Technical and Organizational Measures for ironSource Partners

1.     Information Security Program

Partner has implemented and maintains a comprehensive and effective written information security program appropriate to the nature of the Personal Data Processed by Partner, that:

1.1.   contains administrative, technical and physical safeguards to identify, assess and protect against any reasonably foreseeable anticipated or actual threats or hazards (whether internal or external) to the security or integrity of Personal Data (including threats of loss, theft, unauthorized access, use, disclosure or other unauthorized processing of Personal Data or any failure of security controls protecting Personal Data), whether contained in tangible or intangible records (“Safeguards”);

1.2.   meets industry best practices for such Safeguards; and

1.3.   complies with all European Data Protection Laws.

2.     Organization of Information Security

2.1.   Partner has designated one employee to be in charge of Partner’s information security program.

2.2.   Partner has taken appropriate measures to ensure Partner’s personnel and third-party contractors and service providers, as applicable, are aware of and comply with the information security program.

2.3.   Partner has implemented reasonable precautions with respect to the employment of, and access given to, Partner’s personnel, and to reduce the risk associated with outsourcing services, such as imposing security and confidentiality requirements; background checks; screening; security clearances that assign specific access privileges to individuals and training and security awareness programs (as appropriate to Partner’s operations).

3.     Assessment and Monitoring

3.1.   Partner proactively monitors and assesses risks and the sufficiency of any Safeguards in place to control such risks.

3.2.   Partner reviews the scope of security measures at least annually and when a material change in Partner’s business practices occurs that may reasonably implicate the security or integrity of records containing Personal Data.

3.3.   Partner implements and maintains Safeguards to control the risks Partner identifies through risk assessment, regular testing, and otherwise monitoring the effectiveness of the Safeguards’ key controls, systems, and procedures to confirm the information security program is operating in a manner that is reasonably calculated to prevent and detect unauthorized access to or use or disclosure of Personal Data.

3.4.   Partner monitors its personnel, contractors and service providers’ compliance with the Partner’s information security program and imposes disciplinary and/or other appropriate measures for violations of the program.

4.     Physical and Environmental Security

4.1.   Partner executes measures necessary to limit the risk of operational disturbance, theft, natural disasters, and unauthorised access to Personal Data.

4.2.   Partner maintains adequate physical security of all premises in which Personal Data is processed and/or stored, including storage of physical media containing Personal Data in locked facilities, storage areas or containers.

4.3.   Partner ensures that only authorized users have physical access to its systems, infrastructure, and work environments. Partner provides secure protection for its physical facilities (e.g., through card readers or key cards).

5.     Access Control

5.1.   Partner ensures access is only granted to individuals on a need-to-know basis as required to perform a certain role, function, or responsibility, including third-party access required for performance of outsourced services.

5.2.   Partner has controls in place to generate event logs on accessed systems and networks, review and analyse such logs, and proactively monitors and audits such logs.

5.3.   Partner ensures that remote access to its systems and applications containing Personal Data are governed by appropriate authentication, and that such access is encrypted.

5.4.   Partner employs adequate user authentication protocols to prevent unauthorized individuals from accessing Personal Data, including a reasonably secure method of assigning, selecting, and controlling passwords or identifiers, restricting access only to active user accounts and blocking access to user accounts after multiple unsuccessful attempts to gain access.

6.     Communications and Operations Management

6.1.   Partner ensures databases and repositories, including backup storage, containing Personal Data, and the connections to such databases and repositories, are encrypted using industry best practice encryption levels, and protected from unauthorized access.

6.2.   Partner encrypts Personal Data while in transit over a public network or wireless network or while stored on computing equipment that is connected to the Internet using industry best practice encryption levels.

6.3.   Partner employs up-to-date security software (including malware protections, patches, and antivirus software), which is set to receive the most current security updates on a regular basis.

6.4.   Partner has procedures in place to promptly install all security updates and patches made available by the vendors of any system, software, or equipment used in connection with the Processing of Personal Data.

6.5.   Partner employs up-to-date firewall protection.

6.6.   Partner employs appropriate vulnerability detection and vulnerability and patch management procedures.

6.7.   Appropriate data back-up procedures are in place to ensure back-up is properly performed and backup media will operate in the event of an emergency.

6.8.   Partner employs appropriate deletion procedures and techniques of electronic data.

7.     Business Continuity Management

Partner has Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) in place, which are tested on a regular basis to ensure operational continuity (to the extent necessary and as appropriate to its operations).