SmartSuite Business Partner Data Processing Agreement
This Data Processing Agreement (DPA), referred to as the “Partner DPA”, is part of the contract(s) between you (“Partner”) and SmartSuite Holdings, Inc. (“SmartSuite”). It regulates the exchange of data between you and SmartSuite, excluding any customer agreements related to the purchase and use of SmartSuite products and services (“Partner Agreement”).
The Partner DPA governs the handling of:
- Personal Data that the Partner provides to SmartSuite in relation to a Partner Agreement.
- Personal Data that SmartSuite or its customers provide to the Partner in relation to the Partner Agreement.
The Partner DPA, including the Standard Contractual Clauses (SCCs), and the Partner Agreement are collectively referred to as the “Agreement”. If there’s a conflict between any terms of the Agreement, the following documents will take precedence in this order: (a) the SCCs, (b) this Partner DPA, and (c) the Partner Agreement.
The purpose of this Partner DPA is to establish guidelines for scenarios where:
- Both SmartSuite and Partner, in relation to the Partner Agreement, may be Controllers of Personal Data and transfer that data to the other party, who will also act as a Controller.
- Both SmartSuite and Partner may be Controllers of Personal Data and transfer that data to the other party, who will provide certain services (e.g., acting as a Solutions Partner or completing an API call) as a Processor.
- Both SmartSuite and Partner may be Processors of a Joint Customer’s Personal Data and transfer such data to the other party for processing as directed by the Joint Customer.
1. Definitions
- “Business” and “Service Provider”: These terms are defined in the California Consumer Privacy Act (CCPA). Their specific definitions depend on the context in which they’re used within the CCPA.
- “California Personal Information”: This refers to any personal data that falls under the protection of the CCPA.
- “CCPA”: This stands for the California Civil Code Sec. 1798.100 et seq., also known as the California Consumer Privacy Act of 2018. It has been amended by the California Privacy Rights Act of 2020 or “CPRA”.
- “Controller”: This is a term used to describe a natural or legal person, public authority, agency, or other body which, either alone or jointly with others, determines the purposes and means of processing personal data.
- “Data Privacy Framework”: This refers to the self-certification programs operated by the U.S. Department of Commerce, including the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework. These may be amended, superseded, or replaced.
- “Data Privacy Framework Principles”: These are the principles and supplemental principles contained in the relevant Data Privacy Framework. They may be amended, superseded, or replaced.
- “Data Protection Laws”: These are all applicable worldwide legislation or regulations relating to data protection and privacy. They apply to the respective party in the role of processing personal data under the Agreement. This includes, but is not limited to, European Data Protection Laws, the CCPA, and the data protection and privacy laws of Australia and Singapore.
- “Europe”: This refers to the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.
- “European Data Protection Laws”: These are data protection laws applicable in Europe, including the General Data Protection Regulation (GDPR), Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, and their applicable national implementations. It also includes the GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), and the Swiss Federal Data Protection Act of 2020 and its Ordinance (“Swiss DPA”).
- “European Personal Data”: This refers to any personal data that is protected under European Data Protection Laws.
- “Joint Customer”: This term refers to a customer who has a relationship with both the Partner and SmartSuite.
- “Joint Customer Personal Data”: This is any personal data for which a Joint Customer acts as a Controller.
- “SmartSuite Personal Data”: This is any personal data for which SmartSuite acts as a Controller.
- “Partner Personal Data”: This is any personal data for which the Partner acts as a Controller.
- “Personal Data”: This is any information relating to an identified or identifiable individual. This information is contained within SmartSuite Personal Data, Partner Personal Data, or Joint Customer Personal Data and is protected in a similar way as personal data or personally identifiable information under applicable Data Protection Laws.
- “Personal Data Breach”: This refers to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
- “Processing”: This term refers to any operation or set of operations performed on personal data. This includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or erasure of personal data. The terms “Process”, “Processes”, and “Processed” are related to this definition.
- “Processor”: This is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.
- “Standard Contractual Clauses” or “SCCs”: These are the standard contractual clauses attached to the European Commission’s Implementing Decision 2021/914 of 4 June 2021.
- “Subprocessor”: This is any entity which provides processing services to a Processor.
- “Supervisory Authority”: This is an independent public authority established by a member state of the European Economic Area, Switzerland, or the United Kingdom.
- “UK Addendum”: This refers to the International Data Transfer Addendum (Version B.1.0) issued by the UK Information Commissioner’s Office (ICO) under Section 119A of the Data Protection Act 2018. This may be amended, superseded, or replaced.
2. Compliance With Laws
Both parties warrant and represent that they will follow the data protection laws that apply to them.
3. Joint Processor Scenarios
If both parties are handling the Joint Customer’s personal data (acting as “Processors”), they will:
- Follow the rules and instructions given in any agreements with the Joint Customer.
- Work together reasonably to help protect the data rights according to the applicable data protection laws.
Both parties understand and agree that they are each handling the Joint Customer’s data. However, neither party is hiring the other to process this data (meaning, neither is acting as a “Subprocessor”).
4. Controller-To-Controller Scenarios
If both parties are controlling the personal data (acting as “Controllers”), they will:
- Work together reasonably to help protect the data rights according to the applicable data protection laws.
Both parties understand and agree that they are each controlling the personal data independently. They are not jointly controlling the data as defined under European Data Protection Laws.
5. Controller-To-Processor Scenarios
A. Roles of the Parties:
The rights, duties, and responsibilities of both parties concerning Sections 6 to 9 of this DPA are as follows:
- When SmartSuite handles Personal Data for the Partner and under the Partner’s instructions, SmartSuite is the “Processor”, the Partner is the “Controller”, and the “Personal Data” refers to the Partner’s Personal Data.
- When the Partner handles Personal Data for SmartSuite and under SmartSuite’s instructions, the Partner is the “Processor”, SmartSuite is the “Controller”, and the “Personal Data” refers to SmartSuite’s Personal Data.
B. Processing Limits:
- In the situations described in Section 5.a, both parties agree to handle Personal Data only for the purposes outlined in the relevant Partner Agreement and/or the agreement(s) with the Joint Customer.
- To avoid confusion, the types of Personal Data handled and the categories of individuals affected by this DPA are detailed in Schedule A of this DPA.
6. Controller Obligations
The parties in their capacity as a Controller agree to:
A. When acting as a Controller, both parties agree to:
- Give instructions to the Processor and decide how and why the Processor should handle Personal Data, following the Agreement.
- Follow all the protection, security, and other rules about Personal Data set by applicable Data Protection Laws for a Controller. This includes: i. Setting up and maintaining a process for individuals to exercise their rights over their Personal Data that the Controller processes. ii. Only handling data that has been collected legally and validly, and making sure this data is relevant and proportionate to its uses. iii. Making sure that its staff and any third party who accesses or uses Personal Data on its behalf follow the provisions of this DPA.
7. Processor Obligations
A. Processing Requirements: When acting as a Processor, both parties agree to:
- Handle Personal Data only to provide, support, and improve the Processor’s products and services, using proper security measures. They will follow the Controller’s instructions and won’t use the data for any other purpose. If the Processor can’t meet the requirements under Sections 6 to 9 of this DPA, they will inform the Controller promptly. The Controller can then end the Agreement, any Partner Agreement, or take other reasonable actions, like suspending data processing operations.
- Promptly inform the Controller if, in the Processor’s opinion, an instruction from the Controller breaks applicable Data Protection Laws.
- If the Processor is collecting Personal Data from individuals for the Controller, they will follow the Controller’s instructions.
- Take reasonable steps to ensure that its employees and others working on its behalf follow the terms of the Agreement and any Partner Agreements.
- Ensure that its employees, authorized agents, and any Subprocessors are under a strict duty of confidentiality. They won’t allow anyone who isn’t under such a duty to handle the personal data.
- If the Processor plans to use Subprocessors to help meet its obligations under this DPA, they will: (i) provide the Controller with a list of current Subprocessors (for SmartSuite, this list is available online), and inform the Controller at least 30 days in advance if they plan to use any new Subprocessors, giving the Controller a chance to object; (ii) remain responsible to the Controller for the Subprocessors’ actions related to data protection if the Subprocessors are following the Processor’s instructions; and (iii) make sure any Subprocessors agree to provide the same level of data protection and information security as outlined in this DPA.
- Provide the Controller with the Processor’s privacy and security policies upon request.
- Inform the Controller if the Processor carries out an independent security review.
B. Informing the Controller: The Processor will immediately inform the Controller if it becomes aware of:
- Any failure by the Processor or its employees to follow Sections 6 to 9 of this DPA or any Data Protection Laws related to the protection of Personal Data processed under this DPA.
- Any legally required request to share Personal Data by a law enforcement or government authority, unless the law prevents the Processor from telling the Controller, such as to keep a law enforcement investigation confidential.
- Any notice, inquiry, or investigation by a Supervisory Authority about Personal Data.
- Any complaint or request (especially requests for access to, correction of, or blocking of Personal Data) received directly from the Controller’s data subjects. The Processor won’t respond to any such request without the Controller’s prior written permission.
C. Assisting the Controller:
The Processor will provide help to the Controller in a timely and reasonable manner regarding:
- Responding to any request from a person to exercise their rights under the Data Protection Laws (including rights to access, correct, object, erase, and port their data). If the Processor receives such a request directly, they will promptly inform the Controller.
- Investigating any breaches of Personal Data and notifying the Supervisory Authority and the affected individuals from the Controller’s data subjects about these breaches.
- When needed, preparing data protection impact assessments and consulting with any Supervisory Authority.
D. Required Processing:
If the Processor needs to handle any Personal Data for reasons other than those related to the Agreement, due to Data Protection Laws, the Processor will let the Controller know about this requirement before any processing. This is unless the law prevents the Processor from informing the Controller (for example, due to secrecy requirements under certain EU member state laws).
E. Security:
The Processor will:
- Keep appropriate organizational and technical security measures to protect against unauthorized or accidental access, loss, change, disclosure, or destruction of Personal Data. This includes measures related to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, and encryption of Personal Data in transit and at rest.
- Be responsible for ensuring that all of the Processor’s personnel have sufficient security, privacy, and confidentiality safeguards for Personal Data. The Processor will be liable if its personnel fail to meet the terms of this DPA.
- Take suitable steps to ensure that all of the Processor’s personnel are protecting the security, privacy, and confidentiality of Personal Data in line with the requirements of this DPA.
- Inform the Controller of any Personal Data Breach by the Processor, its Subprocessors, or any other third parties acting on the Processor’s behalf as soon as possible, and in any case within 48 hours of becoming aware of a Personal Data Breach.
F. Additional Provisions for California Personal Information.
When the Processor handles California Personal Information following the Controller’s instructions, both parties agree that, under the CCPA, the Controller is a “Business” and the Processor is a “Service Provider”. They agree that the Processor will handle California Personal Information strictly to provide, support, and improve the Processor’s services (including providing insights and other reporting) (“Business Purpose”), or as otherwise allowed by the CCPA. Also, the Processor will: i. Not sell or share California Personal Information. ii. Not handle California Personal Information outside of the direct business relationship between the parties, unless the law requires it. iii. Not mix the California Personal Information with personal information collected or received from another source, unless this information was received in connection with the Processor’s duties under the relevant Partner Agreement and/or the agreement(s) with the Joint Customer.
8. Audit, Certification
A. Supervisory Authority Audit.
If a Supervisory Authority requires an audit of data processing facilities where the Processor handles Personal Data, to check or monitor compliance with Data Protection Laws, the Processor will cooperate with this audit. The Controller will pay the Processor back for any reasonable costs incurred to cooperate with the audit, unless the audit finds that the Processor hasn’t complied with this DPA.
B. Processor Certification.
If the Controller so requests, the Processor must provide a certification of compliance to the Controller (limited to one request per calendar year) by email. If SmartSuite is the Processor, these emails should be sent to support@smartsuite.com. If the Partner is the Processor, the Partner should set up and provide a single point of contact for email correspondence about data protection to SmartSuite upon request. The Processor must certify in writing that it complies with this DPA.
9. Data Return And Deletions
Both parties agree that when the data processing services end or if the Controller so requests, the Processor will, and will ensure any Subprocessors will, either return all the Personal Data and copies to the Controller or securely destroy them. The Processor will show the Controller that it has done this, unless Data Protection Laws prevent the Processor from returning or destroying some or all of the Personal Data. If this is the case, the Processor will keep the retained Personal Data confidential and will only actively handle this Personal Data to comply with the law.
10. Data Transfers
Whenever Personal Data is moved outside its home country, all parties involved must ensure that this transfer complies with Data Protection Laws.
A. Data from European Partners: When European Personal Data is transferred from the Partner to SmartSuite for processing in a country outside Europe that doesn’t provide adequate protection for Personal Data (as defined by European Data Protection Laws), the parties agree to the following:
- Use of Data Privacy Framework: SmartSuite will use the Data Privacy Framework to legally receive European Data from the Partner in the United States. It will ensure that it provides at least the same level of protection required by the Data Privacy Framework Principles. If SmartSuite cannot comply with this requirement, it will inform the Partner.
- Standard Contractual Clauses: If European Data Protection Laws require the implementation of appropriate safeguards (for instance, if the Data Privacy Framework doesn’t cover the transfer to SmartSuite or if the Data Privacy Framework is invalidated), the parties agree to follow and process European Partner Data in accordance with the Standard Contractual Clauses (SCCs) mentioned below.
B. European SmartSuite Data. For transfers of Personal Data from SmartSuite that falls under European Data Protection Laws (“European SmartSuite Data”) to the Partner for processing in a country outside Europe that doesn’t provide adequate protection for Personal Data (as defined by European Data Protection Laws), the parties agree that the Partner will provide the same level of protection required by the Data Privacy Framework Principles. This will be done by complying with the following:
- If the Partner is self-certified to the Data Privacy Framework, the Partner will use the Data Privacy Framework to legally receive European SmartSuite Data in the United States. The Partner will ensure that it provides at least the same level of protection to the European SmartSuite Data as required by the Data Privacy Framework Principles. If the Partner is unable to comply with these requirements, it will notify SmartSuite.
- If European Data Protection Laws require the implementation of appropriate safeguards (for instance, if the Data Privacy Framework doesn’t cover the transfer to the Partner or if the Data Privacy Framework is invalidated), the parties agree to follow and process European SmartSuite Data in accordance with the Standard
C. Standard Contractual Clauses. Both parties agree that:
- For Partner European Data, the “data exporter” is the Partner and the “data importer” is SmartSuite (including its Affiliates).
- For SmartSuite European Data, the “data exporter” is SmartSuite (including its Affiliates) and the “data importer” is the Partner.
- The Module One terms apply when both parties are Controllers. The Module Two terms apply when the party receiving Personal Data under the SCCs is acting as a Processor for the other party as a Controller.
- In Clause 7, the optional docking clause applies.
- In Clause 9, Option 2 of Module Two applies. The Processor must obtain authorization for Subprocessors according to Section 7(a) of this DPA.
- In Clause 11, the optional language is removed.
- In Clauses 17 and 18(b), the SCCs are governed by the laws of, and disputes are resolved in the courts of, the Republic of Ireland or the EEA member state where the SmartSuite legal entity that entered into the Agreement is established. If such SmartSuite is not established in the EEA, the Republic of Ireland applies.
- In Annex I of the SCCs, the details of the parties are outlined in the Agreement.
- The remaining information in Annex I and Annex II of the SCCs is completed with the information in Schedule A of this DPA.
D. UK Transfers: For Personal Data under the UK GDPR, the Standard Contractual Clauses (SCCs) apply as per Section 10(c) with these changes:
- The SCCs are modified as outlined in the UK Addendum, which is included by reference.
- Tables 1 to 3 in Part 1 of the UK Addendum are filled with relevant information from Schedule A of this DPA.
- Table 4 in Part 1 of the UK Addendum is completed by selecting “neither”.
- Any conflict between the SCCs and the UK Addendum is resolved according to Sections 10 and 11 of the UK Addendum.
E. Swiss Transfers: For Personal Data under the Swiss DPA, the SCCs apply as per Section 10(c) with these changes:
- References to “Regulation (EU) 2016/679” and specific articles are interpreted as references to the Swiss DPA and equivalent sections.
- References to “EU”, “Union” and “Member State” are replaced with “Switzerland”.
- References to the “competent supervisory authority” and “competent courts” are replaced with the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”.
- In Clauses 17 and 18(b), the SCCs are governed by Swiss law and disputes are resolved in Swiss courts.
F. Compliance: Both parties must promptly inform each other if they cannot comply with Section 10’s provisions.
11. Term
This Data Processing Agreement (DPA) will stay in effect for as long as either party is processing Personal Data that has been uploaded or provided by the other party, in accordance with the Partner Agreement.
12. Indemnity
Each party agrees to defend, indemnify, and hold the other party harmless. This includes their subsidiaries, affiliates, officers, directors, employees, and agents from all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs, or expenses of any kind. This includes reasonable attorney’s fees, the cost of enforcing any right to indemnification, and the cost of pursuing any insurance providers. This applies to any third-party claim against the other party that arises from the breaching party’s failure to comply with any of its obligations under this DPA or the applicable laws, regulations, or principles contained in European Data Protection Laws. Each party’s liability is subject to the limitation of liability in the applicable Partner Agreement.
Schedule A
DESCRIPTION OF THE TRANSFER
1. Categories of data subjects. The personal data that is transferred pertains to the following categories of individuals. The specific categories depend on the agreement between the party importing the data and the party exporting the data:
- Members of SmartSuite
- Potential and existing customers of the data exporter
- Employees of the data exporter
- Sales and marketing leads of the data exporter
- Third parties who have, or may potentially have, a business relationship with the data exporter. This includes advertisers, customers, corporate subscribers, contractors, and users of the product.
2. Categories of personal data. The transferred personal data includes the following categories:
The data that is transferred includes personal data provided by the data exporter to the data importer in accordance with the Partner Agreement. This personal data may include first names, last names, email addresses, contact information, education and work history, and other information found in SmartSuite member profiles, resumes, CRM data about sales leads and customer lists, any notes provided by the data exporter about the aforementioned items, and other activities of SmartSuite members on the SmartSuite platform.
- Sensitive Data (if applicable): The transferred personal data may include the following special categories of data: None.
- Frequency of Transfer: The personal data is transferred on a continuous basis.
- Nature and Purpose of the Processing: The data is transferred for the following purposes: The transfer is designed to facilitate the relationship between the parties as outlined in the Partner Agreement. The “Partner Agreement” refers to the agreement(s) between the data importer and the data exporter that governs data sharing between the two parties (excluding customer agreements between the Partner and SmartSuite that govern the Partner’s purchase of SmartSuite products and services).
- Retention Period for Personal Data: The transferred personal data can only be retained for the duration permitted under the Partner Agreement. The parties agree that each party will cooperate reasonably with the other party to enable the exercise of data protection rights as outlined in Data Protection Laws, to the extent that it, along with the other party, acts as a Controller with respect to Personal Data.
- Subject Matter, Nature, and Duration of the Processing: The subject matter, nature, and duration of the processing are as described in the Agreement, including this DPA.
- Competent Supervisory Authority: For the purposes of the Standard Contractual Clauses, the competent supervisory authority is the authority of the EEA member state where the Partner or the Partner’s EEA representative is established (with respect to Partner Personal Data), or the Irish Data Protection Commissioner (with respect to SmartSuite Personal Data). For UK and Swiss transfers, the competent supervisory authority is the United Kingdom Information Commissioner or the Swiss Federal Data Protection Information Commissioner (as applicable).
Schedule B
SECURITY MEASURES
SmartSuite (“we”) uses a variety of security technologies and procedures to help protect your Personal Data. All Personal Data is protected using appropriate physical, technical and organizational measures. These measures include the following:
a) Access Control
i) Preventing Unauthorized Product Access
Outsourced processing: We use cloud infrastructure providers to host our Service. We also have contracts with vendors to provide the Service according to our Data Processing Agreement (DPA). We use these contracts, privacy policies, and vendor compliance programs to protect data processed or stored by these vendors.
Physical and environmental security: Our product infrastructure is hosted with outsourced infrastructure providers. We don’t own or maintain the hardware at their data centers. Our production servers and client-facing applications are securely separated from our internal corporate information systems. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication: We have a uniform password policy for our customer products. Customers must authenticate before accessing non-public customer data through the user interface.
Authorization: Customer Data is stored in multi-tenant storage systems and can only be accessed by Customers via application user interfaces and APIs. Customers can’t directly access the underlying application infrastructure. Our authorization model ensures that only individuals with the right permissions can access relevant features, views, and customization options. Authorization to data sets is done by checking the user’s permissions against the attributes of each data set.
API access: Public product APIs can be accessed using an API key or through OAuth authorization.
ii) Preventing Unauthorized Product Use
We implement industry standard access controls and detection capabilities for the internal networks that support our products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
Static code analysis: Code stored in our source code repositories is checked for best practices and identifiable software flaws using automated tooling.
Penetration testing: We maintain relationships with industry-recognized penetration testing service providers for penetration testing of both the SmartSuite web application and internal corporate network infrastructure at least annually. The intent of these penetration tests is to identify security vulnerabilities and mitigate the risk and business impact they pose to the in-scope systems.
iii) Limiting Access & Authorization
Product access: Only certain employees can access our products and customer data through controlled interfaces. This is to provide effective customer support, product development, research, troubleshoot potential problems, detect and respond to security incidents, and implement data security. Access is granted through “just in time” requests, which are all logged. Access is granted based on role, and high-risk privileges are reviewed daily and every six months.
Background checks: Where allowed by law, SmartSuite employees undergo third-party background or reference checks. In the U.S., job offers depend on the results of a background check. All SmartSuite employees must follow company guidelines, non-disclosure requirements, and ethical standards.
b) Controlling Data Transmission
In-transit: We require HTTPS encryption on all login interfaces and on every customer site hosted on the SmartSuite products. Our HTTPS implementation uses industry-standard algorithms and certificates.
At-rest: We store user passwords following industry-standard security practices. We use technologies to ensure that stored data is encrypted at rest.
c) Controlling Data Input
Detection: Our infrastructure logs extensive information about system behavior, received traffic, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, respond to known incidents.
Response and tracking: We keep a record of known security incidents, including description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel, and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement.
d) Controlling Availability
Infrastructure availability: The infrastructure providers aim to ensure a minimum of 99.95% uptime. They maintain a minimum of N+1 redundancy for power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Backups: All databases are backed up and maintained using at least industry-standard methods.
Disaster Recovery Plans: We maintain and regularly test disaster recovery plans to help ensure availability of information following interruption to, or failure of, critical business processes.
Product design: Our products are designed to ensure redundancy and resilience. The server instances that support the products are designed to minimize single points of failure. This design helps our operations maintain and update the product applications and backend while limiting downtime.