Data Processing Agreement
Last updated and effective: April 17, 2025.
This Data Processing Addendum (“DPA”) forms part of and is incorporated into a Digital Advertising Services Agreement, a Master Services Agreement, the StackAdapt Platform Terms of Use or any other written or electronic agreement (the “Agreement”) between StackAdapt Inc. or one of its affiliates (“StackAdapt”) and you, as the customer (“Client”, and collectively, the “Parties”) for the services made available through the StackAdapt platform (identified either as the “Services” or the “Platform” herein, as the context requires). This DPA reflects the Parties’ agreement with regard to the Processing of Personal Data.
1. DEFINITIONS
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. In this DPA, the following terms shall have the meanings set out below:
“Data Protection Laws” means any and all applicable data protection, security, or privacy-related laws, statutes, directives, or regulations in full force and effect in the United States, Canada, Singapore, the European Economic Area (“EEA”) or the United Kingdom to the extent they apply to the Personal Data Processed under the Agreement, including but not limited to: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”) together with any amending or replacement legislation, and any EU Member State laws and regulations promulgated or incorporated thereunder; (b) the UK Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (c) the Singapore Personal Data Protection Act; and (d) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 and any regulations promulgated thereunder, as each may be amended, extended or re-enacted from time to time. For the avoidance of doubt, if a Party’s activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this DPA.
“Data Subject” means an identified or identifiable natural person whose Personal Data is being Processed. Where applicable, the term “Data Subject” shall refer to “Consumer” as that term is defined under Data Protection Laws.
“Online Tracking Technologies” means any technology, tool, or code (including cookies, tags, pixels, SDKs, APIs, local shared objects, and scripts) that enables access to or storage of information on a device, including but not limited to, as embedded on Client’s digital properties, servers, advertisements or creative materials.
“Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household, or is otherwise defined as “personal data,” “personal information,” or “personally identifiable information” by applicable Data Protection Laws.
“Regulatory Authority” means the applicable public authority or government agency responsible for supervising compliance with Data Protection Laws, including but not limited to: the UK Information Commissioner’s Office; EU Member State supervisory authorities; the Singapore Personal Data Protection Commission; the California Privacy Protection Agency; and U.S. state attorneys general.
“Prohibited Data” means: (i) any information revealing race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (ii) an individual’s full date of birth; (iii) maiden name of an individual’s mother; (iv) an individual’s digitized or other electronic signature; (v) genetic data; (vi) biometric data; (vii) data concerning health, which includes all individually identifiable health information that is subject to the Health Insurance Portability and Accountability Act; (viii) data concerning a natural person’s sex life or sexual orientation; (ix) any personal data regarding a minor under the age of 17, or if Applicable Laws of any jurisdiction otherwise define a child or a minor as another age, then personal data regarding a child as thereby defined by the Applicable Laws; (x) any financial account numbers, including financial institution or bank account number, credit or debit card number, security or access code, password, expiration date, or PIN associated with financial or customer account information, regardless of whether such information is combined with or stored separately from the financial information, or any other information subject to the Payment Card Industry Data Security Standards, the Gramm-Leach-Bliley Act, or the Fair Credit Reporting Act; (xi) a user name, email address or other unique electronic identifier or routing code, which is sent in combination with a personal identification code, password, or security question and answer that would permit access to an online account; (xii) insurance plan numbers that can be used to identify an individual; (xiii) any government-issued identifiers or identification; (xiv) any information about individuals domiciled outside the United States or Canada; (xv) any data subject to the Family Educational Rights and Privacy Act; or (xvi) any other “Sensitive Personal Data”, “Special Categories of Data” or substantially similar categories of Personal Data, as defined under Data Protection Laws.
“Standard Contractual Clauses” means (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, the EU SCCs as amended by the UK Addendum.
“Subprocessor” means, when StackAdapt is acting as a Processor, any third party appointed by StackAdapt to Process Personal Data in connection with the Agreement.
The terms “Business,” “Business Purpose,” “Controller,” “Process,” “Processor,” “Sale,” “Service Provider,” “Share,” and “Third Party” shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The Parties acknowledge and agree that, for the purposes of Data Protection Laws, with regard to the Processing of Personal Data described in Appendix 1 to this DPA:
- Where the Parties jointly determine the purposes and means of the Processing of Personal Data, in accordance with Data Protection Laws, the Parties shall be considered joint Controllers.
- Where StackAdapt Processes Client’s Personal Data solely on Client’s behalf and in accordance with Client’s instructions, Client shall be the Controller and StackAdapt shall be a Processor. Where StackAdapt acts as a Processor, section 4 of this DPA shall also apply.
- Where StackAdapt shares StackAdapt Data with Client, the Parties shall be considered independent Controllers.
2.2 Compliance with Data Protection Laws. Each Party shall use all efforts necessary to comply with the obligations imposed on it by applicable Data Protection Laws with regard to Personal Data Processed in connection with Services. Each Party shall inform the other Party promptly if, in its opinion, any development or change of the Processing of such Personal Data breaches the Data Protection Laws. In the event of a material change to Data Protection Laws, such as any change that results in a different classification of a Party in relation to the Services, data localization, or if a transfer mechanism is deemed invalid, the Parties will negotiate a suitable resolution in good faith.
2.3 Notice and Choice. Client warrants that for the purposes of the Agreement and the provision of the Services: (i) it has notified Data Subjects, through appropriate means reasonably designed to satisfy the obligations under Data Protection Laws, about the Processing of Personal Data by Client and StackAdapt, including the use of Online Tracking Technologies; (ii) it is lawfully permitted to share the relevant Personal Data with StackAdapt in connection with the provision of the Services; (iii) where required by Data Protection Laws, it has implemented a mechanism to obtain consent or facilitate opt-outs from Data Subjects, including on any digital properties on which Client deploys Online Tracking Technologies to collect Personal Data; and (iv) it will not disclose or make available to StackAdapt any Personal Data relating to Data Subjects that have not consented to, have opted out of, or have otherwise exercised other rights that bar the Processing performed under the Agreement (as applicable), unless this is for the purpose of suppressing such Data Subjects from marketing. Where requested by StackAdapt, required pursuant to Data Protection Laws, or by order, request or other instruction of a Regulatory Authority, Client agrees to provide documentation evidencing that such consent has in fact been obtained from Data Subjects.
2.4 Prohibited Data. The Client shall not provide Prohibited Data to StackAdapt.
2.5 California Personal Data Processing. To the extent the Parties Process Personal Data subject to the CCPA, the following terms shall also apply:
- The receiving Party (acting as the “Third Party”) will provide the same level of privacy protection to the Personal Data as required of the disclosing Party (acting as the “Business”) by the CCPA.
- The Personal Data is made available to the Third Party solely for the purposes specified in the Agreement and Appendix 1.
- Subject to Section 6 of this DPA, the Business shall be permitted to take reasonable and appropriate steps to ensure the Third Party’s compliance with the CCPA and this DPA, including any reasonable steps to stop and remediate any unauthorized use of Personal Data.
- The Third Party shall promptly notify the Business in writing if at any time the Third Party makes a determination that it can no longer meet its obligations under the CCPA.
- With respect to Services for which StackAdapt acts as a Processor, the Parties agree that Client is acting as the Business and StackAdapt is acting solely as a Service Provider with respect to the Processing of Client’s Personal Data. When StackAdapt is a Processor, StackAdapt will not: (i) Sell or Share Client’s Personal Data; (ii) retain, use, or disclose Client’s Personal Data (a) except as necessary to perform the Business Purpose or (b) outside the direct business relationship between StackAdapt and Client; or (iii) combine Client’s Personal Data received from Client with Personal Data that StackAdapt receives from or on behalf of another person or persons, or collects from its own interaction with a Data Subject, provided that StackAdapt may combine such information to perform any Business Purpose.
2.6 Third Party Partners. If Client directs StackAdapt to either: (i) disclose Personal Data to certain third party partners of Client; or (ii) Process Personal Data received from a third party partner at Client’s direction, Client represents and warrants that it has executed an agreement with each such third party partner that contemplates such Personal Data disclosure and Processing.
3. RIGHTS OF DATA SUBJECTS
3.1 To the extent the Parties are joint or independent Controllers, each Party will process its own requests from Data Subjects to exercise their rights. With respect to requests from, or on behalf of, Data Subjects relating to the Processing of Personal Data that is shared between the Parties, including requests to opt out of the Sale/Share of Personal Data pursuant to the CCPA, the Parties will collaborate to honor such objections or opt-out requests.
3.2 When StackAdapt is a Processor, if a Data Subject makes a lawful request directly to StackAdapt seeking to exercise any right available to it under Data Protection Laws that references Client, StackAdapt shall not respond to such communication directly without Client’s prior authorization, unless required by applicable law. To the extent Client does not have direct access to Personal Data through its use of the Services, and therefore does not have the ability to address such Data Subject request itself, StackAdapt shall, upon Client’s request, provide commercially reasonable cooperation to assist Client to respond, to the extent required under Data Protection Law.
4. PROCESSOR REQUIREMENTS
The following provisions shall apply where StackAdapt Processes Client’s Personal Data as a Processor.
4.1 Client Instructions. StackAdapt will Process the Client’s Personal Data in accordance with Client’s instructions in the Agreement, unless prohibited from doing so by law to which StackAdapt is subject; in such a case, StackAdapt shall inform Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
4.2 Confidentiality. StackAdapt shall ensure that its personnel engaged in the Processing of Client’s Personal Data are informed of the confidential nature of the Personal Data, and are under a duty of confidentiality.
4.3 Limitation of Access. StackAdapt shall ensure that StackAdapt’s access to Client’s Personal Data is limited to those personnel performing Services in accordance with the Agreement.
4.4 Cooperation. To the extent that the required information is reasonably available to StackAdapt, and Client does not otherwise have access to the required information, StackAdapt will provide reasonable assistance to Client with any data protection impact assessments, and prior consultations with Regulatory Authorities to the extent required by applicable Data Protection Laws.
4.5 Subprocessors. StackAdapt may entrust Subprocessors with the Processing of Client’s Personal Data under this DPA for the purposes of performing Services in accordance with the Agreement. StackAdapt may provide notification of any new Subprocessors before authorizing such new Subprocessors to Process Client’s Personal Data in connection with the provision of the Services, and Client shall be responsible for receipt and review of such notification. Client may object to the Processing of Client’s Personal Data by the new Subprocessor on reasonable and explained grounds. The Parties will use good-faith efforts to resolve Client’s objection. In the absence of a resolution, StackAdapt will use commercially reasonable efforts to provide Client with the same level of service without using the Subprocessor to Process Client’s Personal Data.
5. SECURITY
5.1 Controls for the Protection of Personal Data. In the context of the Processing of Personal Data, the Parties shall maintain appropriate technical and organizational measures designed to protect the security (including against unauthorized or unlawful Processing of, and against accidental or unlawful destruction, loss or alteration, unauthorized disclosure of, or access to data), confidentiality, and integrity of Personal Data. The Parties shall monitor compliance with these measures in accordance with their respective internal information security programs (as to StackAdapt, as set forth in Appendix 2 of this DPA).
5.2 Data Security Incident Management and Notification. Each Party shall maintain security incident management policies and procedures, and shall notify the other without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data that is transmitted or stored by the Party or its Subprocessors which results in any actual loss or unauthorized use of Personal Data (a “Data Security Incident”). The Party responding to the Data Security Incident shall make reasonable efforts to identify the cause of such Data Security Incident and take those steps as it deems reasonably necessary in order to remediate the cause of any such Data Security Incident, to the extent the remediation is within its reasonable control and is required by Data Protection Laws. In the event of a Data Security Incident, the Party responding to the Data Security Incident shall cooperate in a reasonable manner with the other Party to allow the other Party to notify the relevant data protection authority within 48 (forty-eight) hours (or any other time limit required under Data Protection Laws) from the time the Party responding to the Data Security Incident becomes aware of the Data Security Incident. Before any such notification is made, the other Party shall consult with and provide the Party responding to the Data Security Incident an opportunity to comment on any notification made in connection with the Data Security Incident. Neither Party shall make any such Data Security Incident public without the other Party’s prior consent. Nothing in this DPA shall be construed to require either Party to violate, or delay compliance with, any legal obligation it may have with respect to the Data Security Incident.
6. AUDIT
Each Party shall provide the other Party with all relevant information relating to the Processing of Personal Data in connection with the performance of the Agreement (including the means and storage of, and the country of origin and/or destination of, such Personal Data) to enable the other Party to demonstrate compliance with the obligations laid down under the Data Protection Laws. Upon reasonable request, each Party shall reasonably cooperate with the other Party in relation to any audit necessary and reasonably required for the Processing of Personal Data in connection with the performance of the Agreement. Any audit shall be: (i) at the requesting Party’s expense; (ii) subject to a mutually agreed upon scope; (iii) conducted by the requesting Party or a mutually agreed upon third-party auditor who has signed a nondisclosure agreement with the audited Party; and (iv) subject to the confidentiality obligations set forth in the Agreement. The auditing Party shall use reasonable endeavours to minimize any disruption caused to the audited Party’s business activities as a result of an audit. Audits shall take place no more than once in any calendar year unless and to the extent that the auditing Party (acting reasonably and in good faith) has reasonable grounds to suspect any material breach of this DPA.
7. CROSS-BORDER DATA TRANSFERS
7.1 Transfers of EEA, Swiss, or UK Personal Data. Where the Processing of Personal Data includes transfers from the European Economic Area (“EEA”), Switzerland, or the United Kingdom to countries which are deemed to provide inadequate levels of data protection (“Other Countries”), if required by Data Protection Laws, the Parties agree to: (i) execute the model clauses adopted by the relevant data protection authorities of the European Commission or the UK Secretary of State as set forth in this Section 7 (if applicable); or (ii) comply with any of the other mechanisms provided for under Data Protection Laws for transferring Personal Data to such Other Countries. Additional information required by the Standard Contractual Clauses is set forth in Appendix 1 and 2 attached hereto.
7.2 EU SCCs Modules. The Parties agree that for transfers of Personal Data from the EEA, the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as annexed to Commission Implementing Decision 2021/914 of 4 June 2021 (the “EU SCCs”), are hereby incorporated by reference into this DPA as follows:
- Where the disclosing Party is located in non-adequacy approved third countries, and the receiving Party is established in the EEA or is otherwise transferring the Personal Data of EEA Data Subjects (either directly or via onward transfer) (“Restricted Transfer”): where the Parties are Controllers, Module 1 (Transfer controller to controller), Clauses 1 to 8 and 10 to 18, shall apply; and where StackAdapt is a Processor, Module 2 (Transfer controller to processor), Clauses 1 to 18, shall apply. Both modules apply with the following exceptions: (i) in Clause 7 (Docking Clause), the Optional provision shall NOT apply; (ii) in Clause 11(a) (Redress), the Optional provision shall NOT apply; (iii) in Clause 17 (Governing Law), Option 1 shall apply, and the laws of the Republic of Ireland shall govern; and (iv) in Clause 18 (Choice of forum and jurisdiction), the courts of the Republic of Ireland shall have jurisdiction.
- The EU SCCs shall come into effect under Section 7.2 on the later of: (i) the data exporter becoming a Party to them; (ii) the data importer becoming a Party to them; and (iii) commencement of the relevant Restricted Transfer.
7.3 UK Model Clauses. The Parties agree that for transfers of Personal Data from the United Kingdom, the International Data Transfer Addendum to the EU SCCs, issued by the UK ICO under S119A(1) Data Protection Act 2018 and in force March 21, 2022 (the “UK Addendum”), shall apply. The start date in Table 1 of the UK Addendum shall be the date that the Parties have executed Appendix 1. The selection of modules and optional clauses shall be as described in Sections 7.1 and 7.2 above, subject to any revisions or amendments required by the UK Addendum. All other information required by Tables 1-3 is set forth in Appendix 1 and 2. For the purposes of Table 4, the Parties agree that both the importer and exporter may end the UK Addendum as set out in Section 19 of the UK Addendum.
7.4 Swiss Data Transfers. The Parties agree that for transfers of Personal Data from Switzerland, the terms of the EU SCCs shall be amended and supplemented as specified by the relevant guidance of the Swiss Federal Data Protection and Information Commissioner, and the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.
8. LIMITATION OF LIABILITY
The “Limitation of Liability” terms under the Agreement shall apply to all claims, demands, suits, causes of action, awards, judgments and liabilities, including reasonable attorneys’ fees and costs, arising out of or alleged to have arisen out of either Party’s breach of its obligations under this DPA.
9. PRIOR AGREEMENT
Unless a prior agreement precludes the Parties from entering into this DPA, this DPA and the Agreement shall supersede all prior discussions and agreements and constitutes the entire agreement and understanding between the Parties with respect to its subject matter.
10. MODIFICATIONS
If necessitated by amendments in Data Protection Laws or any other applicable laws or regulations or by developments in StackAdapt’s Services or Platform, StackAdapt may modify this DPA unilaterally to the extent it is reasonably necessary.
11. GOVERNING LAW
Without prejudice to the relevant provisions of any applicable transfer mechanisms identified in Section 7 of this DPA, including the EU SCCs and UK Addendum, the Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this DPA is governed by the laws of the country or territory stipulated for this purpose in the Agreement.
Appendix 1
Description of Processing
1. CONTROLLER (CUSTOMER) TO CONTROLLER (STACKADAPT)

| Item | Description |
|---|---|
| Parties | Disclosing Controller/Business (Importer) is Client; Recipient Controller/Third Party (Exporter) is StackAdapt |
| Categories of Data Subjects | Clients or prospects of Client; users and visitors to Client’s digital properties (websites, mobile applications); individuals responding to Client’s advertisements; Client’s employees and/or users of the Services |
| Nature and Purpose(s) of the Processing | Performance of Services as described in the Agreement, including marketing, cross-context behavioral/targeted advertising and measurement. |
| Categories of Personal Data | ☒ Personal identifiers: online identifiers; IP address; cookie ID; device ID. At the request of the Company: email, first name, last name, phone, address. ☒ Internet or other electronic network activity information: e.g., referral URL; user agent; and information on a consumer’s interaction with a website, application, or advertisement. |
| Duration of Processing | As agreed between the Parties in this DPA or the Agreement. Additional permitted purposes may include legal, regulatory, backup, archival, accounting, and/or audit purposes. |

2. CONTROLLER (CUSTOMER) TO PROCESSOR (STACKADAPT)

| Item | Description |
|---|---|
| Parties | Controller (Importer) is Client; Processor (Exporter) is StackAdapt |
| Instructions for Processing | As described in the Agreement and relevant insertion order |
| Categories of Data Subjects | Clients or prospects of Client; users and visitors to Client’s digital properties (websites, mobile applications); individuals responding to Client’s advertisements |
| Nature and Purpose(s) of the Processing | Sending email campaigns on behalf of, for the benefit of and under the instructions of the Client; onboarding Personal Data for identity resolution. |
| Categories of Personal Data | ☒ Personal identifiers: e.g., name; alias; postal address; online identifiers; IP address; email address; account name; or hashed identifiers. |
| Duration of Processing | As agreed between the Parties in this DPA or the Agreement. Additional permitted purposes may include legal, regulatory, backup, archival, accounting, and/or audit purposes. |

3. CONTROLLER (STACKADAPT) TO CONTROLLER (CUSTOMER)

| Item | Description |
|---|---|
| Parties | Disclosing Controller/Business (Importer) is StackAdapt; Recipient Controller/Third Party (Exporter) is Client |
| Instructions for Processing | As described in the Agreement and relevant insertion order |
| Categories of Data Subjects | Individuals responding to Client’s advertisements |
| Nature and Purpose(s) of the Processing | Measurement and analytics of campaigns activated via the StackAdapt services |
| Categories of Personal Data | ☒ Personal identifiers: online identifiers; IP address; cookie ID; device ID. |
| Duration of Processing | As agreed between the Parties in this DPA or the Agreement. Additional permitted purposes may include legal, regulatory, backup, archival, accounting, and/or audit purposes. |
Appendix 2
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE PERSONAL DATA
This Appendix outlines the technical and organizational measures implemented by StackAdapt to safeguard Personal Data. StackAdapt’s security measures include, but are not limited to:
Security Program
StackAdapt’s security program and control environment are aligned with elements of both the ISO 27001 standard and the NIST Cybersecurity Framework (CSF). StackAdapt has established a formal set of security policies, standards and guidelines which govern how security controls and mechanisms are implemented throughout the organization. Responsibility for maintaining policies lies with the Director of Information Security. Policy reviews take place on a periodic basis (typically annually). Information security policies are available to StackAdapt employees via shared knowledge base software. Information security policies and plans relate to the following:
Policies and Plans:
- Acceptable Use Policy
- Access Management Policy
- Change Management Policy
- Cryptographic Controls and Key Management Policy
- Backup Policy
- Disaster Recovery and Business Continuity Plan
- Enterprise Asset Management Policy
- Information Security Policy
- Information Security Risk Management Policy
- Password Policy
- Security Awareness Training Management Policy
- Security Incident Response Plan
- Security Logging & Monitoring Policy
- Software Asset Management Policy
- Social Media Policy
- Threat & Vulnerability Management Policy
- Vendor Security Policy
Standards:
- Data Classification Standard
- Endpoint Patch Management Standard
- Identity and Access Management Standard
- Security Incident and Event Standard
Guidelines:
- Data Handling Guidelines
- Password Construction Guidelines
- Public Wi-Fi Security Guidelines
- User Phishing Guidelines
- Vulnerability and Patch Management Guidelines
Technical Security Controls
StackAdapt implements and maintains reasonable industry-standard technical security controls designed to protect Personal Data against accidental or unlawful access, disclosure, alteration, loss and destruction. StackAdapt employs a number of technical security controls, including but not limited to:
- Product Security: StackAdapt leverages modern and secure open-source frameworks along with security controls to limit exposure to the most critical security risks to web applications outlined within the ‘OWASP Top 10’. These controls reduce exposure to security risks such as SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), among others. StackAdapt’s code is also audited using automated static analysis software, tested, and manually peer-reviewed prior to being deployed to production environments.
- Credential Security: StackAdapt does not store customer passwords in plaintext; StackAdapt selects password hashing algorithms to strike a balance between user experience and password cracking complexity.
- Authentication: Users authenticate to the StackAdapt Platform via two-factor authentication [2FA – also known as multi-factor authentication (MFA)], using a Username and Password combination (i.e. something you know), as well as a second factor in the form of a time-based one-time password (TOTP), whereby codes are generated locally using an application on users’ mobile devices or else users can choose to receive the TOTP via SMS (i.e. something you have). 2FA is mandatory for all internal StackAdapt staff accessing the Platform. For clients, 2FA is a freely available feature, but not currently mandatory. StackAdapt recommends that customers enable this feature for added protection.
- Authorisation: Authorisation within the StackAdapt Platform is controlled via role and permission-based access, whereby application roles and permissions enable users to access the required features and information necessary (and restrict access to unauthorized areas). Role and permission tiers exist both for end users (customers) and internal StackAdapt users. For end users (customers), account admins may grant/change access for their team. For StackAdapt employees, key managers may grant/change access. Employee access is restricted to the minimum required to fulfill their role (i.e. following the principle of ‘least privilege’). User access rights are formally reviewed by management at periodic intervals (typically on a quarterly basis).
- Privileged Access: Access to sensitive IT infrastructure is limited to appropriate individuals and is managed and audited via an industry-standard proxy solution. Users are required to be initially connected via Virtual Private Network (VPN), which requires multi-factor authentication, in order to connect to sensitive IT infrastructure resources via the proxy gateways.
- Encryption: Data in transit is typically encrypted via HTTPS (i.e. HTTP over TLS/SSL). For data at rest, sensitive data (for example, ‘UserIDs’, ‘Passwords’, ‘API Keys’ and other ‘personal identifiers’) are secured using hashing algorithms. StackAdapt also makes use of full disk encryption for company laptops.
- Data Retention: StackAdapt has established controls and mechanisms to protect Personal Data at each stage of the data lifecycle, from collection/creation through to disposal. At the end of retention periods, where applicable, StackAdapt deletes all data from its computer systems, retrieval systems and databases.
- Event logging: Access logs and object read and write logs are continuously recorded, with active reviews conducted in the event of suspicious activity or detection of a security event or incident.
Physical Security
StackAdapt is a fully remote organisation, meaning that StackAdapt does not currently operate any physical office or data center premises. StackAdapt leverages the Amazon Web Services’ (AWS’) public cloud-based platform to support the delivery of key services to its customers. Physical security at AWS data centre facilities is the responsibility of the cloud service provider (i.e. AWS). AWS has been audited / accredited / certified against industry-leading security compliance requirements, including: ISO 27001, ISO 27017, ISO 27018, ISO 22301, SOC1 (Type II), SOC 2 (Type II), SOC3, CSA-STAR (Level 1, Level 2 and Level 3), etc. Refer to ‘AWS Compliance Programs’ for a full list of Security Compliance Certifications and Accreditations: https://aws.amazon.com/compliance/programs/.
IT Resilience
StackAdapt has a formally documented Disaster Recovery and Business Continuity Plan, which governs StackAdapt’s approach to ensuring resilience within its IT systems, as well as responding effectively when facing a Disaster Event. Testing of the plan is carried out annually. In addition, StackAdapt has a data backup program which involves continuously performing backups of key data residing within StackAdapt’s cloud-based environment. This is achieved by leveraging AWS’ native backup solutions.
Security Incident Response
StackAdapt’s Security Incident Response Plan (SIRP) governs how StackAdapt detects, analyzes, contains, eradicates and/or responds to a security incident, as well as conducting post-incident activities (e.g. ‘lessons learned’ activities). The SIRP outlines the key individuals involved in responding to a security incident, as well as the specific roles & responsibilities in each case. The SIRP also outlines the procedures for determining whether formal notification to customers and regulatory bodies is required, along with specific timelines to adhere to in each case.
Vendor Security
StackAdapt performs risk assessments in order to identify and manage information security risks associated with StackAdapt’s vendors. Currently, vendor information security risk assessments are conducted during the onboarding stage (or at the contract renewal stage for existing vendors). Assessments of vendors’ information security controls and processes are conducted by issuing ‘Security Questionnaires’ and assessing the vendors’ responses, as well as reviewing supporting evidence requested as part of the questionnaires. Any key information security risks will be identified as part of these assessments and communicated to product owners, as well as being managed internally.
Independent Assessments
StackAdapt is compliant with the SOC 2 standard, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage and secure Personal Data. StackAdapt is subject to a recurring annual audit of its Internal Controls over Financial Reporting, which is currently conducted by independent audit specialists Deloitte; as part of this review, IT General Controls (i.e. controls related to change management, logical access and IT Operations) supporting key IT systems involved in the financial reporting process are assessed.
For the StackAdapt Platform, attack and penetration testing exercises (PEN tests) are conducted by a specialist independent third party organisation on an annual basis.