Loxo Data Protection Addendum
2026-06-23
This Data Protection Addendum (“DPA”) is part of the underlying agreement between Loxo Holdings, Inc. (“Loxo”) and Customer for Loxo’s provision of Services (each, the “Agreement”). In the event of any conflict between the terms of this DPA and the other terms of this Agreement, this DPA will govern. Capitalized terms used but not defined herein shall have the meaning given such terms in the Agreement.
1. Definitions:
a. “Applicable Law” means all privacy and security laws, regulations and other legal requirements applicable to either (i) Loxo as provider of the Services or (ii) Customer as user of the Services. For example, to the extent applicable, this includes the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); equivalent requirements in the United Kingdom including the Data Protection Act 2018 and the UK General Data Protection Regulation (“UK Data Protection Law”); the Swiss Federal Act on Data Protection (“Swiss FADP”); the California Consumer Privacy Act, as amended by the California Privacy Rights Act and together with associated regulations (“CCPA”); as well as U.S. state laws similar to the CCPA (together with the CCPA, as they become effective, the “U.S. State Privacy Laws”).
b. “Customer Data” has the meaning given such term in the Agreement; provided, that for purposes of this DPA, “Customer Data” does not include data about the Customer personnel involved in administering Customer’s relationship with Loxo when Loxo receives and Processes such data in that context, such as the email address of Customer’s accounts payable contact when Processed in the context of invoicing for Loxo’s Services.
c. “Designated Contact Address” means Customer’s email address for legal notices set forth in the Agreement.
d. “Personal Data” means any information relating to an identified or identifiable individual, within the meaning of the GDPR (regardless of whether the GDPR applies), any information that qualifies as “personal information” under the CCPA (regardless of whether the CCPA applies) and any other information defined as “personal information,” “personal data,” or an analogous term in Applicable Law.
e. “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, disclosure or other Processing of, or access to, Personal Data.
f. “Process” and “Processing” mean any operation or set of operations performed on data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
g. “Standard Contractual Clauses” refers to the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below.
h. “Subprocessor” means a subcontractor engaged by Loxo for the Processing of Personal Data.
i. “UK SCC Addendum” means the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of 12 April 2023 at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as described in the “Data Transfers” section below.
2. Confidentiality and Training.
Loxo will ensure that the persons Loxo authorizes to Process the Personal Data are contractually required to maintain the confidentiality of such data.
a. This DPA applies to all Personal Data in Customer Data.
b. Unless required by Applicable Law, Loxo will Process the Personal Data only to (i) provide and ensure the proper operation the Services; and (ii) carry out Customer’s reasonable written instructions that are consistent with this Agreement. Without limiting the foregoing, Loxo:
i. shall not “sell” the Personal Data, as such term is defined in the U.S. State Privacy Laws (regardless of whether such laws apply);
ii. shall not “share” the Personal Data, as such term is defined in the CCPA (regardless of whether the CCPA applies) or otherwise disclose it for targeted advertising purposes;
iii. shall not retain, use, or disclose any such data outside of the direct business relationship between Customer and Loxo, or for any purpose (including any commercial purpose) other than the limited business purposes specified in this DPA;
iv. shall comply with any applicable restrictions under Applicable Law on combining the Personal Data that Loxo receives from, or on behalf of, Customer with personal data that Loxo receives from, or on behalf of, another person or persons, or that Loxo collects from any other interaction between Loxo and a data subject;
v. shall provide the same level of protection for the Personal Data subject to the CCPA as is required under the CCPA; and
vi. hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.
c. If Applicable Law requires Loxo to engage in Processing not permitted by the above, Loxo will first inform Customer of the relevant legal requirement unless Applicable Law prohibits such notification. Loxo will notify Customer as soon as legally permissible if, for any other reason, Loxo determines that Loxo can no longer meet its obligations under Applicable Law.
d. Nothing in this DPA shall be construed to prohibit Loxo from lawfully using information about Customer’s use of the Services to improve the Services (for example, observation of which of two Loxo algorithms is more accurate or efficient) so long as the output of such process (a) cannot, directly or indirectly, identify, be traced back to or otherwise be associated with Customer or any individual; (b) does not, and cannot be reverse-engineered to, contain or constitute Personal Data; and (c) does not, and cannot be reverse-engineered to, contain or constitute any Confidential Information of Customer.
e. Customer has the right to take reasonable and appropriate steps to (a) ensure that Loxo is using the Personal Data consistent with Customer’s obligations under Applicable Law, and (b) stop and remediate unauthorized use of the Personal Data.
f. Customer is responsible for providing any legally required notices to the individual, obtaining any legally required consents from the individual, and taking any other steps required by Applicable Law, to enable Customer to lawfully use the Services.
g. For the Personal Data, Customer is the “Controller” and Loxo is Customer’s “Processor” as such terms are defined in the U.S. State Privacy Laws and in the GDPR, and, to the extent the CCPA applies, Customer is the “business” and Loxo is Customer’s “service provider” as such terms are defined in the CCPA.
3. Confidentiality and Training.
Loxo will ensure that the persons Loxo authorizes to Process the Personal Data are contractually required to maintain the confidentiality of such data.
4. Security
Loxo will comply with its security obligations under Applicable Law. Loxo will assist Customer in Customer’s compliance with such obligations by implementing the measures set forth in Schedule B.
5. Subprocessors.
a. Loxo may subcontract the collection or other Processing of Personal Data (i) only in compliance with Applicable Law regarding subprocessing, (ii) only with Customer’s consent and (iii) only if Loxo has imposed contractual obligations on the Subprocessor that are substantially the same as, or more restrictive than, those imposed on Loxo under this DPA.
b. Current Subprocessors are listed at https://www.loxo.co/legal/subprocessors. When any new Subprocessor is engaged, Loxo will notify Customer by email to the Designated Address (“Subprocessor Notification”) at least 14 days prior to giving the Subprocessor access to the Personal Data (the “Subprocessor Notification Period”).
c. If Customer has any reasonable objection to the new Subprocessor, Customer has 10 days from the date of the Subprocessor Notification to email Loxo at support@loxo.co explaining in reasonable detail the basis of the objection and (if Customer desires) Customer’s intent to terminate Customer’s subscription to the Service if it is not resolved to Customer’s satisfaction by the end of the Subprocessor Notification Period. Loxo will give prompt attention to this objection, and, if Customer’s objection indicated an intent to terminate, and Customer and does not withdraw the termination notice in writing to support@loxo.co by the end of that period, the termination will take effect at that time. Customer is deemed to consent to the new Subprocessor if Customer does not terminate the subscription as set forth above.
d. Loxo remains liable for its Subprocessors’ acts and omissions to the same extent Loxo is liable for its own.
6. Assistance Responding to Individuals’ Requests to Exercise Rights.
a. If Loxo receives a request from an individual or their representative to exercise Personal Data-related rights under Applicable Law (a “Data Subject Request”), such as rights to access, correct, or delete their Personal Data, or a Personal Data-related complaint from an individual or their representative, and the communication identifies Customer, Loxo will forward the communication to Customer at the Designated Address:
i. as soon as commercially practicable; but
ii. no later than within 5 days of receipt if the communication arrives via ops@loxo.co or any other contact method specified in Loxo’s then-current publicly available Privacy Policy.
b. Customer will be responsible for lawfully addressing the Data Subject Request, and Loxo will provide prompt, reasonable cooperation to Customer, taking into account the nature of the Services and the information available to Loxo.
7. Personal Data Breach Notification.
a. Loxo will comply with the Personal Data Breach-related obligations applicable to it under Applicable Law. Loxo will assist Customer in complying with those applicable to Customer by informing Customer of a confirmed Personal Data Breach without undue delay and in any event within 72 hours of becoming aware and by otherwise complying with this “Personal Data Breach Notification” section of the DPA.
b. Loxo will provide such notification to Customer at the Designated Address.
c. Such notification is not an acknowledgement of fault or responsibility. The notification will include Loxo’s then-current assessment of the following:
i. The nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
ii. The likely consequences of the Personal Data Breach; and
iii. Measures taken or proposed to be taken by Loxo to address the Personal Data Breach including, where applicable, measures to mitigate its possible adverse effects.
8. Assistance with DPIAs and Consultation with Supervisory Authorities.
Loxo will provide reasonable assistance to and cooperation with Customer, taking into account the nature of the Services and information available to Loxo for (i) Customer’s performance of any data protection impact assessment of the Processing or proposed Processing of the Personal Data involving Loxo, and (ii) related consultation with supervisory authorities.
9. Data Return and Destruction.
Loxo shall destroy all Personal Data within 90 days after the termination of this Agreement except to the extent Applicable Law requires storage of the Personal Data .
10. Compliance Verification and Audits
a. Loxo will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to reasonable audits of such compliance, including inspections.
b. If the requested audit scope is addressed in a SOC 2 report, or other audit report issued by a third-party auditor, within the prior twelve months and Loxo provides such report to Customer and confirms in writing that there are no known material changes in the controls audited, Customer will accept the findings presented in the report in lieu of requesting an audit of the same controls covered by the report.
c. Such reports and any other information that Customer obtains under this Compliance Verification and Audits section (other than Customer Data) is confidential information of Loxo, and Customer can use such material solely to assess Loxo’s compliance with its contractual obligations to Customer and to address any related legal matters.
11. Data Transfers.
a. Customer authorizes Loxo to make international transfers of the Personal Data only if (i) Applicable Law for such transfers is respected and (ii) the transfer is otherwise permitted by this DPA.
b. To the extent legally required, the Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and, except as set forth in the following sections, they will be deemed completed as follows:
i. Customer, the exporter, acts as a controller and Loxo, the importer, acts as Customer’s processor with respect to the Personal Data subject to the Standard Contractual Clauses, and its Module 2 and/or Module 3 applies. Their contact information is set forth in Schedule A.
ii. Clause 7 (the optional docking clause) shall not apply.
iii. Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of sub-processors is set forth at https://www.loxo.co/legal/subprocessors, and Loxo shall update that list at least 14 days in advance of any intended additions or replacements of sub-processors.
iv. Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
v. Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of the Republic of Ireland.
vi. Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of the Republic of Ireland.
vii. Annexes I and II of the Standard Contractual Clauses are set forth in Schedule A of the DPA.
viii. Annex III of the Standard Contractual Clauses (List of subprocessors) is inapplicable.
c. With respect to Personal Data for which UK Data Protection Law governs the transfer, to the extent legally required, the UK SCC Addendum forms part of this DPA and takes precedence over the rest of this DPA to the extent of any conflict and shall be deemed completed as follows (with capitalized terms not defined elsewhere having the definition set forth in the UK SCC Addendum):
i. Table 1 of the UK SCC Addendum: The Parties, their details, and their contacts are those set forth in Schedule A.
ii. Table 2 of the UK SCC Addendum: the “Approved EU Standard Contractual Clauses” shall be the Standard Contractual Clauses as set forth above.
iii. Table 3 of the UK SCC Addendum: Annexes I(A), I(B), and II are in Schedule A of the DPA, and Annex III is at https://www.loxo.co/legal/subprocessors.
1. Table 4 of the UK SCC Addendum: neither party may exercise the right set forth in Section 19 of the UK SCC Addendum.
d. With respect to Personal Data for which the Swiss FADP governs the transfer, the Standard Contractual Clauses shall be deemed to have the following differences to the extent required by the Swiss FADP:
i. References to the GDPR in the Standard Contractual Clauses are to be understood as references to the Swiss FADP insofar as the data transfers are subject exclusively to the Swiss FADP and not to the GDPR.
ii. The term “member state” in Standard Contractual Clauses shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses.
iii. Under Annex I(C) of the Standard Contractual Clauses (Competent supervisory authority):
iv. Where the transfer is subject exclusively to the Swiss FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
v. Where the transfer is subject to both the Swiss FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the Swiss FADP, and the supervisory authority is as set forth in the Standard Contractual Clauses insofar as the transfer is governed by the GDPR.
12. Liability.
Each party’s liability under this DPA is subject to the limitations of liability set forth in the Agreement.
13. Survival.
This DPA survives termination of this Agreement for so long as Loxo continues to Process the Personal Data.
Schedule A to DPA
Annexes I and II of the Standard Contractual Clauses
ANNEX I
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
1. Name: Customer, as specified in the Agreement.
Address: as specified in the Agreement
Contact person’s name, position and contact details: as set forth in the Agreement
Activities relevant to the data transferred under these Clauses: Use of the importer’s Services.
Signature and date: The Parties are deemed to have signed this Annex I by signing the Agreement.
Role (controller/processor): For the purposes of SCC Module 2 Customer is a Controller. For the purposes of SCC Module 3 Customer is a Processor.
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
1. Name: Loxo Holdings, Inc.
Address: 2121 Lohmans Crossing Road, Ste-504 #105, Austin TX, USA
Contact person’s name, position and contact details: Ilia Cheishvili, DPO, ilia@loxo.co
Activities relevant to the data transferred under these Clauses: The importer will provide the Services.
Signature and date: The Parties are deemed to have signed this Annex I by signing the Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
• Prospects, customers, business partners and vendors of Customer (who are natural persons)
• Employees or contact persons of Customer’s prospects, customers, business partners and vendors
• Employees, agents, advisors, freelancers of Customer (who are natural persons)
• Customer’s Users authorized by Customer to use the Services
Categories of personal data transferred: Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
• First and last name
• Title
• Position
• Employer
• Contact information (company, email, phone, physical business address)
• ID data
• Professional life data
• Personal life data
• Localization data
• Photograph/profile picture
• Other information including professional and personal data
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Customer may submit special categories of data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The applicable security measures are described under the Security, Privacy and Architecture Documentation applicable to the specific Services purchased by Customer, as updated from time to time, and accessible via https://loxo.co/legal/master-subscription-terms-of-service-agreement/ or as otherwise made reasonably available by Loxo.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous basis depending on the use of the Services by Customer.
Nature of the processing: The nature of the Processing is the performance of the Services pursuant to the Agreement.
Purpose(s) of the data transfer and further processing: Loxo will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Customer in its use of the Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As set forth in the DPA, unless otherwise agreed upon in writing.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Provision of the Services to Customer as set forth in the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
Identify the competent supervisory authority/ies in accordance with Clause 13:
The parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Commission nationale de l’informatique et des libertés (CNIL).
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
See Schedule B immediately below.
Schedule B to DPA
Information Security Addendum
(Also constitutes Annex II to the Standard Contractual Clauses)
1. Overview
This Schedule B describes the technical and organizational measures (“TOMs”) that Loxo Holdings, Inc. (“Loxo”) implements to protect Personal Data processed on behalf of Customer pursuant to the Data Protection Addendum (“DPA”). These measures are maintained on an ongoing basis and subject to periodic review and improvement.
Loxo holds an active SOC 2 Type II certification covering the Security trust services criteria, audited annually. Loxo will provide Customer with a copy of its most recent SOC 2 Type II report upon written request, subject to confidentiality obligations. Where the scope of a requested audit is addressed in Loxo’s most recent SOC 2 Type II report and Loxo confirms in writing that there are no known material changes to the audited controls, Customer agrees to accept that report in lieu of a separate audit of the same controls.
2. Encryption
2.1 Encryption in Transit
All data transmitted between end users and Loxo’s platform is encrypted using TLS (Transport Layer Security). This applies to:
• Web application traffic (HTTPS enforced for all sessions)
• API interactions and data imports/exports
• Email communications (TLS encryption)
• Internal service-to-service communication via API gateways
2.2 Encryption at Rest
Sensitive customer and candidate data stored within Loxo’s environment is encrypted at rest, including:
• Encryption for all datastores
• Block storage encrypted at rest
• Object storage encrypted using server-side encryption
• Portable media and employee endpoint devices encrypted via full-disk encryption
2.3 Network Encryption
Loxo’s infrastructure uses an encrypted overlay network. All remote access to production systems requires an approved encrypted connection.
3. Access Controls
3.1 Authentication
Access to Loxo’s systems requires strong authentication:
• All production system access requires unique usernames and passwords or SSH keys
• Multi-factor authentication (MFA) is required for all remote access to production systems
• Single Sign-On (SSO) is supported via Google, Microsoft, Okta, and SAML providers
• Strong password policies are enforced across all in-scope system components
3.2 Authorization and Least Privilege
Access to data and systems is restricted based on role and business need:
• Role-Based Access Control (RBAC) limits user access to what is necessary for their job function
• Access Control Lists (ACLs) enforce fine-grained permissions on specific resources
• Privileged access to databases, firewalls, operating systems, encryption keys, and production networks is restricted to authorized personnel with a documented business need
• User access to in-scope components requires a documented access request and manager approval prior to provisioning
3.3 Access Lifecycle Management
Loxo maintains formal processes for the full lifecycle of user access:
• New user provisioning requires documented approval
• Access reviews are conducted at least quarterly across all in-scope systems; required changes are tracked to completion
• Termination checklists ensure access is revoked for terminated employees within defined SLAs
• System credentials are removed when access is no longer authorized
4. Physical and Infrastructure Security
Physical access controls at data center facilities are maintained by the applicable subservice organization, each of which holds its own SOC 2 and/or ISO 27001 certifications.
Loxo’s infrastructure includes:
• Multi-region, multi-availability zone deployment to eliminate single points of failure
• Kubernetes-based container orchestration with workload isolation
• Network segmentation via Virtual Private Clouds (VPCs) and security groups
• Redundant network devices (firewalls, load balancers, routers)
• Database replication to maintain multiple copies across zones/domains
5. Network Security
Loxo implements layered network security controls:
• Perimeter and application-layer firewalls (IaaS security groups, network firewalls, and WAF)
• Web Application Firewall (WAF) protecting against XSS, SQL injection, and related attacks
• Intrusion Detection and Prevention Systems (IDS/IPS) providing continuous network monitoring
• Network segmentation to prevent unauthorized lateral movement to customer data
• Firewall rulesets reviewed at least annually; required changes tracked to completion
• Network and system hardening standards documented and reviewed at least annually
6. Vulnerability Management
Loxo operates a formal vulnerability management program:
• Automated vulnerability scanning applied continuously to systems and dependencies
• Host-based vulnerability scans performed at least quarterly on all external-facing systems
• Critical and high vulnerabilities tracked through remediation within defined SLAs
• Penetration testing conducted at least annually by qualified security professionals; findings are remediated according to a documented remediation plan
• Patches applied on a risk-prioritized basis; critical patches applied as soon as practicable
• Pre-deployment testing in segregated staging environments before production release
7. Incident Response
Loxo maintains documented security and privacy incident response policies and procedures communicated to all authorized personnel. Key elements include:
• Incidents are classified by severity (S1 Critical, S2 High, S3/S4 Low/Medium) and triaged accordingly
• A designated Incident Response Team (IRT), led by the CTO or VP of Engineering, manages response and remediation
• Engineers participate in an on-call rotation and respond to alerts in real time
• In the event of a confirmed Personal Data Breach affecting Customer’s Personal Data, Loxo will notify Customer without undue delay, as further described in the DPA
• The incident response plan is tested at least annually
• Post-incident retrospectives are conducted and used to improve controls and detection capabilities
8. Business Continuity and Disaster Recovery
Loxo maintains documented Business Continuity (BC) and Disaster Recovery (DR) plans with the following recovery objectives for Customer Data:
• Recovery Time Objective (RTO): 1 hour for standard component or service failures; in the event of a full-region failure or catastrophic infrastructure loss caused by or at a third-party provider (including loss of cloud object storage), Loxo will use commercially reasonable efforts to restore service as promptly as practicable under the circumstances
• Recovery Point Objective (RPO): ≤15 minutes across all data stores
Additional BC/DR controls include:
• Backups stored in diverse locations and formats, verified for integrity, and tested for recoverability on a periodic basis
• Disaster recovery plan tested at least annually, including tabletop exercises and backup restoration validation
• Automated failover mechanisms across availability zones to minimize downtime
• Replication and infrastructure redundancy maintained at all times
9. Monitoring and Logging
Loxo’s production environment generates comprehensive logs covering user activity, security events, system exceptions, and administrative actions. Log requirements include:
• User login/logout events and create/read/update/delete operations on application objects
• Changes to security settings and administrative access to customer data
• Log entries capture: user ID, IP address, timestamp, action performed, and object affected
• Logs are retained for a minimum of 30 days and do not contain sensitive data payloads
Loxo uses a centralized monitoring stack to:
• Monitor infrastructure health, application performance, and security events in real time
• Generate automated alerts for predefined thresholds and security events
• Support rapid incident detection and root cause analysis
• Protect log data from unauthorized access and tampering
10. Secure Development
Loxo follows a formal Secure Development Life Cycle (SDLC) methodology:
• All code changes require peer review and approval by designated code owners prior to production deployment
• Changes are tested in a segregated staging environment before release to production
• Zero-downtime deployment strategies (blue/green, canary) are used to minimize disruption
• Automated CI/CD pipelines enforce testing and security checks prior to deployment
• Anti-malware technology is deployed and kept current across endpoint and server environments
• Mobile device management (MDM) is applied to devices used to access production systems
11. Personnel Security
Loxo implements personnel security controls to support the integrity of its data handling:
• Background checks are conducted on all new employees prior to hire
• Employees and contractors are required to acknowledge a Code of Conduct and sign confidentiality agreements at onboarding
• Security awareness training is required within 30 days of hire and at least annually thereafter
• Managers are required to complete annual performance evaluations for direct reports
• Disciplinary procedures are in place for violations of security policy
12. Sub-processors
Loxo maintains a formal vendor management program covering critical third-party vendors and sub-processors. The current list of authorized sub-processors is maintained at:
• https://www.loxo.co/legal/subprocessors
Loxo’s vendor management program includes:
• Review of SOC 2 or equivalent reports for critical sub-processors at least annually
• Written agreements with vendors that include confidentiality and privacy commitments
• Ongoing monitoring of sub-processor service levels and security posture
• Customer notification of material changes to sub-processors in accordance with the DPA
13. Compliance and Certifications
Loxo’s security program is aligned with the following frameworks and regulations:
• SOC 2 Type II (Security trust services criteria): annual audit by independent third-party auditor
• NIST Cybersecurity Framework: used to guide risk management practices
• GDPR: appropriate technical and organizational measures implemented for EU personal data processing
• CCPA/CPRA: California consumer privacy rights honored
• PIPEDA, APPI, LGPD, PDPA: additional regional privacy law compliance
• PCI DSS: payment processing handled exclusively through PCI DSS-compliant third-party processors
This Schedule B forms part of, and is incorporated into, the Data Protection Addendum between Loxo Holdings, Inc. and Customer. It also constitutes Annex II (Technical and Organisational Measures) to the Standard Contractual Clauses incorporated into the DPA. Capitalized terms not defined herein have the meanings given in the DPA.
Ready to shape the future?
Your job is placing the best talent in the roles that will define their careers, their lives, and our future. Our job is making it easier for you to do it.