This Data Security Policy (“Policy”) applies to your (“Customer’s”) use of all Tangram Services (as defined below) offered by Tangram Flex, Inc. (“Tangram”). Tangram may modify this Policy at any time by posting a revised version on the Tangram website or via a banner notification in the Tangram software product, as applicable. If Customer violates this Policy or authorize or help others to do so, Tangram may suspend or terminate Customer’s use of the Tangram Services.


‍1. Definitions

‍Capitalized terms used herein shall have the meanings set forth in this Section 1.
‍
A. “Agreement” means the Software License Agreement and any other agreement or contract entered intobetween Tangram and Customer that is governed by or otherwise incorporates this Policy.

B. “Authorized Persons” means Tangram’s employees, contractors, agents, and auditors who have a need to know or otherwise access Personal Information to enable Tangram to perform its obligations under the Agreement, and who are bound by confidentiality and other obligations sufficient to protect Personal Information in accordance with the terms and conditions of the Agreement and this Policy.

C. “Personal Information” means information that Customer provides or for which Customer provides access to Tangram, or information which Tangram creates or obtains on behalf of Customer, in accordance with the Agreement that: (i) directly or indirectly identifies an individual; or (ii) can be used to authenticate an individual. Customer’s business contact information is not by itself Personal Information.

D. “Security Incident” means any act or omission that materially compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place by Tangram (or any Authorized Persons), or by Customer should Tangram have access to Customer’s systems, that relate to the protection of the security, confidentiality, or integrity of Personal Information, or (ii) receipt of a complaint in relation to the privacy and data security practices of Tangram (or any Authorized Persons) or a breach or alleged breach of the Agreement or this Policy relating to such privacy and data security practices.

E. “Tangram Services” means any product, software, and/or service provided by Tangram to Customer under or in connection with any Agreement.


‍2. Tangram and Customer Obligations

A. Tangram will:

• (i) comply with the terms and conditions set forth in this Policy
• (ii) be responsible for any unauthorized creation, collection, receipt, transmission, access, storage, disposal, use, or disclosure of Personal Information under its control or in its possession by all Authorized Persons.
• (iii) not disclose Personal Information to any person other than its Authorized Persons without Customer’s prior written consent unless required by applicable law.
• (iv) use and disclose Personal Information only for the purposes for which Customer provides the Personal Information, or access to it, pursuant to the terms and conditions of the Agreement, and not use or otherwise disclose or make available Personal Information for Tangram’s own purposes without Customer’s prior written consent. Tangram may aggregate, de-identify, or anonymize Personal Information and use such aggregated, de- identified, or anonymized data, which shall no longer be considered Personal Information, for its own research and development purposes.

B. Customer will:

• (i) comply with the terms and conditions set forth in the Agreement and this Policy.
• (ii) be responsible for any unauthorized creation, collection, receipt, transmission, access, storage, disposal,use, or disclosure of Personal Information under its control or in its possession.
• (iii) comply with any applicable laws and regulations and use only secure methods, according to accepted industry standards, when transferring or otherwise making available Personal Information to Tangram.
• (iv) provide written notice to Tangram if any information Customer provides to Tangram under the Agreement contains Personal Information. Tangram will not be responsible for determining on its own that any information Customer provides under the Agreement qualifies as Personal Information.
• (v) comply with all restrictions contained in the Agreement and any other restrictions imposed in connection with the Tangram’s products and/or services.
• (vi) properly configure and use Tangram’s products and/or services and take all reasonable steps to maintain appropriate security, protection, and backup of Customer’s content, information, and data, which may include the use of encryption technology to protect such content, information, and data from unauthorized access and routinely archiving such content, information, and data. Where configurable or optional, security controls (such as encryption) are offered as part of the Tangram Services, Customer is responsible for configuring or enabling those controls. Customer accepts responsibility for determining whether the security controls applied to Customer’s systems and data are sufficient for Customer’s requirements.

3. Information Security

‍A. Tangram will comply with applicable laws and regulations in its creation, collection, receipt, access, use, storage,disposal, and disclosure of Personal Information.

B. If, in the course of its performance under the Agreement, Tangram has access to or will collect, access, use, store, process, dispose of, or disclose credit, debit, or other payment cardholder information on Customer’s behalf, Tangram will comply with the Payment Card Industry Data Security Standard requirements, as applicable.


‍4. Security Incident Procedures

‍A. Tangram will notify Customer of a Security Incident as soon as reasonably practicable after Tangram becomes aware of it.

B. Immediately following Tangram’s notification to Customer of a Security Incident, the parties will coordinate with each other, as necessary, to investigate the Security Incident.

C. Tangram and Customer each agrees that it will not inform any third party of any Security Incident without the other party’s prior consent, other than to inform a complainant that the matter has been forwarded to the other party’s legal counsel.


‍5. Return or Disposal of Personal Information.

‍On the termination or expiration of the Agreement, Tangram will securely dispose of all Personal Information in its possession or in the possession of Authorized Persons. If Tangram is not reasonably able to dispose of Personal Information, including, but not limited to, Personal Information stored on backup media, Tangram will continue to protect such Personal Information in accordance with the terms of the Agreement until such time that it can reasonably return or securely dispose of such Personal Information.