FacilityOS Data Processing Agreement
(Revised September 2025)
This Data Processing Agreement including its Appendices ("DPA"), applies to every Customer (entity signing under ‘Data Controller’) or Customer Authorized Affiliate, as applicable, who has entered into, or otherwise agreed to, the terms and conditions of the Subscription Agreement and/or the End User License Agreement (the “Principal Agreement”) governing Customer’s use of the FacilityOS (entity signing under ‘Data Processor’) facility management software platform (the “Services”).
Each FacilityOS and Customer shall be a “Party” hereunder, and collectively referred to as the “Parties”.
WHEREAS:
- Customer wishes to subscribe to the Services provided by FacilityOS, which include the processing of Customer Data, and thereby wishes to appoint FacilityOS as a data processor under Applicable Data Protection Law;
- FacilityOS is anticipated to act as a data processor under Applicable Data Protection Law.
- Customer is anticipated to act as a data controller under Applicable Data Protection Law.
- The Parties seek to implement a data processing agreement in accordance and in compliance with Applicable Data Protection Law, including but not limited to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- This DPA applies to the processing of personal data performed by FacilityOS in the context of FacilityOS’s provision of Services to Customer, or Customer Authorized Affiliates, as applicable, as agreed by and between the Parties under the terms and conditions of the Principal Agreement.
- As such, this DPA reflects the agreement of the Parties with regard to the processing of personal data performed by FacilityOS on behalf of Customer in the context of the provision of Services under the Principal Agreement.
IT IS AGREED AS FOLLOWS:
- Definitions and Interpretation
- For the purposes of this DPA, non-capitalized terms not defined herein but defined under Applicable Data Protection Law (including, without limitation, processing, personal data, data controller, data processor and Data Subjects) shall have the meaning given to them under Applicable Data Protection Law.
- In addition to the concepts defined in the text of this DPA, the following definitions shall apply. These terms, whether used in the singular or plural, and regardless of whether they appear in definite or indefinite form, shall have the meanings set forth below when capitalized. Unless otherwise defined in the Principal Agreement, all capitalized terms and expressions used in this DPA shall be interpreted in accordance with these definitions:
- “Affiliate” means an entity that a Party controls or is controlled by, or with which a Party is under common control. For the purposes of this definition, “control” means ownership of more than fifty percent (50%) of the voting stock or equivalent ownership interest in an entity;
- “Agreement” means this DPA and all Appendices and documents incorporated by reference;
- “Applicable Data Protection Law” means all international, federal, state, provincial and local laws, regulations, rules, directives and governmental requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality or security of personal data including but not limited to (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and (ii) regulations governing general data protection and all applicable industry standards concerning privacy, data protection, confidentiality or information security;
- “Applicable Law” means all laws and regulations respectively applicable to the data processing, including but not limited to Applicable Data Protection Law;
- “Customer Authorized Affiliate” means an Affiliate of the Customer which is authorised to receive FacilityOS’s products and/or services under the Principal Agreement or which otherwise executes a Purchase Order (as defined in the Principal Agreement);
- "Customer Data" means data, including personal data but excluding Sensitive Data, transmitted by Customer or its Affiliates to, and processed by, FacilityOS on behalf of Customer pursuant to or in connection with the Principal Agreement and this DPA;
- “Data Subject” means a natural person whose Personal Data is to be processed under this DPA.
- "EEA" means the European Economic Area;
- “Instruction” means a direction issued by Customer to FacilityOS and directing FacilityOS to process personal data. Instructions may be issued in writing or in textual form (e.g. e-mail);
- “Security Breach” means a security incident, understood as any act or omission that compromises the security, confidentiality or integrity of personal data and leading to the actual and proven accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- “Sensitive Data” means any type of data which receives special treatment under Applicable Data Protection Law, including, without limitation, HIPAA, PCI, PIPEDA, GDPR and CCA, due to the higher risks for the privacy of individuals concerned by the processing of such data;
- “Standard Contractual Clauses” means the standard contractual clauses together with the appendices thereto, as adopted by the European Commission on June 4, 2021 and contained in the annex to Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679; and
- "Subprocessor" means any person appointed by or on behalf of FacilityOS to process personal data in connection with the Principal Agreement and/or this DPA.
- In case of contradictory stipulations, this DPA and the provisions contained therein shall prevail over all former stipulations in any already concluded agreements related to the processing of personal data within the context of the Principal Agreement.
- Appointment of Data Processor
- By entering into the Principal Agreement with FacilityOS, Customer appoints FacilityOS as data processor to process personal data, including but not limited to Customer Data, on its behalf in the context of the provision of the Services under the Principal Agreement.
Customer selected FacilityOS as data processor by exercising its duties of diligence under Applicable Data Protection Law. It is the intent of the Parties that this DPA constitutes a written mandate within the meaning of Applicable Data Protection Law and governs the Parties’ rights and obligations in the context of data processing.
- This DPA governs any processing of personal data, including but not limited to Customer Data, undertaken by FacilityOS on behalf of Customer for the purpose of fulfilment of the Principal Agreement. As data processor, FacilityOS shall process personal data, including but not limited to Customer Data, that it receives, possesses, obtains or otherwise processes, in the context of the Principal Agreement, in accordance with Applicable Law, Applicable Data Protection Law, this DPA and Customer’s Instructions.
- Subject Matter of the Processing
- FacilityOS shall process personal data on behalf of Customer in the context of, and for the purpose of fulfilment of, the Principal Agreement.
- The subject matter of the processing is described in Appendix 2 to this DPA.
- Duration of the Data Processing
- The duration of the data processing strictly depends on the term of the Principal Agreements. It is further detailed in Appendix 2 to this DPA.
- Each Party can immediately terminate this DPA at any time and without prior notice if the other Party:
- commits a material breach of the provisions of this DPA; or
- refuses to allow the exercise of its rights as set out hereunder.
Immediately upon termination of this DPA, any personal data processed by FacilityOS for the purposes of the Principal Agreement can no longer be processed by FacilityOS and it shall, at the Customer’s choice, destroy, delete, make available for retrieval, or return to the Customer any material, including personal data being processed under this DPA, as soon as reasonably practicable.
- This Section 4 shall survive the termination of the Principal Agreement and/or of this DPA.
- Joint Obligations
- Customer and FacilityOS shall be separately responsible for conforming with Applicable Data Protection Law and any and all obligations that rest upon each of them considering their respective roles under this DPA.
- Each Party hereby acknowledges that it shall not be responsible and shall not be liable for complying with the obligations which are incumbent on the other Party under Applicable Law, Applicable Data Protection Law and this DPA.
- Data Protection Officer
- Each Party shall appoint a Data Protection Officer (DPO) if and to the extent required by Applicable Data Protection Law. The DPO shall serve as the point of contact for all data protection matters. Each Party shall notify the other Party of the contact details of its DPO (or designated representative) as required by Applicable Data Protection Law and shall promptly inform the other Party of any changes to this information.
- The contact details of the DPO appointed by each of the Party as of the Effective Date of this DPA are further detailed in Appendix 2 to this DPA.
- Responsibilities of the Customer
- Customer is responsible for ensuring that the processing operations relating to personal data, including but not limited to Customer Data, as specified in the Principal Agreement and this DPA, are lawful, fair and transparent in relation to the Data Subjects.
- Customer shall not provide FacilityOS with Instructions in violation of this DPA and Applicable Law, including but not limited to Applicable Data Protection Law and hereby acknowledges that Instructions provided in violation of applicable laws shall be considered as a material breach of this DPA.
- Customer shall not collect or otherwise process Sensitive Data in the context of the Principal Agreement and/or this DPA and shall further not provide FacilityOS with Instructions relating to, directly or indirectly, Sensitive Data.
Customer hereby expressly recognizes and confirms that:
i. the processing of Sensitive Data by Customer in violation of the Principal Agreement and/or this DPA shall not create any obligation or burden on FacilityOS under Applicable Law, including, without limitation, Applicable Data Protection Law, the Principal Agreement and/or this DPA; and
ii. Customer remains solely liable and responsible in relation to the processing of Sensitive Data processed in violation of Applicable Law, including, without limitation, Applicable Data Protection Law, the Principal Agreement and/or this DPA.
- Customer confirms and hereby acknowledges that the technical and organizational measures of Customer are appropriate and sufficient to protect the rights of Data Subjects.
- Obligations of FacilityOS
- FacilityOS shall not process personal data, including but not limited to Customer Data, for any other purposes than as provided for in, or in a way that does not comply with, this DPA.
- FacilityOS shall only process personal data, including but not limited to Customer Data, to the extent, and in such a manner, as is necessary for the performance of the Services under the Principal Agreement and in accordance with Customer’s written Instructions, including but not limited to when it comes to any transfer of personal data to any Third Country (as defined under Section 9 below), unless required or permitted to do so by European Union or Member State law to which FacilityOS is subject, as applicable.
In such case, FacilityOS shall inform Customer of that legal requirement before processing, unless European Union or Member State Law prohibits such information on important grounds of public interest or supports and permits such transfer as a part of its coverage.
- Subject to Sections 4 and 8 of this DPA, FacilityOS must comply without undue delay with any Customer request or Instruction relating to the processing of Customer Data and requiring FacilityOS to amend, transfer or delete the personal data concerned, or to stop, mitigate or remedy any unauthorized processing.
- Subject to Sections 5 and 7 of this DPA, FacilityOS shall reasonably assist Customer with meeting its compliance obligations under Applicable Data Protection Law, notably under Chapter III as well as under Sections 32-36 of the GDPR (taking into consideration the nature of Customer’s processing and the information available to Customer), and shall implement and maintain all appropriate technical and organizational measures to provide the assistance required hereunder.
- Up until the return and/or destruction of personal data pursuant to Section 4.2. of this DPA, this Section 8 shall survive the termination of the Principal Agreement and/or of this DPA.
- If the Customer provides FacilityOS with new or revised Instructions, FacilityOS shall without unnecessary delay from receipt, communicate to the Customer whether the implementation of the new Instructions causes changed costs for FacilityOS.
- In the event that FacilityOS finds the Instructions to be unclear, in violation of the Data Protection Legislation or non-existent, and FacilityOS is of the opinion that new or supplementary Instructions are necessary in order to fulfil its undertakings, FacilityOS shall inform the Customer of this without delay, temporarily suspend the Processing and await new Instructions, if the Parties have not agreed otherwise.
- FacilityOS shall take measures to protect the Personal Data against all types of Processing which are incompatible with this Agreement, Instructions and Data Protection Legislation.
- Place of Processing – Data Transfer to Third Countries
- FacilityOS shall not transfer or authorize the transfer of personal data, including Customer Data, to countries located outside the EU and/or the EEA (individually a “Third Country” and collectively the “Third Countries”) or which does not benefit from an adequacy decision adopted by the European Commission on the basis of Section 45 of the GDPR (“Adequacy Decision”), without prior written authorization from Customer.
- For the purposes of the provisions of Services under the Principal Agreement and this DPA, Customer hereby expressly authorizes FacilityOS to transfer personal data, including Customer Data, to third parties listed in Appendix 3 of this DPA, provided FacilityOS:
- enters into the Standard Contractual Clauses, or any other appropriate safeguards listed in Section 46 of the GDPR, with any third party which is established in a Third Country which does not benefit from an Adequacy Decision; and
- ensures on a commercially reasonable basis that substantially equivalent data protection obligations as set out in this DPA are contractually imposed on the third party.
FacilityOS shall inform Customer of any change brought to Appendix 3.
- Up until the return and/or destruction of personal data pursuant to Section 4.2. of this DPA, this Section 9 shall survive the termination of the Principal Agreement and/or of this DPA.
- Processor Personnel and Confidentiality
- FacilityOS shall take reasonable steps to ensure the reliability of its personnel, including but not limited to employees, agents and contractors, who may have access to Customer Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Customer Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Law in the context of that individual's duties to FacilityOS, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
- Up until the return and/or destruction of personal data pursuant to Section 4.2. of this DPA, this Section 10 shall survive the termination of the Principal Agreement and/or of this DPA.
- Security
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, FacilityOS shall implement, update and maintain appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Section 32(1) of the GDPR for the protection and security of the Customer Data.
- The security measures implemented by FacilityOS on Effective Date are further detailed in Appendix 1 to this DPA. In order to maintain an appropriate level of security for its data processing activities, FacilityOS may, at its sole discretion and without authorization from Customer, update this list from time to time as required.
- Up until the return and/or destruction of personal data pursuant to Section 4.2. of this DPA, this Section 11 shall survive the termination of the Principal Agreement and/or of this DPA.
- Sub-processing
- FacilityOS shall be entitled to subcontract its obligations under the Principal Agreement and this DPA to Sub-processors only with Customer’s general written authorization.
- Customer hereby authorizes FacilityOS to subcontract its obligations under the Principal Agreement and this DPA and relating to the processing of personal data, including but not limited to Customer Data, with Sub-processors listed in Appendix 3 to this DPA, which, on Effective Date, are deemed authorized by Customer.
FacilityOS shall inform Customer upon adding or removing Sub-processors to Appendix 3.
- Customer’s authorization under Section 12.2. of this DPA is conditional upon FacilityOS:
- informing Customer of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving Customer the opportunity to object to such changes, on the understanding that Customer shall be entitled to object to any such changes for motivated and compelling reasons only and no later than fifteen (15) business days upon being informed of any such change. An objection formulated pursuant to this Section 12.3. shall be made in writing;
- entering into written agreements with authorized Sub-processors which impose at least substantially equivalent data protection obligations on Sub-processors as are imposed on FacilityOS under this DPA; and
- remaining fully liable towards Customer for any failure of Sub-processors to fulfil their data protection obligations.
- Up until the return and/or destruction of personal data pursuant to Section 4.2. of this DPA, this Section 12 shall survive the termination of the Principal Agreement and/or of this DPA.
- Security Breach
- FacilityOS shall notify Customer without undue delay upon becoming aware of a Security Breach affecting Customer Data (the “Notification”), providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects and/or the competent supervisory authority(ies) of the Security Breach under the Applicable Data Protection Law.
The Notification shall include and summarize in reasonable details:
• The nature of the Security Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned;
• The name and the contact details of the DPO or other contact point where more information can be obtained;
• The immediate and/or imminent and/or future likely impact or effect on Customer, where and as this knowledge becomes available to FacilityOS, of the Security Breach; and
• The reasonable corrective action taken or to be taken by FacilityOS to address the Security Breach.
- FacilityOS shall reasonably co-operate with Customer and take reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Security Breach.
- FacilityOS shall not inform any third party, including but not limited to Data Subjects or any supervisory authority except and to the extent required under Applicable Law.
- FacilityOS acknowledges and agrees that Customer shall maintain the right, in its sole discretion, to determine:
- whether to provide notice of the Security Breach to any Data Subjects, Supervisory Authority, regulators, law enforcement agencies or others (the “Notice”), as required by Applicable Data Protection Law or other laws or regulations;
- the content and delivery method of any Notice; and
- whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
- FacilityOS shall maintain complete and comprehensive records of any Security Breach in accordance with Applicable Data Protection Law.
- Audit rights
- Subject to the terms of this Section, Customer shall have the right, and FacilityOS shall allow Customer, to monitor FacilityOS’s compliance with the terms of this DPA.
- Upon the Parties’ mutual agreement, each of the Parties’ processing facilities and equipment may undergo an inspection under this DPA. Prior to conducting an inspection pursuant to this Section 14.2., the Parties shall determine, in good faith and in writing, the terms and conditions of the inspection, including, without limitation, the appointment of an inspector, the allocation of the costs related to an inspection and the consequences if the inspection reveals material gaps and/or weaknesses in either Party’s security program.
- If Customer has compelling reasons to believe that FacilityOS is in breach of its obligations under this DPA, Customer may, up to once a year, inspect FacilityOS’s facilities and equipment, and any information or materials in its possession, custody or control, which directly relate to its obligations under this DPA. An inspection conducted pursuant to this Section 14.3. shall:
- be at Customer’s own and exclusive expense;
- take place only after a prior written notice of no less than fifteen (15) business days is given to FacilityOS; and
- not unreasonably interfere with the normal conduct of FacilityOS’s business operations.
- If an inspection or audit reveals a material gap or weakness in FacilityOS’s security program, or any breach of this DPA, the following provisions shall apply:
- Customer shall provide FacilityOS with the opportunity to remedy such gaps and weaknesses within a period not to exceed ninety (90) days from the delivery of the notification to FacilityOS of the relevant gaps and/or weaknesses as identified by an audit;
- In the event FacilityOS fails to remedy and/or address the gaps and/or weaknesses identified by an audit within the above referenced time frame, Customer shall be entitled to suspend the flow of personal data from and to FacilityOS and FacilityOS shall suspend the processing of such personal data, until such issues are resolved; and
- FacilityOS shall promptly implement such changes as are necessary to address any gaps and/or weaknesses in its security or rectify any breach and prevent recurrences of the same.
- Miscellaneous provisions
- Notices. All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the Principal Agreement.
- Governing Law and Jurisdiction. This DPA is governed by, and construed in accordance with, the governing law set out in the Principal Agreement. Any dispute arising out of or based upon this DPA shall be exclusively submitted to the jurisdiction and venue of the court indicated in the Principal Agreement.
- LIABILITY LIMITS. A PARTY’S LIABILITY ARISING OUT OF THIS DPA SHALL BE SUBJECT TO LIMITATION(S) PROVIDED UNDER THE PRINCIPAL AGREEMENT.
- Where required - Standard Contractual Clauses
- Parties confirm and agree that, where required under Applicable Law, the Standard Contractual Clauses (“SCCs”) are hereby incorporated as the legal basis for the transfer of personal data. Specifically, the Parties incorporate all applicable modules governing transfers from Controller to Processor. In such cases, Sections 1 through 15 of this DPA shall not apply, and the SCCs, as incorporated under this Section 16, shall exclusively govern the Parties’ data processing obligations and relationship.
- FacilityOS agrees that any incorporation of SCCs to and under this DPA shall be accompanied by a valid and relevant Transfer Impact Assessment.
APPENDIX 1 – TECHNICAL AND ORGANIZATIONAL MEASURES
On Effective Date, FacilityOS has implemented the following technical and organizational measures:
FacilityOS Solution Overview
Introduction
FacilityOS is an enterprise-grade product developed, hosted and tested using the highest industry standards, exceeding most requirements.
FacilityOS is a cloud-based secure facility management system comprising a self-serve device or kiosk and centralized hosting. The entire solution is managed through the web-based portal which allows administrators to manage the specific features and details of each installation as well as generate reports pertaining to the visitor activity at each site.
This document serves as a review of provided technology with emphasis on the security and redundancy of the solution.
Following is a summary; detailed Technology Review document is available on request, pending executed NDA. Certain items require specific license subscriptions and/or may be subject to additional costs.
Our Employees and Workspace Environment
- All FacilityOS employees are screened with extensive background and criminal record checks prior to hiring.
- All employees are trained in the company’s privacy, safety, security and other workplace policies.
- All equipment and data handling follows common security practices:
- Applications and hardware are inventoried.
- Access is role based with global policies enforced (Active Directory).
- Ports are blocked.
- Production data is not locally stored.
- Devices are tracked and centrally managed.
How We Built FacilityOS
- FacilityOS is designed and built in Toronto, Canada.
- We follow Agile and Scrum methodology.
- We adhere to OWASP Secure Coding Practices (www.owasp.org).
- All software development is version and source controlled.
- Three separate environments are maintained (Production, Development, Staging) with restricted access.
- Our development teams do not have access to customer data.
- Microsoft Technologies are used to control access (Azure Active Directory).
Your Data Security, Privacy and Confidentiality
- All customer data is considered private and confidential and is protected by the privacy policy.
- Custom agreements and privacy policies are available.
- Customers can elect to have the data stored in a specific geo-location.
- Customers can request custom data retention policies; expired data is deleted using automated database procedures, DOD 5220.22M available on request.
- All data is fully encrypted at rest and during transmission.
- All access is controlled and monitored.
- Customer data is segmented, and access is limited to owner(s) only.
- Passwords are hashed and cannot be recovered.
Visitor Data Security, Privacy and Confidentiality
- Visitor data falls under the main system guidelines for data security.
- Global data privacy standards are supported (e.g. GDPR).
- FacilityOS offers a strong compliance platform which plugs into an organization’s global compliance initiatives, implementation of which is managed by the Client.
- Geo-distributed data storage is available to comply with local rules.
Product, Security, Continuity
- FacilityOS is hosted on Microsoft Azure (Multiple GEO locations available). Additional hosting options are available utilizing local vendors and our own dedicated hosting environments.
- All data centers adhere to common industry standards for data protection and policies. Certifications are geo/site specific and cover PCI DSS, ISAE 3402 Type II, SOC 2 Type II and CSAE 3416 Type II to name a few.
Please visit Azure trust center for a list of supported certifications and standards: https://azure.microsoft.com/en-us/support/trust-center/
Non-Azure hosted, site specific certifications are provided on request.
- Geo/region specific hosting is available.
- Data and services are fully backed up and fully redundant, with a 99.9% uptime guarantee.
- Server / Platform structure is hosting dependent and available on request.
- FacilityOS supports Offline mode (no network connection).
- FacilityOS packages can be deployed with a fully redundant cellular connection.
More on Encryption
- All access to web services uses HTTPS (TLS 1.2+).
- Device to server communication is encrypted with a private key, delivered over secure channel (HTTPS) and tokenized using device unique identifier and other undisclosed variables.
- FacilityOS can be deployed using a combination of cellular, wireless, and ethernet connections. Exact configuration is dependent on each client’s redundancy and hardware requirements.
- FacilityOS uses standard ports and services which makes it a “plug ‘n play” product when connected to the client’s infrastructure. In most cases, no additional configurations are required.
- Clients managing highly restricted environments will need to ensure that traffic to *.goilobby.com bypasses proxies and is whitelisted on the firewall(s).
- In some cases, subject to client’s wireless network policies, FacilityOS may need to be provisioned with client’s wireless network certificates.
- We recommend setting up all equipment using static IPs. This makes for a more robust and stable setup. Our preference is to let the client’s DHCP server assign static IPs using provided MAC addresses.
Subcontractors and Third Parties
- FacilityOS core engineering function is completely in-house, in our Toronto office.
- The use of any subcontractors puts them in scope of our overall standards for security and privacy. Specifically:
- Each subcontractor must be classified based on their risk.
- Their policies and standards must meet our requirements.
- Their policies and standards must be reviewed as frequently as required by their classification within our policies and controls.
- FacilityOS requires the use of Third Parties for provision and delivery of some of its services. Specifically:
- Microsoft Azure – hosting provider for the FacilityOS Platform
- Twilio – SMS and VOICE message delivery
- Vonage – SMS message delivery
- Sendgrid - Email delivery
- Mailgun – Email delivery
We encourage customers to review the above-mentioned content for compliance with their internal requirements.
Payments
- All credit card transactions are processed in a PCI-DSS certified environment to ensure compliance and security.
Insurance
- FacilityOS maintains business continuity, data theft and breach insurance covering liability in excess of $5,000,000. Certificate available on request.
APPENDIX 2 – SUBJECT MATTER OF PROCESSING
| Item | Description |
|---|---|
| Subject matter of the processing | The provision of the Services as defined in this DPA in the context of the Principal Agreement. |
| Nature of the processing | Personal Data processed by FacilityOS may be subject to the following basic processing activities: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Purposes of the processing | Performance of the Principal Agreement and this DPA. |
| Data Subjects | Authorized users of FacilityOS’s products and Services, including but not limited to Customer’s employees, contractors, customers, visitors. |
| Categories of data | The categories of Personal Data processed by Customer for the purposes of this DPA concern, among others: employee data, location/tracking data, personal and professional contact details, user account information, user-generated information and data, IT identification information and data (IP address, unique device identifiers, etc.) |
| Duration | The duration of the processing is at least equivalent to the term of the Principal Agreement and/or the DPA, or as otherwise contractually agreed and specified by Customer’s data retention customizations. |
APPENDIX 3 – LIST OF AUTHORIZED SUB-PROCESSORS
Upon Effective Date, FacilityOS has engaged and Customer and/or Customer’s Authorized Affiliates authorize(s), the following Sub-processors for the purposes of Principal Agreement and this DPA:
| Sub-processors | Processing Activity and Purpose | Location | Data Transfer Mechanism outside EEA (if applicable) |
|---|---|---|---|
| Microsoft | Application and Data hosting | Ireland for EU customers, on request US for all other customers. Other regions available on request. | Where applicable, EC Standard Contractual Clauses of June 4, 2021 – Module 3 (Processor to Processor) |
| Twilio | SMS and Voice services, delivering Service-related notifications | USA | Processor Binding Corporate Rules (approved by the European Commission) |
| Sendgrid | Email services, delivering Service-related notifications | USA | EC Standard Contractual Clauses of June 4, 2021 – Module 3 (Processor to Processor) |
| Vonage | SMS Services, delivering Service-related notifications | EU (Ireland, Germany) | EC Standard Contractual Clauses of June 4, 2021 – Module 3 (Processor to Processor) |
| Mailgun | Email Services, delivering Service-related notifications | EU (Germany) | EC Standard Contractual Clauses of June 4, 2021 – Module 3 (Processor to Processor) |