable) which is not subject to an adequacy determination by the European Commission or Swiss Federal Data Protection and Information Commissioner (as applicable); and (b) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018. For the avoidance of doubt, a transfer of Personal Data to the United States pursuant to the Data Privacy Framework shall not be a Restricted Transfer.

"UK Addendum" means the International Data Transfer Addendum (Version B1.0) issued by the Information Commissioner's Office under s.119(A) of the UK Data Protection Act 2018, as updated or amended from time to time.

"United States Data Protection Laws" means all laws and regulations of the United States applicable to the processing of Personal Data under the Agreement, including (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code § 1798.100 - 1798.199, 2022) and its implementing regulations (collectively, the "CCPA"), (b) the Virginia Consumer Data Protection Act, when effective, (c) the Colorado Privacy Act and its implementing regulations, when effective, (d) the Utah Consumer Privacy Act, when effective; and (e) Connecticut SB6, An Act Concerning Personal Data Privacy and Online Monitoring, when effective.

2. Status of the parties

2.1 The type of Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are as described in Exhibit A.

2.2 Each party warrants in relation to Personal Data that it will comply with and provide the same level of privacy protection as required by the Applicable Data Protection Laws. As between the parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data.

2.3 In respect of the parties' rights and obligations under this DPA regarding the Personal Data, the parties acknowledge and agree that Customer may act either as a Controller or Processor processing Personal Data on behalf of a third-party Controller, and Foxglove is a Processor.

2.4 If Customer is a Processor, Customer warrants to Foxglove that Customer's instructions and actions with respect to the Personal Data, including its appointment of Foxglove as another Processor and, where applicable, concluding the EU SCCs (including as they may be amended in clause 6.2 below), have been (and will, for the duration of this DPA, continue to be) authorized by the relevant third-party Controller.

3. Foxglove obligations

3.1 With respect to all Personal Data it processes in its role as a Processor, Foxglove warrants that it shall:

(a) only process Personal Data for the limited and specified business purpose of providing the Services and in accordance with: (i) the Customer's written instructions as set out in the Agreement and DPA, unless required to do so by applicable Union or Member State law to which Foxglove is subject, and (ii) the requirements of Applicable Data Protection Laws.

(b) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such measures include, without limitation, the security measures set out in Exhibit B ("Security Measures"). Customer acknowledges that the Security Measures are subject to technical progress and development and that Foxglove may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Service;

(c) ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data are under contractual or statutory obligations of confidentiality;

(d) without undue delay notify the Customer upon becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed for the purpose of providing the Services to Customer by Foxglove, its subprocessors, or any other identified or unidentified third party (a "Personal Data Breach") and provide the Customer with reasonable cooperation and assistance in respect of that Personal Data Breach, including all reasonable information in Foxglove's possession concerning such Personal Data Breach insofar as it affects the Personal Data;

(e) to the extent Foxglove is able to verify that a data subject is associated with the Customer, promptly notify the Customer if it receives a request from a data subject to exercise any data protection rights (including rights of access, rectification or erasure) in respect of that data subject's Personal Data (a "Data Subject Request"). Foxglove shall not respond to a Data Subject Request without the Customer's prior written consent except to confirm that such request relates to the Customer, to which the Customer hereby agrees;

(f) to the extent Foxglove is able, and in line with applicable law, provide reasonable assistance to Customer in responding to a data subject request to exercise any data protection rights under Applicable Data Protection Laws (including rights of access, rectification or erasure) in respect of that data subject's Personal Data if the Customer does not have the ability to address a Data Subject Request without Foxglove's assistance. The Customer is responsible for verifying that the requestor is the data subject in respect of whose Personal Data the request is made. Foxglove bears no responsibility for information provided in good faith to Customer in reliance on this subsection. Customer shall cover all costs incurred by Foxglove in connection with its provision of such assistance;

(g) other than to the extent required to comply with applicable law, following termination or expiry of the Agreement or completion of the Service, at the choice of Customer, delete or return all Personal Data (including copies thereof) processed pursuant to this DPA;

(h) taking into account the nature of processing and the information available to Foxglove, provide such assistance to the Customer as the Customer reasonably requests in relation to Foxglove's obligations under Applicable Data Protection Laws with respect to: (1) data protection impact assessments and prior consultations (as such terms are defined in Applicable Data Protection Laws); (2) notifications to the supervisory authority under Applicable Data Protection Laws and/or communications to data subjects by the Customer in response to any Personal Data Breach; and (3) the Customer's compliance with its obligations under Applicable Data Protection Laws with respect to the security of processing; provided that the Customer shall cover all costs incurred by Foxglove in connection with its provision of such assistance; and

(i) notify Customer if, in Foxglove's opinion, any instructions provided by the Customer under clause 3.1(a) infringe Applicable Data Protection Laws, or if Foxglove otherwise makes a determination that it can no longer meet its obligations under Applicable Data Protection Laws

3.2 To the extent that Foxglove is processing Personal Data on behalf of the Customer within the scope of the CCPA, Foxglove makes the following additional commitments to Customer: Foxglove will not retain, use, or disclose that Personal Data for any purposes other than the purposes set out in the Agreement, DPA, and as permitted under the CCPA, including under any "sale" exemption. Foxglove will not "sell" or "share" such Personal Data, as those terms are defined in the CCPA. This clause 3.2 does not limit or reduce any data protection commitments Foxglove makes to Customer in the Agreement or this DPA.

3.3 Foxglove certifies that it understands and will comply with the obligations and restrictions in clauses 2 and 3, and the Applicable Data Protection Laws.

4. Subprocessing

4.1 Foxglove will disclose Personal Data to subprocessors only for the specific purpose of providing the Services.

4.2 Foxglove will ensure that any subprocessor it engages to provide an aspect of the Service on its behalf in connection with this DPA does so only on the basis of a written contract which imposes on such subprocessor terms (i.e., data protection obligations) that are no less protective of Personal Data than those imposed on Foxglove in this DPA (the "Relevant Terms"). Foxglove shall procure the performance by such subprocessor of the Relevant Terms and shall be liable to the Customer for any breach by such subprocessor of any of the Relevant Terms.

4.3 Customer grants a general written authorization: (a) to Foxglove to appoint its Affiliates as subprocessors, and (b) to Foxglove and its Affiliates to appoint business, technical, customer support, or other providers as subprocessors to support the performance of the Service.

4.4 Foxglove will maintain a list of subprocessors at https://foxglove.dev/legal/subprocessors and will add the names of new and replacement subprocessors to the list at least ten (10) days prior to the date on which those subprocessors commence processing of Personal Data. Customer, if it wishes, can subscribe to notifications of new subprocessors at https://foxglove.dev/legal/subprocessor-changes. If Customer objects to any new or replacement subprocessor on reasonable grounds related to data protection, it shall notify Foxglove of such objections in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith. If Foxglove is reasonably able to provide the Service to the Customer in accordance with the Agreement without using the subprocessor and decides in its discretion to do so, then Customer will have no further rights under this clause 4.4 in respect of the proposed use of the subprocessor. If Foxglove, in its discretion, requires use of the subprocessor and is unable to satisfy Customer's objection regarding the proposed use of the new or replacement subprocessor, then Customer may terminate the applicable Order Form effective upon the date Foxglove begins use of such new or replacement subprocessor solely with respect to the Service(s) that will use the proposed new subprocessor for the processing of Personal Data. If Customer does not provide a timely objection to any new or replacement subprocessor in accordance with this clause 4.4, Customer will be deemed to have consented to the subprocessor and waived its right to object.

5. Audit and records

5.1 Foxglove shall, in accordance with Applicable Data Protection Laws, make available to Customer such information in Foxglove's possession or control as Customer may reasonably request with a view to demonstrating Foxglove's compliance with the obligations of Processors under Applicable Data Protection Laws in relation to its processing of Personal Data.

5.2 Foxglove may fulfill Customer's right of audit under Applicable Protection Laws in relation to Personal Data, by providing:

(a) if available, an audit report not older than thirteen (13) months, prepared by an independent external auditor demonstrating that Foxglove's technical and organizational measures are sufficient and in accordance with an accepted industry audit standard;

(b) additional information in Foxglove's possession or control to a data protection supervisory authority when it requests or requires additional information in relation to the processing of Personal Data carried out by Foxglove under this DPA; and

(c) to the extent that Customer's Personal Data is subject to the EU SCCs and the information made available pursuant to this clause 5.2 is insufficient, in Customer's reasonable judgment, to confirm Foxglove's compliance with its obligations under this DPA or Applicable Data Protection Laws, then Foxglove shall enable Customer to request one audit per annual period during the term of the Agreement to verify Foxglove's compliance with its obligations under this DPA in accordance with clause 5.3.

5.3 The following additional terms shall apply to audits the Customer requests:

(a) Customer must send any requests for reviews of Foxglove's audit reports to privacy@foxglove.dev.

(b) Following receipt by Foxglove of a request for audit under clause 5.2(c), Foxglove and Customer will discuss and agree in advance on the reasonable start date, scope, duration of, and security and confidentiality controls applicable to any audit under clause 5.2(c). Whenever possible, evidence for such an audit will be limited to the evidence collected for Foxglove's most recent third-party audit.

(c) Foxglove may charge a fee (based on Foxglove's reasonable costs) for any audit under clause 5.2(c). Foxglove will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

(d) Foxglove may object in writing to an auditor appointed by Customer to conduct any audit under clause 5.2(c) if the auditor is, in Foxglove's reasonable opinion, not suitably qualified or independent, a competitor of Foxglove, or otherwise manifestly unsuitable (i.e., an auditor whose engagement may have a harmful impact on Foxglove's business comparable to the aforementioned aspects). Any such objection by Foxglove will require Customer to appoint another auditor or conduct the audit itself. If the EU SCCs (including as they may be amended in clause 6.2 below) applies, nothing in this clause 5.3 varies or modifies the EU SCCs nor affects any supervisory authority's or data subject's rights under the EU SCCs.

6. Data transfers from the EEA, Switzerland, and the UK

6.1 In connection with the Service, the parties anticipate that Foxglove (and its subprocessors) may process outside of the European Economic Area ("EEA"), Switzerland, and the United Kingdom, certain Personal Data protected by European Data Protection Laws in respect of which Customer or its Affiliates may be a Controller or Processor on behalf of a third-party Controller, as applicable.

6.2 The parties agree that when the transfer of Personal Data protected by European Data Protection Laws from Customer or its Affiliates to Foxglove is a Restricted Transfer, then the appropriate standard contractual clauses and additional safeguards shall apply as follows:

(a) EU Transfers: in relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:

(i) Module Two will apply where Customer (or its relevant Affiliate) is a Controller and Module Three will apply where Customer (or its relevant Affiliate) is a Processor;
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Clause 4.4 of this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the law of Ireland shall apply;
(vi) in Clause 18(b), disputes shall be resolved before the courts of the jurisdiction governing the Agreement or, if that jurisdiction is not an EU Member State, then the courts in Ireland. In any event, Clause 17 and 18(b) shall be consistent in that the choice of forum and jurisdiction shall fall on the country of the governing law;
(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Exhibit A; and
(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Exhibit B.
‍

(b) UK Transfers: in relation to Personal Data that is protected by the UK GDPR, the EU SCCs, completed as set out above in clause 6.2(a) of this DPA, shall apply to transfers of such Personal Data, except that:

(i) The EU SCCs shall be deemed amended as specified by the UK Addendum, which shall be deemed executed between the transferring Customer (or its relevant Affiliate) and Foxglove;
(ii) Any conflict between the terms of the EU SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum;
(iii) For the purposes of the UK Addendum, Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed using the information contained in the Exhibits of this DPA; and
(iv) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party."

(c) Swiss Transfers: in relation to Personal Data that is protected by the Swiss FADP (as amended or replaced), the EU SCCs, completed as set out about in clause 6.2(a) of this DPA, shall apply to transfers of such Personal Data, except that:

(i) the competent supervisory authority in respect of such Personal Data shall be the Swiss Federal Data Protection and Information Commissioner;
(ii) in Clause 17, the governing law shall be the laws of Switzerland;
(iii) references to "Member State(s)" in the EU SCCs shall be interpreted to refer to Switzerland, and data subjects located in Switzerland shall be entitled to exercise and enforce their rights under the EU SCCs in Switzerland; and
(iv) references to the "General Data Protection Regulation", "Regulation 2016/679" or "GDPR" in the EU SCCs shall be understood to be references to the Swiss FADP (as amended or replaced).

(d) The following terms shall apply to the EU SCCs (including as they may be amended under clauses 6.2(b)(ii) and 6.2(b)(iii) above):

(i) Customer may exercise its right of audit under the EU SCCs as set out in, and subject to the requirements of, clause 5 of this DPA; and
(ii) Foxglove may appoint subprocessors as set out in, and subject to the requirements of, clauses 4 and 6.3 of this DPA, and Customer may exercise its right to object to subprocessors under the EU SCCs in the manner set out in clause 4.4 of this DPA.

(e) In the event that any provision of this DPA contradicts, directly or indirectly, the EU SCCs (and the UK Addendum, as appropriate), the latter shall prevail.

6.3 In respect of Restricted Transfers made to Foxglove under clause 6.2, Foxglove shall not participate in (nor permit any subprocessor to participate in) any further Restricted Transfers of Personal Data (whether as an "exporter" or an "importer" of the Personal Data) unless such further Restricted Transfer is made in full compliance with Applicable Data Protection Laws and, if applicable, any EU SCCs and/or UK Addendum implemented between Customer and Foxglove.

7. Third Party Data Access Requests

7.1 If Foxglove becomes aware of any third party legal process requesting Personal Data that Foxglove processes on behalf of Customer in its role as Processor then Foxglove will: (a) immediately notify Customer of the request unless such notification is legally prohibited; (b) inform the third party that it is a Processor of the Personal Data and is not authorized to disclose the Personal Data without Customer's consent; (c) disclose to the third party the minimum necessary Customer contact details to allow the third party to contact the Customer and instruct the third party to direct its data request to Customer; and (d) to the extent Foxglove provides access to or discloses Personal Data in response to third party legal process either with Customer authorization or due to a mandatory legal compulsion, then Foxglove will disclose the minimum amount of Personal Data to the extent it is legally required to do so and in accordance with the applicable legal process.

7.2 In Foxglove's role as a Processor, it may be subject to third party legal process issued by a government authority (including a judicial authority) and requesting access to or disclosure of Personal Data. If Foxglove becomes aware of any third party legal process issued by a government authority (including a judicial authority) requesting Personal Data that Foxglove processes on behalf of Customer in its role as Processor then, to the extent that Foxglove reviews the request with reasonable efforts and as a result is able to identify that such third party legal process requesting Personal Data raises a conflict of law, Foxglove will: (a) take all actions identified in clause 7.1 above; (b) pursue legal remedies prior to producing Personal Data up to an appellate court level; and (c) not disclose Personal Data until (and then only to the extent) required to do so under applicable procedural rules.

7.3 Clauses 7.1 and 7.2 shall not apply in the event that Foxglove has a good-faith belief the government request is necessary due to an emergency involving the danger of death or serious physical injury to an individual. In such event, Foxglove shall notify Customer of the data disclosure as soon as possible following the disclosure and provide Customer with full details of the same, unless such disclosure is legally prohibited.

8. General

8.1 This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.

8.2 Foxglove's liability under or in connection with this DPA, including under the EU SCCs, is subject to the exclusions and limitations on liability contained in the Agreement. In no event does Foxglove limit or exclude its liability towards data subjects or competent data protection authorities.

8.3 Except where and to the extent expressly provided in the EU SCCs or required as a matter of Applicable Data Protection Laws, this DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.

8.4 This DPA and any action related thereto shall be governed by and construed in accordance with the laws as specified in the Agreement, without giving effect to any conflicts of laws principles. The parties consent to the personal jurisdiction of, and venue in, the courts specified in the Agreement.

8.5 If any provision of this DPA is, for any reason, held to be invalid or unenforceable, the other provisions of the DPA will remain enforceable. Without limiting the generality of the foregoing, Customer agrees that clause 8.2 (Limitation of Liability) will remain in effect notwithstanding the unenforceability of any provision of this DPA.

8.6 This DPA is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.

Exhibit A

The following includes the information required by Annex I and Annex III of the EU SCCs, and Appendix 1 of the UK SCCs.

1. The Parties

Data exporter(s):

Name: Customer, as stated and defined in the Agreement
Address: As stated in the Agreement
Contact person's name, position and contact details: As stated in the Agreement
Activities relevant to the data transferred under these Clauses: Use of the Service pursuant to the Agreement
Signature and date: This Exhibit A shall be deemed executed upon execution of the DPA
Role (controller/processor): Controller (or Processor on behalf of a third-party Controller)

Data importer(s):

Name: Foxglove Technologies Inc.
Address: 548 Market St #21536, San Francisco, CA 94104, United States
Email: privacy@foxglove.dev
Activities relevant to the data transferred under this DPA and the EU SCCs: Processing necessary to provide the Service to Customer, pursuant to the Agreement
Signature and date: This Exhibit A shall be deemed executed upon execution of the DPA
Role (controller/processor): Processor

2. Description of Data Processing and Transfer

Data Subjects	The data exporter may submit personal data to the data importer through its software, services, systems, products, and/or technologies, the extent of which is determined and controlled by the data exporter in compliance with applicable data protection laws and regulations, and which may include but is not limited to personal data relating to the following categories of data subjects: data exporter's employees, consultants, contractors, and/or agents.
Categories of Personal Data	Any Personal Data provided by Customer in order to provide the Services or as otherwise set forth in the Agreement or this DPA. Categories of Personal Data include, but are not limited to name, email, address, job title, unique identifiers, and IP address.
Special Category Personal Data (if applicable)	Customer is prohibited from providing sensitive data or special categories to Foxglove, including any data which discloses the criminal history of any persons.
Nature of the Processing	Foxglove will process Customer's Personal Data as necessary to provide the Services under the Agreement, in accordance with Customer's instructions as set forth in this DPA.
Purposes of Processing	To provide the Services under the Agreement.
Duration of Processing and Retention (or the criteria to determine such period)	As long as required (i) to provide the Services to Customer under the Agreement; (ii) for Foxglove's legitimate business needs; or (iii) by applicable law or regulation.
Frequency of the transfer	During the term of the Agreement on a periodic basis throughout the day and/or at the discretion of the customer.
Recipients of Personal Data Transferred to the Data Importer	See Authorized Subprocessors.

3. Competent Supervisory Authority

In respect of the EU SCCs, means the competent supervisory authority determined in accordance with Clause 13 of the EU SCCs.

In respect of the UK Addendum, means the UK Information Commissioner's Office.

Exhibit B

Description of the Technical and Organisational Security Measures implemented by the Data Importer

The following includes the information required by Annex II of the EU SCCs and Appendix 2 of the UK SCCs.

Technical and Organizational Security Measure	Details
Measures of pseudonymisation and encryption of personal data	Foxglove has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Databases housing sensitive Customer Data are encrypted at rest. Foxglove uses only recommended secure cipher suites and protocols to encrypt all traffic in transit and Customer Data is securely encrypted with strong ciphers and configurations when at rest.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services	Foxglove's customer agreements contain strict confidentiality obligations. Additionally, Foxglove requires every downstream subprocessor to sign confidentiality provisions that are substantially similar to those contained in Foxglove's customer agreements. Foxglove has undergone a SOC 2 Type II audit that includes the Security and Processing Integrity Trust Service Criteria.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident	Daily, weekly and monthly backups of production datastores are taken. Backups are periodically tested in accordance with information security and data management policies.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing	Foxglove has undergone a SOC 2 Type II audit that includes the Security and Processing Integrity Trust Service Criteria.
Measures for user identification and authorization	Foxglove uses secure access protocols and processes and follows industry best-practices for authentication, including Multifactor Authentication and Single Sign On (SSO). All production access requires the use of two-factor authentication, and network infrastructure is securely configured to vendor and industry best practices to block all unnecessary ports, services, and unauthorized network traffic.
Measures for the protection of data during transmission	Foxglove has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Foxglove uses only recommended secure cipher suites and protocols to encrypt all traffic in transit (i.e. TLS 1.2+).
Measures for the protection of data during storage	Encryption-at-rest is automated using Google Cloud Platform's transparent disk encryption, which uses industry standard AES-256 encryption to secure all volume (disk) data. All keys are fully managed by Google.
Measures for ensuring physical security of locations at which personal data are processed	All Foxglove processing occurs in physical data centers that are managed by Google.
Measures for ensuring events logging	Foxglove monitors access to applications, tools, and resources that process or store Customer Data, including cloud services. Monitoring of security logs is managed by the security and engineering teams. Log activities are investigated when necessary and escalated appropriately.
Measures for ensuring system configuration, including default configuration	Foxglove adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems. All production changes are automated through CI/CD tools to ensure consistent configurations.
Measures for internal IT and IT security governance and management	Foxglove maintains a risk-based information security governance program. The framework for Foxglove's security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data.
Measures for certification/assurance of processes and products	Foxglove undergoes annual SOC 2 Type II audits.
Measures for ensuring data minimization	Foxglove's customers unilaterally determine what Personal Data they route through the Services. As such, Foxglove operates on a shared responsibility model. Additionally, Foxglove has built in self-service functionality to the Services that allows customers to delete Personal Data at their discretion.
Measures for ensuring data quality	Foxglove has a multi-tiered approach for ensuring data quality. These measures include: (i) unit testing to ensure quality of logic used to process API calls, (ii) database schema validation rules which execute against data before it is saved to our database, (iii) a schema-first REST API design and strong typing to enforce a strict contract between official clients and APIs. Foxglove applies these measures across the board, both to ensure the quality of any Usage Data that Foxglove collects and to ensure that the Services are operating within expected parameters. Foxglove ensures that data quality is maintained from the time a Customer sends Customer Data into the Services and until that Customer Data is presented or exported.
Measures for ensuring limited data retention	Foxglove's customers unilaterally determine what Personal Data they route through the Services. As such, Foxglove operates on a shared responsibility model. If a customer is unable to delete Personal Data via the self-services functionality of the Services, then Foxglove deletes Personal Data upon the customer's written request, within the timeframe specified in the DPA and in accordance with Applicable Data Protection Law. All Personal Data is deleted from the Services or anonymized following service termination.
Measures for ensuring accountability	Foxglove has adopted measures for ensuring accountability, such as implementing data protection and information security policies across the business, recording and reporting Security Incidents involving Personal Data, and formally assigning roles and responsibilities for information security and data privacy functions. Additionally, Foxglove conducts regular third-party audits to ensure compliance with our privacy and security standards.
Measures for allowing data portability and ensuring erasure	All Personal Data in the Services may be deleted by the Customer or at the Customer's request. Personal Data is incidental to Foxglove's Services. Based on Privacy by Design and Data Minimization principles, Foxglove severely limits the instances of Personal Data collection and processing within the Services. Most use cases for porting Personal Data from Foxglove are not applicable. However, Foxglove will respond to all requests for data porting in order to address Customer needs.
Technical and organizational measures of subprocessors	Foxglove enters into Data Processing Agreements with its Authorized Subprocessors with data protection obligations substantially similar to those contained in this DPA.