
CORDA Pre-Production NETWORK AGREEMENT

This Agreement (this “Agreement”) is between Corda Network Foundation Stichting (“Corda Network Foundation”, “Foundation”, “we”, “us”, or “our”), and you (“you”), and sets forth the terms and conditions that govern your rights to use Corda Pre-Production Network (“Pre-Production Network”), establish a node thereon and interact with nodes operated by other participants on the Pre-Production Network (“Participants”), use the Pre-Production Services, and, to the extent applicable, the Pre-Production as defined in Section 1 below, and use any associated documentation therefor provided to you by the Corda Network Foundation (collectively, the “Services”). This Agreement shall run concurrently with any commercial agreement you enter into with the Corda Network Foundation for your use of the Services. This is a legal agreement between you and us, so please read it carefully.

1.               License to Use; Restrictions.

1.1            The Pre-Production Services are intended for testing of functionally complete and tested CorDapps in realistic network settings to simulate the real-world business environment, including the production settings of network parameters, Corda network services and supported Corda versions. The Pre-Production Services are not intended for use in any live production environments or with any commercial applications. The “Corda Network” means the set of infrastructure, services, standards, policies, agreements and governance mechanisms which enable users of Corda to enter into commercial transactions utilizing various applications. For the avoidance of doubt, Pre-Production Network is a discrete environment (and a discrete set of services) from the Corda Network.

The Pre-Production Services consist of the following:

(a)             Doorman Service: You will install a node, running the Corda Software, either on-premises or in a cloud environment. To join the node to the Pre-Production Environment, the node will communicate a Certificate Signing Request (CSR) to the Pre-Production Doorman service which, upon verification of the identifying details submitted in the CSR, will issue a Participation Certificate to your node which will enable it to operate within Pre-Production.

(b)             Network Map Service: a service provided by the Corda Network Foundation that accepts digitally signed documents describing network routing and identifying information from Participants and makes this information available to you and other Participants.

(c)             Notary Service: a technical service that will digitally sign a transaction presented to it by Participants prior to it being recorded on Participants’ ledgers provided no transaction referring to any of the same inputs has been previously signed by the Corda Network Foundation Notary Service and the transaction timestamp is within bounds.

The Corda Network Foundation reserves the right to make substantial changes to the Services, including the Pre-Production Services, at any time.

 

The Pre-Production Network shall operate in accordance with the terms set forth in the User Acceptance Test Environment Service Level Agreement, which you may access via the Services and which may be updated from time to time. For the avoidance of doubt, the Pre-Production Network is a discrete environment (and a discrete set of services) from TestNet and the Corda Network.

 

1.2            License. The Corda Network Foundation hereby grants you a limited, revocable, non-exclusive, non-transferable, and non-sublicensable right to access and use the Services solely for your own internal use during the period commencing on the date you accept this Agreement (the “Effective Date”) and continuing until terminated by the Corda Network Foundation (the “Term”).

1.3            Restrictions.

(a)             General. You will not: (i) copy, distribute, license, rent or otherwise transfer or use the Services for any purpose or in any manner other than that as expressly set forth in Section 1.2; (ii) use any confidential or proprietary information of the Corda Network Foundation or any Participants except as authorized by the owners of such information; (iii) use the Services in any way intended or calculated to damage or interfere with the functioning of any other nodes or Participants; (iv) attempt to gain unauthorized access to the Services, any other Participant’s nodes, or any other systems or networks, or (v) use the Services for the execution of any transactions or otherwise enter into any binding agreement using the Services.

(b)             Data Restrictions.  The Services may not be used with data that (i) requires a license or other permission for use in connection with the Services unless you have all necessary rights to make such data available for use in connection with the Services, (ii) is the master or only copy of real commercial data pertaining to you, your customers, or any third parties, or (iii) is otherwise subject to restrictions on distribution or transferability under any applicable laws and regulations (“Prohibited Data”). You will not introduce into the Services or share with any Participant through the Services any Prohibited Data and will cooperate with any audit or review of information provided to ensure that the data provided does not include Prohibited Data. You acknowledge that any data made available through the Services or provided by any other Participant through the Services is intended to be used for development, testing and demonstration purposes. The Corda Network Foundation makes no representations or warranties as to the accuracy or usefulness of any such data, and your use of such data is at your sole discretion and risk.

1.4            Participation Certificate. Use of the Service requires a certificate issued by the Corda Network Foundation which authenticates your node as one that is authorized to use the Service and participate in the network (“Participation Certificate”). Your Participation Certificate is non-transferable, may not be duplicated and may not be shared with any other party. You are responsible for any activity that occurs under your Participation Certificate.

1.5            Software and Equipment.

(a)             You are solely responsible, at your own expense, for acquiring, installing, maintaining and securing all hardware, software and other equipment necessary to connect to and use the Services, except as otherwise provided by the Corda Network Foundation. Access to and use of the Services requires you to download and install the current Corda software. Your use of any software or other materials and content to access the Services, including but not limited to the Corda software, is subject to the applicable license terms that accompany such software, materials, and content. Such license terms, and not this Agreement, will govern your use of such software, materials, and content.

(b)             You will maintain, patch and update the Corda software as specified by the Corda Network Foundation. You acknowledge that failure to use the most current versions of the Corda software may impact your ability to access or use the Services. You will maintain, patch and update all security software and systems for your nodes on a regular basis in accordance with industry practices.

(c)             You will configure your systems, including firewalls and security systems, in accordance with the standards and specifications set forth by the Corda Network Foundation for the System, including accepting inbound connections from any IPv4 address with a valid Participation Certificate.

1.6            Temporary Suspensions. The Corda Network Foundation may temporarily suspend your or any of your users’ access to any portion or all of the Services at any time if the Corda Network Foundation determines that: (a) there is a threat or attack (including a denial of service attack) on, or a security risk to, the Services or the Corda Network Foundation’s or its third party’s hosting network or infrastructure (“R3 Network”) or other event that may create a risk to the Services or Participants; (b) you or any of your users are using the Services for fraudulent or illegal activities or in violation of this Agreement; or (c) subject to applicable law, you have ceased to continue business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of your assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution or similar proceeding. The Corda Network Foundation will have no liability for any damage, liabilities, losses (including any loss of data or profits) or any other consequences that you or any of your users may incur or experience as a result of any service suspension.

1.7            Changes to Services. The Corda Network Foundation may revise or release subsequent versions of the Services at any time and will notify you through such method as the Corda Network Foundation may specify from time to time. The Corda Network Foundation may require you to use the most recent version of the Services. Your continued use of the Services after such release will be deemed your acceptance of the modifications.

1.8            Data Protection. Both parties acknowledge and agree that they will comply with all the provisions of the EEA Data Protection Addendum attached hereto as Exhibit A.

2.               Proprietary Rights.

R3 or its licensors own the Services and all associated patent, copyright, trade secrets and other proprietary and intellectual property rights in and to the Services. No title to or ownership of the Services or any associated proprietary or intellectual property rights are transferred or licensed to you under or by virtue of this Agreement.

3.               Evaluation and Feedback.

3.1            You may provide the Corda Network Foundation with data, information and feedback regarding the performance, features and functionality, as well as your evaluation, of the Services (collectively, “Feedback”). You hereby assign to the Corda Network Foundation, automatically upon the creation thereof without further consideration, all right, title and interest you may have in and to the Feedback and any improvements and modifications to the Services conceived or made as a result of such Feedback, including all proprietary and intellectual property rights in the foregoing. R3 may use and commercially exploit all such Feedback, improvements and modifications for any purpose, without any accounting or obligation to you.

3.2            You understand and agree that: the Corda Network Foundation may monitor your use of the Services and collect and use data relating to such use for purposes of: (i) providing the Services, (ii) ensuring compliance with this Agreement, and (iii) planning, development and improvements with respect to the Services.

4.               Termination.

Either party may terminate this Agreement at any time, with or without cause, by providing written notice of termination to the other party. Such written notice shall be given via email and addressed to: UatOperations@r3.com and legal@r3.com. Upon such termination, you must promptly cease using the Services and all information related to the Services. Section 1.3, and Sections 2 through 9 will survive the termination of this Agreement.

5.               Warranties; Disclaimer.

5.1            Your Representations and Warranties. You represent, warrant and covenant that: (a) you will not provide, transmit, distribute, disclose or otherwise provide to the Corda Network Foundation or distribute through the Service, or otherwise use, any data or information in connection with the Services (“Data”) that is Prohibited Data or is unlawful or tortious, or for which you do not own or have not procured sufficient license, right, consent and permission to copy, reproduce, store, broadcast or otherwise use; (b) your use of the Services will not violate any laws, regulations, rules, orders, licenses, permits and other governmental requirements (including privacy laws) or any obligations or restrictions imposed by third parties; (c) the Data, including the Corda Network Foundation’s use thereof in connection with this Agreement, does not and will not infringe, misappropriate or otherwise violate any intellectual property or other proprietary rights of any third party; and (d) you will be deemed the party publishing the Data to the Pre-Production ledger and have full and sole responsibility for such publication.

5.2            Joint Representations and Warranties. Each party undertakes not to take any action that is in any way intended or calculated to damage or interfere with the functioning of the other party’s node or other IT systems, including through the introduction of any Virus. For purposes of this Section 5.2, “Virus” shall mean any software intended to damage or interfere with the intended operation of IT systems or software (including by rearranging, altering or erasing a software program or data in whole or part or otherwise), or any device, method or token that permits the circumvention of any part of information technology security, including any computer viruses, worms, time bombs, logic bombs, Trojan horses, salamis, trap doors, backdoors, undocumented passwords, protect codes or other malicious computer instructions, or any devices or techniques that can, or are designed to, threaten, assault, vandalize, subvert, disrupt, damage, copy, misappropriate, disable or shutdown an IT system, a software program, or any component thereof, including its security or user data. Each party undertakes to operate its respective node and services (including the Services) within a secure environment. In furtherance of the foregoing, each party shall use commercially reasonable efforts to ensure that such nodes and services (including the Services) remain secure from malicious attacks, and security incidents are promptly reported to the other party and appropriately managed. You undertake to comply with the Corda Network Foundation’s reasonable security policies as made available by the Corda Network Foundation from time to time.

5.3            Disclaimers. You acknowledge and agree that the Services are provided “as is”, without warranty of any kind. To the maximum extent permitted by applicable law, the Corda Network Foundation hereby disclaims all warranties, obligations and liabilities of the Corda Network Foundation, its licensors, and other Participants, whether express, implied or statutory, arising by law or otherwise, with respect to any error, defect, deficiency, unavailability, or nonconformity in the Services, your use of the Services, or otherwise related in any way, directly or indirectly, to the Services, including but not limited to any implied warranty of merchantability or fitness for a particular purpose, implied warranty arising from course of performance, course of dealing or usage of trade, any obligation, liability, right, remedy or claim in tort (including negligence, whether active, passive or imputed), product liability, strict liability or other theory, and claim of infringement. The Corda Network Foundation and its licensors do not warrant that the Services will meet your needs or will be provided error-free, uninterrupted, secure, or virus-free.

You understand that the Services operate on a distributed network and the Corda Network Foundation disclaims any responsibilities with respect to your disclosure of data to, access of data from, or the functioning of nodes on the distributed network. You acknowledge that the Corda Network Foundation does not control the transfer of data over communications facilities, including the Internet, and that the Services may be subject to limitations, delays, and other problems inherent in the use of such communications facilities. You acknowledge that the entire risk arising out of the use or performance of the Services remains with you, to the maximum extent permitted by law.

5.4            Further Disclaimers. Without limiting the generality of Section 5.3, neither the Corda Network Foundation nor its licensors will have any responsibilities or liability with respect to the Services. Without limiting the foregoing:

(a)             The Services could be impacted by one or more regulatory inquiries or actions, which could prevent or limit the ability (i) of the Corda Network Foundation to continue to develop or provide the Services, (ii) certain Participants to continue to use the Services, or (iii) for you and your users to use the Services.

(b)             The Corda Network Foundation has no obligation to update the Services or its underlying platforms and networks to address, mitigate, or remediate any security or other vulnerabilities in the Services, or such platforms or networks.

(c)             The Corda Network Foundation is not responsible or liable for the actions or omissions of any Participant, whether such actions or omissions interoperate, communicate or otherwise involve or implicate your node or presence on such network or the Services. The Corda Network Foundation hereby disclaims all warranties, obligations and liabilities relating to your interaction with other nodes on the Service and other Participants, including any data shared with other Participants.

6.               Limitation of Liability.

In no event will the Corda Network Foundation or any of its licensors or other users be liable, whether in contract, warranty, tort (including negligence, whether active, passive or imputed), product liability, strict liability or other theory, for any direct, indirect, incidental, special or consequential damages, including any loss of profits or data, business interruption or other pecuniary loss, or damage, loss or other compromise of data arising out of this Agreement, including but not limited to the use or inability to use the Services, even if the Corda Network Foundation or its licensors or other users have been advised of the possibility of such damages. Further, the Corda Network Foundation will not be liable for any delay or failure to perform its obligations under this Agreement as a result of any causes or conditions beyond the Corda Network Foundation’s reasonable control. The foregoing limitations, exclusions and disclaimers shall apply to the maximum extent permitted by applicable law, even if any remedy fails of its essential purpose.

7.               Indemnity

To the maximum extent permitted by law, you will defend, indemnify and hold harmless the Corda Network Foundation and the other Participants and their respective affiliates, directors, officers, employees and agents from and against any and all third party claims, actions, suits, investigations, or proceedings, as well as any and all losses, liabilities, damages, costs, and expenses (including reasonable attorneys’ fees) arising out of, accruing from, or in any way related to your breach of the terms of this Agreement or any Data or other items you furnish or otherwise make available through the Services.

8.               Governing Law; Dispute Resolution

8.1            Governing Law. This Agreement is governed by the laws of the State of New York without reference to its choice of law principles. The provisions of the 1980 U.N. Convention on Contracts for the International Sale of Goods shall not apply.

8.2            Arbitration. Any claim, dispute, or controversy (“Claim”) arising out of or relating to this Agreement or the relationships among the parties hereto shall be resolved through binding arbitration before one arbitrator administered by the International Centre for Dispute Resolution (ICDR) of the American Arbitration Association (AAA) in accordance with its International Arbitration Rules in effect at the time the Claim is filed (“Rules”). The place of Arbitration will be New York City, New York and the arbitration will be conducted in English. The arbitrator’s decision shall be final, binding, and non-appealable. Judgment upon the award may be entered and enforced in any court having jurisdiction. This clause is made pursuant to a transaction involving interstate commerce and shall be governed by the Federal Arbitration Act. Neither party shall sue the other party other than as provided herein or for enforcement of this clause or of the arbitrator’s award. The arbitrator, and not any federal, state, or local court, shall have exclusive authority to resolve any dispute relating to the interpretation, applicability, unconscionability, arbitrability, enforceability, or formation of this Agreement including any claim that all or any part of the Agreement is void or voidable.

8.3            Governing Language. This Agreement has been prepared and executed by the parties in English. In the event any translation of this Agreement is prepared for convenience or any other purpose, the provisions of the English version shall prevail.

9.               Miscellaneous.

This Agreement constitutes the entire agreement between the Corda Network Foundation and you regarding your use and evaluation of the Services. Statements or representations made by employees, distributors, resellers or any other third party do not constitute warranties by the Corda Network Foundation, do not bind the Corda Network Foundation and should not be relied upon by you. The Corda Network Foundation may modify this Agreement from time to time upon written notice to you by email at the address associated with your account or by providing notice through our Services and posting the amended Agreement in a manner accessible through the Services. Unless otherwise stated in the notice, the amended Agreement will be effective immediately and your continued access to and use of the Services after we provide notice will confirm your acceptance of the changes. If you do not agree to the amended Agreement, you must stop accessing and using our Services.

If you have any questions concerning this Agreement, please contact us at: legal@r3.com.

ACCEPTED AND AGREED ON
BY






EXHIBIT A

EEA Data Protection Addendum

Scope

The terms in this EEA Data Protection Addendum (“Addendum”) apply to all services in Appendix A (the “Services”) which involve processing of personal data by the Corda Network Foundation which is subject to GDPR. This Addendum forms part of the principal agreement (the “Principal Agreement”) between the customer (the “Customer”) and the Corda Network Foundation. This Addendum applies to the processing of Personal Data, subject to the EU General Data Protection Regulation 2016/679 (hereinafter “GDPR”), by the Corda Network Foundation Stichting ("Corda Network Foundation") on behalf of Customer. Terms used herein and not otherwise defined shall have the meanings ascribed to them in the GDPR.

 

Processing of Customer Personal Data; Ownership

The Corda Network Foundation and Customer agree that with regard to the processing of Customer Personal Data, Customer is Controller and the Corda Network Foundation is Processor. The Corda Network Foundation will process the personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

 

The Corda Network Foundation is not responsible for any Customer Personal Data stored or otherwise used with any Corda Network Foundation’s proprietary software or on any network provided by the Corda Network Foundation.

 

Disclosure of Customer Personal Data

The Corda Network Foundation will not disclose Customer Personal Data outside of the Corda Network Foundation and its affiliates and third-party vendors facilitating business for the Corda Network Foundation except (1) as Customer directs, (2) as set forth in the Principal Agreement, or (3) as otherwise required by law.

If a law enforcement agency or other third party contacts the Corda Network Foundation with a legally binding demand for Customer Personal Data, the Corda Network Foundation will attempt to redirect the third party to request that data directly from Customer (and for this purpose, the Corda Network Foundation may disclose Customer's basic contact information to that third party). If compelled to disclose Customer Personal Data to a law enforcement agency or other third party, the Corda Network Foundation will as soon as reasonably practicable notify Customer and provide it with a copy of the demand unless legally prohibited from doing so.

Processing Details

The parties acknowledge and agree that:

·       The subject-matter, nature and purpose of the processing is limited to Customer Personal Data as defined by and within the scope of the GDPR;

·       The duration of the processing shall be for the duration of the Customer’s right to use the Service and until all Personal Data is deleted or returned in accordance with Customer instructions or the terms of the Principal Agreement;

·       The nature and purpose of the processing shall be to provide the Service pursuant to the Principal Agreement;

·       The types of Personal Data processed by the Online Service include those expressly identified in Article 4 of the GDPR; and

·       The categories of Data Subjects are Customer’s representatives and end users, such as employees, contractors, collaborators, and customers.

 

If the Corda Network Foundation receives a communication from a Data Subject seeking to exercise any of his or her rights under articles 12 to 23 of the GDPR, the Corda Network Foundation will redirect the Data Subject to make its request directly to Customer. The Corda Network Foundation will comply with reasonable requests by Customer to assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the Processor.

 

Cooperation

The Corda Network Foundation will assist with any audits conducted by the Controller or another auditor mandated by the Controller. The Customer shall reimburse the Corda Network Foundation for any reasonable and demonstrable expenses relating to any such audit. Customer and the Corda Network Foundation shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate.

 

Data Security

Security Practices and Policies

The Corda Network Foundation will maintain appropriate technical and organizational measures to protect Customer Personal Data. The Corda Network Foundation reserves the right to amend the security measures that it has in place to protect Customer Personal Data (or equivalent), and/or its description of them, by amending the relevant web pages from time to time, provided that it does not materially reduce the level of security provided.

 

Customer Responsibilities

Customer is solely responsible for making an independent determination as to whether the technical and organizational measures set out in Appendix B ensure a level of security appropriate for the Customer Personal Data, including meeting any of Customer's security obligations under the GDPR or other applicable data protection laws and regulations. Customer will indemnify, defend, and hold harmless the Corda Network Foundation from and against any and all losses (i) in respect of or arising out of any third party claim against the Corda Network Foundation alleging that the measures set forth in Appendix B are insufficient or otherwise fail to comply in any respect with the requirements of the GDPR or (ii) arising or resulting from any breach of the GDPR by the Corda Network Foundation in connection with the measures set forth in Appendix B. Customer acknowledges and agrees that taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its Customer Personal Data as well as the related risks to individuals the technical and organizational measures implemented and maintained by the Corda Network Foundation provide a level of security appropriate to the risk with respect to its Customer Personal Data. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides or controls.

 

Security Incident Notification

If the Corda Network Foundation becomes aware of a personal data breach which is likely to result in a risk to the rights and freedom of natural persons while processed by the Corda Network Foundation (each a “Security Incident”), the Corda Network Foundation will without undue delay (1) notify Customer of the Security Incident and provide Customer with detailed information about the Security Incident; (2) investigate the cause of the Security Incident; and (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

 

Notification(s) of Security Incidents will be delivered to one or more of Customer’s administrators by any means the Corda Network Foundation selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on each applicable Service portal. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident, but the Corda Network Foundation shall give Customer such assistance as Customer reasonably requests and the Corda Network Foundation is reasonably able to provide in relation to the performance of any such third party notification obligations which arise as a result of a breach by the Corda Network Foundation of this Addendum.

 

The Corda Network Foundation’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by the Corda Network Foundation of any fault or liability with respect to the Security Incident.

 

Customer must notify the Corda Network Foundation promptly about any possible misuse of its accounts or authentication credentials or any security incident related to a Service.

 

Data Transfers and Location

Customer Personal Data that the Corda Network Foundation processes about the Customer may be transferred to, and stored and processed in, the United States or any other country in which the Corda Network Foundation or its affiliates or sub-contractors (“Subprocessors”) with access to Customer Personal Data operate. Customer appoints the Corda Network Foundation to perform any such transfer of Customer Personal Data to any such country and to store and process Customer Personal Data to provide the Services. All transfers of Customer Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.

 

Data Retention and Deletion

After Customer disables its account and upon expiration of the applicable retention periods, unless the Corda Network Foundation is required to retain Customer Personal Data under European Union or Member State laws, the Corda Network Foundation shall delete Customer Personal Data.

 

Processor Confidentiality Commitment

The Corda Network Foundation will ensure that its personnel engaged in the processing of Customer Personal Data will be obligated to maintain the confidentiality and security of such data, including after their engagement ends.

 

Notice and Controls on use of Subprocessors

The Corda Network Foundation may hire third parties to provide certain limited or ancillary services on its behalf. Customer consents to the engagement of these third parties and the Corda Network Foundation affiliates as Subprocessors. Agreement to these terms constitutes Customer’s prior written consent to the subcontracting by the Corda Network Foundation of the processing of Customer Personal Data to its Subprocessors, if such consent is required. The Corda Network Foundation shall ensure that each Subprocessor is bound by a written contract imposing on the Subprocessor materially the same data privacy and data security obligations as are accepted by the Corda Network Foundation in this Addendum (as applicable to the Subprocessor) or other obligations which similarly meet the requirements of Article 28(3) of the GDPR. A list of third-party Subprocessors can be found in Appendix A.

 

From time to time, the Corda Network Foundation may engage new Subprocessors. The Corda Network Foundation will give Customer notice by updating the corda.network website and providing Customer with a mechanism to obtain notice of that update of any new Subprocessor other than an affiliate of the Corda Network Foundation at least 14 days in advance of providing that Subprocessor with access to Customer Personal Data.

 

If Customer does not approve of a new Subprocessor receiving Customer Personal Data, then Customer may terminate any subscription for the affected Online Service. If the affected Online Service is part of a suite (or similar single purchase of services), then any termination will apply to the entire suite. To terminate a service, please send a written notice to UatOperations@r3.com and legal@r3.com. All fees paid will be forfeited by Customer. Either party may terminate this Agreement at any time, with or without cause, by providing written notice of termination to the other party.


 

Appendix A. Services

 

Corda Network Foundation Corda Pre-Production Network

Description

 

The Corda Pre-Production Network and related Services are provided by the Corda Network Foundation and enable users to employ a Corda node with a network identity that enables such users to transact, for demonstration purposes, with other Corda nodes on Corda Pre-Production Network. Each includes a provisioning service that has a web application interface which allows a user to sign up with an account and use multiple node identities. The Corda Pre-Production Network also facilitates access to a doorman service, a network map service and a notary service.

 

Customer Personal Data concerns the following categories:

•   Customer full name and email address

Processing operations

The following sub-processors will be used to store information relating to such support Services:

Sub-Processor      Purpose                                   Applicable Data Protection

Microsoft Azure    Hosted database for customer directory    EU - US Privacy Shield


 

Appendix B – Minimum Technical and Organizational Measures for Processor Services

Organizational Security Controls

The Corda Network Foundation will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described below ("Security Measures"). The Security Measures include governance around access to systems storing Customer Personal Data, measures to help restore timely access to personal data following an incident, and regular testing of effectiveness. The Corda Network Foundation will maintain such personal data according to the control framework defined by the Corda Network Foundation’s information security management framework.

Security Compliance

The Corda Network Foundation will take appropriate steps to ensure compliance with Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Data Incidents

If the Corda Network Foundation becomes aware of any data incidents, the Corda Network Foundation will follow steps outlined above in the security incident identification section.

Security Responsibility

The Corda Network Foundation’s information security manager is responsible for ensuring that any technical solutions to the protection of personal data meet the requirements of the controller, the information owner and applicable regulation.

The Corda Network Foundation has no obligation to protect Customer Personal Data outside of what is collected via website unless otherwise agreed upon with Customer.

Technical Security Controls

Access Policy

The Corda Network Foundation’s internal access control processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. The Corda Network Foundation’s information security manager ensures only authorized users have access to personal data and all users are allocated unique user IDs for access to systems processing personal information.

Data

Production systems containing personal information will be logically segregated from development systems. Appropriate authentication schemes will be maintained for systems processing personal information. Systems processing personal data will adequately protect that information at rest and in transit. Personal Data will be deleted in accordance with the Data Retention and Deletion section above.

Subprocessor Security

The Corda Network Foundation reviews security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide.