Security Program

Last Modified: February 10, 2023

The following describes AdPipe’s Security Program as of the Effective Date. The following terms may be updated from time to time, however, for each Order Form, terms effective as of execution of the Order Form shall apply for the duration of the applicable Subscription Term.

1. Organizational Access Control.

• Control Environment. AdPipe employees are required to sign a confidentiality agreement agreeing not to disclose proprietary or confidential information, including customer information, to unauthorized parties.

• Access Administration. AdPipe employees will have direct access to data provided by Customers (“Customer Data”), for Technical Support, system management, maintenance, backups and to support the Services. When an employee or contractor is terminated, his or her access is revoked in a timely manner, even if he or she continues to be an employee or contractor of AdPipe. AdPipe’s policies require AdPipe personnel to report any known security incidents to AdPipe management for investigation and action.

• Security Awareness and Training. AdPipe maintains a security awareness program that includes training of AdPipe personnel on AdPipe’s security program. Training is conducted at the time of hire and periodically in accordance with AdPipe’s information security policies.

• Subprocessors and Data Transfer. AdPipe may engage Subprocessors and other Third-Party Suppliers (each as defined below) to perform some of its obligations under the Agreement. AdPipe shall require that Subprocessors only access and use Customer Data in a manner consistent with the terms of the Agreement and bind Subprocessors to written obligations to protect Customer Data. At the written request of Customer, AdPipe shall provide additional information regarding Subprocessors and their locations. Customer may send such requests to AdPipe’s Data Privacy Officer at dan@adpipe.com. “Third-Party Suppliers” means third-party contractors and suppliers engaged by AdPipe in the context of the provision of the Services. “Subprocessors” means those AdPipe Affiliates and Third-Party Suppliers that have access to, and process, Customer Data. As part of providing the Services, AdPipe and its Subprocessors may transfer, store and process Customer Data in the European Economic Area, United States, India or any other country in which AdPipe and its Subprocessors maintain facilities.

• Business Continuity Management Process. AdPipe shall maintain a business continuity plan (BCP) that defines the processes and procedures for the company to follow in the event of a disaster and shall review and shall regularly test AdPipe’s disaster recovery plan to ensure that it is capable of recovering AdPipe assets and continuing key AdPipe business processes in a timely manner.

• Disaster Recovery. AdPipe shall maintain a Disaster Recovery Policy that defines the procedures to recover information technology infrastructure and Services within set deadlines in the case of a disaster or other disruptive incidents.

2. Technical Security Measures.

• Database Protection. Database infrastructure is segregated from the application servers and the Internet via firewalls.

• Encryption. All communications are encrypted between the data exporter and the data centers using high-grade encryption (AES-256). Access to AdPipe’s on-demand applications and services is only available through secure sessions (https) and only available with an authenticated login and password. Passwords are never transmitted or stored in their original form.

• Intrusion Protection. The application infrastructure is protected against intrusion by industry standard protection technology (such as regular penetration testing, firewalls at the network, host, and application levels, and intrusion prevention systems) across all servers. Unless otherwise agreed by AdPipe in writing, Customer is prohibited from performing its own penetration on any system of AdPipe.

• Customer Data Isolation. The Services use application or process level segmentation to accomplish data isolation.

• Malicious Platform Protection. The Platform shall include reasonably up-to-date versions of system security Platform (including malware and anti-virus protection).

3. Exclusions. If Customer installs, uses, or enables third party services that interoperate with the Platform, then the Platform may allow such third-party services to access, use, or otherwise process and transmit Customer Data. AdPipe’s Security Program does not apply to any processing, storage, or transmission of data outside the Platform, and AdPipe is not responsible for the security practices (or any acts or omissions) of any third-party service providers engaged by or on behalf of Customer. The AdPipe Security Program excludes: (i) data or information shared with AdPipe that is not stored in the Platform; or (ii) data in Customer’s virtual private network (VPN) or a third-party network other than one that is under a subcontract with AdPipe to assist AdPipe in fulfilling its obligations in the Agreement. Additionally, AdPipe shall not be liable for any data (including where part of Customer Data) used, processed, stored or transmitted by Customer or Users in violation of this Agreement.