DPI is committed to providing a robust and comprehensive security program for its enterprise customers ("Clients"), including the security measures set forth in this document. These security measures may change without notice, as standards evolve or as additional controls are implemented or existing controls are modified as we deem reasonably necessary.
DPI provides its Clients with products and services on a subscription basis (the "Service(s)"), which are governed by various contracts and agreements between DPI and its Clients (collectively, "Service Contract"). DPI's Clients offer services to their "Agents", "Distributors" or "Personnel" as defined in the Service Contract (collectively defined here as "End-Users").
This policy applies to electronic data, text, messages, communications or other materials submitted to and stored within the Services by our Clients ("Service Data").
DPI is considered a third-party "Data Processor" under the General Data Protection Regulation ("GDPR"), and a "Service Provider" under the California Consumer Privacy Act ("CCPA"), because it acts on behalf of its Clients. It handles its Clients' End-Users' personal data on behalf of its Clients. Additionally, where the Services are made available to you through a Client of DPI's, that enterprise is the "Data Controller" of your personal information for GDPR and CCPA purposes.
We will abide by these security measures to protect Service Data as is reasonably necessary to provide the Services:
Any third-party service providers that are utilized by DPI will only be given access to your Account and Service Data as is reasonably necessary to provide the Services. DPI maintains a vendor security review program that assesses and manages any potential risks involved in using third-party service providers that have access to Service Data. Such third-party service providers will be subject to implementing and maintaining compliance with the following appropriate technical and organizational security measures:
Data Paradigm, Inc. ("DPI") uses certain Sub-Processors and content delivery networks to assist it in providing the DPI Services as described in the relevant Contract for Services.
A Sub-Processor is a third party data processor engaged by DPI, who has or potentially will have access to or processes Service Data (which may contain personal data). DPI engages different types of Sub-Processors to perform various functions as explained in the tables below.
DPI uses commercially reasonable selection processes by which it evaluates the security, privacy and confidentiality practices of proposed Sub-Processors that will or may have access to or otherwise process Service Data.
DPI generally requires its Sub-Processors to satisfy equivalent obligations as those required of DPI (as a Data Processor) as set forth in DPI's Data Processing Agreement ("DPA"), including but not limited to the requirements to:
Third-party service providers which incidentally have access to Service Data and are used to provide specific features or components of the product outside of the core hosting of Service Data are regularly reviewed by DPI to ensure they work towards implementing each of the standards described in this Section. However, Sub-Processors may not currently meet all of the measures identified above.
This Policy does not give Clients any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate DPI's engagement process for Sub-Processors as well as to provide the actual list of third-party Sub-Processors and content delivery networks used by DPI as of the date of this policy (which DPI may use in the delivery and support of its Services).
If you are a DPI Client and wish to enter into our DPA, please email us at [email protected]
For all Clients who have executed DPI's standard DPA, DPI will provide notice via this policy of updates to the list of Sub-Processors that are utilized, or which DPI proposes to utilize to deliver its Services. DPI undertakes to keep this list updated regularly to enable its Clients to stay informed of the scope of sub-processing associated with the DPI Services.
Pursuant to the DPA, a Client may object in writing to the processing of its personal data by a new Sub-Processor within thirty (30) days following the update of this policy and such objection shall describe Client's legitimate reason(s) for objection. If Client does not object during such time period the new Sub-Processor(s) shall be deemed accepted.
If a Client objects to the use of a new Sub-Processor pursuant to the process provided under the DPA, DPI shall have the right to cure the objection through one of the following options (to be selected at DPI's sole discretion):
Termination rights, as applicable and agreed, are set forth exclusively in the DPA.
The following is an up-to-date list (as of the date of this policy) of the names and locations of DPI Sub-Processors and content delivery networks:
DPI works with certain third parties to provide specific functionality within the Services. These providers are the Sub-Processors set forth below. In order to provide the relevant functionality these Sub-Processors access Service Data.
Twilio, Inc. is a communication service provider used within DPI's infrastructure to send and receive SMS messages. Twilio has access to Client and End-Users' information as needed to deliver text messages between Clients and End-Users. This includes Service Data contained in the messages and the personal data of Client's Agents and End-Users as needed to send and deliver the messages. United
Sendgrid, Inc. ("Sendgrid") is an email campaign service provider used within DPI's infrastructure to send emails to Clients and End-Users. The primary information Sendgrid has access to is the email addresses of recipients of the emails and the content of the emails themselves. The content of the emails may include the content that the Client has chosen to include in the email campaign. United
Cloudflare, Inc. ("Cloudflare") provides content distribution, security and DNS services for web traffic transmitted to and from the Services. This allows DPI to efficiently manage traffic and secure the Services. The primary information Cloudflare has access to is information in and associated with the DPI or Client website URL that the End-User or Agent is interacting with (which includes End-User or Agent IP address). Some information (including Service Data) contained in web traffic transmitted to and from the Services is transmitted through Cloudflare's systems. Cloudflare also processes a limited amount of personal data (specifically Agent and End-User IP addresses and browser and operating system information) for logging purposes. United
Tokenex, Inc. ("TokenEx") is a third-party provider that DPI uses to replace sensitive data with non-sensitive placeholders called tokens. DPI uses this to secure and desensitize data by replacing the original data with an unrelated value of the same length and format. TokenEx is the PCI-certified service provider we have chosen for this process. The primary information TokenEx has access to is tokenized Credit Card information associated with DPI accounts who rely on DPI for payment card data services. United
Google, Inc. ("Google Maps") is a third-party mapping platform that DPI uses to provide mapping functionality to Clients within DPI applications. United
Infrastructure Sub-Processors – Service Data Storage and Processing
DPI owns or controls access to the infrastructure that DPI uses to host and process Service Data submitted to the Services, other than as set forth herein. Currently, the DPI production systems used for hosting Service Data for the Services are located in co-location facilities in the United States and Europe and in the infrastructure Sub-Processors listed below. Client accounts are typically established in one of these regions based on where the Client is located, but may be shifted among locations to ensure performance and availability of the Services. The following table describes the countries and legal entities engaged by DPI in the storage of Service Data. DPI also uses additional services provided by these Sub-Processors to process Service Data as needed to provide the Services.
Entity Name | Entity Type | Entity Country
Amazon Web Services, Inc. | Cloud Service Provider | United States, Ireland
Microsoft Inc. (Azure) | Cloud Service Provider | United States
Content Delivery Networks
As explained above, DPI's Services may use content delivery networks ("CDNs") to provide the Services, for security purposes, and to optimize content delivery. CDNs do not have access to Service Data but are commonly used systems of distributed services that deliver content based on the geographic location of the individual accessing the content and the origin of the content provider. Website content served to website visitors and domain name information may be stored with a CDN to expedite transmission, and information transmitted across a CDN may be accessed by that CDN to enable its functions. The following describes use of CDNs by DPI's services.
CDN Provider | CDN | Description of CDN Services
Akamai | Global | Public website content served to website visitors may be stored with Akamai, and transmitted by Akamai to website visitors, to optimize delivery.
Amazon Web Services, Inc. | Global | Public website content served to website visitors may be stored with Amazon Web Services, Inc., and transmitted by Amazon Web Services, Inc. to website visitors, to optimize delivery.
Cloudflare, Inc. | Global | Public website content served to website visitors may be stored with Cloudflare, Inc., and transmitted by Cloudflare, Inc. to website visitors, to optimize delivery.
Microsoft, Inc. | Global | Public website content served to website visitors may be stored with Microsoft, Inc. (Microsoft Azure) and transmitted by Microsoft, Inc. to website visitors, to optimize delivery.