DATA PROCESSING AGREEMENT

This Data Processing Agreement (the "Agreement") is entered into by and between Oath (EMEA) Ltd., a company incorporated under the laws of Ireland (registration number: 426324) whose principal place of business is at 5-7 Point Square, North Wall Quay, Dublin 1, Ireland, on behalf of itself and Oath Affiliates (defined below) (collectively, "Oath") and Company, on behalf of Company Affiliates, each a "Party" and collectively, the "Parties". This Agreement amends the MSA (as defined below) entered into by and between Company and Oath for the provision of Services. "Oath Affiliate" means Oath Inc., Oath Holdings Inc., Yahoo Holdings International B.V. and any entity controlled by any of the foregoing, including Flurry, Inc. "Company Affiliate" means any entity that owns or controls, is owned by or controlled by or is under common control or ownership with Company. Any undefined terms used herein shall have the meanings set forth in the MSA.



INTRODUCTION

The Parties agree that there may be Personal Data shared between the Parties, including but not limited to, internet protocol addresses, precise location data and similar unique IDs such as cookie IDs and device IDs, in connection with the performance of each Party’s obligations under the MSA described below. This Agreement only applies to the extent that EU Data Protection Law applies to the Processing of Personal Data under this Agreement, including if (a) the Processing is in the context of the activities of an establishment of either Party in the European Economic Area (“EEA”) and/or (b) the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behaviour in the EEA by or on behalf of a Party. The Parties shall ensure that they will Process Personal Data solely for the purposes contemplated in the MSA or as otherwise agreed to in writing by the Parties. For the avoidance of doubt, this Agreement and the obligations hereunder do not apply to aggregated reporting or depersonalised statistics a Party may provide to the other Party in connection with the provision of the Services hereunder.



TERMS AND CONDITIONS

  1. Definitions and Interpretation
    1. In this Agreement, the following terms shall have the following meanings:
      1. "Applicable Data Protection Law" means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time.
      2. "Controller", "Processor", "Data Subject", "Personal Data", "Processing" (and "Process"), “Personal Data Breach” and "Special Categories of Personal Data" shall have the meanings given in EU Data Protection Law.
      3. "Controller to Processor Standard Clauses" in relation to the Processing of Personal Data pursuant to this Agreement means the standard clauses for the transfer of Personal Data to Processors established in third countries approved by the European Commission from time to time, the approved version of which in force at present is that set out in the European Commission's Decision 2010/87/EU of 5 February 2010, available at http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D008 (Exhibit 2 to this Agreement shall apply as Appendix 1 of the Controller to Processor Standard Clauses).
      4. “Cross-App Advertising” means, as currently defined by the Network Advertising Initiative (“NAI”) and as that definition may be amended by the NAI from time to time, the collection of data through applications owned or operated by different entities on a particular device for the purpose of delivering advertising based on the preferences or interests known or inferred from the data collected.
      5. "EU Data Protection Law" means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iv) any legislation replacing or updating any of the foregoing.
      6. "ID" means: (i) a unique identifier stored on an end-user’s device, (ii) a unique identifier generated on the basis of device information, or (iii) a resettable advertising ID associated with a mobile device or an application.
      7. "MSA" means the Flurry Analytics Terms of Service.
      8. "Relevant Privacy Requirements" means all (i) applicable advertising self-regulatory requirements, laws, governmental regulations and court or government agency orders, decrees and policies relating in any manner to the collection, use or dissemination of information from or about users, user traffic or otherwise relating to privacy rights or with respect to the sending of marketing and advertising communications; (ii) any written agreements Company or Oath may have with non-governmental certification or self-regulatory bodies and that are made available in writing by one Party to the other; (iii) posted privacy policies; and (iv) for mobile applications, the terms of service for the applicable mobile operating system.
      9. "Security Incident" shall mean any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data of the other Party. For the avoidance of doubt, any Personal Data Breach of the other Party’s Personal Data will comprise a Security Incident.
      10. "Services" means services provided to the other Party pursuant to the terms of an MSA.
      11. “Subprocessor” means any entity which provides processing services on behalf of a Processor.
    2. The Exhibits and Annexes form part of this Agreement and a reference to an Exhibit or an Annex is, unless stated otherwise, a reference to an exhibit or annex to this Agreement.
    3. In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an addendum to the MSA. Except where the context requires otherwise, references in this Agreement to the MSA are to the MSA as amended by, and including, this Agreement.
  2. Obligations of the Parties
    1. The Parties agree that Company is a Controller and Oath is a Processor, or Company is acting as a Processor on behalf of a third party Controller and Oath is a Subprocessor.
    2. The Parties shall, at all times, comply with their respective obligations under Applicable Data Protection Laws.
    3. Additionally, Oath agrees that the following email address shall be monitored for data protection enquiries and Data Subject Requests: emea-legal@oath.com.
  3. International transfers
    1. Where EU Data Protection Law applies, neither Party shall transfer or permit any Personal Data shared by the other Party to be transferred to a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data or to a recipient in the United States that has certified compliance with the EU-US Privacy Shield framework.
    2. Where a Party is the other Party’s Processor, the following terms apply. Unless the Processor transfers Personal Data pursuant to a transfer mechanism specified in Section 3.1 above, the Processor shall execute and abide by the Controller to Processor Standard Clauses which shall apply to Processing of Personal Data in countries outside the EEA that do not provide an adequate level of data protection. To the extent that the Parties transfer Personal Data in reliance on the Standard Clauses, the Standard Clauses shall be incorporated herein upon execution of this Agreement by the Parties. Where and to the extent that the Controller to Processor Standard Clauses apply pursuant to this Section 3, if there is any conflict between this Agreement and the Controller to Processor Standard Clauses the standard clauses shall prevail.
  4. Term and Concluding Provisions
    This Agreement will remain in effect until the termination or expiry of the MSA, provided however, upon termination or expiry of the MSA, each Party may continue to Process Personal Data provided that such Processing complies with the requirements of this Agreement and Applicable Data Protection Law and provided that such Processing ceases within thirty (30) days, or earlier upon written request by the other Party. Notwithstanding anything to the contrary contained herein, the Parties agree that the obligations under this Agreement that are specific to the GDPR shall not apply until the GDPR has come into full force and effect (the “GDPR Effective Date”).
  5. Miscellaneous
    This Agreement and the underlying MSA shall constitute the entire agreement between the Parties with respect to the subject matter hereof, and this Agreement supersedes all prior agreements or representations, oral or written, regarding such subject matter including any provisions in the MSA which address the processing of Personal Data. This Agreement and all disputes arising out of or relating to this Agreement shall be interpreted, construed and enforced in accordance with the laws of the Republic of Ireland. Each Party irrevocably consents to the exclusive jurisdiction of the courts situated in the Republic of Ireland over all such disputes and claims under this Agreement and all actions to enforce such claims or to recover damages or other relief in connection with such claims under this Agreement except to the extent that Applicable Data Protection Law requires otherwise.




ANNEX 1

ANNEX 1 SHALL APPLY WHERE OATH IS COMPANY’S PROCESSOR OR SUBPROCESSOR (THE “OATH PROCESSOR SERVICES”)
  1. Relationship of the Parties
    1. In relation to all Company Data, Oath acknowledges that, as between the Parties, either (a) Company is the Controller of Company Data and Oath, in providing the Services, is acting as a Processor on behalf of the Controller; or (b) Company is a Processor of Company Data and Oath, in providing the Services, is acting as a Subprocessor on behalf of Company. “Company Data” means any and all Personal Data (as that term is defined in EU Data Protection Law) that is processed by Oath or its Subprocessors on behalf of Company in the performance of the Oath Processor Services and its other obligations under the MSA.
    2. The subject-matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Exhibit 1 to this Annex 1.
    3. Company represents and warrants that: (a) its Processing instructions comply with all Applicable Data Protection Laws; and (b) it has obtained and maintains all legally required notices, consents and permissions for the Processing and transfer of all Personal Data provided to Oath. Company acknowledges that, taking into account the nature of the Processing, Oath is not in a position to determine whether Company’s instructions infringe Applicable Data Protection Laws.
  2. Protection of Personal Data
    1. In respect of the Processing of Personal Data by Oath in connection with the Oath Processor Services where EU Data Protection Law applies, Oath is responsible for and shall comply with Applicable Data Protection Law and agrees that it shall:
      1. process the Company Data only on written instructions from Company (which may, in particular, be given electronically or through the functionality of the Services), including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by European Union or Member State law to which Oath is subject; in such a case, Oath shall inform Company of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
      2. implement and maintain the technical and organisational measures set out in Exhibit 3 and take all measures required pursuant to Article 32 of the GDPR including all organisational and technical security measures necessary to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of Company Data, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing;
      3. treat all Company Data processed by it on behalf of Company as confidential and ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, even after the end of their employment contract or at the end of their assignment or engagement;
      4. cooperate as reasonably requested by Company and implement appropriate technical and organisational measures to enable Company to comply with any exercise of rights by a Data Subject under Applicable Data Protection Law in respect of Personal Data processed by Oath under the MSA (including, without limitation, in relation to the retrieval and/or deletion of a Data Subject’s Personal Data);
      5. without prejudice to Section 3 of the Terms and Conditions (International Transfers) of this Agreement, not access or transfer outside the European Economic Area (“EEA”) any Personal Data without the prior written consent of Company unless in accordance with EU Data Protection Law;
      6. provide (at no additional cost to Company) Company with all resources and assistance as are reasonably required by Company in connection with the Services performed by Oath under the MSA for Company to discharge its duties pursuant to Articles 32 to 36 of the GDPR including, but not limited to, promptly at the request of Company provide information in respect of any data protection impact assessment which Company conducts and assist Company with any prior consultations with any supervisory authority;
      7. at the choice of Company, delete or return all the Company Data to Company after the end of the provision of the Oath Processor Services, and delete existing copies unless European Union or Member State law requires storage of the Company Data;
      8. make available to Company at its request all information necessary to demonstrate compliance with the obligations laid down in this Agreement and Article 28 of the GDPR including without limitation a detailed written description of the technical and organisational methods employed by Oath and its Subprocessors (if any) for the Processing of Personal Data; and
      9. immediately inform the Controller if, in the Processor’s opinion, an instruction from the Controller infringes Applicable Data Protection Law.
    2. Company may exercise its audit right under the Applicable Data Protection Laws in relation to Company Data through a request that Oath initially provide Company with a summary copy of Oath’s audit report(s) related to Oath’s technical and organizational security measures. For the avoidance of doubt, such reports shall be subject to the confidentiality provisions of the MSA. If following Oath’s delivery of such reports, Company wishes further information necessary for Oath to demonstrate its compliance with its security obligations herein, then Oath agrees at the request of Company to submit its data processing facilities (including all equipment, documents and electronic data relating to the Processing of Company Data) and/or any location from which Company Data can be accessed by Processor for audit to ascertain and/or monitor compliance with this Agreement and Applicable Data Protection Law. Such audit shall be carried out, with reasonable notice and during regular business hours and under a duty of confidentiality, by Company and/or by a third party appointed by Company.
  3. Notification of Security Incident
    1. Oath will notify Company without undue delay (and, in any event within forty-eight (48) hours) upon becoming aware that an actual Security Incident involving the Company Personal Data in Oath’s possession or control has occurred, as Oath determines in its sole discretion. Oath’s notification of or response to a Security Incident under this Section 3 (Notification of Security Incident) shall not be construed as an acknowledgment by Oath of any fault or liability with respect to the Security Incident.
    2. Oath will, as soon as reasonably possible, provide Company with at least the following information with respect to the Security Incident affecting Company Data: (i) a description of the cause and nature of the Security Incident including the categories and approximate numbers of Data Subjects (including the number of Company Data Subjects) concerned and the categories and approximate number of Personal Data records concerned; (ii) the measures being taken to contain, investigate and remediate the Security Incident; (iii) the likely consequences and risks for Company and its Data Subjects as a result of the Security Incident; (iv) any mitigating actions taken; and (v) a proposed plan to mitigate any risks for Data Subjects and/or Company as a result of the Security Incident.
    3. Oath will, in connection with any Security Incident affecting Company Data: (i) quickly and without delay, take such steps as are necessary to contain, remediate, minimise any effects of and investigate any Security Incident (without destroying any evidence) and to identify its cause; (ii) co-operate with Company and provide Company with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation and/or mitigation of the Security Incident; and (iii) immediately notify Company in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.
    4. Oath agrees that it will not communicate with any third party, including but not limited to the media, vendors, consumers and affected individuals regarding any Security Incident involving Company Data without the express written consent and direction of Company.
  4. Subprocessing
    1. Oath may, subject to compliance with Section 4.2, continue to use those Subprocessors already engaged by Oath and as identified to Company prior to commencement of the Agreement to process any Company Data. Oath may, subject to compliance with Section 4.2, engage an additional or replace an existing Subprocessor to process Personal Data provided that it notifies Company of any intended use or replacement of a Subprocessor by email to emea-legal@oath.com (“email notification”) thirty (30) days in advance of, as applicable, the engagement or replacement of the Subprocessor concerned, unless Company objects in writing to the proposed use or replacement of the relevant Subprocessor within thirty (30) days of receipt of the email notification (in which case Oath shall not, as applicable, use or replace the Subprocessor concerned).
    2. Oath shall, where it engages any Subprocessor in accordance with Section 4.1: (i) only use a Subprocessor that has provided sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR and the Agreement and ensure the protection of the rights of Data Subjects; and (ii) impose, through a legally binding contract between Oath and the Subprocessor, data protection obligations no less onerous than those set out in the Agreement (including those that apply pursuant to the Controller to Processor Standard Clauses) on the Subprocessor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Oath acknowledges and agrees that if any Subprocessor fails to fulfil its obligations in the contract between Oath and the Subprocessor, Oath shall remain fully liable to Company for the performance of the Subprocessor’s obligations.




    EXHIBIT 1

    DETAILS OF PROCESSING ACTIVITIES

    Subject Matter: Processing carried out in connection with the provision of the Services (as defined in the MSA).
    Duration: The Term plus the period from the expiration of the Term until deletion of Company Data by Oath in accordance with the terms of this Agreement.
    Nature & Purpose of the Processing: Oath will process, including as applicable to the Processor Services and the instructions set forth in Section II of this Annex 1 Part III, Company Data for the purpose of providing the Processor Services and any related technical support to Company in accordance with this Agreement.
    Categories of Data Subjects: Data Subjects about whom Oath collects Personal Data in its provision of the Processor Services; and Data Subjects about whom Personal Data is transferred to Oath in connection with the Processor Services by, at the direction of, or on behalf of Company.
    Types of Personal Data: The Company Data may include, but shall not be limited to, the following types of Personal Data depending on the Processor Services: IP addresses and similar unique IDs such as cookie IDs and device IDs.




    EXHIBIT 2

    APPENDIX 1 TO THE CONTROLLER TO PROCESSOR

    STANDARD CONTRACTUAL CLAUSES

    This Appendix forms part of the Clauses. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

    Data exporter

    The data exporter is (please specify briefly your activities relevant to the transfer):

    The legal entity of Company that has executed the Standard Contractual Clauses as a Data Exporter and all Affiliates established in the EEA.

    Data importer

    The data importer is (please specify briefly activities relevant to the transfer):

    Oath (EMEA) Ltd. on behalf of itself and Oath Affiliates, as defined in this Agreement.

    Data subjects

    The personal data transferred concern the following categories of data subjects (please specify):

    Data Subjects about whom Oath collects Personal Data in its provision of the Processor Services; and Data Subjects about whom Personal Data is transferred to Oath in connection with the Processor Services by, at the direction of, or on behalf of Company.

    Categories of data

    The personal data transferred concern the following categories of data (please specify):

    The Company Data provided by Company to Oath in connection with its use of the Services. The Company Data may include, but shall not be limited to, the following types of Personal Data depending on the Processor Services: IP addresses and similar unique IDs such as cookie IDs and device IDs.

    Special categories of data (if appropriate)

    The personal data transferred concern the following special categories of data (please specify): N/A

    Processing operations

    The personal data transferred will be subject to the following basic processing activities (please specify):

    The objective of Processing of Personal Data by Oath is the performance of the Services under the MSA.



    APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

    This Appendix forms part of the Clauses:

    Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

    TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

    Oath will implement and maintain the following technical and organisational security measures, in particular:

    Oath Information Security Overview

    Oath takes information security seriously. This information security overview applies to Oath’s corporate controls for safeguarding personal data which is processed in connection with delivery of our services. Oath’s information security program enables the workforce to understand their responsibilities. Some customer solutions may have alternate safeguards outlined in the statement of work as agreed with each customer.

    Security Practices

    Oath has established a comprehensive information and cyber security program with an industry standard security governance framework. Oath’s Information Security organization is responsible for implementing controls and ensuring adherence to security policies and standards in conjunction with evolving business requirements, compliance guidance and an emerging threat landscape. Information Security risks are managed in accordance with ISO 27001/ISO 27005 and NIST CSF. Oath’s Information Security Policy defines the fundamentals for Information Security (IS) management and the core principles of IS risk management. Oath’s core IS documents are reviewed annually.

    Organizational Security

    It is the responsibility of the individuals across the organization to comply with these practices and standards. To facilitate the corporate adherence to these practices and standards, the function of information security provides:

    • Strategy and compliance with policies/standards and regulations, awareness and education, risk assessments and management, contract security requirements management, application and infrastructure consulting, assurance testing and drives the security direction of the company.
    • Security testing, design and implementation of security solutions to enable security controls adoption across the environment.
    • Security operations of implemented security solutions, the environment and assets, and manage incident response.

    Asset Classification and Control

    Oath’s practice is to track and manage physical and logical assets. Examples of the assets that Oath IT might track include:

    • Information Assets, such as identified databases, network resiliency and redundancy architecture, data classification, archived information.
    • Software Assets, such as identified applications and system software.
    • Physical Assets, such as identified servers, desktops/laptops, backup/archival tapes, printers and communications equipment.

    The assets are classified based on business criticality to determine confidentiality requirements. Technical, organizational and physical safeguards may include controls such as access management, encryption and monitoring.

    Personnel Security and Training

    As part of the employment process, employees undergo a screening process applicable per regional law. Employees are bound to follow Oath’s policies and procedures and breaking or not following these will result in disciplinary actions up to and including termination based on local law. Oath’s annual compliance training includes a requirement for employees to complete an online course and pass an assessment covering information security and data privacy. The security awareness program may also provide materials specific to certain job functions.

    Additionally, Oath service providers with access to data or systems undergo a screening process applicable per regional law and are contractually bound to adhere to the same policies and procedures as full-time employees.

    Physical and Environmental Security

    Oath uses a number of technological and operational approaches in its physical security program to mitigate risk. Oath’s security team works closely with each site to ensure appropriate measures are in place and continually monitors any changes to the physical infrastructure, business, and known threats. Oath balances its approach towards physical security by considering elements of control that include architecture, operations, systems, performance, compatibility and interoperability.

    Operations Management

    The IT organization manages changes to the corporate infrastructure, systems and applications through a centralized change management program, which may include testing, business impact analysis and management approval where appropriate.

    To protect against malicious use of assets and malicious software, additional controls may be implemented based on risk. Common controls may include, but are not limited to, additional information security policies and standards, restricted access, designated development and test environments, virus detection on endpoints, email attachment scanning, system compliance scans, information handling options for the data exporter based on data type, network security, and system and application vulnerability scanning.

    Encryption

    Industry standard hashing algorithms are used throughout the environment. Oath requires that any TLS stack must support, offer, and prefer TLS version 1.2 or higher. Any TLS version that does not comply with this standard must be reviewed and approved by the security department, with additional compensating security controls in place.
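    A practitioner auditing a service against the TLS floor stated above would want a check that a given TLS configuration cannot negotiate below TLS 1.2. The following is an added example written for this page; it is not Oath's code and is not part of the Agreement. It assumes the requirement is read as "the stack must not be able to negotiate anything below TLS 1.2" and uses the Python `ssl` module's `SSLContext` as the configuration under audit, treating the `MINIMUM_SUPPORTED` / `MAXIMUM_SUPPORTED` sentinels the way that module defines them (no explicit floor or ceiling, respectively). The weak setting (no explicit floor) is shown beside the corrected one.

```python
import ssl

# Policy floor taken from the Appendix 2 text: TLS 1.2 or higher must be
# supported, offered and preferred. Anything that can go below it is a finding.
POLICY_FLOOR = ssl.TLSVersion.TLSv1_2


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return policy findings for a Python ssl.SSLContext.

    An empty list means the context cannot negotiate anything below the
    policy floor. Findings are plain strings so they can go straight into a
    compliance report or a CI log.
    """
    findings = []

    minimum = ctx.minimum_version
    # MINIMUM_SUPPORTED is a sentinel, not a real version: it means "no
    # explicit floor, accept whatever the linked OpenSSL still allows". That
    # does not demonstrate compliance, so it is reported as a finding.
    if minimum == ssl.TLSVersion.MINIMUM_SUPPORTED or minimum < POLICY_FLOOR:
        findings.append(
            f"minimum_version is {minimum.name}; policy requires "
            f"{POLICY_FLOOR.name} or higher"
        )

    maximum = ctx.maximum_version
    # MAXIMUM_SUPPORTED is likewise a sentinel meaning "no ceiling". An
    # explicit ceiling below the floor would force a legacy version (or break
    # every handshake), so it is flagged as well.
    if maximum != ssl.TLSVersion.MAXIMUM_SUPPORTED and maximum < POLICY_FLOOR:
        findings.append(
            f"maximum_version is {maximum.name}, below the {POLICY_FLOOR.name} floor"
        )

    return findings


def policy_compliant_server_context() -> ssl.SSLContext:
    """Server context pinned to the policy floor (the corrected setting)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = POLICY_FLOOR
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """Server context with no explicit floor (the weak setting).

    Constructed here only to show what the audit flags; whether such a context
    really accepts TLS 1.0/1.1 depends on the OpenSSL build it is linked to,
    which is exactly why relying on it is not demonstrable compliance.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    for label, ctx in (("compliant", policy_compliant_server_context()),
                       ("legacy", legacy_server_context())):
        findings = audit_tls_context(ctx)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

    The check deliberately reports an unset floor rather than trusting the library default: a default that happens to be TLS 1.2 today can be lowered by an OpenSSL configuration file or a different build, and an audit should record the explicit setting, not the current behaviour.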

    Incident Response

    Oath maintains a security operations center that is staffed 24/7 which monitors and reports on potential security related events. Oath utilizes multiple scanning, investigation, and protection technologies across the enterprise to identify, track, block, and remediate vulnerabilities and potential breaches. Additionally, there is an established policy and process for incident response, as well as mandated annual security training for all employees and an internal web page with instructions for easy reference.

    Additionally, Oath has dedicated personnel to investigate new and emerging attack intelligence. Security-related incidents are logged and tracked, to include the validation of the supporting documentation following internal standards and procedures.

    Access Controls

    Access to corporate systems is restricted, based on procedures to ensure appropriate approvals. In addition, remote access and wireless computing capabilities are restricted and require that both user and system safeguards are in place.

    System Development and Maintenance

    Publicly released third party vulnerabilities are reviewed for applicability in the Oath environment. Based on risk to Oath’s business and customers, there are predetermined time frames for remediation. In addition, vulnerability scanning and assessments are performed on new and key applications and the infrastructure based on risk. Code reviews are used in the development environment prior to production. These processes enable proactive identification of vulnerabilities as well as compliance. Additionally, a public bug bounty program is available and supplements the research performed by internal security.

    Compliance

    The information security, legal, privacy and compliance departments work together to identify the regional laws and regulations applicable to Oath. Mechanisms such as the information security program, the Privacy Council, internal and external reviews and assessments, consultation with internal and external legal counsel, internal controls assessment, internal penetration testing and vulnerability assessments, contract management, security awareness, security consulting, policy exception reviews and risk management combine to drive compliance with these requirements.



    EXHIBIT 3

    TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

    Oath will implement and maintain the following technical and organisational security measures, in particular:

    Oath Information Security Overview

    Oath takes information security seriously. This information security overview applies to Oath’s corporate controls for safeguarding personal data which is processed in connection with delivery of our services. Oath’s information security program enables the workforce to understand their responsibilities. Some customer solutions may have alternate safeguards outlined in the statement of work as agreed with each customer.

    Security Practices

    Oath has established a comprehensive information and cyber security program with an industry-standard security governance framework. Oath’s Information Security organization is responsible for implementing controls and ensuring adherence to security policies and standards in line with evolving business requirements, compliance guidance and an emerging threat landscape. Information Security risks are managed in accordance with ISO 27001/ISO 27005 and the NIST CSF. Oath’s Information Security Policy defines the fundamentals of Information Security (IS) management and the core principles of IS risk management. Oath’s core IS documents are reviewed annually.

    Organizational Security

    It is the responsibility of individuals across the organization to comply with these practices and standards. To facilitate corporate adherence to these practices and standards, the information security function provides:
    • Strategy and compliance with policies/standards and regulations, awareness and education, risk assessment and management, contract security requirements management, application and infrastructure consulting and assurance testing, and drives the security direction of the company.
    • Security testing, and the design and implementation of security solutions to enable the adoption of security controls across the environment.
    • Security operations for implemented security solutions, the environment and its assets, and management of incident response.

    Asset Classification and Control

    Oath’s practice is to track and manage physical and logical assets. Examples of the assets that Oath IT might track include:
    • Information Assets, such as identified databases, network resiliency and redundancy architecture, data classification, archived information.
    • Software Assets, such as identified applications and system software.
    • Physical Assets, such as identified servers, desktops/laptops, backup/archival tapes, printers and communications equipment.

    The assets are classified based on business criticality to determine confidentiality requirements. Technical, organizational and physical safeguards may include controls such as access management, encryption and monitoring.

    Personnel Security and Training

    As part of the employment process, employees undergo a screening process applicable per regional law. Employees are bound to follow Oath’s policies and procedures and breaking or not following these will result in disciplinary actions up to and including termination based on local law. Oath’s annual compliance training includes a requirement for employees to complete an online course and pass an assessment covering information security and data privacy. The security awareness program may also provide materials specific to certain job functions.

    Additionally, Oath service providers with access to data or systems undergo a screening process applicable under regional law and are contractually bound to adhere to the same policies and procedures as full-time employees.

    Physical and Environmental Security

    Oath uses a number of technological and operational approaches in its physical security program to mitigate risk. Oath’s security team works closely with each site to ensure that appropriate measures are in place and continually monitors changes to the physical infrastructure, the business and known threats. Oath balances its approach to physical security by considering elements of control that include architecture, operations, systems, performance, compatibility and interoperability.

    Operations Management

    The IT organization manages changes to the corporate infrastructure, systems and applications through a centralized change management program, which may include testing, business impact analysis and management approval where appropriate.

    To protect against malicious use of assets and malicious software, additional controls may be implemented based on risk. Common controls may include, but are not limited to, additional information security policies and standards, restricted access, designated development and test environments, virus detection on endpoints, email attachment scanning, system compliance scans, information handling options for the data exporter based on data type, network security, and system and application vulnerability scanning.

    Encryption

    Industry-standard hashing algorithms are used throughout the environment. Oath requires that any TLS stack must support, offer and prefer TLS version 1.2 or higher. Any deployment that does not comply with this standard must be reviewed and approved by the security department and supported by additional compensating security controls.

    Incident Response

    Oath maintains a security operations center, staffed 24/7, which monitors and reports on potential security-related events. Oath utilizes multiple scanning, investigation and protection technologies across the enterprise to identify, track, block and remediate vulnerabilities and potential breaches. Additionally, there is an established policy and process for incident response, as well as mandated annual security training for all employees and an internal web page with instructions for easy reference.

    Additionally, Oath has dedicated personnel to investigate new and emerging attack intelligence. Security-related incidents are logged and tracked, including validation of the supporting documentation in accordance with internal standards and procedures.

    Access Controls

    Access to corporate systems is restricted based on procedures that ensure appropriate approvals. In addition, remote access and wireless computing capabilities are restricted and require that both user and system safeguards are in place.

    System Development and Maintenance

    Publicly released third-party vulnerabilities are reviewed for applicability to the Oath environment. Based on the risk to Oath’s business and customers, there are predetermined time frames for remediation. In addition, vulnerability scanning and assessments are performed on new and key applications and on the infrastructure, based on risk. Code reviews are performed in the development environment prior to production release. These processes enable proactive identification of vulnerabilities as well as compliance. Additionally, a public bug bounty program is available and supplements the research performed by internal security.

    Compliance

    The information security, legal, privacy and compliance departments work to identify the regional laws and regulations applicable to Oath. Mechanisms such as the information security program, the Privacy Council, internal and external reviews/assessments, consultation with internal and external legal counsel, internal controls assessment, internal penetration testing and vulnerability assessments, contract management, security awareness, security consulting, policy exception reviews and risk management combine to drive compliance with these requirements.