GDPR - Data processing agreement addendum

Last revised: October 11, 2023
Effective date: December 8, 2022

THIS EUROPEAN DATA PROCESSING ADDENDUM (“European DPA”) is entered into as of the ________ by and between: (1) Bubble Group, Inc., a Delaware corporation with its principal business address at 22 W 21st Street, 2nd Floor, New York, NY 10010 (“Bubble”); and (2) ________________________  the entity or other person who is a counterparty to the Agreement (as defined below) into which the European DPA is incorporated and forms a part (“Customer”), together the “Parties” and each a “Party”.

1. DEFINITIONS
Unless expressly stated otherwise, capitalized terms used in the European DPA have the meanings given below or, if not defined, have the meanings given in the Agreement.  References to “including” mean “including, without limitation”.

1.1 “Addendum Effective Date” means the effective date of the Agreement.

1.2 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.

1.3 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.4 “Data Subject” means the identified or identifiable natural person to whom European Customer Data relates.

1.5 “Data Subject Request” means the request of a Data Subject to exercise rights under European Data Protection Laws in respect of European Customer Data in Bubble’s possession, custody or control.

1.6 “EEA” means the European Economic Area.

1.7 “European Customer Data” means Personal Data of Data Subjects in the EEA, United Kingdom, or Switzerland Processed by Bubble or its Subprocessor(s) on behalf of Customer, or otherwise required to be Processed under and subject to European Data Protection Laws, to perform the Services under the Agreement.

1.8 “European Data Protection Laws” means the privacy, data protection and data security laws and regulations applicable to the Processing of European Customer Data in the EEA, United Kingdom and/or Switzerland under the Agreement, including the GDPR.

1.9 “FADP” means the Federal Act on Data Protection of 19 June 1992 and, as and when it enters into force on 1 January 2023, its revised version of 25 September 2020.

1.10 “FDPIC” means Swiss Federal Data Protection and Information Commissioner.

1.11 “GDPR” means, as and where applicable to Processing concerned (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”), (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii), any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any replacement, successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.

1.12 “Personal Data” means information that relates to an identified or identifiable Data Subject.

1.13 “Personal Data Breach” means a breach of Bubble’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, European Customer Data in Bubble’s possession, custody or control.

1.14 “Process” and inflections thereof refer to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction.

1.15 “Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
 
1.16 “Restricted Transfer” means any disclosure, grant of access, or other transfer of European Customer Data to any person located in (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission described in Chapter 45 of the GDPR (an “EU Restricted Transfer”), (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), and (iii) in the context of Switzerland, a country or territory outside of Switzerland which does not benefit from an adequacy decision from the Swiss Government (a “Swiss Restricted Transfer”), in each case, which would be prohibited without a legal basis under the GDPR.
 
1.17 “SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.

“Services” means those services performed for Customer by Bubble pursuant to the Agreement.

“Subprocessor” means any third party engaged directly or indirectly by or on behalf of Bubble to Process European Customer Data.
 
1.18 “Supervisory Authority” means (i) in the context of the EEA and the EU GDPR, “supervisory authority” as defined in the EU GDPR; (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office; and (iii) in the context of Switzerland and the FADP, means the FDPIC.
 
1.19 “Transfer Mechanism(s)” means the SCCs, UK Transfer Addendum, and/or Swiss transfer mechanism; as applicable to the relevant Restricted Transfer.

1.20 “UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO under s119A of the Data Protection Act 2018, in force from 21 March 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).
 

2. SCOPE OF THIS DATA PROCESSING ADDENDUM
 
2.1 The Parties acknowledge and agree that the details of Bubble’s Processing of European Customer Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 to the European DPA.
 
2.2 The European DPA applies to Bubble’s Processing of European Customer Data. For the avoidance of doubt, the European DPA does not apply to Bubble’s Processing of Personal Data that does not constitute European Customer Data, and/or any other Processing of Personal Data with respect to Customer and Customer’s users conducted by Bubble as a Controller, including business relationship administration and system security.
 

3. PROCESSING OF CUSTOMER PERSONAL DATA
 
3.1 Bubble shall not Process European Customer Data other than on Customer’s instructions or as required by applicable laws.  Customer instructs Bubble to Process European Customer Data to provide the Services and as authorized by the Agreement.  The Agreement is a complete expression of such instructions, and Customer’s additional instructions will be binding on Bubble only pursuant to an amendment to the European DPA signed by both parties. Where Bubble receives an instruction from Customer that, in its reasonable opinion, infringes European Data Protection Laws, Bubble shall notify Customer.
 
3.2 The Parties acknowledge that Bubble’s Processing of European Customer Data authorized by Customer’s instructions stated in the European DPA are integral to the Services and the business relationship between the Parties. Access to Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.
 

4. BUBBLE PERSONNEL

Bubble shall ensure that all Bubble employees or other personnel who Process European Customer Data are subject to contractual or appropriate statutory obligations of confidentiality with respect to such European Customer Data.
 

5. SECURITY

Bubble shall implement and maintain technical, organizational and physical measures designed to protect the confidentiality, integrity and availability of European Customer Data and prevent Personal Data Breaches.  Such measures shall include the measures described in Annex 2 of the European DPA (the “Security Measures”) and such other measures as are required by European Data Protection Laws. Bubble may update the Security Measures from time to time, so long as the updated measures do not decrease in the aggregate the protection of Personal Data.
 

6. RESTRICTED TRANSFERS
 
6.1 General. Where Bubble is certified under a scheme (such as the EU–U.S. Data Privacy Framework, UK Extension and/or Swiss–U.S. Data Privacy Framework (as applicable)) that benefits from an adequacy decision of the EU Commission, UK Government and/or Swiss authorities (as applicable), Bubble will rely on such scheme and corresponding adequacy decision for transfers of European Customer Data. As soon as and as long as Bubble relies on such scheme and corresponding adequacy decision for transfers of Personal Data, the Transfer Mechanism(s) and corresponding obligations, such as the performance of a transfer impact assessment, shall not apply. In case Bubble withdraws from such scheme, the corresponding adequacy decision is invalidated, and/or such scheme does not otherwise apply to a transfer of European Customer Data, Customer and Bubble shall, only if and to the extent permitted and required under the GDPR and/or FADP (if and as applicable) to establish a valid basis under the GDPR and/or the FADP in respect of a Restricted Transfer, be deemed to have automatically (i) in case of an EU Restricted Transfer, entered into Module 2 and 3 (as applicable) of the SCCs by reference and shall comply with their respective obligations set out in the SCCs; and (ii) in case of a UK Restricted Transfer, entered into the SCCs varied to address the requirements of the UK GDPR in accordance with the UK Transfer Addendum; and (iii) in case of a Swiss Restricted Transfer, entered into the SCCs varied to address the requirements under the FADP. Where requested by Bubble, Customer shall provide executed versions of the relevant set(s) of SCCs and undertakes to agree in good faith on additional supplementary measures.
 
6.2 Where the SCCs apply to a Restricted Transfer in accordance with Section 6.1, the following shall apply to the SCCs and the Clauses thereof: (i) the optional ‘Docking Clause’ in Clause 7 is not used, (ii) in Clause 9, “option 2: general written authorisation” applies and shall be populated with the respective and corresponding information from section 9 of this European DPA, (iii) in Clause 11, the optional language is not used and is deleted, (iv) in Clause 13, all square brackets are removed and all text therein is retained and for the Annexes to the SCCs the supervisory authority shall be the competent supervisory authority that has supervision over the Customer in accordance with Clause 13, (v) in Clause 17, “option 1” applies, and for Clauses 17 and 18, the laws and courts of Ireland shall be selected, and (vi) the Annexes to the SCCs are populated with the respective and corresponding information detailed in Annex 1 (Data Processing Details) and Annex 2 (Security Measures) to this European DPA and the Subprocessor Site.
 
6.3 The SCCs as completed and populated as above shall be varied with respect to:

 (a) UK Restricted Transfers by the UK Transfer Addendum in the following manner: (i) Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Section 6.2, (ii) Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked, and (iii) in Part 2 to the UK Transfer Addendum, the Parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum; and

 (b) Swiss Restricted Transfers by the FADP in the following manner: (i) the Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for Swiss Restricted Transfers exclusively subject to the FADP, (ii) the terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the SCCs shall be interpreted to include the FADP with respect to Swiss Restricted Transfers, (iii) references to Regulation (EU) 2018/1725 are removed, (iv) references to the “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the SCCs, (v) where Swiss Restricted Transfers are exclusively subject to the FADP, all references to the GDPR in the SCCs are to be understood to be references to the FADP, (vi) where Swiss Restricted Transfers are subject to both the FADP and the GDPR, all references to the GDPR in the SCCs are to be understood to be references to the FADP insofar as the Swiss Restricted Transfers are subject to the FADP, (vii) the SCCs as amended by this DPA also protect the Personal Data of legal entities until the entry into force of the Revised FADP.
 

7. DATA SUBJECT REQUESTS
 
7.1 Bubble, taking into account the nature of the Processing of European Customer Data, shall provide Customer with such assistance by appropriate technical and organizational measures as Customer may reasonably request to assist Customer in fulfilling its obligations under European Data Protection Laws to respond to Data Subject Requests.
 
7.2 Bubble shall promptly notify Customer if it receives a Data Subject Request and not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except as required by European Data Protection Laws.
 

8. PERSONAL DATA BREACHES
 
8.1 Bubble shall notify Customer of a Personal Data Breach without undue delay after becoming aware of the occurrence thereof. Bubble’s notification of or response to a Personal Data Breach will not be construed as Bubble’s acknowledgement of any fault or liability with respect to the Personal Data Breach.
 
8.2 If Customer determines that a Personal Data Breach must be notified to any Supervisory Authority or other governmental authority, any Data Subject(s), the public or others under European Data Protection Laws in a manner that directly or indirectly refers to or identifies Bubble, where permitted by applicable laws, Customer agrees to notify Bubble in advance and in good faith consult with Bubble and consider any clarifications or corrections Bubble may reasonably recommend or request to any such notification.
 

9. SUB-PROCESSING
 
9.1 Customer generally authorizes Bubble to appoint Subprocessors in accordance with this Section 9. Without limitation to the foregoing, Customer authorizes the engagement of the Subprocessors listed as of the effective date of the Agreement at the URL specified in Section 9.2.
 
9.2 Information about Subprocessors, including their functions and locations, is available at: https://bubble.io/subprocessors (as may be updated by Bubble from time to time) or such other website address as Bubble may provide to Customer from time to time (the “Subprocessor Site”).
 
9.3 When engaging any Subprocessor, Bubble will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in the European DPA with respect to European Customer Data to the extent applicable to the nature of the services provided by such Subprocessor.  Bubble shall be liable for all obligations under the Agreement subcontracted to the Subprocessor or its actions and omissions related thereto.
 
9.4 When Bubble engages any Subprocessor after the effective date of the Agreement, Bubble will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor Site or by other written means at least thirty (30) days before such Subprocessor Processes European Customer Data.  If Customer objects to such engagement in a written notice to Bubble within ten (10) days after being notified of the engagement on reasonable grounds relating to the protection of Personal Data, Customer and Bubble will work together in good faith to consider a mutually acceptable resolution to such objection.  If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Bubble and pay Bubble for all amounts due and owing under the Agreement as of the date of such termination.
 

10. COMPLIANCE ASSISTANCE; AUDITS
 
10.1 Bubble, taking into account the nature of the Processing and the information available to Bubble, shall provide such information and assistance as Customer may reasonably request (insofar as such information is available to Bubble and the sharing thereof does not compromise the security, confidentiality, integrity or availability of Personal Data Processed by Bubble) to help Customer meet its obligations under European Data Protection Laws, including in relation to the security of European Customer Data, the reporting and investigation of Personal Data Breaches, the demonstration of Customer’s compliance with such obligations, and the performance of any data protection assessments and consultations with Supervisory Authorities or other government authorities regarding such assessments in relation to Bubble’s Processing of European Customer Data, including those required under Articles 35 and 36 of the GDPR.
 
10.2 Bubble shall make available to Customer such information as Customer may reasonably request for Bubble to demonstrate compliance with European Data Protection Laws and the European DPA in relation to Bubble’s Processing of European Customer Data. Without limitation of the foregoing, Customer may conduct (in accordance with Section 10.3), at its sole cost and expense, and Bubble will reasonably cooperate with, reasonable audits (including inspections, manual reviews, and automated scans and other technical and operational testing that Customer is entitled to perform under European Data Protection Laws), in each case, whereby Customer or a qualified and independent auditor appointed by Customer using an appropriate and accepted audit control standard or framework may audit Bubble’s technical and organizational measures in support of such compliance and the auditor’s report is provided to Customer and Bubble upon Customer’s request.
 
10.3 Customer shall give Bubble reasonable advance notice of any such audits.  Bubble need not cooperate with any audit (a) performed by any individual or entity who has not entered into a non-disclosure agreement with Bubble on terms acceptable to Bubble in respect of information obtained in relation to the audit; (c) outside normal business hours; or (d) on more than one (1) occasion in any calendar year during the term of the Agreement, except for any additional audits that Customer is required to perform under European Data Protection Laws.  The audit must be conducted in accordance with Bubble’s safety, security or other relevant policies, must not impact the security, confidentiality, integrity or availability of any data Processed by Bubble and must not unreasonably interfere with Bubble’s business activities.  Customer shall not conduct any scans or technical or operational testing of Bubble’s applications, websites, Services, networks or systems without Bubble’s prior approval.
 
10.4 If the controls or measures to be assessed in the requested audit are assessed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified and independent third-party auditor pursuant to a recognized industry standard audit framework within twelve (12) months of Customer’s audit request (“Audit Report”) and Bubble has confirmed in writing that there have been no known material changes to the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit under Section 10.3. Bubble shall provide copies of any such Audit Reports to Customer upon request.
 
10.5 Such Audit Reports and any other information obtained by Customer in connection with an audit under this Section 10 shall constitute confidential information of Bubble, which Customer shall use only for the purposes of confirming compliance with the requirements of the European DPA or meeting Customer’s obligations under European Data Protection Laws. Nothing in this Section 10 shall be construed to obligate Bubble to breach any duty of confidentiality.
 

11. RETURN AND DELETION
 
11.1 Upon expiration or earlier termination of the Agreement, Bubble shall return and/or delete all European Customer Data in Bubble’s care, custody or control in accordance with Customer’s instructions as to the post-termination return and deletion of Customer Data expressed in the Agreement, or, subject to Section 12.5, Customer’s further instructions.
 
11.2 Notwithstanding the foregoing, Bubble may retain European Customer Data where required by applicable laws, provided that Bubble shall (a) maintain the confidentiality of all such European Customer Data and (b) Process the European Customer Data only as necessary for the purpose(s) and duration specified in the applicable law requiring such retention.
 

12. CUSTOMER RESPONSIBILITIES
 
12.1 Customer agrees that, without limiting Bubble’s obligations under Section 5, Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Bubble uses to provide the Services; and (d) backing up Customer Data.
 
12.2 Customer shall ensure that there is, throughout the term of the Agreement, a valid legal basis for Bubble’s Processing of European Customer Data in accordance with the Agreement for the purposes of European Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR where applicable).  Customer shall ensure (and is solely responsible for ensuring) that all required notices have been given to, and all consents and permissions have been obtained from, Data Subjects and others as are required, including under European Data Protection laws, for Bubble to Process European Customer Data as contemplated by the Agreement.
 
12.3 Customer agrees that the Service, the Security Measures, and Bubble’s commitments under the European DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under European Data Protection Laws, and provide a level of security appropriate to the risk in respect of the European Customer Data.
 
12.4 Customer shall ensure that European Customer Data made available to Bubble for Processing does not contain any (a) Social Security numbers or other government-issued identification numbers; (b) biometric information; (c) passwords to any online accounts; (d) credentials to any financial accounts; (e) tax return data; (f) any payment card information subject to the Payment Card Industry Data Security Standard; (g) Personal Data of children under 16 years of age; (h) data relating to criminal convictions and offences or related security measures; or (i) information that constitutes special categories of personal data (as defined in the GDPR) or information of a similarly sensitive character regulated by European Data Protection Laws.
 
12.5 Except to the extent prohibited by applicable law, Customer shall compensate Bubble at Bubble’s then-current professional services rates for, and reimburse any costs reasonably incurred by Bubble in the course of providing, cooperation, information or assistance requested by Customer pursuant to Sections 6, 10 and 11.1 of the European DPA beyond Bubble’s provision of any self-service tools as part of the Services that Customer can use to obtain the requested cooperation, information or assistance.
 

13. PRECEDENCE

In the event of any conflict or inconsistency between (a) the European DPA and the Agreement, the European DPA shall prevail; (b) the European DPA and any other agreement made between the parties as relates to Personal Data, the European DPA shall prevail.


Annex 1 - Data Processing Details

CUSTOMER / ‘DATA EXPORTER’ DETAILS

Name:
Customer Activities: The use and receipt of Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations
Role:
 (a) Controller – in respect of any Processing of Customer Personal Data in respect of which Customer is a Controller in its own right, Module Two of the SCCs would apply; and
 (b) Processor – in respect of any Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person (including its Affiliates if and where applicable), Module Three of the SCCs would apply.


BUBBLE / ‘DATA IMPORTER’ DETAILS

Name: Bubble Group, Inc.
Contact details for data protection: [email protected]
Customer Activities: Visual programming tool and cloud platform
Role: Processor


DETAILS OF PROCESSING

Categories of Data Subjects: Any individuals whose Personal Data is comprised within data submitted to the Services by or on behalf of Customer under the Agreement, which will be as determined by Customer in its sole discretion through its use of the Services – but may include Customer’s and its Affiliates’:
 
1. “Staff”, namely:
 (a) employees and non-employee workers;
 (b) students, interns, apprentices and volunteers;
 (c) directors and officers;
 (d) advisers, consultants, independent contractors, agents and autonomous, temporary or casual workers.
 
2. Customers, clients, (sub-)licensees, users and end-users, website visitors and marketing prospects.
 
3. Suppliers, service providers, consultants, advisers and other providers of goods or services.
 
4. Distributors, resellers, sales agents, introducers, sales representatives, collaborators, joint-venturers and other commercial partners.
 
5. Shareholders, partners, members and supporters.
 
6. Advisers, consultants and other professionals and experts.

Where any of the above is a business or organisation, it includes their Staff.

Each category includes current, past and prospective Data Subjects.

Categories of Personal Data: Any Personal Data comprised within data submitted to the Services by or on behalf of Customer under the Agreement, which will be as determined by Customer in its sole discretion through its use of the Services – but may include:
 
1. Personal details, including any information that identifies the Data Subject and their personal characteristics, including: name, address, contact details (including email address, telephone details and other contact information), age, date of birth, sex, and physical description.
 
2. Technological details, such as internet protocol (IP) addresses, unique identifiers and numbers (including unique identifier in tracking cookies or similar technology), pseudonymous identifiers, precise and imprecise location data, internet / application / program activity data, and device IDs and addresses.

Sensitive Categories of Data, and associated additional restrictions/safeguards:

Categories of sensitive data: None – as noted in Section 12.4 of the DPA, Customer agrees that Restricted Data, which includes ‘sensitive data’, must not be submitted to the Services.

Additional safeguards for sensitive data: N/A

Frequency of transfer: Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services.

Nature of the Processing: Processing operations required in order to provide the Services in accordance with the Agreement.

Purpose of the Processing: European Customer Data will be Processed: (i) as necessary to provide the Services as initiated by Customer in its use thereof, and (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.

Duration of Processing / Retention Period: For the period determined in accordance with the Agreement and DPA.

Transfers to (sub)processors: Transfers to Subprocessors are as, and for the purposes, described from time to time in the Subprocessor Site (as may be updated from time to time in accordance with Section 9.4 of the DPA).


Annex 2 – Security Measures

Bubble agrees to implement and maintain the following Security Measures:
 
1. In the software development lifecycle, a code review process for all production code changes, prior to release; code analysis tools to detect security and vulnerability defects; automated and manual vulnerability testing including OWASP top ten testing; continuous monitoring; and automatic network vulnerability detection software to catch vulnerabilities in real time.
 
2. No direct access to virtual machines for tenants, nor the ability for Bubble to host client virtual machine images.
 
3. Encryption of all data sent across public networks except as specifically requested by our users, and use of SSH for replication over public networks.
 
4. Reliance on Amazon Web Services for physical security and physical handling of servers, to which Bubble employees do not have physical access.
 
5. An annual internal audit that includes identifying and prioritizing security, privacy, legal, and business continuity risks, as well as a review of our business processes and governance, conducted by company executives representing legal, IT security, IT operations and business continuity planning concerns.
 
6. Security incident response process defining procedures for notifying customers if an incident may have impacted their data.
 
7. Documented procedures for authenticating customer access.
 
8. Logical segmentation to ensure customers can only access their own data; there are no scenarios where customers are given general systems access beyond specifically granted access to their data. In addition, for customers on dedicated Bubble clusters, physical segmentation from other customer data as well.
 
9. Classifying all data provided by our customers and their users as secure by default; users are given tools for implementing their own classification standards and enforcing appropriate levels of access controls via our Privacy Rules functionality.
 
10. Procedures governing use of production data, enforced by controls including auditing and technical safeguards; use of production data on a strictly as-needed basis for diagnosing issues as requested by clients; and policies governing the circumstances in which production data can be used in this manner.
 
11. Company policies in place around handling of employee laptops, including HR termination processes involving revoking all access and collecting all assets within 24 hours.
 
12. Training for all Bubble employees around their job duties and the security obligations inherent in those roles; and mandatory two-factor authentication for all Bubble employees.
 
13. Procedures to identify, assess and mitigate any reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of systems or files containing European Customer Data and evaluate and improve safeguards as necessary.