GDPR Compliance Datasheet: OneSpot InBox™

OneSpot engaged independent data privacy risk management provider TrustArc™ to review and document the data flows and practices described in this datasheet. The purpose of this document is to provide customers of OneSpot with the information needed to assess the impact of the InBox solution on their overall privacy posture by detailing how personal information may be captured, processed and stored by and within the InBox solution.

www.onespot.com/compliance Page 2

Privacy by Design

Inbox was designed and built with privacy in mind. We created a service to deliver relevant content to users anonymously, without personally identifying users. Our privacy by design [1] approach keeps end-user privacy at the center of what we do. We believe we have a responsibility to safeguard privacy and support anonymity in user behavior analysis, so that trust between email marketers, subscribers and customers can be assured and maintained.

Commitment to GDPR

Our top priority is ensuring that our customers can use InBox in a GDPR-compliant manner and that the data we collect is processed securely. Well before the European Union's GDPR was adopted, we made the commitment to collect only non-personally identifiable information in our tracking and logging data. Through a combination of controls on people, process and tools, OneSpot ensures that none of the data that is automatically collected, stored or handled can be used to identify a person either directly or indirectly. This is consistent with the guiding principle of privacy by design and default as stated under GDPR Article 25. We're excited to welcome the GDPR and are committed to ensuring that our customers have full confidence in their privacy posture when adding the InBox product to their website and in their emails. We have retained TrustArc to do a full GDPR assessment of InBox, producing both an Article 35 Data Protection Impact Assessment (DPIA) report and an Article 30 report outlining data processing activities.

Information Processed

OneSpot does not handle any personal data about visitors that browse our customers' websites as part of our InBox product. Our focus is on what website visitors and email subscribers do, not who those individuals are. We use anonymous cookie identifiers stored in a visitor's web browser to track browsing activity on your website. If the visitor uses multiple web browsers across various devices, the visitor will have a separate cookie for each device and browser. These cookie IDs cannot identify a data subject, either directly or indirectly. We do not send email for you, do not store your contact lists and do not accept email addresses as identifiers. When customers make InBox API requests, they identify the recipient either (a) using a non-PII contact id or (b) a hashed email address, which takes an email address and applies a one-way cryptographic function (such as MD5 or SHA). OneSpot is unable to identify any data subject, either directly or indirectly, from these email identifiers. We do not collect, accept or store any other information that could be combined with these cookie identifiers or email identifiers and subsequently used to identify a visitor.

InBox constructs user histories through the use of non-personally identifiable information such as cookie id, email id (described above), emails opened, emails clicked, page visited, browser version, date and time. These histories are processed so that our customers' email subscribers can receive personalized content recommendations via email, and so you can understand the performance of these recommendations without personally identifying individual subscribers. InBox provides content recommendation services to your email recipients globally. The data is collected through the inclusion of a OneSpot JavaScript tag, which is embedded on the customer's site and stores data in first- and third-party cookies in the visitor's browser. Customers also add an 'open pixel' to their emails to track email opens, as well as click redirects to track clicks on recommended content. Through the combination of company procedures and technical controls, we ensure that we do not enrich, accept or store any information that would enable us to identify a data subject in the EU or anywhere else as part of our InBox product. A list of the data elements that are collected and processed by OneSpot is documented in the Article 30 report. These reports are available upon request.

We make reasonable efforts to scrub any data items that may be considered identifiable information. For example, we obfuscate all IP addresses (replacing the final octet of the IP address with a zero) as part of our data ingestion process. We also log non-personally identifiable information about which content recommendations were presented, which were clicked, and which A/B test variants belong to a visitor. These are all used for performance reporting and system diagnostics. After completing a thorough review of our data practices and policies, TrustArc has determined that none of the data that we collect, accept or store as part of delivering our InBox product would be classified as personal data as defined by GDPR Article 4.1.*

Customer and Consumer Privacy Options

Even though the data collected is non-personally identifiable, OneSpot is committed to the principle of consumer choice and provides options for both the website visitor and our customers to control what data gets collected by the JavaScript on the site. When a visitor's browser is set to do-not-track, the JavaScript will respect this setting and not send tracking events from that browser to OneSpot.

[1] Privacy by Design: https://gdpr-info.eu/issues/privacy-by-design
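The ingestion-time IP obfuscation described above (final octet replaced with zero), written out as an added example that is not OneSpot's code: it applies the rule to constructed log lines and adds an is_scrubbed check so a record whose address still carries host bits is caught before storage. The IPv6 handling, the log format and the 48-bit prefix are assumptions of this example, not anything the datasheet states.

```python
import ipaddress

# Constructed sample ingestion log lines (not from the datasheet): "<timestamp> <client_ip> <event>"
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 203.0.113.57 pageview",
    "2024-01-01T10:00:01Z 2001:db8:85a3::8a2e:370:7334 pageview",
    "2024-01-01T10:00:02Z not-an-ip email_open",
]

IPV6_KEEP_BITS = 48  # assumption: keep the routing prefix, zero the rest


def scrub_ip(addr: str) -> str:
    """Coarsen a client address before it is stored.

    IPv4: replace the final octet with zero, the rule the datasheet describes.
    IPv6: not covered by the page; as an assumption, keep the top 48 bits and
    zero the remaining 80, since interface identifiers are far more
    identifying than a single IPv4 host octet.
    Anything unparseable becomes 0.0.0.0 so a malformed or tampered field is
    never stored verbatim.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "0.0.0.0"
    if ip.version == 4:
        return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFF00))
    mask = ((1 << IPV6_KEEP_BITS) - 1) << (128 - IPV6_KEEP_BITS)
    return str(ipaddress.IPv6Address(int(ip) & mask))


def is_scrubbed(addr: str) -> bool:
    """Ingestion check: true only if the address carries no host bits already."""
    return scrub_ip(addr) == addr


def scrub_log(lines):
    """Apply scrub_ip to the client_ip field of each line and return the new lines."""
    out = []
    for line in lines:
        ts, client_ip, event = line.split(" ", 2)
        out.append(f"{ts} {scrub_ip(client_ip)} {event}")
    return out


if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        assert is_scrubbed(line.split(" ", 2)[1])  # nothing identifying reaches storage
        print(line)
```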

Additionally, OneSpot provides the technical capability for customers (website owners) to turn off tracking on a visitor-by-visitor basis. This enables the website owner to implement any privacy or consent policies for their respective website.

Data Retention

Data is stored in our data centers, which are hosted by Amazon Web Services. Historical data is important to the task of detecting long-term patterns of content engagement; therefore, by default OneSpot retains non-personally identifiable log data indefinitely. Occasionally, OneSpot will delete data that has come to the end of its useful life; these decisions are made on a case-by-case basis. OneSpot will set first-party cookies on the customer's website domain. The expiration of these cookies can be modified according to specific data protection laws and customer expectations.

Security

OneSpot employs state-of-the-art technical and administrative measures to exceed the expectations outlined in GDPR Article 32. Below are the key measures taken with our data processing activities.

Network Level

• All OneSpot data center infrastructure is hosted by Amazon Web Services (AWS).
• AWS has compliance certification [2] with every major security standard including ISO, FIPS, and DoD.
• All system and security patches are managed by AWS.
• All systems are firewalled using AWS security groups.
• All managed server resources live inside OneSpot's own AWS Virtual Private Cloud (VPC), limiting connectivity from the outside.
• Direct access to systems is through secure transport protocols.
• Access to systems inside of the VPC is tunneled through a server in our DMZ that is locked down.

Access Control

• OneSpot requires 2-factor authentication on all AWS developer accounts.
• We limit system access through AWS IAM (identity and access management) using IAM roles and policies based on the principle of least privilege.
• Developers have tiered access privileges based on their role and the principle of least privilege.
• Clients and non-contracted third parties are not granted direct access to OneSpot back-end systems.
• OneSpot rotates AWS keys periodically.
• OneSpot staff are educated on preventing common targeted attacks (spear phishing, social engineering).
• Physical access to OneSpot office space (Austin and NYC) is controlled with NFC cards.

Vulnerability Monitoring

• OneSpot's continuous integration pipelines monitor software artifacts for potential vulnerabilities.
• The pipeline performs static analysis to uncover potential common security exploits in our code.
• Automated checks are run against the NIST National Vulnerability Database.
• OneSpot monitors the feed of published AWS security bulletins.

[2] AWS Compliance Programs: https://aws.amazon.com/compliance/programs/

More detailed documentation on OneSpot data security and availability is available upon request.

Dataflow Map

Below is a dataflow map of all relevant data flows and processing by the product. [Figure: dataflow map with steps labelled A through G; the image is not reproduced here.]

A description of the dataflow map is included below:

Website owners will embed the InBox JavaScript in the HTML of the pages on their site that they wish OneSpot to track. When a visitor is viewing such a web page, the JavaScript will report non-personally identifiable information back to OneSpot through tracking pixels and cookies. This associates an anonymous and randomly assigned cookie identifier with the user. It sends a random and anonymous session identifier and a page view identifier, with information such as the page the visitor was on, how long they dwelled on the page, how far they scrolled, the type of browser and device they are using, page load time and various other log data.

This information is processed by OneSpot's data center and, when an email being sent by the customer contains InBox recommendation units, content recommendations are delivered back to the user from the OneSpot data center via an API interface. Recommendations will be delivered either at "send time", where the HTML containing the personalized recommendations is inserted directly into the email by the email server before sending, or at "open time", where the email server includes an HTML image tag that references a dynamic image hosted by OneSpot; when the recipient opens the email, the recommended content is displayed to the user as an image. The decision on whether to use "open time" versus "send time" personalization is a choice based on email server capabilities and customer preference.

When an email recipient opens the email, OneSpot will receive a notification via the open pixel embedded in the email. All InBox content recommendation requests, content recommendations made, and content recommendation clicks are logged in the OneSpot data center. When a recipient clicks on an email link and arrives on the site, the JavaScript will correlate the cookie id to the email id for the subscriber. None of this information contains personally identifiable information about the email recipient.

OneSpot will sync cookie identifiers with third-party systems such as Data Management Platforms (DMPs). This cookie sync enables OneSpot to receive data from DMPs about cookies. Neither the OneSpot cookie id nor the third-party ID will contain any personally identifiable information, and it is OneSpot's policy not to accept from DMPs or third-party systems any personally identifiable information that could be combined with the cookie id to enable OneSpot to identify a data subject.

OneSpot data analysts have access to the OneSpot data center to perform analytics and prepare business intelligence reports that are then delivered to OneSpot customers as part of regular business reviews or custom data analysis assignments. OneSpot's analytics dashboard (Insights™) contains aggregate information collected from the InBox JavaScript-based tracking described above. No personally identifiable information about visitors that browse the customer's website is included in the Insights dashboard. There are a series of InBox product performance dashboards that are available to customers. Again, these dashboards do not expose any personally identifiable information about the visitors who browse the customer's website.


About this Datasheet

The information contained herein is based upon document reviews and interviews with relevant subject matter experts involved in the development and operation of the services described. The discovery process relied upon the good faith accuracy of the information provided; TrustArc has not undertaken an independent audit and does not certify the information contained in this datasheet. However, the information contained herein was believed to be accurate and complete as of the time this datasheet was first published. Please note that the information provided with this paper, concerning technical or professional subject matters, is for general awareness only, may be subject to change and does not constitute legal or professional advice, nor a warranty of fitness for a particular purpose or of compliance with applicable laws.