Dynamic Yield: Data Processing Addendum
Last Updated February 2022
This Data Processing Addendum ("Addendum") forms an integral part of the Agreement between Customer and the Dynamic Yield entity listed in the applicable Order Form or Agreement ("Dynamic Yield"), which governs Customer's right to use certain services designed to automatically personalize Customer's content through Dynamic Yield's Platform, and applies to the extent that Dynamic Yield or any of its trusted Sub-Processors collects or processes Personal Data, or has access to Personal Data, in the course of Dynamic Yield's performance under the Agreement, as specified in Exhibit A, which is attached and incorporated hereto by reference.
All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
- "Approved Jurisdiction" means a member state of the EEA, or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission.
- "Breach Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- "CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq.
- "Data Protection Legislation" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law and the CCPA.
- “Data Controller”, “Data Processor”, “data subject”, “process” and “processing” shall have the meanings ascribed to them in the Data Protection Legislation. Where applicable, Data Controller shall be deemed to be a "Business", Data Processor shall be deemed to be the "Service Provider", and "data subject" shall be deemed to be a "Consumer" as these terms are defined under the CCPA.
- "EEA" means those countries that are member of the European Economic Area.
- “EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data ("Directive"); and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR").
- "Personal Data" means any information which (i) can be related to an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual, and (ii) supplied by Customer to Dynamic Yield pursuant to the Agreement or which Dynamic Yield or any of its Sub-Processors generate, collect, store, transmit, or otherwise process on behalf of Customer in connection with the Agreement. Personal Data may include information which is related to Customer’s users, employees, and other individuals (collectively, "End Users").
- “Security Measures” mean commercially reasonable security-related policies, standards, and practices commensurate with the size and complexity of Dynamic Yield’s business, the level of sensitivity of the data collected, handled and stored, and the nature of Dynamic Yield’s business activities.
- “Standard Contractual Clauses” mean the applicable module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4th 2021.
- “Sub-Processors” mean any affiliate, agent or assign of Dynamic Yield that may process Personal Data pursuant to the terms of the Agreement, and any unaffiliated processor engaged by Dynamic Yield.
Compliance with Laws
- Each Party shall comply with its respective obligations under the Data Protection Legislation.
- Dynamic Yield shall provide reasonable cooperation and assistance to Customer in relation to Dynamic Yield’s processing of Personal Data in order to allow Customer to comply with its obligations as a Data Controller under Data Protection Legislation.
- Dynamic Yield agrees to notify Customer promptly if it becomes unable to comply with the terms of this Addendum and take reasonable and appropriate measures to remedy such non-compliance.
- Throughout the duration of the Addendum, Customer agrees and warrants that: (a) it has a mechanism in place to ensure that: (i) End Users have been informed of Dynamic Yield's use of Personal Data as required by Data Protection Legislation; (ii) End Users' consents and permits applicable to Dynamic Yield's Services are properly obtained and recorded; (iii) End Users can withdraw such consent at any time; (b) Personal Data has been and will continue to be collected, processed and transferred by it in accordance with the relevant Data Protection Legislation; (c) it will not share any special categories of Personal Data, as this term is defined in the Data Protection Legislation; and (d) any instruction to Dynamic Yield in connection with the processing of Personal Data has been and will continue to be carried out in accordance with the relevant Data Protection Legislation. Customer shall bear sole liability in any case of violation of this section.
Processing Purpose and Instructions
- The duration of the processing under the Agreement is determined by the Parties, as set forth in the Agreement.
- Dynamic Yield shall process Personal Data only to deliver the Services in accordance with Customer's documented instructions, the Agreement and the Data Protection Legislation. Unless permitted under the Agreement or this Addendum, Dynamic Yield shall not otherwise modify, amend, disclose or permit the disclosure of any Personal Data to any third party unless authorized or directed to do so by Customer.
- Dynamic Yield will not use Personal Data for any use other than as expressly provided in the Agreement or this Addendum. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Dynamic Yield and Customer by way of written amendment to the Agreement, and will include any additional fees that may be payable by Customer to Dynamic Yield for carrying out such instructions.
Reasonable Security and Safeguards
- Dynamic Yield represents, warrants, and agrees to use Security Measures as set out in Exhibit B, to (i) protect the availability, confidentiality, and integrity of any Personal Data collected, accessed, used, or transmitted by Dynamic Yield in connection with this Agreement, and (ii) protect such data from Breach Incidents.
- The Security Measures are subject to technical progress and development and Dynamic Yield may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by Customer.
- Dynamic Yield shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who have access to and process Personal Data. Dynamic Yield shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Customer is responsible for using and configuring the Services in a manner which enables Customer to comply with Data Protection Legislation, including implementing appropriate technical and organizational measures.
Upon becoming aware of a Breach Incident, Dynamic Yield will notify Customer without undue delay and will provide information relating to the Breach Incident as reasonably requested by Customer. Dynamic Yield will use reasonable endeavors to assist Customer in mitigating, where possible, the adverse effects of any Breach Incident.
Security Assessments and Audits
Dynamic Yield audits its compliance against data protection and information security standards on a regular basis. Such audits are conducted by Dynamic Yield’s internal audit team or by third party auditors engaged by Dynamic Yield.
Dynamic Yield shall, upon reasonable and written notice of at least thirty (30) days in advance and subject to obligations of confidentiality, allow its data processing procedures and documentation to be inspected annually by Customer (or its designee) in order to ascertain compliance with this Addendum. Dynamic Yield shall cooperate in good faith with audit requests by providing access to relevant knowledgeable personnel and documentation during regular business hours.
Cooperation and Assistance
- If Dynamic Yield receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under the Data Protection Legislation, Dynamic Yield will promptly redirect the request to Customer. Dynamic Yield will not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Dynamic Yield is required to respond to such a request, Dynamic Yield will promptly notify Customer and provide Customer with a copy of the request, unless legally prohibited from doing so.
- If Dynamic Yield receives a legally binding request for the disclosure of Personal Data which is subject to this Addendum, Dynamic Yield shall (to the extent legally permitted) notify Customer upon receipt of such order, demand, or request. Notwithstanding the foregoing, Dynamic Yield will cooperate with Customer with respect to any action taken pursuant to such order, demand or request, including ensuring that confidential treatment will be accorded to such disclosed Personal Data.
Upon reasonable notice, Dynamic Yield shall provide reasonable assistance to Customer in:
- allowing data subjects to exercise their rights under the Data Protection Legislation;
- ensuring compliance with any notification obligations of Breach Incidents to the supervisory authority and communication obligations to data subjects, as required under Data Protection Legislation;
- ensuring compliance with its obligation to carry out Data Protection Impact Assessments ("DPIA") or prior consultations with data protection authorities with respect to the processing of Personal Data. Any assistance to Customer with regard to DPIA or prior consultations will be solely at Customer's expense.
Use of Sub-Processors
- Customer shall be deemed to have consented to the engagement of the Sub-Processors listed in Exhibit C hereto.
- Customer provides a general consent to Dynamic Yield to engage onward Sub-Processors (including for the provision of cloud computing services and for personalized search solutions), provided that Dynamic Yield has entered into an agreement with the Sub-Processor containing data protection obligations that are as restrictive as the obligations under this Addendum (to the extent applicable to the services provided by the Sub-processor). Prior to engaging any new Sub-Processor, Dynamic Yield will notify Customer (email acceptable) and allow Customer thirty (30) days to object. If Customer has legitimate objections to the appointment of any new Sub-Processor(s), the parties will work together in good faith to resolve the grounds for the objection for no less than thirty (30) days.
- Customer acknowledges that, as part of the Services which Dynamic Yield provides, it may engage Sub-Processors that provide additional technological solutions as part of Dynamic Yield's services to the Customer. These service providers may also collect End Users' data (including Personal Data) from Customer's online platform, such as country of origin, search queries performed by End Users, features of End Users' browser and operating system, details about pages visited, etc. The engagement with these service providers will be done in accordance with the provisions of this section.
- Dynamic Yield will be responsible for any acts, errors, or omissions of its Sub-Processors that cause Dynamic Yield to breach any of its obligations under this Addendum.
International Data Transfers
- Dynamic Yield may transfer and process Personal Data to and in other locations around the world where Dynamic Yield or its Sub-processors maintain data processing operations as necessary to provide the Services as set forth in the Agreement.
- If Dynamic Yield (or its Sub-Processors) processes Personal Data from the EEA or Switzerland in a jurisdiction that is not an Approved Jurisdiction, Dynamic Yield shall ensure that it (or the relevant Sub-Processor) has a legally approved mechanism in place to allow for the international data transfer. If Dynamic Yield intends to rely on the Standard Contractual Clauses, then the following shall apply: The applicable parties shall be deemed to have entered into the applicable Module of the Standard Contractual Clauses, which are incorporated into this Addendum by reference, including the amendments set out in Exhibit D. If such Standard Contractual Clauses are superseded by new or modified Standard Contractual Clauses, the new or modified Standard Contractual Clauses shall be deemed to be incorporated in this Addendum and the parties will promptly begin to comply with them. Dynamic Yield will abide by the obligations set forth under the Standard Contractual Clauses for the data importer.
Data Retention and Destruction
Dynamic Yield will only retain Personal Data for as long as Services are provided to Customer in accordance with this Agreement. Following expiration or termination of the Agreement, upon Customer's request Dynamic Yield will delete or return to Customer all Personal Data in its possession as provided in the Agreement, except to the extent Dynamic Yield is required by applicable law to retain some or all of the Personal Data (in which case Dynamic Yield will implement reasonable measures to prevent the Personal Data from any further processing). The terms of this Addendum will continue to apply to such Personal Data.
Obligations under the CCPA
- Dynamic Yield shall not Sell the Personal Data (as the term "Sell" is defined under the CCPA).
- Dynamic Yield is prohibited from retaining, using, or disclosing Personal Data for a commercial purpose other than providing the services to Customer under the Agreement and from retaining, using, or disclosing the Personal Data outside of the Agreement.
- Dynamic Yield understands its obligations under this Clause 11 and will comply with them.
Liability and Indemnification
Customer will indemnify, defend, and hold Dynamic Yield harmless against any claim, demand, suit or proceeding (including any damages, costs, reasonable attorney’s fees, and settlement amounts) made or brought against Dynamic Yield by a third party alleging that Personal Data received by Dynamic Yield from Customer or processed by Dynamic Yield in accordance with Customer’s instructions, is in breach of Data Protection Legislation.
- Dynamic Yield acknowledges and agrees that it has no ownership of Personal Data other than as expressly permitted under the Agreement or as authorized by Customer.
- Any claims brought under this Addendum will be subject to the terms and conditions of the Agreement, including the exclusions and limitations set forth in the Agreement, provided however that in no event will any party be deemed to have limited its liability under the Agreement with respect to any individual’s data protection rights under this Addendum or pursuant to applicable law.
- In the event of a conflict between the Agreement (or any document referred to therein) and this Addendum, the provisions of this Addendum shall prevail.
- Dynamic Yield may modify the terms of this Addendum in circumstances such as (i) if required to do so by a supervisory authority or other government or regulatory entity, (ii) if necessary to comply with Data Protection Legislation, or (iii) to implement or adhere to standard contractual clauses, approved codes of conduct or certifications, binding corporate rules, or other compliance mechanisms, which may be permitted under Data Protection Legislation. Dynamic Yield will provide notice of such changes to Customer, and the modified Addendum will become effective, in accordance with the terms of the Agreement.
(If the Standard Contractual Clauses apply, then this Exhibit A will also serve as Annex I)
A. Identification of Parties
"Data Exporter": Customer;
"Data Importer": Dynamic Yield.
B. Description of Transfer
The Personal Data transferred concern the following categories of Data Subjects (please specify):
▭ Other: __________
Categories of Personal Data
The Personal Data transferred concern the following categories of data (please specify):
⌧ Email address etc. (Sharing of email addresses is optional and is not an integral part of the services)
▭ Financial and payment data (e.g. credit card number, bank account, transactions)
▭ Governmental IDs (passport, driver's license)
⌧ Device identifiers and internet or electronic network activity (Dynamic Yield will only process IP address information for logging purposes, without any additional processing or retention of such data)
▭ Geo-location information
▭ Other: __________
Special Categories of Data (if appropriate)
The Personal Data transferred concern the following special categories of data (please specify):
▭ Genetic or biometric data
▭ Health data
▭ Racial or ethnic origin
▭ Political opinions, religious or philosophical beliefs
▭ Other: __________
The frequency of the transfer
▭ Other: __________
Nature of the processing
▭ Organization or structuring
▭ Adaptation or alteration
▭ Disclosure, dissemination or otherwise making available
▭ Erasure or destruction
▭ Other: __________
Purpose of the transfer and further processing
As defined in the Agreement.
Personal Data will be retained for the term of the Agreement, unless Customer requests otherwise.
The Supervisory Authority will be set in accordance with the provisions of Clause 13 of the Standard Contractual Clauses.
(If the Standard Contractual Clauses apply, then this Exhibit B will also serve as Annex II)
Technical and organizational measures
- This Exhibit B outlines the technical and organizational measures for safeguarding Personal Data undertaken by Dynamic Yield, in support of our global security framework.
- We take a systematic approach to data protection, privacy, and security. We believe a robust security and privacy program requires active involvement of stakeholders, ongoing education, internal and external assessments, and installment and enforcement of best practices within the organization.
- We hold ISO 27001, ISO 27017, ISO 27701, and ISO 27018 certifications.
Organizational and Personnel Management
- We have appointed a Chief Information Security Officer (CISO) who designs, develops, and deploys our technical architectures, security policies, standards, and awareness program along with our Security and IT teams, and who can be reached at CISO@dynamicyield.com.
- We have also appointed a Data Privacy Officer (DPO), who can be reached at firstname.lastname@example.org, and who oversees our privacy program.
- Our annual Risk Assessment includes an Information Security Audit, owned, operated and maintained by the CISO. Its results are presented to the steering committee and afterwards to management during management security reviews.
- Dynamic Yield's physical servers are managed by Amazon Web Services ("AWS") and overseen by Dynamic Yield's team. AWS is widely regarded as employing highly protective, industry-standard measures ensuring the security of the physical servers it manages, and is relied upon by thousands of technology providers around the world (more on AWS security measures can be found here: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf).
- Dynamic Yield has implemented suitable measures in order to prevent unauthorized persons from gaining access to its resources and equipment, regardless of whether those resources are directly related to where Personal Data are processed or used. These measures may include all or a combination of any of the following:
  - Maintaining offices which are within facilities requiring registration for entry and accompaniment beyond the front entrance.
  - Strict measures to ensure that all visitors are accompanied, and awareness among employees to challenge any exceptions.
  - Restricted access to areas including any communications or other technological equipment, on an employee role basis.
  - A high-security card key system is utilized to control facility access.
  - CCTV video surveillance monitoring on all entry and exit points.
- Dynamic Yield personnel are trained and briefed about contractual obligations undertaken by Dynamic Yield towards its clients with respect to data security, and their compliance therewith is monitored by company management.
- All Dynamic Yield employees and contractors are required to sign confidentiality agreements (“NDAs”) that apply during their engagement with Dynamic Yield and post termination.
- New employees go through an on-boarding process that includes security guidelines, expectations, and code of conduct. All Dynamic Yield's employees undergo annual security awareness training.
- The CISO communicates with all employees on a regular basis, covering topics such as emerging threats, phishing awareness campaigns, and other industry-related security topics.
- A formal and communicated disciplinary process is in place against employees who have committed an information security breach.
Third Party Security
- Third parties used by Dynamic Yield are assessed by third-party questionnaires and a certification review prior to engagement, to validate that prospective third parties meet Dynamic Yield's security standards.
- Once an engagement has been established, an annual review of applicable vendors is conducted. The annual review is performed by the DPO, the legal team and the CISO. The procedure takes into account the type of access and classification of data being accessed (if any), the controls necessary to protect that data, and legal/regulatory requirements.
Logical Access Control
- Access to the AWS console is managed by personal password-protected user accounts, managed through the AWS Identity and Access Management (IAM) service.
- MFA is enforced for access to our production environment.
- All users access the Dynamic Yield systems with a unique identifier and must authenticate via Dynamic Yield's SSO (Single Sign On) platform.
- We have established a password policy that prohibits the sharing of passwords. All passwords must fulfill defined minimum requirements and are stored in encrypted form.
- Automatic lockout of the user ID when several erroneous passwords are entered.
- Automatic time-out of the user terminal if left idle; identification and password required to reopen.
- Role-based access controls implemented in a manner consistent with the principle of least privilege.
- Granting of access according to a strict formal procedure and periodic review of the access.
- Employee’s access to production systems that contain personal data is logged, audited and reviewed on a regular basis.
Monitoring & Control
- We utilize a wide range of tools to monitor our environment across data centers on both the server and application level. Security logs are distributed into our main logging aggregation server and continuously reviewed for anomalies by our 24x7 NOC team.
- We use AWS Config to assess, audit, and evaluate the configurations of our AWS resources.
Security in Development and Support Process
- We use an industry-standard security model in our platform development process.
- We design, review and test our platform using applicable OWASP Top 10 standards.
- Our developers and project team members receive training at least once a year in application security while focusing on secure software development.
- Our production environment is segregated from our development and staging environments with restricted access controls.
- Periodic penetration tests are carried out by rotating third-party companies at least annually.
Privacy by Design
- We incorporate Privacy by Design principles for systems and enhancements at the earliest stage of development, as well as educate all employees on security and privacy annually.
Workstation and Laptop Protection
- We use up-to-date anti-malware/antivirus software on all appropriate laptops.
- We implement protections on end-user devices and monitor those devices for compliance with the security standard, which requires password protection, a screen saver, and patch management.
- We follow a strict change management process.
- Changes are tracked, reviewed and approved to ensure operational changes are aligned with our business objectives and compliance requirements.
- Our customers' data is stored separately from all other data, and is accessed only as required for content composition by the specific component responsible for the content sent.
- Each customer's Personal Data is encrypted with a different key, thus preventing the risk of data corruption and commingling of data between Dynamic Yield customers.
Infrastructure & Network Security
- Remote access via SSL VPN using two-factor authentication.
- We review our network architecture schema and data flows, including firewall rules and access restrictions on a regular basis.
- Our internal corporate Wi-Fi LAN is separated from the guest Wi-Fi, encrypted with WPA2-PSK and protected by a complex password.
- We establish a vulnerability and patch management process for our systems which includes technical vulnerability assessments, patch testing, patch deployment and verification.
- Data in Transit - Any Personal Data is encrypted during transmission using up-to-date versions of TLS (1.2 or higher).
- Data at Rest - Personal Data is stored in encrypted RDS with a strong encryption algorithm (RSA 4096 key).
- We implement protections to secure portable storage media from damage, destruction, theft or unauthorized copying.
- All Dynamic Yield data is stored on AWS which is trusted by thousands of businesses to store and serve their data and services. As Dynamic Yield data is all stored on the cloud (AWS) and nowhere on any proprietary physical servers, there is no risk of any disaster affecting Dynamic Yield’s ability to maintain business continuity or data completeness.
- We perform backups, which are tested regularly.
- Architecture which eliminates single points of failure, both with regards to AWS based production and relevant Dynamic Yield critical supporting resources, up to and including full disaster recovery.
- We have sophisticated internal procedures including release control and approvals, following security best practices.
- We have established a business continuity plan that enables the company to respond quickly and remain resilient in the event of most failure modes, including natural disasters and system failures.
- To ensure effective and orderly response to incidents pertaining to personal data, we defined an incident response plan with detailed procedures.
- The incident response plan includes a list of possible mitigation actions and clear assignment of roles.
- In the event of a security breach, Dynamic Yield will notify customers without undue delay after becoming aware of the security breach.
- Emphasis is placed on documentation, to support the processes and procedures noted in this document and to enable audit should the need arise, in keeping with regulatory dictates and best practices.
- Dynamic Yield conducts regular internal and external audits of its security, led by the CISO.
- Dynamic Yield has appointed a Data Privacy Officer responsible for overseeing the implementation of the privacy program at Dynamic Yield.
- We are committed to confidentiality, data privacy and security of our customers and their end-users. We are investing and will continue to invest extensive resources towards maintaining the highest levels of data protection, privacy and security standards. We are compliant with applicable laws and regulations, and are committed to compliance with the EU GDPR, the CCPA and related guidelines.
- We cannot guarantee that your information may not be disclosed, accessed, altered or destroyed by breach of any of our industry-standard safeguards. No method of transmission over the Internet or electronic storage is foolproof. We cannot guarantee absolute security.
- Our security measures are constantly evolving to keep up with the changing security landscape, so we may update these measures from time to time to reflect technical and organizational changes. If any security measure changes in a manner detrimental to our customers' interests, we will notify our customers of such changes.
(If the Standard Contractual Clauses apply, then this Exhibit C will also serve as Annex III)
| Company Name | Country in (or from) which processing takes place | Scope of services provided by Sub-Processor | Appropriate safeguard if processing takes place in or from a third country |
|---|---|---|---|
| Dynamic Yield Ltd.* | Israel | Provision of services and internal business processes and management, fraud detection and prevention, and compliance with governmental, legislative and regulatory bodies | Adequacy Decision |
| Dynamic Yield UK* | UK | | N/A (after Brexit: Standard Contractual Clauses) |
| Dynamic Yield Inc.* | US | | Standard Contractual Clauses |
| Dynamic Yield GmbH* | Germany | | N/A |
| SIA Dynamic Yield | Latvia | | N/A |
| JOB DONE UNIPESSOAL LDA. | Portugal | | N/A |
| Amazon Web Services (AWS) | US or EU (based on customer's request) | Cloud computing services | Standard Contractual Clauses |
* Does not apply if it is the contracting entity listed in the Order Form
Standard Contractual Clauses Stipulations
- Dynamic Yield acts as a Processor of Customer's Personal Data. Accordingly, the Parties shall be deemed to enter into the Controller to Processor Standard Contractual Clauses (Module Two).
- This Exhibit D sets out the Parties' agreed interpretation of their respective obligations under Module Two of the Standard Contractual Clauses.
The Parties agree that for the purpose of transfer of Personal Data between Dynamic Yield (Data Importer) and the Customer (Data Exporter), the following shall apply:
- Clause 7 of the Standard Contractual Clauses shall not be applicable.
- In Clause 9, option 2 shall apply. The Data Importer shall inform the Data Exporter of any intended changes to the list of Sub-Processors at least thirty (30) days prior to the engagement of the Sub-Processor. Exhibit C shall be updated accordingly.
- In Clause 11, Data Subjects shall not be able to lodge a complaint with an independent dispute resolution body.
- In Clause 17, option 1 shall apply. The Parties agree that the clauses shall be governed by the law of Ireland.
- In Clause 18(b) the Parties choose the courts of Dublin, Ireland as their choice of forum and jurisdiction.
- The Parties have completed Annexes I–III above, which are incorporated in the Standard Contractual Clauses by reference.