DATA PROTECTION ADDENDUM

This Data Protection Addendum (“Addendum”) is entered into by and between PubMatic, Inc. (“PubMatic”) and you (“Company”), and forms part of all agreements between the parties relating to the subject matter of this Addendum (each, an “Agreement”). This Addendum is effective as of the date on which the Addendum is signed or otherwise adopted by both parties (“Effective Date”).

The terms in this Addendum shall only apply to the extent PubMatic or Company collect or otherwise process Data (including Personal Data) protected or otherwise regulated by applicable Data Protection Law. Capitalized terms used in this Addendum shall have the meaning given to them in the main body of the Agreement unless otherwise defined in this Addendum.

IT IS AGREED:

  1. Definitions
    “Adequacy Mechanism” has the meaning described in Section 14.
    “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act 2020.
    “Controller” means the entity that determines the purposes and means of the processing of Personal Data.
    “Processor” means the entity that processes Personal Data on behalf of the Controller.
    “Data” has the meaning given to it in Section 2 of this Addendum.
    “Data Exporter” means the party sending or transferring Personal Data that is subject to European Data Protection Law.
    “Data Importer” means the party receiving the Personal Data that is subject to European Data Protection Law.
    “Data Privacy Framework” means the EU-US, UK Extension to the EU-US and Swiss-US Data Privacy Framework (“DPF”) Program as set forth by the US Department of Commerce, European Commission, UK Government, and Swiss Federal Administration, and which regards the collection, use and retention of personal information from the EU, UK and Switzerland.
    “Data Protection Law” means any international, federal, state, or local laws, regulations, or treaties applicable to a party in its Processing of Data, including but not limited to: (i) Regulation 2016/679 (the European General Data Protection Regulation) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC) (“e-Privacy Directive”); (iii) all national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); (v) in respect of the United Kingdom, GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (together, “UK Privacy Law”); and (vi) State Privacy Laws, in each case, as may be amended, superseded or replaced from time to time.
    “Partners” means PubMatic’s third-party partners including but not limited to data providers, matching partners, analytics partners, attribution partners and fraud partners.
    “Europe” means, for the purposes of this DPA, the European Economic Area (EEA), the United Kingdom, and Switzerland.
    “Personal Data” means any information relating to an identified or identifiable natural person to the extent that such information is protected as “personal data” under applicable Data Protection Law.
    “Privacy Requirements” means: (i) Data Protection Law, as applicable to Company, PubMatic, its Partners, and their respective processing of Data under this Addendum; and (ii) any applicable self-regulatory codes, rules or guidelines, including without limitation, the rules, codes and guidelines of the European Interactive Digital Advertising Alliance (EDAA), Digital Advertising Alliance (DAA), the Network Advertising Initiative (NAI), and IAB Transparency and Consent Framework (TCF) (in each case, as amended, superseded or replaced).
    “PubMatic Products” has the meaning given to it in the Agreement or if not set forth in the Agreement, means PubMatic’s online advertising services, products, and features described at https://pubmatic.com/legal/program-descriptions.
    “Restricted Transfer” means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK Privacy Law applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
    “State Privacy Laws” means the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring of 2022, the Indiana Consumer Data Protection Act, the Iowa Act Relating to Consumer Data Protection of 2023, the Montana Consumer Data Privacy Act, the Tennessee Information Protection Act, the Utah Consumer Privacy Act of 2022, and the Virginia Consumer Data Protection Act, and other additional U.S. state privacy laws enacted, in each case as amended and including any regulations promulgated thereunder.
    “Sub-processor” means any third party engaged by PubMatic to process Personal Data on behalf of Company in connection with the Agreement.
    “Tracking Technologies” means technologies used to store or gain access to data stored on a user’s device, including (as applicable), cookies, mobile SDKs, browser cache, unique identifiers, web beacons, pixels and/or similar tracking technologies.
    “PubMatic Privacy Policy” means the PubMatic privacy policy available on PubMatic’s public facing website, the most current version of which is available at www.pubmatic.com/privacy-policy (as updated or amended from time to time).
    “Standard Contractual Clauses” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 located at https://eur-lex.europa.eu/eli/dec_impl/2021/914.
    “UK Addendum” means the International Data Transfer Addendum (version B1.0) to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under S.119(A) of the UK Data Protection Act 2018, as amended, superseded or replaced from time to time.
    The terms “data subject”, “processing” (and “process”) shall have the meanings given to them in European Data Protection Law.
    The terms “Sell” and “Share” shall have the meanings given to them in the CCPA.
  2. Scope of processing
    Unless otherwise and separately agreed between the parties, the parties agree and understand that: (i) in connection with the PubMatic Products, PubMatic may receive data or otherwise collect Data (including Personal Data) as more particularly described in Annex A-1 of this Addendum (collectively, “Data”); (ii) PubMatic may use Tracking Technologies in order to collect certain Data; and (iii) PubMatic shall process the Data solely for the purposes described in Annex A-1 and as instructed by Company in accordance with this Addendum and the Agreement (“Processing Purposes”).
  3. Relationship of the parties
    The parties acknowledge that Company acts as the Controller of Personal Data and PubMatic acts as the Processor of Personal Data on behalf of Company. PubMatic shall process Personal Data only in accordance with Company’s documented instructions as set forth in this Addendum and the Agreement.
  4. Processing Instructions and Compliance
    1. PubMatic shall process Personal Data only on documented instructions from Company, including with regard to transfers of Personal Data to third countries or international organizations, unless required to do so by applicable law to which PubMatic is subject.
    2. PubMatic shall immediately inform Company if, in its opinion, an instruction infringes applicable Data Protection Law.
    3. Company is responsible for ensuring that all data subjects are appropriately notified about the data collection and use practices taking place through the PubMatic Products and for obtaining all necessary consents from data subjects where required by applicable Privacy Requirements.
  5. Confidentiality
    PubMatic shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  6. Security Measures
    PubMatic shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, as described in Annex B of this Addendum.
  7. Sub-processors
    1. Company provides general written authorization for PubMatic to engage Sub-processors for the processing of Personal Data, provided that PubMatic: (a) maintains a current list of Sub-processors, which shall be made available to Company upon request; (b) provides Company with at least 30 days’ prior written notice of any intended changes concerning the addition or replacement of Sub-processors; (c) ensures that any Sub-processor is bound by data protection obligations equivalent to those set out in this Addendum.
    2. Enhanced Objection Standards: Company may object to PubMatic’s use of a new Sub-processor only on reasonable and documented data protection grounds that would materially impact data protection compliance, provided that such objection is not based on competitive concerns, commercial preferences, or general business considerations. Any objection must be submitted in writing within 15 days of notice and must include specific details of the data protection concerns. If Company objects, the parties shall discuss the objection in good faith. If no resolution can be reached within 30 days, Company may terminate only the affected services, provided that Company shall compensate PubMatic for any reasonable costs incurred in connection with such termination, including transition costs and any committed Sub-processor fees.
    3. PubMatic shall remain fully liable to Company for the performance of any Sub-processor’s obligations, subject to the liability limitations set forth in the Agreement.
  8. Data Subject Rights
    1. Taking into account the nature of the processing, PubMatic shall assist Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Company’s obligation to respond to requests for exercising data subject rights.
    2. PubMatic shall promptly notify Company if it receives a request from a data subject directly and shall not respond to such request except on the documented instructions of Company.
  9. Assistance with Controller Obligations
    PubMatic shall assist Company in ensuring compliance with Company’s obligations under Data Protection Law, including: (a) security of processing; (b) notification of personal data breaches; (c) data protection impact assessments; and (d) prior consultation with supervisory authorities.
  10. Personal Data Breaches
    PubMatic shall notify Company without undue delay after becoming aware of a personal data breach affecting Personal Data processed under this Addendum, and shall provide Company with sufficient information to enable Company to meet its obligations to report or inform data subjects of the personal data breach.
  11. Data Return and Deletion
    PubMatic shall delete or return all Personal Data to Company after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data.
  12. Processing of California Personal Data
    To the extent PubMatic processes Personal Data of California consumers as a Service Provider as defined by the CCPA, PubMatic shall: (a) process Personal Data only for the limited and specified purposes set forth in the Agreement and this Addendum; (b) not sell or share Personal Data; (c) not retain, use, or disclose Personal Data for any purpose other than the specific purposes set forth in the Agreement; (d) comply with applicable consumer rights requests forwarded by Company.
  13. Standard Contractual Clauses
    Subject to Section 14, the parties agree that when the transfer of Personal Data from Company to PubMatic is a Restricted Transfer and European Data Protection Law applies, the transfer shall be subject to Module 2 (Controller to Processor) of the Standard Contractual Clauses, which shall be deemed incorporated into and shall form part of this Addendum, as follows:
    1. in relation to transfers of Personal Data protected by the GDPR, the Standard Contractual Clauses shall apply, completed as follows: (i) in Clause 7, the optional docking clause will apply, (ii) in Clause 11, the optional language will not apply; (iii) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by laws of Ireland; (iv) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (v) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex A-1 to this Addendum; and (vi) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex B to this Addendum;
    2. in relation to transfers of Personal Data protected by UK Privacy Law, the Standard Contractual Clauses shall also apply completed in accordance with paragraph (a) above, but as modified and interpreted by Part 2: Mandatory Clauses of the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this Addendum;
    3. in relation to transfers of Personal Data protected by the Swiss DPA, the Standard Contractual Clauses shall also apply with appropriate modifications for Swiss law.
  14. Adequacy Mechanisms
    The terms of the Standard Contractual Clauses will not apply where and to the extent the applicable transfer of Personal Data is covered by an Adequacy Mechanism.
  15. Audit
    PubMatic will make available to Company all information reasonably necessary for PubMatic to demonstrate its compliance with the obligations in this DPA, including by way of providing written responses to any audit questions raised by Company.
  16. Contact
    The individual within PubMatic authorized to respond to enquiries regarding the Data can be contacted at: dpo@pubmatic.com.
  17. Changes in Law
    In the event of changes in Privacy Requirements that materially affect the processing of Data, either party may request modifications to this Addendum with at least thirty (30) days’ prior written notice.
  18. General
    This Addendum shall survive termination or expiry of the Agreement. Upon termination, PubMatic shall return or delete Personal Data in accordance with Section 11.
  19. Transfers of Personal Data from PubMatic to Company
    1. The parties acknowledge that in connection with the provision of the PubMatic Products, PubMatic may transfer certain Personal Data to Company where PubMatic acts as an independent Controller, as mutually agreed between the parties from time to time. To the extent such transfer is a Restricted Transfer, it shall be subject to Module 1 (Controller to Controller) of the Standard Contractual Clauses, which shall be deemed incorporated into and shall form part of this Addendum, completed as follows: (a) PubMatic shall be the Data Exporter and Company shall be the Data Importer; (b) the options selected in Section 13(a) through (c) above shall apply mutatis mutandis; (c) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex A-2 to this Addendum; and (d) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex B to this Addendum.
    2. With respect to any Personal Data received by Company pursuant to this Section 19, Company shall: (a) process such Personal Data as a separate and independent Controller solely for the purposes described in Annex A-2 and in compliance with the Agreement; (b) comply with all applicable Data Protection Law in its capacity as a Controller; (c) implement appropriate technical and organizational security measures to protect such Personal Data; (d) not further disclose such Personal Data to any third party except as expressly permitted under the Agreement and in compliance with applicable Data Protection Law; and (e) not retain such Personal Data for longer than necessary for the purposes described in Annex A-2 and in compliance with the Agreement and applicable Data Protection Law.

Annex A-1 – Description of the Transfer (Company to PubMatic)

Controller / Data exporter:

  • Name: See Agreement
  • Address: See Agreement
  • Contact: See Agreement
  • Role: Controller

Processor / Data importer:

  • Name: PubMatic, Inc.
  • Address: 601 Marshall Street, Redwood City, CA 94063
  • Contact: DPO, contactable at dpo@pubmatic.com
  • Role: Processor

Categories of data subjects: End users and Company Personnel

Categories of personal data:

  • End users: Identifiers (cookie and mobile Ad identifiers, IP address, geolocation data); Demographic information; User agent and device information; Behavioral data
  • Company Personnel: Contact details and professional details

Sensitive data: None

Frequency of the transfer: As mutually agreed between the parties

Processing purposes: Provision of PubMatic Products as described in the Agreement, including ad serving, optimization, reporting, and fraud prevention.

Retention period: Personal Data will be retained only for so long as necessary for the processing purposes described in this Annex A-1 and will be deleted or returned to Company in accordance with Section 11 of this Addendum.

Annex A-2 – Description of the Transfer (PubMatic to Company)

Controller / Data exporter:

  • Name: PubMatic, Inc.
  • Address: 601 Marshall Street, Redwood City, CA 94063
  • Contact: DPO, contactable at dpo@pubmatic.com
  • Role: Controller

Controller / Data importer:

  • Name: See Agreement
  • Address: See Agreement
  • Contact: See Agreement
  • Role: Controller

Categories of data subjects: End users of publisher properties whose data is collected or received by PubMatic in connection with the PubMatic Products.

Categories of personal data:

  • Identifiers (cookie and mobile Ad identifiers, IP address, geolocation data); demographic information; user agent and device information; behavioral data

Sensitive data: None.

Frequency of the transfer: As mutually agreed between the parties.

Processing purposes: conversion measurement and attribution of advertising campaigns run through PubMatic’s platform; transparency and verification relating to the PubMatic Products, PubMatic’s platform, and inventory provided by PubMatic; media planning, optimization, delivery, and activation of advertising campaigns in the PubMatic Products; and ad delivery, analytics and reporting; in each case solely to the extent expressly permitted under or mutually agreed in writing pursuant to the Agreement.

Retention period: Company will not retain the Data for longer than the period during which Company has a legitimate need to retain the Data for the purposes described above and in compliance with applicable Data Protection Law.

Annex B – Technical and Organizational Measures

The technical and organizational measures implemented (including any relevant certifications) to maintain an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are as follows:

PubMatic Inc.

Type of measure

Terms

Measures of pseudonymization and encryption of personal data

Description of technical measures in place to prevent re-identification

  • PubMatic has implemented data minimization and privacy-by-design into its software development process to prevent personal data from being directly linkable to a data subject where consent is not received.
  • Advertising identifiers used by PubMatic to track devices and deliver ads are not persistent; they are designed to deprecate within a reasonable time frame.

Measures for ensuring ongoing confidentiality of processing systems and services

Description of measures in place to secure information stored on systems.

  • PubMatic has implemented and maintains a written information security program and has implemented measures to ensure the integrity, availability and security of personal information, including regular vulnerability scans and endpoint protection.
  • PubMatic limits the risk that personal data will be exposed by implementing a data retention schedule to systems that store personal data processed under the agreement.
  • Operational, technical management level controls in place that ensure end-user data processed by the platform cannot be linked to a natural person’s identity. Confidentiality terms with personnel. Security program that aligns to industry good practices.

Measures for ensuring ongoing integrity of processing systems and services

PubMatic has implemented and maintains an information security program that contains administrative, technical and physical safeguards appropriate to protect against anticipated threats to, confidentiality and integrity of, and the unauthorized or accidental destruction, loss, access, acquisition, alteration or use of, personal data, and that meets (i) reasonable security practices applicable to PubMatic’s industry; and (iii) any security requirements under the laws applicable to the company.

Measures for ensuring ongoing availability and resilience of processing systems and services

PubMatic maintains personal data availability and resilience through a variety of technical, physical, and administrative measures.

Examples of these measures include: tolerant infrastructure with geographically distinct availability zones for redundant data; secured and monitored operational sites; and, processes and policies for topics such as incident response and review, and vendor review.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  • See response above.
  • Further measures include regular backups, business continuity readiness plans, and disaster recovery plans.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

  • At least once annually, security measures relevant to the processing of personal data are reviewed and tested for alignment with industry good practices.
  • Security compliance has been integrated into Company’s product development practices, and the Company privacy, security and engineering teams collaborate regularly to ensure those standards are kept up to date.

Measures for user identification and authorization

  • PubMatic has in place procedures that comply with applicable law to authenticate requests from data subjects who have submitted a rights request.
  • PubMatic has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized employees with a “need to know”.
  • PubMatic has in place industry standard policies to ensure that unauthorized current and former personnel cannot improperly access systems that process personal data.

Measures for the protection of Data during storage

  • PubMatic does not process any sensitive personal information, and personal data processing is limited in scope.
  • Data is only stored for as long as necessary for Company’s legitimate business purposes and is subject to a data retention schedule.

Measures for ensuring physical security of locations at which personal data are processed

  • Facilities involved in the processing of personal data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, two-factor authentication, firewalls, and anti-malware. Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required in order to deliver advertising services under the Agreement.
  • PubMatic provides personnel who access personal data with appropriate information security and data protection training. PubMatic maintains appropriate physical security measures at each facility where personal data is processed, including authentication of all personnel who access data centers, IT equipment having physical barriers designed to prevent access by unauthorized individuals, and manned reception areas or logbooks with visitor entry/exit dates and times.

Measures for certification/assurance of processes and products

  • PubMatic participates in industry certification and self-regulatory programs such as DAA, NAI Code of Practice, IAB TCF 2.0, and the IAB CCPA Compliance Framework.

Measures for ensuring data minimization

  • Procedures are embedded in the system development process to minimize personal data collected and processed by PubMatic (e.g., no data collection from unconsented or improperly consented impressions).
  • PubMatic has a dedicated technical privacy specialist whose role is at least partly dedicated to reviewing the implementation of data minimization across the organization.

Measures for ensuring accountability

  • PubMatic performs a data mapping exercise that complies with Article 30 of GDPR and has created a record of processing activity to ascertain the scope of personal data processing activities performed by the organization.
  • PubMatic has implemented a privacy program that is appropriate to the scope and nature of personal data processed that includes a personal data breach policy, data protection and legitimate interest assessments (where appropriate), appointment of a data protection officer (DPO), and data protection controls such as privacy by design.
  • The foregoing measures are regularly reviewed (at least once annually) and updated to ensure alignment with applicable law and industry standards.

Measures for allowing data portability and ensuring erasure

  • PubMatic has implemented and maintains procedures to ensure data portability and erasure that comply with data protection laws. PubMatic has designated a data protection leader who is responsible for ensuring all requests from data subjects are reviewed and documented, including requests for erasure and copies of personal data, and that data subject requests are carried out timely and in accordance with law.

Company

Type of measure

Terms

Measures for ensuring ongoing confidentiality of processing systems and services

Description of measures in place to secure information stored on systems.

  • Company has implemented and maintains a written information security program and has implemented measures to ensure the integrity, availability and security of personal information, including regular vulnerability scans and endpoint protection.
  • Company limits the risk that personal data will be exposed by implementing a data retention schedule to systems that store personal data processed in connection with the Contract.
  • Operational, technical management level controls in place that ensure end-user data processed by the platform cannot be linked to a natural person’s identity. Confidentiality terms with personnel. Security program that aligns to industry good practices.

Measures for ensuring ongoing integrity of processing systems and services

  • Company has implemented and maintains an information security program that contains administrative, technical and physical safeguards appropriate to protect against anticipated threats to, confidentiality and integrity of, and the unauthorized or accidental destruction, loss, access, acquisition, alteration or use of, personal data, and that meets (i) reasonable security practices applicable to Company’s industry; and (iii) any security requirements under the laws applicable to Company.

Measures for ensuring ongoing availability and resilience of processing systems and services

  • Company maintains personal data availability and resilience through a variety of technical, physical, and administrative measures.
  • Examples of these measures include tolerant infrastructure with geographically distinct availability zones for redundant data; secured and monitored operational sites; and, processes and policies for topics such as incident response and review, and vendor review.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  • See response above.
  • Further measures include regular backups, business continuity readiness plans and disaster recovery plans.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

  • At least once annually, security measures relevant to the processing of personal data are reviewed and tested for alignment with industry good practices.
  • Security compliance has been integrated into Company’s product development practices, and the Company privacy, security and engineering teams collaborate regularly to ensure those standards are kept up to date.

Measures for user identification and authorization

  • Company has in place procedures that comply with applicable law to authenticate requests from data subjects who have submitted a rights request.
  • Company has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized employees with a “need to know”.
  • Company has in place industry standard policies to ensure that unauthorized current and former personnel cannot improperly access systems that process personal data.

Measures for the protection of Data during storage

  • As per the Contract, personal data processed in connection with the services will not contain any sensitive personal information.
  • Data is only stored for as long as necessary for Company’s legitimate business purposes and is subject to a data retention schedule.
  • Personal data minimization procedures are in place with regard to personal data stored on Company’s systems (e.g., last octet of IP address is redacted, certain unique identifiers that are not needed for RTB are not logged, etc.)

Measures for ensuring physical security of locations at which personal data are processed

  • Facilities involved in the processing of personal data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, two-factor authentication, firewalls, and anti-malware. Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required in order to deliver advertising services under the Agreement.
  • Company provides personnel who access personal data with appropriate information security and data protection training. Company maintains appropriate physical security measures at each facility where personal data is processed, including authentication of all personnel who access data centers, IT equipment having physical barriers designed to prevent access by unauthorized individuals, and manned reception areas or logbooks with visitor entry/exit dates and times.

Measures for certification/assurance of processes and products

  • Company participates in industry certification and self-regulatory programs such as DAA, NAI Code of Practice, IAB TCF 2.0, and the IAB CCPA Compliance Framework.

Measures for ensuring data minimization

  • Procedures are embedded in the system development process to minimize personal data collected and processed by the Company.
  • Company has a dedicated technical privacy specialist whose role is at least partly dedicated to reviewing the implementation of data minimization across the organization.

Measures for ensuring accountability

  • Company performs a data mapping exercise that complies with Article 30 of GDPR and has created a record of processing activity to ascertain the scope of personal data processing activities performed by the organization.
  • Company has implemented a privacy program that is appropriate to the scope and nature of personal data processed that includes a personal data breach policy, data protection and legitimate interest assessments (where appropriate), appointment of a data protection officer (DPO), and data protection controls such as privacy by design.
  • The foregoing measures are regularly reviewed (at least once annually) and updated to ensure alignment with applicable law and industry standards.

Measures for allowing data portability and ensuring erasure

  • Company has implemented and maintains procedures to ensure data portability and erasure that comply with data protection laws. Company has designated a data protection leader who is responsible for ensuring all requests from data subjects are reviewed and documented, including requests for erasure and copies of personal data, and that data subject requests are carried out timely and in accordance with law.