Information Security Overview



The purpose of this document is to provide an overview of the critical features of Tapad's information security program that are designed and implemented to protect information and data from unauthorized access, use, disclosure, destruction, modification, or disruption.


  • Tapad has established a comprehensive information security strategy to ensure the security, confidentiality, and integrity of Tapad data and to protect such information against unauthorized access.
  • Information security functions are managed by Tapad's information security program, which is organized, managed, and designed to comply with regulatory mandates and guidelines. The program's responsibilities include: compliance with applicable laws, assessing policies and guidelines, evaluation and mitigation of risks and threats, monitoring and coordination of emergency responses, and the communication of pertinent information to Tapad's relevant employees and executive leadership team.
  • Tapad has full-time information security specialists dedicated to managing data security, privacy, and risk.
  • Tapad uses technology solutions to meet these information security goals. Some examples of technologies in use include anti-virus management software, firewalls, and vulnerability scanning tools.
  • Security awareness training is required for all Tapad employees. Recurrent training is performed annually as well as throughout the year.
  • Tapad performs background checks for all new hires before onboarding a new employee.
  • An internal technology team meets weekly to discuss information security topics and strategize on security issues facing Tapad, the ad tech industry, and data-driven technology as a whole.
  • Tapad is proud to have the following industry attestations:
    • ISO 27001:2013 certification since 2016. As the internationally recognized standard for information security, this third-party certification holds stringent requirements for those seeking its certification and assures our customers of Tapad's commitment to the confidentiality, integrity, and availability of the data they share with Tapad and the Tapad data as a whole.
    • SOC 2 Type 2 certification since 2020. This affirms that Tapad's information security practices, policies, procedures, and operations meet the SOC 2 standards for security, availability, and confidentiality.
  • Tapad has been listed on the Cloud Security Alliance Security, Trust, and Assurance (CSA STAR) registry since 2019.
  • Tapad maintains a complete set of information security policies and processes conforming to ISO 27001:2013. The confidential list may be shared on customer request upon mutual agreement to the terms of a Non-Disclosure Agreement.
  • Tapad's technology infrastructure is fully cloud-based. Our product is housed within Google Cloud Platform and Amazon Web Services (AWS). We leverage the world-class security capabilities of Google and AWS to ensure the safe storage of data.
  • Security penetration tests are performed annually by an outside firm specializing in cloud security.
  • Continuous security vulnerability scanning is done, and Tapad security staff review findings regularly.
  • Information on Tapad's privacy and regulatory compliance may be found at:


  • Client object storage is stored in Google Cloud Platform and Amazon Web Services.
  • The geographic location for data storage is chosen from the most appropriate regions and zones, based on client needs and any specific regulatory and compliance requirements.


  • At rest - encryption protects your data from a system compromise or data exfiltration by encrypting data while stored. The Advanced Encryption Standard (AES) is used to encrypt data at rest.
  • In transit - encryption in transit protects your data if communications are intercepted while data moves between one site and the cloud provider.
  • Infrastructure - data transmitted to/from Tapad is encrypted in transit. Data stored within the Google Cloud Platform is encrypted at rest.
  • Endpoints - employee devices have endpoint protection, and data is stored in an encrypted manner. In the event a laptop is lost or stolen, Tapad IT can perform a remote wipe of the laptop.
  • Tapad does not store, process, or transmit credit/debit cardholder data. As such, the Payment Card Industry Data Security Standard (PCI DSS) would not apply to Tapad.
  • Google handles key management for the Tapad cloud infrastructure.


  • Tapad is a privacy-first company and has been a member of the ad tech industry's self-regulatory organizations, and guided by these organizations' best practices, since Tapad's inception.
  • Network Advertising Initiative (NAI) - non-profit organization that is the leading self-regulatory association dedicated to responsible data collection and its use for digital advertising.
  • Digital Advertising Alliance (DAA) - independent non-profit organization that establishes and enforces responsible privacy practices across the industry for relevant digital advertising.
  • Our legal and privacy teams are committed to ensuring Tapad's compliance with all applicable privacy laws and rules across the world, including the mandates set forth by the Federal Trade Commission, General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).


  • The Tapad software product development life cycle includes steps to ensure that the underlying software code that runs the Tapad infrastructure is secure.
  • Controls include software code review, application security automated testing, and more.


Additional information about Tapad's information security program or any of the above topics can be shared with clients and potential clients after signing an NDA.


  • Tapad utilizes fully redundant databases and backup servers with RAID disk arrays to reduce the risk of failure on live production data. In addition, Tapad performs regular, automatic, verified data backups of every client database hourly, nightly, and weekly.
  • Data backups are performed multiple times a day, ensuring the reliability and security of Tapad client data.
  • In the unlikely event of a server failure or loss, this means that your data will still be accessible to you.


  • For both our North American and International customers, we have geographic redundancy in place. This means that we have multiple servers backing up your data.
  • In the unlikely event of a server failure or loss, this means that your data will still be accessible to you.


  • Encryption at rest protects data from a system compromise or data exfiltration by encrypting data while stored. The Advanced Encryption Standard (AES) is often used to encrypt data at rest.
  • Encryption in transit protects data if communications are intercepted.


Tapad has defined retention periods depending on the nature of the data.


Procedures and timescales are involved in restoring data from backup, testing the backup capabilities, and storage location of backups.