Dynamic Yield: Data Processing Addendum
Last Updated April 25, 2018
This Data Processing Addendum (“Addendum”) forms an integral part of the Agreement between Customer and Dynamic Yield (which governs Customer's right to use certain services designed to automatically personalize Customer's content through Dynamic Yield's Platform) and applies to the extent that Dynamic Yield or any of its trusted Sub-Processors collects or processes Personal Data, or has access to Personal Data, in the course of Dynamic Yield’s performance under the Agreement, as specified in Exhibit A, which is attached and incorporated hereto by reference.
All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
- "Approved Jurisdiction" means a member state of the EEA, or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission.
- "Breach Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- "Data Protection Legislation" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.
- “Data Controller”, “Data Processor”, “data subject”, “process” and “processing” shall have the meanings ascribed to them in the Data Protection Legislation.
- "EEA" means those countries that are members of the European Economic Area.
- “EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data (“Directive”); and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”).
- "Personal Data" means any information which (i) can be related to an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual, and (ii) supplied by Customer to Dynamic Yield pursuant to the Agreement or which Dynamic Yield or any of its Sub-Processors generate, collect, store, transmit, or otherwise process on behalf of Customer in connection with the Agreement. Personal Data may include information which is related to Customer’s users, employees, and other individuals (collectively, “End Users”).
- “Security Measures” mean commercially reasonable security-related policies, standards, and practices commensurate with the size and complexity of Dynamic Yield’s business, the level of sensitivity of the data collected, handled and stored, and the nature of Dynamic Yield’s business activities.
- “Sub-Processors” mean any affiliate, agent or assign of Dynamic Yield that may process Personal Data pursuant to the terms of the Agreement, and any unaffiliated processor engaged by Dynamic Yield.
Compliance with Laws
- Each Party shall comply with its respective obligations under the Data Protection Legislation.
- Dynamic Yield shall provide reasonable cooperation and assistance to Customer in relation to Dynamic Yield’s processing of Personal Data in order to allow Customer to comply with its obligations as a Data Controller under Data Protection Legislation.
- Dynamic Yield agrees to notify Customer promptly if it becomes unable to comply with the terms of this Addendum and to take reasonable and appropriate measures to remedy such non-compliance.
Processing Purpose and Instructions
- The duration of the processing under the Agreement is determined by the Parties, as set forth in the Agreement.
- Dynamic Yield shall process Personal Data only to deliver the Services in accordance with Customer’s documented instructions, the Agreement and the Data Protection Legislation. Unless permitted under the Agreement or this Addendum, Dynamic Yield shall not otherwise modify, amend, disclose or permit the disclosure of any Personal Data to any third party unless authorized or directed to do so by Customer.
- Dynamic Yield will not use Personal Data for any use other than as expressly provided in the Agreement or this Addendum. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Dynamic Yield and Customer by way of written amendment to the Agreement, and will include any additional fees that may be payable by Customer to Dynamic Yield for carrying out such instructions.
Reasonable Security and Safeguards
- Dynamic Yield represents, warrants, and agrees to use Security Measures as set out in Exhibit B, to (i) protect the availability, confidentiality, and integrity of any Personal Data collected, accessed, used, or transmitted by Dynamic Yield in connection with this Agreement, and (ii) protect such data from Breach Incidents.
- The Security Measures are subject to technical progress and development and Dynamic Yield may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by Customer.
- Dynamic Yield shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who have access to and process Personal Data. Dynamic Yield shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Customer is responsible for using and configuring the Services in a manner which enables Customer to comply with Data Protection Legislation, including implementing appropriate technical and organizational measures.
Upon becoming aware of a Breach Incident, Dynamic Yield will notify Customer without undue delay and will provide information relating to the Breach Incident as reasonably requested by Customer. Dynamic Yield will use reasonable endeavors to assist Customer in mitigating, where possible, the adverse effects of any Breach Incident.
Security Assessments and Audits
Dynamic Yield audits its compliance against data protection and information security standards on a regular basis. Such audits are conducted by Dynamic Yield’s internal audit team or by third party auditors engaged by Dynamic Yield. Dynamic Yield shall, upon reasonable and written notice and subject to obligations of confidentiality, allow its data processing procedures and documentation to be inspected annually by Customer (or its designee) in order to ascertain compliance with this Addendum. Dynamic Yield shall cooperate in good faith with audit requests by providing access to relevant knowledgeable personnel and documentation.
Cooperation and Assistance
- If Dynamic Yield receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under EU Data Protection Law, Dynamic Yield will promptly redirect the request to Customer. Dynamic Yield will not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Dynamic Yield is required to respond to such a request, Dynamic Yield will promptly notify Customer and provide Customer with a copy of the request, unless legally prohibited from doing so.
- If Dynamic Yield receives a legally binding request for the disclosure of Personal Data which is subject to this Addendum, Dynamic Yield shall (to the extent legally permitted) notify Customer upon receipt of such order, demand, or request. Notwithstanding the foregoing, Dynamic Yield will cooperate with Customer with respect to any action taken pursuant to such order, demand or request, including ensuring that confidential treatment will be accorded to such disclosed Personal Data.
Upon reasonable notice, Dynamic Yield shall provide reasonable assistance to Customer in:
- allowing data subjects to exercise their rights under the Data Protection Legislation;
- ensuring compliance with any notification obligations of Breach Incidents to the supervisory authority and communication obligations to data subjects, as required under Data Protection Legislation;
- ensuring compliance with its obligation to carry out Data Protection Impact Assessments (“DPIA”) or prior consultations with data protection authorities with respect to the processing of Personal Data. Any assistance to Customer with regard to DPIA or prior consultations will be solely at Customer's expense.
Use of Sub-Processors
- Customer provides a general consent to Dynamic Yield to engage onward Sub-Processors (including for the provision of cloud computing services and for personalized search solutions), provided that Dynamic Yield has entered into an agreement with the Sub-Processor containing data protection obligations that are as restrictive as the obligations under this Addendum (to the extent applicable to the services provided by the Sub-Processor). Prior to engaging any new Sub-Processor, Dynamic Yield will notify Customer (email acceptable) and allow Customer thirty (30) days to object. If Customer has legitimate objections to the appointment of any new Sub-Processor(s), the parties will work together in good faith to resolve the grounds for the objection for no less than thirty (30) days.
- Customer acknowledges that as part of the Services which Dynamic Yield provides, it may engage with Sub-Processors which provide personalized search solutions. Search solutions’ service providers may also collect End Users’ data (including Personal Data) from Customer’s online platform, such as country of origin, search queries performed by End Users, features of End Users’ browser and the operating system, details about pages visited, etc.
- Dynamic Yield will be responsible for any acts, errors, or omissions of its Sub-Processors that cause Dynamic Yield to breach any of its obligations under this Addendum.
International Data Transfers
- Dynamic Yield may transfer and process Personal Data to and in other locations around the world where Dynamic Yield or its Sub-Processors maintain data processing operations, as necessary to provide the Services as set forth in the Agreement.
- If Dynamic Yield (or its Sub-Processors) processes Personal Data from the EEA or Switzerland in a jurisdiction that is not an Approved Jurisdiction, Dynamic Yield shall ensure that it (or the relevant Sub-Processor) has a legally approved mechanism in place to allow for the international data transfer (e.g. Privacy Shield certification for the US).
Data Retention and Destruction
Dynamic Yield will only retain Personal Data for as long as Services are provided to Customer in accordance with this Agreement. Following expiration or termination of the Agreement, Dynamic Yield will delete or return to Customer all Personal Data in its possession as provided in the Agreement except to the extent Dynamic Yield is required by applicable law to retain some or all of the Personal Data (in which case Dynamic Yield will implement reasonable measures to prevent the Personal Data from any further processing). The terms of this Addendum will continue to apply to such Personal Data.
Liability and Indemnification
- Customer will indemnify, defend, and hold Dynamic Yield harmless against any claim, demand, suit or proceeding (including any damages, costs, reasonable attorney’s fees, and settlement amounts) made or brought against Dynamic Yield by a third party alleging that Personal Data received by Dynamic Yield from Customer or processed by Dynamic Yield in accordance with Customer’s instructions, is in breach of Data Protection Legislation.
- Dynamic Yield acknowledges and agrees that it has no ownership of Personal Data other than as expressly permitted under the Agreement or as authorized by Customer.
- Any claims brought under this Addendum will be subject to the terms and conditions of the Agreement, including the exclusions and limitations set forth in the Agreement, provided however that in no event will any party be deemed to have limited its liability under the Agreement with respect to any individual’s data protection rights under this Addendum or pursuant to applicable law.
- In the event of a conflict between the Agreement (or any document referred to therein) and this Addendum, the provisions of this Addendum shall prevail.
- Dynamic Yield may modify the terms of this Addendum in circumstances such as (i) if required to do so by a supervisory authority or other government or regulatory entity, (ii) if necessary to comply with Data Protection Legislation, or (iii) to implement or adhere to standard contractual clauses, approved codes of conduct or certifications, binding corporate rules, or other compliance mechanisms, which may be permitted under Data Protection Legislation. Dynamic Yield will provide notice of such changes to Customer, and the modified Addendum will become effective, in accordance with the terms of the Agreement.
Exhibit A
The information concerns the following categories of Personal Data which relate to End Users:
- End User information (e.g. name);
- Email address;
- Geographical information (City, State, Country);
- Audience membership - based on real-time audience and backend historical calculations;
- IP address;
- Online Identifiers (i.e. online data collected from End Users’ devices, applications and protocols which leave traces that may identify them), such as UDID, cookie identifiers, etc.;
- Device ID;
- Search queries;
- Page views and interactions.
Personal Data shall be processed by Dynamic Yield (or any of its Sub-Processors) for the following purposes:
- Automatically personalize End Users’ interaction with Customer’s online platforms across the web, mobile web, mobile apps and email.
- Build actionable End Users’ segments in real time, enabling Customer to take instant action via personalization, product/content recommendations, automatic optimization and real-time messaging.
- Implement personalized search solutions in order to learn what End Users wish to consume on Customer’s online platform.
Exhibit B: Technical and Organizational Measures
- This Exhibit B outlines the technical and organizational measures for safeguarding Personal Data undertaken by Dynamic Yield, in support of our global security framework.
- We take a systematic approach to data protection, privacy, and security. We believe a robust security and privacy program requires active involvement of stakeholders, ongoing education, internal and external assessments, and the installment and enforcement of best practices within the organization.
- We have implemented and maintain a security program that leverages the ISO/IEC 27000-series of control standards as its baseline.
Organizational and Personnel Management
- We appointed a Chief Information Security Officer (CISO) who designs, develops, and deploys our technical architectures, security policies, standards, and awareness program along with our Security and IT teams.
- We have also appointed a Data Privacy Officer (DPO), who can be reached at firstname.lastname@example.org, and who oversees our privacy program.
- All Dynamic Yield employees and contractors are required to sign confidentiality agreements (“NDAs”) that apply during their engagement with Dynamic Yield and post termination.
- All employees of the organization receive formal security and privacy awareness training at the time of hire and on a regular basis, led by our CISO and DPO.
- A formal and communicated disciplinary process is in place against employees who have committed an information security breach.
- Dynamic Yield's physical servers are managed by Amazon Web Services (“AWS”) and overseen by Dynamic Yield’s DevOps team. AWS is widely regarded as employing industry-standard protective measures ensuring the security of the physical servers it manages, relied upon by thousands of technology providers around the world (more on AWS security measures can be found here - https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf).
- Dynamic Yield has implemented suitable measures in order to prevent unauthorized persons from gaining access to its resources and equipment, regardless of whether those resources are directly related to where Personal Data are processed or used. These measures may include all or a combination of any of the following:
  - Maintaining offices within facilities requiring registration for entry and accompaniment beyond the front entrance.
  - Strict measures to ensure that all visitors are accompanied, and awareness among employees to challenge any exceptions.
  - Restricted access to areas containing communications or other technological equipment, on an employee-role basis.
  - A high-security card key system is utilized to control facility access.
  - CCTV video surveillance monitoring.
- Dynamic Yield’s standard commercial agreements with its customers state the division of responsibility between Dynamic Yield customers as “Data Controllers” and Dynamic Yield as “Data Processor”.
- Dynamic Yield personnel are trained and briefed about the contractual obligations undertaken by Dynamic Yield towards its clients with respect to data security, and their compliance therewith is monitored by company management.
- Aside from AWS (see above) and any product-related partners (which, at the moment, only includes “Findify” for Search Personalization, if such module is purchased), Dynamic Yield does not employ any subcontractors who have access to personal data collected by Dynamic Yield.
Logical Access Control
We have implemented suitable measures to prevent our data processing systems from being used by unauthorized persons, which is accomplished by:
- Access to the AWS console is managed by personal password-protected user accounts, managed through the AWS Identity and Access Management (IAM) service.
- All users access the Dynamic Yield systems with a unique identifier.
- We use passphrase-protected SSH keys to manage access to the machines that hold personal data.
- We have established a password policy that prohibits the sharing of passwords and requires passwords to be changed on a regular basis and default passwords to be altered. All passwords must fulfill defined minimum requirements and are stored in encrypted form.
- Automatic lock-out of the user ID when several erroneous passwords are entered.
- Automatic time-out of user terminal if left idle; identification and password required to reopen.
- Role-based access controls implemented in a manner consistent with principle of least privilege.
- Remote access via SSL VPN using two-factor authentication.
- Granting of access according to a strict formal procedure and periodic review of the access.
- Employee’s access to production systems that contain personal data is logged, audited and reviewed on a regular basis.
Input and Monitoring Control
Our input and monitoring controls include:
- Employment of a comprehensive logging system which allows for monitoring and auditing of any data activity (access, deletion, alteration etc.).
- Use of AWS Config to assess, audit, and evaluate the configurations of our AWS resources.
- Keeping an updated list with system administrators’ identification details and responsibilities.
Security in Development and Support Process
- We use an industry-standard security model in our platform development process.
- We design, review and test our platform using applicable OWASP Top 10 standards.
- Our developers and project team members receive training at least once a year in application security while focusing on secure software development.
- Our production environment is segregated from our development and staging environments with restricted access controls.
- Periodic penetration tests are carried out by third-party companies at least annually.
- Every employee has a laptop personally assigned to him/her.
- Laptops used by company personnel are password protected and are returned and wiped upon termination of employment.
- We use up-to-date Anti-Malware / Anti Virus software on all appropriate laptops.
- Each customer’s data is stored encrypted and separately from all other data, and is accessed only as required for content delivery by the specific component responsible for content composition.
- Each customer's data is encrypted with a different key, thus preventing data corruption and loss of segregation between Dynamic Yield customers.
Transmission and Network Control
We have implemented suitable measures to prevent Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:
- Any Personal Data is encrypted during transmission using up-to-date versions of TLS (1.0 or higher).
- Use of integrity checks to monitor the completeness and correctness of the transfer of data.
- We review our network architecture schema and data flows, including firewall rules and access restrictions on a regular basis.
- Our internal corporate Wi-Fi LAN is separated from the guest Wi-Fi, encrypted with WPA2-PSK and protected by a complex password.
- We have established a patch management process for our systems which includes technical vulnerability assessments, patch testing, patch deployment and verification.
- We use several security monitoring tools on the production servers. Notifications from these tools are sent to our NOC / security team so that they can take appropriate action.
Dynamic Yield strives to maintain system availability using measures which include:
- All Dynamic Yield data is stored on AWS which is trusted by thousands of businesses to store and serve their data and services. As Dynamic Yield data is all stored on the cloud (AWS) and nowhere on any proprietary physical servers, there is no risk of any disaster affecting Dynamic Yield’s ability to maintain business continuity or data completeness.
- We perform backups, which are tested regularly.
- Architecture which eliminates single points of failure, both with regards to AWS based production and relevant Dynamic Yield critical supporting resources, up to and including full disaster recovery.
- We have sophisticated internal procedures including release control and approvals, follow-the-sun operations and support and checks and balances with regards to modifications.
- We use change control procedures for configuration of supporting infrastructure.
- To ensure an effective and orderly response to incidents pertaining to personal data, we have defined an incident response plan with detailed procedures.
- The incident response plan includes a list of possible mitigation actions and clear assignment of roles.
- In the event of a security breach, Dynamic Yield will notify customers without undue delay after becoming aware of the security breach.
Emphasis is placed on documentation, to support the processes and procedures noted in this document and to enable audit should the need arise, in keeping with regulatory dictates and best practices.
- Dynamic Yield conducts regular internal and external audits of its security, led by the CISO.
- Dynamic Yield has appointed a Data Privacy Officer responsible for overseeing the implementation of the privacy program at Dynamic Yield.
- Dynamic Yield has adopted and is compliant with the EU-U.S. Privacy Shield Framework.
- We are committed to the confidentiality, data privacy and security of our customers and their end-users. We are investing and will continue to invest extensive resources towards maintaining the highest levels of data protection, privacy and security standards. We are compliant with applicable laws and regulations, and are committed to compliance with the EU GDPR and related guidelines.
- We cannot guarantee that your information may not be disclosed, accessed, altered or destroyed by a breach of any of our industry-standard safeguards. No method of transmission over the Internet or electronic storage is foolproof. We cannot guarantee absolute security.
- Our security measures are constantly evolving to keep up with the changing security landscape, so we may update these measures from time to time to reflect these technical and organizational changes. If any security measure changes in a manner detrimental to our customers’ interests, we will notify our customers of such changes.