FAQ for Tealium’s Customer Protection Package (“CPP”)
FAQ for Tealium’s Customer Protection Package (“CPP”)
Thank you for taking the time to review this FAQ. It was designed to provide you with helpful information about Tealium’s Customer Protection Package (“CPP”) which are the documents that describe the protections and commitments that Tealium offers all its Customers as part of the Master Services Agreement, or MSA. We hope this FAQ will provide you with some helpful context as you review the CPP. This FAQ is provided for informational purposes only and will not form part of the contract being contemplated between the parties. Note, all liability issues for the DSS and DPA are addressed in the TOS.
What is the structure of the CPP?
Our CPP is made up of four documents:
The Service Level Agreement (“SLA”) contains our commitment to availability across all our Services, your remedies in the unlikely event we do not meet our commitment, and how we address support issues.
The Acceptable Use Policy (“AUP”) contains standard guidelines for your use of the Services, which really boil down to not being a bad actor on the internet.
The Data Security Statement (“DSS”) contains our formalization of our organizational and technical security measures designed to protect your data.
The Data Processing Agreement (“DPA”) reflects our data processing policies in compliance with applicable privacy laws and regulations.
Our SLA is first-in-class in our industry, providing for 99.9% availability across all our Services. Tealium also provides a website for our Customers to subscribe to that will provide real-time status, as well as notifications for maintenance and emergency outages. We provide remedies in the unlikely event that we miss this availability, as well as a termination right for chronic outages. The SLA also includes information about how we address any support issue that might arise, and how to contact us in an emergency.
Since our SLA is being provided across all our products, and we are delivering a multi-tenant SaaS service, we are unable to alter our SLA for one Customer. We are confident that our SLA will more than address all our Customer’s issues.
Our AUP is a pass-through policy from Amazon Web Services (“AWS”), and contains restrictions on how people should use our Services over the internet, including related to SPAM, pornography and phishing. We are required to have all Customers agree to this policy as the Services rely on the AWS infrastructure.
Since our AUP is a pass-through policy, we are unable to agree to any modifications.
The DSS addresses all electronic data and information submitted by or for you to the Services, including enhancement and output derived from your use of the Services, which we call “Customer Data”. Our DSS reflects our security program for Customer Data, which applies to all of our customers equally. Please bear in mind that we do not access Customer Data unless you grant us access for a particular purpose (e.g., a support request). If you choose to grant us access, you control the access permissions and can terminate our access at any time.
There are specific reasons why we must use our DSS instead of using the data security documentation of customers.
- The Services are provided to our customers using a “one-for-all” model, meaning the same Services are provided to all of our customers. We do not offer a “customized” service offering that would allow us to treat one customer (or its data), differently from other customers. Even our ancillary services (such as deployment or support) are provided in a uniform manner across our customer base.
- Tealium has no visibility into the content of Customer Data, including whether or not it is pseudonymized, personal or sensitive, the particular manner in which you store or structure that Customer Data in your account, to whom the data relates, the purposes for which you process the data, the scope/volume of your processing, third parties you transmit the data to, and whether (or the degree to which) the particular data and/or processing poses risks to data subjects. As a result, we also will not have visibility necessary to determine which portions of the data may be subject to industry-specific or country-specific regulations.
- All customers benefit uniformly from Tealium’s rigorous security controls. Because the same Service is provided to all customers, you benefit from a set of shared technical and organizational security measures. Services provided in our private cloud environment have enhanced technical and organizational security measures such as an attestation of compliance with the US HIPAA regulations.
Since our DSS is being provided uniformly across all our products and customers, we are unable to alter our DSS for one Customer. We are confident that our DSS will more than address all our Customer’s security issues. Note that while there is no customized offering, you are able to select the particular geographic hosting location(s) for your account, as further defined in the MSA.
The Data Processing Addendum (“DPA”)
The DPA covers all personal data (a subset of Customer Data) you upload to our Services. Our DPA reflects our privacy program for personal data we process in the Services and addresses certain obligations each respective party has under applicable data protection laws. Our DPA also addresses additional requirements of the European Union’s Regulation 2016/679 (“GDPR”), the Australian Privacy Act 1988 (Cth.), and the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. as amended (“CCPA”). We use our DPA instead of using our customers’ data processing agreements for the same reasons that we use our DSS as stated above.
We drafted our DPA specifically to satisfy the requirements of applicable data protection laws, including those of Articles 28(3) and 46 of the GDPR. Because we do not have access or visibility to your Customer Data, you play an important role in how some of the requirements of GDPR are satisfied. For example, we are transparent about the comprehensive technical and organizational measures we implement, including the many audits and certifications we undergo and make available to you, but ultimately you play an indispensable role in determining whether the Services are appropriate for your specific use case and whether or not our Services meet requirements applicable to your particular personal data.
Since our DPA is being provided uniformly across all our products and customers, we are unable to alter our DPA for one Customer. We are confident that our DPA will more than address all our Customer’s privacy issues, including addressing compliance under applicable laws. Similarly, we rely on you to let us know if you believe you are in scope for the GDPR in terms of the data transfers from EU and we can provide supplementary terms for those transfers such as the European Standard Contractual Clauses.
Service Level Agreement (SLA)
This Service Level Agreement (“SLA”) is incorporated into, and made a part of, the Master Services Agreement (“MSA”), Terms of Service or Service Order between Tealium Inc. and Customer that references this SLA, and constitutes a part of the MSA between Tealium and Customer (as identified in such Service Order).
1. Definitions. The following defined terms are used in this SLA Addendum:
“Available” or “Availability” means the Services are in an operable state, and the Service can be accessed through programmatic access (APIs, tags, HTTP requests/responses) or user interface access as applicable to the particular Service. Solely for Delivery Network performance, “Available” means Delivery Network servers are responding to requests for libraries.
“Force Majeure” means any cause beyond such Party’s reasonable control, including but not limited to the weather, unavailability of utilities or communications services (including access to the Internet), civil disturbances, acts of civil or military authorities, or acts of God.
“Incident” means a P1, P2 or P3 problem with the Services.
“Monthly Subscription Amount” means the contracted amount for the Services for the Service Term, divided by the number of months in the Service Term (excluding fees for implementation, managed, and professional services and Additional Usage Fees).
“Monthly Uptime Percentage” means the percentage of time within a given calendar month the Services are Available. “Available” or “Availability” means the Services are in an operable state, and the Services can be accessed through programmatic access (APIs, tags, HTTP requests/responses) or user interface access as applicable to the particular Services. Solely for Delivery Network performance, “Available” means Delivery Network servers are responding to requests for Libraries.
“Priority 1” or “P1” Incident means a critical defect in which the Services has a devastating impact on Customer’s Digital Property. For example, the Digital Property is not rendering due to the Tealium tag, deployed Libraries are not being delivered by the Delivery Network directly causing business critical content to not display, the Services have widespread outages or are otherwise inaccessible, and the deployment has been “rolled back” to a previously published (and previously working) version which did not resolve the issue. Failure impacts Customer’s ability to collect or retrieve Customer Data.
“Priority 2” or “P2” Incident means a material defect in which the Services are functioning but Customer is unable to use a material portion of the Services. For example, the Delivery Network is continuing to deliver Libraries but the Service’s publish capability is unavailable, and a material component is unavailable or malfunctioning with no workaround available.
“Priority 3” or “P3” Incident means a minor defect in which the Services are functioning, however there is a non-critical error or bug that causes one or more non-critical functions of the Services not to work as intended. For example, a bug within an extension or tag that may be resolved using a workaround.
“Response Time” means the amount of time between Tealium’s learning of an Incident or Customer’s notification to Tealium of an Incident, and Tealium acknowledging notification of the Incident and assigning resources to commence resolution of the Incident.
“Service Credit” means a credit, calculated as set forth below, that Tealium may credit towards future invoices to Customer.
2. Service Uptime Commitment. Tealium will use commercially reasonable efforts to make the Services available with a Monthly Uptime Percentage of at least 99.9% during any month (the “Service Commitment”). In the event the Services do not meet the Service Commitment, Customer will be eligible to receive a Service Credit as described below.
3. Service Credits. Service Credits are calculated as a percentage of the Monthly Subscription Amount for the specific Service for the month in which the Service Commitment for a particular Service was not met in accordance with the schedule below. Tealium will apply any Service Credits only against future payments. If Customer has prepaid in full for all Services under the MSA, in the event the MSA expires and is not renewed, Customer will be entitled to a refund of the Service Credit amount upon written request to Tealium. Customer’s sole and exclusive remedy for any failure of the Services to meet the Service Commitment is the receipt of a Service Credit in accordance with the terms of this SLA. Service Credits may not be transferred or applied to any other Customer account.
If the Monthly Uptime Percentage is less than 99.9% but equal to or greater than 99%, then the Service Credit will equal 10% of the Monthly Subscription Amount.
If the Monthly Uptime Percentage is less than 99%, then the Service Credit will equal 20% of the Monthly Subscription Amount.
4. Credit Request and Payment Procedures. To receive a Service Credit, Customer must submit a request by sending an e-mail message to [email protected] To be eligible, the credit request must (a) include a reasonably detailed list of the instances of unavailability that together evidence Tealium’s failure to meet Service Commitment in a given month; (b) include, in the body of the e-mail, the dates and times of each incident that Customer claims to have experienced; (c) include Customer’s additional information (e.g. server request logs) that document and enable Tealium to corroborate Customer’s claimed outage (any confidential or sensitive information in these logs should be removed or replaced with asterisks); and (d) be received by Tealium within ten (10) business days after the end of the month in which the Service Commitment was not met. In order for Credit to be awarded, Tealium must be able to independently verify the instances of unavailability reported by Customer pursuant to this Section 4.
5. SLA Exclusions. The Service Commitment does not apply to any Services unavailability or other performance issues: (a) caused by factors outside of Tealium’s reasonable control, including any Force Majeure event or Internet access or related problems beyond the demarcation point of Tealium’s network or the Delivery Network; (b) that result from any actions or inactions of Customer or any third party; (c) that result from Customer’s equipment, software or other technology or third party equipment, software or other technology (other than third party equipment within Tealium’s direct control); (d) arising from the suspension and termination of Customer’s right to use a Service in accordance with the MSA; or (e) arising from scheduled downtime for system or network maintenance.
6. Chronic Outage Termination Right. In addition to the Service Credit remedies described in Section 3 above, if the monthly Uptime Percentage is less than 97% for (two) (2) consecutive months or any four (4) months in a rolling twelve (12) month period then Customer will have the right to terminate the Service Order for the adversely affected Services and receive a refund of any amounts paid in advance attributable to periods after the effective date of termination. In order for such termination to be effective, written notice of such termination must be received by Tealium with thirty (30) days following the month in which the right to termination arose.
7. Tealium Technical Response Time and Resolution Time Objectives. Tealium will respond to Incidents and undertake resolution of Incidents in accordance with the following:
P1 Severity Level – Tealium Response Time is two (2) hours. Tealium will have assigned resources working twenty-four by seven (around the clock work) to resolve the Incident, and will provide resolution status updates every four (4) hours.
P2 Severity Level – Tealium Response Time is four (4) hours. Tealium will have assigned resources working, at least, full-time during normal business hours to resolve the Incident, and will provide resolution status updates every business day.
P3 Severity Level – Tealium Response Time is one (1) business day. Tealium will have resources working during normal business hours to resolve the Incident, and will have resolution status updates available via Customers assigned Account Manager.
Increasing Severity Level. Incidents may be raised one level of severity at the discretion of the Account Manager based on the severity of impact on Customer.
Decreasing Severity Level. Incidents may be downgraded by Tealium for any of the following reasons:
(a) The issue is not reproducible, and is no longer impacting Customer.
(b) Analysis by Customer or by Tealium determines that the severity of the issue is low enough to warrant the downgrade.
(c) A suitable workaround is provided, whether temporary or permanent, which reduces the impact of the issue to that of a lower severity category.
(d) Tealium determines Customer is not providing the required cooperation and access necessary to enable resolution of the issue.
Root Cause Analysis (“RCA”). Tealium will perform an internal RCA for P1 Incidents within 48 hours of a P1 Incident being detected, and will be available upon request by Customer within five (5) days after resolution of the Incident.
Non-Tealium Products; Connectors. Upon notification that there is a Connector failure, either from Tealium’s receipt of error messages from the Connectors, or from Customer, Tealium will commence investigating such Connector failure within five (5) business days. Where Tealium has created the Connector, Tealium will make commercially reasonable efforts to work with the third-party provider of the Connector to remedy the Connector failure and to implement any solution or patch provided by the third-party provider in a reasonably timely manner. Any issues under this Section are specifically excluded from the Availability.
8. Customer Success Support Services. Tealium provides support services 24 hours a day, 7 days a week (24×7) for P1 Incidents, full-time assigned resources for P2 Incidents during normal business hours. P3 and other support services are available during Tealium’s normal business hours: Monday – Friday, 8:00am – 6:00pm local time (excluding holidays). Tealium’s offices are located in San Diego, CA (PST) and Reading, UK (GMT). Tealium’s support hotline is +1.877.443.5276. The Customer Success support team may also be reached through Tealium’s support portal at https://support.tealiumiq.com/. Further information about support services for a particular Service may be provided in the Service Order.
9. Tealium Team. Tealium will, throughout the Term of each Service Order, designate one or more employee(s) whose role is to liaise with the Customer and ensure successful implementation and operation of the Services. During the initial deployment of the Services, Customer will have a team assigned as described in an SOW. The Account Manager will be the main point of contact after deployment, and will partner with Customer and act as advisor on both tactical and strategic matters to help ensure Customer is seeing the benefit of the Services and help ensure mutual collaboration. The Account Manager will also advise on recommended training opportunities and act as a point of escalation when needed for technical assistance.
10. System Health Monitoring. Tealium provides, and Customer has access to, the Tealium Health and Status Dashboard available at https://status.tealium.com. Tealium will provide Customer the proper API interfaces to establish direct access into Heath and Status dashboard. This dashboard uses a “green”, “yellow”, and “red” system. Green is used to indicate the system is functioning as desired. Red is used to convey that an area of the Tealium system is being significantly impacted. Yellow is used to convey that a degradation of Services is occurring, but the issue has not been identified as causing a Service outage. Yellow is also used to indicate that a previously red status has been corrected, and is being monitored for continued stability. Planned maintenances are provided with 10-days advance notice. Emergency maintenances are posted as well, with as much advance notice as can be afforded based on the nature of the needed change. Emergency change notifications will follow the incident process.
11. Subscribing. Customer may use the Health and Status Dashboard directly, and may also subscribe to receive email notifications. Email notifications are sent for every posted change, status update, or newly scheduled maintenance window. These emails contain the same information as that available on the dashboard.
12. Business Continuity and Disaster Recovery. Throughout the Service Term Tealium will maintain a commercially reasonable and industry standard business continuity and disaster recovery plan designed, implemented and tested to guard the Tealium systems against performance failures and to return the Tealium systems to full functionality as soon as reasonably practicable in the event of performance failures including, without limitation, those arising from an event of Force Majeure.
Tealium Acceptable Use Policy “AUP”
This Acceptable Use Policy (“AUP”) is incorporated into, and made a part of, the Master Services Agreement (MSA), Terms of Service or Service Order that references this AUP Addendum, and constitutes a part of the MSA between Tealium and Customer.
Acceptable Use Policy (this “Policy“) describes prohibited uses of the Services. The examples described in this Policy are not exhaustive. If you violate the Policy or authorize or help others to do so, Tealium may suspend or terminate your use of the Services.
1. No Illegal, Harmful, or Offensive Use or Content
You may not use, or encourage, promote, facilitate or instruct others to use, the Services for any illegal, harmful or offensive use, or to transmit, store, display, distribute or otherwise make available content that is illegal, harmful, or offensive. Prohibited activities or content include:
Illegal Activities. Any illegal activities, including collecting or processing PII without necessary consents, advertising, transmitting, or otherwise making available illegal gambling sites or services or disseminating, promoting or facilitating child pornography.
Harmful or Fraudulent Activities. Activities that may be harmful to others, our operations or reputation, including offering or disseminating fraudulent goods, services, schemes, or promotions (e.g., make-money-fast schemes, ponzi, and pyramid schemes, phishing, or pharming), or engaging in other deceptive practices.
Infringing Content. Content that infringes or misappropriates the intellectual property or proprietary rights of others.
Offensive Content. Content that is defamatory, obscene, abusive, invasive of privacy, or otherwise objectionable, including content that constitutes child pornography, relates to bestiality, or depicts non-consensual sex acts.
Harmful Content. Content or other computer technology that may damage, interfere with, surreptitiously intercept, or expropriate any system, program, or data, including viruses, Trojan horses, worms, time bombs, or cancelbots or other harmful or Malicious Code.
2. No Security Violations
You may not use the Services to violate the security or integrity of any network, computer or communications system, software application, or network or computing device (each, a “System“). Prohibited activities include:
Unauthorized Access. Accessing or using any System without permission.
Interception. Monitoring of data or traffic on a System without permission.
3. No Network Abuse
You may not make network connections to any users, hosts, or networks unless you have permission to communicate with them. Prohibited activities include:
Monitoring or Crawling. Monitoring or crawling of a System that impairs or disrupts the System being monitored or crawled.
Intentional Interference. Interfering with the proper functioning of any System, including any deliberate attempt to overload a system by mail bombing, news bombing, broadcast attacks, or flooding techniques.
Avoiding System Restrictions. Using manual or electronic means to avoid any use limitations placed on a System, such as access and storage restrictions.
4. No E-Mail or Other Message Abuse
You will not use the Services or any System to facilitate the distribution, publishing, or sending of unsolicited mass e-mail or other messages, promotions, advertising, or solicitations (e.g. “spam”), in violation of any law or regulation.
5. Our Monitoring and Enforcement
We reserve the right, but do not assume the obligation, to investigate any violation of this Policy or misuse of the Services. We may: (i) Investigate violations of this Policy or misuse of the Services; or (ii) remove, disable access to, or modify any content or resource that violates this Policy or any other agreement we have with you for use of the Services.
We may report any activity that we suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. Our reporting may include disclosing appropriate customer information and Customer Data. We also may cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this Policy.
6. Reporting of Violations of this Policy
If you become aware of any violation of this Policy, you will immediately notify us and provide us with assistance, as requested, to stop or remedy the violation. To report any violation of this Policy, please contact us at [email protected]
DATA SECURITY STATEMENT (DSS)
This Data Security Statement (“DSS”) is incorporated into, and made a part of, the MSA between Tealium and Customer.
1.2 Tealium will implement and maintain logical and physical security procedures with respect to its access, use, and possession of Customer Data (“Processes”) that are designed to provide appropriate technical and organizational safeguards against accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access of Customer Data at least equal to Industry Standards, but which in no event are less protective than the specific requirements of this DSS. Tealium will regularly re-evaluate and modify its security standards as Industry Standards evolve, new technologies emerge or new threats are identified. Unless otherwise agreed, all Customer Data Processing shall be in a multi-tenant environment with logical segmentation controls.
1.3 Tealium’s data centers are owned and operated by Amazon Web Services Inc. (“AWS”). Details of AWS’ security standards and programs are available at https://aws.amazon.com/security/.
“Computing Equipment” means desktop, laptop or notebook computers, mobile devices (e.g. cell phones or tablets) and any other devices used for computing functions.
“Dynamic Application Security Testing” or “DAST” means a security test of an application designed to detect conditions indicative of a security vulnerability in an application as it runs in a production environment, or in a test environment representative of the production environment in which such application will run.
“Encryption” means the process of using an algorithm to transform data into coded information in order to protect the confidentiality of the data.
“Firewall” means an integrated collection of security measures used to prevent unauthorized electronic access to the Tealium Network.
“Industry Standards” means customs and practices followed by, and representing the degree of skill, care, prudence and foresight expected from, leading providers of the types of services that are the subject matter of the MSA.
“Intrusion Detection System” or “IDS” means a method or system of reviewing system logs and processes in near real-time and escalating identified patterns of behavior that indicate an intrusion is occurring or is likely to occur soon without unreasonable delay.
“Least Privilege” means that, every module in a particular computing environment (such as a process, a user or a program) may only access the information and resources that are necessary for its legitimate purpose.
“Malicious Code” means any back door, virus, Trojan horse, worm or other software routines or equipment components) that are designed to disrupt, modify, delete, or otherwise harm software, equipment or data, to impede the operation of systems.
“Manual Penetration Testing” or “PenTest” means a manual security test of an application, executed by a combination of automated tools, a qualified tester or qualified third-party.
“Multifactor Authentication” means authentication using at least two (2) of the following factors: “Something you know” such as a password, “Something you have” such as a token, or “Something you are” such as a biometric reading.
“Processing” or “Process” means any operation or set of operations which is performed on Customer Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Removable Media” means portable or removable hard disks, floppy disks, USB memory drives, zip disks, optical disks, CDs, DVDs, digital film, memory cards (e.g., Secure Digital (SD), Memory Sticks (MS), CompactFlash (CF), SmartMedia (SM), MultiMediaCard (MMC), and xD-Picture Card (xD)), and magnetic tape.
“Secure Software Development Lifecycle Methodology” or “SDLC” means a documented process for planning, creating, testing, and deploying an information system that requires information security engagement, particularly with respect to the design, test, and deployment stages.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data, but does not include any Unsuccessful Security Incident.
“Separation of Duties” means dividing roles and responsibilities so that a single individual cannot subvert the security controls of a critical process
“Static Application Security Test” or “SAST” means a security test of an application’s source code designed to detect conditions indicative of a security vulnerability in an application’s code.
“Tealium Facilities” or “Facilities” means all locations where Tealium personnel work and use Tealium Network and/or where Customer Data is Processed.
“Tealium Network” means the data center facilities, servers, networking equipment, and host software systems (e.g., virtual firewalls) that are within the control of Tealium or its sub-processors and are used to provide the Services.
“Threat Model” means a process by which potential threats can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view. The purpose of threat modeling is to provide defenders with a systematic analysis of the probable attacker’s profile, the most likely attack vectors, and the assets most desired by an attacker.
“Unsuccessful Security Incident” means an unsuccessful attempt or activity that does not compromise the security of Customer Data, including (without limitation) pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.
“Root Cause Analysis” means a principle-based, systems approach for the identification of the underlying causes associated with a security event, including a Security Incident. Incident Management and Security Incident Notification.
3. Incident Management and Security Incident Notification.
3.1 Incident Management. Tealium maintains a documented incident management policy and process to detect security events, and which provides coordinated response to threats and Customer notification. The process includes a Root Cause Analysis with identified issues tracked to remediation, and evaluation and implementation of actions to prevent recurrence.
3.2 Security Incident Notification & Remediation. In the event of a Security Incident, Tealium will notify Customer and remediate the Security Incident in the manner set forth below:
3.2.1 Notification if Tealium becomes aware of a Security Incident, Tealium will without undue delay and, where feasible, no later than 48 hours after having become aware of it, notify Customer of the Security Incident. Where the notification to Customer is not made within 48 hours, it shall be accompanied by reasons for the delay.
The notification referred to above shall at least:
(1) describe the nature of the Security Incident;
(2) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; and
(3) describe the measures taken or proposed to be taken by Tealium to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
Tealium shall document any Security Incidents, comprising the facts relating to the Security Incident, its effects and the remedial action taken. That documentation shall enable Customer to verify compliance with this Section.
3.2.2 Root Cause Analysis. Tealium will promptly initiate and pursue to completion as quickly as possible a Root Cause Analysis.
3.2.3 Remediation. Tealium will promptly implement measures necessary to restore the security of Customer Data and Tealium Network. If such measures include temporarily restricting access to any information or Tealium Network in order to mitigate risks associated with further compromise, Tealium will promptly notify Customer of the restricted access, in advance of such restriction when reasonably possible. Tealium will cooperate with Customer to identify any additional steps required of Tealium to address the Security Incident and mitigate its effects.
3.2.4 Any Unsuccessful Security Incident will not be subject to this Section.
4. Independent Risk Assessments and Audits.
4.1 Service Organization Reports. Tealium will undertake at least annually, at its expense, an audit in accordance with ISO/IEC 27001, ISO/IEC 27018 and with the System and Organization Controls (SOC) Report under the SSAE-18 or their successor standard(s), covering controls related to Tealium’s provision of the Services as a services organization, the scope of which will be in accordance with Industry Standard practice.
4.2 Third-Party/Subcontractor Agreements. Tealium will conduct a detailed risk assessment on its service providers who process Customer Data with results documented and made available to Customer upon request.
4.3 Security Testing. Tealium will, at least annually, engage, at its expense, a third-party service provider to perform Manual Penetration Testing of Tealium Network related to the provision of Services. The method of test scoring and issue ratings will follow Industry Standard practices, such as the latest Common Vulnerability Scoring System (“CVSS”) published by the US National Institute of Standards and Technology (“NIST”). Tealium will remedy any validated findings deemed material (critical, high or medium risk) in a timely manner following such findings.
4.4 AWS Audits. Tealium’s storage and infrastructure provider, AWS, is certified under ISO 27001 and has agreed to maintain an information security program for the Services that complies with the ISO 27001 standards or such other alternative standards as are substantially equivalent to ISO 27001 for the establishment, implementation, control, and improvement of the security standards applicable to AWS. AWS uses external auditors to verify the adequacy of its security measures, including the security of the physical data centers from which Tealium provides the Services. This audit: (a) will be performed at least annually; (b) will be performed according to ISO 27001 standards or such other alternative standards which are substantially equivalent to ISO 27001; and (c) will be performed by independent third-party security professionals.
4.5 Customer Audits. Customer may conduct, either itself or through a third party independent contractor selected by Customer at Customer’s expense, an on-site audit and review of the Tealium Network and procedures used in connection with the Services. Such audit and review shall be conducted no more frequently than one time per year, with 30 days’ advance notice unless required to comply with applicable laws and regulations or following a Security Incident affecting Customer Data. Any audits described in this Section shall be conducted during reasonable times, shall be of reasonable duration, shall not unreasonably interfere with Tealium’s day-to-day operations, and be conducted in accordance with appropriate technical and confidentiality restrictions. In the event that Customer conducts an audit through a third-party independent contractor, such independent contractor shall be required to enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the MSA to protect Tealium’s Confidential Information. Customer must promptly provide Tealium with information and reports regarding any non-compliance discovered during the course of an audit.
5. Security Function.
5.1 Security Officer. Tealium will designate a point of contact to coordinate the continued security of all Customer Data and Tealium Network. The Tealium Security Officer can be contacted at [email protected].
5.2 Training. In addition to any training obligations in the MSA, Tealium will, at least annually, provide all Tealium personnel with responsibilities related to the Services with appropriate ongoing training regarding Tealium’s processes for which compliance is required under the MSA, including, without limitation, procedures to verify all Tealium personnel promptly report actual and/or suspected Security Incidents. All personnel involved in any part of Tealium’s SDLC are required to receive application security training. Tealium will retain documentation that such training has been completed.
6. Data Management. The following will apply to the Tealium Network Processing Customer Data:
6.1. Data Access. Customer Data will be accessible only by Tealium personnel whose responsibilities require such access and follow the principle of Least Privilege. Tealium will use Industry Standard authentication practices and secure all communications involving Customer Data.
6.2 Encryption of Information. Tealium will use Industry Standard Encryption techniques for Customer Data being stored, processed, or transmitted by Tealium in the course of providing Services. Such techniques will require (a) key length of 128 bits or more for symmetric Encryption and (b) key length of 2048 bits or more for asymmetric Encryption.
6.3 Cryptographic Key Management. Tealium will securely manage cryptographic keys and maintain documented Industry Standard control requirements and procedures. If Tealium uses public key infrastructure (“PKI”), Tealium will protect such PKI by ‘hardening’ the underlying operating system(s) to reasonably protect against unauthorized access. For third party systems, Tealium will use vendor-recommended hardening guidelines. For Tealium’s systems, Tealium will utilize Industry Standard hardening guidelines, such as checklists provided by the Center for Internet Security®.
6.4 Removable Media. Tealium does not use Removable Media in providing the Services.
6.5 Data Disposal and Servicing. In the event that any hardware, storage media, or documents containing Customer Data must be disposed of or transported for servicing, then:
6.5.1 Tealium will maintain documented policies and procedures concerning data disposal that include provisions to maintain chain of custody; and
6.5.2 Tealium will render such Customer Data inaccessible, cleaned, or scrubbed from such hardware and/or media using methods at least as protective as the minimum sanitization recommendations outlined by NIST SP 800-88 Rev.1 (or successor standard).
6.6 Data Transmission. When Customer Data is transferred by Tealium across the Internet, or other public or shared network, Tealium will protect such data using appropriate cryptography as required by Section 6(b) of this DSS.
6.7 Data Resiliency. Utilize Industry Standard safeguards to provide resiliency of Customer Data. Resiliency will be achieved by use of services or methods such as, but not limited to, database backups, file backups, server backups, or managed highly available services, fault tolerant data storage or managed database services. Any Tealium storage or retention of backup files will be subject to all terms of this DSS. Tealium will test data resiliency periodically to protect the integrity and availability of Customer Data.
7. Physical Security – Facilities. Tealium Facilities will be protected by perimeter security such as barrier access controls (e.g., the use of entry badges) that provide a physical environment secure from unauthorized access, damage, and interference. At a minimum, all Tealium Facilities are required to have the following security related characteristics:
7.1 Tealium will document, implement and maintain administrative and physical security policies, including, without limitation, a “clean desk” policy.
7.2 Tealium will install closed circuit television (“CCTV”) systems and CCTV recording systems to monitor and record access to Tealium Facilities. Logs must be retained for at least one (1) year.
7.3 All Tealium personnel will be issued and will display to gain access an identification badge allowing electronic verification of bearer’s identity.
7.4 Each location will maintain procedures for validating visitor identity and authorization to enter the premises, including but not limited to, an identification check, issuance of an identification badge or escorted, validation of host identity, purpose of visit, and recorded entry.
8. Tealium Network Security.
8.1 Asset Inventory. Tealium will maintain a comprehensive inventory of its current Tealium Network components, hardware, and software (including version numbers and physical locations) to ensure only authorized and supported components Process Customer Data. Tealium will, at least annually, review and update its system component inventory.
8.2 Tealium Network Security. All data entering the Tealium Network from any external source (including, without limitation, the Internet), must pass through Firewalls to enforce secure connections between internal Tealium Network and external sources. Such Firewalls will explicitly deny all data other than the minimum required to support Tealium business operations.
8.3 Intrusion Detection System. Intrusion Detection Systems will run on individual hosts or devices on the Tealium Network to monitor the inbound and outbound connections and will alert administrators if suspicious activity is detected. IDS will monitor file integrity of the Tealium Network and, if critical system files are modified, the IDS will log the event in Tealium’s security information and event management systems.
8.4 Scan Incoming Files. Tealium will use Industry Standard security tools including IDS to scan incoming files on any servers on which Customer Data may be Processed.
8.5 Protect Against Malicious Code. Tealium will implement appropriate technical measures designed to protect against transferring Malicious Code to Customer systems via email or other electronic transmission. Anti-malware tools are deployed on all Tealium Network providing or supporting Services to Customer, and such tools are updated to provide protection against current threats.
8.6 Vulnerability Management. Tealium will have a documented process to identify and remediate security vulnerabilities affecting Tealium Network containing Customer Data. Tealium will remediate any identified security vulnerabilities within a reasonable amount of time.
8.7 Electronic Communications. All electronic communications related to the provision of Services, including instant messaging and email services, will be protected by Industry Standard processes and technical controls.
9. Change and Patch Management.
9.1 Change Management. Changes to applications, any part of the Tealium’s information technology infrastructure, Tealium Network will be tested, reviewed, and applied using a documented change management process and adhere to the principle of Separation of Duties.
9.2 Emergency Changes. Tealium uses an emergency change approval process to implement changes and fixes to Tealium Network and Services on an accelerated basis when necessary. Tealium will notify Customer in advance if any such emergency changes could affect the functionality of the Services during normal business hours.
9.3 Software Updates. Tealium will:
9.3.1 use anti-malware and other security software in support of the delivery of Services;
9.3.2 use only supported versions of software required for the delivery of Services; and
9.3.3 where Services may be impacted, implement emergency software fixes within a reasonable time, unless in Tealium’s reasonable opinion this introduces higher business risks. All changes are undertaken in accordance with Tealium’s approved change management process.
10. Logical Access Controls.
10.1 User Authentication: Tealium will implement processes designed to authenticate the identity of all users through the following means:
10.1.1 User ID. Access to applications containing Customer Data must be traceable to one (1) user. Shared accounts accessing Customer Data are prohibited by Tealium.
10.1.2 Passwords. Each user on Tealium Network will use a unique password to access applications containing Customer Data. Passwords will be at least eight (8) alphanumeric characters. The use of passwords that are easily discerned will be avoided (i.e., passwords matching or containing User ID, users’ birthdays, street addresses, children’s names, etc.). Tealium will require users to use Multifactor Authentication for access to applications or systems containing Customer Data.
10.1.3 Multifactor Authentication. Multifactor Authentication will be required for entry on all Tealium Network access points designed to restrict entry to authorized personnel.
10.2 Session Configuration. Sessions will be configured to timeout after a maximum of 60 minutes of user inactivity. Re-authentication will be required after such timeouts or periods of inactivity
10.3 Unsuccessful Logon Attempts. The number of unsuccessful logon attempts will be limited to a maximum of five (5). User accounts will be locked for at least ten (10) minutes after the maximum number of permitted unsuccessful logon attempts is exceeded.
10.4 Remote Access. Remote access to Tealium Network containing Customer Data will be restricted to authorized users, will require Multifactor Authentication and will be logged for review.
10.5 Deactivation. User IDs for Tealium personnel with access to Customer Data will be deactivated immediately upon changes in job responsibilities that render such access unnecessary or termination of employment.
10.6 Privileged Access. Tealium will use Industry Standard methods to provide that:
10.6.1 Users with access to Tealium Network containing Customer Data will be granted the minimum amount of privileges necessary;
10.6.2 Privileged access will be restricted to authorized individual users and non-repudiation will be maintained;
10.6.3 Privileged user accounts will be used exclusively for privileged operational use and not for business as usual activities;
10.6.4 Developers will not receive privileged access to production environments; and
10.6.5 All privileged access will require Multifactor Authentication.
11. Logging & Monitoring.
11.1 Tealium Network Monitoring. Tealium will actively monitor the Tealium Networks supporting the Services where Customer Data is Processed (using Industry Standard IDS) to detect deviation from access control policies and actual or attempted intrusions or other unauthorized acts.
11.2 Event Logging. For Tealium Networks Processing Customer Data Tealium will:
11.2.1 maintain logs of key events, including access events, that may reasonably affect the confidentiality, integrity, and availability of the Services to Customer and that may assist in the identification or investigation of Security Incidents occurring on Tealium Network. Copies of such logs will be made available to Customer upon written request;
11.2.2 protect logs against modification or deletion. Tealium’s Information Security team will review the logs on a regular basis; and
11.2.3 retain logs for at least twelve (12) months.
12. Software Security Assurance.
12.1 Development Methodology. For software used in the course of providing Services, Tealium will:
12.1.1 carry out in-house development activities in accordance with a documented SDLC policy, which will be shared with Customer upon request;
12.1.2 deploy new applications and changes to existing applications to the live production environment strictly in accordance with the SDLC policy; and
12.1.3 maintain documented SDLC practices including the definition, testing, and deployment of security requirements.
12.2 Development Environments. For software used in the course of providing the Services, Tealium will:
12.2.1 perform system development and testing in distinct environments segregated from the production environment and protected against unauthorized disclosure of Customer Data; and
12.2.2 not use Customer Data within non-production environments without Customer’s prior written approval and without the documented controls required to protect such information.
12.3 Capacity and Performance Planning. Tealium will use capacity and performance planning practices and/or processes designed to minimize the likelihood and impact of Tealium Networks failures or outages. Tealium will review capacity plans and performance monitoring information on a regular basis.
12.4 Testing Process. Tealium will in the course of providing Services:
12.4.1 provide that applications undergo a formal code review process. Upon Customer’s written request, Tealium will provide evidence of this formal process to Customer.
12.4.2 provide that applications undergo a quarterly Dynamic Application Security Test (DAST) and Static Application Security Test (SAST). The method of test scoring and issue ratings will follow Industry Standard practice, such as the latest Common Vulnerability Scoring System (CVSS) published by NIST. Upon written request, Tealium will provide Customer the results of such testing with respect to any material findings, and any applicable remediation activities in the form of an executive summary attestation letter containing the testing performed, the date, and a summary of the results.
12.4.3 provide that applications undergo a Threat Model analysis at least annually. Tealium has a process to formally report the results of the Threat Model and to remediate material findings. Upon request, Tealium will evidence this activity by sharing the Threat Model executive summary.
13. Data Center Controls.
13.1 Base Requirements. Any data center supporting the Services will possess the following minimum requirements:
13.1.1 Adequate physical security and access controls as set forth in Sections 6 and 7 of this DSS;
13.1.2 Professional HVAC & environmental controls;
13.1.3 Professional network/cabling environment;
13.1.4 Professional fire detection/suppression capability; and
13.1.5 A comprehensive business continuity plan.
14. Business Continuity Plan (BCP).
14.1 BCP Planning and Testing
14.1.1 Tealium’s plan capabilities will include a data resiliency system containing all hardware, software, communications equipment, and current copies of data and files necessary to perform Tealium’s obligations under the MSA; and
14.1.2 Tealium will maintain processes for timely recovery of Services at Tealium-owned and/or hosted data centers.
14.2 BCP Plan. The plan will address the following additional standards or equivalent in all material respects:
14.2.1 The plan will reflect regulatory requirements and Industry Standards;
14.2.2 The relocation of affected Tealium personnel to one or more alternate sites and the reallocation of work to other locations that perform similar functions until such relocation is effected;
14.2.3 A full business impact analysis of the expected impacts that Tealium believes are likely to arise in the event of a disruption to or loss of Tealium’s normal operations, systems and processes;
14.2.4 The establishment and maintenance of alternate sites and systems, the capacity of which will be no less than the primary sites and systems that Tealium uses to provide the Services and perform its other obligations under this MSA;
14.2.5 A description of the recovery process to be implemented following the occurrence of a disaster. The description will detail the contingency arrangements in place to ensure recovery of Tealium’s operations, systems and processes and also the key personnel, resources, services and actions necessary to ensure that business continuity is maintained; and
14.2.6 A schedule of the objective times by which Tealium’s operations, systems and processes will be recovered following the occurrence of a disaster. Tealium agrees that its recovery processes and BCP plans provide a Recovery Time Objective (RTO) of four (4) hours and a Recovery Point Objective (RPO) of 24 hours.
14.3 Distinct Plans. If distinct plans apply to specific Tealium locations, the plans for each location from which a material part of the Services are performed by Tealium will be tested at least annually against a comprehensive scenario and the results made known to senior management of Tealium.
14.4 Notification. In case of a disaster that Tealium reasonably believes will impact its ability to perform its obligations or affect the Services under the MSA, Tealium will promptly notify Customer of such disaster. Such notification will, as soon as such details are known, describe:
14.4.1 The disaster in question and how it was detected;
14.4.2 The impact the disaster is likely to have on the Services;
14.4.3 The alternative operating strategies and the back-up systems Tealium will utilize and the timetable for their utilization; and
14.4.4 The expected timeframe in which the disaster will be resolved and Tealium expects to return to business as usual.
14.5 Subcontractors. Tealium will require its subcontractors that perform any part of the Services (other than auxiliary services that facilitate the Services (e.g., document warehousing and retrieval, print services, etc.)) to have in place and maintain a commercially reasonable business continuity program that complies with regulatory and industry best practices. Tealium’s use of subcontractors does not diminish its obligation to provide business continuity capabilities as described above for all Services provided under the MSA, regardless of their origin and regardless of notice to Customer.
TEALIUM INC. DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part of, and is subject to, the Master Services Agreement or other written or electronic terms of service or subscription agreement between Tealium and Customer for Customer’s purchase of Services from Tealium that references this DPA (the “MSA”). This DPA applies where there is no transfer of Personal Data between the European Union and the USA.
1. Definitions. For the purposes of this DPA, the terminology and definitions as used by the GDPR and the CCPA (as defined herein) shall apply. In addition, unless otherwise defined in the MSA, all capitalized terms used in this DPA will have the meanings given to them below:
“AWS” means Amazon Web Services, Inc.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq.
“Data Exporter” and “Data Importer” have the meanings given them in the Standard Contractual Clauses.
“Data Protection Laws and Regulations” means all laws and regulations applicable to each respective Party in its role in the Processing of Personal Data under the MSA, including where applicable, the GDPR, the Privacy Act, and the CCPA.
“Data Security Statement” or “DSS” means Tealium’s statement of its technical and organizational security measures.
“EEA” means, for the purpose of this DPA, the European Economic Area and the UK.
“GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Highly Sensitive Data” means personal data whose unauthorized disclosure or use could reasonably entail a serious potential security or privacy risk for a data subject, including but not limited to government issued identification numbers such as national insurance numbers, passport numbers, driver’s license numbers, or similar identifier, or credit or debit card numbers, medical or financial information, biometric data, and/or financial, medical or other account authentication data, such as passwords or PINs.
“Personal Data” has the meaning set forth in Data Protection Laws and Regulations relating to the collection, use, storage or disclosure of information about an identifiable individual, or if no definition, means information about an individual that can be used to identify, contact or locate a specific individual, or can be combined with other information that is linked to a specific individual to identify, contact or locate a specific individual. For purposes of the DPA, Personal Data is as described in the scope of Processing described in Appendix 1.
“Privacy Act” means the Australian Privacy Act 1988 (Cth.).
“Processing” or “Process” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Service Provider” shall have the meaning set forth in the CCPA.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data, but does not include any Unsuccessful Security Incident.
“Tealium Network” means the data center facilities, servers, networking equipment, and host software systems (e.g., virtual firewalls) that are within the control of Tealium or its sub-processors and are used to provide the Services.
“Unsuccessful Security Incident” means an unsuccessful attempt or activity that does not compromise the security of Personal Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.
“User Data” means the login details and contact information of the authorized users of the Services and will be deemed Personal Data.
Further definitions are provided throughout this DPA.
2. Data Processing.
2.1 Scope and Roles. This DPA applies where and only to the extent that Tealium Processes Personal Data on behalf of Customer as a data processor or Service Provider in the course of providing Services pursuant to the MSA. Tealium will engage sub-processors pursuant to the requirements for subcontractors set forth in Section 10 below.
2.2 Compliance with Laws. Each party will comply with all Data Protection Laws and Regulations applicable to it and binding on it in the provision or receipt of Services under the MSA, including all statutory requirements relating to data protection.
2.3 Customer Processing of Personal Data. Customer agrees that: (a) it has provided all notices and obtained all consents, permissions and rights necessary under Data Protection Laws and Regulations for Tealium to lawfully process Personal Data; (b) Customer will not transmit to Tealium nor require Tealium to process any Highly Sensitive Data; and (c) Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.4 Instructions for Data Processing.
2.4.1 Tealium will Process Personal Data on behalf of and only in accordance with Customer’s documented instructions, including with regard to transfers of Personal Data to a third country or an international organization, unless otherwise required by Data Protection Laws and Regulations to which Tealium is subject; in such a case, Tealium shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Tealium will not sell Personal Data.
2.4.2 Customer instructs Tealium to process Personal Data for the following purposes: (a) processing in accordance with the MSA; (b) processing in accordance with this DPA; and (c) processing to comply with any reasonable written request from Customer that are consistent with the terms of the MSA and this DPA. In particular Tealium will retain, use or disclose Personal Data only for the specific purpose of performing the Services. By entering into this DPA, Tealium certifies that it understands its contractual restrictions and shall comply with them. Processing outside the scope of this Section 2.4 (if any) will require prior written agreement between Tealium and Customer on additional instructions for processing, including agreement on any additional fees Customer will pay to Tealium for carrying out such instructions.
2.4.3 Customer shall ensure its processing instructions are lawful and that the processing of Personal Data in accordance with such instructions will not violate applicable Data Protection Laws and Regulations or cause Tealium to be in breach of Data Protection Laws and Regulations. Tealium shall immediately inform Customer if, in its opinion, an instruction infringes any provision of Data Protection Laws and Regulations. In such case, Tealium is not obliged to follow the instruction unless and until Customer has confirmed or changed such instruction.
2.5 Disclosure. Tealium will not disclose Personal Data to any third party other than as expressly permitted by the terms of the MSA, and except as necessary to comply with applicable laws and regulations or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If a law enforcement agency sends Tealium a demand for Personal Data, Tealium will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Tealium may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Personal Data to a law enforcement agency, then Tealium will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Tealium is legally prohibited from doing so.
3. Tealium Personnel.
3.1 Confidentiality, Reliability, and Limitation of Access. Tealium will ensure that its personnel authorized to Process Personal Data have committed themselves to appropriate contractual obligations, including relevant obligations regarding confidentiality, data protection and data security, or are under an appropriate statutory obligation of confidentiality. Tealium will take reasonable steps to ensure the reliability of Tealium personnel engaged in the Processing of Personal Data. Tealium restricts its personnel from Processing Personal Data without authorization by Tealium as described in the Data Security Statement.
3.2 Training. Tealium will ensure that its personnel have received appropriate training on their responsibilities concerning Personal Data.
3.3 Data Protection Officer. Tealium has appointed a data protection officer. The appointed person can be reached at [email protected].
4. Other obligations of Tealium. Tealium will:
4.1 take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures designed to provide a level of security appropriate to the risk. Such measures shall, at a minimum, meet the specifications set forth in the Data Security Statement;
4.2 respect the conditions referred to in Section 10 of this DPA for engaging a sub-processor;
4.3 take into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests regarding data subject rights under Data Protection Laws and Regulations as described in Section 5 of this DPA;
4.4 take into account the nature of processing and the information available to Tealium, assist Customer in ensuring compliance with its obligations under Data Protections Laws and Regulations with regard to security of processing, data breach notification, conducting privacy impact assessments and cooperation with supervisory authorities.
5. Customer Controls and Data Subject rights.
5.1 Customer Controls. The Services provide Customer with controls to enable Customer to retrieve, correct, delete, or block Personal Data and to respond to Data Subject Requests as defined below. Tealium makes available certain security features and functionalities that Customer may elect to use. Customer is responsible for properly (a) configuring the Services, (b) using the controls available in connection with the Services (including the security controls), and (c) taking such steps as Customer considers adequate to maintain appropriate security, protection, deletion and backup of Personal Data, which may include use of encryption technology to protect Personal Data from unauthorized access and routine archiving of Personal Data.
5.2 Data Subject Rights. Tealium shall, to the extent legally permitted, promptly notify Customer if Tealium receives a request from a data subject known to Tealium to be associated with Customer, to exercise the data subject’s right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, object to the processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Tealium will upon Customer’s request provide assistance to Customer in responding to such Data Subject Request, to the extent Tealium is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations.
6. Transfers of Personal Data.
Regions. Customer may specify the location(s) where Personal Data, not including User Data, will be hosted within the Tealium Network from the following list, as updated by Tealium from time to time: (i) California, USA; (ii) Virginia, USA; (iii) Dublin, Ireland; (iv) Frankfurt, Germany; (v) Tokyo, Japan; and (vi) Sydney, Australia (each a “Region”). Once Customer has made its choice, by properly configuring the Services, Tealium will not transfer the hosting of Personal Data from Customer’s selected Region(s) except under Customer’s further instructions or as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or court order) as described in Section 2.5. User Data will be hosted in California, USA in all cases.
7. Security Responsibilities of Tealium.
7.1 Continued Evaluation. In addition to its obligations under Section 4.1 of this DPA, Tealium will conduct periodic reviews of the security of its infrastructure, applications, and associated Services. The adequacy of Tealium’s information security program is measured against industry security standards and compliance with Tealium’s policies and procedures. Tealium will continually evaluate the security of the Tealium Network and associated Services to determine whether additional or mitigating security measures are required to respond to new security risks or findings generated by the periodic reviews. Tealium conducts ongoing vulnerability scans and annual penetration tests to identify and then remediate identified deficiencies. The Tealium Network and associated Services are continuously monitored for events and potential Security Incidents. Tealium also conducts risk assessments at least annually or when significant changes to the environment occur. These activities provide for a continually improving information security program.
7.2 Customer Independent Review. Customer is solely responsible for reviewing the information made available by Tealium relating to data security and making an independent determination as to whether the Services meet Customer’s requirements, and for ensuring that Customer’s personnel and consultants follow the guidelines they are provided regarding data security.
8. Certifications and Audits.
8.1 Tealium Audits. Tealium audits its security measures at least annually. These audits: will be performed according to ISO 27001, ISO 27018 and SOC 2 Type II standards or such other alternative standards that are substantially equivalent to such standards. These audits will be performed by independent third party security professionals at Tealium’s selection and expense.
8.2 Audit Reports. At Customer’s written request, Tealium will provide Customer with a confidential report so that Customer can reasonably verify Tealium’s compliance with its obligations under this DPA. The report constitutes Tealium’s Confidential Information.
8.3 AWS and Customer Audits. Customer audits rights are as set forth in the DSS.
9. Security Incident Notification.
9.1 Tealium Notification. If Tealium becomes aware of a Security Incident, Tealium will without undue delay and, where feasible, not later than 48 hours after having become aware of it, notify Customer of the Security Incident. Where the notification to the Customer is not made within 48 hours, it shall be accompanied by reasons for the delay.
9.2 The notification referred to in Section 9.1 shall at least:
9.2.1 describe the nature of the Security Incident;
9.2.2 communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
9.2.3 describe the measures taken or proposed to be taken by Tealium to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.
9.3 Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
9.4 Tealium shall document any Security Incidents, comprising the facts relating to the Security Incident, its effects and the remedial action taken. That documentation shall enable Customer to verify compliance with this Section.
9.5 Tealium Assistance. To assist Customer in relation to any personal data breach notifications Customer is required to make under the Data Protection Laws and Regulations, Tealium will include in the notification under section 9.1 such information about the Security Incident as Tealium is reasonably able to disclose to Customer, taking into account the nature of the Services, the information available to Tealium, and any restrictions on disclosing the information, such as confidentiality.
9.6 Limitations. Customer agrees that:
9.6.1 An Unsuccessful Security Incident will not be subject to this Section; and
9.6.2 Tealium’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Tealium of any fault or liability of Tealium with respect to the Security Incident.
9.7 Delivery. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any reasonable means Tealium selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information with Tealium all times.
10.1 Authorized Sub-processors. Customer agrees that Tealium may use AWS as a sub-processor to fulfill certain of its contractual obligations under this DPA or to provide certain services on its behalf. Tealium will inform Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving Customer the opportunity to object to such changes.
10.2 Obligations in respect of sub-processors. Where Tealium authorizes any sub-processor as described in this Section 10:
10.2.1 Tealium will restrict the sub-processor’s access to Personal Data only to what is necessary to maintain the Services or to provide the Services to Customer and Tealium will prohibit the sub-processor from accessing Personal Data for any other purpose;
10.2.2 Tealium will impose appropriate contractual obligations in writing upon the sub-processor that are no less protective than this DPA, including relevant contractual obligations regarding confidentiality, data protection, data security and audit rights; and
10.2.3 Tealium will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processor that cause Tealium to breach any of Tealium’s obligations under this DPA.
10.3 Objection to Sub-Processor. If Customer has a reasonable basis to object to Tealium’s use of a new sub-processor, Customer shall notify Tealium promptly in writing within ten (10) business days after receipt of Tealium’s notice. If Customer objects to a new sub-processor(s) Tealium will use reasonable efforts to make available to Customer a change in the affected Services or recommend a commercially reasonable change to Customer’s configuration or use of the affected Services to avoid Processing of Personal Data by the objected-to new sub-processor without unreasonably burdening Customer. If Tealium is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate the applicable Service Order in respect only to those Services that cannot be provided by Tealium without the use of the objected-to new sub-processor, by providing written notice to Tealium. Customer shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated Services.
11. Duties to Inform. If Personal Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Tealium, Tealium will inform Customer without undue delay. Tealium will, without undue delay, notify all relevant parties in such action (e.g. creditors, bankruptcy trustee) that any Personal Data subjected to those proceedings is Customer’s property and area of responsibility and that Personal Data is at Customer’s sole disposition.
12. Termination of the DPA. This DPA shall continue in force until the termination of the MSA (the “Termination Date”).
13. Return and Deletion of Customer Personal Data. The Services provide Customer with controls that Customer may use to retrieve or delete Personal Data. Up to the Termination Date, Customer will continue to have the ability to retrieve or delete Personal Data in accordance with this Section. To the extent Customer is unable to retrieve or delete Personal Data itself through its use of the Services, Tealium will assist Customer in such retrieval or deletion upon Customer’s written request. Tealium will delete Personal Data within 180 days following the Termination Date.
14. Fees and Expenses. To the extent legally permitted, Customer shall be responsible for any costs and fees arising from a request by Customer to change the Region originally chosen by Customer during configuration of its account(s) pursuant to Section 6.1 above.
15. Nondisclosure. Customer agrees that the details of this DPA are not publicly known and constitute Tealium’s Confidential Information under the confidentiality provisions of the MSA.
16. Conflict. Except as amended by this DPA, the MSA will remain in full force and effect. If there is a conflict between the MSA and this DPA, the terms of this DPA will control.
17. Counterparts; Electronic Signature or Email Delivery. This DPA may be executed in two or more counterparts, each of which will be deemed an original and all of which taken together will be deemed to constitute one and the same document. The parties may sign and deliver this DPA by electronic signature or email transmission.