Minimum Data Processing Agreement

This Data Processing Agreement (“DPA”) forms Part C of the Minimum Terms and Conditions, between Minimum Limited (“Minimum”, “Supplier”, “Service Provider” or “Processor”) and Customer (or “Controller”) unless Customer has entered into a separate written services agreement with Minimum, in which case this DPA forms part of such written agreement, in either case, the “Agreement.” This DPA is effective as of the date the Agreement was signed by both parties (“Effective Date”).

1.   DEFINITIONS

The following definitions and rules of interpretation apply to this DPA. Capitalised terms used in this DPA and not otherwise defined in the Agreement shall have the meaning given to them in the Data Protection Legislation.

1.1.

“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and its implementing regulations.

1.2.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

1.3.

“Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.

1.4.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.5.

“Data Subject Request” means a request from a Data Subject to access, correct, amend, transfer, or delete that Data Subject's Personal Data consistent with their rights under the Data Protection Legislation.

1.6.

“Customer Personal Data” means the Personal Data described under Annex I to this DPA. This DPA applies to Minimum’s Processing of Customer Personal Data, which is Customer provided data that (i) constitutes Personal Data, and (ii) is electronic data and information submitted by or for Customer to the Services.

1.7.

“Personal Data” means any information relating to an identified or identifiable natural person as defined under Data Protection Legislation that Customer provides or makes available to Minimum as part of the Services.

1.8.

“Processing” or “Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.9.

“Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.

1.10.

“Security Incident” means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data being Processed by Minimum. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.

1.11.

“Services” means the services provided by Minimum as specified in the ordering document and Agreement executed by the parties.

1.12.

“Standard Contractual Clauses” means, as applicable, (i) the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj; or (ii) the International Data Transfer Addendum to the EU Standard Contractual Clauses adopted by the UK Information Commissioner’s Office effective March 21, 2022.

1.13.

“Subprocessor” means any natural or legal person, public authority, agency, or other body which Processes Customer Personal Data on behalf of a data Controller or a data Processor.

1.14.

“UK Addendum” means the UK Addendum to the EU Standard Contractual Clauses.

1.15.

“US State Privacy Laws” means all state laws relating to the protection and Processing of Personal Data in effect in the United States, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), and the Virginia Consumer Data Protection Act (“VCDPA”).

2.   ROLE, SCOPE AND DETAILS OF PROCESSING

2.1.

Relationship. Minimum and Customer acknowledge and agree that for the purposes of the Data Protection Legislation, the Customer is the Data Controller and Minimum is the Data Processor of the Customer Personal Data.

2.2.

Details of Processing. The subject-matter of Processing of Customer Personal Data by Minimum is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Annex I to this DPA.

2.3.

Compliance. Each party will comply with its obligations under applicable Data Protection Legislation with respect to its Processing of Customer Personal Data.

2.4.

Minimum’s Processing obligations. To the extent that Minimum processes any Customer Personal Data on behalf of the Customer in connection with the Services, Minimum shall:

2.4.1.

only Process such Customer Personal Data in accordance with the purposes set out in this Agreement and notify Customer immediately if in its opinion the Customer’s instructions infringe applicable law;

2.4.2.

provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer’s expense only if such reasonable cooperation will require Minimum to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with applicable Data Protection Legislation;

2.4.3.

provide reasonable and timely assistance to Customer in complying with Customer's data protection obligations with respect to Data Subject Requests under applicable Data Protection Legislation. Minimum shall not respond to a Data Subject Request itself, except that Customer authorizes Minimum to redirect the Data Subject Request as necessary to allow Customer to respond directly;

2.4.4.

ensure that access to any Customer Personal Data is restricted to those of its personnel who need to have access in order to perform the Services and who are subject to confidentiality obligations in respect of the Customer Personal Data; and

2.4.5.

ensure that it has implemented appropriate technical and organisational measures, taking into account the nature of Processing and the information available to Minimum, including the measures set forth in Annex II of this DPA, without prejudice to Minimum’s right to make future replacements or updates to the measures that do not lower the level of protection of Customer Personal Data.

2.5.

Customer’s Processing obligations. Customer shall ensure that:

2.5.1.

its instructions comply with applicable Data Protection Legislation, and that Minimum’s processing of Customer Personal Data, when done in accordance with Customer’s instructions, will not cause Minimum to violate any applicable Data Protection Legislation.

2.5.2.

it has all necessary rights in relation to the Customer Personal Data and/or has collected all necessary consents from Data Subjects to Process Customer Personal Data to the extent required by applicable Data Protection Legislation.

3.   SUB-PROCESSORS

3.1.

Customer acknowledges and agrees that Minimum may engage sub-processors to Process any of the Customer Personal Data on Customer’s behalf in connection with the provision of Services. By agreeing to this DPA, Customer provides general written authorization to Minimum to engage the Sub-Processors listed in Annex I(C) of this DPA.

3.2.

The Supplier shall ensure that such Sub-processor is subject to a written agreement which imposes on it binding contractual obligations which are equivalent to the terms imposed on the Supplier under this DPA to the extent applicable to the nature of the services provided by the Sub-processor.

3.3.

When any new Sub-processor is engaged, Minimum shall notify Customer of the engagement at least ten (10) calendar days before the new Subprocessor Processes any Customer Personal Data, except that if Minimum reasonably believes engaging a new Sub-processor on an expedited basis is necessary to protect the confidentiality, integrity or availability of the Customer Personal Data or avoid material disruption to the Services, Minimum will give such notice as soon as reasonably practicable. If, within five (5) calendar days after such notice, Customer notifies Minimum in writing that Customer objects to Minimum’s appointment of a new Sub-processor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and Minimum will use reasonable efforts to make available a change in the Services or Customer’s use of the Services to avoid Processing of Customer Personal Data by the new Sub-processor objected to by Customer. If Minimum is unable to make available such change within a reasonable time, and if the parties are not able to mutually agree to a resolution of such concerns, either party may terminate this Agreement. Customer is deemed to consent to the new Sub-processor if Customer does not timely object to the new Sub-processor.

3.4.

Minimum remains liable for its Sub-processors’ acts and omissions from or related to this DPA to the same extent Minimum is liable for its own, consistent with the limitations of liability set forth in the Agreement.

4.   SECURITY INCIDENTS

4.1.

Upon becoming aware of a confirmed Security Incident, Minimum will notify Customer without undue delay, and in no event later than seventy-two (72) hours after Minimum’s discovery of a Security Incident impacting Customer Personal Data, unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of Minimum’s legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay.

4.2.

Such notice will describe, to the extent possible, details of the Security Incident based on Minimum’s then-current assessment, including steps taken to mitigate the potential risks and steps Minimum recommends Customer take to address the Security Incident.

4.3.

Without prejudice to Minimum’s obligations under this section, Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Security Incidents. Minimum’s notification of or response to a Security Incident will not be construed as an acknowledgement by Minimum of any fault or liability with respect to the Security Incident.

5.   CROSS-BORDER DATA TRANSFERS

5.1.

Data processing location. Customer acknowledges that in order for Minimum to provide customers with service level continuity and to optimize both organization and management of the quality of its products and services, Minimum reserves the right to have Customer Personal Data transferred and processed anywhere else in the world where Minimum’s Sub-processors maintain data processing operations. For the transfers of Customer Personal Data to a sub-processor located in a third country which does not provide adequate protection for Personal Data, Minimum and the applicable sub-processor have entered into the Standard Contractual Clauses (as applicable) in order to provide appropriate safeguards for the transfer of such Customer Personal Data in accordance with the European, UK and Swiss Data Protection Laws. Where Customer is located in the EEA, UK and/or Switzerland and transfers Customer Personal Data to Minimum's relevant sub-processors located in non-adequacy approved third countries, sections 5.2, 5.3 and 5.4 of this DPA shall apply, as applicable.

5.2.

EEA Data transfers. To the extent that Minimum’s sub-processor is a recipient of Customer Personal Data protected by GDPR in a country outside of EEA that is not recognized as providing an adequate level of protection (as described in applicable Data Protection Legislation), the parties agree to abide by and process such Customer Personal Data in compliance with the Standard Contractual Clauses, which shall be incorporated into and form an integral part of this DPA as follows:

5.2.1.

the Module Two (Controller to Processor) terms apply to the extent the Customer is a Controller of Customer Personal Data and the Module Three (Processor to Sub-processor) terms apply to the extent the Customer is a Processor of Customer Personal Data;

5.2.2.

in Clause 7, the optional docking clause does not apply;

5.2.3.

in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with the ‘Sub-Processors’ section of this DPA;

5.2.4.

in Clause 11, the optional language is deleted;

5.2.5.

in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be the laws and courts of the Republic of Ireland;

5.2.6.

the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and

5.2.7.

the supervisory authority that will act as competent supervisory authority will be the Irish Data Protection Commissioner.

5.3.

UK Data Transfers. With respect to transfers to Minimum’s sub-processors to which the UK Data Protection Laws apply, the SCCs shall apply and shall be deemed amended as specified by the UK Addendum. The UK Addendum shall be deemed executed by the parties and incorporated into and form an integral part of this DPA as follows:

5.3.1.

The “exporter” is the Customer, and the exporter’s contact information is set forth in Annex I(A) below;

5.3.2.

The “importer” is Minimum, and Minimum’s contact information is set forth in Annex I(A) below;

5.3.3.

The UK Information Commissioner is the exclusive Supervisory Authority for the transfers of UK Personal Data under this Agreement;

5.3.4.

Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out in Annexes of the relevant SCCs; and

5.3.5.

Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party".

5.4.

Swiss Data Transfers. With respect to transfers to Minimum’s sub-processors to which the Swiss DPA applies, the SCCs shall apply in accordance with Section 5.2 with the following modifications:

5.4.1.

References to “Member State” in the 2021 Standard Contractual Clauses refer to Switzerland, and data subjects may exercise and enforce their rights under the 2021 Standard Contractual Clauses in Switzerland;

5.4.2.

References to GDPR in the 2021 Standard Contractual Clauses refer to the Swiss Federal Act on Data Protection (as amended and replaced);

5.4.3.

Under Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commission to the extent that the transfer is governed by the Swiss Federal Act on Data Protection;

5.4.4.

Clause 17 shall be replaced to state "The Clauses are governed by the laws of Switzerland"; and

5.4.5.

Clause 18 shall be replaced to state "Any dispute arising from these Clauses shall be resolved by the applicable courts of Switzerland. The parties agree to submit themselves to the jurisdiction of such courts".

6.   PROCESSING SUBJECT TO U.S. STATE PRIVACY LAWS

6.1.

This Section 6 applies to the extent that the Processing is subject to the Data Protection Legislations of the U.S. states that have enacted Consumer Privacy Bills (“U.S. State Privacy Laws”). Minimum will Process Customer Personal Data solely (i) to fulfill its obligations to Customer under the Agreement, including this DPA, (ii) on Customer’s behalf and (iii) in compliance with U.S. State Privacy Laws.

6.2.

Minimum will:

6.2.1.

not retain, use or disclose the Customer Personal Data outside of the direct business relationship between Customer and Minimum;

6.2.2.

not “sell” or “share” any Customer Personal Data, as such terms are defined in applicable U.S. State Privacy Laws, to any third party;

6.2.3.

not attempt to re-identify any pseudonymized, anonymized, aggregate or de-identified Customer Personal Data without Customer’s express written permission;

6.2.4.

not combine Customer Personal Data with other Personal Data received or collected from or on behalf of other legal or natural persons for a purpose outside of the “business purpose” as that term is defined in the US State Privacy Laws;

6.2.5.

provide the same level of protection for the Customer Personal Data as is required under the U.S. State Privacy Laws applicable to Customer;

6.2.6.

not otherwise engage in any Processing of the Customer Personal Data that is prohibited or not permitted by “processors” or “service providers” under U.S. State Privacy Laws; and

6.2.7.

promptly notify Customer if Minimum determines that it (i) can no longer meet its obligations under this DPA or U.S. State Privacy Laws; or (ii) has breached this DPA, and shall cooperate to remediate such breach.

7.   AUDITS AND COMPLIANCE VERIFICATION

7.1.

Audit rights. Minimum shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA with respect to Customer Personal Data (“Audit”). Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including this Section 7.1 and where applicable, the SCCs) and any audit rights granted by applicable Data Protection Legislation, by instructing Minimum to comply with the audit measures described in Sections 7.2 and 7.3 below.

7.2.

Security reports. Customer acknowledges that Minimum is regularly audited against industry leading standards by independent third party auditors. Upon written request, Minimum shall supply (on a confidential basis) a summary copy of its most current audit report(s) (“Report”) to Customer, so that Customer can verify Minimum’s compliance with the audit standards against which it has been assessed and this DPA.

7.3.

Security due diligence. To the extent that Minimum’s provision of a Report does not provide sufficient information for Customer to verify Minimum’s compliance with this DPA or Customer is required to respond to a regulatory authority audit, Customer agrees, to the extent possible, to audit Minimum’s compliance with its obligations under this DPA through reasonable requests for information, including documentation, data, and records (“Records”) and/or responses to security and audit questionnaires, not more than once during any consecutive 12 month period. Minimum will provide written responses to the extent the requested information is necessary to confirm Minimum’s compliance with this DPA. Any information provided by Minimum under this section constitutes Minimum’s confidential information under the Agreement.

7.4.

Limitations. For the avoidance of doubt, this provision does not grant Customer any right to conduct an on-site audit of Minimum’s premises. Customer shall reimburse Minimum for any time expended for an Audit at a mutually agreeable reimbursement rate. Nothing herein will require Minimum to disclose or make available: (a) any data of any other customer of Minimum; (b) access to systems; (c) Minimum’s internal accounting or financial information; (d) any trade secret of Minimum; (e) any information or access that, in Minimum’s reasonable opinion, could (i) compromise the security of Minimum’s systems or premises; or (ii) cause Minimum to breach its obligations under applicable law or applicable contracts. If any material non-compliance is identified by an Audit, Minimum shall take prompt action to correct such non-compliance.

8.   RETURN AND DELETION. Upon termination or expiry of the Agreement, or on reasonable request from the Customer, Minimum shall, at the choice of Customer, return or delete all such Customer Personal Data in accordance with its requirements under applicable Data Protection Legislation, unless applicable law prevents Minimum from returning or deleting all or part of the Customer Personal Data. In such a case, Minimum agrees to preserve the confidentiality of the Customer Personal Data retained by it and that it will only Process such Customer Personal Data in order to comply with applicable law. Notwithstanding the foregoing, this provision will not require Minimum to delete Customer Personal Data from archival and back-up files except as provided by Minimum’s internal data deletion practices or as required by applicable law. For avoidance of doubt, Minimum may continue to Process Customer Personal Data that has been anonymized or aggregated in a manner that does not identify individuals.

9.   MISCELLANEOUS

9.1.

Conflict: In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (i) the applicable terms in the Standard Contractual Clauses, (ii) the terms of this DPA; and (iii) the Agreement.

9.2.

Limitation of Liability: Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.

ANNEX I

A.     LIST OF PARTIES

Data exporter(s):

Name: Customer
Address: As specified in the Agreement.
Contact person’s name, position, and contact details: As specified in the Agreement.
Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.
Signature and accession date: As specified in the Agreement.
Role: Controller.

Data importer(s):

Name: Minimum Ltd
Address: 10 Monkwell Square, London, England, EC2Y 5BN
Contact person’s name, position, and contact details: Charlie Bridge, VP Operations, charlieb@minimum.com
Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.
Signature and accession date: As specified in the Agreement.
Role: Processor.

B.     DESCRIPTION OF DATA PROCESSING

Categories of data subjects: The Customer may submit or generate Customer Personal Data to Minimum through its use of the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to the following categories of data subjects: employees and contractors of the Customer.

Categories of personal data transferred: The Customer may submit or generate Customer Personal Data to the Supplier through its use of the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data: first name, last name, email address, country, profession.  

Sensitive data transferred: n/a.

Frequency of the transfer: continuous.

Nature and purpose of the processing: Minimum will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement. This may include operations such as collecting, recording, organising, storing, use, alteration, disclosure, transmission, combining, retrieval, consultation, archiving and/or destruction of Personal Data contained within the Customer Data.

Duration of the processing:  Minimum will Process Customer Personal Data for the duration of the Agreement.

C.     SUB-PROCESSORS: Minimum’s current Sub-processors are listed below:

| Subprocessor | Purpose of Processing | Location of Processing |
| --- | --- | --- |
| Amazon Web Services (AWS) | Infrastructure hosting | United Kingdom |
| Auth0 | Authentication services | Germany |
| Sendgrid (owned by Twilio) | Email service provider for user messaging | United States |
| Explo | Dashboarding and reporting | United States |

D.     COMPETENT SUPERVISORY AUTHORITY: as set out in Section 5 of this DPA.

ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Organizational Security Measures
Security Management

Security Governance: Minimum has a dedicated team with regular involvement from senior leadership to oversee information security. Responsibilities of the team include defining policies, enforcing security practices, and monitoring overall security.

Risk Management: A structured program for ongoing identification, measurement, and management of IT-related risks is in place and overseen by relevant personnel and senior leadership.

Roles and Responsibilities: Responsibilities for processing personal data are clearly defined in line with security policies.

Resource/Asset Management: Minimum maintains registers of assets and resources used for personal data processing, including hardware, software, and network. Designated personnel are responsible for maintaining and updating the registers.

Incident Response and Business Continuity

Incident Handling/Personal Data Breaches:

Incident procedures are in place to ensure effective responses to security incidents, including those involving personal data.

Minimum promptly reports any security incident leading to the loss, misuse, or unauthorized access to personal data to affected data controller(s).

Business Continuity: Minimum has established procedures and controls to ensure the required level of service continuity and availability for processing personal data in case of an incident or data breach.

Multiple Availability Zones to provide improved redundancy and fault tolerance.

Periodic Disaster Recovery and/or Business Continuity exercises are conducted.

Human Resource Security

Verification: Minimum verifies and validates all candidates prior to hiring, including background checks, to assess their suitability and manage risk.

Policy Compliance: Minimum ensures that all employees understand their responsibilities and obligations regarding personal data processing and compliance with security policies.

Onboarding and Offboarding: Minimum maintains clear procedures for management of access rights for new joiners and during termination. Processes are also defined for transferring rights and responsibilities during internal reorganizations or other changes in employment.

Training: Minimum trains employees about security controls and requirements relevant to their work. Employees are regularly educated on data protection requirements and legal obligations through awareness campaigns and recurring training on general security topics.

Technical Security Measures
Access Control and Authentication

Least Privilege: Access control rights are specifically assigned to roles involved in personal data processing, following the principle of least privilege. Access is granted following the “need-to-know” principle to limit access to personal data to those who require it. Periodic reviews of all access levels are conducted.

Authentication: An access control system applicable to all service users is implemented, allowing for user account creation, approval, review, and deletion. Multi-factor authentication (MFA) is enforced where possible.

Unique Accounts: The use of common user accounts is prohibited, and if necessary, users with common accounts have the same roles and responsibilities.

Passwords: Where passwords are used, they are required to be at least 12 characters long, meet strong password control parameters (length, complexity, non-repeatability), and are never transmitted over the network unprotected.

Logging and Monitoring

Log Creation: Log files are enabled for systems and applications used in personal data processing, tracking data access (view, modification, deletion) and other security and system events.

Log Monitoring: Minimum has implemented comprehensive logging and monitoring mechanisms to track data access and system activities. Minimum personnel also perform periodic reviews and analysis of logs to identify and mitigate security incidents and anomalies.

Data Protection and Security

Data Protection: Database(s) and application servers run in separate environments and separate systems to ensure data protection. Personal data is only processed as required to fulfill the service’s intended purpose.

Data Access Controls: Database access is highly restricted to database administrators and only granted on a need-to-know basis.

Data Disposal: Stored personal data is only stored in cloud storage where secure deletion assurance is provided by the cloud hosting provider. Policies are in place prohibiting the storage of personal data on paper or local drives to prevent data loss through these methods.

Data Encryption: Stored data is encrypted at rest using AES-256. When accessed through the Internet, communication is encrypted using TLS 1.2 or better.

Backup Security: Minimum manages a backup/snapshot service running a point in time restoration within 30 days, which is tested periodically. Backup and data restore procedures are defined, documented, and linked to specific roles and responsibilities.

Secure System Architecture

Perimeter Controls: Network traffic to and from the Minimum service is monitored and controlled using firewalls and/or security groups and other network security technologies. A Web-Application Firewall (WAF) is used to monitor web traffic and help prevent abuses.

Network Segmentation: The production service environment is divided into multiple zones and VPCs depending on the security requirements of individual services.

Application and System Lifecycle

Secure SDLC: Minimum adheres to a structured Software Development Lifecycle (SDLC) throughout its software and system development practices. Security is integrated throughout the phases of the development lifecycle.

Change Management: Minimum ensures that service platform changes are recorded and monitored by designated personnel, subjected to appropriate testing, and approved prior to release.

Vulnerability Management: Software, system components, and 3rd party dependencies are subjected to regular reviews to proactively identify and track potential security vulnerabilities, which are then tracked until addressed.

Security Testing: System components are subjected to periodic and ongoing security testing, including penetration tests, security scans, and code analysis. Findings are tracked until addressed.

Physical and Environmental Security

Data Centers: Minimum hosts all Customer Data in Amazon Web Services (AWS). Minimum regularly reviews AWS’s physical and environmental controls for relevant data centers, as audited by Amazon’s third-party auditors. Such controls include, but are not limited to:

Physical access to the facilities is controlled at the building ingress points;

Visitors are required to present ID and sign in;

Physical access to servers is managed by access control devices;

Physical access privileges are reviewed regularly;

Facilities utilize monitor and alarm procedures;

Fire detection and protection systems;

Power back-up and redundancy systems; and

Climate control systems.