StackAdapt Cookie Notice

Our website uses cookies to ensure you get the best browsing experience. By using our website, you agree to our use of cookies. Go to our Cookie Policy to learn more.

Learn More

Data Processing Agreement

This Data Processing Addendum ("DPA") forms part of the Digital Advertising Services Agreement, the StackAdapt Terms of Use, as applicable, or other written or electronic agreement between StackAdapt Inc. ("StackAdapt") and you ("Company") (collectively, the "Parties") for the services made available through the StackAdapt Platform (identified either as "Services" "Platform" or otherwise in the applicable agreement, and hereinafter defined as "Services") (the "Agreement") to reflect the Parties' agreement with regard to the Processing of Company Personal Data.

1. Definitions

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. In this DPA, the following terms shall have the meanings set out below:

"Company Personal Data" means any Personal Data which Company provides directly to StackAdapt or which is provisioned by or through Company's use of the StackAdapt Services pursuant to the Agreement.

"Data Protection Assessment" means an assessment of the impact of processing operations on the protection of Personal Data and the rights of Data Subjects, or is otherwise defined as a "Data Protection Assessment", "Data Protection Impact Assessment", or "Risk Assessment" by applicable Data Protection Laws.

"Data Protection Laws" means any and all applicable data protection, security, or privacy-related laws, statutes, directives, or regulations in full force and effect in the United States, including but not limited to: (a) the EU General Data Protection Regulation 2016/679 ("GDPR") together with any amending or replacement legislation, and any EU Member State laws and regulations promulgated or incorporated thereunder; (b) the UK Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); (c) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. ("CCPA"), together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 and any regulations promulgated thereunder; (d) the Virginia Consumer Data Protection Act of 2021, Va. Code Ann. § 59.1-571 to -581; (e) the Colorado Privacy Act of 2021, Co. Rev. Stat. § 6-1-1301 et seq.; (f) Connecticut Public Act No. 22-15, "An Act Concerning Personal Data Privacy and Online Monitoring"; (g) the Utah Consumer Privacy Act of 2022, Utah Code Ann. § 13-61-101 et seq.; and (h) all other equivalent laws and regulations in any relevant jurisdiction within the United States relating to Personal Data and privacy, and as each may be amended, extended or re-enacted from time to time.

"Data Subject" means an identified or identifiable natural person whose Personal Data is being Processed. Where applicable, the term "Data Subject" shall refer to "Consumer" as that term is defined under Data Protection Laws.

"Personal Data" means information that identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household, or is otherwise defined as "personal data", "personal information", or "personally identifiable information" by applicable Data Protection Laws.

"Regulatory Authority" means the applicable public authority or government agency responsible for supervising compliance with Data Protection Laws, but not limited to: the UK Information Commissioner's Office; EU Member State supervisory authorities; the California Privacy Protection Agency; and U.S. state attorneys general.

"Subprocessor" means any third party appointed by StackAdapt to Process Company Personal Data in connection with the Agreement.

The terms "Business", "Business Purpose", "Controller", "Process", "Processor", "Sale", "Service Provider", "Share", and "Third Party" shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.

2. Processing of Personal Data

2.1 Roles of the Parties

The Parties acknowledge and agree that, for the purposes of Data Protection Laws, with regard to the Processing of Company Personal Data:

  1. where each party separately determines, on its own, the means of the Processing of Personal Data, in the context of the performance of the Agreement, each party shall be a Controller in its own right (i.e., an Independent Controller and not joint Controllers).
  2. where the Parties jointly determine the purposes and means of the Processing of Company Personal Data, in accordance with Article 26 of the GDPR, the Parties shall be considered joint Controllers.

2.2 Rights and Obligations

Each party shall comply with the obligations imposed on it by applicable Data Protection Laws with regard to Personal Data Processed in connection with Services. Each Party shall ensure that it is lawfully permitted to share the relevant Personal Data with the other Party in connection with the provision of the Services and shall inform the other Party promptly if, in its opinion, any development or change of the joint Processing of such Personal Data infringes the Data Protection Laws. Where the Parties are considered joint Controllers in respect of the Processing of Personal Data under this DPA:

  1. StackAdapt shall be responsible for providing notice to relevant data subjects for Company Personal Data provisioned by or through Company's use of the StackAdapt Services satisfying the requirements of Article 14 of the GDPR;
  2. Company shall be responsible for providing notice to relevant data subjects for Company Personal Data that Company derives independently of StackAdapt satisfying the requirements of Article 13 of the GDPR; and
  3. StackAdapt shall be the designated point of contact for any data subjects who wish to exercise the data subject rights related to Company Personal Data provisioned by or through Company's use of the StackAdapt Services as set out in Chapter 3 of the GDPR, subject to Section 3 of this DPA.

2.3 California Personal Data Processing

With respect to the CCPA, the Parties agree that Company is acting as the Business/Controller and StackAdapt is acting solely as a Third Party with respect to the Processing of Company Personal Data. The Company Personal Data is made available to StackAdapt for the advertising purposes specified in the Terms of Use or Digital Advertising Services Agreement, as applicable. StackAdapt will sell or share the Company Personal Data to achieve the purposes specified in the Terms of Use or Digital Advertising Services Agreement, as applicable. In the performance of these Services, StackAdapt shall comply with the CCPA, inclusive of all applicable security requirements. Subject to Section 6 of this DPA, Company shall be permitted to take reasonable and appropriate steps to ensure StackAdapt's compliance with the CCPA and this DPA, including any reasonable steps to stop and remediate any unauthorized use of Company Personal Data. StackAdapt shall promptly notify Company in writing (but in no event later than 72 hours after making the relevant determination) if at any time StackAdapt makes a determination that it can no longer meet its obligations under the CCPA.

3. Rights of Data Subjects

The primary joint Controller shall be responsible for responding to Data Subject requests and the secondary joint Controller shall provide assistance in ensuring compliance with the obligation to reply to any request from Data Subjects in exercise of their rights granted under the Data Protection Laws. The responsible Controller shall be determined as follows: if the data requested by the Data Subject can be attributed to Company Personal Data, Company shall be considered the primary joint Controller. Taking into account the nature of the Processing and the Company Personal Data, StackAdapt shall assist Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Company's obligation to respond to a Data Subject Request under Data Protection Laws. To the extent legally permitted, Company shall be responsible for any costs arising from StackAdapt's provision of such assistance. In all other cases the Controller contacted by the Data Subject shall be the responsible Controller.

4. Personnel

4.1 Confidentiality

StackAdapt shall ensure that its personnel engaged in the Processing of Company Personal Data are informed of the confidential nature of the Company Personal Data, and are under a duty of confidentiality.

4.2 Reliability

StackAdapt shall endeavor, in the exercise of its reasonable business discretion, to ensure the reliability of any StackAdapt personnel engaged in the Processing of Company Personal Data.

4.3 Limitation of Access

StackAdapt shall ensure that StackAdapt's access to Company Personal Data is limited to those personnel performing Services in accordance with the Agreement.

4.4 Processors

StackAdapt may entrust Processors with Processing of Personal Data under this DPA for the purposes of performing Services in accordance with the Agreement. StackAdapt may provide notification of any new Processors before authorizing such new Processor to Process Company Personal Data in connection with the provision of the Services and Company shall be responsible for receipt and review of such notification. Company may object to the Processing of Company Personal Information by the new Processor, for reasonable and explained grounds. The Parties will use good-faith efforts to resolve Company's objection. In the absence of a resolution, StackAdapt will use commercially reasonable efforts to provide Company with the same level of service, without using the Processor to Process Company's Personal Information.

5. Security

5.1 Controls for the Protection of Company Personal Data

In the context of the joint Processing of Company Personal Data, the Parties shall maintain appropriate technical and organizational measures designed to protect the security (including against unauthorized or unlawful Processing of, and against accidental or unlawful destruction, loss or alteration, unauthorized disclosure of, or access to data), confidentiality, and integrity of Company Personal Data. The Parties shall monitor compliance with these measures in accordance with their respective internal information security programs.

5.2 Data Security Incident Management and Notification

Each Party shall maintain security incident management policies and procedures, and shall notify the other without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company Personal Data that is transmitted or stored by the Party or its Subprocessors which results in any actual loss or unauthorized use of Company Personal Data (a "Data Security Incident"). The Party responding to the Data Security Incident shall make reasonable efforts to identify the cause of such Data Security Incident and take those steps as it deems reasonably necessary in order to remediate the cause of any such Data Security Incident, to the extent the remediation is within its reasonable control and is required by Data Protection Laws. In the event of a Data Security Incident, the Party responding to the Data Security Incident shall cooperate in a reasonable manner with the other Party to allow the other Party to notify the relevant data protection authority within 48 (forty-eight) hours (or any other time limit required under Data Protection Laws) from the time the Party responding to the Data Security Incident becomes aware of the Data Security Incident. Before any such notification is made, the other Party shall consult with and provide the Party responding to the Data Security Incident an opportunity to comment on any notification made in connection with the Data Security Incident. Neither Party shall make any such Data Security Incident public without the other Party's prior consent. Nothing in this DPA shall be construed to require either Party to violate, or delay compliance with, any legal obligation it may have with respect to the Data Security Incident.

6. Audit

Each Party shall provide the other Party with all relevant information relating to the joint Processing of Personal Data in connection with the performance of the Agreement (means, storage and country of origin and/or destination of such Personal Data) to enable the other Party to demonstrate compliance with the obligations laid down under the Data Protection Laws. Upon reasonable request, each Party shall reasonably cooperate with the other Party in relation to any audit necessary and reasonably required for the joint Processing of Personal Data in connection with the performance of the Agreement. Any Audit shall be: (i) at the requesting Party's expense; (ii) subject to a mutually agreed upon scope; (iii) conducted by the requesting Party or a mutually agreed upon third-party auditor who has signed a nondisclosure agreement with the audited Party; and (iv) subject to the confidentiality obligations set forth in the Agreement. The auditing Party shall use reasonable endeavours to minimize any disruption caused to the audited Party's business activities as a result of an audit. Audits shall take place no more than once in any calendar year unless and to the extent that the auditing Party (acting reasonably and in good faith) has reasonable grounds to suspect any material breach of this DPA.

7. Cross-Border Data Transfers

7.1 Transfers of EEA, Swiss, or UK Personal Data

Where the Processing of Company Personal Data includes transfers from the EEA, Switzerland, or the United Kingdom to countries which are deemed to provide inadequate levels of data protection ("Other Countries"), if required by Data Protection Laws, the Parties agree to: (i) execute the model clauses adopted by the relevant data protection authorities of the European Commission or the UK Secretary of State as set forth in this Section 9 (if applicable); or (ii) comply with any of the other mechanisms provided for under Data Protection Laws for transferring Company Personal Data to such Other Countries. Additional information required by the Standard Contractual Clauses is set forth in Annexes I and II attached hereto.

7.2 EU SCCs Modules

The Parties agree that for transfers of Company Personal Data from the European Economic Area ("EEA"), the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as annexed to Commission Implementing Decision 2021/914 of 4 June 2021 (the "EU SCCs"), are hereby incorporated by reference into this DPA as follows:

  1. Where StackAdapt Processes Personal Data as joint Controller pursuant to the terms of the Agreement, StackAdapt is located in non-adequacy approved third countries, and Company is established in the EEA or is otherwise transferring the Personal Data of EEA Data Subjects (either directly or via onward transfer) ("Restricted Transfer"); Module 1: Transfer controller to controller, Clauses 1 to 8, and 10 to 18 apply, with the following exceptions;
  2. In Clause 7 (Docking Clause) - the Optional provision shall NOT apply;
  3. In Clause 11(a) (Redress) - the Optional provision shall NOT apply;
  4. In Clause 17 (Governing Law) - Option 1 shall apply, and the courts Republic of Ireland shall govern; and
  5. In Clause 18 (Choice of forum and jurisdiction) - the courts Republic of Ireland shall have jurisdiction.

The EU SCCs shall come into effect under Section 7.2 on the later of: (i) the data exporter becoming a Party to them; (ii) the data importer becoming a Party to them; and (iii) commencement of the relevant Restricted Transfer.

7.3 UK Model Clauses

The Parties agree that for transfers of Company Personal Data from the United Kingdom, the International Data Transfer Addendum to the EU SCCs, issued by the UK ICO under S119A(1) Data Protection Act 2018 and in force March 21, 2022 (the "UK Addendum"), shall apply. The start date in Table 1 of the UK Addendum shall be the date that the Parties have executed Annex I. The selection of modules and optional clauses shall be as described in Sections 9.2 and 9.3 above, subject to any revisions or amendments required by the UK Addendum. All other information required by Tables 1-3 is set forth in Annexes I and II. For the purposes of Table 4, the parties agree that both the importer and exporter may end the UK Addendum as set out in Section 19 of the UK Addendum.

7.4 Swiss Data Transfers

The Parties agree that for transfers of Company Personal Data from Switzerland, the terms of the EU SCCs shall be amended and supplemented as specified by the relevant guidance of the Swiss Federal Data Protection and Information Commissioner, and the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.

8. Limitations of Liability

The "Limitation of Liability" terms under the Agreement shall apply to all claims, demands, suits, causes of action, awards, judgments and liabilities, including reasonable attorneys' fees and costs, arising out of or alleged to have arisen out of either Party's breach of its obligations under this DPA.

9. Modification

StackAdapt may amend any of the terms contained in this DPA in its sole discretion and without notice by posting a revised DPA online. Changes to this DPA will be effective as of the date posted unless a different date is specified. Company's continued use of the Services following any change to this DPA will constitute binding acceptance of the changes.

10. Prior Agreement

Unless a prior agreement precludes the Parties from entering into this DPA, this DPA shall supersede all prior discussions and agreements and constitutes the entire agreement and understanding between the Parties with respect to its subject matter.

11. Governing Law

Without prejudice to the relevant provisions of any applicable transfer mechanisms identified in Section 7 of this DPA, including the EU SCCs and UK Addendum, the Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this DPA and is governed by the laws of the country or territory stipulated for this purpose in the Agreement.

Appendix 1

Description of responsibilities between the Parties for the joint Processing of Company Personal Data.

A. Party responsible for determining the legal basis for joint Processing:

  1. StackAdapt with regard to Company Personal Data provisioned by or through Company's use of the StackAdapt Services pursuant to the Agreement;
  2. Company with regard to any data Company provides directly to StackAdapt and that Company derives independently of StackAdapt (e.g., CRM data).

B. Party responsible for deciding the system to be used to provide the Services?

  1. StackAdapt

C. Party responsible for determining the data categories to be Processed under the Agreement?

  1. Company

D. Party primarily responsible for the management of any transfer of Personal Data in connection with the performance of the Agreement?

  1. StackAdapt

E. Party primarily responsible for deciding which recipients are authorized to receive such data?

  1. Company

F. Party primarily responsible for determining the security measures for the Processing of Company Personal Data under the Agreement?

  1. StackAdapt

G. Party primarily responsible for the management of security measures for the Processing of Company Personal Data under the Agreement?

  1. StackAdapt

H. Party primarily responsible for providing notice as defined and described in relevant Data Protection Laws (i.e., making a privacy notice available) to Data Subjects?

  1. StackAdapt with regard to Company Personal Data provisioned by or through Company's use of the StackAdapt Services pursuant to the Agreement;
  2. Company with regard to any data Company provides directly to StackAdapt and that Company derives independently of StackAdapt (e.g., CRM data).

I. Party primarily responsible for hosting / storage of Company Personal Data?

  1. StackAdapt

Annex I

A. LIST OF PARTIES

Data exporter(s):

  1. Name: As listed in the Agreement.
  2. Address: As listed in the Agreement.
  3. Contact person's name, position and contact details: As listed in the Agreement.
  4. Activities relevant to the data transferred under these Clauses: As described in the Agreement.
  5. Role (controller/processor): Joint Controller

Data importer(s):

  1. Name: StackAdapt Inc.

  2. Address: 6D - 7398 Yonge St,

    Unit # 2161

    Thornhill, ON L4J 8J2

    Canada

  3. Contact person's name, position and contact details: Data Protection Officer, Email: legal@stackadapt.com
  4. Activities relevant to the data transferred under these Clauses: As described in the Agreement.
  5. Role (controller/processor): Joint Controller

B. DESCRIPTION OF THE TRANSFER

Categories of data subjects whose personal data is transferred:

The personal data transferred concern the following categories of data subjects:

  1. Clients of Data Exporter
  2. Website users and visitors of Data Exporter
  3. Individuals responding to Data Exporter's advertisement

Categories of personal data transferred:

The personal data transferred concern the following categories of data:

  1. Technical data: IP address, cookie ID, device ID, referral URL, and user agent
  2. At the request of Company: Email, First name, Last name, Phone, Address

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

  1. The processing of sensitive data is not anticipated.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

  1. Data will be transferred on a continuous basis.

Nature of the processing:

  1. The nature of the processing is the performance of Services as described in the Agreement and relevant insertion order.

Purpose(s) of the data transfer and further processing:

  1. The purpose of the processing is the performance of Services as described in the Agreement (e.g., Personal data is transferred for the purposes of delivering the Data Exporter's native, display, audio, in-game, video, DOOH, and Connected TV advertisements).

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

  1. As agreed between the Parties in this DPA or the Agreement. Additional permitted purposes may include legal, regulatory, backup, archival, accounting, and/or audit purposes.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

  1. Processors shall only retain Personal Data as long as necessary to complete the contractually agreed services.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13:

  1. The Republic of Ireland

Annex II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Information Security (Security) is a key area of focus for StackAdapt and our customers. In this context, security is about ensuring that StackAdapt implements a secure environment to protect the confidentiality, integrity and availability of our information and systems. StackAdapt clients trust our platform to plan, execute and analyze their programmatic advertising campaigns. That trust is based upon us ensuring that we employ reasonable industry standard security controls, as well as managing security risks to within tolerable levels on an ongoing basis.

Security Program

We have a dedicated Security team whose mission is to enable StackAdapt to succeed in the most secure way possible by managing risk, empowering decision-making and developing a healthy security culture. Our security program and control environment are aligned with elements of both the ISO 27001 standard and the NIST Cybersecurity Framework (CSF). We have established a formal set of security policies, standards and guidelines which govern how security controls and mechanisms are implemented throughout the organization. Responsibility for maintaining policies lies with the Directory of Information Security. Policy reviews take place on a periodic basis (typically annually). Information security policies are available to StackAdapt employees via a shared knowledge base software. Information security policies and plans relate to the following:

  1. Policies and Plans:

    1. Acceptable Use Policy
    2. Access Management Policy
    3. Change Management Policy
    4. Cryptographic Controls and Key Management Policy
    5. Backup Policy
    6. Disaster Recovery and Business Continuity Plan
    7. Enterprise Asset Management Policy
    8. Information Security Policy
    9. Information Security Risk Management Policy
    10. Password Policy
    11. Security Awareness Training Management Policy
    12. Security Incident Response Plan
    13. Security Logging & Monitoring Policy
    14. Software Asset Management Policy
    15. Social Media Policy
    16. Threat & Vulnerability Management Policy
    17. Vendor Security Policy

  2. Standards:

    1. Data Classification Standard
    2. Endpoint Patch Management Standard
    3. Identity and Access Management Standard
    4. Security Incident and Event Standard

  3. Guidelines:

    1. Data Handling Guidelines
    2. Password Construction Guidelines
    3. Public Wi-Fi Security Guidelines
    4. User Phishing Guidelines
    5. Vulnerability and Patch Management Guidelines

Technical Security Controls

We implement and maintain reasonable industry-standard technical security controls to protect client data against accidental or unlawful access, disclosure, alteration, loss and destruction. We employ a number of technical security controls, including but not limited to:

  1. Product Security:

    We leverage modern and secure open-source frameworks along with security controls to limit exposure to the most critical security risks to web applications outlined within the 'OWASP Top 10'. These controls reduce our exposure to security risks such as SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), among others. Our code is also audited using automated static analysis software, tested, and manually peer-reviewed prior to being deployed to production environments.

  2. Credential Security:

    We never store customer passwords in plaintext; we select password hashing algorithms to strike a balance between user experience and password cracking complexity.

  3. Authentication:

    Users authenticate to the StackAdapt Platform via two-factor authentication [2FA - also known as multi-factor authentication (MFA)], using a Username and Password combination (i.e. something you know), as well as a second factor in the form of a time-based one-time password (TOTP), whereby codes are generated locally using an application on users' mobile devices or else users can choose to receive the TOTP via SMS (i.e. something you have). 2FA is mandatory for all internal StackAdapt staff accessing the Platform. For clients, 2FA is a freely available feature, but not currently mandatory. We recommend that customers enable this feature for added protection.

  4. Authorisation:

    Authorisation within the StackAdapt Platform is controlled via role and permission-based access, whereby application roles and permissions enable users to access the required features and information necessary (and restrict access to unauthorized areas). Role and permission tiers exist both for end users (customers) and internal StackAdapt users. For end users (customers), account admins may grant/change access for their team. For StackAdapt employees, key managers may grant/change access. Employee access is restricted to the minimum required to fulfill their role (i.e. following the principle of 'least privilege'). User access rights are formally reviewed by management at periodic intervals (typically on a quarterly basis).

  5. Privileged Access:

    Access to sensitive IT infrastructure is limited to appropriate individuals and is managed and audited via an industry-standard proxy solution. Users are required to be initially connected via Virtual Private Network (VPN), which requires multi-factor authentication, in order to connect to sensitive IT infrastructure resources via the proxy gateways.

  6. Encryption:

    Data in transit is typically encrypted via HTTPS (i.e. HTTP over TLS/SSL). For data at rest, sensitive data (for example, 'UserIDs', 'Passwords', 'API Keys' and other 'personal identifiers') are secured using hashing algorithms. We also make use of full disk encryption for company laptops.

  7. Data Retention:

    We have established controls and mechanisms to protect data at each stage of the data lifecycle, from collection / creation through to disposal. At the end of retention periods, where applicable, we delete all data from its computer systems, retrieval systems and databases.

  8. Event logging:

    Access logs and object read and write logs are continuously recorded, with active reviews conducted in the event of suspicious activity or detection of a security event or incident.

Physical Security

We are a fully remote organisation, meaning that we do not currently operate any physical office or data center premises. We leverage the Amazon Web Services' (AWS') public cloud-based platform to support the delivery of key services to its customers. Physical security at AWS data centre facilities is the responsibility of the cloud service provider (i.e. AWS). AWS has been audited / accredited / certified against industry-leading security compliance requirements, including: ISO 27001, ISO 27017, ISO 27018, ISO 22301, SOC1 (Type II), SOC 2 (Type II), SOC3, CSA-STAR (Level 1, Level 2 and Level 3), etc. Refer to 'AWS Compliance Programs' for a full list of Security Compliance Certifications and Accreditations.

IT Resilience

StackAdapt has a formally documented Disaster Recovery and Business Continuity Plan, which governs StackAdapt's approach to ensuring resilience within its IT systems, as well as responding effectively when facing a Disaster Event. Testing of the plan is carried out annually. In addition, StackAdapt has a data backup program which involves continuously performing backups of key data residing within our cloud-based environment. This is achieved by leveraging AWS' native backup solutions.

Security Incident Response

Our Security Incident Response Plan (SIRP) governs how we detect, analyze, contain, eradicate and/or respond to a security incident, as well as conducting post-incident activities (e.g. 'lessons learned' activities). The SIRP outlines the key individuals involved in responding to a security incident, as well as the specific roles & responsibilities in each case. The SIRP also outlines the procedures for determining whether formal notification to customers and regulatory bodies is required, along with specific timelines to adhere to in each case.

Vendor Security

We perform risk assessments in order to identify and manage information security risks associated with our vendors. Currently, vendor information security risk assessments are conducted during the onboarding stage (or at the contract renewal stage for existing vendors). Assessments of vendors' information security controls and processes are conducted by issuing 'Security Questionnaires' and assessing the vendors' responses, as well as reviewing supporting evidence requested as part of the questionnaires. Any key information security risks will be identified as part of these assessments and communicated to Product Owners, as well as being managed internally.

Independent Assessments

StackAdapt is compliant with the SOC 2 standard, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage and secure customer data. We are subject to a recurring annual audit of our Internal Controls over Financial Reporting, which are currently conducted by independent audit specialists Deloitte; as part of this review, IT General Controls (i.e. controls related to change management, logical access and IT Operations) supporting key IT systems involved in the financial reporting process are assessed.

For the StackAdapt Platform, attack and penetration testing exercises (PEN tests) are conducted by a specialist independent third party organisation on an annual basis.