Personal Data Protection Policy
This personal data protection policy (the “PDPP”) applies to the processing of Personal Data in the context of the Agreement. It is hereby agreed that the PDPP is incorporated into the terms of the Agreement.
CLAUSE 1. Definitions
Any term not defined in the PDPP has the meaning given to it in the Agreement. The terms “process”, “processing”, “processor”, “transfer”, “controller” shall have the meaning given to them under the Applicable Regulations.
CLAUSE 2. General Principles
Pursuant to the Applicable Regulations and in the context of the Agreement:
- The Client is data controller of the Personal Data or, when applicable, data processor of its own clients;
- Verbolia is data processor of the Personal Data, processing exclusively on behalf and only on documented instructions from the Client.
The Parties recognize that the Agreement, as well as the use of the Service and its functionalities, in accordance with the Agreement, form the documented instructions of the Client.
Any additional instruction concerning the processing of Personal Data by Verbolia shall be provided by the Client in written form. The instruction specifies the purpose of processing and the operation to be performed by Verbolia, provided that the Client agrees beforehand on the estimate from Verbolia for the additional instruction.
Verbolia shall inform the Client, by any means, within five (5) days of receiving an instruction if, in its opinion, that instruction infringes the Applicable Regulations.
The Client recognizes that it has exclusive control and knowledge of the Personal Data processed for the specific purpose of the Agreement, and notably of its origin. Consequently, the Client shall fulfill its obligations as data controller.
Verbolia will delete the Personal Data and copies thereof in accordance with the Agreement, unless any applicable law or the Applicable Regulations require storage of the Personal Data.
The Client shall inform Verbolia, when signing the Agreement, of the person to contact for all information, communications, notifications, or requests made in respect of the PDPP. If the Client does not provide Verbolia with this information, the signatory will be considered as the relevant contact person.
If it is strictly necessary for the performance of the Agreement, Verbolia may transfer Personal Data provided that the Client is informed beforehand of such transfer. In any case, Verbolia shall not transfer Personal Data, without implementing the appropriate safeguards in application of article 46 of the GDPR, outside:
- the European Union
- the European Economic Area
- a third country or territory recognized by the European Commission as ensuring an adequate level of protection.
In any case, the Personal Data entrusted to Verbolia is localized at one or more sites in the European Union.
CLAUSE 3. Security of Personal Data
In accordance with article 32(1) of the GDPR, the Client and Verbolia shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The measures taken by Verbolia are listed in a security measures document, an updated version of which is available to the Client upon request.
Verbolia is exclusively responsible for the security aspects of the Service falling under its control. The Client is responsible for the security and the confidentiality of its respective systems and the access it grants to the Service. The Client shall ensure that the use and the configuration of the Service meet the security requirements of the Applicable Regulations. Verbolia is not bound by any obligation to protect Personal Data which is (i) stored outside of the Service; (ii) transferred out of the Service by the Client; or (iii) transferred out of the Service by Verbolia under instruction of the Client.
Verbolia ensures that persons authorized to process the Personal Data have committed themselves to confidentiality.
CLAUSE 4. Cooperation with the Client
Verbolia shall inform the Client without undue delay after receiving any request, notice of investigation or complaint from any data subject concerning the processing of Personal Data under the Agreement (“Data Subject Requests”).
Acting as data controller, the Client shall remain solely responsible for the answer to be provided to Data Subject Requests and Verbolia shall not answer any Data Subject Requests. Notwithstanding the foregoing, and taking into account the nature of the processing of the Personal Data, Verbolia shall upon request assist the Client in the fulfillment of the Client’s obligations in responding to Data Subject Requests. Client acknowledges that Verbolia will use appropriate technical and organizational measures in providing any such assistance, insofar as this is reasonably possible.
Upon written request from the Client, Verbolia shall provide the Client, at the expenses of the latter, with all the useful information in its possession for the purpose of assisting the Client, as data controller, to satisfy the privacy impact assessment requirements of the Applicable Regulations. Any such privacy impact assessment shall be carried out by and under the sole responsibility of the Client.
CLAUSE 5. Notification of Data Breach
Verbolia shall notify the Client without undue delay after becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed (“Data Breach”).
Verbolia shall provide the Client without undue delay after the notification of the Data Breach and insofar as this is possible, the following information:
- the categories and approximate number of data subjects concerned;
- the categories and approximate number of Personal Data records concerned;
- the likely consequences of the Data Breach;
- the measures taken or proposed to be taken by Verbolia to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
CLAUSE 6. Processor
Verbolia may engage a sub-processor for the processing of Personal Data that is, in Verbolia’s sole discretion, strictly necessary for the performance of the Agreement.
Verbolia shall only engage sub-processors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Applicable Regulations.
Verbolia shall by way of written agreement impose obligations substantively equivalent to those set out in the Agreement and in the Applicable Regulations on its sub-processors. Verbolia shall remain fully liable to the Client for the performance of that sub-processor’s obligations.
Verbolia may only engage a sub-processor which:
- is established in one of the member states of the European Union or the European Economic Area; or
- is established in a third country or territory recognized by the European Commission as ensuring an adequate level of protection; or
- proposes one of the appropriate safeguards pursuant to article 46 of the GDPR.
The list of the sub-processors of Verbolia shall be provided on written request. Verbolia shall inform the Client of any addition or replacement of sub-processors as soon as possible. This information constitutes the information to the Client as specified in article 2.2. of the PDPP.
The Client may object in writing to such addition or replacement within a period of ten (10) business days from receipt of the information. The absence of objection from the Client after this period shall be considered acceptance of the sub-processor.
In case of objection from the Client, Verbolia may provide the Client with elements that could lift its objections. If the Client maintains its objections, the Parties shall discuss in good faith the continuation of the Agreement.
CLAUSE 7. Compliance and audit
On request, Verbolia will send the Client by e-mail any document reasonably necessary to demonstrate Verbolia’s compliance with its obligations as a processor under the Agreement. Any other method of sending these documents will be at the Client’s expense.
The Client may request additional verification from Verbolia if the documents provided do not enable it to verify Verbolia’s compliance with its obligations as a processor under the Agreement. In such a case, the Client should make a written request to Verbolia, by registered letter with acknowledgement of receipt, in which Client justifies its request for further information. Verbolia shall answer the Client as soon as possible.
If, despite Verbolia’s answer, the Client questions the veracity or completeness of the information provided or, in the event of imminent risks to the security of Personal Data, the Client may carry out an on-site audit subject to compliance with the following conditions (“Audit”):
- the Client makes a written request for an on-site Audit to Verbolia, by registered letter with acknowledgement of receipt, by justifying and documenting its request;
- Verbolia shall provide a response to the Client specifying the scope and conditions of the on-site Audit. Since the security of Verbolia’s information system and data centers is subject to restricted access, the scope of an on-site Audit will be limited to the operations and systems Verbolia uses for the processing of Personal Data entrusted to Verbolia by the Client under the Agreement;
- the Audit shall not exceed two (2) business days, which will be invoiced by Verbolia to the Client at the rates in effect at the time the Audit is carried out;
- the Audit may be carried out by the Client’s internal auditors or may be entrusted to any service provider chosen by the Client that is not a competitor of Verbolia;
- the auditors must make a formal commitment not to disclose information collected at Verbolia regardless of how it is obtained. A non-disclosure agreement must be signed by the auditors and communicated to Verbolia before the Audit takes place.
As part of the Audit, Verbolia will provide access to its premises, and to the documents and persons reasonably necessary for the auditors to conduct the Audit in satisfactory conditions. The Client and/or the Auditors (as the case may be) must make reasonable endeavors to minimize any disruption to Verbolia’s business operations including the operation of the Service.
The Audit report must be made available to Verbolia by the auditors before being finalized, so that Verbolia can submit any comments, and the final report must take into account and respond to these comments. The Audit report will then be sent to Verbolia and discussed at a meeting between the Parties.
In the event that the final Audit report reveals any breach of the commitments made in relation to the Service, Verbolia shall propose a corrective action plan within twenty (20) business days of the meeting between the Parties.
For the purposes of this clause, “business day” means a day between Monday and Friday which is not a public holiday in metropolitan France.
Subject to material changes of circumstances and events which justify the implementation of an Audit at shorter notice, Audits may be carried out by the Client on Verbolia’s site only once during the Initial Service Period of the Agreement, and subsequently only once per Extended Service Period.
CLAUSE 8. Description of the processing
The nature of the Personal Data processing, the purpose of the processing, the Personal Data processed, the categories of data subjects concerned and the duration of the processing are described in the annex.
ANNEX 1: List of Personal Data and their processing
Note: on the end-user pages created by Verbolia, the customer is able to install its own data tracker (Google Analytics, for example), under its own responsibility. The cookie policies are also under the responsibility of the customer.
ANNEX 2: Personal Data retention and security measures
The Verbolia production and test platforms that constitute our service to our customers only evaluate session parameters that are technically required, and do not read, store or transport anything beyond that.
Even at rest, these technically required and unlinked IDs are not retained on any physical storage whatsoever, but only exist in RAM for as long as the caching headers define.
Any other personal data of our customers’ organisations and all affiliates is not stored in any privately hosted or owned system; for this data, at rest or in processing, we refer to the regulatory compliance of our service providers and their data processor and data controller roles.
All access policies follow provider and best-practice guidelines and are reviewed yearly.
End-user computing devices are in specific cases allowed to locally retain specific sets of data within the security guidelines; these are locally encrypted and remotely wipeable, also under the provider and best-practice guidelines.
Apart from these service providers, our policies and components that mitigate the four types of risk identified in Article 32 of the GDPR span a range of dimensions.
Considering the fact that web-hosting is the basis for Verbolia’s unique functional offering, we are obsessed with adhering to the highest level of industry security standards. Internally each customer’s tenant is protected with the latest versions of antivirus and other data level protection tools like backup solutions to ensure not only the highest level of prevention, but also detection of breaches and remediation once a breach has been detected.
Currently we employ the following set of technical products for this, but it is important to note that this collection of tools is continuously reviewed and can be subject to change at any time if another combination of tools could provide a higher level of security, remediation or redundancy.
In addition to the per-tenant security processes and tools, there are also measures taken on a general “hosting of tenants” scale that are shared by multiple tenants in varying degrees, depending on the technical topic itself:
- Fully redundant L2/L3 internet connections with an automatic remediation of signal loss of mere seconds through the use of redundant BGP routing across multiple internet providers and separate physical paths whenever applicable
- DDOS evaluation of all sessions across those redundant internet connections
- A fully redundant and privately managed DNS namespace across multiple geographical regions
- Integrated and synchronised logging and interpretation of operational events out of all security components for complex evaluations of attack vectors and breach attempts.
- PF OpenBSD main firewall (redundant) with multiple BGP routes
- All elements of the infrastructure of the Processor are fully redundant
- Monitoring of all critical services through Centreon & Freshping
- Antivirus protection on all servers and employee laptops
The measures implemented to ensure data integrity go beyond the implementation of technical tools, since they also depend heavily on implemented processes, sometimes including the owners of that data.
In addition to the aforementioned security measures, there are also several policies, processes and tools in place to be able to verify there was no unwanted alteration of data and the ways and means to remediate them in case they do occur.
Most of the integrity checks are performed by the tools mentioned in the previous chapter; on top of that, we also perform:
- Monthly Critical updates of all software resources
- Monthly Web application Security check (Detectify)
- Varnish Cache server routes check (WAF-like)
All our designs and processes follow a “zero trust” concept, where every individual access attempt has to be verifiably authenticated and encrypted in transit.
Even with the combination of our security standard regarding encryption and the security tools mentioned earlier, there are still specific attention points concerning confidentiality, since this has to be verified on multiple levels and in multiple places:
- Logging, monitoring and evaluating each individual instance of data access
- Physically secured devices (hosting and office environment)
- Secure disposal of any data-storing devices and virtual instances
- SSL encryption of data transfers
All the information processed by the Processor is available to the Contractor in real time in the solution on app.verbolia.com.
On a simple request from the Controller, the Processor can provide a view on more specific potential personal information.
All such requests can be done through the Customer Success Manager that is assigned at the beginning of the collaboration between the Processor and the Contractor.
All data retrieved from the Controller’s API will systematically be deleted by the Processor within 48h. If the Controller wishes the Processor to delete specific data before that delay, e.g. for ads that have been deleted by the Controller’s end-users, it can do so on a simple request in the support section of Verbolia or via email to the dedicated Customer Success Manager.
To ensure security, we are performing monthly audits on the Web applications by using Detectify.
On top of that, we allow our customers to perform security audits of our platform if they request it.
If a migration is requested by the Controller, the data will be provided by the Processor as a file containing all texts from the ads initially retrieved through the API.
Every access to the data, whether it comes from an external visitor, an internal employee or a subcontractor, is recorded in access logs.
At a lower level, the caching servers (Varnish) and the web servers (IIS) are configured to keep track of all accesses.
At a higher application level, we keep track of all actions of the users on the platform once logged in.
Finally, in terms of employees, each of them is subject to a security policy requiring them to respect best practices in terms of data access and traceability of their changes on all tools, such as the databases, the source control and the development tools.
Data retention and deletion
All information provided through the Controller’s API will be kept by the Controller for a maximum of 48h, then will be deleted.
The data are hosted either on our own servers within our WALDC, which has secured access policies (https://www.waldc.be/en/secure-access), or on our hosting partner OVH, which has strict policies as well (https://www.ovh.com/fr/protection-donnees-personnelles/). Some services from AWS are used as well; see the compliance documentation here: https://aws.amazon.com/compliance/gdpr-center/
While we start with a setup that employs all best practices on a code level, it is not impossible that during an integration lifecycle certain technical requests are made that could potentially increase the customer’s exposure to data leakage or accidental destruction of this data.
Our development team is trained in the identification of these attack vectors, but when in doubt a security audit is initiated and the customer has to sign off on the increased risk of this functionality to their environment.
ANNEX 3: List of Suppliers