Data Paradigm, Inc.

Service Data Protection Policy

Effective as of June 2, 2020, Data Paradigm, Inc. ("DPI"), has updated its Privacy Policy ("Policy").

DPI is committed to providing a robust and comprehensive security program for its enterprise customers ("Clients"), including the security measures set forth in this document. These security measures may change without notice, as standards evolve or as additional controls are implemented or existing controls are modified as we deem reasonably necessary.

DPI provides its Clients products and services on a subscription basis (the "Service(s)") and are governed by various contracts and agreements between DPI and its Clients (collectively, "Service Contract"). DPI's Clients offer services to their "Agents", "Distributors" or "Personnel" as defined in the Service Contract (collectively defined here as, "End-Users"))

This policy applies to electronic data, text, messages, communications or other materials submitted to and stored within the Services by our Clients ("Service Data").

DPI is considered a third-party "Data Processor" under the General Data Protection Regulation ("GDPR"), and a "Service Provider" under the California Consumer Privacy Act ("CCPA"), because it acts on the behalf of its Clients. It handles its Client's End-Users' personal data on behalf of its Clients. Additionally, where the Services are made available to you through a Client of DPI's, that enterprise is the "Data Controller" of your personal information for GDPR and CCPA purposes.

Security Measures Utilized by Us

We will abide by these security measures to protect Service Data as is reasonably necessary to provide the Services:

  1. Security Policies and Personnel. We have and will continue to maintain a managed security program to identify risks and implement preventative technology, as well as technology and processes for common attack mitigation. This program is and will be reviewed on a regular basis to provide for continued effectiveness and accuracy. We have, and will continue to maintain, an information security team responsible for monitoring and reviewing security infrastructure for our networks, systems and services, responding to security incidents, and developing and delivering training to our employees in compliance with our security policies.
  2. Data Transmission. We will maintain commercially-reasonable administrative, physical and technical safeguards to protect the security, confidentiality, and integrity of Service Data. These safeguards include encryption of Service Data at rest and in transmission with our user interfaces or APIs (using TLS or similar technologies) over the Internet.
  3. Audits and Certifications. Upon Client's request, and subject to the confidentiality obligations set forth in the Contract for Services, DPI shall make available to Clients (or Client's independent, third-party auditor) information regarding DPI's Security Audit Compliance and Reporting (under appropriate non-disclosure protections).
  4. Incident Response. We have an incident management process for security events that may affect the confidentiality, integrity, or availability of our systems or data that includes a response time under which DPI will contact its Clients upon verification of a security incident that affects Your Service Data. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. The incident response program includes centralized monitoring systems and on-call staffing to respond to service incidents. Unless ordered otherwise by law enforcement or government agency, you will be notified within seventy-two (72) hours of a Service Data Breach. "Service Data Breach" means an unauthorized access or improper disclosure that has been verified to have affected your Service Data.
  5. Access Control and Privilege Management. We restrict administrative access to production systems to approved personnel. We require such personnel to have unique IDs and associated cryptographic keys. These keys are used to authenticate and identify each person's activities on our systems, including access to Service Data. Upon hire, our approved personnel are assigned unique keys. Upon termination of personnel, or where compromise of such key is suspected, these keys are revoked. Access rights and levels are based on our employees' job function and role, using the concepts of least-privilege and need-to-know basis to match access privileges to defined responsibilities.
  6. Network Management and Security. The Sub-Processors utilized by us for hosting services maintain industry standard fully redundant and secure network architecture with reasonably sufficient bandwidth as well as redundant network infrastructure to mitigate the impact of individual component failure. Our security team utilizes industry standard utilities to provide defense against known common unauthorized network activity, monitors security advisory lists for vulnerabilities, and undertakes regular external vulnerability scans and audits.
  7. Data Center Environment and Physical Security. The Sub-Processors' environments which are utilized by us for hosting services in connection with our provision of the Services employ the following security measures:
  • A security organization responsible for physical security functions 24x7x365.
  • Access to areas where systems or system components are installed or stored within data centers is restricted through security measures and policies consistent with industry standards.
  • N+1 uninterruptible power supply and HVAC systems, backup power generator architecture and advanced fire suppression.

Technical and Organizational Security Measures for Third-Party Service Providers Who Process Service Data

Any third-party service providers that are utilized by DPI will only be given access to your Account and Service Data as is reasonably necessary to provide the Services. DPI maintains a vendor security review program which assesses and manages any potential risks involved in using these third-party service providers who have access to Service Data and such third-party service providers will be subject to their implementing and maintaining compliance with the following appropriate technical and organizational security measures:

  1. Physical Access Controls. Third-party service providers shall take reasonable measures, such as security personnel and secured buildings, to prevent unauthorized persons from gaining physical access to data processing systems in which Service Data is processed.
  2. System Access Controls. Third-party service providers shall take reasonable measures to prevent data processing systems from being used without authorization. These controls shall vary based on the nature of processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and/or logging of access on several levels.
  3. Data Access Controls. Third-party service providers shall take reasonable measures to provide that Service Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to access Service Data only have access to Service Data to which they have the privilege of access; and, that Service Data cannot be read, copied, modified, or removed without authorization in the course of Processing.
  4. Transmission Controls. Third-party service providers shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Service Data by means of data transmission facilities is envisaged so Service Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport.
  5. Input Controls. Third-party service providers shall take reasonable measures to provide that it is possible to check and establish whether and by whom Service Data has been entered into data processing systems, modified or removed; and, any transfer of Service Data to a third-party service provider is made via a secure transmission.
  6. Data Protection. Third-party service providers shall take reasonable measures to provide that Service Data is secured to protect against accidental destruction or loss.
  7. Logical Separation. Third-party service providers shall logically segregate Service Data from the data of other parties on its systems to ensure that Service Data may be Processed separately.

DPI Sub-Processors

Data Paradigm, Inc. ("DPI") uses certain Sub-Processors and content delivery networks to assist it in providing the DPI Services as described in the relevant Contract for Services.

What is a Sub-Processor

A Sub-Processor is a third party data processor engaged by DPI, who has or potentially will have access to or processes Service Data (which may contain personal data). DPI engages different types of Sub-Processors to perform various functions as explained in the tables below.

Due Diligence

DPI uses commercially reasonable selection processes by which it evaluates the security, privacy and confidentiality practices of proposed Sub-Processors that will or may have access to or otherwise process Service Data.

Contractual Safeguards

DPI generally requires its Sub-Processors to satisfy equivalent obligations as those required of DPI (as a Data Processor) as set forth in DPI's Data Processing Agreement ("DPA"), including but not limited to the requirements to:

  • Process personal data in accordance with Data Controller's (i.e. Client's) documented instructions (as communicated in writing to the relevant Sub-Processor by DPI);
  • In connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
  • Provide regular training in security and data protection to personnel to whom they grant access to personal data;
  • Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which DPI is contractually committed to adhere to insofar as they are equally relevant to the Sub-Processor's processing of personal data on DPI's behalf) and provide an annual certification that evidences compliance with this obligation. In the absence of such certification DPI reserves the right to audit the Sub-Processor;
  • Promptly inform DPI about any actual or potential security breach; and
  • Cooperate with DPI in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.

Third-party service providers which incidentally have access to Service Data and are used to provide specific features or components of the product outside of the core hosting of Service Data are regularly reviewed by DPI to ensure they work towards implementing each of the standards described in this Section. However, Sub-Processors may not currently meet all of the measures identified above.

This Policy does not give Clients any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate DPI's engagement process for Sub-Processors as well as to provide the actual list of third-party Sub-Processors and content delivery networks used by DPI as of the date of this policy (which DPI may use in the delivery and support of its Services).

If you are a DPI Client and wish to enter into our DPA, please email us at [email protected].

Process to Engage New Sub-Processors:

For all Clients who have executed DPI's standard DPA, DPI will provide notice via this policy of updates to the list of Sub-Processors that are utilized, or which DPI proposes to utilize to deliver its Services. DPI undertakes to keep this list updated regularly to enable its Clients to stay informed of the scope of sub-processing associated with the DPI Services.

Pursuant to the DPA, a Client may object in writing to the processing of its personal data by a new Sub-Processor within thirty (30) days following the update of this policy and such objection shall describe Client's legitimate reason(s) for objection. If Client does not object during such time period the new Sub-Processor(s) shall be deemed accepted.

If a Client objects to the use of a new Sub-Processor pursuant to the process provided under the DPA, DPI shall have the right to cure the objection through one of the following options (to be selected at DPI's sole discretion):

  1. DPI will cease to use the new Sub-Processor with regard to personal data;
  2. DPI will take the corrective steps requested by Client in its objection (which steps will be deemed to resolve Client's objection) and proceed to use the Sub-Processor to process personal data; or
  3. DPI may cease to provide or Client may agree not to use (temporarily or permanently) the particular aspect of a DPI Service that would involve use of the Sub-Processor to process personal data.

Termination rights, as applicable and agreed, are set forth exclusively in the DPA.

List of Sub-Processors:

The following is an up-to-date list (as of the date of this policy) of the names and locations of DPI Sub-Processors and content delivery networks:

General Sub-Processors

DPI works with certain third parties to provide specific functionality within the Services. These providers are the Sub-Processors set forth below. In order to provide the relevant functionality these Sub-Processors access Service Data.

Purpose Entity
Twilio, Inc. is a communication service provider used within DPI's infrastructure to send and receive SMS messages. Twilio has access to Client and End-Users' information as needed to deliver text messages between Clients and End-Users. This includes Service Data contained in the messages and the personal data of Client's Agents and End-Users as needed to send and deliver the messages. United
Sendgrid, Inc. ("Sendgrid") is an email campaign service provider used within DPI's infrastructure to send emails to Clients and End-Users. The primary information Sendgrid has access to is the email addresses of recipients of the emails and the content of the emails themselves. The content of the emails may include the content that the Client has chosen to include in the email campaign. United
Cloudflare, Inc. ("Cloudflare") provides content distribution, security and DNS services for web traffic transmitted to and from the Services. This allows DPI to efficiently manage traffic and secure the Services. The primary information Cloudflare has access to is information in and associated with the DPI or Client website URL that the End-User or Agent is interacting with (which includes End-User or Agent IP address). Some information (including Service Data) contained in web traffic transmitted to and from the Services is transmitted through Cloudflare's systems. Cloudflare also processes a limited amount of personal data (specifically Agent and End-User IP addresses and browser and operating system information) for logging purposes. United
Tokenex, Inc. ("TokenEx") is a third-party provider that DPI uses to replace sensitive data with non-sensitive placeholders called tokens. DPI uses this to secure and desensitize data by replacing the original data with an unrelated value of the same length and format. TokenEx is the PCI-certified service provider we have chosen for this process. The primary information TokenEx has access to is tokenized Credit Card information associated with DPI accounts who rely on DPI for payment card data services. United
Google, Inc. ("Google Maps") is a third-party mapping platform that DPI uses to provide mapping functionality to Clients within DPI applications. United

Infrastructure Sub-Processors – Service Data Storage and Processing

DPI owns or controls access to the infrastructure that DPI uses to host and process Service Data submitted to the Services, other than as set forth herein. Currently, the DPI production systems used for hosting Service Data for the Services are located in co-location facilities in the United States and Europe and in the infrastructure Sub-Processors listed below. Client accounts are typically established in one of these regions based on where the Client is located, but may be shifted among locations to ensure performance and availability of the Services. The following table describes the countries and legal entities engaged by DPI in the storage of Service Data. DPI also uses additional services provided by these Sub-Processors to process Service Data as needed to provide the Services.

Entity Name Entity Type Entity Country
Amazon Web Services, Inc. Cloud Service Provider United States, Ireland
Microsoft Inc. (Azure) Cloud Service Provider United States

Content Delivery Networks

As explained above, DPI's Services may use content delivery networks ("CDNs") to provide the Services, for security purposes, and to optimize content delivery. CDNs do not have access to Service Data but are commonly used systems of distributed services that deliver content based on the geographic location of the individual accessing the content and the origin of the content provider. Website content served to website visitors and domain name information may be stored with a CDN to expedite transmission, and information transmitted across a CDN may be accessed by that CDN to enable its functions. The following describes use of CDNs by DPI's services.

CDN Provider CDN
Description of CDN Services
Akamai Global Public website content served to website visitors may be stored with Akamai, and transmitted by Akamai to website visitors, to optimize delivery.
Amazon Web Services, Inc. Global Public website content served to website visitors may be stored with Amazon Web Services, Inc., and transmitted by Amazon Web Services, Inc. to website visitors, to optimize delivery.
Cloudflare, Inc. Global Public website content served to website visitors may be stored with Cloudflare, Inc., and transmitted by Cloudflare, Inc. to website visitors, to optimize delivery.
Microsoft, Inc. Global Public website content served to website visitors may be stored with Microsoft, Inc. (Microsoft Azure) and transmitted by Microsoft, Inc. to website visitors, to optimize delivery.