Data Protection Addendum

Effective as of June 14, 2023

This Data Protection Addendum is referred to and forms an integral part of, the NextRoll Terms of Service and any applicable Service Addenda between NextRoll, Inc. for and on behalf of itself and NextRoll Limited, (“NextRoll”) and Customer. It is effective upon acceptance of the Terms of Service.

Where Applicable Data Protection Law protects the personal data processed under the Agreement, Customers may enter this Data Protection Addendum (which incorporates the Standard Contractual Clauses): (i) to protect the personal data in accordance with the requirements of Applicable Data Protection Law; (ii) to comply with Applicable Data Protection Laws that require a contract to govern the processor or third party data processing procedures with respect to processing performed on behalf of the controller; and (iii) to provide appropriate safeguards with respect to Restricted Transfers of personal data outside of the European Territories.

This Data Protection Addendum reflects the Parties’ agreement with respect to the terms governing the processing of personal data under the Agreement.

1. DEFINITIONS

In this Data Protection Addendum, the following terms shall have the following meanings:

  • Business”, “consumer”, “contractor”, “controller”, “cross-context behavioral advertising”, “data subject”, “personal data”, “personal information”, “process (processing)”, “sale” (including the terms “sell,” “selling,” “sold,” and other variations thereof), “service provider”, or “third party” shall have the meanings given in the Applicable Data Protection Laws.

  • "Customer CRM Data" means any clear (i.e., plain text, unhashed) email addresses, names, titles, contact history, order history, or other CRM data about End Users that is provided by Customer, obtained through third party integrations with the services, or obtained by NextRoll on Customer’s behalf in connection with the services. Customer CRM Data does not include Service Data or Performance Reports, as set forth in the definitions in NextRoll’s Terms of Service “Terms of Service”.

  • “Customer Personal Data” refers to Personal Data that is contained within the Customer CRM Data and Service Data;

  • "Applicable Data Protection Law" means any then-effective applicable laws, rules, and regulations pertaining to privacy, data processing and use, data protection, data security, or confidentiality, including, without limitation, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); the EU e-Privacy Directive (Directive 2002/58/EC); the California Consumer Privacy Act of 2018, as amended, and any regulations promulgated thereunder (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act and related regulations (“CPA”); the Utah Consumer Privacy Act (“UCPA”); Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”), and any additional US State or Federal Data Privacy Law in effect (together, “US Data Privacy Laws”).

  • "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018;

  • "Service Data" means data that is collected by NextRoll from End Users using Technology on Customer Sites, including any data obtained from third-parties while providing the services. Service Data does not include Customer CRM Data. If Customer opts-in to cross-device or uses the RollWorks ABM services authorizing NextRoll to hash End User email addresses from Customer Sites, such hashed End User email addresses will constitute Service Data. (This is the definition set forth in the Terms of Service that govern the parties agreement).

  • "Standard Contractual Clauses" means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, the United Kingdom Information Commissioner’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force 21 March 2022 ("UK SCCs").

Any other capitalized terms not defined in this Data Protection Addendum shall have the meaning given to them in the Agreement.

2. RELATIONSHIP OF THE PARTIES

Where the Customer is the “controller” under Applicable Data Protection Law , the Customer appoints NextRoll as a processor to process the Customer CRM Data, as further described in Annex I.

Where the Customer is a “business” under Applicable Data Protection Law, Customer makes Customer CRM Data available to NextRoll for the purposes of providing cross-context behavioral advertising to Customer and NextRoll is a Third Party under Applicable Data Protection Law because cross-context behavioral advertising is not a permissible business purpose for a contractor or service provider under Applicable Data Protection Law.

Each party is a data controller as to the data comprising the Service Data, to the extent such Service Data is under its respective custody or control, provided that the foregoing is not intended to alter, modify or limit either party’s (a) obligations with respect to notices, permissions and consents related to such Service Data, as may be further set forth in the Terms of Service, (b) rights to access, use, own or modify such Service Data, as likewise may be set forth in the Terms of Service, or (c) joint controllership obligations that may be imposed by law, such as with regard to obtaining consent for purposes of Applicable Data Protection Law.

3. PROHIBITED DATA

Customer shall not disclose any special categories of personal data (as defined in Applicable Data Protection Law) to NextRoll for processing.

4. PURPOSE LIMITATION

NextRoll shall process Customer CRM Data as a processor for the purposes described in Annex I in order to perform its obligations under the Agreement, in compliance with Applicable Data Protection Law, and strictly in accordance with the documented instructions of Customer (the "Permitted Purpose"), except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Law. In no event shall NextRoll process the Customer CRM Data for its own purposes or those of any third party. NextRoll shall immediately inform Customer if it becomes aware that Customer's processing instructions infringe Applicable Data Protection Law.

5. RESTRICTED TRANSFERS

5.1. The parties agree that when the transfer of Customer Personal Data from Customer to NextRoll is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as set forth in this clause 5.

5.2. In relation to the Service Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:

  • Module One will apply;
  • in Clause 7, the optional docking clause will apply;
  • in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
  • in Clause 18(b), disputes shall be resolved before the courts of Ireland;
  • Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Data Protection Addendum; and
  • Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Data Protection Addendum.

5.3. In relation to the Customer CRM Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:

  • Module Two will apply;
  • in Clause 7, the optional docking clause will apply;
  • in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in clause 8.3 of this Data Protection Addendum;
  • in Clause 11, the optional language will not apply;
  • in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
  • in Clause 18(b), disputes shall be resolved before the courts of Ireland;
  • Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Data Protection Addendum; and
  • Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Data Protection Addendum.

5.4. In relation to Customer CRM Data and Service Data that is protected by the UK GDPR, the UK SCCs will apply and will be deemed executed between the Customer and NextRoll, with the Tables in the UK SCCs completed as follows:

  • Table 1: the Parties’ details shall be the Parties as set forth in Annex I.A to this Data Protection Addendum, and their affiliates to the extent any of them is involved in such a transfer. The Key Contact for each Party shall be the contacts set forth in Annex I.A to this Data Protection Addendum.
  • Table 2: The Approved EU Standard Contractual Clauses referenced in Table 2 shall be the EU SCCs, completed as set out above in clauses 5.2 (for transfers involving Service Data) or 5.3 (for transfers involving Customer CRM Data) of this Data Protection Addendum, depending on the type of data transferred.
  • Table 3: Annexes IA, IB, and II shall be set forth in Annexes I and II to this Data Protection Addendum. Annex III is inapplicable.
  • Table 4: NextRoll may end the UK SCCs as set out in Section 19 of the UK SCCs.

5.5. To the extent that any provision of this Data Protection Addendum or the Agreement contradicts, directly or indirectly, with the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

6. CONFIDENTIALITY OF PROCESSING

NextRoll shall ensure that any person that it authorises to process the Customer Personal Data (including NextRoll's staff, agents and subprocessors) (an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to process the Customer Personal Data who is not under such a duty of confidentiality. NextRoll shall ensure that all Authorised Persons process the Customer Personal Data only as necessary for the Permitted Purpose.

7. SECURITY

NextRoll shall implement appropriate technical and organisational measures to protect the Customer Personal Data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access (a "Security Incident"). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

At a minimum, such measures shall include the measures identified in Annex II.

8. SUBPROCESSING

8.1. This clause 8 applies only with respect to NextRoll’s processing of Customer CRM Data and not to NextRoll’s processing of Service Data.

8.2. Customer consents to NextRoll’s use of the subprocessors identified at the URL https://www.nextroll.com/terms/data-protection/subprocessors ("Subprocessor Page") to process Customer CRM Data..

8.3. Customer consents to NextRoll engaging additional or replacement third party subprocessors to process the Customer CRM Data provided that: (i) NextRoll updates its Subprocessor Page with details of any proposed change in subprocessors at least fourteen 14 days in advance of appointing or replacing a subprocessor (Customer can subscribe to the RSS feed for the Subprocessor Page to be automatically notified of any such changes); (ii) NextRoll imposes data protection terms on any subprocessor it appoints that protect the Customer CRM Data, in substance, to the same standard provided for by this Data Protection Addendum; and (iii) NextRoll remains fully liable for any breach of this clause that is caused by an act, error or omission of its subprocessor.

8.4. If Customer objects to NextRoll’s appointment of an additional or replacement subprocessor on reasonable grounds relating to the protection of the Customer CRM Data, then either NextRoll will not appoint the subprocessor or, if this is not possible, Customer may elect to suspend or terminate the impacted Service (without prejudice to any fees incurred by Customer prior to suspension or termination).

9. ASSISTANCE TO CUSTOMER

9.1. NextRoll shall assist Customer in meeting Customer’s obligations under Applicable Data Protection Law, to the extent required by such Applicable Data Protection Law.

9.2. If NextRoll believes or becomes aware that its processing of Customer CRM Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform Customer and NextRoll shall provide Customer with all such reasonable and timely assistance as Customer may require in order to conduct a data protection impact assessment in accordance with Applicable Data Protection Law including, if necessary, to assist Customer to consult with its relevant data protection authority.

9.3. Data Subject Requests.

  • With regard to Customer CRM Data, NextRoll shall provide all reasonable and timely assistance to Customer to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) in connection with Customer CRM Data; and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer CRM Data. In the event that any such request, correspondence, enquiry or complaint is made directly to NextRoll, NextRoll shall promptly inform Customer providing full details of the same.
  • With regard to Service Data, NextRoll shall respond to requests by data subjects as provided under Applicable Data Protection Law, and where relevant, Customer shall provide assistance to NextRoll in connection with such response.

10. SECURITY INCIDENTS

Upon becoming aware of a confirmed Security Incident, NextRoll shall inform Customer without undue delay and shall provide all such timely information and cooperation as Customer may require in order for Customer to fulfill its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. NextRoll shall further take all such measures and actions as are necessary to remedy or mitigate the effects of a confirmed Security Incident and shall keep Customer informed of all developments in connection with the confirmed Security Incident.

11. DELETION OR RETURN OF DATA

Upon termination or expiry of the Agreement, NextRoll shall destroy all Customer CRM Data (including all copies of the Customer CRM Data) in its possession or control (including any Customer CRM Data subcontracted to a third party for processing) at the Customer’s request or in accordance with the NextRoll’s data retention policy set out at https://www.nextroll.com/privacy. This requirement shall not apply to the extent that NextRoll is required by any applicable law to retain some or all of the Customer CRM Data, in which event NextRoll shall isolate and protect the Customer CRM Data from any further processing except to the extent required by such law until deletion is possible.

NextRoll may retain Service Data in accordance with its retention and deletion policies.

12. AUDIT

12.1. With respect to NextRoll’s processing of Service Data, NextRoll shall make available to Customer upon request documentation sufficient to demonstrate NextRoll’s compliance with this Data Protection Addendum and/or Applicable Data Protection Law.

12.2. With respect to NextRoll’s processing of Customer CRM Data, NextRoll shall permit Customer (or its appointed third party auditors) to audit NextRoll's compliance with this Data Protection Addendum, and shall make available to Customer all information, systems and staff necessary for Customer (or its third party auditors) to conduct such audit. NextRoll acknowledges that Customer (or its third party auditors) may enter premises owned or controlled by NextRoll only for the purposes of conducting this audit, provided that Customer gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to NextRoll’s operations. Customer will not exercise its audit rights (including submitting written audit questions to NextRoll) more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) Customer believes a further audit is necessary due to a confirmed Security Incident suffered by NextRoll. Customer shall be solely responsible for the costs of any such audit, and NextRoll shall be permitted to charge Customer for the support it provides in connection with any such audit at its then-current professional services day rates.

12.3. Customer acknowledges that NextRoll is regularly audited against SOC 2 standards by independent third auditors. Upon request, NextRoll shall supply a summary copy of its audit report(s) to Customer, which reports shall be subject to the confidentiality provisions of the Agreement.

12.4. The Customer agrees that, if and to the extent that it elects to conduct an audit with respect to NextRoll’s processing of Customer CRM Data under Clause 8.9 of Module 2 of the Standard Contractual Clauses, such audit shall be conducted in accordance with the requirements of this Clause 13.2 - 13.4.

13. ADHERENCE TO APPLICABLE LAW

13.1. NextRoll will comply with all Applicable Data Protection Law, including but not limited to providing the same level of privacy protection for Customer CRM Data as is required of a business under US Data Privacy Laws.

13.2. Customer in turn shall ensure that it has provided legally sufficient notice of the manner in which the Service Data will be collected, used and provided to NextRoll.

14. ASSURANCES, REMEDIATION AND NOTICE

14.1. Customer has the right to take reasonable and appropriate steps to ensure that NextRoll uses Customer CRM Data in a manner consistent with Customer’s obligations under Applicable Data Protection Laws.

14.2. Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer CRM Data made available to NextRoll.

14.3. NextRoll will notify Customer after it makes a determination that it can no longer meet its obligations under Applicable Data Protection Laws.

ANNEX I

DATA PROCESSING DESCRIPTION

This Annex I forms part of the Data Protection Addendum and describes the processing that NextRoll will perform on behalf of the Customer.

A. List of parties

Customer(s) / Data exporter(s):

Name:
The Customer that has entered the Agreement with NextRoll.
Address:
The address that the Customer provided when registering to use NextRoll's digital marketing platform.
Contact person’s name, position and contact details:
The contact details that the Customer provided when registering to use NextRoll's digital marketing platform.
Activities relevant to the data transferred under these Clauses:
The receipt of digital marketing services provided by NextRoll pursuant to the Agreement.
Signature and date:
This Data Protection Addendum (including Standard Contractual Clauses) shall be deemed executed upon the Customer's acceptance of the Agreement.
Role (controller/processor):
Controller or Business (for Customer CRM Data)
Controller or Business (for Service Data)

NextRoll(s) / Data importer(s)

Name:
NextRoll, Inc.
Address:
2300 Harrison Street, FL 2, San Francisco, CA 94110
Contact person’s name, position and contact details:
NextRoll Privacy Team: privacy@nextroll.com
Activities relevant to the data transferred under these Clauses:
The provision of digital marketing services to the Customer pursuant to the Agreement.
Signature and date:
This Data Protection Addendum (including Standard Contractual Clauses) shall be deemed executed upon the Customer's acceptance of the Agreement.
Role (controller/processor):
Processor or Third Party (for Customer CRM Data)
Controller (for Service Data)

В. Description of transfer

Categories of data subjects whose personal data is transferred:
  • Data subjects who are prospective and existing customers of the Customer ("Customer Data Subjects")
  • Data subjects who are employees or staff members of the Customer ("Employee Data Subjects")
  • Data subjects who view Customer websites where NextRoll pixel is placed (“Customer End Users”)
Categories of personal data transferred:
  • Customer CRM Data: contact information and any other affiliated contact information (e.g,. email address, name, address, phone number, company name, job title) about Customer Data Subjects that is provided by Customer (as data exporter) to NextRoll (as data importer), obtained through third party integrations with the services Customer allows, or obtained by NextRoll on Customer’s behalf in connection with the services.
  • Customer Employee Data: email address and IP address of Customer employee’s are transferred if and when an Employee conducts logged in activity on NextRoll’s digital marketing platform dashboard.
  • End User Data: device and browsing behavior information on Customers’ sites collected by the NextRoll pixel (e.g., cookies, device information, IP address, non-precise location data, browser data, ad pixel data) and, if permitted by Customer, hashed email addresses as entered on the Customer Site by the Customer End Users (together, “Service Data”).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
  • None.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):
  • Continuous basis for the duration of the Agreement.
Nature of the processing:
  • The provision of digital marketing services pursuant to the Agreement.
Specific and Limited purpose(s) of the data transfer and further processing:

The digital marketing services provided by NextRoll will include processing of Customer CRM Data on behalf of the Customer for the following purposes:

  • Sending emails to Customer Data Subjects at the request of Customer.
  • Matching Customer Data Subjects' personal data (hashed emails) with NextRoll Service Data and third party advertising partners’ online data in order to recognise Customer Data Subjects when they visit third party publisher websites in order to bid on, and serve them, targeted advertising on behalf of the Customer, and to supplement Customer’s CRM Data with identified browsing behavior on Customers’ sites and interactions with Customers’ direct marketing where Customer has permission under Applicable Data Protection Law.
  • Measuring the performance of email and online advertising campaigns served to Customer Data Subjects for the purpose of providing the information to Customer.
  • Using emails belonging to Customer Employee Data Subjects as login details to access NextRoll’s digital marketing platform dashboard.
  • Recording the IP address of Customer Employee Data Subjects when logged into NextRoll’s digital marketing platform dashboard.

The digital marketing services provided by NextRoll will include processing of Service Data, where NextRoll and Customer are each data controllers to the extent such Service Data is under the Customer or NextRoll’s respective custody or control.

Service Data may be processed in NextRoll’s capacity as a data controller to provide and improve its services for all customers, including for ad targeting, reporting, measurement, analytics, insights, creating Performance Reporting for Customer, and ad selection.

The IP Addresses contained in Service Data are processed to identify the accurate company or domain associated or assigned to the IP Address and improve services to all customers.

Where hashed email addresses are contained in Service Data, these hashed email addresses are combined with cookie identifiers in order to recognise Customer Data Subjects when they visit third party publisher websites in order to bid on, and serve them, targeted advertising on behalf of the Customer, and to supplement Customer’s CRM Data with identified browsing behavior on Customers’ sites and interactions with Customers’ direct marketing where Customer has permission under Applicable Data Protection Law.

Service Data is not made available or otherwise disclosed to any party or among Customers, unless such party is (i) a sub-contractor processing Service Data for fraud prevention or the detection of technical bugs; or (ii) an independent co-controller of cookie identifiers used to cookie-match for the purpose of serving ads online or in-app through NextRoll’s ad inventory supply partners.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
  • If either Customer or NextRoll explicitly terminates the NextRoll services in accordance with the Agreement, NextRoll will delete Customer CRM Data within 90 days from the termination date.
  • If a Customer’s account has been suspended for 90 days or more, the Customer CRM Data will be deleted.
  • When a Customer has not logged in to their NextRoll account in the past 365 days and there has been no product usage in the past 30 days and no media spend has occurred in the past 30 days, the Customer CRM Data will be deleted when the 366th day of no login activity occurs for the account.
  • As a data controller for Service Data, NextRoll will retain Service Data in accordance with its data retention policies identified in Section 9 of the NextRoll Privacy Notice.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
The subject matter, nature and duration of the processing is as specified above and in the Agreement.

C. Competent supervisory authority

Identify the competent supervisory authority/ies
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses.

ANNEX II

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

 
Measure
Description
1
Measures of pseudonymisation and encryption of personal data

In the design process, NextRoll aims to minimize the collection and use of Customer Personal Data whenever possible.

Where Customer Personal Data is used it will be pseudonymised using aggregation, de-identification or hashing unless the raw data is required for a legitimate business purpose. If the actual data is required it will be encrypted using current encryption standards.

2
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
See item 4 below.
3
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

NextRoll’s systems are designed to be highly available and take advantage of scalable and distributed architectures spanning multiple geographic locations in AWS.

NextRoll maintains system monitoring and a 24/7 operations center to deal with operational issues.

NextRoll has created and regularly tests disaster recovery plans. These plans include specifics of how to recover the services and have specified recovery point and time objectives as well as specific response and reporting processes for incidents that involve personal data.

4
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

NextRoll conducts an SOC 2 Type 2 audit annually.

NextRoll maintains a continuous compliance program where security controls and processes are automatically monitored, and anomalies are reported for remediation.

Additionally, NextRoll conducts vulnerability scanning, maintains an ongoing bug bounty program and conducts a penetration test using a third party every six months. Technologies such as cloud security posture management (CSPM) and asset management (CMDB) continuously perform asset discovery, assess their posture, and prioritise the findings based on the risk they pose.

5
Measures for user identification and authorisation

For each of the AdRoll and RollWorks applications, NextRoll maintains a central authentication and authorization service that supports single sign on (SSO) and multifactor authentication (MFA). Access controls are enforced based on the role the user was assigned in the application realm.

For NextRoll’s business applications including remote access, NextRoll uses a third party SaaS SSO solution which mandates MFA for all NextRoll users. Role-based access controls (RBAC) are also in place.

6
Measures for the protection of data during transmission
All connections across public networks to NextRoll’s customer-facing services are encrypted using TLS 1.2 or above with an approved set of cryptographic algorithms. CSPM technology allows continuous monitoring of enforcement and reports deviations.
7
Measures for the protection of data during storage
Customer Personal Data is encrypted using contemporary encryption standards as defined by NextRoll’s cryptographic standards. CSPM technology allows continuous monitoring of enforcement and reports deviations. Access to datastores is role based, limited to approved use cases and reviewed regularly.
8
Measures for ensuring physical security of locations at which personal data are processed
NextRoll’s data processing is hosted by AWS. As a result, the physical security is provided as part of this service by that supplier.
9
Measures for ensuring events logging

NextRoll’s applications, systems and network services create detailed logging including but not limited to: login success and failure, user creation, permissions change, data access, fraudulent transactions, and attempted attacks.

Events are forwarded to a central write only repository and are analysed to identify potential security issues. The security information and event management solution (SIEM) normalises the logs and applies threat intelligence to identify indicators of compromise (IoC).

NextRoll maintains a number of security products that provide specific security alerting based on conditional and anomaly monitoring rules. These are provided and continuously updated by vendors, together with internally developed rules.

10
Measures for ensuring system configuration, including default configuration

NextRoll stores and deploys standard system configurations. These images are scanned using tools that determine that the systems are configured using recommended best practices and do not contain serious vulnerabilities.

File integrity monitoring (FIM) capability is in place and reports changes to the CSPM. Together with the CMDB solution, NextRoll is able to identify deviations of standard configurations.

11
Measures for internal IT and IT security governance and management

NextRoll has a holistic security program that manages risk posed by users, data, systems and vendors through the entire lifecycle. This includes the following:

  • Users are created with permissions appropriate to their role, sign up to confidentiality agreements and are trained on security and privacy policies and best practices. User access is tied to employment status so accounts and rights are revoked automatically on termination
  • Users are required to utilize MFA and secure remote access technologies to access resources with a zero-trust approach.
  • Devices have standardized controls and builds.
  • Devices are protected against malware by a corporate solution that is centrally managed and integrated in the continuous security monitoring capabilities.
  • Non-corporate devices (BYOD) have conditional access to resources based on the zero-trust architecture depending on the risk score they pose, and the minimum risk score needed to access resources.
  • Vendors are vetted to ensure that they do not create unacceptable risks.
  • A corporate endpoint security standard is maintained and specifies the minimum version of critical software. Systems are updated regularly.
  • Permissions are reviewed and removed on a regular basis.
  • Systems are wiped at the end of their lifespan.
12
Measures for certification/assurance of processes and products

NextRoll bases its security program on NIST CSF and uses this to report status to the security and compliance committee.

NextRoll both audits its own processes and products and conducts an annual SOC 2 Type 2 audit using an external auditor.

CSPM and CMDB technologies also provide benchmarks based on best practices and recognized security frameworks.

13
Measures for ensuring data minimisation
NextRoll implements data minimization as a standard during its design process. All new uses of Customer Personal Data are reviewed and approved based on this requirement.
14
Measures for ensuring data quality
NextRoll processes Customer Personal Data provided to it by the Customer. As such, the Customer is responsible for ensuring the accuracy of its Customer Data.
15
Measures for ensuring limited data retention
NextRoll has instituted data retention policies based on the types of data collected that are automatically enforced using Time to Live (TTL) settings on the datastores.
16
Measures for ensuring accountability
NextRoll has a governance structure in place which includes a number of accountability measures including the appointment of a Data Protection Officer (details listed in our Privacy Notice: https://www.nextroll.com/privacy), implementation of privacy by design which involves conducting data privacy impact assessments as required, and a Security and Compliance Committee.
17
Measures for allowing data portability and ensuring erasure
NextRoll has an automated process for deleting Customer Personal Data on request within the timeframe required by Applicable Data Protection Law and enables the Customer Personal Data to be downloaded to provide to alternative service providers.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the Customer (and, for transfers from a processor to a sub-processor, to the data exporter).

Measure
Description
Self-serve data protection measures
NextRoll's digital marketing platform and privacy requests webpage (https://nextroll-privacy.relyance.ai) enables Customer to access, correct or delete Customer Personal Data as necessary to fulfill any data protection requests from data subjects.