Global Data Processing Addendum

This Global Data Processing Addendum (“DPA”) supplements and forms part of the Enterprise Customer Master Terms or other applicable agreement referencing this DPA (the “Agreement”) between Glui Inc. (“Glui”), and Customer. Unless clearly stated otherwise, references to “Sections” in this DPA refer to sections of this DPA.

With respect to the Processing of Personal Data, the parties agree as follows:

1. Definitions. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. As used in this DPA, the capitalized terms below have the meanings set forth below.

   1.1 “Controller” means, as applicable (i) “controller” as defined under GDPR; (ii) “business” as defined under CCPA; (iii) “controller” as defined under any other US Privacy Laws; and (iv) “controller” or materially equivalent term as defined in other Data Protection Laws.

   1.2 “Data Breach” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Personal Data Processed by Glui or a Sub-processor.

   1.3 “Data Protection Laws” means all data protection and privacy laws applicable to the Processing of Personal Data under this DPA, including, where applicable, GDPR and US Privacy Laws.

   1.4 “Data Subject” means a natural person to whom Personal Data relates, including as may be described in Schedule 1 to this DPA.

   1.5 “Deidentified Data” means data that does not identify, and cannot reasonably be used to identify, infer information about, or otherwise be linked to, a Data Subject.

   1.6 “EEA” means the member states of the European Union, as well as Iceland, Liechtenstein, and Norway.

   1.7 “EEA Restricted Transfer” means a transfer (or onward transfer) by Customer to Glui of Personal Data originating in the EEA or Switzerland that is subject to GDPR or the Swiss Federal Act on Data Protection, where any required adequacy means can be met by entering into the EU Standard Contractual Clauses.

   1.8 “EU Standard Contractual Clauses” means the standard contractual clauses annexed to Commission Implementing Decision (EU) (2021/914) of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

   1.9 “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) and any member state law implementing the same, and for the purpose of this DPA includes the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).

   1.10 “Personal Data” means any information relating to an identified or identifiable natural person that is: (i) included in Customer Materials and that Glui Processes in the course of providing the Services, and (ii) subject to the Data Protection Laws. Personal Data does not include Deidentified Data.

   1.11 “Processing” has the meaning given to it in the GDPR and “Process,” “Processes” and “Processed” shall be interpreted accordingly.

   1.12 “Processor” means (i) “processor” as defined under GDPR; (ii) “service provider” as defined under the CCPA; (iii) “processor” as defined under any other US Privacy Laws; and (iv) “processor” or materially equivalent term as set forth in other Data Protection Laws.

   1.13 “Sensitive Personal Data” means any of the following: (i) credit, debit or other payment card data subject to the Payment Card Industry Data Security Standards (“PCI DSS”), or other personal financial account numbers; (ii) protected health information regulated by the Health Insurance Portability and Accountability Act (“HIPAA”); and (iii) government-issued personal identification numbers (including but not limited to social security numbers, driver’s license numbers, and passport numbers).

   1.14 “Services” means the services provided by Glui to Customer under the Agreement.

   1.15 “Sub-processor” means any Processor engaged by Glui to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.

   1.16 “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under S119A(1) Data Protection Act 2018, version B1.0, in force as of 21 March 2022, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as revised by the UK Information Commissioner’s Office from time to time.

   1.17 “UK Restricted Transfer” means a transfer (or onward transfer) by Customer to Glui of Personal Data originating in the United Kingdom that is subject to UK GDPR where any required adequacy means can be met by entering into the EU Standard Contractual Clauses and the UK Addendum.

   1.18 “US Privacy Laws” means all U.S. laws, rules, regulations, directives, and government requirements and guidance, federal or state, currently in effect and as they become effective relating in any way to privacy, confidentiality, security, or consumer protection that are applicable to Personal Data. US Privacy Laws include, but are not limited to, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA), Cal. Civ. Code 1798.100 et seq. and any regulations and guidance that may be issued thereunder (“CCPA”); the Virginia Consumer Data Protection Act, Va. Code Ann. §§ 59.1-575 et seq.; the Colorado Privacy Act, Colo. Rev. Stat. §§ 6-1-1301 et seq.; the Connecticut Data Privacy Act, Conn. Gen. Stat. §§ 42-515 et seq.; and the Utah Consumer Privacy Act, Utah Code Ann. §§ 13-61-101 et seq., and in each case any regulations and guidance that may be issued thereunder.

2. Roles of the Parties; Processing of Personal Data.

   2.1 Customer is the Controller of Personal Data, except where Customer acts as a Processor for another Controller, in which case Customer warrants to Glui that its appointment of Glui as a Processor, and its Processing instructions to Glui, have been authorized by the relevant Controller. Glui is a Processor of Personal Data.

   2.2 Glui shall Process Personal Data only to provide the Services and for the purposes described in the Agreement and this DPA, or otherwise in accordance with Customer’s documented and agreed-upon lawful instructions, unless Processing is required by applicable law, in which case Glui shall, to the extent permitted by applicable law, inform Customer of that legal requirement before the relevant Processing.

   2.3 Customer agrees that: (i) it shall comply with its obligations under the Data Protection Laws in respect of the Processing of Personal Data through the Services and any Processing instructions it issues to Glui; and (ii) Customer or, where Customer acts as a Processor, the relevant Controller, has provided all notices, and obtained all consents and rights, necessary under Data Protection Laws, including and without limitation any laws governing the privacy, confidentiality, and interception of electronic communications, for Glui to Process Personal Data and provide the Services as described in the Agreement. Customer shall promptly notify Glui and cease Processing Personal Data in the event any required authorization or legal basis for Processing is revoked or terminates.

   2.4 Customer shall not provide to Glui any Sensitive Personal Data. Customer acknowledges that Glui is not a “Business Associate” or “Subcontractor” (as those terms are defined in HIPAA), or a payment card processor, and that the Services are not intended to comply with HIPAA or PCI DSS. Glui will have no liability under this DPA or the Agreement for Sensitive Personal Data, notwithstanding anything to the contrary herein.

   2.5 Glui shall Process Personal Data only for limited and specified purposes as set forth in the Agreement and this DPA, and shall not otherwise:

       (a) “sell” or “share” Personal Data, as those terms are defined in the Data Protection Laws;

       (b) retain, use, or disclose Personal Data for any purpose other than for the business purposes specified in the Agreement and this DPA, including retaining, using, or disclosing the Personal Data for a commercial purpose other than the business purposes specified in the Agreement and this DPA, or as otherwise permitted by the Data Protection Laws;

       (c) retain, use, or disclose Personal Data outside of the direct business relationship between Glui and Customer; or

       (d) except as permitted by Data Protection Laws, combine Personal Data that Glui receives from, or on behalf of, Customer with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with Data Subjects.

   2.6 Glui will comply with the Data Protection Laws and will provide a level of privacy protection for Personal Data consistent with the requirements of the Data Protection Laws. Glui will promptly notify Customer if it makes a determination that it can no longer meet its obligations under this DPA or comply with the Data Protection Laws. Customer shall have the right to take reasonable and appropriate steps to help ensure that Glui uses Personal Data in a manner consistent with Customer’s obligations under the Data Protection Laws, and upon notice, including from Glui pursuant to the preceding sentence, to take reasonable and appropriate steps to stop and remediate any unauthorized Processing of Personal Data.

   2.7 The subject matter and duration of the Processing, the nature and purposes of the Processing, and the types of Personal Data and categories of Data Subjects are as described in Schedule 1 to this DPA.

   2.8 Glui may de-identify or aggregate Personal Data to create Deidentified Data as part of performing the Services, in which case Glui shall: (a) implement technical safeguards that prohibit re-identification of any Data Subject to whom the information may pertain; (b) implement business processes that specifically prohibit re-identification of the Deidentified Data and prevent the inadvertent release of Deidentified Data; and (c) make no attempt to re-identify the Deidentified Data. Glui may otherwise use or disclose Deidentified Data for any lawful purpose.

3. Data Security. Each party shall take appropriate technical and organizational measures against unauthorized or unlawful Processing of Personal Data or its accidental loss, destruction, or damage. Glui shall implement and maintain commercially reasonable technical and organizational security measures designed to protect Personal Data from Data Breaches, including the security measures described in Schedule 2 to this DPA. Glui may unilaterally update the technical and organizational measures from time to time, provided that such updates do not result in a material reduction of the level of protection of the Personal Data. Notwithstanding the foregoing, Customer agrees that it is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit, and taking any appropriate steps to securely encrypt or back up Personal Data, as well as any security obligations outlined in the Agreement.

4. Data Breach Response. Glui shall notify Customer without undue delay after becoming aware of any Data Breach. Glui shall make reasonable efforts to identify the cause of the Data Breach and shall undertake such steps as Glui deems necessary and reasonable in order to remediate the cause of such Data Breach. Glui shall provide information related to the Data Breach to Customer in a timely fashion and as reasonably necessary for Customer to maintain compliance with the Data Protection Laws.

5. Confidentiality of Processing. Glui shall ensure that any person who is authorized by Glui to Process Personal Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality.

6. Sub-processing. Customer hereby authorizes Glui to engage Sub-processors to Process Personal Data on Customer’s behalf, including Glui’s affiliates and the third-party Sub-processors currently engaged by Glui and listed at www.glui.io/subprocessors. Glui shall: (i) take commercially reasonable measures to ensure that Sub-processors have the requisite capabilities to Process Personal Data in accordance with this DPA; (ii) enter into a written agreement with each Sub-processor that requires the Sub-processor to protect the Personal Data to the same standard required by this DPA; and (iii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Glui to breach any of its obligations under this DPA. Glui will notify Customer in the event that it intends to engage different or additional Sub-processors that will Process Personal Data pursuant to this DPA at least ten (10) calendar days in advance of engaging the new Sub-processor(s), which may be done by email or by posting on a website identified by Glui to Customer. Customer must raise any objection to the new Sub-processor(s) within ten (10) calendar days of Glui’s notice. Customer’s objection shall only be effective if submitted to Glui in writing, specifically describing Customer’s reasonable belief that Glui’s proposed use of the Sub-processor(s) will materially and adversely affect Customer’s compliance with the Data Protection Laws. In any such case, the parties will make reasonable efforts to reconcile the matter. In the event Customer’s concern cannot be resolved, Glui may terminate the Agreement with no penalty and Customer shall immediately pay all fees and costs then due and owing to Glui.

7. International Transfers.

   7.1 Glui may Process Personal Data in the EEA, United States or anywhere in the world where Glui or its Sub-processors maintain data Processing operations. Glui shall at all times provide an adequate level of protection for the Personal Data Processed, in accordance with the requirements of Data Protection Laws, including, where required under the Data Protection Laws, by entering into the EU Standard Contractual Clauses and/or UK Addendum with its Sub-processors.

   7.2 If and to the extent Glui’s performance or Customer’s use of the Services involves an EEA Restricted Transfer from Customer (as the data exporter) to Glui (as the data importer), Glui and Customer hereby enter into the EU Standard Contractual Clauses, which are incorporated by reference herein and will apply to such EEA Restricted Transfer, as supplemented by the points below:

       (a) Module Two (Transfer Controller to Processor) will apply when Customer is a Controller. Module Three (Transfer Processor to Processor) will apply when Customer is a Processor.

       (b) Clause 7 of the EU Standard Contractual Clauses, the ‘Docking Clause – Optional,’ shall be deemed incorporated.

       (c) In clause 9 of the EU Standard Contractual Clauses (Modules Two and Three), the Parties select Option 2 (General Written Authorization), which shall be enforced in accordance with Section 6 of this DPA.

       (d) The optional wording in clause 11 of the EU Standard Contractual Clauses shall not be deemed incorporated.

       (e) In clause 17 of the EU Standard Contractual Clauses, the Parties agree that the EU Standard Contractual Clauses shall be governed by the laws of Ireland.

       (f) In clause 18 of the EU Standard Contractual Clauses, the Parties agree that any dispute arising from the EU Standard Contractual Clauses shall be resolved by the courts of Ireland.

       (g) Annex I.A, I.B and I.C of the EU Standard Contractual Clauses shall be deemed completed with the information set out in Schedule 1. Annex II of the EU Standard Contractual Clauses shall be deemed completed with the information set out in Schedule 2.

       (h) If and to the extent the transfer involves Personal Data originating from Switzerland and is subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the “FADP”), the EU Standard Contractual Clauses are deemed to be supplemented with an additional annex that provides as follows:

           (i) for purposes of Clause 13 and Annex I.C, the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner;

           (ii) the term “member state” as used in the EU Standard Contractual Clauses must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with clause 18.c; and

           (iii) references in the EU Standard Contractual Clauses to the GDPR should be understood as references to the FADP.

       (i) Nothing in this DPA or in the Agreement is intended by the Parties to be construed as prevailing over the EU Standard Contractual Clauses.

   7.3 If and to the extent Glui’s performance or Customer’s use of the Services involves a UK Restricted Transfer from Customer (as the data exporter) to Glui (as the data importer), Glui and Customer hereby enter into the UK Addendum, which is incorporated by reference herein, as supplemented by the following points:

       (a) Table 1 is deemed to be completed with the parties’ details and contact information as set forth in Schedule 1 to this DPA.

       (b) For the purposes of Table 2, the Addendum EU SCCs are the EU Standard Contractual Clauses entered into between Customer and Glui under Section 7.2 of this DPA.

       (c) For the purposes of Table 3, the Appendix Information is set forth in Schedule 1 and Schedule 2 to this DPA.

       (d) In Table 4, the parties select “Importer.”

8. Data Protection Authority Inquiries. Glui shall provide commercially reasonable cooperation to assist Customer in its response to any requests from data protection authorities with authority relating to the Processing of Personal Data under the Agreement and this DPA. In the event that any such request is made directly to Glui, Glui shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Glui is required to respond to such a request, Glui shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

9. Individual Rights and Requests. To the extent Customer does not have the ability to independently correct, amend, or delete Personal Data, or block or restrict Processing of Personal Data, then at Customer’s written direction and to the extent required by Data Protection Laws, Glui shall comply with any commercially reasonable request by Customer to facilitate such actions. Glui shall, to the extent legally permitted, promptly notify Customer if it receives a request from an individual Data Subject for access to, correction, amendment or deletion of that person’s Personal Data, or a request to restrict Processing. Glui shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request, to the extent legally permitted and to the extent Customer does not have the ability to address the request independently.

10. Data Protection Impact Assessments; Prior Consultations with Supervisory Authorities. Upon Customer’s written request, Glui shall provide Customer with reasonable cooperation and assistance as needed to fulfil Customer’s obligation under the Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Glui. Glui shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section, to the extent required under the Data Protection Laws.

11. Audits and Inspections. Glui shall provide written responses (on a confidential basis) to all commercially reasonable requests for information made by Customer regarding Processing of Personal Data, including responses to information security reviews, that are necessary to confirm Glui’s compliance with this DPA. To the extent Glui’s responses are not sufficient to enable Customer to satisfy its obligations under applicable Data Protection Laws, Glui shall cooperate with audits and inspections performed by Customer or a vendor of Customer reasonably acceptable to Glui, provided, however, that any audit or inspection: (i) may not be performed unless necessary to determine Glui’s compliance with this DPA and Customer reasonably believes that Glui is not complying with this DPA, or as otherwise specifically required by applicable Data Protection Laws; (ii) must be conducted at Customer’s sole expense and subject to reasonable fees and costs charged by Glui; (iii) may be conducted on no less than sixty (60) days’ prior written notice from Customer, at a date and time and for a duration mutually agreed by the parties; and (iv) must be performed in a manner that does not cause any damage, injury, or disruption to Glui’s premises, equipment, personnel, or business. Notwithstanding the foregoing, Glui will not be required to disclose any proprietary or privileged information to Customer or an agent or vendor of Customer in connection with any audit or inspection undertaken pursuant to this DPA.

12. Return or Deletion of Personal Data. Upon termination or expiration of the Agreement, Glui shall (at Customer’s election) delete or return, if feasible, to Customer all Personal Data remaining in its possession or control, save that this requirement shall not apply: (i) to the extent Glui is required by applicable law to retain some or all of the Personal Data; or (ii) to Personal Data Glui has archived on back-up systems. In all such cases, Glui shall maintain the Personal Data securely and limit Processing to the purposes that prevent deletion or return of the Personal Data. The terms of this DPA shall survive for so long as Glui continues to retain any Personal Data.

13. Law Enforcement Requests. If a law enforcement or other governmental agency sends Glui a request or other lawful process for Personal Data (for example, a subpoena or court order), Glui may attempt to redirect the agency to request that data directly from Customer. As part of this effort, Glui may provide Customer’s basic contact information to the law enforcement agency. Glui will not voluntarily disclose Personal Data to a law enforcement or other governmental agency absent a legal obligation to do so, and if applicable law compels Glui to do so in response to a demand received from such agency, then Glui shall use reasonable efforts to give Customer prior notice of the demand to allow Customer to seek a protective order or other appropriate remedy, unless Glui is legally prohibited from doing so.

14. Limitation of Liability. Any claims brought under or in connection with this DPA, whether in contract, tort, or other theory of liability, are subject to the exclusions and limitations of liability set forth in the Agreement. This Section is not intended to modify or limit the parties’ joint and several liability for Data Subject claims under GDPR Article 82 or the right of contribution under GDPR Article 82. Further, this Section is not intended to limit either party’s responsibility to pay penalties imposed on that party by a regulatory authority for that party’s violation of Data Protection Laws.

15. Miscellaneous

   15.1 The parties agree that this DPA shall replace any existing DPA or other contractual provisions pertaining to the subject matter contained herein that the parties may previously have entered into in connection with the Services.

   15.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail.

   15.3 Unless otherwise required by the Standard Contractual Clauses or other data transfer requirements, this DPA will be subject to the governing law identified in the Agreement without giving effect to conflict of laws principles.

   15.4 Except as may be otherwise provided pursuant to the Standard Contractual Clauses, no one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.

   15.5 Glui may make changes to this DPA from time to time where (a) such change is required to comply with Data Protection Laws, or (b) the change (i) is commercially reasonable; (ii) does not result in a material reduction of the security of the Services; (iii) does not expand the scope of or remove any restrictions on Glui’s Processing of Personal Data, as set forth in the DPA; and (iv) does not otherwise have a material adverse impact on Customer’s rights under the DPA. If Glui makes a material change to the DPA in accordance with this Section, Glui will post the change at the webpage containing this DPA.

SCHEDULE 1
Details of Processing

A. LIST OF PARTIES

Data exporter(s):

Name: The entity identified as “Customer” in the Agreement.

Address: The address for Customer as specified in the Agreement or as otherwise provided to Glui.

Contact person’s name, position and contact details: The contact details for Customer as specified in the Agreement.

Activities relevant to the data transferred under these Clauses: Customer’s use of the Services pursuant to the Agreement and the DPA.

Signature and date: By entering into the Agreement, Customer will be deemed to have signed this Schedule 1.

Role (controller/processor): Controller or Processor, as set forth in Section 2.1 of the DPA.

Data importer(s):

Name: Glui Inc.

Address: The address for Glui as specified in the Agreement.

Contact person’s name, position and contact details: Privacy Office, legal@glui.io

Activities relevant to the data transferred under these Clauses: Provision of the Services to Customer pursuant to the Agreement and the DPA.

Signature and date: By entering into the Agreement, Glui will be deemed to have signed this Schedule 1.

Role (controller/processor): Processor.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Prospective and current clients, customers, and other business contacts of Customer who interact with Customer’s online advertisements.

Categories of personal data transferred

Transaction/sales data, online behavioral data (clicks, downloads, views), or other Personal Data entered by users into Glui-enabled advertisements, including but not limited to first name, last name, email address, telephone number, delivery address, transaction details, donation amounts, and ticketing requests.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Not Applicable.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Personal Data may be transferred and Processed on a continuous basis during the term of the Agreement.

Nature of the processing

The nature of the Processing is collection of Personal Data entered by users into Glui-enabled advertisements to enable Glui to create and deliver reports, to assess the effectiveness of advertising campaign performance, including attribution and analytics, and to transfer the Personal Data related to advertising campaigns to Customer, as further detailed in the Agreement.

Purpose(s) of the data transfer and further processing

The purpose of the Processing is Glui’s provision of the Services under the Agreement, including for the purposes of (a) setting up, operating, monitoring, providing, and improving the Services; and (b) executing other agreed-upon written instructions, each as part of Customer’s advertising campaigns.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal Data will be retained for the duration of the Agreement and subject to the DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Sub-processors will Process Personal Data as necessary to perform the Services pursuant to the Agreement. Subject to the DPA, Sub-processors will Process Personal Data for the duration of the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

For the purposes of the EU Standard Contractual Clauses, the competent supervisory authority will be the supervisory authority that has supervision over Customer. If Customer is not based in the EEA but is subject to the GDPR, the competent supervisory authority will be the Data Protection Commission of Ireland.

SCHEDULE 2
Glui Security Measures

As part of Glui’s performance of the Services, Glui will implement and maintain the following technical and organizational security measures for the Processing of Personal Data:

- Physical Security Controls – policies, procedures, and physical and technical controls designed to limit physical access to information systems and facilities in which they are housed to properly authorized persons, including:
  - an access control system to control physical access and movement into and throughout Glui’s facilities; and
  - processes and procedures to promptly remove facility access rights from terminated personnel.

- Access Controls – policies, procedures, and technical controls to ensure that all members of Glui’s workforce who require access to Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access, including:
  - role-based access policies that restrict user access to systems and resources based on job responsibilities;
  - processes to grant and revoke access rights based on business need, and to regularly review user access rights to ensure ongoing alignment with business needs;
  - strong authentication procedures for production environments that require a username, password, and multifactor authentication; and
  - the use of firewall and intrusion detection systems to log access events for review by authorized Glui personnel.

- Security Awareness and Training – a security awareness and training program for members of Glui’s workforce (including management), which includes training on how to implement and comply with Glui’s security program, and which all workforce members are required to undergo upon initial hire and annually thereafter.

- Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including:
  - deployment of an intrusion detection system to log access events and to monitor and restrict inbound internet traffic;
  - documented procedures to identify, escalate, and respond to suspected or known security incidents, and to mitigate the harmful effects of security incidents; and
  - documented procedures to analyze the root cause of security incidents and to implement changes to existing controls, where appropriate, to better respond to future threats.

- Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Personal Data or systems that contain Personal Data, including:
  - documented business continuity and disaster recovery plans that include procedures to restore data and the functionality of affected systems, including procedures to rebuild systems, update software, install patches, and change configurations, as needed;
  - documented policies and procedures for the backup and recovery of data maintained in cloud-based environments, including periodic backups of production services, files, and databases, and the storage of backups in a separate data center; and
  - periodic testing of Glui’s business continuity and disaster recovery plans.

- Device and Media Controls – policies and procedures that govern the receipt and removal of hardware and electronic media that contain Personal Data into and out of a Glui facility, and the movement of these items within a Glui facility, including policies and procedures to address the final disposition of Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Personal Data from electronic media before the media are made available for re-use.

- Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including:
  - logging of system access activity, including user authentication, failed user login attempts, and access control list changes; and
  - regular reviews of the logs for unusual or suspicious activity.

- Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Personal Data and protect it from disclosure, improper alteration, or destruction.

- Transmission Security – technical security measures to guard against unauthorized access to Personal Data that is being transmitted over an electronic communications network, including:
  - the use of encrypted VPNs to help ensure the security and integrity of the data passing over public networks;
  - protection of web-based traffic through industry-standard encryption protocols; and
  - deployment of antivirus software on servers, laptops, and desktops to detect and prevent the transmission of data or files that contain virus signatures recognized by the antivirus software.

- Storage Security – technical security measures to guard against unauthorized access to Personal Data in storage, including:
  - encryption of data at rest in hosted environments;
  - use of a key management system to securely manage the lifecycle of encryption keys; and
  - use of full-device hard drive encryption to protect the confidentiality and integrity of information maintained on approved mobile devices.

- Assigned Security Responsibility – designation of a security official responsible for the development, implementation, and maintenance of Glui’s security program.

- Testing – regular testing and monitoring of the effectiveness of Glui’s security program, including periodic vulnerability scans and risk assessments designed to identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Personal Data, and to ensure that these risks are addressed.

- Adjustments to the Program – monitoring, evaluation, and adjustment, as appropriate, of Glui’s security program in light of any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to Glui or the Personal Data, and Glui’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

Last Updated May 17, 2024