DATA PROCESSING AGREEMENT
This Data Processing Agreement (DPA) forms part of the Insertion Order (IO) between SMADEX (the “Processor”) and the Client, (hereinafter “Company” or the “Controller”).
Hereinafter, the Processor and the Company will be jointly referred to as the “Parties”.
WHEREAS
- The Company acts as a Controller.
- The Company wishes to subcontract certain Services to the Processor, which imply the processing of personal data.
- For this purpose, the Parties entered an IO which is governed by the Interactive Advertising Bureau Standard Terms and Conditions for Internet Advertising for Media Buys One Year or Less, Version 3.0 (“IAB Agreement”).
- The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), and to ensure that the Client’s information security requirements regarding the processing of personal data are met.
- The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. DEFINITIONS & INTERPRETATION.
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., and its implementing regulations.
1.1.2 “Company Personal Data” means any Personal Data processed by Contracted Processor on behalf of the Company, for the purpose of the provision of the Services, pursuant to or in connection with the IO and the details specified in Annex 1, which forms an integral part of this DPA.
1.1.3 “Contracted Processor” means the Processor and/or Subprocessor(s).
1.1.4 “DPA” means this Data Processing Agreement and all its Annexes.
1.1.5 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
1.1.6 “EEA” means the European Economic Area.
1.1.7 “EU Data Protection Laws” means the GDPR and laws implementing or supplementing the GDPR, and any laws which replace, extend, re-enact, consolidate, or amend any of the foregoing (whether or not before or after the date of this DPA).
1.1.8 “GDPR” means EU General Data Protection Regulation 2016/679.
1.1.9 “Restricted Transfer” means any transfer of Personal Data between the Parties where such transfer would be prohibited by the GDPR in the absence of adequate safeguards approved by the European Union.
1.1.10 “Services” means the Services which the Processor provides to the Company.
1.1.11 “Standard Contractual Clauses” means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
1.1.12 “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.
1.1.13 “UK Restricted Transfer” means any transfer of Personal Data between the Parties where such transfer would be prohibited by the UK GDPR in the absence of adequate safeguards.
1.1.14 “UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses, issued by the Information Commissioner, and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022, as set forth at: https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf
1.2 The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processor”, “Processing” and “Supervisory Authority” (both in capital and lowercase letters) shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. PROCESSING OF COMPANY PERSONAL DATA.
By means of this clause, the Processor is authorized to process, on behalf of the Company, the necessary personal data for the execution of the IO.
In accordance with the provisions of art. 28 of the GDPR, and the rest of the data protection regulations, as well as to establish the minimum requirements in terms of information security in the provision of the Services and in the access and/or processing of the Company information:
2.1 Processor shall:
2.1.1 Comply with all applicable Data Protection Laws in the Processing of Company Personal Data.
2.1.2 Use the personal data processed, or those collected for inclusion, only for the purpose of this IO.
2.1.3 Follow the instructions of the Company in the Processing of Company Personal Data. Hereby, the Processor undertakes to process the Company’s data in accordance with its instructions and for the sole purpose of performing the Services agreed with the Company, and undertakes not to use them in any way that exceeds this purpose, except when expressly authorized to do so by the Company.
In the event that the Processor considers that the fulfilment of a specific instruction from the Company may entail a breach of the GDPR or of any other applicable laws and regulations, the Processor shall immediately notify the Company thereof.
2.1.4 Assist the Company in its maintenance of records of processing activities pursuant to Art. 30 GDPR and provide the Company with the necessary information in an appropriate manner.
2.1.5 Keep its records of processing activities with respect to all processing activities carried out on behalf of the Company, as required under Art. 30(2) GDPR, which will contain: (i) the name and contact details of the Processor and of the Company on whose behalf the Processor acts; (ii) the categories of processing activities carried out on behalf of the Company; (iii) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of the appropriate safeguards; (iv) a general description of the technical and organisational security measures, covering the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability of and access to personal data quickly in the event of a physical or technical incident, and the process for regularly testing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
2.1.6 Keep under its control and custody the personal data provided by the Company to which it has access in connection with the provision of the Services, and not disclose, transfer or otherwise communicate them, not even for their storage by third parties.
3. PROCESSOR PERSONNEL.
3.1 The Processor shall take reasonable steps to ensure the reliability of any employee, agent, contractor or any other person acting on its behalf, or any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Insertion Order, and to comply with Data Protection Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
3.2 The Processor shall ensure that all its employees engaged in performing the IO and Processing Personal Data are reliable and have the appropriate skills, training, and qualifications to perform the tasks allocated to them (including training on compliance with this DPA and the Data Protection Laws).
3.3 The Processor shall immediately revoke the access privileges of all personnel who cease their activity or terminate their assignment to the Services.
3.4 The Processor shall conduct periodic reviews of users with authorized access to ensure that all permissions assigned are appropriate, based on a need-to-know basis, and that there are no obsolete users.
4. SECURITY.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR and other Data Protection Laws (if any). In particular, the Processor shall implement the security measures and mechanisms set out in Article 32 of the GDPR to:
- Ensure the permanent confidentiality, integrity, availability and resilience of the processing systems and services.
- Restore availability and access to personal data quickly in the event of a physical or technical incident.
- Regularly verify, evaluate and assess the effectiveness of the technical and organisational measures implemented to ensure the security of the processing.
- Pseudonymise and encrypt personal data, where appropriate.
4.2 In accordance with Article 32(2) of the GDPR, in assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
4.3 In addition, the Company and the Processor have agreed that measures described in Annex 2, attached to this DPA and being integral part of it, together with any applicable data security requirements that are directly incumbent on the Processor by Data Protection Laws, including the data security requirements in the country of establishment of the Company, are considered appropriate.
5. SUBPROCESSING.
5.1. The Processor shall not permit, allow, or otherwise facilitate Subprocessors to process Company Personal Data without the prior written consent of Company and unless Processor enters into a binding written agreement with the Subprocessor which imposes the same obligations on the Subprocessor with regard to their Processing of Company Personal Data, as are imposed on the Processor under this DPA.
5.2 If any Subprocessor or Contracted Processor is not subject to the GDPR, the Processor shall conclude with them the Standard Contractual Clauses.
5.3 Processor makes available to the Company, in Annex 3 which forms an integral part of the Clauses, a current list of those Subprocessors which are used by Processor to undertake processing of Data.
6. DATA SUBJECT RIGHTS.
6.1 Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company’s obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2 Processor shall:
6.2.1 Promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data.
6.2.2 Ensure that it does not respond to that request except on the documented instructions of the Company or as required by Data Protection Laws to which the Processor is subject, in which case the Processor shall, to the extent permitted by such Data Protection Laws, inform the Company of that legal requirement before the Contracted Processor responds to the request.
6.2.3 Provide such information and cooperation and take such action as the Company reasonably requests in relation to each data subject request or other communication, within the timescales reasonably required by the Company.
6.3 Processor and its Subprocessors may retain Company Personal Data to the extent required by Data Protection Laws and only to the extent and for such period as required by Data Protection Laws and always provided that the Processor shall ensure the confidentiality of all such Company Personal Data and shall ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the Data Protection Laws requiring its storage and for no other purpose.
7. PERSONAL DATA BREACH.
7.1 The Processor shall notify Company without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
In particular, and pursuant to the provisions set out in Article 33.3 of the GDPR, the Processor shall provide the Company with complete information relating to a Data Breach, including, without limitation, the nature of the Data Breach, the nature of the personal data affected, the categories and number of data subjects concerned, the number of personal data records concerned, measures taken to address the Data Breach and the possible consequences and adverse effect of the Data Breach. Nevertheless, if and to the extent that it is not possible to provide the information simultaneously, the information shall be provided gradually by the Processor and without undue delay.
7.2 The Processor shall co-operate with the Company and take reasonable commercial steps as directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION.
The Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Company reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors. The Processor shall support the Company in carrying out data protection impact assessments when appropriate and under the terms established by law.
9. DELETION OR RETURN OF COMPANY PERSONAL DATA.
The Processor shall promptly and in any event within ten (10) business days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.
Alternatively, and in the event that the Company indicates so, once the provision of the Services covered by the IO has been completed, the Processor undertakes to return any information containing personal data transmitted by the Company to the Processor in connection with the provision of those Services. The return of information must involve the total erasure of the existing data in the computer equipment used by the Processor.
Notwithstanding the provisions of the preceding paragraphs, the Processor may keep the data and information processed, duly blocked, in the event that responsibilities may arise from the relationship with the Company as well as for making them available to Public Administrations, Judges and Courts, for the attention of possible responsibilities arising from the processing and only during the period of prescription of said responsibilities.
10. AUDIT RIGHTS.
10.1 Subject to this section 10, the Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement and shall allow for, at the Company’s cost, and contribute to audits, including inspections, by the Company or an auditor mandated by the latter in relation to the Processing of the Company Personal Data by the Contracted Processors.
10.2 Information and audit rights of the Company only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
11. CCPA STANDARD OF CARE; NO SALE OF PERSONAL INFORMATION.
This Clause applies to Company Personal Data of natural persons who are California residents, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier. The Processor acknowledges and confirms that it does not receive or process any Company Personal Data as consideration for any services or other items that Processor provides to the Company under the IO. The parties agree that for the purposes of the CCPA, Processor acts as a Service Provider for Company Personal Data and that Company is a Business, as defined under the CCPA. The Processor acknowledges that the Company is disclosing Company Personal Data for a Business Purpose, as defined under the CCPA. The Processor will not: (i) sell Company Personal Data, (ii) retain, use, or disclose Company Personal Data for any purpose other than for the specific purpose of performing the Services specified in the DPA and IO, including collecting, retaining, using, or disclosing Personal Data for any commercial purpose other than providing the Services specified in the DPA and IO unless otherwise permitted under the CCPA, (iii) retain, use, or disclose Company Personal Data outside of the direct business relationship between the Parties. The Processor certifies that it has read and understands the rules, requirements and definitions of the CCPA, as well as the restrictions set forth herein and will comply with them, including by avoiding any action that would cause the Company to be deemed to have sold Company Personal Data under the CCPA.
12. DURATION.
The duration of this DPA shall correspond with the duration of the IO. The expiry or termination of the latter shall not relieve the parties of their respective obligations regarding the privacy and data protection of Personal Data for as long as such Processing is performed after such expiration or termination.
13. COMPANY OBLIGATIONS.
The Company, in its capacity as data controller, undertakes to:
- Provide personal data to the Processor according to Section 2 of this Agreement.
- Carry out a data protection impact assessment of the processing operations to be carried out by the Processor, as well as the corresponding prior consultations.
- Ensure, prior to and throughout the processing, compliance by the Processor with applicable legislation on the protection of personal data.
- Supervise the data processing, including inspections and audits in accordance with the provisions of the Agreement.
14. CONFIDENTIALITY.
Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
- disclosure is required by law;
- the relevant information is already in the public domain.
The Parties also undertake not to preserve any copy of the Confidential Information after the termination of this Agreement.
The obligations of confidentiality laid down in this clause shall remain in force after the end of the relationship between the Parties for any reason.
15. DATA TRANSFER.
(a) Standard Contractual Clauses. For any Restricted Transfer between the Parties, the applicable Standard Contractual Clauses (“SCCs”) shall apply. In the event of any conflict or inconsistency between the terms of this DPA and the SCCs, the SCCs shall prevail.
(b) UK Addendum. For any UK Restricted Transfer between the parties, the UK Addendum shall apply and is incorporated herein by reference. In the event of any conflict or inconsistency between the terms of this DPA and the UK Addendum, the UK Addendum shall prevail.
(c) Countries with an adequate level of protection. The SCCs and UK Addendum shall not apply to Personal Data that is transferred to a country that has been recognized by the European Commission as providing an adequate level of protection for Personal Data.
(d) Forward transfers. Each Party shall ensure that any forward transfers to third parties of Personal Data subject to this DPA comply with Data Protection Laws and Regulations, including, but not limited to, restrictions on cross-border data transfers under GDPR.
(e) Invalidation of Transfer Mechanism. To the extent that the Parties rely upon a specific statutory mechanism to normalize international data transfers and such mechanism is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Parties agree to cooperate in good faith to promptly terminate applicable transfers or to pursue a suitable alternate mechanism that can lawfully support these transfers.
16. LIABILITY.
Each of the parties appearing in this Agreement shall be fully responsible for the consequences that may derive from non-compliance with the obligations contracted by virtue of this Agreement and shall assume, in this case, the reparation of damages that such non-compliance may cause to the other party.
The non-performing party shall indemnify the other party for all the damages caused to the latter by the breach of this Agreement and the regulations in force regarding the protection of personal data attributable to the aforementioned entity. By way of illustration, the non-performing party shall pay the other party:
- The expenses incurred in the defense against possible sanctioning procedures initiated by the corresponding Data Protection Authority and its appeals before the competent courts.
- The amount of the sanction, if any, that could be imposed by the corresponding Data Protection Authority.
- The expenses caused by their defense against possible legal actions that could be promoted by the data owners. Such expenses shall include, in any case, the fees of the lawyers involved in the defense.
17. NOTICES.
All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post, or sent by email to the address or email address set out in the heading of this Agreement, or to such other address as notified from time to time by a Party changing its address.
18. TRANSFER OF RIGHTS AND OBLIGATIONS.
Neither Party shall transfer, assign, or otherwise deal in the DPA, or any of its rights and obligations under this DPA, other than to an assignee of that Party’s rights and obligations under the Agreement.
19. MISCELLANEOUS.
The personal data of the parties’ representatives will be processed respectively by the entities identified in the heading, which will act independently as data controllers. Such data will be processed in compliance, as independent data controllers respectively, with the rights and obligations contained in this Agreement, without any automated decisions affecting the aforementioned representatives. Consequently, the legal basis for the processing is to comply with the contractual relationship between the parties.
The personal data of the representatives of the parties will be maintained as long as the contractual relationship stipulated herein is in force, and will only be processed by the parties and those third parties to whom they are legally or contractually obliged to communicate them (as is the case of third party service providers who have been entrusted with any service related to the management or execution of the IO). Upon its termination, data may be retained for the period of limitation of possible legal liabilities of any kind. At the expiry of said period of limitation, the Personal Data shall be destroyed.
Personal Data shall not be transferred to third parties except in those cases where it is required by law, although it may be accessed by suppliers providing services to the Parties in order to fulfil the purpose of the Processing. In that latter case, personal data may be processed on servers within or outside the European Union. Possible international transfers of personal data will always be carried out in accordance with Chapter V of the GDPR.
The rights of access, rectification, erasure and objection, restriction of processing, portability of Personal Data and the right to object to automated individual decision-making may be exercised by means of a letter addressed to the party carrying out the processing at its registered office. In processing activities based on the legitimate interest of the Controller, and notwithstanding the foregoing, data subjects also have the right to request information on the balancing test carried out. Likewise, if they consider that their Personal Data has not been processed in accordance with the data protection regulations, they may contact the Data Protection Officer (for SMADEX at the following address: privacy@smadex.com; for the Company at the address provided in the header of the IO) and/or file a complaint with the Spanish Data Protection Agency (www.aepd.es). Further information on how SMADEX processes Personal Data can be found in its Privacy Policy.
IN WITNESS WHEREOF, this Agreement is entered into effect from the date first set out below.
The Company | SMADEX
Signature: | Signature:
Name: | Name: Philip Gontier
Title: | Title: Chief Revenue Officer
Date: | Date:
ANNEX 1
DATA DESCRIPTION AND PROCESSING ACTIVITIES
1.1. Details of the Parties
Controller: As stipulated in the header.
Processor:
SMADEX, S.L.U.
C/ Diputació 303 First floor
08009 Barcelona
Spain
privacy@smadex.com
1.2. Categories of data subjects
- Users of mobile devices.
1.3. Categories of personal data
- Online identifiers, namely: (a) device identifiers, (b) cookie identifiers, (c) IP addresses.
- Contextual data provided by Real Time Bidding markets and other advertising suppliers in the auction process, namely: (a) geolocation data, (b) navigation data, (c) device type data, (d) auction-related data, and (e) demographic information, such as gender and age range. SMADEX shall never process data that falls under the special categories described in Article 9 GDPR.
- Conversion data, concerning the potential conversion of data subjects impacted by Company campaigns.
- Generally, SMADEX shall not process Online Behavioural Advertising data. However, as an exception to that, SMADEX may use audience segmenting and/or Online Behavioural Advertising data provided by third party Data Management Platforms. SMADEX shall only engage the services of Data Management Platforms at the explicit request of the Company, and provided that a proper data transfer agreement is entered into with the relevant Data Management Platform.
Neither Party shall process data concerning children, or any other category of data that is regarded as special under Article 9 GDPR.
1.4. Frequency of the processing
Continuous
1.5. Nature of the processing
Structuring, storage, retrieval, consultation, use, restriction and erasure.
1.6. Purpose(s) of the data processing
- Running the SMADEX platform. SMADEX will process/transfer Company Data with the purpose of buying online advertising inventory in Real Time Bidding markets or in other forms of programmatic advertising supply. In that regard, Company Data will be processed/transferred in order to bid in such markets, and to serve advertisements whenever such bidding has been successful.
- Retargeting. At Company’s request, SMADEX will create and process/transfer lists of device identifiers with the aim to target Company campaigns to certain audiences. Such lists might be created by SMADEX by serving cookie identifiers to data subjects that have been impacted by Company campaigns, and/or that have visited Company’s websites or applications.
- Retargeting Company audiences. At Company’s requests, SMADEX will process/transfer lists of device identifiers provided by Company, to target Company campaigns to certain audiences. When that is the case, Company represents and warrants that (a) it has obtained and is processing/transferring such Company Origin Data in full compliance with the applicable data protection laws; and that (b) Company Origin Data shall never contain Online Behavioural Advertising data, or data that can be regarded as sensitive under Article 9 GDPR.
1.7. Period for which the personal data will be retained.
Data processed will be retained for a period of one (1) year.
ANNEX 2
TECHNICAL AND ORGANISATIONAL MEASURES
Protective measures for physical access control
Physical access control is ensured by our cloud provider Amazon Web Services for all data centres. AWS has a robust access control process involving several security policies. Access authorization must be requested in advance and approved by AWS employees, who must apply for third-party access and provide a valid business justification. These requests are granted based on the principle of least privilege: requests must specify to which layer of the data centre the individual needs access and are time-bound. These requests are approved by authorized personnel, and access is revoked once the requested time expires. Once granted admittance, individuals are restricted to the areas specified in their permissions. Anyone granted visitor badge access must present identification when arriving on site and is signed in and escorted by authorized staff.
Authorized access is carried out by the SMADEX Technology Team Lead.
Protective measures for system access control and data access control
1.1 Protective measures for system Access
A. Data protection and privacy for employees
A.1) Storage Options
Most of the data produced by employees is stored in the cloud. Other secured areas for SMADEX data are local servers on site. Finally, files can also be stored on employees’ local computers.
A.2) Storage Access
The cloud specifications also ensure that the data is transmitted through the HTTPS protocol. The same applies to email access, which can only be retrieved through secured access.
The cloud environment is particularly advantageous, especially with regard to storage redundancy. The automated versioning of files also provides data security in the event that an unexpected edit is made and a previous version of a document must be restored.
Local server data can only be accessed over a wired connection.
Access rights are implemented to ensure that documents are made available only to the appropriate people / teams for all the above technologies.
A.3) Backup Policies
Cloud storage helps ensure that files are replicated and that SMADEX will not suffer any data loss.
Local storage on local computers is currently not subject to any backup policy. Therefore, it is the employee’s responsibility to rely on one of the two above solutions to secure his/her work.
A.4) Local Copies of Sensitive Files
If an employee is in a situation where he or she needs to copy files to his or her local system, he or she is encouraged to use disk encryption technology such as FileVault on Mac OS X or BitLocker on Windows 10. Employees may ask office management for help with configuring this option.
In case of loss or theft of a laptop, having this option enabled will prevent the disclosure of sensitive data that may be stored locally.
B. Workstation Access
In the context of a tech-oriented company, users are made local administrators of their workstations so that they can install necessary tooling and software on demand. The anti-virus agent running on each computer and in the email software checks that attachments and executables are not Trojan horses or viruses.
All workstations run Windows, Linux or macOS, and a secure login/password is required to log in.
C. Workstation Protection
Every workstation comes with a pre-installed anti-virus agent.
To avoid unintended access to their workstation while away, employees must lock their session as soon as they leave their desk (shortcut: Windows+L on Windows, CTRL+SHIFT+Power on MacBook). A pre-configured, password-protected screensaver will be set up on their workstation.
Employees are strongly encouraged to update their workstations as the OS vendor (Microsoft, Apple) publishes security fixes for known vulnerabilities.
D. Smartphones
Professional smartphones should have the auto-lock policy activated with a relatively complex code, so as to avoid data leakage or identity spoofing.
If a professional smartphone is lost or stolen, the employee concerned must contact the COO as soon as possible so that the device can be locked and the e-mail and application passwords reset.
E. Virtual Private Network (VPN)
The development and operations teams can access data centre resources through a secured VPN tunnel. The tunnel is secured with a dedicated login/password.
F. Wireless Internet
Wireless Internet is available in the office. It is completely separated from the production network. It is generally good practice to connect to the Internet via one source at a time, either wireless or Ethernet. It is preferable to use the Ethernet connection when available.
SMADEX has a single wireless password, which is changed periodically. The office also provides a public wireless access reserved for visitors.
1.2. Physical Access
A. Access to facilities
A.1) Access to the office
Employees can access the building from 7:00 am until 10:00 pm. Outside of these hours, access is granted only to those with a personal key. After 10:00 pm and before 7:00 am, the doors are manually locked by key.
The attribution of keys to newcomers is part of the onboarding process, which is initiated by managers upon the employee's arrival.
A.2) IT Local Access
Equipment and servers that are running on site are stored in a technical room secured by a key that is provided to a specific list of people in the Infra team.
B. Security Control
Visitors can be welcomed by any employee, who should introduce them to, or put them in contact with, the right person. Currently, visitors do not receive a temporary badge, nor are they identified while at SMADEX offices.
1.3. Protective measures for data access
Within our applications, we use custom authentication management with groups, rights and different access levels, with at least two levels: normal user and super admin (SA).
Access to data held by the cloud provider is protected using the cloud provider's best practices, such as two-key authentication at login and personal SSH keys, together with fine-grained permissions.
1.4. Protective measures for transfer control
Access to the internal systems is secured by a VPN. Each employee has his or her own account and specific rights.
General access to public services is protected by hardware firewalls at each site. Our offices are also equipped with protections that limit/control transfers to specific protocols.
Production data are stored on servers with limited physical access. Removable storage is allowed on these servers, but the storage is fully emptied/deleted in the event of detachment.
Data at rest on the cloud provider's hardware is not yet encrypted; however, all backup data is stored in a read-only area once it has been generated. A plan to encrypt all at-rest data is in place, and all changes are expected to be applied shortly. Access to these servers can only be done using severe.
Data in transit between the cloud provider's hardware is encrypted using SSL/HTTPS protocols where available. A plan to ensure encryption of all in-transit data between cloud servers is in place, and all changes are expected to be applied shortly.
Once data is deleted, it cannot be recovered.
1.5. Protective measures for input control
Data input for most features is performed through controlled UI interfaces or through backend servers that receive such data.
The most sensitive operations implement history (audit) logging, which allows the change history to be retrieved together with the identity of the person or entity that made the input.
In the near future, SMADEX will leverage low-level history logging features for the most critical data stored on all our storage engines.
1.6. Protective measures for job control
For contractors working in sensitive areas (finance, legal or technical audits) where the engagement would give the contractor close access to such data, a Data Processing Agreement is signed and strict rules are issued.
SMADEX has provided an information security policy and procedures for employees responsible for processing personal data, to ensure that data is processed in accordance with the data exporter's instructions.
1.7. Protective measures for availability control
SMADEX maintains documented business continuity, incident response, data backup and disaster recovery procedures designed to maintain business operations and redundancy of critical systems and data. SMADEX performs regular testing to ensure that availability-supporting systems function properly in almost all services.
SMADEX's roadmap includes a plan to implement measures against disasters affecting SPOFs (single points of failure) that are not yet covered.
1.8. Protective measures for purpose control
Development, staging and production/live systems are separate instances.
Employees have clear guidelines and work instructions on when to use the development, staging or production/live environment.
ANNEX 3
LIST OF SUBPROCESSORS
Name | Subject-matter/service
Amazon Web Services Inc. | Cloud server provider (hosting of platform)
Google Inc. | Cloud business provider (Google Suite of business apps: email, Drive, Calendar, etc.)
CONTROLLER TO CONTROLLER ADDENDUM
This Addendum to the DPA addresses data optimization, a process based on the campaign management processing activities that are integral to our Services. This entails the transfer of personal data from SMADEX to the Advertiser, with these activities performed for the following purposes:
(a) fulfilling its obligations under the Insertion Order;
(b) measuring the performance of Company campaigns; and
(c) campaign optimization.
Please note that the comprehensive details of these activities can be found at www.smadex.com/privacy-policy.
In such a case, both Parties will be Controllers of the personal data and, to that extent, they expressly agree that they will comply with the responsibilities contemplated in Article 24 of the GDPR.
Likewise, if the Advertiser is located outside the EEA, the Parties will enter into the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and Module 1 will apply.
EU SCC (Controller to Controller Transfers):
- Module 1 will apply;
- Clause 7: the “Docking Clause” will apply;
- Clause 9: N/A;
- Clause 11: the optional “Redress” language will not apply;
- Clause 13: Option a) will apply;
- Clause 17: the EU SCC will be governed by the law of Spain;
- Clause 18(b): disputes arising from the EU SCC will be resolved by the Courts of Barcelona;
- Annex I of the EU SCC will be completed with the information set forth in Annex 1 to this DPA;
- Annex II of the EU SCC will be completed with the technical and organisational measures set forth in Annex 2 to this DPA; and
- Annex III of the EU SCC will be completed with the list of Approved Sub-Processors set forth in Annex 1 to this DPA.