Data Processing Addendum
This Data Processing Addendum (“DPA”) is incorporated by reference into the Agreement by and between Mediafly (“Vendor”) and Customer (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of EU and UK Data Protection Laws and Regulations. This DPA includes the European Union’s Standard Contractual Clauses (Controller to Processor) incorporated herein as Schedule 1, which may be executed as necessary. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
By agreeing to the Agreement, Customer enters into this DPA on its own behalf and on behalf of its Affiliates, if and to the extent Vendor Processes Personal Data for which such Affiliates qualify as Controller.
Data Processing Terms
In the course of providing the Services to Customer pursuant to the Agreement, Vendor may Process Personal Data on behalf of Customer. Vendor agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to the Services or collected and Processed by or for Customer using the Services.
“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
“Commissioner” means the UK Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Customer Personal Data” means the Personal Data which Vendor is Processing as Processor on behalf of Customer in order to provide the Services.
“Data Protection Laws and Regulations” means the EU and UK Data Protection Laws and Regulations.
“Data Subject” means the individual to whom Personal Data relates.
“EU Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their Member States, applicable to the Processing of Personal Data under the Agreement, including but not limited to: (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, including any applicable national implementations thereof (collectively the “Directive”); (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”), as amended, replaced or superseded; (iii) the Privacy and Electronic Communications Directive (2002/58/EC) (“ePrivacy Directive”) and any replacement law or regulation in the EU, and any applicable national implementing laws, regulations and secondary legislation in any Member State, in relation thereto; (iv) the guidelines, recommendations, best practice opinions, directions, decisions, and codes of conduct issued, adopted or approved by the European Commission, the European Data Protection Board, and/or any supervisory authority or data protection authority from time to time in relation to the Directive, the GDPR, the ePrivacy Directive, and any other applicable privacy and data protection laws; and (v) any judgments of any relevant court of law relating to the processing of personal data, data privacy, and data security.
“Member State” means a country that is a member of the European Union or of the European Economic Area.
“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification such as a name, an identification number, location data, an online identifier such as an IP or MAC Address or Mobile ID, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
“Sensitive Information” means Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual. The Data Controller’s transfer of Sensitive Information to Processor is subject to the terms and conditions of the Agreement.
“Standard Contractual Clauses” means, as applicable, the agreement executed by and between Vendor and Customer and attached hereto as Attachment 1 pursuant to the European Commission’s Decision 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
“Sub-processor” means any person appointed by or on behalf of the Processor, or by or on behalf of an existing Sub-processor, to process Personal Data on behalf of Controller.
“Supervisory Authority” means the Commissioner and any other national independent public authority responsible for data protection matters and which is established pursuant to EU Data Protection Laws and Regulations.
“UK Data Protection Laws and Regulations” shall mean all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Commissioner or other relevant regulatory authority and which are applicable to a party.
“UK GDPR” shall have the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller of Personal Data when it processes customer or end-user Personal Data. Consequently, Vendor is a Processor of such Personal Data. Vendor will engage Sub-processors pursuant to the requirements set forth in section 4, “Onward Transfers; Sub-processing,” below. Customer, as Controller, appoints Vendor as a Processor to process the Personal Data on Customer’s behalf.
2.2 Purpose Limitation. Vendor shall process Personal Data for the purposes set forth in the Agreement and only in accordance with the lawful, documented instructions of Customer, except where otherwise required by applicable law. The Agreement and this DPA set out Customer’s complete instructions to Vendor in relation to the processing of Personal Data and any processing required outside of the scope of these instructions (inclusive of the rights and obligations set forth under the Agreement) will require prior written agreement of the parties. Customer shall ensure that its instructions comply with all Data Protection Laws and Regulations, and that the Processing of Personal Data in accordance with Customer’s instructions will not cause Vendor to be in breach of any Data Protection Laws and Regulations. Vendor shall notify the Customer immediately if, in Vendor’s opinion, an instruction for the processing of Personal Data given by Customer infringes Data Protection Laws.
2.3 Training. Vendor shall ensure that its relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the processing, protection and confidentiality of Personal Data.
2.4 Customer agrees that (i) it will comply with its obligations under Data Protection Laws in respect of its Processing of Personal Data, including any obligations specific to its role as a Controller; and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Data Protection Laws for Vendor to Process Customer Personal Data and provide the Services pursuant to the Agreement and this DPA.
3. ROLES AND RESPONSIBILITIES
3.1 Access; Correction, Blocking and Deletion. Vendor shall rectify, erase, allow the portability of or otherwise Process Customer Personal Data and take any other measures in relation to requests from Data Subjects in relation to their rights under applicable Data Protection Laws and Regulations only in accordance with and subject to Customer’s written instructions. To the extent Customer, in its use of the Services, does not have the ability to correct, amend, block or delete Personal Data, as required by Data Protection Laws and Regulations, Vendor shall comply with any commercially reasonable request by Customer to facilitate such actions to the extent Vendor is legally permitted to do so.
3.2 Data Subject Requests. Vendor shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. Vendor shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer. Vendor shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use of the Services.
3.3 Registers of Processing Activities. Customer acknowledges that Vendor is required under Data Protection Laws and Regulations to: (a) collect and maintain written records of certain information, including the name and contact details of each Processor and/or Controller on behalf of which Vendor is acting and, where applicable, of such Processor’s or Controller’s local representative and data protection officer; and (b) make such information available to the Supervisory Authorities. Accordingly, Customer will, where requested, provide such information to Vendor via the Services or other means provided by Vendor, and will ensure that all information provided is kept accurate and up-to-date.
4. ONWARD TRANSFERS; SUB-PROCESSING
4.1 When transferring Personal Data to a third party acting as Vendor’s agent, Vendor will: (i) only transfer such Personal Data for the purposes of providing the Services under the Agreement; (ii) ascertain that the agent is obligated to provide at least the same level of protection as is set out in this DPA; and (iii) upon notice, take reasonable and appropriate steps to stop and remediate any unauthorized Processing.
4.2 With regard to Transfers of EEA Personal Data to Vendor, the parties shall assure adequate protection for the EEA Personal Data according to the approved EU Standard Contractual Clauses, a copy of which is attached hereto as Attachment 1.
4.3 Customer agrees that Vendor may engage third party sub-processors (collectively, “Sub-processors”) to process the Personal Data on Vendor’s behalf. Vendor agrees to inform Customer, in writing, no less than ten (10) days prior to changing a Sub-processor, of any changes concerning the addition or replacement of such Sub-processors, thereby giving Customer the opportunity to object to such changes. Vendor shall impose on such Sub-processors data protection terms that protect the Personal Data to the same standard provided for by this DPA and shall remain liable for any breach of the DPA caused by a Sub-processor. The list of Sub-processors utilized by Vendor is provided at https://www.mediafly.com/data-protection-policy.
5.1 Security. Vendor shall implement appropriate technical and organizational measures designed to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use (each a "Security Incident") and in accordance with Vendor’s security standards as set forth in the Agreement.
5.2 Confidentiality of Processing. Vendor shall ensure that any person that it authorizes to process the Personal Data (including its staff, agents and subcontractors) shall be subject to a duty of confidentiality (whether a contractual or a statutory duty) that shall survive the termination of their employment and/or contractual relationship.
5.3 Customer Obligations. Notwithstanding Vendor’s obligations under Sections 5.1 and 5.2 above, Customer is responsible for reviewing the information made available by Vendor relating to data security and making an independent determination as to whether the technical and organizational measures implemented by Vendor meet Customer’s requirements and legal obligations under Data Protection Laws and Regulations. Customer acknowledges that the Vendor’s security standards are subject to technical progress and further development and that Vendor may update or modify the Vendor’s security standards from time to time provided that such updates and modifications do not result in a material degradation of the overall security of the Services provided to Customer under the Agreement. Customer further agrees that, without prejudice to Vendor’s obligations under Sections 5.1 and 5.2 above: (a) Customer is responsible for its use of the Services, including making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data, securing its account authentication credentials, managing its data back-up strategies, and protecting the security of the Customer Personal Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Personal Data uploaded to the Services; and (b) Vendor has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of Vendor’s and its Sub-processors’ systems (for example, offline or on premise storage).
5.4 Security Incidents. Upon becoming aware of a Security Incident that is reasonably likely to require a data breach notification by Customer under Data Protection Laws and Regulations, Vendor shall, without undue delay, pursuant to the terms of the Agreement, notify Customer, and shall provide such timely information as Customer may reasonably require to enable Customer to fulfil any data breach reporting obligations under Data Protection Laws and Regulations, taking into account the nature of the Services, the information available to Vendor, and any restrictions on disclosing the information, such as confidentiality. Vendor will take steps to immediately identify and remediate the cause of such Security Incident. Customer agrees that: (a) an unsuccessful Security Incident will not be subject to this Section 5. An unsuccessful Security Incident is one that results in no unauthorized access to the Customer Personal Data or to any of Vendor’s equipment or facilities storing the Customer Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and (b) Vendor’s obligation to report or respond to a Security Incident under this Section 5 is not and will not be construed as an acknowledgment by Vendor of any fault or liability of Vendor with respect to the Security Incident.
6.1 Data Subjects' Rights. Vendor shall provide commercially reasonable assistance, including by appropriate technical and organizational measures as reasonably practicable, to enable Customer to respond to any inquiry, communication or request from a Data Subject seeking to exercise his or her rights under Data Protection Laws and Regulations, including rights of access, correction, restriction, objection, erasure or data portability, as applicable. In the event such inquiry, communication or request is made directly to Vendor, Vendor shall promptly inform Customer by providing the full details of the request. For the avoidance of doubt, Customer is responsible for responding to Data Subject requests for access, correction, restriction, objection, erasure or data portability of that Data Subject's Personal Data.
6.2 Data Protection Impact Assessments and Prior Consultation. Vendor shall, to the extent required by Data Protection Laws and Regulations, provide Customer with reasonable assistance with data protection impact assessments or prior consultations with supervisory authorities that Customer is required to carry out under Data Protection Laws and Regulations.
7. ADDITIONAL TERMS RELATING ONLY TO STANDARD CONTRACTUAL CLAUSES
7.1 To the extent that the Standard Contractual Clauses govern the transfer of Personal Data between Customer and Vendor, they apply only to Personal Data that is transferred from the European Economic Area (EEA) to outside the EEA, either directly or via onward transfer, to any country or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for personal data, and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data, including but not limited to Binding Corporate Rules for Processors.
7.2 The Standard Contractual Clauses apply to (i) the legal entity that has executed the Standard Contractual Clauses as a Data Exporter and, (ii) all Affiliates (as defined in the Agreement) of Customer established within the European Economic Area (EEA), the United Kingdom, and Switzerland. For the purpose of the Standard Contractual Clauses and this Section 7, the aforementioned entities shall be deemed “Data Exporters.”
8. ADDITIONAL TERMS RELATING ONLY TO CCPA
8.1 CCPA Standard of Care; No Sale of Personal Information. Vendor acknowledges and confirms that it does not receive or process any Personal Information as consideration for any services or other items that Vendor provides to Customer under the Agreement. Vendor shall not have, derive, or exercise any rights or benefits regarding Personal Information Processed on Customer’s behalf, and may use and disclose Personal Information solely for the purposes for which such Personal Information was provided to it, as stipulated in the Agreement. Vendor certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Personal Information Processed hereunder, without Customer’s prior written consent, nor taking any action that would cause any transfer of Personal Information to or from Vendor under the Agreement to qualify as “selling” such Personal Information under the CCPA. For the avoidance of doubt, Vendor will not use, retain or disclose Personal Information for any purpose other than providing the Service.
9. SECURITY REPORTS AND AUDITS
9.1 Vendor shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. Vendor shall provide a copy of its most current security attestation report (such as SOC 2, Type II or equivalent reports from the two data center vendors) upon Customer’s written request.
10. DELETION OR RETURN OF CUSTOMER DATA
10.1 Deletion or Return of Data. Upon termination or expiration of the Agreement, Vendor shall, in accordance with the terms of the Agreement, delete or make available to Customer for retrieval all relevant Personal Data (including copies) in Vendor’s possession, save to the extent that Vendor is required by any applicable law to retain some or all of the Personal Data. In such event, Vendor shall extend the protections of the Agreement and this DPA to such Personal Data and limit any further processing of such Personal Data to only those limited purposes that require the retention for so long as Vendor maintains the Personal Data.
11.1 Except as amended by this DPA, the Agreement will remain in full force and effect.
11.2 If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
11.3 Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations, set forth in the Agreement.
Schedule 1: Commission Decision 2021/914 Standard Contractual Clauses (Module 2, Transfer Controller to Processor) and UK International Data Transfer Agreement
Standard Contractual Clauses (Module 2, Transfer Controller to Processor)
For data transfers from the European Economic Area that are subject to the Standard Contractual Clauses, the Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) as amended or completed (as the context requires) as follows:
- in Clause 7, the optional docking clause will not apply;
- for the purposes of Clause 8.6(a), Schedule 2, Mediafly Information Security, shall apply;
- in Clause 9, Option 2 will apply. For the purposes of Clause 9(a), the data importer has the data exporter’s general authorization to engage Sub-processors.
- in Clause 11, the optional language will not apply;
- the data importer’s liability under Clause 12(b) will be limited to any damage caused by its Processing where data importer has not complied with its obligations under the GDPR, specifically directed to Processors, or where it has acted outside of or contrary to lawful written instructions of the data exporter as documented in this DPA, as specified in Article 82 GDPR;
- in Clause 13(a), Option 1 shall apply;
- for the purpose of Clause 15(a), the data importer shall notify the data exporter (only) and not the Data Subject(s) in case of government access requests. The data exporter shall be solely responsible for promptly notifying the Data Subject as necessary;
- in Clause 17, Option 2 is selected and the Standard Contractual Clauses will be governed by the law of the Member State in which the data exporter is established and in Clause 18(b), disputes will be resolved before the courts in the same jurisdiction;
- in Annex I:
  - Part A “List of the Parties” shall be as follows:
    - Data exporter: “Customer”, “Customer Address”, and “Client Contact” as set out in the Order. The activities relevant to the data transferred under these Clauses are the Processing of personal data in connection with the data exporter’s use of the data importer’s services under the Agreement. Signature and date are as set forth in the Order; and
    - Data importer: Mediafly, Inc. of 150 N Michigan Ave, Ste 2000, Chicago, IL 60601, with contact details: TJ Patel (Data Protection Officer) with email address: email@example.com. The activities relevant to the data transferred under these Standard Contractual Clauses relate to the Revenue360 analytics engine that is used to provide analytics and related reports to advise and enhance the data exporter’s sales and marketing activities. Signature and date are as set forth in the Order;
  - Part B the “Description of the transfer” is as follows:
    - Categories of data subjects whose personal data is transferred: employees and other representatives of the following potential entities: data exporter, customers and sales prospects of data exporter, and third-party data providers;
    - Categories of personal data transferred: email addresses, phone numbers, and other business contact information;
    - Sensitive data: none / not applicable;
    - The frequency of the transfer: continuous;
    - Nature of the processing: all data described above will be processed to provide analytics and related reports to advise and enhance data exporter’s sales and marketing activities, via data importer’s SaaS offering;
    - Purpose of the data transfer and further processing: to enable provision of the data importer’s SaaS offering to improve data exporter’s sales and marketing effectiveness;
    - The period for which the personal data will be retained: the duration of performance of services under the Agreement;
    - For transfers to Sub-processors: the subject matter, nature and duration of the processing is as above and as set out under Section 1(k) of this Schedule 1. Details regarding Sub-processor retention policies can be provided upon request; and
  - Part C the “Competent Supervisory Authority” shall be the supervisory authority in the EU Member State in which the data exporter is established;
- in Annex II the technical and organizational security measures shall be as set out in Schedule 2, Mediafly Information Security; and
- in Annex III, the data exporter has authorized the use of the following Sub-processors by the data importer:
  - Engagement, Value and iPresent:
    - Amazon Web Services (AWS) for data storage, processing and distribution;
    - SendGrid for email delivery service;
    - Google Workspace for internal email and calendar;
    - HubSpot for marketing automation;
    - Salesforce for CRM;
    - Gainsight for customer success management software;
    - Zendesk for helpdesk; and
    - FullStory for user insights.
  - Amazon Web Services, Inc. – Hosting;
  - Intercom.com – Support & Customer Documentation;
  - Postmarkapp – Email Notifications;
  - Gainsight – Product Usage Statistics;
  - Datadog – Infrastructure Monitoring; and
  - FullStory for user insights.
  - Amazon Web Services;
  - FullStory for user insights; and
  - Speechmatics (optionally).
UK International Data Transfer Agreement
The Parties agree that the UK International Data Transfer Agreement will apply only to the Processing of Personal Data by the Vendor in the course of providing the Services that is transferred via the Services from the United Kingdom and the UK International Data Transfer Agreement will be deemed entered into (and incorporated into this DPA by this reference) as amended or completed as follows:
- in Table 1 of the UK International Data Transfer Agreement, the Parties’ details and key contact information are as set out in Section 1(i) of this Schedule 1;
- in Table 2 of the UK International Data Transfer Agreement, information about the version of the Approved EU SCCs, modules and selected clauses which this UK International Data Transfer Agreement is appended to is as follows: the Standard Contractual Clauses (Module 2, Transfer Controller to Processor) approved by the European Commission in Decision 2021/914;
- in Table 3 of the UK International Data Transfer Agreement:
  - the list of Parties is located in Section 1(i) of this Schedule 1;
  - the transfer is in connection with the data exporter’s use of the data importer’s services under the Agreement and relates to the Revenue360 analytics engine that is used to provide analytics and related reports to advise and enhance the data exporter’s sales and marketing activities;
  - the technical and organizational measures to ensure the security of the data to be followed by the data importer are as set out at Schedule 2, Mediafly Information Security; and
  - the data importer’s current list of Sub-processors is as set out in Section 1(k) of this Schedule 1 of the DPA; and
- in Table 4 of the UK International Data Transfer Agreement, both the data importer and the data exporter may end the UK International Data Transfer Agreement in accordance with the terms of the UK International Data Transfer Agreement.
Schedule 2: Mediafly Information Security
Mediafly’s Commitment to Security & Privacy
Mediafly is committed to achieving and preserving the trust of our customers, by providing a comprehensive security and privacy program that carefully considers data protection matters across our suite of products and services, including data submitted by customers to our online service (“Customer Data”).
This documentation describes the security-related and privacy-related audits and certifications received for, and the administrative, technical, and physical controls applicable to, the Mediafly online services (collectively, the “Service”). This documentation does not apply to free trial services made available by Mediafly.
Architecture, Data Segregation, and Data Processing
The Service is operated in a multitenant architecture that is designed to segregate and restrict Customer Data access based on business needs. The Mediafly architecture provides an effective logical data separation for different customers via customer-specific ID and allows the use of customer and user role-based access privileges. Additional data segregation is ensured by providing separate environments for different functions, such as for testing and production.
Mediafly has implemented procedures designed to ensure that Customer Data is processed only as instructed by the customer, throughout the entire chain of processing activities by Mediafly and its sub-processors.
The Service includes a variety of configurable security controls that allow Mediafly customers to tailor the security of the Service for their own use. Mediafly personnel will not set a defined password for a user. Mediafly strongly encourages all customers, where applicable in their configuration of the Service’s security settings, to use the single sign-on features made available by Mediafly.
Information Security Management Program (“ISMP”)
Mediafly maintains a comprehensive information security management program that contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of Mediafly’s business; (b) the amount of resources available to Mediafly; (c) the type of information that Mediafly will store and process; and (d) the need for security and protection from unauthorized disclosure of such Customer Data. The ISMP is documented and updated based on changes in legal and regulatory requirements related to privacy and data security practices and industry standards applicable to the Service.
Mediafly’s ISMP is designed to:
- Protect the integrity and availability of, and prevent the unauthorized disclosure by Mediafly or its agents of, Customer Data in Mediafly’s possession or control;
- Protect against any anticipated threats or hazards to the integrity and availability of Customer Data, and to the prevention of its unauthorized disclosure by Mediafly or its agents;
- Protect against unauthorized access, use, alteration, or destruction of Customer Data;
- Protect against accidental loss or destruction of, or damage to, Customer Data; and
- Safeguard information as set forth in any local, state or federal regulations by which Mediafly may be regulated.
- Security Standards. Mediafly’s ISMP includes adherence to and regular testing of the key controls, systems and procedures of its ISMP to validate that they are properly implemented and effective in addressing the threats and risks identified. Such testing includes:
  - Internal risk assessments; and
  - SSAE18 SOC 2 Type 2 audits (“Audit Report”).
- Security Audit Report. Mediafly provides its customers, upon their request, with a copy of Mediafly’s then-current Audit Report, including information as to whether the Security Audit revealed any material findings in the Service; and if so, the nature of each finding discovered.
- Assigned Security Responsibility. Mediafly assigns responsibility for the development, implementation, and maintenance of its Information Security Management Program, including:
  - Designating a security official with overall responsibility; and
  - Defining security roles and responsibilities for individuals with security responsibilities.
- Relationship with Sub-processors. Mediafly conducts reasonable due diligence and security assessments of sub-processors engaged by Mediafly in the storing and/or processing of Customer Data (“Sub-processors”), and enters into agreements with Sub-processors that contain provisions similar to or more stringent than those provided for in this security and privacy documentation.
- Background Check. Mediafly performs background checks on any employees who are to perform material aspects of the Service or have access to Customer Data.
- Security Policy, Confidentiality. Mediafly requires all personnel to acknowledge in writing, at the time of hire, that they will comply with the confidential data identification and protection policy and protect all Customer Data at all times.
- Security Awareness and Training. Mediafly has mandatory security awareness and training programs for all Mediafly personnel that address their implementation of and compliance with the ISMP.
- Disciplinary Policy and Process. Mediafly maintains a disciplinary policy and process in the event Mediafly personnel violate the ISMP.
- Access Controls. Mediafly has in place policies, procedures, and logical controls that are designed:
- To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons;
- To prevent personnel and others who should not have access from obtaining access; and
- To remove access on a timely basis in the event of a change in job responsibilities or job status.
- Controls to ensure that only those Mediafly personnel with an actual need-to-know will have access to any Customer Data;
- Controls to ensure that any access to Customer Data granted to Mediafly personnel is based on least-privilege principles;
- Periodic (no less than quarterly) access reviews to ensure that only those Mediafly personnel with access to Customer Data still require it.
- Data Encryption.
- Encryption of Transmitted Data: Mediafly uses Internet-industry-standard secure encryption methods designed to encrypt communications between its server(s) and the customer browser(s), and between its servers and customer’s server(s).
- Encryption of At-Rest Data: Mediafly uses Internet-industry standard secure encryption methods designed to protect stored Customer Data at rest. Such information is stored on server(s) that are not accessible from the Internet.
- Encryption of Backups: All offsite backups are encrypted. Mediafly uses disk storage that is encrypted at rest.
- Disaster Recovery. Mediafly maintains policies and procedures for responding to an emergency or a force majeure event that could damage Customer Data or production systems that contain Customer Data. Such procedures include:
- Data Backups: A policy for performing periodic backups of production file systems and databases to meet the Recovery Point Objective described below;
- Disaster Recovery: A formal disaster recovery plan for the production environment designed to minimize disruption to the Service, which includes requirements for the disaster plan to be tested on a regular basis, currently daily;
- Business Continuity Plan: A formal process to address the framework by which an unplanned event might be managed in order to minimize the loss of vital resources.
- Secure Development Practices. Mediafly adheres to the following development controls:
- Development Policies: Mediafly follows secure application development policies, procedures, and standards that are aligned to industry-standard practices, such as the OWASP Top 10 and SANS Top 20 Critical Security Controls; and
- Training: Mediafly provides employees responsible for secure application design, development, configuration, testing, and deployment appropriate (based on role) training by the security team regarding Mediafly’s secure application development practices.
- Malware Control. Mediafly employs then-current industry-standard measures to test the Service to detect and remediate viruses, Trojan horses, worms, logic bombs, or other harmful code or programs designed to negatively impact the operation or performance of the Service.
- Data Integrity and Management. Mediafly maintains policies that ensure the following:
- Segregation of Data: The Service includes logical controls, including encryption, to segregate each customer’s Customer Data from that of other customers; and
- Back Up/Archival: Mediafly performs full backups of the database(s) containing Customer Data no less than once per day and archival storage on no less than a weekly basis on secure server(s) or on other commercially acceptable secure media.
- Vulnerability Management. Mediafly maintains security measures to monitor the network and production systems, including server error logs, disk events and security events, for any potential problems. Such measures include:
- Infrastructure Scans: Mediafly performs semi-annual vulnerability scans on all infrastructure components of its production and development environment. Vulnerabilities are remediated on a risk basis. Mediafly installs all medium, high, and critical security patches for all components in its production and development environment as soon as commercially possible;
- Application Scans: Mediafly performs semi-annual (as well as after making any major feature change or architectural modification to the Service) application vulnerability scans. Vulnerabilities are remediated on a risk basis. Mediafly installs all medium, high, and critical security patches for all components in its production and development environment as soon as commercially possible;
- External Application Vulnerability Assessment: Mediafly engages third parties to perform network vulnerability assessments and penetration testing on a semi-annual basis (“Vulnerability Assessment”).
Reports from Mediafly’s then-current Vulnerability Assessment, together with any applicable remediation plans, will be made available to customers on written request.
Vulnerabilities are remediated on a risk basis. Mediafly installs all medium, high, and critical security patches for all components in its production and development environment as soon as commercially possible.
- Change and Configuration Management. Mediafly maintains policies and procedures for managing changes to production systems, applications, and databases. Such policies and procedures include:
- A process for documenting, testing and approving the promotion of changes into production;
- A security patching process that requires patching systems in a timely manner based on a risk analysis; and
- A process for Mediafly to perform security assessments of changes into production.
- Intrusion Detection. Mediafly monitors the Service generally for unauthorized intrusions using traffic and activity-based monitoring systems. Mediafly may analyze data collected by users' web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect compromised browsers, to help customers detect fraudulent authentications, and to ensure that the Service functions properly.
- Incident Management. Mediafly has in place a security incident response plan that includes procedures to be followed in the event of any unauthorized disclosure of Customer Data by Mediafly or its agents of which Mediafly becomes aware to the extent permitted by law (such unauthorized disclosure defined herein as a “Security Breach”). The procedures in Mediafly’s security incident response plan include:
- Roles and responsibilities: formation of an internal incident response team with a response leader;
- Investigation: assessing the risk the incident poses and determining who may be affected;
- Communication: internal reporting as well as a notification process in the event of a Security Breach;
- Recordkeeping: keeping a record of what was done and by whom to help in subsequent analyses; and
- Audit: conducting and documenting a root cause analysis and remediation plan.
- Mediafly publishes system status information at https://mediafly.statuspage.io. Client administrators can subscribe for changes on this site. Mediafly typically notifies customers of significant system incidents through this site.
- Security Breach Management.
- Notification: In the event of a Security Breach, Mediafly notifies impacted customers of such Security Breach. Mediafly cooperates with an impacted customer’s reasonable request for information regarding such Security Breach, and Mediafly provides regular updates on any such Security Breach and the investigative action and corrective action(s) taken.
- Remediation: In the event of a Security Breach, Mediafly, at its own expense, (i) investigates the actual or suspected Security Breach, (ii) provides any affected customer with a remediation plan, to address the Security Breach and to mitigate the incident and reasonably prevent any further incidents, (iii) remediates the effects of the Security Breach in accordance with such remediation plan, and (iv) reasonably cooperates with any affected customer and any law enforcement or regulatory official investigating such Security Breach.
- Logs. Mediafly provides procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports. Mediafly (i) implements commercially reasonable measures to protect such logs from unauthorized modification or erasure, and (ii) retains such logs in compliance with Mediafly’s data retention policy. If there is suspicion of inappropriate access to the Service, Mediafly has the ability to provide customers with log entry records to assist in forensic analysis. This service will be provided to customers on a time and materials basis.