Data Processing Agreement

Media Company Data Processing Agreement

LAST UPDATED: March 8, 2022

THIS DATA PROTECTION ADDENDUM (this “DPA“) supplements and is part of the Standard Terms and Conditions or other written or electronic agreement the “Agreement“) for the purchase of services entered into between Slashdot Media, LLC (“Slashdot“) and the entity that has purchased Slashdot’s Offerings (as defined below) pursuant to the Agreement (“Client“). Words and phrases used in this DPA, other than those capitalized for grammatical purposes, are defined in the Section of this DPA in which they first appear as indicated by bold type or, if not so defined, have the meanings given to them in the terms and conditions between Slashdot and Client. References to Articles and Sections are references to this DPA unless otherwise indicated.

1. SCOPE, PURPOSE AND INTERPRETATION.

  1. Slashdot’s Business. Slashdot is a marketing and technology company. Slashdot owns and operates a portfolio of online brands that allow businesses and IT professionals to evaluate and make purchasing decisions for software and IT solutions. Slashdot leverages those online brands to provide marketing and advertising services comprising business listings (“Business Listing“) and native and display advertising (collectively “Brand Advertising“). Slashdot also provides additional marketing services that are not tied to Slashdot’s online brands. These services consist of lead generation (“Lead Generation“), email marketing (“Email Marketing“) and custom marketing content (“Custom Marketing” together with Business Listing, Brand Advertising, Lead Generation and Email Marketing shall collectively be referred to as the “Slashdot Offerings“).
  2. Our Clients. The clients of Slashdot’s Business Listing services are software and information technology services companies or the agencies that represent them. The clients of Slashdot’s Brand Advertising, Lead Generation, E-mail Marketing and Custom Marking services are advertisers or the agencies that represent them. Slashdot does not, however, request or require that any of its clients provide their or their personnel’s personal data in order to receive Slashdot Offerings, although Slashdot does receive certain business contact information from Client as well as other information that is not personal in nature (“Client Data“). At the same time, the receipt (by collection, purchase or otherwise), transfer and monetization of personal data about third parties (“Consumer Data“) is inherent to the operation of Slashdot’s Offerings.
  3. Purpose of this DPA. The two-fold purpose of this DPA is to set forth Slashdot’s obligations with respect to:
    1. the security and protection of all Client Data processed by Slashdot in connection with its performance under the Agreement; and
    2. certain additional obligations of Slashdot to secure and protect those elements of Client Data that constitute personal data under Comprehensive Data Protection Laws (as defined in Article 3).
  4. Interpretation. This DPA shall control over any conflicting data protection and/or privacy related terms or conditions in the Agreement (excluding terms governing use and disclosure of confidential information) as well as any data security or privacy document or policy posted on Client’s websites, its supplier portals, or similar locations. Slashdot may update this DPA to reflect material changes in Slashdot’s business practices or applicable law but in no event will any such change materially reduce the level of protection afforded to Client Data when measured against Slashdot’s obligation on the DPA Effective Date. If this DPA is changed, Slashdot will provide Client advance electronic notice, typically via Slashdot’s support portal.

2. ROLES OF THE PARTIES.

2.1 For Consumer Data. With respect to Consumer Data, as between Slashdot and Client, Slashdot is either an “independent controller” or the parties are “successive independent controllers” (collectively, “Controller“). Each party shall comply with applicable data security laws, including Comprehensive Data Security Laws, with respect to Consumer Data it receives (whether collected or purchased), and processes, including by implementing opt-out and do-not-sell mechanisms where applicable. The Controller shall determine its legitimate interests or other lawful bases for processing, take reasonable steps to provide all required notices, and manage and respond to all verified data subject attempts to exercise their rights. Where both parties are Controllers, the parties will reasonably cooperate with one another to the extent required to comply with applicable data security laws, including in responding to the exercise of rights by verifiable data subjects.

For data subjects from whom Slashdot collects Consumer Data via its online brands, those brands contain links on their homepages to our published privacy statement disclosing Slashdot’s site visitor privacy practices and informing site visitors of their privacy-related rights. Slashdot does not act as the processor of Consumer Data and does not accept or agree to be bound by any separate terms published by its clients that assert otherwise. While the entirety of this DPA is governed by and subject to the Agreement, Slashdot specifically acknowledges that its failure to comply with its obligations as a Controller, and, where applicable, Client’s failure to comply with their obligations as a Controller, shall, in each respective case, be a material breach of the Agreement, permitting the non-breaching party to avail itself of all rights and remedies for breach thereunder.

2.2 For Client Data. As indicated above, Sections 3 through 5.3 of this DPA apply only to Client Data.

3. DATA SECURITY PROGRAM.

3.1 Generally; Annual Updates. Slashdot has adopted and implemented an enterprise-wide corporate information security and privacy program that includes physical, technical, organizational, and administrative measures designed to protect, in a manner consistent with accepted industry standards and applicable law, against anticipated or actual threats or hazards to the confidentiality, security, or integrity of Client Data, as well as destruction, loss, unauthorized access to or unauthorized use thereof (“Data Security Program”). Slashdot reviews and, as necessary, updates the Data Security Program at least annually and whenever there is a material change in Slashdot’s business practices or applicable law.

3.2 Duration; Standards and Controls. Slashdot will maintain the Data Security Program for the duration of the Agreement and thereafter for so long as Slashdot has access to, or stores, Client Data as part of any archival or related right at law or under the Agreement. The Data Security Program is designed by reference to recognized industry standards such as the ISO 270xx series of data security and information management standards, and the AICPA’s SOC1 and SOC2 reporting standards. Consequently, the Data Security Program includes standards and controls for:

  • Data Categorization and Management;
  • Asset Management;
  • Access Controls and Monitoring;
  • Encryption;
  • Vulnerability Prevention, Detection and Testing;
  • Third Party Oversight;
  • Incident Response and Management;
  • Workforce Member Awareness;
  • Data Retention and Destruction; and
  • Business Continuity and Disaster Recovery.

3.3 Scope of Data Security Program.

  1. Slashdot Systems and Personnel. The Data Security Program applies to all computing, networking and telecommunications systems located in the data center or computing facilities operated by Slashdot. The Data Security Program further applies to all Slashdot employees, onsite contractors, and those of Slashdot’s off-site contractors who Slashdot anticipates will have access to Client Data. Subject to Section 3.6, the Data Security Program does not apply directly to sub-processors nor does it apply to the Cloud Providers, as described in detail below.
  2. Cloud Providers. In delivering the Slashdot Offerings, Slashdot may use either or both a cloud platform and a data storage infrastructure provider (collectively, the “Cloud Providers“). As of the DPA Effective Date, Slashdot uses Amazon Web Services, Inc. and Google Cloud Platform, offered by Google, as Cloud Providers.
    1. Data Security Programs. Slashdot will pass through to Client the benefits of the Cloud Provider’s data security and privacy practices and procedures. Information about those practices and procedures can be found on the Cloud Providers’ compliance and security pages found at the following internet pages maintained by the Cloud Provider (or successor pages thereto) https://aws.amazon.com/security/, which pages include links to the third party security verifications, certifications, and reports held by the Cloud Provider such as ISO 27001:2013 and SOC2 Type 2, among many others. The Cloud Provider and not Slashdot are responsible for protecting their respective overall computing infrastructures and physical facilities on and from which the Slashdot Offerings operate, and store and retrieve data. Those infrastructures comprise all the hardware, software, networking, and facilities necessary for Slashdot to make the Slashdot Offerings, and all data loaded to them, available to Client remotely, but exclude Slashdot’s own internal use systems, which remain Slashdot’s responsibility under the Slashdot Data Security Program and this DPA.
    2. Vulnerability Testing. During the term of the Agreement, Client may, at its cost and expense, perform its own penetration testing and other vulnerability assessments of the Cloud Provider and those portions of the Slashdot Offerings loaded thereon, by following the Cloud Provider’s published procedures. As Slashdot does not typically store material amounts of Client Data in electronic form outside of the Cloud Provider’s infrastructure, Client shall not be permitted to conduct vulnerability testing of Slashdot’s internal systems unless otherwise agreed in writing.

3.4 Data Security Audits. The independent certifications and reports of Slashdot and its Cloud Provider are widely recognized and accepted by the industry and its regulators as comprehensive verifications of security controls used in the operations of technology marketing vendors such as Slashdot. As such, Slashdot limits the number, nature, and type of further data security audits that may be performed on its systems and facilities, as described in this Section below.

  1. Regulatory Inquiries. Slashdot will reasonably cooperate with Client’s regulators having competent authority and sufficient legal basis to request that Slashdot complete questionnaires about Slashdot’s security and privacy controls as they relate to Client Data. If, after completing such a questionnaire, a regulator reasonably believes a remote or in-person site visit in the nature of an audit of those controls is necessary, Slashdot will reasonably cooperate in those activities upon written request from the regulator, including as such written request may be made to Client and passed on to Slashdot. Cloud Provider does not permit Slashdot or any of Slashdot’s clients or their regulators to visit the Cloud Provider’s data centers or facilities, whether remotely or in-person, and therefore site visit rights under this Section do not extend to facilities under the control of the Cloud Provider. Amazon Web Services does, however, permit Slashdot to submit data security questionnaires on Slashdot’s clients’ behalf if required to satisfy regulatory obligations. Slashdot will do so upon written request. Slashdot shall further reasonably cooperate with Client’s request to obtain data security and privacy information from the Cloud Provider, such as copies of their ISO certifications or SOC reports.
  2. Client Questionnaires. If Client has a regulatory or reasonably documented internal governance obligation to submit questionnaires to its vendors regarding such vendors’ security standards and controls, Slashdot shall, no more than once annually, reasonably cooperate with Client’s internal security personnel to complete such questionnaires as they relate to Client Data; provided, however, that Client shall first confirm that such questionnaire obligation cannot be satisfied by reference to the above-described independent certifications and reports and, provided further, that Slashdot reserves the right to charge Client at Slashdot’s standard hourly rates if any such questionnaire requires more than 10 hours of total person effort in a calendar year. The contents of all completed questionnaires shall be the confidential information of Slashdot subject to the applicable terms of the Agreement.
  3. Client Audits. If at any time during the term of the Agreement, Slashdot is unable to produce an ISO 27001, SOC 2 Type 2, or equivalent or similar certification or report for the cloud infrastructure, or, if applicable, an annual confirmation thereof, then Client may, once in the applicable contract year, conduct reasonable remote reviews of the security controls used by Slashdot and, if reasonably necessary thereafter, an on-site audit. Client further may conduct such reviews and, if necessary, audits following resolution of a Data Security Breach (defined in Section 2.5) to confirm its causes have been reasonably remedied. Client will schedule any such permitted reviews and audits by contacting Client’s assigned Slashdot relationship manager who will work with Client on a mutually agreed timeline and audit plan inclusive of plans for discussion and remediation of any purported security concerns contained in the final audit report provided to Slashdot. Client will conduct the review or audit itself or through a reputable third party designee that is not a Slashdot competitor and who is subject to confidentiality obligations at least as protective of Slashdot under the Agreement. All audits shall be at Client’s cost and expense and their results the confidential information of Slashdot subject to the applicable terms of the Agreement.

3.5 Incident Response and Management. Slashdot will evaluate and respond to incidents that create suspicion of a possible Data Security Breach. The goal of Slashdot’s incident response is to identify and contain the unauthorized activity and restore the confidentiality, integrity, and availability of the affected Slashdot Offering as well as to establish root causes and remediation steps. Slashdot’s information security team will be informed of all known incidents that may have been, or result in, material incidents that could potentially lead to a Data Security Breach and, depending on the nature of the incident, will define escalation paths and response teams to address those incidents.

3.6 Data Security Breach Notification. If Slashdot determines that an event actually was, or resulted in a Data Security Breach, where “Data Security Breach” means the confirmed unauthorized access, acquisition, disclosure or use of Client Data protected under the Data Security Program, Slashdot will, as relevant information is collected or otherwise becomes available to Slashdot, provide Client with a description of the Data Security Breach, the type of data adversely affected, and other information Client may reasonably request, unless Slashdot is prohibited by law from doing so. In any event, Slashdot will notify Client as soon as practical and without any unreasonable delay following Slashdot’s determination that a Data Security Breach occurred, but in no event later than would allow Client a reasonable period of time to meet Client’s own reporting or notice obligations under applicable law. Typically, this means Slashdot will notify Client no more than 24 hours after Slashdot has confirmed that personal data has suffered a Data Security Breach. Additionally, the Slashdot information security team will work with Client, and, where necessary, with outside forensics investigators and regulatory and law enforcement authorities to respond to and attempt to mitigate the adverse effects of the Data Security Breach. Slashdot agrees to coordinate in good faith with Client on developing the content of any related public statements that relate to Client or any required notices to Client’s data subjects resulting from a Data Security Breach.

4. PERSONAL DATA GOVERNED BY COMPREHENSIVE DATA PROTECTION LAW.

Slashdot rarely requires use of Client’s personal data. Nonetheless, in the unlikely event Slashdot does request, or expressly agrees to accept from Client under the Agreement data meeting the definition of “personal data” under one or more Comprehensive Data Protection Laws, then Slashdot further undertakes the commitments described in this Section with respect to such personal data. As used herein, “Comprehensive Data Protection Laws” means the General Data Protection Regulations separately adopted by the United Kingdom and by the European Union for use throughout the European Economic Area (collectively, the “GDPR“), the California Consumer Privacy Act (and its successor the CPRA), and the similar laws in other United States jurisdictions (such as Colorado and Virginia) or around the world (such as The Cayman Islands).

4.1 Capacity; Duration; Nature and Purpose. If Client Data has elements of personal data governed by Comprehensive Data Protection Laws, the parties acknowledge and agree that: (a) Slashdot acts in the capacity of Client’s “service provider” or “processor”, as applicable under such laws; (b) the duration of Slashdot’s processing is at Client’s discretion, commensurate with the duration of the Agreement; (c) the nature and purpose of Slashdot’s processing is limited to what is needed to provide the Slashdot Offerings under the Agreement; and (d) the types of personal data processed and categories of data subjects will be determined and disclosed in the Agreement. All of Slashdot’s processing of such personal data will further be subject to the obligations described in Sections 4.2 through 4.10 of this DPA below.

4.2 Client Instruction; No Sale. Slashdot will never sell any personal data provided to it by Client under the Agreement. Slashdot will process personal data only on Client’s instructions as documented in the Agreement. If Slashdot is required by law to process personal data in a manner not covered by the instruction Slashdot received from Client, Slashdot will, unless prohibited by law, inform Client before processing. Slashdot will also promptly inform Client if, in Slashdot’s opinion, the Client’s instruction violates the applicable Comprehensive Data Protection Laws.

4.3 Cross-border Transfers.

  1. Generally. To the extent Slashdot needs to transfer a Client’s personal data from the jurisdiction of origin (defined below), but the applicable Comprehensive Data Protection Laws restrict such transfer, Slashdot will conduct a transfer impact assessment (in such manner and form Slashdot believes necessary based on the relative risks) to determine if appropriate safeguards are present in the destination jurisdiction (defined below). If the result of that assessment supports the transfer, it will occur only as permitted under the applicable Comprehensive Data Protection Laws and this Section and as disclosed to Client.
  2. Transfers under GDPR; SCCs. Where such transfer is governed by the GDPR, the transfer will be conducted in accordance with an approved mechanism set forth in Articles 46 through 49 thereof. If Article 46 of the European Economic Area’s GDPR is used, Slashdot will bind the data recipient to the applicable Standard Contractual Clauses module appropriate to the roles of the parties in each transfer, as such clauses will be permissibly modified to account for the content already present in this DPA. As used herein, “jurisdiction of origin” means the country in which Slashdot first received the applicable personal data, and “destination jurisdiction” means the country, and if applicable, territory, province, or state, to which Slashdot is transferring the personal data.
  3. Client Acknowledgement. Client acknowledges that except as otherwise expressly stated in the Agreement, Slashdot’s jurisdiction of origin is the United States and that Client is, as between Slashdot and Client, solely responsible for ensuring it is authorized to deliver its data to Slashdot in those jurisdictions of origin and for fulfilling the obligations of a data controller/collector under the applicable Comprehensive Data Protection Laws.

4.4 Appropriate Measures; Security of Processing. The Data Security Program is designed to satisfy the requirement under the Comprehensive Data Protection Laws that Slashdot adopt appropriate technical and organizational measures to protect Client’s affected personal data. Slashdot will apply its Data Security Program to Client’s personal data including as necessary to permit Client to comply with applicable Comprehensive Data Protection Laws such as the measures required under GDPR Article 32.

4.5 Workforce Confidentiality Obligations. Slashdot will require that members of its workforce (including contractors) who are authorized to process Client’s personal data have committed themselves to the confidentiality thereof or are otherwise under an appropriate statutory obligation of confidentiality.

4.6 Sub-processors. If Slashdot engages a sub-processor to carry out personal data processing activities that are otherwise part of Slashdot’s obligation to Client, Slashdot will conduct due diligence to confirm they are capable of protecting Client’s personal data to the same extent as Slashdot is required to under this DPA. To the extent required by applicable law (such as GDPR Article 28, paragraphs (2) and (4)), Slashdot further will obtain Client’s general or specific consent prior to such engagement. If general consent is used, Slashdot shall notify Client, providing a reasonable opportunity to object. Should Slashdot change a sub-processor previously consented by Client. By entering into the Agreement, Client is giving general consent to Slashdot’s use of its Affiliates as sub-processors, as well as the sub-processors in the roles of the Cloud Providers. In addition, specific consent is granted for each of the sub-processors listed here https://slashdotmedia.com/subprocessor-list-page/.

4.7 Data Subject Requests. Taking into account the nature of Slashdot’s processing, Slashdot will assist Client by appropriate technical and organizational measures, insofar as possible, in fulfilling Client’s obligation to respond to requests from data subjects to exercise their rights under applicable law including, where a data subject whose personal data Slashdot is processing contacts Slashdot instead of Client, Slashdot will, to the extent legally permitted, promptly notify Client and reasonably cooperate with Client to fulfil Client’s obligations subject to the fact that Client is responsible for any reasonable costs arising therefrom.

4.8 Verification; Assistance with Compliance. Slashdot will assist Client in ensuring compliance with Client’s obligations to consult with certain regulatory authorities regarding the processing of personal data including, where applicable, such obligations as are enumerated under GDPR Article 28 with respect to GDPR Articles 32 through 34 and 36, taking into account the nature of processing and the information available to Slashdot. As described in Section 2.4 of this DPA, Slashdot will make available to Client information reasonably necessary to demonstrate Slashdot’s compliance with this DPA.

4.9 Deletion or Return. Slashdot will, at Client’s election, delete or return all Client’s personal data at the end of the Agreement, and delete existing copies unless applicable law requires otherwise. Slashdot will, however, avail itself of any right applicable law provides permitting Slashdot to retain archival copes of such personal data or to delete such data in the ordinary course of Slashdot’s documented back-up, retention, and destruction procedures. In those situations, Slashdot acknowledges that this DPA continues to govern all such retained personal data.

4.10 Breach Notification. Slashdot will notify Client of and respond to any Data Security Breach as described in Section 2.6 of this DPA. If the applicable Comprehensive Data Protection Laws require that such notification contain specific information (as is the case under GDPR Article 33(3)), Slashdot will provide the same to Client to the extent such information is reasonably available to Slashdot.

5. EXCLUSIONS AND CONDITIONS.

Following the majority of Comprehensive Data Protection Laws, business contact information (such as name, title, and corporate domain email address) exchanged between the parties to administer their contractual relationship and receive credentials to Slashdot’s software is not treated as personal data under this DPA. In addition, Slashdot is not responsible under this DPA for any event arising out of: (a) modifications or alterations of the Slashdot Offerings made by any individual or entity other than Slashdot or its designees; (b) unauthorized access to the Slashdot Offerings or Client Data thereon occurring via (i) otherwise valid Client log-in credentials that were not previously reported to Slashdot, in writing, as having been compromised; or (ii) Client’s connection to the Public Network (as defined below); (c) negligence by Client, including its personnel or contractors; (d) any breach of the Agreement; (e) Client’s use of an un-supported version of the affected Slashdot Offering; (f) Client’s failure to comply with published documentation for the affected Slashdot Offering; (g) any third party integration Client may request; (h) failures beyond Slashdot’s reasonable control; and/or (i) Client’s failure to provide and maintain the required customer-side operating environment. “Public Network” means the circuits, overland and/or submarine cabling, and other telecommunications and connectivity infrastructure from a point of demarcation starting immediately after the ingress/egress router or similar appliance for Client’s network to the point immediately before the ingress/egress router or similar appliance at the facilities Slashdot uses for its own networks and communications infrastructure including those operating on the Cloud Providers’ infrastructure.

END OF DATA PROTECTION ADDENDUM