Data Processing Agreement Data Suppliers

printer icon

Issued: August 2024

Eyeota Data Processing Agreement

Data Supply to Eyeota

Eyeota Pte. Ltd., whose registered office is at 31 Hongkong Street, #03-01, Singapore 059670 (“Eyeota”) and Company (as defined in Annex I), and collectively, the “Parties”) have entered into a Master Data Supply Agreement (the “Agreement”) that incorporates this Data Processing Agreement by reference.  
    
The Parties agree to comply with the following provisions with respect to any Personal Data of data subjects located in a jurisdiction governed by Data Protection Laws in connection with the Agreement. References to the Agreement will be construed as including this DPA. To the extent that the terms of this DPA differ from those in the Agreement, the terms of this DPA shall govern.

1. Definitions

1.1 “Affiliates” means any entity which is controlled by, controls or is in common control with one of the Parties.

1.2 “Data Protection Laws” means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including but not limited to, as applicable: (a) the GDPR; (b)  The UK General Data Protection Regulation; (c) the Federal Data Protection Act of 19 June 1992 (Switzerland); (d) The Personal Information Protection Act (PIPA) of South Korea; (e) The Act on the Protection of Personal Information ("APPI") of Japan; (f) the Singapore Personal Data Protection Act (PDPA); (g) The Australia Privacy Act; (h) The Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada; and/or (i) U.S. Privacy Laws and applicable to the Processing of Personal Data under the Agreement.

1.3 “Data Subject” means the individual to whom Personal Data relates.

1.4 “Effective Date” shall have the meaning ascribed to such term in Section 11.
 
1.5 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.6 “Security Breach” has the meaning set forth in Section 7 of this DPA.

1.7 “Sensitive Information” means information defined as “sensitive” or “special category” about an individual or household under Data Protection Laws, including but not limited to: financial account numbers, insurance plan numbers, precise information about health or medical conditions, medical records or pharmaceutical prescriptions, government-issued identifiers (such as a Social Security number), race, ethnicity, religion, trade union membership, sexual orientation, genetic or biometric information and precise location information such as GPS coordinates.

1.8 “Sub-processor” means any sub-processor engaged by Eyeota for the Processing of Personal Data.
 
1.9 Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.
 
1.10 “Term” means the period from the Effective Date to the date the DPA is terminated in accordance with Section 10.1.
 
1.11 “Third Party Partner” means any entity other than a Sub-processor engaged by a Party for the Processing of Personal Data.

1.12 “U.S. Privacy Laws” means any U.S. state or federal privacy or security law and/or self-regulatory code that are in effect during the Term, and which apply to Personal Information processed pursuant to the Agreement, including but not limited to the Virginia Consumer Data Protection Act, the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Protection Act, the Utah Consumer Privacy Act, each as amended, replaced or supplemented from time to time, and all subordinate legislation made under them, together with any codes of practice, regulations or other guidance issued by the governments, agencies, data protection regulators, or other authorities in the relevant countries, states or other jurisdictions, and (to the extent applicable to the Parties) the NAI and DAA self-regulatory codes.
 
1.13 The terms "Controller", “Personal Data”, “Personal Information”, “Processor”, “Processed”,  “Processing” and “Service Provider” have the meanings given to them in Data Protection Laws.

2. Processing of Personal Data – Arrangement Between Controllers

2.1 The Parties agree that, as each determines the purposes and means of the processing of their respective data, Partner and Eyeota are Controllers with respect to the processing of Personal Data under this DPA as described in Annex I. Both Parties shall keep a record of all Processing activities with respect to Personal Data covered under this DPA where required under Data Protection Laws.

2.2 Each of the Parties represent and warrant that it understands the rules, restrictions, requirements and definitions of the Data Protection Laws and agrees to adhere to the requirements of the Data Protection Laws that applies to each Party’s processing of Personal Data and/or Personal Information for the Services stated in the Agreement, including, but not limited to: a) having a privacy policy in compliance with Data Protection Laws; and b) providing Data Subjects with a privacy notice, opt-out choice and obtaining Data Subject consent where required by Data Protection Laws. Both Parties will use reasonable attempts to avoid providing “Sensitive Information” to the other Party except as otherwise agreed in writing (e.g., to provide each other with bank details to facilitate payments between the Parties). Both Parties further agree that Eyeota is not responsible for the privacy or security practices of any of Partner’s Third Party Partners. Partner recognizes that any Personal Data provided to Eyeota in connection to the Services must have been collected pursuant to a privacy notice that clearly describes the Permitted Purposes outlined below.

2.3 The Business Purpose(s); Any Personal Data provided in connection with this Agreement is provided only for the following business purpose(s): (a) providing advertising and marketing services, (b) assigning pseudonymous identifiers to Personal Data in order to target ads via automated advertising and media purchasing technology platforms such as Demand Side Platforms (“DSPs”) and similar advertising platforms, (c) Processing to comply with other reasonable instructions provided by a Party where such instructions are acknowledged by the other Party as consistent with the terms of the Agreement. Either Party may also Process Personal Data other than on the instructions of the other Party if it is mandatory under applicable law to which such Party is subject and will notify the other Party unless the law prohibits such notification.  Each of the aforementioned purposes is deemed a “Permitted Purpose” of Personal Data. During the Term of the Agreement, both Parties shall only Process Personal Data it receives in connection with the Services on behalf of and in accordance with the Permitted Purposes as laid out in this DPA.

3. Rights of Data Subjects; Data Deletion

3.1 Each Party is separately responsible for honouring Data Subject access requests under Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) and responding to correspondence, inquiries and complaints from data subjects. Each Party shall provide reasonable and timely assistance to the other Party as necessary to help facilitate compliance with this Section 3.1. Any expense incurred in connection with any Data Subject access request shall be borne by the Party to whom which the relevant data belongs as set forth in the Agreement.

4. Eyeota and Partner Personnel

4.1 Both Parties shall ensure that their respective personnel engaged in the Processing of Personal Data under this DPA are informed of the confidential nature of the Personal Data as well as any security obligations with respect to such Data.

4.2 Eyeota will take appropriate steps to ensure compliance with the Security Measures outlined in Annex II by its personnel to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data covered under this DPA have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that any such obligations survive the termination of that individual’s engagement with Eyeota. With respect to any Personal Data Processed by Partner or transferred to Eyeota under this DPA, Partner hereby represents and warrants that its security measures are at least as stringent as those of Eyeota with respect to Partner’s Processing of Personal Data pursuant to this Agreement and that Partner will provide an overview of its security measures in a form comparable to Annex II which demonstrate its compliance with applicable laws.

4.3 The Parties shall ensure that access to Personal Data covered under this DPA is limited to those personnel who require such access to ensure the delivery of the Services.

5. Sub-processors

5.1  The Parties acknowledge and agree each Party may, upon written notice to the other Party, engage third-party Sub-processors in connection with the provision of the Services. Any such Sub-processors will be permitted to obtain Personal Data only in conjunction with the services or Permitted Purposes as set forth in the Agreement, and are prohibited from using Personal Data for any other purpose. A Party retaining a Sub-processor shall have a written agreement with each Sub-processor and agrees that any agreement with a Sub-processor shall include substantially the same data protection obligations as set out in this DPA.

5.2 A list of Eyeota’s Sub-processors is available on Eyeota’s website at www.eyeota.com/privacy-policy/sub-processors. Partner will provide a list of any applicable Sub-processors, in the overview of security measures or otherwise, as required by law. A Party may change the list of such other Sub-processors by no less than 10 business days’ notice. If a Party objects to the other Party’s change in such Sub-processors, the Party seeking to change Sub-Processors may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Services that cannot be reasonably provided without the objected-to new Sub-processor by providing 30 days’ written notice to the other Party. Where a Party is processing Personal Data covered under these Terms, said Party agrees that Processors it has engaged will be treated as Sub-processors solely with respect to the requirements under this Section 6.

5.3 The Parties shall be liable for the acts and omissions of their respective Sub-processors to the same extent that each Party would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.

5.4 The Parties acknowledge and agree that Third Party Partners are not Sub-processors and each Party assumes no responsibility or liability for the acts or omissions of such Third Party Partners.

6. Security; Audit Rights; Privacy Impact Assessments

6.1 Each Party shall maintain, in writing, reasonable security procedures and practices which include administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data it Processes under this DPA. Eyeota will implement and maintain technical and organizational measures to protect such Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Annex II (the "Security Measures"). Partner represents and warrants that it has implemented Security Measures that are at least as stringent as those outlined in Annex II As described in Annex II, the Security Measures include measures to encrypt Personal Data; to help ensure ongoing confidentiality, integrity, availability and resilience of Eyeota’s systems and services; to help restore timely access to Personal Data following an incident; and for regular testing of effectiveness. The Parties may update or modify their Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.

6.2 Both Parties will (taking into account the nature of the processing of Personal Data under this DPA) cooperatively and reasonably assist each other in ensuring compliance with any of each other’s respective obligations with respect to the security of Personal Data and Personal Data breaches under this DPA, including (if applicable) any obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) implementing and maintaining the Security Measures in accordance with, or more stringent than Annex II; and (b) complying with the terms of Section 7 of this DPA.

6.3 Both Parties will (taking into account the nature of the processing of Personal Data under this DPA) cooperatively and reasonably assist each other in ensuring compliance with any each other’s respective obligations with respect to any obligations pursuant to Articles 35 of the GDPR (covering data protection impact assessments).

6.4 A Party may engage a mutually agreed upon third party to audit the other Party solely for the purposes of meeting its audit requirements pursuant to Article 28, Section 3(h) of the GDPR. To request an audit, a Party must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. 

The auditor must be approved in advance by the Party that is to be audited (such approval may not be unreasonably withheld) and execute a written confidentiality agreement acceptable to the Party that is to be audited before conducting the audit. The audit must be conducted during regular business hours, subject to the audited Party’s policies, and may not unreasonably interfere with the audited Party’s business activities. Any such audits are to be at the expense of the Party requesting the audit and any request for the audited Party to provide assistance which requires the use of resources different from or in addition to those required by law may be charged as a separate service by the audited Party under a reasonable fee structure that takes into account the resources expended by the audited Party. The Party that requested the audit shall promptly notify the audited Party with information regarding any non-compliance discovered during the course of an audit.

7. Security Breach Management and Notification

7.1 If either Party becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on the other Party’s equipment or facilities under this DPA (“Security Breach”) which, in the reasonable opinion of that Party’s Data Protection Officer, requires such notification, such Party will promptly notify the other Party of the Security Breach. Notifications made pursuant to this section will take place within a reasonable time and certainly no longer than three business days after discovery and shall describe, to the extent possible, details of the Security Breach, including steps taken to mitigate the potential risks and any recommended steps that either or both Parties should take to address the Security Breach. Each Party will promptly investigate the Personal Data Breach if it occurred on its infrastructure or in another area it is responsible for and will assist the other Party as reasonably necessary for both Parties to meet their obligations under Data Protection Laws.

7.2 Both Parties agree that an unsuccessful Security Breach attempt will not be subject to this Section 7. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Personal Data processed pursuant to this DPA or to any of either Party’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.

7.3 Notification(s) of Security Breaches, if any, will be delivered to one or more of the other Party’s business, technical or administrative contacts by any reasonable means, including via email. It is each Party’s responsibility to ensure it maintains accurate contact information.

7.4 Any notification of or response to a Security Breach under this Section 7 will not be construed as an acknowledgement by either Party of any fault or liability with respect to the Security Breach.

7.5 Each Party shall implement reasonable technical and organizational Security Measures to provide a level of security appropriate to the risk in respect to the Personal Data. As technical and organisational measures are subject to technological development, the Parties are entitled to implement alternative measures provided they are at least as protected as those offered by the Security Measures and they do not fall short of the level of data protection set out by Data Protection Law.

8. Return and Deletion of Personal Data

8.1 Both Parties will comply with instructions from the other Party to delete certain Personal Data as soon as reasonably practicable and within a maximum period of 30 days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.

8.2 On expiry of the Agreement, both Parties hereby instruct the other to delete all Personal Data (including existing copies) from their respective systems and discontinue processing of such Personal Data in accordance with Data Protection Law as soon as reasonably practicable and within a maximum period of 60 days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage. This requirement shall not apply to the extent that the Personal Data has been archived on back-up systems so long as such Personal Data is isolated and protected from any further processing except to the extent required by applicable law.

9. Cross-Border Data Transfers

9.1 The Parties may, subject to this Section 9, store and process the relevant Personal Data in the European Economic Area, in addition to various locations outside of the European Economic Area. Eyeota’s data storage locations and other details about the locations of Eyeota personnel are published on Eyeota’s website at the following location www.eyeota.com/privacy-policy/data-centres. Partner will provide a summary of its data storage locations in its Security Measures.

9.2 Given that the Services involve the storage and/or Processing of Personal Data which transfers such Personal Data out of the European Economic Area or Switzerland to a jurisdiction that does not have adequate Data Protection Laws, and the Data Protection Laws apply to the transfers of such data (“Transferred Personal Data”), the Parties agree that the EU Commission Implementing Decision (EU) 2021/914 and available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (as amended or updated from time to time) ("Standard Contractual Clauses") will apply and such Standard Contractual Clauses shall be incorporated by reference and form an integral part of this DPA. Purely for the purposes of the descriptions in the Standard Contractual Clauses and only as between Partner and Eyeota, the Parties agree that: (a) Roles: the Parties agree that Eyeota is a "data importer" and Partner is the "data exporter" under the Standard Contractual Clauses. (b) Governing Law and Supervisory Authority: The Standard Contractual Clauses shall be governed by the law of the EU Member State in which the data exporter is established and enforced by the Supervisory Authority of such EU Member State; (c) Sub-Processors: the Parties select general written authorization for Sub-processors; (d) Redress: The Parties elect to omit the optional text; and (e) Annex I, II and III are provided at the end of this DPA as Appendix A and to the extent that there’s a conflict as between the DPA and the Appendix A, the Appendix A shall govern.

9.3 The Parties further agree that if Transferred Personal Data includes UK Personal Data, and the Data Protection Laws apply to the transfers of such data, both Parties agree that the Standard Contractual Clauses for transfers reflecting the roles of the Parties as described in the DPA in the form approved by the UK Information Commissioner's Office and currently available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf (as amended or updated from time to time) ("UK Standard Contractual Clauses") shall be incorporated by reference and form an integral part of this DPA. For the purposes of the UK Standard Contractual Clauses, Appendix A of these Terms shall take the place of Annex 1, Annex II and Annex III respectively of the UK Standard Contractual Clauses.

9.4 If the Standard Contractual Clauses or any other model clause transfer agreement are deemed invalid by a governmental entity with jurisdiction over Transferred Personal Data (e.g., the EU Court of Justice) or if such governmental entity imposes additional rules and/or restrictions regarding such Transferred Personal Data, the Parties agree to work in good faith to find an alternative and/or modified transfer mechanism.

10. Liability

10.1 Both Parties agree that their respective liability under this DPA shall be apportioned according to each Parties’ respective responsibility for the harm (if any) caused by each respective Party.

10.2 Liability Cap Exclusions. Nothing in this Section 10 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).

11. Miscellaneous

11.1 This DPA will take effect on the date it is executed by Partner and Eyeota at the bottom of this Agreement (the “Effective Date”) and will remain in effect until, and automatically expire upon, the deletion of all Personal Data by Eyeota or Partner through the Services as described in this DPA.

11.2 Nothing in this DPA shall impact either Party’s intellectual property rights with respect to Personal Data provided by such Party under the Agreement except to the extent required by applicable law.

11.3 Nothing in this DPA shall confer any benefits or rights on any person or entity other than the Parties to this DPA. 

11.4 This DPA may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute the one Agreement.

11.5 Both Parties agree to notify the other Party within five (5) business days if it (i) has reason to believe that it is unable to comply with any of its obligations under this DPA and it cannot cure this inability to comply within a reasonable timeframe; or (ii) becomes aware of any circumstances or change in Data Protection Laws that is likely to prevent it from fulfilling its obligations under this DPA.  If this DPA, or any actions to be taken or contemplated to be taken in performance of this DPA, does not or would not satisfy either Party’s obligations under such Data Protection Laws, the Parties will negotiate in good faith an amendment to this DPA. If such negotiations fail, Partner reserves the right to take reasonable and appropriate steps to stop and remediate any non-compliance or unauthorized processing of Personal Data, including by terminating the Agreement without penalty.

Appendix A

Annex I

Data Subject to Transfer Under this DPA

Data Subjects

The personal data transferred concern the following categories of data subjects:

For data exporters who are exporting data from websites and other digital mediums, the data subjects of concern are the users of these websites and other digital mediums. For data exporters who are exporting aggregated or de-identified data from offline data sources, no personal data is transferred.

Purposes of transfer(s)

The transfer is made for the following purposes:

  1. Enable data importer to license such personal data segments to advertisers, advertisers’ agents and online publishers as described in the Agreements.
  2. Supporting an advertising funded internet
  3. Providing aggregated reporting to data exporters and advertisers
  4. Facilitate cross-device mapping in order to better and measure interest-based advertising and provide a more unified advertising experience for users
  5. Provide aggregated data for data importer’s internal reporting, reporting industry trends & market research

Categories of data

The personal data transferred concern the following categories of data:

Where the data exporter is exporting data from websites and other digital mediums, the personal data transferred includes data on user behaviour or demographic information collected through pixels placed on the data exporter's website and/or digital mediums, IP addresses, cookie identifiers and other pseudonymous identifiers of the users of the data exporter's website and/or digital mediums which comprises: browser type and version, browser plug-in types and versions, device operating system and platform, device unique advertising ID, products viewed or searched for, time when event occurred, and country associated with the user.

Where the data exporter is providing aggregated or de-identified data from offline data sources, no personal data is transferred. This offline data only becomes personal data when connected to a cookie ID, IP address, or if there are sufficiently few dwellings within a postcode for the postcode itself to constitute personal data.

Recipients

The personal data transferred may be disclosed only to the following recipients or categories of recipients:

The list of organisations receiving data from data exporter can be found at the following website: www.eyeota.com/privacy-policy/integrations

Sensitive data (if appropriate)

The personal data transferred concern the following categories of sensitive data:

No personal data is transferred on users within the European Union which concern the special categories of data as defined by Article 9.1 of the GDPR.

Processing operations

The personal data transferred will be subject to the following basic processing activities:

The data importer will access, reproduce, display and store the relevant personal data, including, IP addresses, in order to provide the services as set out in the Agreement between data importer and data importer (together, the “Parties”) on the date specified below and for no other purposes whatsoever.

Contact points for data protection enquiries

Data importer
ePrivacy GmbH, represented by Christoph Bauer
Große Bleichen 21, 20354 Hamburg
info@eprivacy.eu
+49 40 609451 810 

Eyeota Pte Ltd
Privacy@eyeota.com

Data exporter
The counterparty to Eyeota in the Master Data Supply Agreement (“Company”)

Annex II

Security Measures

Description of the technical and organisational security measures implemented by the data importer (the “Security Measures”).

1. Physical Access control

Please describe measures to prevent unauthorised access to data processing systems with which the personal data is processed and used:

Eyeota utilises cloud providers for the operation of its technology platform and services. A list of Eyeota’s cloud service providers can be found at www.eyeota.com/privacy-policy/sub-processors 

All of Eyeota’s data centres have strict policies for authorisation of access into the facilities. All Eyeota’s cloud providers follow appropriate policies required by external audits. All of Eyeota’s internal personnel are vetted prior to allowing access to data centres.

In addition Eyeota also operates own servers and infrastructure housed in the Telehouse data centre in Singapore. Only key personal at Eyeota have physical access to these servers and the facility is protected by CCTV, biometric security and 24/7 on site guards. Access permissions to the facility are granted/revoked by Eyeota’s Chief Technology Officer and may be updated from time to time.
Office access to the Singapore office is permissioned by an electronic code, which is changed by Eyeota’s Singapore Office Manager whenever a Singapore-based staff member ceases their employment with Eyeota. All laptops are password secured.

2. Denial-of-use control

Please describe measures to prevent unauthorised use of data processing systems:

All systems level access is based on role-based security. Additional measures are in place such as VPN and other security measures prior to system level access being available, as described below. All end user level access to Eyeota’s systems is based on role-based security. End user shared accounts are not allowed. 

Eyeota undertakes the following actions, among others, to ensure that persons authorised to use the Eyeota platform or access data processing infrastructure can only access the data underlying their access authorisation and that stored data or data undergoing processing cannot be read, copied, altered, or removed without authorisation.

Eyeota's employees access infrastructure components with both key based authentication and password-based authentication.

Partners of Eyeota may be granted access to the Eyeota “User Interface”, an externally facing reporting tool built specifically for Eyeota’s customers. Access to the User Interface is limited via a username and a password to the customer’s authorised persons and additionally to equivalently authorised Eyeota employees. Logical infrastructure configuration prevents the access of one customer’s data by another customer.

3. Data Access control

Please describe measures to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorisation in the course of processing or use and after storage:

Eyeota controls personnel access to production servers, and only provides access to a limited number of authorised personnel. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. Eyeota requires the use of strong passwords; and carefully monitored access lists to minimise the potential for unauthorised account use. The granting or modification of access rights is based on: the authorised personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; a need-to-know basis; and must be in accordance with Eyeota’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes.

In addition, Eyeota has implemented several security related policies that govern the use of Eyeota’s technology and data including rules around acceptable use, data classification, information security, an incident response plan, and the use of passwords.

4. Data Transmission control

Please describe measures to ensure that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or transport or storage on data media, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged:

Data is encrypted by measures such as SSL or similar. Personal data shall not be transferred outside the scope as authorised under the Clauses, or as otherwise authorized by the Party transmitting the data.

5. Data Entry control

Please describe measures to ensure that it is possible to check and establish whether and by whom personal data has been input into data processing systems, modified, or removed:

Eyeota ingests personal data in a systemic manner only through the use of data management computing systems. Personal data is not entered, modified or deleted manually by data entry operators or any other staff. Interaction with data stores containing personal data is only by technical staff subject the prevailing procedures for access to these data management systems.

6. Job / sub-contractor control

Please describe measures to ensure that, in the case of commissioned processing of personal data, the data is processed strictly in accordance with the instruction of the Party that is transmitting the data:

Partner is a demand-side user of Eyeota’s technology services and therefore is to process the data in accordance with Eyeota’s instructions.

7. Availability control

Please describe measures to ensure that personal data is protected from accidental destruction or loss:

Data is kept in a storage framework with at least 2 copies natively made and stored. Additionally, Eyeota either replicates data between data centres or takes backups of the data for rapid recovery in the event of a disaster.

8. Separation control

Please describe measures to ensure that data collected for different purposes can be processed separately:

Eyeota maintains both a data collection platform which collects and processes personal data, as well as a UI platform which is used to both configure the data collection platform, as well as to run reports on data collected by that platform. The data separation policies for each are outlined below:

Eyeota’s data collection platform is for the purpose of enabling our primary business function which is the collection, creation, and distribution of our data products. As such, there is no need for Eyeota to undertake any particular data separation efforts for this data in our backend data processing systems.

The Eyeota User Interface system provides an internal and customer-facing interface which does allow authenticated and authorised users to fulfil two primary use cases:

  1. The input and maintenance of configuration data which is used by the platform to drive its operation. The data in this case is not personal in nature.
  2. Aggregated reports based on flows of personal data into the platform. This data is aggregated and hence not traceable back to a given user from the UI.

In both cases, data is segregated by a robust authorisation framework based on access control lists. This framework enables a multi-tenant environment, where users are only allowed to see and interact with the configuration data and reporting data to which they and their organization are entitled.

9. Physical location of data centre(s) and operating legal entity

Please give us a complete list of data centre(s) where the data will be stored.

A list of the data centres which store user data can be found at the following webpage: www.eyeota.com/privacy-policy/data-centres

10. Third Party Data Access

Is it excluded that an external company can access data of the data exporter?

Yes, excluding sub-contractors, or when Eyeota has explicitly given permission to a third party, data specific to a customer cannot be accessed by another customer or any third party.

A list of Eyeota’s sub-processors can be found here: www.eyeota.com/privacy-policy/sub-processors

A list of Eyeota’s buy-side distribution partners who have access to the data exporter’s data can be found here: www.eyeota.com/privacy-policy/integrations

11. Encryption of stored data

Please explain data encryption measures of stored data.

All connectivity to the data centres for administrators is through encrypted networks such as VPN. All authentication for end users ID done through SSL.

12. Certificates

Please let us know whether you have for the data centres where our data are processed any certificates.

Please refer to the following link for specifications of our Telehouse Data Centre provider: http://www.telehouse.com.sg/data-centers/apac-data-centers/singapore-data-centers/singapore-data-center/

13. Awareness and Training Measures

Eyeota has implemented a data protection and security awareness training program that requires all new hires to attend data protection awareness training.

Eyeota keeps industry standard controls such as data transfer logs in order to ensure that data is processed in accordance with its supply partners.

Eyeota’s security policies are designed based on industry best practices and are approved by Eyeota's Chief Technology Officer. Reviews and audits of such security policies are performed as reasonably necessary as determined by Eyeota’s security team or as otherwise required by applicable law or industry norms. Any reviews, audit results and applicable changes are presented to the senior technical team for approval or rejection.

Eyeota has undergone a data protection impact assessment as of Q2 2018 and will initiate additional DPIA’s as necessary to ensure privacy by design and privacy by default on the platform.

Supplemental Measures implemented pursuant to The European Data Protection Board (EDPB) Recommendations 01/2020 on measures which supplement Eyeota’s transfer tools to ensure compliance with the EU level of protection of personal data are available upon request.

Annex III

List of Sub-processors

The Partner has authorised the use of the following sub-processors listed at www.eyeota.com/privacy-policy/data-centres as of the date of execution of this DPA

 

We see that you have the Global Privacy Control enabled in your browser. We have turned off all but "Required" cookies which are necessary to enable the basic features of this site to function. If you wish to further exercise any applicable data subject rights (DSR) please complete the form available at Your Privacy Choices. For further information on how Dun & Bradstreet uses your personal information, please see our Cookie Policy.