Adswerve

Adswerve Data Processing Terms


Adswerve, Inc. (“Adswerve”) and the counterparty agreeing to these terms (“Customer”) have entered into an agreement for the provision of certain services by Adswerve to Customer (as amended from time to time, the “Agreement”).

These Data Processing Terms (including its annexes, appendices, and schedules, “Data Processing Terms”) are entered into by Adswerve and Customer and supplement and form part of the Agreement. These Data Processing Terms will be effective and replace any previously applicable terms relating to their subject matter, from the Terms Effective Date (as defined below).

If you are accepting these Data Processing Terms on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to these Data Processing Terms; (b) you have read and understand these Data Processing Terms; and (c) you agree, on behalf of Customer, to these Data Processing Terms. If you do not have the legal authority to bind Customer, please do not accept these Data Processing Terms.

1.  Introduction.  These Data Processing Terms reflect the parties’ agreement on the terms governing the Processing and security of Customer Personal Data in connection with Data Protection Laws.

2.   Definitions and Interpretation

2.1.   As used in these Data Processing Terms, the terms below have the meanings set forth below:

“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.

“Adswerve Affiliate Subprocessors” has the meaning given in Section 9.1 (Consent to Subprocessor Engagement).

“CCPA” means the California Consumer Privacy Act of 2018.

“Data Protection Laws” means with respect to a party, all privacy, data protection and information security-related laws and regulations applicable to such party’s Processing of Personal Data, including, where applicable, European Data Protection Legislation, the CCPA, and/or the LGPD.

“Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.

“Customer Personal Data” means Personal Data that is Processed by Adswerve on behalf of Customer in Adswerve’s provision of the Services. For purposes of these Data Protection Terms, Customer Personal Data does not include Personal Data of employees or representatives of Customer with whom Adswerve has a direct business relationship.

“Data Incident” means a breach of Adswerve’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Adswerve. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“EEA” means the European Economic Area.

“European Data Protection Legislation” means, as applicable, data protection or privacy laws in force in the EEA, Switzerland, and the United Kingdom, including, to the extent applicable: (a) Regulation (EU) 2016/679 (“EU GDPR”) and any national legislation implementing the EU GDPR; (b) the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, if in force (“UK GDPR”); and/or (c) the Federal Data Protection Act of 19 June 1992 (Switzerland).

“LGPD” means the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais).

“Notification Email Address” means the email address (if any) designated by Customer to receive certain notifications from Adswerve relating to these Data Processing Terms.

“Personal Data” means any information that constitutes “personal data,” “personal information,” “personally identifiable information” or similar information defined in and governed by Data Protection Laws.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Security Documentation” means any ISO/IEC 27001:2013 certification or any comparable certifications or audit reports made available by Adswerve and/or an applicable Services Partner in connection with the Services.

“Services” means the services that Adswerve has agreed to provide to Customer under the Agreement.

“Services Partner” means the third party identified in the Agreement which provides certain products, services, and/or support for resale by Adswerve to Customer as part of the Services.

“Subprocessors” means any third party authorized under these Data Processing Terms to Process Customer Personal Data on behalf of Customer.

“Term” means the period from the Terms Effective Date until the end of Adswerve’s provision of the Services under the Agreement.

“Terms Effective Date” means the date on which Customer clicked to accept or the parties otherwise agreed to these Data Processing Terms.

“Usage Data” means data derived from Customer’s use of the Services, Adswerve’s technical logs, and account and login data.

2.2.   The words “include” and “including” mean “including but not limited to”. Any examples in these Data Processing Terms are illustrative and not the sole examples of a particular concept.

2.3.   Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

3.   Duration of these Data Processing Terms.  These Data Processing Terms will take effect on the Terms Effective Date and, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Customer Personal Data by Adswerve as described in these Data Processing Terms.

4.   Application of these Data Processing Terms

4.1.   These Data Processing Terms apply to the Processing of Customer Personal Data under the Agreement, except that:

(a)   Annex A (European Data Processing Terms) will apply only to the extent that European Data Protection Legislation applies to Adswerve’s Processing of Customer Personal Data under the Agreement;

(b)   Annex B (California Data Processing Terms) will apply only to the extent that the CCPA applies to Adswerve’s Processing of Customer Personal Data under the Agreement;

(c)   Annex C (Brazil Data Processing Terms) will apply only to the extent that the LGPD applies to Adswerve’s Processing of Customer Personal Data under the Agreement; and

(d)   Schedules I and II will each individually apply only where the Services include the products, services, or support provided by one or more Services Partners described in such Schedule and identified in the Agreement.

5.   Processing of Data

5.1.   Customer’s Instructions.  By entering into these Data Processing Terms, Customer instructs Adswerve to Process Customer Personal Data only in accordance with applicable law: (a) to provide the Services and any related technical support; (b) as further specified via Customer’s use of the Services (including in the settings and other functionality of the Services, where available) and any related technical support; (c) as documented in the form of the Agreement, including these Data Processing Terms; and (d) as further documented in any other written instructions given by Customer and acknowledged by Adswerve as constituting instructions for purposes of these Data Processing Terms.

5.2.   Adswerve’s Compliance with Instructions.  Adswerve will comply with the instructions described in Section 5.1 (Customer’s Instructions) of these Data Processing Terms (including with regard to data transfers) unless Data Protection Laws to which Adswerve or the relevant Services Partner is subject requires other Processing of Customer Personal Data, in which case Adswerve will notify Customer (unless any such law prohibits Adswerve or the relevant Services Partner from doing so on important grounds of public interest).

6.   Data Deletion.  Except as otherwise set forth in a Schedule, following termination or expiration of the Agreement Adswerve will, at Customer’s option, delete or return all Customer Personal Data (including existing copies) from Adswerve’s systems in accordance with applicable law. Adswerve will comply with this instruction as soon as reasonably practicable, unless applicable laws require storage.

7.   Data Security

7.1.   Security Measures.  Adswerve will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, including the measures described in any applicable Schedule (the “Security Measures”). Adswerve may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services.

7.2.   Security Compliance by Adswerve Staff.  Adswerve will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.3.   Data Incidents

7.3.1.   Incident Notification.  If Adswerve becomes aware of a Data Incident, Adswerve will: (a) notify Customer of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Personal Data.

7.3.2.   Details of Data Incident.  Notifications made under Section 7.3.1 (Incident Notification) will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Adswerve recommends Customer take to address the Data Incident.

7.3.3.   Delivery of Notification.  Adswerve will deliver its notification of any Data Incident to the Notification Email Address or, at Adswerve’s discretion (including if Customer has not provided a Notification Email Address), by other direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for providing the Notification Email Address and ensuring that the Notification Email Address is current and valid.

7.3.4.   Third Party Notifications.  Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Data Incident.

7.3.5.   No Acknowledgement of Fault by Adswerve.  Adswerve’s notification of or response to a Data Incident under this Section 7.3 (Data Incidents) will not be construed as an acknowledgement by Adswerve of any fault or liability with respect to the Data Incident.

7.4.   Customer’s Security Responsibilities and Assessment

7.4.1.   Customer’s Security Responsibilities.  Customer agrees that, without prejudice to Adswerve’s obligations under Sections 7.1 (Security Measures), 7.2 (Security Compliance by Adswerve Staff), and 7.3 (Data Incidents):

(a)   Customer is responsible for its use of the Services, including (i) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data, (ii) securing the account authentication credentials, systems and devices Customer uses to access the Services, where applicable, and (iii) backing up its Customer Data and Customer Personal Data as appropriate; and

(b)   Adswerve has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of Adswerve’s and its Subprocessors’ systems.

7.4.2.   Customer’s Security Assessment.  Customer agrees, based on its current and intended use of the Services, that the Services, Security Measures, and Adswerve’s commitments under this Section 7 (Data Security): (a) meet Customer’s needs, including with respect to any security obligations of Customer under Data Protection Laws, as applicable, and (b) provide a level of security appropriate to the risk in respect of the Customer Personal Data or any Customer Data.

7.5.   Reviews and Audits of Compliance.  To the extent Data Protection Laws include a right for Customer to review or audit Adswerve’s Processing of Customer Personal Data, Customer will exercise such review or audit right, and Adswerve will fulfill its corresponding obligations, as follows:

7.5.1.   Reviews of Security Documentation.  Adswerve shall make available to Customer relevant information regarding Adswerve’s Processing of Customer Personal Data under these Data Protection Terms in the form of the Security Documentation.

7.5.2.   Customer’s Audit Rights.  Not more than once per calendar year and at Customer’s expense, Customer may audit Adswerve’s compliance with its obligations under these Data Processing Terms by submitting reasonable requests for information, including security and audit questionnaires. Adswerve will provide written responses to the extent the requested information is necessary to confirm Adswerve’s compliance with these Data Protection Terms. However, if the requested information is addressed in any Security Documentation, Customer agrees to accept such Security Documentation in lieu of a written response. Any information provided by Adswerve under this Section 7.5.2 constitutes Adswerve’s Confidential Information under the Agreement.

8.   Data Subject Rights

8.1.   Responses to Data Subject Requests.  If Adswerve receives a request from a data subject in relation to Customer Personal Data, Adswerve will advise the data subject to submit his/her request to Customer, and Customer will be responsible for responding to such request.

8.2.   Adswerve’s Data Subject Request Assistance.  Upon Customer’s request, Adswerve will (taking into account the nature of the Processing of Customer Personal Data) reasonably assist Customer in fulfilling any obligation of Customer to respond to requests by data subjects to exercise their rights in respect of Customer Personal Data under Data Protection Laws in cases where Customer cannot reasonably fulfill such requests independently using the functionality of the Services, where available. Adswerve may charge Customer on a time and materials basis in the event that Adswerve considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.

9.   Subprocessors

9.1.   Consent to Subprocessor Engagement.  In addition to any Subprocessors authorized under any applicable Schedule, Customer specifically authorizes the engagement of Adswerve’s Affiliates as Subprocessors (“Adswerve Affiliate Subprocessors”). In addition, Customer generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Subprocessors”).

9.2.   Subprocessor List.  Customer may view a list of Subprocessors utilized by Adswerve by visiting https://adswerve.com/subprocessors/ or such other website as Adswerve may designate.

9.3.   Requirements for Subprocessor Engagement.  When engaging any Subprocessor, Adswerve will: (a) enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in these Data Protection Terms; and (b) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.

9.4.   Opportunity to Object to Subprocessor Changes.  When any new Third Party Subprocessor is engaged during the Term, Adswerve will, at least ten (10) business days before the new Third Party Subprocessor Processes any Customer Personal Data, inform Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor list described in Section 9.2 and by either: (a) sending an email to the Notification Email Address; or (b) alerting Customer via the user interface or portal for the Services, where applicable. If, within five (5) business days after such notice, Customer notifies Adswerve in writing that Customer objects to Adswerve’s appointment of a new Third Party Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved. If the parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience.

10.   Contacting Adswerve.  Customer may contact Adswerve in relation to the exercise of its rights under these Data Processing Terms by emailing privacy@adswerve.com.

11.   Liability.  Notwithstanding anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Data Processing Terms will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (for clarity, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the Data Protection Laws). If there is no monetary or payment-based liability cap under the Agreement, then the total liability of either party towards the other party under or in connection with these Data Processing Terms will not exceed the total amount of fees paid to Adswerve (in the case of Adswerve’s liability) or payable (in the case of Customer’s liability) to Adswerve with respect to the Services during the 12 months before the date when the liability arose.

12.   Effect of these Data Processing Terms.  If there is any conflict or inconsistency between these Data Processing Terms and the remainder of the Agreement, then these Data Processing Terms shall govern. Except as expressly set forth in these Data Protection Terms, the Agreement remains unchanged and in full force and effect.

13.   Modifications

13.1.   Changes to Data Processing Terms.  Adswerve may change these Data Processing Terms if the change:

(a)   is expressly permitted by these Data Processing Terms;

(b)   reflects a change in the name or form of a legal entity;

(c)   is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency; or

(d)   does not: (i) result in a degradation of the overall security of the Services; (ii) expand the scope of, or remove any restrictions on Adswerve’s Processing of Customer Personal Data, as described in Section 5.2 (Adswerve’s Compliance with Instructions); and (iii) otherwise have a material adverse impact on Customer’s rights under these Data Processing Terms, as reasonably determined by Adswerve.

13.2.   Notification of Changes.  If Adswerve intends to change these Data Processing Terms under Section 13.1(c) or (d), Adswerve will inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to the Notification Email Address; or (b) alerting Customer via the user interface or portal for the Services, where applicable. If Customer objects to any such change, Customer may terminate the Agreement by giving written notice to Adswerve within 90 days of being informed by Adswerve of the change.


Annex A: European Data Processing Terms

1.  Definitions.  For purposes of this Annex A, the terms “controller”, “processor”, and “supervisory authority” have the meanings given in European Data Protection Legislation; “Customer Personal Data” shall mean that portion of Customer Personal Data that constitutes “personal data” as such term is defined in European Data Protection Legislation; “Model Contract Clauses” means the terms at https://adswerve.com/dpt-mcc/, which are standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the EU GDPR; and the terms “data importer” and “data exporter” have the meanings given in the Model Contract Clauses.

2.   Roles and Regulatory Compliance; Authorization

2.1.   Processor and Controller Responsibilities.  The parties acknowledge and agree that:

(a)   Adswerve is a processor of Customer Personal Data under European Data Protection Legislation;

(b)   Customer is a controller or processor, as applicable, of Customer Personal Data under European Data Protection Legislation; and

(c)   Each party will comply with the obligations applicable to it under European Data Protection Legislation with respect to the Processing of Customer Personal Data.

To the extent that Usage Data constitutes Personal Data, Adswerve is the controller with respect to such data and shall Process such data in accordance with its Privacy Policy, which can be found at https://adswerve.com/privacy-policy/.

2.2.   Subject Matter and Details of Processing.  Adswerve and Customer acknowledge and agree that Appendix 1 to this Annex A describes the subject matter and details of the Processing of Customer Personal Data.

2.3.   Authorization by Third Party Controller.  If Customer is a processor, Customer warrants to Adswerve that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of Adswerve as a sub-processor, have been authorized by the relevant controller.

3.   Data Security

3.1.   Adswerve’s Security Assistance.  Customer agrees that Adswerve will (taking into account the nature of the processing of Customer Personal Data and the information available to Adswerve) assist Customer in ensuring compliance with Customer’s obligations in respect of the security of Customer Personal Data and Data Incidents, including (if applicable) Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of European Data Protection Legislation, by:

(a)   implementing and maintaining the Security Measures in accordance with Section 7.1 (Security Measures) of the Data Processing Terms;

(b)   complying with the terms of Section 7.3 (Data Incidents) of the Data Processing Terms; and

(c)   providing Customer with the Security Documentation in accordance with Section 7.5.1 (Reviews of Security Documentation) of the Data Processing Terms and the information contained in these Data Processing Terms.

3.2.   Audits and Inspections.  In addition to the audit rights described in Section 7.5 (Reviews and Audits of Compliance) of the Data Processing Terms, to the extent required by European Data Protection Legislation or the Model Contract Clauses, Adswerve will allow Customer or a third party auditor appointed by Customer to conduct audits (including inspections) to verify Adswerve’s compliance with its obligations under these Data Processing Terms in accordance with the following business terms:

(a)   Customer will send any request for an audit under this Section 3.2 to Adswerve as described in Section 10 (Contacting Adswerve) of the Data Processing Terms;

(b)   Following receipt by Adswerve of such a request, Adswerve and Customer will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any audit under this Section 3.2;

(c)   Adswerve or any applicable Services Partner may charge a fee for any audit under this Section 3.2. Adswerve will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any third party auditor appointed by Customer to execute any such audit;

(d)   Adswerve or any Services Partner may object to any third party auditor appointed by Customer to conduct any audit under this Section 3.2 if the auditor is, in Adswerve’s or the Services Partner’s reasonable opinion, not suitably qualified or independent, a competitor of Adswerve or the Services Partner or otherwise manifestly unsuitable. Any such objection will require Customer to appoint another auditor or conduct the audit itself; and

(e)   Nothing in these Data Processing Terms will require Adswerve either to disclose to Customer or its third party auditor, or to allow Customer or its third party auditor to access: (i) any data of any other customer of Adswerve or a Services Partner; (ii) any internal accounting or financial information; (iii) any trade secret; (iv) any information that, in Adswerve’s or a Services Partner’s reasonable opinion, could: (A) compromise the security of any systems or premises; or (B) cause Adswerve or any Services Partner to breach its obligations under the European Data Protection Legislation or its security and/or privacy obligations to Customer or any third party; or (v) any information that Customer or its third party auditor seeks to access for any reason other than the good faith fulfilment of Customer’s obligations under the European Data Protection Legislation.

If the Model Contract Clauses apply under Section 5.2 (Transfers of Data) of this Annex A, nothing in this Section 3 varies or modifies any rights or obligations of Customer or Adswerve under the Model Contract Clauses.

4.   Impact Assessments and Consultations; Processing Records.  Customer agrees that Adswerve will (taking into account the nature of the processing and the information available to Adswerve) assist Customer in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior consultation, including (if applicable) Customer’s obligations pursuant to Articles 35 and 36 of the EU GDPR or equivalent articles of the UK GDPR, by (a) providing the Security Documentation in accordance with Section 7.5.1 (Reviews of Security Documentation) of the Data Processing Terms; (b) providing the information contained in these Data Processing Terms; and (c) providing additional information as may be made available by the applicable Services Partner(s) for such purposes.

5.   Data Transfers

5.1.   Data Storage and Processing Facilities.  Customer agrees that Adswerve may, subject to Section 5.2 (Transfers of Data) of this Annex A, store and process Customer Personal Data in any country in which Adswerve, its Services Partners, or any of its Subprocessors maintains facilities.

5.2.   Transfers of Data.  If the storage and/or processing of Customer Personal Data involves transfers of Customer Personal Data from the EEA, Switzerland or the UK to any third country that is not subject to an adequacy decision under the European Data Protection Legislation:

(a)   Customer (as data exporter) will be deemed to have entered into the Model Contract Clauses with Adswerve (as data importer); and

(b)   the transfers will be subject to the Model Contract Clauses.

5.3.   Liability.  If the Model Contract Clauses apply under this Section 5, the total combined liability of:

(a)   Adswerve towards Customer; and

(b)   Customer towards Adswerve

under or in connection with the Agreement and the Model Contract Clauses combined will be subject to Section 11 (Liability) of the Data Processing Terms.

5.4.   Order of Precedence.  If there is any conflict or inconsistency between the Model Contract Clauses and the Data Processing Terms, the Model Contract Clauses will apply.

5.5.   Changes to Model Contract Clauses.  Adswerve may change the Model Contract Clauses in accordance with Section 13 (Modification) of the Data Processing Terms or to incorporate any new version of the Model Contract Clauses that may be adopted under the European Data Protection Legislation, in each case in a manner that does not affect the validity of the Model Contract Clauses under European Data Protection Legislation.

6.   Processing Records.  Customer acknowledges that Adswerve and its relevant Services Partners may be required under European Data Protection Legislation to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Adswerve is acting and (if applicable) of such processor’s or controller’s local representative and data protection officer; and (b) make such information available to any Supervisory Authority. Accordingly, Customer will, where requested and as applicable to Customer, provide such information to Adswerve or the relevant Services Partner via the user interface of the Services or via such other means as may be provided by Adswerve, and will use such user interface or other means to ensure that all information provided is kept accurate and up-to-date.


Appendix 1 to Annex A: Subject Matter and Details of the Data Processing

1.   Subject Matter.  Adswerve’s provision of the Services and any related technical support to Customer.

2.   Duration of the Processing.  The Term plus the period from expiry of the Term until deletion of all Customer Personal Data by Adswerve in accordance with the Data Processing Terms.

3.   Nature and Purpose of the Processing.  Adswerve will Process (including, as applicable to the Services and the instructions described in Section 5.1 (Customer’s Instructions) of the Data Processing Terms, collecting, recording, organizing, structuring, storing, altering, retrieving, using, disclosing, combining, erasing and destroying) Customer Personal Data for the purpose of providing the Services and any related technical support to Customer in accordance with these Data Processing Terms.

4.   Types of Personal Data.  The categories of Customer Personal Data which Customer is authorized to provide to the Services under the Agreement, which may include: Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; precise location data; client identifiers; other categories which may be identified in an applicable Schedule.

5.   Categories of Data Subjects.  Data subjects include the individuals about whom data is provided to Adswerve or a Services Partner via the Services by (or at the direction of) Customer or by Customer End Users. Depending on the nature of the Services, Customer Personal Data may concern the following categories of data subjects: (a) to whom online advertising has been, or will be, directed; (b) who have visited specific websites or applications in respect of which Adswerve provides the Services; and/or (c) who are customers or users of Customer’s products or services.


Annex B: CCPA Service Provider Addendum to Adswerve Data Processing Terms

1.   Definitions.  For purposes of this Annex B, the terms “business”, “commercial purpose”, “sale”, and “service provider” have the meanings given in the CCPA and “Customer Personal Data” shall mean that portion of Customer Personal Data that constitutes “personal information” as such term is defined in the CCPA.

2.   Roles and Regulatory Compliance; Authorization

2.1.   CCPA Roles. Except as otherwise described in any Schedule applicable to the Services, with respect to Customer Personal Data, Adswerve is a service provider under the CCPA. To the extent that any Usage Data is considered Personal Data, Adswerve is the business with respect to such data and shall Process such data in accordance with its Privacy Policy, which can be found at https://adswerve.com/privacy-policy/.

2.2.   Customer Responsibility. Customer is solely liable for its compliance with the CCPA in its use of the Services.

2.3.   Business Purpose. The parties acknowledge and agree that the Processing of Customer Personal Data authorized by Customer’s instructions described in Section 5.1 (Customer’s Instructions) of the Data Processing Terms is integral to and encompassed by Adswerve’s provision of the Services and the direct business relationship between the parties.

3.   Restriction on Processing.  Adswerve will not (a) sell Customer Personal Data; (b) retain, use or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing the Customer Personal Data for a commercial purpose other than providing the Services; or (c) retain, use or disclose the Customer Personal Data outside of the direct business relationship between Adswerve and Customer.


Annex C: LGPD Processor Addendum to the Adswerve Data Processing Terms

1.   Definitions.  For purposes of this Annex C, “controller” means the “controlador” as such term is defined in the LGPD; “processor” means the “operador” as such term is defined in the LGPD; “Customer Personal Data” shall mean that portion of Customer Personal Data that constitutes personal data under the LGPD; and “Data Protection Authority” means the Autoridade Nacional de Proteção de Dados (ANPD) as defined in the LGPD.

2.   Roles and Regulatory Compliance; Authorization

2.1.   Processor and Controller Responsibilities.  The parties acknowledge and agree that:

(a)   Adswerve is a processor of Customer Personal Data under the LGPD;

(b)   Customer is a controller or processor, as applicable, of Customer Personal Data under the LGPD; and

(c)   Each party will comply with the obligations applicable to it under the LGPD with respect to the Processing of Customer Personal Data.

To the extent that Usage Data constitutes Personal Data, Adswerve is the controller with respect to such data and shall Process such data in accordance with its Privacy Policy, which can be found at https://adswerve.com/privacy-policy/.

2.2.   Authorization by Third Party Controller.  If Customer is a processor, Customer warrants to Adswerve that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of Adswerve and any relevant Services Partner as another processor, have been authorized by the relevant controller.

3.   Verifying Compliance.  Customer agrees that Adswerve will assist Customer in verifying Adswerve’s compliance with (i) Customer’s instructions; (ii) its obligations under this Annex C; and (iii) the obligations applicable to it under the LGPD with respect to the Processing of Customer Personal Data, by: (a) making the Security Documentation available for review by Customer; (b) providing the information contained in the Data Processing Terms; and (c) providing additional information as may be available from the applicable Services Partner(s).

4.   Data Transfer.  In the event that Customer transfers Customer Personal Data to Adswerve outside of Brazil in a manner that is restricted under the LGPD, the parties will reasonably cooperate to identify and implement a legal basis for any such transfer to the extent required by Data Protection Laws, including by entering into any standard contractual clauses approved for such transfers by the Data Protection Authority. Customer shall ensure that all Customer Personal Data has been collected, Processed, and transferred in accordance with the laws applicable to Customer as the exporter of Customer Personal Data.


Schedule I: Additional Data Processing Terms for Google Processor Services

This Schedule I (Additional Data Processing Terms for Google Processor Services) shall apply to any Google Processor Services (as defined below) included as part of the Services.

1.   Definitions.  For purposes of this Schedule I, the following definitions apply:

“Additional Product” means a product, service or application provided by a Google Entity or a third party that: (i) is not part of the Google Processor Services; and (ii) is accessible for use within the user interface of the Google Processor Services or is otherwise integrated with the Google Processor Services.

“Data Subject Tool” means a tool (if any) made available by a Google Entity to data subjects that enables Google to respond directly and in a standardized manner to certain requests from data subjects in relation to Customer Personal Data (for example, online advertising settings or an opt-out browser plugin).

“Google” means the Google Entity that is party to the reseller agreement with Adswerve.

“Google Entity” means Google LLC (formerly known as Google Inc.), Google Ireland Limited or any other Affiliate of Google LLC.

“Google Processor Services” means any of the applicable services listed at privacy.google.com/businesses/adsservices.

“ISO 27001 Certification” means a Google Entity’s ISO/IEC 27001:2013 certification or a comparable certification for the Google Processor Services.

2.   Additional Terms Regarding Data Deletion.  During the Term, if the functionality of the Google Processor Services does not include the option for Customer to delete Customer Personal Data, then Adswerve will comply with, or will request that Google comply with:

a)   any reasonable request from Customer to facilitate such deletion, insofar as this is possible taking into account the nature and functionality of the Google Processor Services and unless applicable laws require storage; and

b)   the data retention practices described at google.com/technologies/ads.

Adswerve may charge a fee (based on Adswerve’s and Google’s reasonable costs) for any data deletion under this Section 2. Adswerve will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such data deletion.

3.   Additional Terms Regarding Data Security.  In relation to the Google Processor Services, the Security Measures shall include the measures described in Exhibit A to this Schedule I. In addition to any applicable audit rights set forth in the Data Processing Terms, Customer may also review the ISO 27001 Certification (which reflects the outcome of an audit conducted by a third party auditor), information about the locations of Google’s data centers (available at www.google.com/about/datacenters/locations/) and information about Google’s Subprocessors (available at privacy.google.com/businesses/subprocessors).

4.   Additional Terms Regarding the CCPA.  Customer may enable certain in-product settings, configurations or other functionality for the Google Processor Services relating to restricted data Processing, as described in supporting documentation available at privacy.google.com/businesses/rdp, as updated from time to time (“Restricted Data Processing”). Notwithstanding the terms of Annex B to the Data Processing Terms and solely with respect to Customer Personal Information Processed while Restricted Data Processing is enabled, Adswerve will act as Customer’s service provider, and as such, will not retain, use or disclose Customer Personal Information, other than (a) for a business purpose under the CCPA on behalf of Customer and the specific purpose of performing the Google Processor Services, as further described in supporting documentation available at privacy.google.com/businesses/rdp, as updated from time to time, or as otherwise permitted under the CCPA or (b) as may otherwise be permitted for service providers or under a comparable exemption from “sale” in the CCPA, as reasonably determined by Adswerve.

5.   Additional Products.  If Customer uses any Additional Product, the Google Processor Services may allow that Additional Product to access Customer Personal Data as required for the interoperation of the Additional Product with the Google Processor Services. For clarity, this Schedule I does not apply to the Processing of Personal Data in connection with the provision of any Additional Product used by Customer, including Personal Data transmitted to or from that Additional Product.


Exhibit A to Schedule I: Google Marketing Platform Security Measures

This Exhibit A sets forth additional security information regarding the Security Measures applicable to the Google Processor Services. The Security Measures may be updated or modified from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Google Processor Services.

1.   Data Center & Network Security

1.1.   Data Centers

(a)   Infrastructure.  Google maintains geographically distributed data centers. Google stores all production data in physically secure data centers.

(b)   Redundancy.  Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Google Processor Services are designed to allow Google to perform certain types of preventative and corrective maintenance without interruption. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer’s or internal specifications. Preventative and corrective maintenance of the data center equipment is scheduled through a standard process according to documented procedures.

(c)   Power.  The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, and 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supply (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data center, at full capacity, for up to 10 minutes until the diesel generator systems take over. The diesel generators are capable of automatically starting up within seconds to provide enough emergency electrical power to run the data center at full capacity typically for a period of days.

(d)   Server Operating Systems.  Google servers use hardened operating systems which are customized for the unique server needs of the business. Data is stored using proprietary algorithms to augment data security and redundancy. Google employs a code review process to increase the security of the code used to provide the Google Processor Services and enhance the security products in production environments.

(e)   Business Continuity.  Google replicates data over multiple systems to help to protect against accidental destruction or loss. Google has designed and regularly plans and tests its business continuity planning/disaster recovery programs.

1.2.   Networks & Transmission

(a)   Data Transmission.  Data centers are typically connected via high-speed private links to provide secure and fast data transfer between data centers. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. Google transfers data via Internet standard protocols.

(b)   External Attack Surface.  Google employs multiple layers of network devices and intrusion detection to protect its external attack surface. Google considers potential attack vectors and incorporates appropriate purpose-built technologies into external facing systems.

(c)   Intrusion Detection.  Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Google’s intrusion detection involves:

(i)   Tightly controlling the size and make-up of Google’s attack surface through preventative measures;

(ii)   Employing intelligent detection controls at data entry points; and

(iii)   Employing technologies that automatically remedy certain dangerous situations.

(d)   Incident Response.  Google monitors a variety of communication channels for security incidents, and Google’s security personnel will react promptly to known incidents.

(e)   Encryption Technologies.  Google makes HTTPS encryption (also referred to as SSL or TLS connection) available. Google servers support ephemeral elliptic curve Diffie-Hellman cryptographic key exchange signed with RSA and ECDSA. These perfect forward secrecy (PFS) methods help protect traffic and minimize the impact of a compromised key, or a cryptographic breakthrough.

2.   Access and Site Controls

2.1.   Site Controls

(a)   On-site Data Center Security Operation.  Google’s data centers maintain an on-site security operation responsible for all physical data center security functions 24 hours a day, 7 days a week. The on-site security operation personnel monitor Closed Circuit TV (“CCTV”) cameras and all alarm systems. On-site security operation personnel perform internal and external patrols of the data center regularly.

(b)   Data Center Access Procedures.  Google maintains formal access procedures for allowing physical access to the data centers. The data centers are housed in facilities that require electronic card key access, with alarms that are linked to the on-site security operation. All entrants to the data center are required to identify themselves as well as show proof of identity to on-site security operations. Only authorized employees, contractors and visitors are allowed entry to the data centers. Only authorized employees and contractors are permitted to request electronic card key access to these facilities. Data center electronic card key access requests must be made in advance and in writing and require the approval of the requestor’s manager and the data center director. All other entrants requiring temporary data center access must: (i) obtain approval in advance from the data center managers for the specific data center and internal areas they wish to visit; (ii) sign in at on-site security operations; and (iii) reference an approved data center access record identifying the individual as approved.

(c)   On-site Data Center Security Devices.  Google’s data centers employ an electronic card key and biometric access control system that is linked to a system alarm. The access control system monitors and records each individual’s electronic card key and when they access perimeter doors, shipping and receiving, and other critical areas. Unauthorized activity and failed access attempts are logged by the access control system and investigated, as appropriate. Authorized access throughout the business operations and data centers is restricted based on zones and the individual’s job responsibilities. The fire doors at the data centers are alarmed. CCTV cameras are in operation both inside and outside the data centers. The positioning of the cameras has been designed to cover strategic areas including, among others, the perimeter, doors to the data center building, and shipping/receiving. On-site security operations personnel manage the CCTV monitoring, recording and control equipment. Secure cables throughout the data centers connect the CCTV equipment. Cameras record on-site via digital video recorders 24 hours a day, 7 days a week. The surveillance records are retained for at least 7 days based on activity.

2.2.   Access Control

(a)   Infrastructure Security Personnel.  Google has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Google’s infrastructure security personnel are responsible for the ongoing monitoring of Google’s security infrastructure, the review of the Google Processor Services, and responding to security incidents.

(b)   Access Control and Privilege Management.  Customer’s administrators and users must authenticate themselves via a central authentication system or via a single sign on system in order to use the Google Processor Services.

(c)   Internal Data Access Processes and Policies – Access Policy.  Google’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Google aims to design its systems to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during Processing, use and after recording. The systems are designed to detect any inappropriate access. Google employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. LDAP, Kerberos and a proprietary system utilizing SSH certificates are designed to provide Google with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. Google requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with Google’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g. login to workstations), password policies that follow at least industry standard practices are implemented. These standards include restrictions on password reuse and sufficient password strength.

3.   Data

3.1.   Data Storage, Isolation & Authentication.  Google stores data in a multi-tenant environment on Google-owned servers. Data, the Google Processor Services database and file system architecture are replicated between multiple geographically dispersed data centers. Google logically isolates each customer’s data. A central authentication system is used across all Google Processor Services to increase uniform security of data.

3.2.   Decommissioned Disks and Disk Destruction Guidelines.  Certain disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned (“Decommissioned Disk”). Every Decommissioned Disk is subject to a series of data destruction processes (the “Data Destruction Guidelines”) before leaving Google’s premises either for reuse or destruction. Decommissioned Disks are erased in a multi-step process and verified complete by at least two independent validators. The erase results are logged by the Decommissioned Disk’s serial number for tracking. Finally, the erased Decommissioned Disk is released to inventory for reuse and redeployment. If, due to hardware failure, the Decommissioned Disk cannot be erased, it is securely stored until it can be destroyed. Each facility is audited regularly to monitor compliance with the Data Destruction Guidelines.

4.   Personnel Security

4.1.   Google personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Google conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

4.2.   Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Google’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling Customer Personal Data are required to complete additional requirements appropriate to their role. Google’s personnel will not Process Customer Personal Data without authorization.

5.   Subprocessor Security.  Before onboarding Subprocessors, Google conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Google has assessed the risks presented by the Subprocessor then the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.


Schedule II: Additional Data Processing Terms for Google Cloud Platform

This Schedule II (Additional Data Processing Terms for Google Cloud Platform) shall apply if the Google Cloud Platform (as described at https://cloud.google.com/terms/services) and related technical support to Customer is included as part of the Services.

1.   Definitions

“Additional Security Controls” means security resources, features, functionality and/or controls that Customer may use at its option and/or as it determines, including the Admin Console, encryption, logging and monitoring, identity and access management, security scanning, and firewalls.

“Audited Services” means the then-current Services indicated as being in-scope for the relevant certification or report at https://cloud.google.com/security/compliance/services-in-scope. Google may not remove a Service from this URL unless that Service has been discontinued in accordance with the Agreement.

“Customer Data” has the meaning given in the Agreement or, if no such meaning is given, means data provided by or on behalf of Customer or Customer End Users via the Services under the Account.

“Customer End Users” has the meaning given in the Agreement or, if no such meaning is given, has the meaning given to “End Users” in the Agreement.

“Google” means the Google Entity that is party to the reseller agreement with Adswerve.

“Google Entity” means Google LLC (formerly known as Google Inc.), Google Ireland Limited or any other Affiliate of Google LLC.

2.   Additional Terms Regarding Data Deletion

2.1.   Deletion by Customer.  Customer may delete Customer Data during the Term in a manner consistent with the functionality of the Services. If Customer uses the Services to delete any Customer Data during the Term and that Customer Data cannot be recovered by Customer, this use will constitute an instruction to delete the relevant Customer Data from the Google Cloud Platform in accordance with applicable law. In most cases, this instruction will be carried out as soon as reasonably practicable and within a maximum period of 180 days, unless applicable law requires storage.

2.2.   Deletion on Termination.  On expiry of the Term, all Customer Data (including existing copies) will be deleted from the Google Cloud Platform in accordance with applicable law. After a recovery period of up to 30 days following such expiry, in most cases this instruction will be carried out as soon as reasonably practicable and within a maximum period of 180 days, unless applicable law requires storage. Without prejudice to Section 8 (Data Subject Rights) of the Data Processing Terms, Customer is responsible for exporting, before the Term expires, any Customer Data it wishes to retain.

3.   Additional Terms Regarding Data Security.  In relation to the Google Cloud Platform, the Security Measures shall include any Additional Security Controls and the measures described in Exhibit A to this Schedule II.  In addition to any applicable audit rights set forth in the Data Processing Terms, Customer may also (a) review information about the locations of Google facilities (available at https://cloud.google.com/about/locations/) (as may be updated by Google from time to time) and about Google’s Subprocessors, including their functions and locations (available at https://cloud.google.com/terms/subprocessors/) (as may be updated by Google from time to time); and (b) submit a written request to Adswerve to review Google’s (i) certificates for ISO 27001, ISO 27017 and ISO 27018, and its PCI DSS Attestation of Compliance (the “Compliance Certifications”) and (ii) SOC 2 and SOC 3 reports produced by Google’s Third Party Auditor and updated annually based on an audit performed at least once every 12 months (the “SOC Reports”). Customer shall provide all information requested by Adswerve or Google in connection with any such request and be responsible for any fee(s) charged by Google in connection with such request. Customer acknowledges and agrees that Google may add standards at any time and/or replace a Compliance Certification or SOC Report with an equivalent or enhanced alternative.


Exhibit A to Schedule II: Google Cloud Platform Security Measures

This Exhibit A sets forth additional security information regarding the Security Measures applicable to the Google Cloud Platform. The Security Measures may be updated or modified from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Google Cloud Platform.

1.   Data Center and Network Security

1.1.   Data Centers

(a)   Infrastructure.  Google maintains geographically distributed data centers. Google stores all production data in physically secure data centers.

(b)   Redundancy.  Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Services are designed to allow Google to perform certain types of preventative and corrective maintenance without interruption. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer’s or internal specifications. Preventative and corrective maintenance of the data center equipment is scheduled through a standard change process according to documented procedures.

(c)   Power.  The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supply (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data center, at full capacity, for up to 10 minutes until the diesel generator systems take over. The diesel generators are capable of automatically starting up within seconds to provide enough emergency electrical power to run the data center at full capacity typically for a period of days.

(d)   Server Operating Systems.  Google servers use a Linux based implementation customized for the application environment. Data is stored using proprietary algorithms to augment data security and redundancy. Google employs a code review process to increase the security of the code used to provide the Services and enhance the security products in production environments.

(e)   Business Continuity.  Google has designed and regularly plans and tests its business continuity planning/disaster recovery programs.

1.2.   Networks and Transmission

(a)   Data Transmission.  Data centers are typically connected via high-speed private links to provide secure and fast data transfer between data centers. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. Google transfers data via Internet standard protocols.

(b)   External Attack Surface.  Google employs multiple layers of network devices and intrusion detection to protect its external attack surface. Google considers potential attack vectors and incorporates appropriate purpose-built technologies into external facing systems.

(c)   Intrusion Detection.  Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Google’s intrusion detection involves:

(i)   tightly controlling the size and make-up of Google’s attack surface through preventative measures;

(ii)   employing intelligent detection controls at data entry points; and

(iii)   employing technologies that automatically remedy certain dangerous situations.

(d)   Incident Response.  Google monitors a variety of communication channels for security incidents, and Google’s security personnel will react promptly to known incidents.

(e)   Encryption Technologies.  Google makes HTTPS encryption (also referred to as SSL or TLS connection) available. Google servers support ephemeral elliptic curve Diffie-Hellman cryptographic key exchange signed with RSA and ECDSA. These perfect forward secrecy (PFS) methods help protect traffic and minimize the impact of a compromised key, or a cryptographic breakthrough.

2.   Access and Site Controls

2.1.   Site Controls

(a)   On-site Data Center Security Operation.  Google’s data centers maintain an on-site security operation responsible for all physical data center security functions 24 hours a day, 7 days a week. The on-site security operation personnel monitor closed circuit TV (CCTV) cameras and all alarm systems. On-site security operation personnel perform internal and external patrols of the data center regularly.

(b)   Data Center Access Procedures.  Google maintains formal access procedures for allowing physical access to the data centers. The data centers are housed in facilities that require electronic card key access, with alarms that are linked to the on-site security operation. All entrants to the data center are required to identify themselves as well as show proof of identity to on-site security operations. Only authorized employees, contractors and visitors are allowed entry to the data centers. Only authorized employees and contractors are permitted to request electronic card key access to these facilities. Data center electronic card key access requests must be made through e-mail, and require the approval of the requestor’s manager and the data center director. All other entrants requiring temporary data center access must: (i) obtain approval in advance from the data center managers for the specific data center and internal areas they wish to visit; (ii) sign in at on-site security operations; and (iii) reference an approved data center access record identifying the individual as approved.

(c)   On-site Data Center Security Devices.  Google’s data centers employ an electronic card key and biometric access control system that is linked to a system alarm. The access control system monitors and records each individual’s electronic card key and when they access perimeter doors, shipping and receiving, and other critical areas. Unauthorized activity and failed access attempts are logged by the access control system and investigated, as appropriate. Authorized access throughout the business operations and data centers is restricted based on zones and the individual’s job responsibilities. The fire doors at the data centers are alarmed. CCTV cameras are in operation both inside and outside the data centers. The positioning of the cameras has been designed to cover strategic areas including, among others, the perimeter, doors to the data center building, and shipping/receiving. On-site security operations personnel manage the CCTV monitoring, recording and control equipment. Secure cables throughout the data centers connect the CCTV equipment. Cameras record on site via digital video recorders 24 hours a day, 7 days a week. The surveillance records are retained for up to 30 days based on activity.

2.2.   Access Control

(a)   Infrastructure Security Personnel.  Google has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Google’s infrastructure security personnel are responsible for the ongoing monitoring of Google’s security infrastructure, the review of the Services, and responding to security incidents.

(b)   Access Control and Privilege Management.  Customer’s administrators must authenticate themselves via a central authentication system or via a single sign on system in order to administer the Services.

(c)   Internal Data Access Processes and Policies – Access Policy.  Google’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Google designs its systems to (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. Google employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. Google’s authentication and authorization systems utilize SSH certificates and security keys, and are designed to provide Google with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. Google requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with Google’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include restrictions on password reuse and sufficient password strength. For access to extremely sensitive information (e.g., credit card data), Google uses hardware tokens.

3.   Data

3.1.   Data Storage, Isolation and Logging.  Google stores data in a multi-tenant environment on Google-owned servers. Subject to any Customer instructions to the contrary (for example, in the form of a data location selection), Google replicates Customer Data between multiple geographically dispersed data centers. Google also logically isolates the Customer’s data. Customer will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the Services, will enable Customer to determine the product sharing settings applicable to Customer End Users for specific purposes. Customer may choose to make use of logging functionality that Google makes available via the Services.

3.2.   Decommissioned Disks and Disk Erase Policy.  Disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned (“Decommissioned Disk”). Every Decommissioned Disk is subject to a series of data destruction processes (the “Disk Erase Policy”) before leaving Google’s premises either for reuse or destruction. Decommissioned Disks are erased in a multi-step process and verified complete by at least two independent validators. The erase results are logged by the Decommissioned Disk’s serial number for tracking. Finally, the erased Decommissioned Disk is released to inventory for reuse and redeployment. If, due to hardware failure, the Decommissioned Disk cannot be erased, it is securely stored until it can be destroyed. Each facility is audited regularly to monitor compliance with the Disk Erase Policy.

4.   Personnel Security.  Google personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Google conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Google’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling Customer Data are required to complete additional requirements appropriate to their role (e.g., certifications). Google’s personnel will not process Customer Data without authorization.

5.   Subprocessor Security.  Before onboarding Subprocessors, Google conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Google has assessed the risks presented by the Subprocessor, then subject to the requirements described in Section 9.3 (Requirements for Subprocessor Engagement) of the Data Processing Terms, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.

Adswerve Data Processing Terms, Version 21.1

31 December 2020

Previous Versions: