Data Processing Agreement

This Data Processing Addendum (“DPA”) forms part of the Digital Advertising Services Agreement, the StackAdapt Terms of Use, as applicable, or other written or electronic agreement between StackAdapt Inc. (“StackAdapt”) and you (“Company”) (collectively, the “Parties”) for the services made available through the StackAdapt Platform (identified either as “Services” “Platform” or otherwise in the applicable agreement, and hereinafter defined as “Services”) (the “Agreement”) to reflect the Parties’ agreement with regard to the Processing of Company Personal Data.

1. Definitions

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. In this DPA, the following terms shall have the meanings set out below:

“Company Personal Data” means any Personal Data which Company provides directly to StackAdapt or which is provisioned by or through Company’s use of the StackAdapt Services pursuant to the Agreement.

“Data Protection Assessment” means an assessment of the impact of processing operations on the protection of Personal Data and the rights of Data Subjects, or is otherwise defined as a “Data Protection Assessment”, “Data Protection Impact Assessment”, or “Risk Assessment” by applicable Data Protection Laws.

“Data Protection Laws” means any and all applicable data protection, security, or privacy-related laws, statutes, directives, or regulations in full force and effect in the United States, including but not limited to: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”) together with any amending or replacement legislation, and any EU Member State laws and regulations promulgated or incorporated thereunder; (b) the UK Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (c) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 and any regulations promulgated thereunder; (d) the Virginia Consumer Data Protection Act of 2021, Va. Code Ann. § 59.1-571 to -581; (e) the Colorado Privacy Act of 2021, Co. Rev. Stat. § 6-1-1301 et seq.; (f) Connecticut Public Act No. 22-15, “An Act Concerning Personal Data Privacy and Online Monitoring”; (g) the Utah Consumer Privacy Act of 2022, Utah Code Ann. § 13-61-101 et seq.; and (h) all other equivalent laws and regulations in any relevant jurisdiction within the United States relating to Personal Data and privacy, and as each may be amended, extended or re-enacted from time to time.

“Data Subject” means an identified or identifiable natural person whose Personal Data is being Processed. Where applicable, the term “Data Subject” shall refer to “Consumer” as that term is defined under Data Protection Laws.

“Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household, or is otherwise defined as “personal data”, “personal information”, or “personally identifiable information” by applicable Data Protection Laws.

“Regulatory Authority” means the applicable public authority or government agency responsible for supervising compliance with Data Protection Laws, but not limited to: the UK Information Commissioner’s Office; EU Member State supervisory authorities; the California Privacy Protection Agency; and U.S. state attorneys general.

“Subprocessor” means any third party appointed by StackAdapt to Process Company Personal Data in connection with the Agreement.

The terms “Business”, “Business Purpose”, “Controller”, “Process”, “Processor”, “Sale”, “Service Provider”, “Share”, and “Third Party” shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.

2. Processing of Personal Data

2.1 Roles of the Parties

The Parties acknowledge and agree that, for the purposes of Data Protection Laws, with regard to the Processing of Company Personal Data:

  1. where each party separately determines, on its own, the means of the Processing of Personal Data, in the context of the performance of the Agreement, each party shall be a Controller in its own right (i.e., an Independent Controller and not joint Controllers).
  2. where the Parties jointly determine the purposes and means of the Processing of Company Personal Data, in accordance with Article 26 of the GDPR, the Parties shall be considered joint Controllers.

2.2 Rights and Obligations

Each party shall comply with the obligations imposed on it by applicable Data Protection Laws with regard to Personal Data Processed in connection with Services. Each Party shall ensure that it is lawfully permitted to share the relevant Personal Data with the other Party in connection with the provision of the Services and shall inform the other Party promptly if, in its opinion, any development or change of the joint Processing of such Personal Data infringes the Data Protection Laws. Where the Parties are considered joint Controllers in respect of the Processing of Personal Data under this DPA:

  1. StackAdapt shall be responsible for providing notice to relevant data subjects for Company Personal Data provisioned by or through Company’s use of the StackAdapt Services satisfying the requirements of Article 14 of the GDPR;
  2. Company shall be responsible for providing notice to relevant data subjects for Company Personal Data that Company derives independently of StackAdapt satisfying the requirements of Article 13 of the GDPR; and
  3. StackAdapt shall be the designated point of contact for any data subjects who wish to exercise the data subject rights related to Company Personal Data provisioned by or through Company’s use of the StackAdapt Services as set out in Chapter 3 of the GDPR, subject to Section 3 of this DPA.

2.3 California Personal Data Processing

With respect to the CCPA, the Parties agree that Company is acting as the Business/Controller and StackAdapt is acting solely as a Third Party with respect to the Processing of Company Personal Data. The Company Personal Data is made available to StackAdapt for the advertising purposes specified in the Terms of Use or Digital Advertising Services Agreement, as applicable. StackAdapt will sell or share the Company Personal Data to achieve the purposes specified in the Terms of Use or Digital Advertising Services Agreement, as applicable. In the performance of these Services, StackAdapt shall comply with the CCPA, inclusive of all applicable security requirements. Subject to Section 6 of this DPA, Company shall be permitted to take reasonable and appropriate steps to ensure StackAdapt’s compliance with the CCPA and this DPA, including any reasonable steps to stop and remediate any unauthorized use of Company Personal Data. StackAdapt shall promptly notify Company in writing (but in no event later than 72 hours after making the relevant determination) if at any time StackAdapt makes a determination that it can no longer meet its obligations under the CCPA.

3. Rights of Data Subjects

The primary joint Controller shall be responsible for responding to Data Subject requests and the secondary joint Controller shall provide assistance in ensuring compliance with the obligation to reply to any request from Data Subjects in exercise of their rights granted under the Data Protection Laws. The responsible Controller shall be determined as follows: if the data requested by the Data Subject can be attributed to Company Personal Data, Company shall be considered the primary joint Controller. Taking into account the nature of the Processing and the Company Personal Data, StackAdapt shall assist Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Company’s obligation to respond to a Data Subject Request under Data Protection Laws. To the extent legally permitted, Company shall be responsible for any costs arising from StackAdapt’s provision of such assistance. In all other cases the Controller contacted by the Data Subject shall be the responsible Controller.

4. Personnel

4.1 Confidentiality

StackAdapt shall ensure that its personnel engaged in the Processing of Company Personal Data are informed of the confidential nature of the Company Personal Data, and are under a duty of confidentiality.

4.2 Reliability

StackAdapt shall endeavor, in the exercise of its reasonable business discretion, to ensure the reliability of any StackAdapt personnel engaged in the Processing of Company Personal Data.

4.3 Limitation of Access

StackAdapt shall ensure that StackAdapt’s access to Company Personal Data is limited to those personnel performing Services in accordance with the Agreement.

4.4 Processors

StackAdapt may entrust Processors with Processing of Personal Data under this DPA for the purposes of performing Services in accordance with the Agreement. StackAdapt may provide notification of any new Processors before authorizing such new Processor to Process Company Personal Data in connection with the provision of the Services and Company shall be responsible for receipt and review of such notification. Company may object to the Processing of Company Personal Information by the new Processor, for reasonable and explained grounds. The Parties will use good-faith efforts to resolve Company’s objection. In the absence of a resolution, StackAdapt will use commercially reasonable efforts to provide Company with the same level of service, without using the Processor to Process Company’s Personal Information.

5. Security

5.1 Controls for the Protection of Company Personal Data

In the context of the joint Processing of Company Personal Data, the Parties shall maintain appropriate technical and organizational measures designed to protect the security (including against unauthorized or unlawful Processing of, and against accidental or unlawful destruction, loss or alteration, unauthorized disclosure of, or access to data), confidentiality, and integrity of Company Personal Data. The Parties shall monitor compliance with these measures in accordance with their respective internal information security programs.

5.2 Data Security Incident Management and Notification

Each Party shall maintain security incident management policies and procedures, and shall notify the other without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company Personal Data that is transmitted or stored by the Party or its Subprocessors which results in any actual loss or unauthorized use of Company Personal Data (a “Data Security Incident”). The Party responding to the Data Security Incident shall make reasonable efforts to identify the cause of such Data Security Incident and take those steps as it deems reasonably necessary in order to remediate the cause of any such Data Security Incident, to the extent the remediation is within its reasonable control and is required by Data Protection Laws. In the event of a Data Security Incident, the Party responding to the Data Security Incident shall cooperate in a reasonable manner with the other Party to allow the other Party to notify the relevant data protection authority within 48 (forty-eight) hours (or any other time limit required under Data Protection Laws) from the time the Party responding to the Data Security Incident becomes aware of the Data Security Incident. Before any such notification is made, the other Party shall consult with and provide the Party responding to the Data Security Incident an opportunity to comment on any notification made in connection with the Data Security Incident. Neither Party shall make any such Data Security Incident public without the other Party’s prior consent. Nothing in this DPA shall be construed to require either Party to violate, or delay compliance with, any legal obligation it may have with respect to the Data Security Incident.

6. Audit

Each Party shall provide the other Party with all relevant information relating to the joint Processing of Personal Data in connection with the performance of the Agreement (means, storage and country of origin and/or destination of such Personal Data) to enable the other Party to demonstrate compliance with the obligations laid down under the Data Protection Laws. Upon reasonable request, each Party shall reasonably cooperate with the other Party in relation to any audit necessary and reasonably required for the joint Processing of Personal Data in connection with the performance of the Agreement. Any Audit shall be: (i) at the requesting Party’s expense; (ii) subject to a mutually agreed upon scope; (iii) conducted by the requesting Party or a mutually agreed upon third-party auditor who has signed a nondisclosure agreement with the audited Party; and (iv) subject to the confidentiality obligations set forth in the Agreement. The auditing Party shall use reasonable endeavours to minimize any disruption caused to the audited Party’s business activities as a result of an audit. Audits shall take place no more than once in any calendar year unless and to the extent that the auditing Party (acting reasonably and in good faith) has reasonable grounds to suspect any material breach of this DPA.

7. Cross-Border Data Transfers

7.1 Transfers of EEA, Swiss, or UK Personal Data

Where the Processing of Company Personal Data includes transfers from the EEA, Switzerland, or the United Kingdom to countries which are deemed to provide inadequate levels of data protection (“Other Countries”), if required by Data Protection Laws, the Parties agree to: (i) execute the model clauses adopted by the relevant data protection authorities of the European Commission or the UK Secretary of State as set forth in this Section 9 (if applicable); or (ii) comply with any of the other mechanisms provided for under Data Protection Laws for transferring Company Personal Data to such Other Countries. Additional information required by the Standard Contractual Clauses is set forth in Annexes I and II attached hereto.

7.2 EU SCCs Modules

The Parties agree that for transfers of Company Personal Data from the European Economic Area (“EEA”), the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as annexed to Commission Implementing Decision 2021/914 of 4 June 2021 (the “EU SCCs”), are hereby incorporated by reference into this DPA as follows:

  1. Where StackAdapt Processes Personal Data as joint Controller pursuant to the terms of the Agreement, StackAdapt is located in non-adequacy approved third countries, and Company is established in the EEA or is otherwise transferring the Personal Data of EEA Data Subjects (either directly or via onward transfer) (“Restricted Transfer”); Module 1: Transfer controller to controller, Clauses 1 to 8, and 10 to 18 apply, with the following exceptions;
  2. In Clause 7 (Docking Clause) – the Optional provision shall NOT apply;
  3. In Clause 11(a) (Redress) – the Optional provision shall NOT apply;
  4. In Clause 17 (Governing Law) – Option 1 shall apply, and the courts Republic of Ireland shall govern; and
  5. In Clause 18 (Choice of forum and jurisdiction) – the courts Republic of Ireland shall have jurisdiction.

The EU SCCs shall come into effect under Section 7.2 on the later of: (i) the data exporter becoming a Party to them; (ii) the data importer becoming a Party to them; and (iii) commencement of the relevant Restricted Transfer.

7.3 UK Model Clauses

The Parties agree that for transfers of Company Personal Data from the United Kingdom, the International Data Transfer Addendum to the EU SCCs, issued by the UK ICO under S119A(1) Data Protection Act 2018 and in force March 21, 2022 (the “UK Addendum”), shall apply. The start date in Table 1 of the UK Addendum shall be the date that the Parties have executed Annex I. The selection of modules and optional clauses shall be as described in Sections 9.2 and 9.3 above, subject to any revisions or amendments required by the UK Addendum. All other information required by Tables 1-3 is set forth in Annexes I and II. For the purposes of Table 4, the parties agree that both the importer and exporter may end the UK Addendum as set out in Section 19 of the UK Addendum.

7.4 Swiss Data Transfers

The Parties agree that for transfers of Company Personal Data from Switzerland, the terms of the EU SCCs shall be amended and supplemented as specified by the relevant guidance of the Swiss Federal Data Protection and Information Commissioner, and the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.

8. Limitations of Liability

The “Limitation of Liability” terms under the Agreement shall apply to all claims, demands, suits, causes of action, awards, judgments and liabilities, including reasonable attorneys’ fees and costs, arising out of or alleged to have arisen out of either Party’s breach of its obligations under this DPA.

9. Modification

StackAdapt may amend any of the terms contained in this DPA in its sole discretion and without notice by posting a revised DPA online. Changes to this DPA will be effective as of the date posted unless a different date is specified. Company’s continued use of the Services following any change to this DPA will constitute binding acceptance of the changes.

10. Prior Agreement

Unless a prior agreement precludes the Parties from entering into this DPA, this DPA shall supersede all prior discussions and agreements and constitutes the entire agreement and understanding between the Parties with respect to its subject matter.

11. Governing Law

Without prejudice to the relevant provisions of any applicable transfer mechanisms identified in Section 7 of this DPA, including the EU SCCs and UK Addendum, the Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this DPA and is governed by the laws of the country or territory stipulated for this purpose in the Agreement.

Appendix 1

Description of responsibilities between the Parties for the joint Processing of Company Personal Data.

A. Party responsible for determining the legal basis for joint Processing:

  • StackAdapt with regard to Company Personal Data provisioned by or through Company’s use of the StackAdapt Services pursuant to the Agreement;
  • Company with regard to any data Company provides directly to StackAdapt and that Company derives independently of StackAdapt (e.g., CRM data).

B. Party responsible for deciding the system to be used to provide the Services?

  • StackAdapt

C. Party responsible for determining the data categories to be Processed under the Agreement?

  • Company

D. Party primarily responsible for the management of any transfer of Personal Data in connection with the performance of the Agreement?

  • StackAdapt

E. Party primarily responsible for deciding which recipients are authorized to receive such data?

  • Company

F. Party primarily responsible for determining the security measures for the Processing of Company Personal Data under the Agreement?

  • StackAdapt

G. Party primarily responsible for the management of security measures for the Processing of Company Personal Data under the Agreement?

  • StackAdapt

H. Party primarily responsible for providing notice as defined and described in relevant Data Protection Laws (i.e., making a privacy notice available) to Data Subjects?

  • StackAdapt with regard to Company Personal Data provisioned by or through Company’s use of the StackAdapt Services pursuant to the Agreement;
  • Company with regard to any data Company provides directly to StackAdapt and that Company derives independently of StackAdapt (e.g., CRM data).

I. Party primarily responsible for hosting / storage of Company Personal Data?

  • StackAdapt

Annex I

A. List of Parties

Data exporter(s):

  • Name: As listed in the Agreement.
  • Address: As listed in the Agreement.
  • Contact person’s name, position and contact details: As listed in the Agreement.
  • Activities relevant to the data transferred under these Clauses: As described in the Agreement.
  • Role (controller/processor): Joint Controller

Data importer(s):

  • Name: StackAdapt Inc.
  • Address: 6D – 7398 Yonge St,Unit # 2161Thornhill, ON L4J 8J2Canada
  • Contact person’s name, position and contact details: Data Protection Officer, Email: legal@stackadapt.com
  • Activities relevant to the data transferred under these Clauses: As described in the Agreement.
  • Role (controller/processor): Joint Controller

B. Description of the Transfer

Categories of data subjects whose personal data is transferred:

The personal data transferred concern the following categories of data subjects:

  • Clients of Data Exporter
  • Website users and visitors of Data Exporter
  • Individuals responding to Data Exporter’s advertisement

Categories of personal data transferred:

The personal data transferred concern the following categories of data:

  • Technical data: IP address, cookie ID, device ID, referral URL, and user agent
  • At the request of Company: Email, First name, Last name, Phone, Address

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

  • The processing of sensitive data is not anticipated.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

  • Data will be transferred on a continuous basis.

Nature of the processing:

  • The nature of the processing is the performance of Services as described in the Agreement and relevant insertion order.

Purpose(s) of the data transfer and further processing:

  • The purpose of the processing is the performance of Services as described in the Agreement (e.g., Personal data is transferred for the purposes of delivering the Data Exporter’s native, display, audio, in-game, video, DOOH, and Connected TV advertisements).

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

  • As agreed between the Parties in this DPA or the Agreement. Additional permitted purposes may include legal, regulatory, backup, archival, accounting, and/or audit purposes.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

  • Processors shall only retain Personal Data as long as necessary to complete the contractually agreed services.

C. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13:

  • The Republic of Ireland

Annex II

Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data

Information Security (Security) is a key area of focus for StackAdapt and our customers. In this context, security is about ensuring that StackAdapt implements a secure environment to protect the confidentiality, integrity and availability of our information and systems. StackAdapt clients trust our platform to plan, execute and analyze their programmatic advertising campaigns. That trust is based upon us ensuring that we employ reasonable industry standard security controls, as well as managing security risks to within tolerable levels on an ongoing basis.

Security Program

We have a dedicated Security team whose mission is to enable StackAdapt to succeed in the most secure way possible by managing risk, empowering decision-making and developing a healthy security culture. Our security program and control environment are aligned with elements of both the ISO 27001 standard and the NIST Cybersecurity Framework (CSF). We have established a formal set of security policies, standards and guidelines which govern how security controls and mechanisms are implemented throughout the organization. Responsibility for maintaining policies lies with the Directory of Information Security. Policy reviews take place on a periodic basis (typically annually). Information security policies are available to StackAdapt employees via a shared knowledge base software. Information security policies and plans relate to the following:

Policies and Plans

  • Acceptable Use Policy
  • Access Management Policy
  • Change Management Policy
  • Cryptographic Controls and Key Management Policy
  • Backup Policy
  • Disaster Recovery and Business Continuity Plan
  • Enterprise Asset Management Policy
  • Information Security Policy
  • Information Security Risk Management Policy
  • Password Policy
  • Security Awareness Training Management Policy
  • Security Incident Response Plan
  • Security Logging & Monitoring Policy
  • Software Asset Management Policy
  • Social Media Policy
  • Threat & Vulnerability Management Policy
  • Vendor Security Policy

Standards

  • Data Classification Standard
  • Endpoint Patch Management Standard
  • Identity and Access Management Standard
  • Security Incident and Event Standard

Guidelines

  • Data Handling Guidelines
  • Password Construction Guidelines
  • Public Wi-Fi Security Guidelines
  • User Phishing Guidelines
  • Vulnerability and Patch Management Guidelines

Technical Security Controls

We implement and maintain reasonable industry-standard technical security controls to protect client data against accidental or unlawful access, disclosure, alteration, loss and destruction. We employ a number of technical security controls, including but not limited to:

  • Product Security: We leverage modern and secure open-source frameworks along with security controls to limit exposure to the most critical security risks to web applications outlined within the ‘OWASP Top 10’. These controls reduce our exposure to security risks such as SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), among others. Our code is also audited using automated static analysis software, tested, and manually peer-reviewed prior to being deployed to production environments.
  • Credential Security: We never store customer passwords in plaintext; we select password hashing algorithms to strike a balance between user experience and password cracking complexity.
  • Authentication: Users authenticate to the StackAdapt Platform via two-factor authentication [2FA – also known as multi-factor authentication (MFA)], using a Username and Password combination (i.e. something you know), as well as a second factor in the form of a time-based one-time password (TOTP), whereby codes are generated locally using an application on users’ mobile devices or else users can choose to receive the TOTP via SMS (i.e. something you have). 2FA is mandatory for all internal StackAdapt staff accessing the Platform. For clients, 2FA is a freely available feature, but not currently mandatory. We recommend that customers enable this feature for added protection.
  • Authorisation: Authorisation within the StackAdapt Platform is controlled via role and permission-based access, whereby application roles and permissions enable users to access the required features and information necessary (and restrict access to unauthorized areas). Role and permission tiers exist both for end users (customers) and internal StackAdapt users. For end users (customers), account admins may grant/change access for their team. For StackAdapt employees, key managers may grant/change access. Employee access is restricted to the minimum required to fulfill their role (i.e. following the principle of ‘least privilege’). User access rights are formally reviewed by management at periodic intervals (typically on a quarterly basis).
  • Privileged Access: Access to sensitive IT infrastructure is limited to appropriate individuals and is managed and audited via an industry-standard proxy solution. Users are required to be initially connected via Virtual Private Network (VPN), which requires multi-factor authentication, in order to connect to sensitive IT infrastructure resources via the proxy gateways.
  • Encryption: Data in transit is typically encrypted via HTTPS (i.e. HTTP over TLS/SSL). For data at rest, sensitive data (for example, ‘UserIDs’, ‘Passwords’, ‘API Keys’ and other ‘personal identifiers’) are secured using hashing algorithms. We also make use of full disk encryption for company laptops.
  • Data Retention: We have established controls and mechanisms to protect data at each stage of the data lifecycle, from collection / creation through to disposal. At the end of retention periods, where applicable, we delete all data from its computer systems, retrieval systems and databases.
  • Event logging: Access logs and object read and write logs are continuously recorded, with active reviews conducted in the event of suspicious activity or detection of a security event or incident.

Physical Security

We are a fully remote organisation, meaning that we do not currently operate any physical office or data center premises. We leverage the Amazon Web Services’ (AWS’) public cloud-based platform to support the delivery of key services to its customers. Physical security at AWS data centre facilities is the responsibility of the cloud service provider (i.e. AWS). AWS has been audited / accredited / certified against industry-leading security compliance requirements, including: ISO 27001, ISO 27017, ISO 27018, ISO 22301, SOC1 (Type II), SOC 2 (Type II), SOC3, CSA-STAR (Level 1, Level 2 and Level 3), etc. Refer to ‘AWS Compliance Programs‘ for a full list of Security Compliance Certifications and Accreditations.

IT Resilience

StackAdapt has a formally documented Disaster Recovery and Business Continuity Plan, which governs StackAdapt’s approach to ensuring resilience within its IT systems, as well as responding effectively when facing a Disaster Event. Testing of the plan is carried out annually. In addition, StackAdapt has a data backup program which involves continuously performing backups of key data residing within our cloud-based environment. This is achieved by leveraging AWS’ native backup solutions.

Security Incident Response

Our Security Incident Response Plan (SIRP) governs how we detect, analyze, contain, eradicate and/or respond to a security incident, as well as conducting post-incident activities (e.g. ‘lessons learned’ activities). The SIRP outlines the key individuals involved in responding to a security incident, as well as the specific roles & responsibilities in each case. The SIRP also outlines the procedures for determining whether formal notification to customers and regulatory bodies is required, along with specific timelines to adhere to in each case.

Vendor Security

We perform risk assessments in order to identify and manage information security risks associated with our vendors. Currently, vendor information security risk assessments are conducted during the onboarding stage (or at the contract renewal stage for existing vendors). Assessments of vendors’ information security controls and processes are conducted by issuing ‘Security Questionnaires’ and assessing the vendors’ responses, as well as reviewing supporting evidence requested as part of the questionnaires. Any key information security risks will be identified as part of these assessments and communicated to Product Owners, as well as being managed internally.

Independent Assessments

StackAdapt is compliant with the SOC 2 standard, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage and secure customer data. We are subject to a recurring annual audit of our Internal Controls over Financial Reporting, which are currently conducted by independent audit specialists Deloitte; as part of this review, IT General Controls (i.e. controls related to change management, logical access and IT Operations) supporting key IT systems involved in the financial reporting process are assessed.

For the StackAdapt Platform, attack and penetration testing exercises (PEN tests) are conducted by a specialist independent third party organisation on an annual basis.

Maximize Your Programmatic Strategy

G2 Top 100 Software Products 2024
G2 Top 50 Marketing & Digital Advertising Products 2024
G2 Leader Winter 2025 Awards Badge
AdAge Best Places to Work 2024
Diversio Workplace Impact Award 2023
Great Place to Work Certified Canada
2023 Programmatic Power Players
Quartz Best Companies for Remote Workers
Best Tech Work Culture Finalist Timmy Awards

Request a Demo

Provide your first name.
Provide your last name.
  1. United States

    +1

  2. Canada

    +1

  3. United Kingdom

    +44

  4. Australia

    +61

  5. Afghanistan

    +93

  6. Albania

    +355

  7. Algeria

    +213

  8. American Samoa

    +1

  9. Andorra

    +376

  10. Angola

    +244

  11. Anguilla

    +1

  12. Antarctica

    +672

  13. Antigua and Barbuda

    +1

  14. Argentina

    +54

  15. Armenia

    +374

  16. Aruba

    +297

  17. Austria

    +43

  18. Azerbaijan

    +994

  19. Bahamas

    +1

  20. Bahrain

    +973

  21. Bangladesh

    +880

  22. Barbados

    +1

  23. Belarus

    +375

  24. Belgium

    +32

  25. Belize

    +501

  26. Benin

    +229

  27. Bermuda

    +1

  28. Bhutan

    +975

  29. Bolivia

    +591

  30. Bosnia and Herzegovina

    +387

  31. Botswana

    +267

  32. Brazil

    +55

  33. British Indian Ocean Territory

    +246

  34. British Virgin Islands

    +1

  35. Brunei

    +673

  36. Bulgaria

    +359

  37. Burkina Faso

    +226

  38. Burundi

    +257

  39. Cambodia

    +855

  40. Cameroon

    +237

  41. Cape Verde

    +238

  42. Cayman Islands

    +1

  43. Central African Republic

    +236

  44. Chad

    +235

  45. Chile

    +56

  46. China

    +86

  47. Christmas Island

    +61

  48. Cocos Islands

    +61

  49. Colombia

    +57

  50. Comoros

    +269

  51. Cook Islands

    +682

  52. Costa Rica

    +506

  53. Croatia

    +385

  54. Cuba

    +53

  55. Curacao

    +599

  56. Cyprus

    +357

  57. Czech Republic

    +420

  58. Democratic Republic of the Congo

    +243

  59. Denmark

    +45

  60. Djibouti

    +253

  61. Dominica

    +1

  62. Dominican Republic

    +1

  63. East Timor

    +670

  64. Ecuador

    +593

  65. Egypt

    +20

  66. El Salvador

    +503

  67. Equatorial Guinea

    +240

  68. Eritrea

    +291

  69. Estonia

    +372

  70. Ethiopia

    +251

  71. Falkland Islands

    +500

  72. Faroe Islands

    +298

  73. Fiji

    +679

  74. Finland

    +358

  75. France

    +33

  76. French Polynesia

    +689

  77. Gabon

    +241

  78. Gambia

    +220

  79. Georgia

    +995

  80. Germany

    +49

  81. Ghana

    +233

  82. Gibraltar

    +350

  83. Greece

    +30

  84. Greenland

    +299

  85. Grenada

    +1

  86. Guam

    +1

  87. Guatemala

    +502

  88. Guernsey

    +44

  89. Guinea-Bissau

    +245

  90. Guinea

    +224

  91. Guyana

    +592

  92. Haiti

    +509

  93. Honduras

    +504

  94. Hong Kong

    +852

  95. Hungary

    +36

  96. Iceland

    +354

  97. India

    +91

  98. Indonesia

    +62

  99. Iran

    +98

  100. Iraq

    +964

  101. Ireland

    +353

  102. Isle of Man

    +44

  103. Israel

    +972

  104. Italy

    +39

  105. Ivory Coast

    +225

  106. Jamaica

    +1

  107. Japan

    +81

  108. Jersey

    +44

  109. Jordan

    +962

  110. Kazakhstan

    +7

  111. Kenya

    +254

  112. Kiribati

    +686

  113. Kosovo

    +383

  114. Kuwait

    +965

  115. Kyrgyzstan

    +996

  116. Laos

    +856

  117. Latvia

    +371

  118. Lebanon

    +961

  119. Lesotho

    +266

  120. Liberia

    +231

  121. Libya

    +218

  122. Liechtenstein

    +423

  123. Lithuania

    +370

  124. Luxembourg

    +352

  125. Macau

    +853

  126. Macedonia

    +389

  127. Madagascar

    +261

  128. Malawi

    +265

  129. Malaysia

    +60

  130. Maldives

    +960

  131. Mali

    +223

  132. Malta

    +356

  133. Marshall Islands

    +692

  134. Mauritania

    +222

  135. Mauritius

    +230

  136. Mayotte

    +262

  137. Mexico

    +52

  138. Micronesia

    +691

  139. Moldova

    +373

  140. Monaco

    +377

  141. Mongolia

    +976

  142. Montenegro

    +382

  143. Montserrat

    +1

  144. Morocco

    +212

  145. Mozambique

    +258

  146. Myanmar

    +95

  147. Namibia

    +264

  148. Nauru

    +674

  149. Nepal

    +977

  150. Netherlands Antilles

    +599

  151. New Caledonia

    +687

  152. New Zealand

    +64

  153. Nicaragua

    +505

  154. Niger

    +227

  155. Nigeria

    +234

  156. Niue

    +683

  157. North Korea

    +850

  158. Northern Mariana Islands

    +1

  159. Norway

    +47

  160. Oman

    +968

  161. Pakistan

    +92

  162. Palau

    +680

  163. Palestine

    +970

  164. Panama

    +507

  165. Papua New Guinea

    +675

  166. Paraguay

    +595

  167. Peru

    +51

  168. Philippines

    +63

  169. Pitcairn

    +64

  170. Poland

    +48

  171. Portugal

    +351

  172. Puerto Rico

    +1

  173. Qatar

    +974

  174. Republic of the Congo

    +242

  175. Reunion

    +262

  176. Romania

    +40

  177. Russia

    +7

  178. Rwanda

    +250

  179. Saint Barthelemy

    +590

  180. Saint Helena

    +290

  181. Saint Kitts and Nevis

    +1

  182. Saint Lucia

    +1

  183. Saint Martin

    +590

  184. Saint Pierre and Miquelon

    +508

  185. Saint Vincent and the Grenadines

    +1

  186. Samoa

    +685

  187. San Marino

    +378

  188. Sao Tome and Principe

    +239

  189. Saudi Arabia

    +966

  190. Senegal

    +221

  191. Serbia

    +381

  192. Seychelles

    +248

  193. Sierra Leone

    +232

  194. Singapore

    +65

  195. Sint Maarten

    +1

  196. Slovakia

    +421

  197. Slovenia

    +386

  198. Solomon Islands

    +677

  199. Somalia

    +252

  200. South Africa

    +27

  201. South Korea

    +82

  202. South Sudan

    +211

  203. Spain

    +34

  204. Sri Lanka

    +94

  205. Sudan

    +249

  206. Suriname

    +597

  207. Svalbard and Jan Mayen

    +47

  208. Swaziland

    +268

  209. Sweden

    +46

  210. Switzerland

    +41

  211. Syria

    +963

  212. Taiwan

    +886

  213. Tajikistan

    +992

  214. Tanzania

    +255

  215. Thailand

    +66

  216. The Netherlands

    +31

  217. Togo

    +228

  218. Tokelau

    +690

  219. Tonga

    +676

  220. Trinidad and Tobago

    +1

  221. Tunisia

    +216

  222. Turkey

    +90

  223. Turkmenistan

    +993

  224. Turks and Caicos Islands

    +1

  225. Tuvalu

    +688

  226. U.S. Virgin Islands

    +1

  227. Uganda

    +256

  228. Ukraine

    +380

  229. United Arab Emirates

    +971

  230. Uruguay

    +598

  231. Uzbekistan

    +998

  232. Vanuatu

    +678

  233. Vatican

    +379

  234. Venezuela

    +58

  235. Vietnam

    +84

  236. Wallis and Futuna

    +681

  237. Western Sahara

    +212

  238. Yemen

    +967

  239. Zambia

    +260

  240. Zimbabwe

    +263

Select a country code.
Provide a valid phone number.
Provide the name of the company you work for.
Provide your job title.
Tell us the type of company you work for.
Tell us the size of your company.
Tell us what country your company is in.
Tell us what region your company is in.
Tell us your annual programmatic budget.
Tell us how you are looking to work with us.

*Please disable any ad blockers to successfully submit this form.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.