ironSource Mobile Subprocessors

• Amazon Web Services, Inc.
• Datadog, Inc.
• Digital Envoy, Inc.
• Imply Data, Inc.

ironSource Aura Subprocessors

• Amazon Web Services, Inc.
• Google Cloud

ironSource Mobile Ltd. – Data Retention Policy

The below data retention policy describes ironSource Mobile Ltd.’s (“ironSource”) data retention policy with respect to Personal Data. Personal Data means any personal data of end users of ironSource’s publishers and advertisers within the meaning of such term under the EU General Data Protection Regulation 2016/679.

1. Storage and Network

(a) Storage.

Infrastructure. All Personal Data shall be stored on Amazon Web Services’ servers located in the United States. An overview of Amazon Web Services (AWS) Security Processes is available at http://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf.

AWS manages the physical security and external network security (i.e. networks outside ironSource servers). Please see details at http://aws.amazon.com/agreement/.

Redundancy. Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. The Services are designed to perform certain types of preventative and corrective maintenance without interruption.

Power. The data center electrical power systems are maintained by AWS.

Server Operating Systems. All servers are running on Linux Ubuntu.

Businesses Continuity. ironSource replicates data over multiple regions to help to protect against accidental destruction or loss.

Data Retention Periods. Personal Data is stored for the longer of (i) a period of up to 6 months from the date such information is first stored in our system; and (ii) 3 months following the last event received from a user.

(b) Networks & Transmission.

Data Transmission. ironSource’s servers transfer Personal Data via HTTPS to and from the SDK. This is designed to prevent Personal Data from being read, copied, altered or removed without authorization during electronic transfer or transport.

Incident Response. ironSource implements a strict policy for incident response and will react promptly to known incidents.

Encryption Technologies. All Personal Data transferred to ironSource is encrypted using advanced encryption standards.

2. Access and Site Controls

Control Activities and Processes. Control activities provide reasonable assurance that logical access to relevant applications, Personal Data and system resources is restricted to properly authorized individuals and programs. ironSource designated a specific team for configuring and administrating of the firewall and security groups to control security and access to “internal” network infrastructure. All servers implement access control and user validation according to the business requirements.

The system is deployed on Linux server instances via Amazon Elastic Compute Cloud (EC2) managed service, which provides reliable and flexible server deployment including OS level patches. Firewalls and host-based intrusion detection systems are deployed on the system. All security monitoring systems including, but not limited to, firewalls and host intrusion detection systems are deployed and enabled. All infrastructure platforms and services (operating systems, web servers, database servers, firewalls, etc.) are configured according to industry best practices. ironSources designated a specific team for configuring and administrating of the firewall using AWS security groups to control security and access to “internal” network infrastructure.

ironSource has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. ironSource’s infrastructure security personnel are responsible for the ongoing monitoring of its security infrastructure, the review of the services, and for responding to security incidents.

Access Control and Privilege Management. ironSource’s administrators and end users must authenticate themselves via a central authentication system or via a single sign on system in order to use the Services. Each application checks credentials in order to allow the display of Personal Data to an authorized End User or authorized administrator.

The granting or modification of access rights is based on: the authorized personnel’s job responsibilities, job duty requirements necessary to perform authorized tasks, and a need to know basis. Approvals are managed by ironSource’s designated team. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g. login to workstations), password policies that follow at least industry standard best practices are implemented. These standards include restrictions on password reuse and sufficient password strength.

3. Data

Data Storage. Personal Data is stored at Amazon Web Services (AWS).

Backup and Restoration. Database backups (DB) are taken using tools provided by AWS and database snapshots are taken on a regular basis.

Authentication. Every user has unique credentials when accessing the system and is limited only to Personal Data relevant to that user.

4. Personnel Security

ironSource personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. ironSource conducts reasonably appropriate backgrounds checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

Personnel are required to sign a confidentiality agreement and must acknowledge receipt of, and compliance with, ironSource’s confidentiality and privacy policies. Personnel are provided with security training.

5. Subprocessor Security

Before onboarding Subprocessors, ironSource conducts a review of the security and privacy practices of Subprocessors.

6. ISO 27001 Certification

ironSource obtained an ISO 27001 certification with respect to its ad network and mediation platform.