Data Protection Commitments
Effective Date: November 24, 2021
- Our overall commitment to the security and protection of our clients’ personal data and sensitive business information such as financial institution account information stored in or processed by our software and services solutions; and
- Certain additional commitments we make to secure and protect those portions of our clients’ personal data that are governed by Comprehensive Data Protection Laws (defined below).
Certain words and phrases in these DPCs have special meanings. Such words and phrases are defined where they first appear, or otherwise where designated, as indicated by bold text. Our performance of the obligations described in these DPCs remains subject to the contract between us and each client, referencing these Commitments. These DPCs and the obligations under our Data Security Program (defined below) will, however, supersede any conflicting data protection and/or privacy-related terms or conditions in such contract as well as any document or policy posted on our clients’ websites, supplier portals or similar locations. The English language version of these DPCs is the controlling version.
We review and, as necessary, update our Data Security Program at least annually or whenever there is a material change in our business practices or applicable law. We similarly update these DPCs for the same reasons, and will provide you notice, typically via our support portal, that we have done so.
OUR COMMITMENT TO PROTECTING ALL TYPES OF CLIENT DATA PROCESSED BY OUR SOFTWARE AND SERVICES
We have adopted and implemented an enterprise-wide corporate information security and privacy program that includes physical, technical, organizational and administrative measures designed to protect, in a manner consistent with accepted industry standards and applicable law, against anticipated or actual threats or hazards to the confidentiality, security or integrity of such data, as well as the destruction, loss, unauthorized access to or unauthorized use thereof (“Data Security Program”).
Our Data Security Program applies to our clients’ personal data and sensitive business information stored in or processed by Slashdot’s software and services solutions. We will maintain our Data Security Program for the duration of each of our client contracts, and thereafter for so long as we have access to, or store such client data (e.g., for any post termination archiving or disengagement services).
Our Data Security Program was designed by reference to recognized industry standards such as the ISO 270xx series and the AICPA’s SOC2. Consequently, it includes standards and controls for:
- Data Categorization and Management
- Asset Management
- Access Controls and Monitoring
- Vulnerability Prevention, Detection and Testing
- Third Party Oversight
- Incident Response and Management
- Workforce Member Awareness
- Data Retention and Destruction
- Business Continuity and Disaster Recovery
Our Data Security Program is applicable to all of our employees, onsite contractors and those of our off-site contractors who we anticipate will have access to our clients’ data.
In delivering our software and services solutions, we use both a cloud platform and a data storage infrastructure provider (the “Cloud Providers”). The Cloud Providers are responsible for protecting their respective overall computing infrastructures and physical facilities on and from which Slashdot’s software applications operate, and store and retrieve data. Those infrastructures comprise all the hardware, software, networking, and facilities necessary for us to deliver our services and make the Slashdot applications and data loaded to them available to our clients remotely, but exclude our own internal use systems, which internal use systems include software we may load onto and use within the Cloud Providers’ infrastructures for reasons other than processing client data.
Security for those internal systems remains our responsibility, which we fulfill through our Data Security Program and these Commitments. We pass through the benefits of the Cloud Providers’ security and privacy practices and procedures.
Vulnerability Testing and Audits
Vulnerability Testing. Our clients may, at their cost and expense, perform penetration testing and other vulnerability assessments of our Cloud Providers by following their published procedures. As we do not typically store material amounts of client data in electronic form outside of the Cloud Providers’ infrastructure, we do not permit vulnerability testing of our own internal systems.
Regulatory Audits. We will cooperate with clients’ regulators having competent authority and sufficient legal basis to request that we complete questionnaires about our security and privacy controls as they relate to our clients’ data. If, after completing such questionnaire, a regulator reasonably believes a site visit and review in the nature of an audit of those controls is necessary, we will reasonably cooperate in those activities upon written request from the regulator, including as such written request may be made to our affected client and passed on to us. Our Cloud Providers do not permit Slashdot or any of our clients or their regulators to visit the Cloud Providers’ data centers or facilities. We will, however, reasonably cooperate with our clients’ requests to obtain security and privacy information from the Cloud Provider.
Client Audits. If we are unable to produce an ISO 27001, SOC 2 Type 2 or equivalent or similar certification or report for our cloud infrastructure, or, if applicable, an annual confirmation thereof, then our clients may conduct reasonable security reviews of the cloud infrastructure used to deliver the Slashdot software and services to them once per year, and additionally following any notification of an event described below. Clients can schedule such reviews and audits by contacting their assigned Slashdot relationship manager, who will work with them on a mutually agreed timeline and audit plan, inclusive of plans for discussion and remediation of any purported security concerns contained in the final audit report provided to us. Clients may conduct the review or audit through a reputable third party designee that is not a Slashdot competitor and is subject to confidentiality obligations at least as protective of Slashdot as the underlying contract between the applicable client and Slashdot. Audits are at the applicable client’s cost and expense.
Incident Response and Management
We evaluate and respond to events that create suspicion of a possible Data Security Breach, where “Data Security Breach” means the confirmed unauthorized access, acquisition, disclosure or use of the client data protected under our Security Program. The goal of our incident response is to identify and contain the unauthorized activity and restore the confidentiality, integrity, and availability of the affected Slashdot software or service, as well as to establish root causes and remediation steps. Our information security team is informed of all events that may have been, or may result in, material incidents that could potentially lead to a Data Security Breach and, depending on the nature of the incident, defines escalation paths and response teams to address those events.
Data Security Breach Notification
If we determine that the event actually was, or resulted in a Data Security Breach, we will, as relevant information is collected or otherwise becomes available to us, provide you with a description of the Security Breach, the type of data adversely affected, and other information you may reasonably request, unless we are prohibited by law from doing so. In any event, we will notify you as soon as practical and without any unreasonable delay following our determination that a Data Security Breach occurred, but in no event later than would allow you a reasonable period of time to meet your own reporting or notice obligations under applicable law. Typically, this means we will notify you no more than 24 hours after we have confirmed that personal data has been subject to a Security Breach and thus been unlawfully accessed, acquired or used or unlawfully or accidentally destroyed, lost or altered without the ability to restore from back-up or disaster recovery.
Additionally, the Slashdot information security team will work with you, with our lines of business, and, where necessary, with outside forensics investigators and regulatory and law enforcement authorities to respond to and mitigate the adverse effects of the Data Security Breach. We agree to coordinate in good faith on developing the content of any related public statements or any required notices to data subjects resulting from a Data Security Breach.
ADDITIONAL COMMITMENTS TO PROTECT PERSONAL DATA GOVERNED BY COMPREHENSIVE DATA PROTECTION LAWS
If we receive personal data under a client contract, and the data privacy or security law applicable to such personal data is a so-called “Comprehensive Data Protection Law,” such as the various General Data Protection Regulations adopted by the United Kingdom, and by the European Union for use in the European Economic Area (collectively the “GDPR”), the California Consumer Privacy Act (and its successor the CPRA) and/or similar laws in other United States jurisdictions, then we further undertake the commitments described in this section with respect to our affected clients’ personal data.
1. Capacity, Duration; Nature and Purpose. In delivering our software and services solutions to clients governed by Comprehensive Data Protection Laws, we act in the capacity of our clients’ “service provider” or “processor”, as applicable under such laws. The duration of our processing is at their discretion, commensurate with the duration of our contractual relationship with them. The nature and purpose of our processing is limited to what is needed to provide the software and services solutions described in each specific client contract. The types of personal data processed and categories of data subjects will be determined and disclosed in the applicable contract. All of our processing of such personal data will further be subject to the obligations described in Sections 2 through 10 below.
2. Client Instruction; No Sale. We will never sell any personal data provided to us. We will process personal data only on our clients’ instructions as documented in the governing contract between us and each client. If we are required by law to process personal data in a manner not covered by the instruction we received from a client, we will, unless prohibited by law, inform the affected client before processing. We further will promptly inform affected clients if, in our opinion, their instruction violates the applicable protection law.
3. Cross-border Transfers. To the extent we need to transfer a client’s personal data from the jurisdiction of origin (defined below), but the applicable Comprehensive Data Protection Law restricts such transfer, we will conduct a transfer impact assessment (in such manner and form we believe necessary based on the relative risks) to determine if appropriate safeguards are present in the destination jurisdiction (defined below). If the result of that assessment supports the transfer, it will occur only as permitted under the applicable Comprehensive Data Protection Law and this Section and disclosed to you. Where such transfer is governed by GDPR, that means Articles 46 through 49 thereof. If Article 46 of the European Economic Area’s GDPR is used, we will bind the data recipient to the applicable Standard Contractual Clauses module appropriate to the roles of the parties in each transfer, as such clauses will be permissibly modified to account for the content already present in these Commitments. As used herein, “jurisdiction of origin” means the country in which Slashdot first received the applicable personal data and “destination jurisdiction” means the country, and if applicable, territory, province or state, to which Slashdot is transferring the personal data. Client acknowledges that, except as otherwise expressly stated in the contract between Slashdot and client, Slashdot’s jurisdiction of origin is the United States and that client is, as between Slashdot and client, solely responsible for ensuring it is authorized to deliver its data to Slashdot in the jurisdiction of origin and for fulfilling the obligations of a data controller/collector under the applicable Comprehensive Data Protection Law.
4. Appropriate Measures; Security of Processing. Our Data Security Program, which we will maintain for the duration of each client contract, is designed to satisfy the requirement under Comprehensive Data Protection Laws that we adopt appropriate technical and organizational measures to protect our clients’ affected personal data. We will apply our Data Security Program to our clients’ personal data including as necessary to permit them to comply with applicable law such as the measures required under GDPR Article 32.
5. Workforce Confidentiality Obligations. We will require members of our workforce, including contractors, who are authorized to process our clients’ personal data to have committed themselves to the confidentiality thereof, or are under an appropriate statutory obligation of confidentiality.
6. Sub-processors. If we engage a sub-processor to carry out personal data processing activities that are otherwise part of our obligation to our clients, we will conduct due diligence to confirm they are capable of protecting our clients’ personal data to the same extent as we are under these DPCs, including by way of a contract or other legal act under applicable law, and, to the extent required by applicable law (such as GDPR Article 28, paragraphs (2) and (4)), we will obtain our affected clients’ consent prior to such engagement and notify those clients, with a reasonable opportunity to object, should we change a previously approved sub-processor; provided that by entering into a contract with us, our clients are giving general consent to our use of sub-processors in the roles of the Cloud Providers.
7. Data Subject Requests. Taking into account the nature of our processing, we assist our clients by taking appropriate technical and organizational measures, insofar as possible, in fulfilling their obligation to respond to requests from data subjects to exercise their rights under applicable law including, where a data subject whose personal data we are processing contacts us instead of our client, we will, to the extent legally permitted, promptly notify the applicable client and reasonably cooperate with that client to fulfill its obligations subject to the fact that such client is responsible for any reasonable costs arising therefrom.
8. Verification; Assistance with Compliance. We will assist our clients in ensuring compliance with their obligations to consult with certain regulatory authorities regarding the processing of personal data including, where applicable, such obligations as are enumerated under GDPR Article 28 with respect to GDPR Articles 32 through 34 and 36, taking into account the nature of processing and the information available to us. As described above, we will make available to our affected clients information reasonably necessary to demonstrate our compliance with these Commitments.
9. Deletion or Return. We will, at our clients’ election, delete or return all personal data at the end of our contractual relationship, and delete existing copies unless applicable law requires otherwise. We will, however, avail ourselves of any right applicable law provides permitting us to retain archival copies of personal data or to delete such data in the ordinary course of our documented back-up, retention and destruction procedures. In those situations, we acknowledge that these Commitments continue to govern all such retained personal data.
10. Breach Notification. We will notify our clients of and respond to any Security Breach as described above. If the applicable Comprehensive Data Protection Law requires that such notification contain specific information (as is the case under GDPR Article 33(3)), we will provide the same to the affected client to the extent such information is reasonably available to us.
EXCLUSIONS AND CONDITIONS
Following the majority of Comprehensive Data Protection Laws, business contact information (such as name, title and corporate domain email address) exchanged between the parties to administer their contractual relationship and receive credentials to our software is not treated as personal data under these DPCs. In addition, we are not responsible under these Commitments for any event arising out of: (a) modifications or alterations of the Slashdot software or services made by any individual or entity other than us or our designees; (b) unauthorized access to the Slashdot software or services or the data thereon including (i) under otherwise valid client log-in credentials that were not previously reported to us, in writing, as having been compromised; or (ii) occurring via client’s connection to the Public Network (defined below); (c) our clients’ negligence; (d) any breach of our contract with the applicable client; (e) our clients’ use of an un-supported version of the affected Slashdot software or service; (f) failure to comply with published documentation for the affected Slashdot software or service; (g) any third party integration our clients may request; (h) failures beyond our reasonable control; and/or (i) an applicable client’s failure to provide and maintain the required client-side operating environment. “Public Network” means the circuits, overland and/or submarine cabling, and other telecommunications and connectivity infrastructure from a point of demarcation starting immediately after the ingress/egress router or similar appliance for our clients’ network to the point immediately before the ingress/egress router or similar appliance at the facilities we use for our own networks and communications infrastructure including those operating on the Cloud Providers’ infrastructure.
CCPA ADDENDUM
- In the course of this Agreement Media Company may disclose personal information, as that term is defined within the California Consumer Privacy Act (“CCPA”) (and its successor the CPRA) to Client including any such personal information that is present within Lead Data, as that term is defined within the Agreement. Client understands that it will be a third party, as provided by the CCPA as to this data transfer, and thus must abide by any statutory restrictions provided therein.
- Client certifies that it understands and will comply with the requirements set forth in this CCPA Addendum.
- Client agrees not to further sell, as that term is defined by the CCPA, any personal information sold to it by Media Company, unless in accordance with the CCPA, it has caused any consumers to which said personal information pertains to receive explicit notice of the proposed sale and an opportunity to exercise their right to opt out.
- Client further agrees to take such actions as directed by Media Company where required for compliance with the CCPA, including providing records regarding the processing of any such Personal Information.