Data Processing Agreement 

This Data Processing Agreement and its Annexes (“DPA”) is incorporated into and forms part of the Terms of Service (the “Agreement”) between (“Customer,” “you,” or “your”) and Malachyte, Inc. (“Malachyte,” “we,” “our,” or “us”) (each, a “Party” and collectively, the “Parties”).

This DPA reflects the parties’ agreement with respect to the Processing of Personal Data by us as a Processor on your behalf. In case of any conflict or inconsistency between this DPA and the Agreement, this DPA will take precedence over other terms in the Agreement to the extent of such conflict or inconsistency. We update these terms from time to time.

  1. Interpretation and Definitions

    1. Unless otherwise defined herein, all capitalized words and expressions will have the same meanings assigned in the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement, the terms of this DPA shall control to the extent of any conflict or inconsistency.

    2. “Affiliate” means with respect to any entity, any other entity that, directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with, such entity. The term “control” means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through the ownership of voting securities, by contract, or otherwise.

    3. “Applicable Data Protection Laws” means, as applicable, (i) State Data Protection Laws; (ii) European Data Protection Laws; and/or (iii) any other laws, rules, and regulations relating to the privacy, security, protection, and/or Processing of Personal Data, in each case as amended, superseded, or replaced.

    4. “Authorized User” means any natural person that is authorized by Malachyte and/or a Malachyte Affiliate to Process Personal Data on Malachyte’s behalf pursuant to the Agreement and this DPA.

    5. “Data Subject” means any natural person who can be identified, directly or indirectly, by reference to that person’s Personal Data including, as applicable, “Consumers” as defined under Applicable Data Protection Laws.

    6. “Data Subject Rights” means certain rights granted to Data Subjects under Applicable Data Protection Laws regarding their own Personal Data.

    7. “DP Regulator” means any local, state, provincial, national or multinational governmental or supervisory authority or regulatory body with competent jurisdiction to promulgate, administer, and/or enforce Applicable Data Protection Laws.

    8. “European Data Protection Law(s)” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“EU GDPR”); (ii) all laws relating to data protection, the Processing of personal data, privacy and/or electronic communications in force from time to time in the United Kingdom including the U.K. Data Protection Act 2018, Privacy and Electronic Communications (EC Directive) Regulations 2003 and the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR”) (collectively with the EU GDPR, the “GDPR”); (iii) the EU e-Privacy Directive (2002/58/EC); (iv) any national data protection laws made under or pursuant to (i), (ii) or (iii); and (v) the Swiss Federal Data Protection Act (“Swiss DPA”), in each case as superseded, amended or replaced, provided that, in the event of a conflict in the meanings of defined terms in the European Data Protection Laws, the meaning from the law applicable to the location of the relevant Data Subject shall apply.

    9. “Person” means, as applicable, any natural person, corporation, limited liability company, general partnership, limited partnership, proprietorship, other business organization, trust, union, association, or governmental authority.

    10. “Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person, or as otherwise defined in Applicable Data Protection Laws, that is Processed by or on behalf of Malachyte in connection with the Agreement.

    11. “Process,” “Processing,” or “Processed” means any operation or set of operations that is or may be performed on Personal Data (whether or not by automated means), or as otherwise defined in Applicable Data Protection Laws.

    12. “Restricted Transfer” means (i) where the EU GDPR applies, a transfer of Personal Data from the European Economic Area (“EEA”) to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to the UK GDPR; (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not subject to an adequacy decision by the Swiss Federal Data Protection and Information Commissioner; or (iv) as otherwise defined in Applicable Data Protection Laws.

    13. “Security Incident” or “Data Breach” means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data, or as otherwise defined in Applicable Data Protection Laws.

    14. “Standard Contractual Clauses” means, where the EU GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Module II: Controller to Processor) (“EU SCCs”), as supplemented by this DPA.

    15. “State Data Protection Laws” means, collectively, all U.S. state data protection laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the Processing of Personal Data related to Consumers and/or Households including, but not limited to, the following: (i) California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (California Civil Code §§ 1798.100 to 1798.199) (“CPRA”); (ii) Colorado Privacy Act (Colorado Rev. Stat. §§ 6-1-1301 to 6-1-1313) (“ColoPA”); (iii) Connecticut Personal Data Privacy and Online Monitoring Act (Public Act No. 22-15) (“CPOMA”); (iv) Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 to 13-61-404) (“UCPA”); and (v) Virginia Consumer Data Protection Act (Virginia Code Ann. §§ 59.1-575 to 59.1-585) (“VCDPA”), in each case as superseded, amended, or replaced, provided that, in the event of a conflict or inconsistency in the meanings of defined terms in the State Data Protection Laws, the meaning from the law applicable to the state of residence of the relevant Consumer, or the state where the relevant Household is located, shall apply.

    16. “Subprocessor” means any Person (including Malachyte Affiliate(s)) engaged directly or indirectly by Malachyte to Process any Personal Data relating to the Agreement and this DPA. The term “Subprocessor” shall also include any Person engaged directly or indirectly by a Subprocessor to Process any Personal Data relating to the Agreement and this DPA.

    17. “Technical and Organizational Security Measures” means measures aimed at safeguarding Personal Data including prevention of Security Incidents, or as otherwise specified in Applicable Data Protection Laws.

    18. “UK IDT Addendum” means the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version 21, March 2022) laid before Parliament in accordance with s119A of the Data Protection Act 2018, as superseded, amended, or replaced.

    19. “UK International Data Transfer Agreement” means the International Data Transfer Agreement (Version A1.0, in force 21 March 2022) laid before Parliament in accordance with s119A of the Data Protection Act 2018, as superseded, amended, or replaced.

    20. The terms Notice of Collection, Business, Service Provider, Contractor, Third Party, Controller, Processor, Sell, and Share (capitalized or lowercase) have the meanings set forth in Applicable Data Protection Laws.

  2. Obligations of the Parties

    1. Both Parties shall comply with their respective obligations under the Applicable Data Protection Laws, and each Party shall be solely responsible for determining its own legal and regulatory obligations. Customer further acknowledges that Customer is responsible for its secure use of the Services, including securing its account authentication credentials and taking any appropriate steps to backup any Personal Information Processed in connection with the Agreement.

    2. Each Party shall reasonably cooperate with the other in any activities contemplated by this DPA and to enable each Party to comply with its respective obligations under Applicable Data Protection Laws.

  3. Processing Activities

    1. The Parties acknowledge and agree that under the Applicable Data Protection Laws, Customer is the Controller or Business, as applicable, and Malachyte is the Processor, Service Provider or Contractor, as applicable, for purposes of Processing the Personal Data in accordance with the Agreement and this DPA.

    2. Malachyte shall Process Personal Data in accordance with the Agreement and this DPA only as a Processor, Service Provider or Contractor as instructed by Customer, and on behalf of Customer. Customer’s instructions for the Processing of Personal Data shall comply with Applicable Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquires Personal Data and provides it to Malachyte. Annex A to this DPA describes the scope, nature, and purpose of Processing by and on behalf of Malachyte, the duration of Processing, the types of Personal Data, and the categories of Data Subjects.

    3. Malachyte shall not (i) Sell (as defined under Applicable Data Protection Laws) or Share (as defined under the CPRA) Personal Data; (ii) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing and/or providing the Malachyte Services specified in the Agreement; (iii) retain, use, or disclose Personal Data outside of the direct business relationship between the Parties; or (iv) combine Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer (unless specific statutory or regulatory exceptions apply to this Section 3.3(iv)).

    4. The Parties acknowledge and agree that the transfer and/or exchange of the Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this DPA.

    5. Notwithstanding any provision to the contrary of the Agreement or this DPA, the terms of this DPA shall not apply to Malachyte’s Processing of Personal Data that is excluded from the Applicable Data Protection Laws.

    6. Malachyte shall promptly notify Customer if it makes a determination that it cannot comply with its obligations under this DPA or Applicable Data Protection Laws, and in such event (and without prejudice to any other rights available to Customer) Malachyte shall work with Customer and take all reasonable and appropriate steps to stop and remediate (if remediable) any Processing until such time as the Processing complies with such requirements. Malachyte shall immediately cease (and instruct all Subprocessors to cease) Processing Personal Data if Customer determines that Malachyte has not or cannot correct any such non-compliance within a reasonable time frame.

  4. Technical and Organizational Security Measures

    1. Malachyte shall ensure that any Authorized Person with access to the Personal Data Processed by Malachyte for Customer is subject to a strict duty of confidentiality (contractual, statutory or otherwise) and that they Process the Personal Data only for the purpose of delivering the Services to Customer and/or its Affiliates under the Agreement and this DPA, and any third party as agreed therein.

    2. Malachyte will implement and maintain appropriate Technical and Organizational Security Measures to safeguard and preserve the security, integrity, and confidentiality of Personal Data and protect the Personal Data from Security Incidents in accordance with Applicable Data Protection Laws. At a minimum, Malachyte agrees to comply with the security measures identified in Annex B. Customer acknowledges that the security measures are subject to technical progress and development and that Malachyte may update or modify the security measures from time to time, provided that such updates and modifications do not materially degrade or diminish the overall security of the Platform.

  5. Cooperation

    1. Malachyte shall cooperate with Customer at Customer’s expense to enable Customer to respond to any requests, complaints or other communications from Data Subjects, DP Regulators, or judicial bodies relating to the Processing of Personal Data under the Agreement, including Data Subject Requests. If any such request, complaint or communication is made directly to Malachyte, Malachyte shall promptly notify Customer, providing a copy of the relevant communication, and shall not respond to such communication without Customer's prior express written authorization unless required to do so under applicable law.

    2. If Malachyte receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement or other public or judicial authorities) seeking the disclosure of Personal Data, Malachyte shall not disclose any information but shall promptly notify Customer in writing of such request, providing a copy of the relevant communication, and reasonably cooperate with Customer if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.

    3. To the extent Malachyte is required under Applicable Data Protection Laws, Malachyte will assist Customer at Customer’s expense to conduct a data protection impact assessment or equivalent and, where legally required, consult with applicable DP Regulators in respect of any proposed or modified Processing activity that presents a high risk to Data Subjects or requires such an assessment under Applicable Data Protection Laws.

  6. Subprocessors

    1. Customer agrees that Malachyte may engage Subprocessors to Process Personal Data on behalf of Customer. Customer provides general authorization to Malachyte’s use of the Subprocessors listed in Annex C. Customer may subscribe to receive notifications by email if Malachyte adds or replaces any Subprocessors by contacting Malachyte at eric@malachyte.com. If Customer opts in to receive such email, Malachyte will notify Customer at least thirty (30) days prior to any such change, thereby giving Customer sufficient time to be able to object to such changes prior to the engagement of the Subprocessor. If Customer objects to the engagement of a new Subprocessor within thirty (30) days of Customer’s notification on reasonable grounds relating to the protection of Personal Data, the Parties will discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Malachyte will, at Malachyte’s sole discretion, either not appoint the new Subprocessor, or permit Customer to suspend or terminate the affected services in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees owed to Malachyte prior to suspension or termination).

    2. For each Subprocessor engaged by Malachyte, Malachyte will impose data protection terms on the Subprocessors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Subprocessor. Malachyte will remain fully liable for any breach of this DPA or the Agreement that is caused by an act, error or omission of such Subprocessor.

  7. Security Incidents

Malachyte shall notify Customer without undue delay after becoming aware of a Security Incident and will provide information relating to the Security Incident as it becomes known to Malachyte. At Customer’s written request, Malachyte will promptly provide Customer with such reasonable assistance as necessary to enable Customer to notify the relevant Security Incident to competent authorities and/or affected Data Subjects, if Customer is required to do so under Applicable Data Protection Laws.

  8. Jurisdiction Specific Terms for Personal Data subject to European Data Protection Laws

    1. To the extent that Personal Data is subject to European Data Protection Laws, the terms in this Section 8 shall apply in addition to the terms in the remainder of this DPA. In the event of any conflict or ambiguity between the terms in this Section 8 and any other terms in this DPA, the terms in this Section 8 shall take precedence but only to the extent they apply to the Personal Data in question.

    2. Malachyte shall notify Customer in writing, unless prohibited from doing so under Applicable Data Protection Laws, if it becomes aware or believes that any Processing instructions from Customer violate European Data Protection Laws.

    3. The Parties agree that when the transfer of Personal Data from Customer (as “data exporter”) to Malachyte (as “data importer”) is a Restricted Transfer, the Standard Contractual Clauses shall automatically be deemed incorporated into and form a part of this DPA, as follows:

      (a) in relation to Personal Data protected by the GDPR, the SCCs shall apply completed as follows:

      1. Module Two (Controller to Processor) or Module Three (Processor to Processor) will apply, as appropriate;

      2. in Clause 7, the optional docking clause will not apply;

      3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub- processor changes shall be as set out in Section 6.1;

      4. in Clause 11, the optional language will not apply;

      5. in Clause 17, Option 1 will apply, and the SCCs will be governed by the laws of Ireland;

      6. in Clause 18(b), disputes shall be resolved before the courts of the EU Member State selected above;

      7. Annex I of the SCCs shall be deemed completed with the information set out in Annex I to this DPA; and

      8. Annex II of the SCCs shall be deemed completed with the information set out in Annex II to this DPA;

      (b) in relation to Personal Data protected by UK Data Protection Laws, the SCCs as implemented under sub-paragraph (a) above will apply with the following modifications:

      1. the SCCs shall be deemed amended as specified by Part 2 of the UK Addendum;

      2. tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed respectively with the information set out in Annexes I and II and Section 4.1 of this DPA (as applicable); and

        3. table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”.

      (c) in relation to Personal Data protected by the Swiss FADP, the SCCs will also apply in accordance with sub-paragraph (a) above with the following modifications:

        1. references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss FADP;

        2. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss FADP;

        3. references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”;

        4. the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);

        5. Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner;

        6. references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection and Information Commissioner” and “applicable courts of Switzerland”;

        7. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland;

        8. Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland; and

        9. the SCCs shall also protect the data of legal entities until the entry into force of the revised Swiss Federal Data Protection Act.

    4. It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the SCCs conflict with any provision of the Agreement (including this DPA) the SCCs shall prevail to the extent of such conflict.

    5. Transfer Arrangements. To the extent Malachyte adopts an alternative lawful data export mechanism for the transfer of Personal Data not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall, upon notice to Customer, apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with European Data Protection Laws and extends to the territories to which Customer Personal Information is transferred) and Customer agrees to execute such other and further documents and take such other and further actions as may be reasonably necessary to give legal effect to such Alternative Transfer Mechanism.

  9. Audits

Malachyte shall provide Customer (on a confidential basis) with written responses (which may include summaries/extracts of audit reports or independent assessments) to all reasonable requests made by Customer for information relating to Malachyte’s Processing of Personal Data that are necessary to (i) confirm Malachyte’s compliance with this DPA; and/or (ii) fulfil obligations imposed on Customer under Applicable Data Protection Laws. Customer shall not exercise this right more than once per calendar year, except when Customer is expressly requested or required to provide this information to a supervisory authority, when Malachyte has experienced a Security Incident, or on another reasonably similar basis. Nothing herein shall be construed to require Malachyte to provide: (i) trade secrets or any proprietary information; (ii) any information that would violate Malachyte’s confidentiality obligations, contractual obligations, or applicable laws; or (iii) any information, the disclosure of which could threaten, compromise, or otherwise put at risk the security, confidentiality, or integrity of Malachyte’s infrastructure, networks, systems, or data.

  10. Effect of Termination

    1. This DPA shall (i) commence on the Effective Date and remain in effect until no Personal Data remains in the possession or control of Malachyte, its Affiliates, or any Subprocessor; and (ii) survive expiration or termination (for any reason) of the Agreement. The termination or expiry of any Processing of Personal Data by Malachyte, its Affiliates or any Subprocessor shall be without prejudice to any accrued rights or remedies of either Party under this DPA at the time of such termination or expiration.

    2. Upon Customer's request at any time, and/or at Customer’s direction upon termination or expiration of the Agreement or this DPA (in each case, for any reason), Malachyte shall destroy or return to Customer all Personal Data (including copies) in its possession or control (including any Personal Data Processed by its Affiliates or Subprocessors). This requirement shall not apply to the extent that (i) Malachyte is required by any applicable law to retain some or all of the Personal Data, and/or (ii) electronic copies of Personal Data are stored in automated backups or archives; in which event Malachyte shall isolate and protect the Personal Data using the Technical and Organizational Security Measures required by this DPA and not Process the Personal Data except to the extent required by such applicable law.

  11. General

    1. Any claim or remedy Customer or its Affiliates may have against Malachyte and its Affiliates and their respective employees, agents and Subprocessors, arising under or in connection with this DPA (including the Standard Contractual Clauses), whether in contract, tort (including negligence) or under any other theory of liability, shall be subject to the limitations and exclusions of liability in the Agreement. Accordingly, any reference in the Agreement to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under and in connection with the Agreement and this DPA together.

    2. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected. This DPA may not be modified except by a subsequent written instrument signed by both Parties.

    3. To the extent required by Applicable Data Protection Laws, this DPA shall be governed by the law of the applicable jurisdiction. In all other cases, this DPA shall be governed by the law of the same jurisdiction as the Agreement.

    4. This DPA (including Terms and Conditions, Appendices, and Annexes, each hereby incorporated by reference) is the entire agreement of the Parties with respect to its subject matter.

ANNEX A

DETAILS OF THE PROCESSING

  1. LIST OF PARTIES

Data Controller:

Name: The entity identified as the “Customer” in the Agreement.

Address: Customer address as specified in the applicable Agreement

Contact person’s name, position and contact details: The contact details associated with Customer’s account, or otherwise specified in the Agreement.

Data Processor:

Name: Malachyte, Inc.

Address: Malachyte address as set out in the Agreement

Contact person’s name, position and contact details: The contact details associated with Malachyte’s account, or otherwise specified in the Agreement.

  2. DESCRIPTION OF PROCESSING

Categories of Data Subjects whose personal data is transferred

Natural persons who are customers or end users of the Controller’s e-commerce platform and whose personal data is processed in connection with the provision of the Services.

Categories of personal data transferred

Order identifiers, timestamps, and value; product identifiers, titles, and quantities ordered; customer identifiers and tags; customer address metadata limited to city, province, and country.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None. No special categories of personal data are processed. Data is subject to strict purpose limitation (service provision only), role-based access controls, encryption in transit and at rest, audit logging, retention limits, and onward transfer restrictions.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

The transfer of personal data shall occur on a continuous and recurring basis, including daily synchronizations of customer and order data, as well as event-driven transfers initiated in response to changes in product availability and inventory.

Nature of the processing

The Personal Data Processed by Malachyte and/or its Subprocessors will be subject to the Processing activities described in the Agreement for the purpose of providing the Platform. Personal Data may be Processed only to comply with Customer's instructions issued in accordance with the DPA.

Purpose(s) of the data transfer and further processing

The purpose of the data Processing under this DPA is the provision of the Platform by Malachyte to Customer as set out in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The duration of the data Processing under this DPA is until the termination or expiration of the Agreement in accordance with its terms.

ANNEX B

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Information Security Program

Malachyte maintains a comprehensive security program that (a) ensures that all customer data systems are designed and developed in accordance with industry-standard security practices, (b) minimizes security risk for systems and processes involving customer data, (c) enables secure internal processes for product development, testing, maintenance and reliability through risk assessment and testing.

Access Control 

Logical: All customer data stored on Malachyte infrastructure is stored in isolated multi-tenant architecture with industry-standard security controls implemented across technology layers. Customers may only access or operate on data within their tenant. Malachyte employee access to such environments is strictly controlled via change management processes, secure access methods, least-privilege model of permission grants, monitoring and periodic removal of such access when no longer required. Customers do not have access to the underlying infrastructure powering their tenant.

Physical: All customer data processed by Malachyte is stored on cloud infrastructure physically owned by Google Cloud Platform (GCP). These systems have comprehensive logical and physical security controls implemented in accordance with standards such as NIST 800-53, SOC-2 Type-II, ISO-27001, among others. Malachyte has reviewed GCP’s controls and security posture as part of vendor risk management.

Authentication

Customer access to Malachyte’s products is maintained via a uniform password policy implementation whose storage and validation details are maintained within the context of the isolated customer environment.

Authorization

Malachyte’s product architecture and implementation ensure that customers can operate on data within their tenant and downstream integrations alone. Access to features and data within the platform may be configured by the customer and is based on role and permission checks.

Vulnerability Assessment

Malachyte performs periodic external vulnerability assessments and penetration testing of the software and infrastructure powering the product. Malachyte performs such tests against internal processes and tools as well to ensure multiple effective controls across the organization. These tests are performed according to standardized methodologies and findings are logged and remediated based on criticality.

Application Security

Malachyte performs security auditing and testing throughout the design and implementation phases for new features and systems and will mitigate issues before launch to minimize security risk for customers. Malachyte trains employees on general security practices and will ensure that secure development processes are implemented within the engineering teams.

Change Management

Malachyte maintains controls to ensure that changes to systems are authorized, reviewed, approved and tested according to internal standards before launch. Malachyte also maintains controls to detect unauthorized or invalid changes to these systems and remediates as required.

Data Integrity

Malachyte will ensure that data in transit is encrypted via TLS 1.2/1.3 standards coupled with the HTTPS protocol. Malachyte will ensure that data at rest is encrypted with industry-standard algorithms and secure key management practices.

Incident Management

Malachyte will implement a comprehensive incident response process, including playbooks and standard operating procedures, to detect, classify, investigate, mitigate and report on security incidents. Malachyte will inform customers of breaches affecting systems that process customer data within 72 hours of becoming aware of the incident.

Business Continuity and Disaster Recovery

Malachyte systems that store or process customer data are designed with redundancy and fault tolerance in mind at all layers of the technology stack. This includes load balancing, service scaling, data backups and fail-over mechanisms. Any potential business continuity or disaster risks discovered proactively are discussed and remediated. These controls are implemented within Malachyte’s cloud infrastructure vendor Google Cloud.

ANNEX C

List of Malachyte's Subprocessors

Name: Google Cloud Platform (Google LLC and its affiliates)

Nature of Processing: Cloud hosting, storage, networking, and related infrastructure services used to process and store personal data for provision of the services.

Territory(ies): United States