
Data Processing Addendum


This Data Processing Addendum ("DPA") is between Monograph Inc, a Delaware C-Corporation company ("Company") and that certain customer party to the Terms of Service (the "Agreement") (such customer, "Customer"). This DPA amends and forms part of the Agreement. This DPA applies where Company Processes Customer Personal Data as a Processor on behalf of Customer, the Controller, in connection with providing the Services. This DPA will be effective as of the effective date of the Agreement. This DPA will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms of this DPA. This DPA relates to how the Company Processes Customer Personal Data. Please also review the Privacy Policy available at monograph.com/privacy-policy for additional information about how we Process Personal Data other than Customer Personal Data.

1. Data Processing and Protection

1.1. Limitations on Use

Company will Process Customer Personal Data only: (a) pursuant to Customer's documented instructions as specified under Section 1.2 (Instructions), including with regard to transfers of Customer Personal Data to a third country; (b) as otherwise required by applicable laws; and (c) to improve the Services, to conduct research and development activities and to comply with Company's own legal obligations (provided such Processing does not conflict with applicable law). Where required by and except as permitted by applicable Data Protection Laws, Company will not: (x) retain, use, or disclose the Customer Personal Data (i) outside of the direct business relationship between the parties or (ii) for any purpose other than for the specific purpose of performing the Services; (y) sell or share (as defined by Data Protection Law) the Customer Personal Data; or (z) combine Customer Personal Data with Personal Data Company receives from individuals or other sources. The parties agree that Customer is not selling or sharing Customer Personal Data (as the terms sell or share are defined by CCPA).

1.2. Instructions

Customer instructs Company to Process Customer Personal Data as necessary to provide the Services and as otherwise authorized or permitted under this DPA, the Agreement, including as specified in Attachment 2 (Scope of Processing). This DPA, the Agreement, and any instructions provided by Customer through configuration tools made available by Company are Customer's documented instructions regarding Company's Processing of Customer Personal Data. Additional instructions provided by Customer (if any) may be provided through the Services or via email and Company shall confirm receipt of such additional instructions within a reasonable amount of time. Company may suspend Processing based upon any Customer instructions that Company reasonably suspects violate Data Protection Law, provided Company will promptly inform Customer if Company believes an instruction infringes Data Protection Law.

1.3. Compliance

Each party will comply with its obligations under Data Protection Law. Company shall promptly notify Customer if it determines that it cannot meet its obligations under Data Protection Law. Upon receiving written notice from Customer that Company has Processed Customer Personal Data without authorization, Company will take reasonable and appropriate steps to stop and remediate such Processing. Customer represents and warrants that: (i) where required by Data Protection Law, it has provided data subjects whose Customer Personal Data will be Processed in connection with the Agreement with a privacy notice or similar document that clearly and accurately describes Customer's practices with respect to the Processing of Customer Personal Data; (ii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Customer Personal Data as contemplated herein; and (iii) Company's Processing of Customer Personal Data in accordance with the Agreement and this DPA will not violate Data Protection Law or cause a breach of any agreement or obligations between Customer and any third party.

1.4 – 1.8. Additional Obligations

1.4. Confidentiality. Company will ensure that persons authorized by Company to Process any Customer Personal Data are subject to appropriate confidentiality obligations.

1.5. Security. Company will use commercially reasonable efforts to implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents and provide the level of protection required by Data Protection Law in accordance with Attachment 3 (Data Security Exhibit). Company may amend the technical and organizational measures, provided the new measures do not reduce the level of security provided by Attachment 3 (Data Security Exhibit).

1.6. Disposal. At the choice of Customer, Company will (or will enable Customer via the Services to) delete all Customer Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Company's data retention schedule) after expiry or termination of the Agreement (unless Data Protection Law requires the storage of such Customer Personal Data by Company, in which case Company will only further retain and Process such Customer Personal Data for the limited duration and purposes required by such Data Protection Law). The certification of deletion contemplated by Section 8.5 of the SCCs shall be provided on Customer's written request.

1.7. Additional Uses. Where permitted by Data Protection Law, Company may Process Customer Personal Data to detect Security Incidents and to protect against fraudulent or illegal activity.

1.8. Deidentified Data. Company may Process Deidentified Data for its lawful business purposes. Company will (a) take reasonable measures to ensure the Deidentified Data cannot be associated with a Data Subject and (b) publicly commit to maintain and use Deidentified Data in deidentified form and not attempt to reidentify Deidentified Data except as permitted by Data Protection Law.

2. Data Processing Assistance

2.1. Data Subject Rights Assistance. Customer shall be responsible for responding to requests from individuals to exercise rights under Data Protection Law relating to Customer Personal Data (each a "Data Subject Request"). Company will, to the extent permitted by Data Protection Law, notify Customer if Company receives a Data Subject Request with respect to Customer Personal Data. To the extent Customer, in its use of the Services, does not have the ability to address the Data Subject Request, Company will, on Customer's request, provide commercially reasonable assistance to Customer in responding to such Data Subject Request, to the extent the response to such Data Subject Request is required under Data Protection Law. Customer shall reimburse Company for all non-negligible costs Company incurs in performing its obligations under this Section 2.1 and Section 2.4, below.

2.2. Security Assistance. Taking into account the nature of Processing and the information available to Company, Company will provide commercially reasonable efforts to assist Customer in Customer's efforts to comply with Customer's obligations to secure Customer Personal Data by providing the information and assistance described in Section 3 (Audits).

2.3. Security Incident Notice and Assistance. Company will notify Customer without undue delay and within the time frame required under Data Protection Laws after becoming aware of a Security Incident. Company will further take commercially reasonable steps to mitigate the effects and minimize any impact from the Security Incident and assist Customer in complying with any related notification obligations under Data Protection Law. Where possible, such notice will include all available details required under Data Protection Law for Customer to comply with its own notification obligations to regulatory authorities or individuals impacted by the Security Incident.

2.4. Data Protection Impact Assessment (DPIA) and Prior Consultation Assistance. Where required by Data Protection Law and taking into account the nature of Processing and the information available to Company, Company will provide commercially reasonable assistance to Customer in ensuring compliance with the obligations related to DPIAs and consulting with regulatory authorities.

3. Audits

3.1. Company Audits. Company may procure audits by third parties to assess Company's adherence to applicable standards or requirements (collectively, "Audits"). Subject to the confidentiality obligations set forth in the Agreement, Company will provide Customer with summaries of Company's then-current Audit reports ("Reports") on Customer's request, provided that Customer may not (y) use the Reports other than to conduct audits as described in this Section 3 or (z) disclose the Reports other than to its Auditor.

3.2. Customer Audits. Where Data Protection Law affords Customer an audit or assessment right, Customer (or its appointed representative) may carry out an audit or assessment of Company's policies, procedures, and records relevant to the Processing of Customer Personal Data. Customer agrees to exercise its audit rights by first requesting the Reports as described in Section 3.1. Customer will only request additional information or an on-site audit of Company to the extent the information provided by Company is not reasonably sufficient to enable Customer to evaluate Company's compliance with this DPA and/or Data Protection Law. Except in the event of a Security Incident or regulatory investigation, Customer will provide no less than 30 days' advance notice of its request for an on-site audit and will cooperate in good faith with Company to schedule any such audit on a mutually agreeable date and time. Any such on-site audit must occur during Company's normal business hours and be conducted by Customer or a nationally recognized independent auditor ("Auditor") that has agreed to confidentiality provisions reasonably acceptable to Company. Customer is responsible for ensuring that the audit will comply with Company's applicable on-site policies and procedures and will not unreasonably interfere with Company's business activities.

3.3. Confidentiality. The audit findings and the Reports will be considered Company's "Confidential Information" and Customer will take reasonable measures to protect the secrecy of the Confidential Information. Such measures shall be no less protective of the Confidential Information than those used by Customer to protect its own confidential or proprietary information. Customer will promptly notify Company of any unauthorized access or disclosure of Company's Confidential Information and Customer will delete or return the Confidential Information to Company upon termination of the Agreement. The foregoing restrictions and obligations will not apply to any information that Customer can prove by clear and convincing evidence becomes publicly known through no breach of this DPA.

4. Subprocessors

4.1. Appointment of Subprocessors. Customer authorizes Company to use subcontractors to Process Customer Personal Data in connection with providing the Services (each, a "Subprocessor"). Customer specifically consents to Company's appointment of the Subprocessors identified on Attachment 4 (the "Subprocessor List").

4.2. Objection Right for New Subprocessors. Where required by Data Protection Law, Company will notify Customer of its intent to update the Subprocessor List at least 15 days prior to engaging a new Subprocessor. Customer may object to Company's use of a new Subprocessor within 10 days of receiving such notice by sending an e-mail to legal@monograph.com clearly indicating its desire to object to any such change. If Customer objects, Company and Customer will cooperate in good faith to resolve Customer's objection. If the parties are unable to resolve Customer's objection within 10 days, then either party may terminate the Agreement only with respect to those Services that Company indicates cannot be provided without the objected-to Subprocessor.

4.3. Liability. Company will impose data protection obligations upon any Subprocessor that are no less protective of Customer Personal Data than those included in this DPA. Company will be liable to Customer for any breach of such obligations by its Subprocessors as it would for its own acts and omissions.

5. Data Transfers

Customer authorizes Company and its Subprocessors to transfer Customer Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom ("UK") to the United States. Where required by Data Protection Law, the parties will conduct any transfers of European Economic Area, UK, and Swiss residents' Customer Personal Data to a country not subject to an adequacy decision (a "Data Transfer") pursuant to the SCCs, which are incorporated and deemed executed by this reference. If Company notifies Customer that Data Transfers can be conducted in compliance with Data Protection Law pursuant to an alternative transfer mechanism such as the Data Privacy Framework, the parties will rely on the alternative mechanism to legitimize Data Transfers instead of the provisions that follow. The parties agree to comply with the general clauses and with Module 2 (Controller to Processor) of the SCCs with Customer as the "data exporter" and Company as the "data importer." Each party's signature to the Agreement shall be considered a signature to the SCCs to the extent that the SCCs apply hereunder.

Transfers Subject to Swiss Data Protection Law. If any Customer Personal Data subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the "FADP") is subject to a Data Transfer, the parties will conduct such transfer pursuant to the SCCs with the following modifications: the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner; references to a "Member State" and "EU Member State" will not be read to prevent individuals in Switzerland from suing for their rights in Switzerland; and references to "GDPR" in the SCCs will be understood as references to the FADP.

Transfers Subject to the UK GDPR. Any Customer Personal Data that is subject to the UK GDPR and a Data Transfer will be subject to the UK IDTA, which is incorporated and deemed executed by this reference.

6. Limitation of Liability

Each party's and all of its affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability in the Agreement. Nothing in this Section 6 is intended to restrict the rights of individuals under Data Protection Law.

7. Miscellaneous

To the extent there is any conflict between the terms of this DPA, on the one hand, and the applicable SCCs or UK IDTA, on the other hand, the SCCs or UK IDTA, as appropriate, will control. Except as specifically amended and modified by this DPA, the terms and provisions of the Agreement remain unchanged and in full force and effect. Except as expressly stated in the SCCs and the UK IDTA, the governing law and forum selection provisions of the Agreement will apply to any disputes arising out of this DPA. No supplement, modification, or amendment of this DPA will be binding unless executed in writing by each party to this DPA.

Attachment 1: Definitions

"CCPA" means the California Consumer Privacy Act of 2018, including as amended by the California Privacy Rights Act of 2020 or otherwise, and any regulations promulgated thereunder.

"Controller" means "controller" and "business" (and analogous variations of such terms) under Data Protection Law.

"Customer Personal Data" means Personal Data that Company Processes on behalf of Customer in connection with providing the Services as described in Attachment 2.

"Data Protection Law" means the applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject, including but not limited to the GDPR, the UK GDPR, the FADP, the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, and any other state, federal, or international data protection or privacy laws that apply to Company's Processing of Customer Personal Data.

"Data Subject" means any individual to whom Personal Data relates.

"Deidentified Data" means information that cannot reasonably be linked to or associated with Customer or any Data Subject.

"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

"Personal Data" means "personal data" and "personal information" (and analogous variations of such terms) under Data Protection Law.

"Process" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Processor" means "processor" and "service provider" (and analogous variations of such terms) under Data Protection Law.

"SCCs" means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as may be replaced or superseded by the European Commission. The parties make the following choices for implementing the SCCs: (a) In Clause 7, the optional docking clause will apply; (b) Audits under Section 8.9 shall be conducted according to the audit provisions of this DPA; (c) In Clause 9, Option 2 will apply and the time period for notice of Subprocessor changes will be as set forth in this DPA; (d) In Clause 11 the optional language will not apply; (e) In Clause 17, the SCCs shall be governed by the laws of Ireland; (f) In Clause 18(b), disputes arising from the SCCs shall be resolved in the courts of Ireland.

"Security Incident" means "personal data breach" and "security incident" (and analogous variations of such terms) under Data Protection Law.

"Services" means the Platform Services provided by Company pursuant to the Agreement.

"UK GDPR" means the GDPR as incorporated into United Kingdom law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).

"UK IDTA" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022. Neither party can terminate the UK IDTA pursuant to Table 4 and Section 19 thereof without the written consent of the other.

Attachment 2: Scope of Processing

Data exporter: Customer.

Data importer: Company.

Subject-Matter and Duration of Processing: Company Processes Customer Personal Data if and when provided by Customer in the course of providing the Services in accordance with the Agreement and until the Agreement terminates or expires.

Nature and Purpose of Processing: Processing of Customer Personal Data in connection with and for the purpose of Company providing the Services to Customer pursuant to the Agreement. Specifically, the Customer Personal Data will, if and to the extent Customer provides it, be subject to storage and analysis, among other Processing activities.

Types of Customer Personal Data: Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion. This may include, but is not limited to: contact information like name, email address, and telephone number; device identification data and traffic data (e.g., IP addresses, MAC addresses, web logs); and information needed to provide the Services like hours worked by and W2/1099 information of employees/personnel and financial information of clients.

Categories of Data Subjects: Customer's clients, employees/personnel.

Special Categories of Data: The Services are not designed for special categories of Personal Data. Company does not anticipate that Customer will submit special categories to the Services. To the extent that such data is submitted to the Services, it is determined and controlled by Customer in its sole discretion.

Frequency of Transfers: Company will import Customer Personal Data on a continuous basis.

Period of Data Retention: Company will retain the Personal Data until the termination of the Agreement, unless otherwise agreed to by the parties.

Attachment 3: Data Security Exhibit

1. Program. Company will implement and maintain an information security program containing administrative, technical and organizational safeguards appropriate to the risks posed that comply with this DPA and that: (a) are designed to protect against any Security Incident; and (b) meet or exceed prevailing industry standards and requirements under Data Protection Law.

2. Company will: (a) abide by the "principle of least privilege," pursuant to which Company will permit access to Personal Data by its personnel solely on a need-to-know basis; and (b) promptly terminate its personnel's access to Personal Data when such access is no longer required for performance under the Agreement.

3. Account Management. Company will manage the creation, use, and deletion of all account credentials used to access the Company Services and any back-end systems, including by implementing: (a) a segregated account with unique credentials for each user; and (b) strict management of administrative accounts.

4. Security Segmentation. Company will monitor, detect and restrict the flow of information on a multilayered basis within its systems using tools such as firewalls, proxies, and network-based intrusion detection systems.

5. Company will use data loss prevention measures designed to identify, monitor and protect Personal Data in use, in transit and at rest. Such data loss prevention processes and tools will include automated tools to identify attempts of data exfiltration.

6. Encryption. Company transmits or sends wirelessly across public networks or within the Company Systems using encryption. Company will safeguard the security and confidentiality of all encryption keys associated with encrypted Personal Data.

7. To the extent any Personal Data includes "cardholder data," as such term is defined by the Payment Card Industry Data Security Standard ("PCI DSS"), Company will use Stripe, a PCI DSS compliant company, to comply with the PCI DSS and other applicable PCI and payment card issuer, brand or association rules and requirements.

8. Physical Safeguards. Company will maintain physical access controls designed to secure its systems.

Attachment 4: Subprocessor List

  • Check Inc. — Company/employee data synced for embedded payroll (USA)
  • Stripe — Company data synced for subscription management (USA)
  • Google Cloud Platform — Data warehousing and analytics (USA)
  • AWS — File storage, caching (USA)
  • Heroku — PaaS, application hosting, database storage (USA)
  • Stitch — Data pipelining to our data warehouse (USA)
  • Hubspot — Company/employee and summarized activity data synced (USA)
  • Salesforce — Company/employee and summarized activity data synced (USA)
  • QuickBooks Online — Relevant accounting data synced (USA)
  • Segment — Event hub for company/employee and summarized activity data (USA)
  • RedisCloud — Caching for performance, data temporarily stored (USA)
  • Datadog — Development tools: logging, application performance (USA)
  • Vercel — Frontend cloud-based hosting of application code (USA)
  • ConvertAPI — Customer invoice data converted to PDF for download (USA)
  • Metabase — Data analytics (USA)
  • Fullstory — Event monitoring and diagnostics (USA)
  • Clay — Company/employee and summarized activity data synced (USA)
  • Sentry — Development tool: error handling (USA)
  • Zapier — Development tool; support and account management (USA)
  • OpenAI — Application AI functionality (USA)
  • Churnzero — Support and account management (USA)
  • Intercom — Support and account management (USA)

CREDIT OR DEBIT CARD INFORMATION

Company does not itself store debit or credit card information on its servers. Company offers Stripe as a third party payment processor to process purchases made through the Platform. For more information on the data collection and use practices of this payment processor, please review Stripe's Privacy Policy.

INTERCOM

Intercom, Inc., a third party analytics service, is utilized to help Company understand the use of our Services and to communicate with Users by sending service-related notifications. Information is collected pursuant to Intercom's Privacy Policy.

CUSTOMER SERVICE – ERROR TRACKING

Company utilizes Rollbar for services-related error monitoring, error notifications and de-bugging purposes. Customer information is processed in accordance with Rollbar's Privacy Policy.

ANONYMOUS DATA – ANALYTICS

  • Google Analytics: Company uses Google Analytics as a web analytics tool to track user behavior on its marketing Site. Google Analytics collects anonymized information in accordance with its Privacy Policy. However, if you do not want Google Analytics to track your behavior on the Platform, you may opt-out by installing Google Analytics Opt-out Browser Add-on.
  • MixPanel: Company utilizes MixPanel for tracking user-driven events in the web application. MixPanel collects information in accordance with its MixPanel Privacy Policy. You can opt-out of MixPanel’s automatic retention of data collected by clicking here: MixPanel Opt-Out. If you get a new computer, install a new browser, erase or otherwise alter your browser's cookie file (including upgrading certain browsers) you may also clear the MixPanel opt-out cookie.

SHARING SERVICES

Users may follow Company and/or share information on Facebook, Twitter, and LinkedIn, as well as other social media/sharing services/sites. Users who follow/share on such third party sites are subject to the data collection and privacy practices of such third party sites. Users should click on the applicable Privacy Policies to review more detail about information collected from these services.

THIRD PARTY APIS

Company may offer Customers the ability to integrate third party services (such as accounting applications) within the Platform via third party APIs. Such integration will require Customers to specifically authorize Company’s access. When authorized to access, Company will store a set of tokenized credentials to use with such third party API and exchange applicable data necessary to enhance features and functionality of the Subscription Services available to Customer.

THIRD PARTY SERVICES – INTERNAL USE

We may share Personal Data with third parties who provide services on our behalf for purposes such as accounting, facilitating the exchange of data between Company’s employees, internal reporting purposes, etc. We enter into contracts with such third parties regarding such services to ensure Personal Data is handled consistent with Company’s Privacy Policy and applicable law.

OTHER POTENTIAL THIRD PARTY DISCLOSURES

Personal Data may also be disclosed to third parties to serve our legitimate business interests as follows: (1) as required by law, such as to comply with a subpoena or similar legal process; (2) if Company is involved in a merger, acquisition, or sale of all or a portion of its assets; (3) to investigate, prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement agencies; (4) to enforce our agreements with you; and/or (5) to investigate and defend ourselves against any third-party claims or allegations. We will use commercially reasonable efforts to notify Users about law enforcement or court ordered requests for Personal Data unless otherwise prohibited by law.

3. HOW DOES COMPANY COMPLY WITH THE CHILDREN’S ONLINE PRIVACY PROTECTION ACT AND GDPR REGULATIONS RELATING TO CHILDREN?

The Platform is not directed to children under 18. Only persons aged 18 or older are authorized to subscribe to the Subscription Services and we do not knowingly collect Personal Data from anyone under the age of 18. If a parent or guardian becomes aware that his or her child has provided us with Personal Data without parental consent, he or she should contact Company at legal@monograph.com.

4. HOW LONG DOES COMPANY RETAIN PERSONAL DATA COLLECTED?

We will retain account and purchase data as long as it is necessary to facilitate Customer’s access and use of the Subscription Services. When a Customer’s account is terminated, Personal Data collected through the Platform will be deleted in accordance with the requirements of applicable law. Personal Data obtained from Site visitors will be maintained as long as it is necessary to provide requested communications and information-based services or until a visitor exercises its right to opt-out of requested communications or information-based services. Anonymized and Pseudo-anonymized data will be retained as long as Company determines such data is commercially necessary for its legitimate business interests.

5. EU GENERAL DATA PROTECTION REGULATION (“GDPR”) NOTICES

6. YOUR CALIFORNIA PRIVACY RIGHTS

California law permits California-resident Customers to request and obtain from Company once a year, free of charge, certain information about their Personally Identifiable Information (“PII”) (as defined by California law) disclosed to third parties for direct marketing purposes in the preceding calendar year (if any). If applicable, this information would include a list of the categories of PII that was shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year.

7. WHAT IS COMPANY’S SECURITY POLICY?

We have implemented reasonable administrative, technical and physical security measures to protect your personal information against unauthorized access, destruction or alteration. However, although we endeavor to provide reasonable security for information we process and maintain, no security system can ever be 100% secure.

In addition, Company utilizes a PCI-DSS compliant third party payment processor to ensure the security of Subscriber’s Personal Data. Subscribers should review Stripe’s Security Policy for more information on their security practices. For information relating to data stored by Amazon Web Servers, please see the AWS Cloud Security Policy for more information on its security practices.

8. HOW DOES THE PLATFORM RESPOND TO “DO NOT TRACK” SIGNALS?

“Do Not Track” is a feature enabled on some browsers that sends a signal to request that a website disable its tracking or cross-Platform user tracking. At present, the Platform does not respond to or alter its practices when a Do Not Track signal is received.

If we make material changes to our Privacy Policy, we will notify you by (i) changing the Effective Date at the top of the Privacy Policy, (ii) sending an email to all active account holders, and (iii) adding a banner/notification to the Platform itself. Express consent will be obtained when required for any material changes in Company’s collection and use practices.

10. CONTACT US

If you have any questions regarding your Personal Data or about our privacy practices, please contact us at: Monograph Inc., Attention: Privacy Department, 165 11th St., San Francisco, California 94103 and/or at legal@monograph.com.