DPA Controller
Appendix A - Data Processing Addendum
1. APPLICABILITY AND SCOPE.
Publisher consents to the terms of this DPA upon the earlier of (a) executing the Agreement or (b) using Connatix’s Services, whichever occurs first. If Publisher wishes to opt-out of this Addendum, Publisher must not use Connatix’s Services and must immediately notify Connatix in writing. If there is a conflict between the Agreement and this DPA, this DPA will control over the terms of the Agreement.
2. DEFINITIONS AND INTERPRETATION.
Capitalized terms used but not defined in this DPA have the meanings set forth in the Agreement. Additionally, in this DPA:
“Adequate Country” means:
(a) for data processed subject to the EU GDPR: the EEA, or a country or territory recognized as ensuring adequate protection under the EU GDPR;
(b) for data processed subject to the UK GDPR: the UK, or a country or territory recognized as ensuring adequate protection under the UK GDPR and the Data Protection Act 2018; and/or
(c) for data processed subject to Swiss Data Protection Laws: Switzerland, or a country or territory that is: (i) included in the list of the states whose legislation ensures adequate protection as published by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”); or (ii) recognized as ensuring adequate protection by the Swiss Federal Council under Swiss Data Protection Laws.
“Agreement” means an insertion order (“IO”) and Connatix’s Publisher Terms and Conditions (“T&Cs”).
“Alternative Transfer Solution” means a solution, other than SCCs, that enables the lawful transfer of Personal Data to a third country in accordance with the GDPR, UK GDPR or Swiss Data Protection Laws, which may include, for example, the EU-US Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and/or the Swiss-US Data Privacy Framework, or other valid data protection framework recognized as providing adequate protection under Data Protection Laws.
“Business Partners” means advertisers, DSPs, SSPs, DMPs, and other adtech partners of Connatix.
“Controller” means either: (a) the definition set forth in the relevant Data Protection Laws; or (b) absent such a definition, the party that determines the purposes and means of the Processing of Personal Data. Where applicable, the term “Controller” will refer to “Business” as that term is defined under Data Protection Laws.
“Data Protection Laws” means any applicable international, foreign, national, federal, state, or local statutes, ordinances, regulations, rules, and directives, each to the extent they have the effect of law relating to the collection, use, storage, disclosure, transfer, or other Processing of Personal Data, including, without limitation: (a) the General Data Protection Regulation (“EU GDPR”) (Regulation 2016/679); (b) the European Union (“EU”) e-Privacy Directive (Directive 2002/58/EC); (c) the EU GDPR as saved into United Kingdom (“UK”) Data Protection Law by virtue of section 3 of the UK’s European Union (Withdrawal) Act 2018 (“UK GDPR” and, together with the EU GDPR, the “GDPR”); (d) US State Privacy Laws; (e) the Canadian Personal Information Protection and Electronic Documents Act; (f) the revised Swiss Federal Data Protection Act of 25 September 2020 (“Swiss Data Protection Laws”); and (g) any other relevant privacy and data protection law. References to Data Protection Laws refer to such laws as amended from time to time, any successor legislation thereto, and any regulations promulgated thereunder.
“Data Subject” means an identified or identifiable natural person (or household, with respect to the California Consumer Privacy Act, as amended), as defined under the applicable Data Protection Laws, who can be identified, directly or indirectly (including, but not limited to, via an identifier such as a name, IP address, cookie identifier, location data, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person). Where applicable, the term “Data Subject” will refer to “Consumer” as that term is defined under Data Protection Laws.
“Deidentified Data” means either: (a) the definition set forth in the relevant Data Protection Laws; or, absent such a definition, (b) information that cannot reasonably identify, relate to, describe, be linked directly or indirectly with, or be reasonably used to infer information about or be capable of being associated with an identifiable natural person.
“EEA” means the European Economic Area.
“European Data Protection Laws” means the GDPR and Swiss Data Protection Laws.
“Industry Guideline(s)” means, as applicable, any generally recognized industry standards or self-regulatory guidelines to which a Party has agreed to be bound, including standards from the Interactive Advertising Bureau (“IAB”), the Network Advertising Initiative (“NAI”) Code of Conduct, the European Interactive Digital Advertising Alliance’s (“EDAA”) Self-Regulatory Principles, the Digital Advertising Alliance (“DAA”) Self-Regulatory Principles, or similar industry standards, guidelines or principles, as amended or superseded from time to time.
“Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a Data Subject (or is otherwise defined as “personal data,” “personal information,” or “personally identifiable information” by applicable Data Protection Laws) that is disclosed by a Party to the other Party pursuant to the terms of the Agreement or that is Processed by a Party under or in connection with the Agreement.
“Platform” means Connatix’s online video platform as described on www.connatix.com or other documentation provided by Connatix, as may be amended from time to time.
“Process”, “Processing” or “Processed” means any operation or set of operations performed upon Personal Data, by automatic means or otherwise (e.g., collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction).
“Processor” means either: (a) the definition set forth in the relevant Data Protection Laws; or, absent such a definition, (b) a third party that Processes Personal Data on behalf of the Controller. Where applicable, the term “Processor” will refer to a “Service Provider” as that term is defined under Data Protection Laws.
“Restricted Transfer” means (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to any other country which is not subject to an adequacy determination by the UK Secretary of State; (iii) where the Swiss Data Protection Laws apply, a transfer of Personal Data from Switzerland to a country outside of Switzerland which is not subject to an adequacy determination by Switzerland; and (iv) where other Data Protection Laws apply, a transfer of Personal Data from one territory to another territory where such transfers are restricted, including where such Data Protection Laws require a mechanism to legally enable such transfer.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by a Party and that is in such Party’s possession, custody or control or for which such Party is otherwise responsible.
“Sensitive Data” means any (i) data considered to be special category data or sensitive personal information/sensitive personal data under Data Protection Laws, or (ii) Personal Data of children under the age of 13 or the age specified under applicable Data Protection Laws.
“Services” means the provision of the Platform and other products and services by Connatix as set forth in the Agreement.
“Signal(s)” means the technical privacy signals developed by Industry Guideline bodies, including the NAI opt-out for tailored advertising, the IAB Transparency and Consent Framework (the “IAB TCF Framework”), the IAB Global Privacy Platform (the “GPP”), DAA Ad Choices, the Children's Online Privacy Protection Act (“COPPA”) flag, and any other signal(s) whether now known or hereafter created that transmit or otherwise indicate an action by a Data Subject with respect to their Personal Data Processing.
“Sites” means Publisher’s websites, mobile applications, and other digital properties.
“Standard Contractual Clauses” or “SCCs” means (i) where the EU GDPR or Swiss Data Protection Laws apply, the contractual clauses annexed to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”); and (iii) any similar contractual clauses that are approved under Data Protection Laws as a legal transfer mechanism for Restricted Transfers.
“Visitors” means Data Subjects who use or otherwise access Publisher’s Sites.
“US State Privacy Laws” means US privacy, data security and other data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including: (i) the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 (“CCPA”); (ii) Virginia’s Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq.; (iii) the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq.; (iv) Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring, Pub. Act No. 22-15; (v) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.; and (vi) any regulations in effect that are promulgated under any of the statutes identified above.
The terms “Business,” “Business Purpose,” “Cross-Contextual Behavioral Advertising,” “Sale,” “Service Provider,” “Share,” “Supervisory Authority,” “Sub-Processor,” and “Third Party,” whether capitalized or not, will have the same meaning as in the Data Protection Laws, and their analogous terms will be construed accordingly.
2. PURPOSE.
In performing its obligations or exercising its rights under the Agreement, a Party may disclose Personal Data to the other Party or receive Personal Data, directly or indirectly, from the other Party. Each Party will Process Personal Data provided by or on behalf of the other Party, or that such Party derives or otherwise receives in connection with the Agreement, only: (a) for the purposes set forth in the Agreement; and (b) in accordance with (i) Data Protection Laws and Industry Guidelines and (ii) its obligations under the Agreement.
3. ROLES AND RESTRICTIONS ON PROCESSING.
Each Party:
a. is an independent Controller of the Personal Data and is independently responsible for complying with the obligations that apply to it as a Controller under Data Protection Laws;
b. agrees that, to the greatest extent permitted by Data Protection Laws, neither Party will be deemed a joint Controller or co-Controller of the Personal Data with the other Party;
c. to the extent Personal Data subject to European Data Protection Laws is Processed, is registered or will promptly register to participate in the IAB TCF, and any successor framework;
d. will act on any Signal it receives in accordance with the Industry Guideline to which that Signal adheres, or as required by Data Protection Laws;
e. will not intentionally Process Sensitive Data or direct its Processing towards children under 13 or the age specified under applicable Data Protection Laws;
f. will publish, in a conspicuous and public facing manner, all the notices and disclosures required under Data Protection Laws and Industry Guidelines, including a privacy policy and cookie policy, as applicable (“Privacy Policies”); and will only Process information in accordance with its Privacy Policies;
g. will implement appropriate technical and organizational security measures to protect Data Subjects’ Personal Data that are compliant with the Agreement, Data Protection Laws, and applicable Industry Guidelines. Each Party’s technical and organizational security measures are described in Annex II to this DPA;
h. will ensure persons authorized to Process Personal Data receive appropriate training and commit themselves to confidentiality via a contractual or statutory obligation;
i. will provide the other Party with such assistance as may be reasonably required to demonstrate its compliance with Data Protection Laws, including, without limitation, in respect of security, breach notifications, privacy impact assessments, transfer impact assessments, and consultations with supervisory authorities or other regulators, or other relevant obligations;
j. will bear its own costs and expenses for its compliance with Data Protection Laws; and
k. will promptly notify the other Party of any circumstances in which such Party is unable or becomes unable to comply with Data Protection Laws.
4. US STATE PRIVACY LAWS.
Without limiting the obligations set forth in Section 3 of this DPA, to the extent that the Agreement involves the Processing of Personal Data subject to US State Privacy Laws, the Parties acknowledge and agree that with respect to such Personal Data:
a. Publisher is a Business or Controller with regard to the Personal Data it discloses to Connatix, and Connatix will Process the Personal Data as a Third Party (under the CCPA) or as an independent Controller (under other applicable US State Privacy Laws);
b. Publisher will disclose Personal Data to Connatix only for the limited and specified purposes specified in the Agreement, including this DPA;
c. each Party will comply with the requirements for Processing Deidentified Data under US State Privacy Laws, including publicly committing to maintain information in deidentified form, not attempting to reidentify deidentified information, and contractually requiring third parties with whom a Party may share the information to do the same;
d. each Party will comply with applicable obligations under US State Privacy Laws and provide the same level of privacy protection as is required by US State Privacy Laws;
e. each Party will notify the other Party if it determines that it can no longer meet its obligations under US State Privacy Laws; and
f. solely to the extent required by the CCPA and subject to Section 11, Publisher reserves the right, upon reasonable notice, to take reasonable and appropriate steps to help ensure that Connatix uses Personal Data transferred in a manner consistent with Publisher’s obligations under the CCPA, including reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
5. ADDITIONAL PUBLISHER OBLIGATIONS.
With respect to each Publisher Site, Publisher:
a. will obtain any and all required consents from Visitors as required under Data Protection Law to allow Publisher, through Connatix as well as other third parties (including Connatix’s Sub-Processors and Business Partners), to lawfully Process the Personal Data in accordance with the Agreement (including this DPA);
b. will implement the legally sufficient notice required under Data Protection Laws and Industry Guidelines on its Sites, including: (A) its Privacy Policies; and (B) a conspicuous link to functional opt-out pages/tools as required by Data Protection Laws and Industry Guidelines, such as the opt-out pages/tools provided by the NAI, DAA, and European Interactive Digital Advertising Alliance;
c. will send appropriate Signals to allow Connatix to ensure a Data Subject’s request to opt-out of Selling or Sharing (as such terms are defined under US State Privacy Laws) of their Personal Data and other Data Subject requests are honored in compliance with US State Privacy Laws;
d. hereby grants Connatix and its Business Partners the rights to use Personal Data consistent with their respective Privacy Policies and applicable Data Protection Law;
e. will indicate to Connatix, through the Platform’s automated mechanisms, whether or not legally sufficient consent was obtained to permit Processing. Such indication will be a correct and accurate reflection of the status of the Visitor’s consent; and
f. acknowledges and agrees that (i) Connatix does not have a direct relationship with Visitors and therefore, relies on Publisher to pass to Connatix all consents required under Data Protection Law; and (ii) Connatix will not have any liability for relying on Publisher’s indication of consents from Data Subjects. Publisher acknowledges that if Publisher’s indication of consents is misrepresented, this may cause Connatix irreparable harm under this DPA and Data Protection Law.
If Connatix is required to flow down to Publisher additional requirements with respect to Personal Data collected or derived from Publisher to the extent required by applicable law, including Data Protection Laws, or to meet Connatix’s contractual or legal commitments, Publisher will reasonably cooperate with Connatix to take any actions needed (including executing any additional documentation) to ensure compliance with such requirements.
6. COOPERATION AND DATA SUBJECT RIGHTS.
The Parties will cooperate with each other in good faith under this DPA, and each Party will:
a. enable Data Subjects to exercise their rights under Data Protection Laws (such as providing access, deletion, rectification, modification, and opt-out rights) and respond to such requests within the timeframe as determined by Data Protection Laws;
b. reasonably cooperate with the receiving Party to respond to any Data Subject inquiry that the receiving Party is required to respond to under Data Protection Laws and for which it requires the assistance of the non-receiving Party;
c. inform the other Party, without undue delay (including by way of Signals sent electronically), in the event that it receives a Data Subject request related to the other Party’s respective Processing activities; and
d. provide all reasonable assistance to ensure such Data Subject request is completed within the timeframe set out in Data Protection Laws.
7. SECURITY INCIDENT.
In the event of a Security Incident, the breached Party will: (a) promptly notify the other Party without undue delay, but not later than 72 hours after becoming aware of a Security Incident; (b) in such notice, provide enough information about the Security Incident to enable the other Party to respond to Supervisory Authorities or Data Subjects, as required under Data Protection Laws; (c) liaise with the other Party in good faith to consider what action(s) are required to resolve the issue in accordance with the Data Protection Laws; (d) provide such reasonable assistance as is necessary for the other Party to facilitate the handling of such Security Incident in an expeditious and compliant manner; and (e) provide other reasonably requested cooperation to allow the other Party to comply with its obligations under Data Protection Laws.
8. RESTRICTED TRANSFERS UNDER EUROPEAN DATA PROTECTION LAWS.
a. General.
i. Where one Party discloses Personal Data to the other Party, and such disclosure is a Restricted Transfer protected by the European Data Protection Laws, such Restricted Transfer will be made pursuant to a transfer mechanism permitted under European Data Protection Laws, including the SCCs or an Alternative Transfer Solution. If the Party attempting to make the Restricted Transfer is relying on an Alternative Transfer Solution, then such Party will inform the other Party of the relevant Alternative Transfer Solution and ensure such Restricted Transfer is made in compliance with it.
ii. If the Party attempting to make a Restricted Transfer is not relying on an Alternative Transfer Solution, then such Restricted Transfer will be subject to Module 1 of the SCCs, as further described below and in the Annexes to this DPA. The Annexes to this DPA will then be incorporated into the DPA by this reference and the Parties will be deemed to have executed and agreed to such SCCs. The Parties’ signatures in this DPA will be construed as the Parties’ signature to the SCCs.
iii. Neither Party will make or knowingly permit any onward Restricted Transfers of Personal Data it has received/accessed from the other Party to another person or entity unless such transfers are made in compliance with either the SCCs, an Alternative Transfer Solution, or other method permitted under applicable European Data Protection Laws.
b. Restricted Transfers from the EU to a Non-Adequate Country.
i. For the purposes of the EU SCCs, the following apply:
• Connatix will be the data importer and Publisher will be the data exporter;
• Clause 7 (Docking clause) will be excluded;
• Clause 11 (Redress): optional clause (optional redress mechanism before an independent dispute resolution body) will be excluded;
• Clause 17 (Governing law): the governing law will be the law of Ireland;
• Clause 18(b) (Choice of forum and jurisdiction): any dispute arising from the EU SCCs will be resolved by the courts of Ireland;
• Any provision in the EU SCCs relating to liability of the Parties with respect to each other will be subject to the limitations and exclusions of the Agreement; and
• Any provision in the EU SCCs relating to the right to audit will be interpreted in accordance with Section 11 of this DPA and the Agreement.
c. Restricted Transfers from the UK to a Non-Adequate Country.
If a Party engages in a Restricted Transfer from the UK to a Non-Adequate Country, the Parties agree the UK Addendum as filled out pursuant to Appendix B, and subject to the EU SCCs and the Annexes attached to this DPA, will apply. The UK Addendum is hereby incorporated into this DPA.
d. Restricted Transfers from Switzerland to a Non-Adequate Country.
If a Party engages in a Restricted Transfer from Switzerland to a Non-Adequate Country, the Parties agree the EU SCCs (as amended by this Section) and the Annexes attached to this DPA will apply.
Furthermore: (a) Data Subjects in Switzerland may enforce their rights in Switzerland under Clause 18(c) of the EU SCCs; (b) references to the GDPR will be construed as references to the Swiss Data Protection Laws; and (c) references to “supervisory authorities” will be construed as references to the FDPIC.
9. RESTRICTED TRANSFERS FROM OTHER JURISDICTIONS.
Where one Party discloses Personal Data to the other Party, and such disclosure is a Restricted Transfer protected by Data Protection Laws other than European Data Protection Laws, then such Restricted Transfer will be made pursuant to a transfer mechanism permitted under applicable Data Protection Laws. The Parties will cooperate to execute any additional documents or perform any additional actions to engage in a Restricted Transfer in accordance with Data Protection Laws.
10. RESOLUTION OF DISPUTES.
If either Party: (a) is the subject of a claim by a Data Subject; (b) is the subject of a claim by a Supervisory Authority; or (c) receives a notice or complaint from a Supervisory Authority relating to its respective Processing activities under the Agreement (each, a “DP Claim”), it will promptly inform the other Party of the DP Claim and provide the other Party with such information as it may reasonably request regarding the DP Claim. The Parties will use all reasonable endeavors to cooperate to resolve the DP Claim in an expeditious and timely manner. Neither Party is authorized to act or answer on behalf of the other Party.
11. AUDIT.
Solely to the extent expressly required under Data Protection Law or the Standard Contractual Clauses, Connatix will allow for and contribute to audits in order to establish Connatix’s compliance with this DPA and applicable Data Protection Law with regard to the Personal Data that Connatix Processes in connection with the Agreement. This may include carrying out inspections conducted by Publisher or another auditor mandated by Publisher during normal business hours, provided such inspection is subject to Publisher providing prior written notice to Connatix of at least 30 days and limiting such inspections to no more than once per 12 month period. Connatix has the right to require that Publisher and/or its auditor enter into a reasonable confidentiality and non-disclosure agreement prior to conducting any audit and undertake all reasonable and appropriate confidentiality measures. Connatix may redact from the written opinions or audit inspection reports any confidential or proprietary information. Publisher will bear all costs and expenses relating to any such audit. Furthermore, if such audits entail material costs or expenses to Connatix, the Parties will first come to agreement on Publisher reimbursing Connatix for such costs and expenses, prior to conducting the audit.
12. TERM.
This DPA will continue in force until the latest of: (a) the termination of the Agreement into which this DPA is incorporated; (b) the date on which Publisher is no longer Processing Personal Data; or (c) the date on which Connatix is no longer Processing Personal Data.
13. LIMITATION OF LIABILITY.
Each Party’s liability under this DPA will be limited by the limitation of liability provision set forth in the Agreement.
Annex I
Data Processing Description
This Annex I is part of the DPA and describes the Processing that the Parties will perform under this DPA.
A. LIST OF PARTIES

Data Exporter & Controller: Publisher
Address: As set forth in the Agreement.
Contact person’s name: As set forth in the Agreement.
Contact person’s position and contact details: As set forth in the Agreement.
Activities relevant to the data transferred under these Clauses: As set forth below.
Signature and date: See execution pages in the underlying Agreement.
Role (controller/processor): Controller.
Official UK registration / company number (if any): N/A

Data Importer & Controller: Connatix
Name: Connatix Native Exchange Inc.
Address: 666 Broadway, 10th Floor, New York, NY 10012
Contact person’s name, position and contact details: Dor Leitman, SVP Product and R&D, dor.leitman@connatix.com
Activities relevant to the data transferred under these Clauses:
• Providing Connatix’s video player and other products and services.
• Advertising and marketing, targeting, Cross-Contextual Behavioral Advertising, analytics, and development and commercialization of products and services.
• Creating profiles and pseudonymous IDs consisting of or derived from Behaviors. “Behaviors” means attributes, preferences, interests, and other characteristics of a user, or inferred about a user, based on that user’s location, purchase data, browsing and other data.
• Using internet log data and event data for cross-device linking.
• Making profiles available for the purpose of creating audiences to be used for tailored behavioral advertising, content personalization, analytics, and product research and development.
Signature and date: See execution pages in the underlying Agreement.
Role (controller/processor): Controller.
Official UK registration / company number (if any): N/A
B. DESCRIPTION OF TRANSFER

Categories of data subjects whose Personal Data is transferred: Visitors to Publisher Sites.
Categories of Personal Data transferred: Cookies, IP addresses, device IDs, user agent, time stamp, browser type and version, and Connatix ID.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: No Sensitive Data is being transferred.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal Data will be transferred continuously throughout the duration of the underlying Agreement.
Nature of the processing: Providing and enabling placement of advertisements on the Publisher Sites, targeting, analytics and other activities set forth under “Activities relevant to the data transferred under these Clauses” above.
Purpose(s) of the data transfer and further processing: For the purposes set out in the Agreement.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Data Importer will assess the Personal Data it has imported against its privacy policy commitments, retention policies, and data minimization obligations under applicable laws, including Data Protection Laws, and only retain such Personal Data in compliance with such requirements.
For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing: Where the Data Importer engages (Sub-)Processors it will do so in compliance with the terms of the Standard Contractual Clauses. The subject matter, nature and duration of the Processing activities carried out by such a Processor will be consistent with the Data Importer’s conspicuously available and legally compliant privacy policy.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 SCCs): Ireland.
Annex II
Connatix’s Technical and Organizational Security Measures
As required by Data Protection Laws, to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons, the following describes each Party’s technical and organizational security measures, including where the Standard Contractual Clauses apply under this DPA:
| Measure | Description |
| --- | --- |
| Measures of pseudonymization and encryption of Personal Data | Industry standard encryption technologies for Personal Data transmitted over public networks, transmitted wirelessly, or at rest. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Security policies with clearly established accountability and dedicated staff responsible for the development, implementation, and maintenance of each Party’s information security program. Data security controls that include restricted access to data and systems using commercially available and industry standard encryption technologies for Personal Data. Network security controls that provide for the use of firewalls and other traffic and event correlation procedures designed to protect systems from intrusion and mitigate the scope of any successful attack. Vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code. Business continuity and disaster recovery procedures designed to maintain service and/or recover from foreseeable emergency situations or disasters. |
| Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident | Incident management procedures designed to allow each Party to investigate, respond to, mitigate, and notify of events related to each Party’s technology and information assets. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | Annual external penetration testing that seeks to identify external and internal vulnerabilities. |
| Measures for user identification and authorization | Each Party’s access controls are designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., granting access on a need-to-know basis, use of unique IDs and passwords for all users, periodic review, and changing access promptly when employment terminates or changes). Password controls designed to manage and control password strength, expiration, and usage, including prohibiting users from sharing passwords and requiring that each Party’s passwords meet stringent requirements. Multi-factor authentication is used in both corporate and production environments where applicable. |
| Measures for the protection of data during transmission | Industry standard encryption technologies for Personal Data that is transmitted over the Internet. |
| Measures for the protection of data during storage | Industry standard encryption technologies for Personal Data that is at rest. |
| Measures for ensuring physical security of locations at which Personal Data are processed | The Services and Sites, respectively, are hosted in the public cloud, so the environmental security of the data center is managed by the cloud provider. These physical security controls are designed to: (i) protect information assets from unauthorized physical access; (ii) manage, monitor, and log movement of persons into and out of the Party’s respective systems; and (iii) guard against environmental hazards such as heat, fire, and water damage. |
| Measures for ensuring events logging | System audit or event logging and related monitoring procedures to record user access and system activity for routine review. |
| Measures for ensuring system configuration, including default configuration | Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to industry standards, including disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable as possible and in accordance with industry standards prior to final disposal or release from each Party’s possession. |
| Measures for internal IT and IT security governance and management | Change management procedures and tracking mechanisms designed to test, approve, and monitor changes to each Party’s technology and information assets. |
| Measures for certification/assurance of processes and products | Policies and procedures with clearly established accountability for security at the senior management level and dedicated staff responsible for the development, implementation, and maintenance of each Party’s information security program. |
| Measures for ensuring data minimization | Personal Data collection and processing is limited to what is relevant and necessary to accomplish each Party’s processing purposes or as otherwise permitted by Data Protection Laws. |
| Measures for ensuring limited data retention | Personal Data is deleted according to each Party’s data retention policies and legal obligations, or earlier upon a consumer rights request, subject to each Party’s standard backup schedule. |
| Measures for ensuring accountability | Each Party keeps evidence of the steps taken to comply with Data Protection Laws and puts in place appropriate technical and organizational measures, such as: (i) adopting and implementing data protection policies (where proportionate), (ii) putting written contracts in place with organizations that process Personal Data on its behalf, (iii) maintaining documentation of each Party’s processing activities, (iv) implementing appropriate security measures, (v) recording and, where necessary, reporting Personal Data breaches, and (vi) carrying out data protection impact assessments for uses of Personal Data that are likely to result in high risk to individuals’ interests, to the extent required by Data Protection Laws. Each Party reviews and updates its accountability measures at appropriate intervals. |
Appendix B
UK Addendum
Regarding Personal Data that is protected by the UK GDPR, the UK Addendum will apply, completed as follows: (a) the EU SCCs, completed as set out above in Annex I, shall also apply to transfers of such Personal Data, as amended by Tables 1 to 3 of the UK Addendum; and (b) Tables 1 to 3 of the UK Addendum shall be deemed completed with the relevant information from the EU SCCs, completed as set out in Annex I above, and the options “importer” and “exporter” shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the date of the Agreement. Personal Data received from the importer is not combined with Personal Data collected by the exporter.