LAST UPDATED: JANUARY 2022 / EFFECTIVE: JANUARY 2022
Contractual Changes Required by the GDPR
We refer to the Meson terms of service located at Terms of Service (“Agreement”) which You have accepted (in the capacity of a “Publisher” or “supply partner” and also referred to as “You”) to avail the Meson Platform (hereafter referred to as “Meson”) operated by Meson Mediation LLC ("Meson LLC" or "we" or "us") as set out under the Agreement.
The Rider takes account of changes brought in by the Data Protection Legislation (defined below) including the Standard Contractual Clauses.
Incorporation Terms
- The Rider is incorporated into the Agreement and is made and entered into as of the Effective Date.
- Except as set out in the Rider, the Agreement and any other agreements already in place between Meson LLC and the Publisher shall continue in full force and effect.
- In the event of any conflict or inconsistency between the Agreement, the Rider and the Standard Contractual Clauses, the following order of priority shall apply: (i) the Standard Contractual Clauses, (ii) the Rider and (iii) the Agreement.
- To the extent that the Rider does not address specific data processing activities carried out between the parties, the terms of the Agreement shall apply, save that they shall be interpreted to give full effect to the provisions of the Rider.
- Any capitalised terms not defined herein shall have the respective meanings given to them in the Agreement.
- The Rider and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation (a “Claim”) shall be governed by and interpreted in accordance with the laws of Ireland. The parties irrevocably agree that the courts of Ireland have exclusive jurisdiction to settle any Claim.
Please accept or sign and return the Data Protection Rider to acknowledge your agreement to these terms.
If you do not accept these terms, we will discontinue any EEA user related transactions with your applications/mobile websites. Additionally, please do not share any EEA user personal data with us. However, if you continue to use our services, you will be deemed to have accepted these terms.
All communications to be sent to Meson Mediation LLC with a principal place of business at 15420 Laguna Canyon Rd, Irvine, CA 92618, USA and email: legal@meson.ai with a copy to privacy@meson.ai.
Definitions
- “Controller”, “Data Subject”, “Personal Data”, "Personal Data Breach", “Processor” and “Process / Processing” shall each have the meanings given in the Data Protection Legislation.
- “Data Protection Legislation” means all data protection and privacy legislation in force from time to time in the UK and EU as may be applicable to the data in scope, including Regulation (EU) 2016/679 ("GDPR"); the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and any other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data.
- "Permitted Purpose" means Processing in connection with:
  - making available Meson and its services to Publisher;
  - for sharing or transmitting (‘onward transfer’) Publisher provided user personal data to Publisher’s demand partners who integrate with Meson (“Publisher’s Demand Partners”);
  - providing analytics to the Publisher – Instance ID along with the data provided by Publisher such as location data, demographic information, online identifiers, etc. will be used by Meson to support use cases like cohort analysis, behaviour-based user segmentation, frequency capping, user analytics, churn prediction, etc.;
  - to enforce the terms of the Agreement and/or this Rider;
  - to resolve billing disputes and/or for fraud detection; and
  - to comply with any request of a governmental or regulatory body (including subpoenas or court orders). Publisher further acknowledges that Meson may need to transfer Personal Data outside of U.K. or European Economic Area (“EEA”), as the case may be, in the context of Processing.
Status of the Parties
- The parties agree to act at all times in compliance with the Data Protection Legislation.
- The parties acknowledge that for the purposes of the Data Protection Legislation, Publisher will be acting as the Controller and Meson LLC will be acting as the Processor.
Controller's Obligations
Controller agrees to:
- comply with all requirements applicable to it under applicable Data Protection Legislation including obtaining the appropriate consents for the Processing of Personal Data, providing for an adequate privacy policy; and
- maintain Data Subject rights measures and notify the Processor of any Data Subject requests to exercise their rights, including but not limited to access, deletion and rectification.
Processor's Obligations
Processor agrees to:
- process the Personal Data only for the Permitted Purpose and on Controller's written instructions. Processor will immediately notify Controller if, in its opinion, Controller's instructions would not comply with the Data Protection Legislation;
- promptly comply with any request or instruction from Controller requiring Processor to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised Processing;
- maintain the confidentiality of all Personal Data and not disclose Personal Data to third parties unless Controller or this Rider specifically authorises the disclosure, or as required by law;
- if a law, court, regulator or supervisory authority requires the Processor to process or disclose Personal Data, the Processor will first use reasonable endeavours to inform Controller of the legal or regulatory requirement and give Controller an opportunity to object or challenge the requirement, unless the law prohibits such notice;
- reasonably assist Controller with meeting Controller's compliance obligations under the Data Protection Legislation, taking into account the nature of the Processor's processing and the information available to the Processor, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation;
- promptly notify Controller of any changes to Data Protection Legislation that may adversely affect the Processor's performance of the services under the Agreement; and
- ensure that any and all employees:
  - are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
  - have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
  - are aware both of the Processor's duties and their personal duties and obligations under the Data Protection Legislation and this Rider.
Security
- Processor will at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in the Annex.
- If the Processor is not able to implement Controller's secure or encrypted transmission mechanisms in connection with the Personal Data, the Processor shall notify Controller as to how it will implement equivalent measures and in such a case, Processor shall remain liable for the use of such measures.
- Processor will maintain an up-to-date written record of Processor's then-current security measures, which Processor shall provide to Controller on request, and review at least on an annual basis to ensure they remain current and complete.
- Processor will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
  - the encryption of Personal Data or equivalent measures;
  - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  - to the extent possible, the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
  - a process for regularly testing, assessing and evaluating the effectiveness of security measures.
Personal Data Breach
- Processor will promptly and without undue delay notify Controller if any of Controller's Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. Processor will restore such Personal Data at Processor's own expense.
- Processor will without undue delay notify Controller if Processor becomes aware of:
  - any accidental, unauthorised or unlawful processing of Controller's Personal Data; or
  - any Personal Data Breach relating to Controller's Personal Data.
- Where Processor becomes aware of an event within the scope of clause 2 (under Personal Data Breach), Processor shall, without undue delay, also provide Controller with the following information:
  - a description of the nature of such event, including the categories and approximate number of both Data Subjects and Personal Data records concerned;
  - the likely consequences of the event; and
  - a description of the measures taken or proposed to be taken to address such event, including measures to mitigate its possible adverse effects.
- Immediately following any unauthorised or unlawful Processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Processor will reasonably co-operate with Controller in Controller's handling of the matter, including:
  - assisting with any investigation;
  - making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by Controller; and
  - taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Processing.
- Processor will not inform any third party of any Personal Data Breach without first obtaining Controller's prior written consent, except when required to do so by law, to maintain any policy of insurance, or to maintain regulatory or equivalent certifications.
- Subject to clause 5 (under Personal Data Breach) Controller has the sole right to determine:
  - whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Controller's discretion, including the contents and delivery method of the notice; and
  - whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
Cross-Border Transfers of Personal Data
- If an adequate protection measure for the international transfer of Personal Data is required under the Data Protection Legislation (and has not otherwise been arranged by the parties) the Annex shall apply.
- Controller hereby acknowledges that, as per Controller’s instructions, the Processor may share as ‘onward transfer’, Personal Data of UK or EEA Data Subjects outside of the U.K. or EEA, respectively as applicable, with Controller’s Demand Partners and attribution/fraud detection partners towards the permitted purposes set out under clause 3 (under Definitions) pursuant to this Rider.
- Controller consents to Processor (and its sub-processors) transferring Personal Data outside the UK and the European Economic Area (EEA) ("GDPR Territories"). Provided that where such processing occurs, Processor:
  - is Processing Personal Data in a territory which is subject to a current finding by the UK's Information Commissioner's Office and/or the European Commission (as applicable) under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals;
  - participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Processor (and, where appropriate, Controller) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Data Protection Legislation; or
  - otherwise ensures that the transfer complies with the Data Protection Legislation.
- In the case of any Processing of Personal Data outside of the GDPR Territories as at the date of this Rider, the parties have identified in the Annex the relevant transfer mechanism.
Sub-Processors
- Processor may only authorise a sub-processor to process the Personal Data if:
  - the sub-processor falls within the permitted categories of sub-processor in the Annex or Controller otherwise provides written consent prior to the appointment of a sub-processor;
  - Processor enters into a written contract with the sub-processor that contains terms substantially the same as those set out in this Rider, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon Controller's written request and at Processor's expense, provide Controller with copies of such contracts; and
  - Processor maintains control over all Personal Data Processor entrusts to the sub-processor.
- The permitted categories of sub-processors approved as at the Effective Date are set out in the Annex.
- On Controller's written request, Processor will audit a sub-processor's compliance with its obligations regarding the Personal Data and provide Controller with the audit results. Where Controller concludes reasonably that the sub-processor is in default of its obligations regarding the Personal Data, Controller may in writing instruct Processor to instruct the sub-processor to remedy such deficiencies within five (5) working days.
Complaints, Data Subject Requests and Third-Party Rights
- Processor will take such technical and organisational measures as may be appropriate, and promptly provide such information to Controller as Controller may reasonably require, to enable Controller to comply with:
  - the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and
  - information or assessment notices served on Controller by any supervisory authority under the Data Protection Legislation.
- Processor will notify Controller immediately if Processor receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
- Processor will notify Controller without undue delay if Processor receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.
- Processor will give Controller Processor's full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request. Where applicable, Controller can share Data Subject Requests with the Processor for fulfilment purposes to dsr@meson.ai with a copy to privacy@meson.ai.
- Processor will not disclose the Personal Data to any Data Subject or to a third party other than at Controller's request or instruction, as provided for in this Rider or as required by law.
Liability
Each party shall indemnify and defend the other party against all loss, liability, damages (including reasonable legal costs) fees, claims and expenses arising from any third-party claims, which a party may incur or suffer in connection with the indemnifying party’s breach of the terms of this Rider resulting in violation of applicable Data Protection Legislation. Publisher shall indemnify and defend Meson LLC against all loss, fines, liability, damages (including reasonable legal costs) fees, claims and expenses arising from any third-party claims including claims from Publisher’s demand partners, which Meson LLC may incur or suffer in connection with onward transfer or sharing of any U.K. or EEA Data Subject’s Personal Data with Publisher’s demand partners or their attribution partners at Publisher’s request or on behalf of Publisher. The indemnifying party shall have control over the defense. IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR LOST PROFITS, INDIRECT, PUNITIVE OR CONSEQUENTIAL DAMAGES. EACH PARTY’S TOTAL AGGREGATE LIABILITY TO THE OTHER PARTY OR ANY THIRD PARTY FOR ALL CLAIMS ARISING UNDER OR IN CONNECTION WITH THIS RIDER SHALL NOT EXCEED US$50,000. THE LIMITATIONS OF THIS SECTION SHALL APPLY EVEN IF EITHER OR BOTH PARTIES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.
Term and Termination
- This Rider will remain in full force and effect for so long as Processor retains any of Controller's Personal Data related to the Agreement in Processor's possession or control.
- Any provision of this Rider that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Personal Data will remain in full force and effect.
- If a change in any Data Protection Legislation prevents either party from fulfilling all or part of the Agreement, the parties will discuss in good faith with a view to implementing any changes necessary to ensure the processing of Personal Data complies with the new requirements.
Data Return and Destruction
- At Controller's request, Processor will give Controller a copy of or access to all or part of Controller's Personal Data in Processor's possession or control in a commonly accessible and electronic format determined by Controller.
- On termination of the Agreement for any reason or expiry of its term, Processor will promptly securely delete or destroy or, if directed in writing by Controller, return and not retain, all or any Personal Data related to this Rider in Processor's possession or control. This requirement shall not apply to Personal Data which Processor has archived on Processor's backup systems which are not reasonably accessible, provided that such Personal Data is deleted promptly in the event such backups become reasonably accessible (such as by Processor using those backups to restore Processor's systems).
- Clause 2 (under Data Return and Destruction) shall not apply to the extent any law, regulation, or government or regulatory body requires Processor to retain any documents or materials that Processor would otherwise be required to return or destroy.
Records
Processor will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data Processor carries out for Controller ("Records") and provide Controller with copies of the Records upon request.
Audit
- Processor will permit Controller and its third-party representatives to audit Processor's compliance with Processor's obligations, on at least 10 working days' written notice, during the term of the Agreement.
- Processor will give Controller and its third-party representatives all reasonable and necessary assistance to conduct such audits at no additional cost to Controller.
- The notice requirements in clause 1 will not apply if Controller reasonably believes that a Personal Data Breach has occurred or is occurring, or Processor is in material breach of any of Processor's obligations under the Agreement, the Rider or the Data Protection Legislation.
- On Controller's written request, Processor will exercise any relevant audit rights it has in connection with any sub-processors’ compliance with their obligations regarding Controller's Personal Data and provide Controller with a summary of the audit results.
- Nothing in this Rider shall prevent or is intended to undermine the rights and powers granted to Data Subjects or supervisory authorities, and accordingly Processor shall submit to any audits required by a supervisory authority or under Data Protection Legislation.
Annex
INTERNATIONAL DATA TRANSFERS (UK AND EU)
1 INCORPORATION OF UK AND EU STANDARD CONTRACTUAL CLAUSES
1.1. To the extent this Annex relates to transfers of Personal Data subject to the UK GDPR:
1.1.1 paragraphs 1.2, 1.3 and 3 of this Annex apply, and override any conflicting provision set out elsewhere in this Annex; and
1.1.2 paragraph 2 of this Annex does not apply.
1.2. This Annex shall be read and interpreted in the light of the provisions of applicable data protection laws in the United Kingdom, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR.
1.3. To the extent the processing of personal data is subject to the UK GDPR and an international transfer mechanism is required under the UK GDPR relating to the parties' transfer of personal data:
1.1.3 in their capacity as controllers, the standard contractual clauses for the transfer of personal data to controllers established in third countries pursuant to European Commission Decision 2004/915/EC of 27 December 2004, subject to the Modifications and without any optional or illustrative clauses are incorporated into this Annex as if they had been set out in full, with the processing particulars set out in paragraph 3 of this Annex;
1.1.4 where the exporter of data is a controller and the importer is a processor, the standard contractual clauses for the transfer of data to processors established in third countries pursuant to European Commission Decision 2010/87/EU of 5 February 2010, subject to the Modifications and without any optional or illustrative clauses are incorporated into this Annex as if they had been set out in full, with the processing particulars set out in paragraph 3 of this Annex; and
1.1.5 for the purposes of this paragraph 1.3 the "Modifications" means: the modifications made by the UK's Information Commissioner to the standard contractual clauses. Such modifications being: (i) general references to Supervisory Authority and similar (such as relevant authorities of the Member State) shall be changed to Commissioner; (ii) general references to member state law and member state courts shall be changed to applicable data protection law (being the UK GDPR and the UK's Data Protection Act 2018) and UK courts respectively; (iii) general references to Directive 95/46/EC shall be changed to the UK GDPR; (iv) general references to adequacy and specific section references to Article 25(1) or Directive 95/46/EC shall be changed to UK adequacy regulations and Section 17A of the Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 of the Data Protection Act 2018; (v) references to Member State or European Economic Area shall be changed to UK; and (vi) the variation provisions of the UK SCCs shall be deemed to include the following: the parties are not precluded from modifying the Clauses where permitted by Paragraphs 7(3) and (4) of Schedule 21 of the Data Protection Act 2018. The modified standard contractual clauses in this paragraph 1.3 are referred to as the "UK SCCs".
1.4. To the extent this Annex relates to transfers of Personal Data to which the GDPR applies:
1.1.6 module 2 of the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 (the "2021 EU SCCs"), and no other optional clauses unless explicitly specified, are incorporated into this Annex as if they had been set out in full in the case where the exporter is a controller, the importer is a processor and the transfer requires such additional protection;
1.1.7 module 4 of the 2021 EU SCCs, and no other optional clauses unless explicitly specified, are incorporated into this Annex as if they had been set out in full in the case where the exporter is a processor, the importer is a controller and the transfer requires such additional protection; and
1.1.8 paragraphs 1.2 and 1.3 of this Annex do not apply.
2 CLARIFICATIONS TO THE 2021 EU SCCS
2.1. Paragraphs 2.2 – 2.8 of this Annex apply to the extent module 2 of the 2021 EU SCCs apply.
2.2. Deletion of data. For the purposes of clause 8.5 of the 2021 EU SCCs (Duration of processing and erasure or return of data), the parties agree as follows: At the end of the provision of the processing services the Importer shall delete or anonymise all personal data and shall certify to the Exporter that it has done so, if requested to provide such certification by the Exporter in writing.
2.3. Auditing. The parties acknowledge that the Importer complies with its obligations under clause 8.9 of the 2021 EU SCCs (Section II to the Standard Contractual Clauses (Documentation and compliance)) by exercising its contractual audit rights it has agreed with its sub-processors.
2.4. Sub-Processors. For the purposes of clause 9 of the 2021 EU SCCs (Section II to the Standard Contractual Clauses (Use of sub-processors)), the parties agree that the process for appointing sub-Processors set out in clause 9 applies.
2.5. International Transfer Assessments. For the purposes of clause 14(c) of the 2021 EU SCCs (Local laws and practices affecting compliance with the Clauses) the data exporter has been provided with a transfer impact assessment by the data importer which the data exporter accepts as sufficient to fulfil the data importer's obligations pursuant to clause 14(c) and 14(a). The Exporter acknowledges that it has been provided with the security measures applied to the personal data and approves such measures as being in compliance with these Clauses.
2.6. Best Efforts Obligations. For the purposes of clauses 14(c), 15.1(b) and 15.2 of the 2021 EU SCCs (Section III to the Standard Contractual Clauses (Local laws and practices affecting compliance with the Clauses)) the parties agree that "best efforts" and the obligations of the data importer under clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.
2.7. Competent Supervisory Authority. For the purposes of clause 13 of the 2021 EU SCCs, the Competent Supervisory Authority shall be:
2.1.1 if the data exporter is established in the EU: The Irish Data Protection Commissioner;
2.1.2 where the data exporter is not established in an EU Member State and has appointed a representative pursuant to Article 27(1) regulation (EU) 2016/679, it shall notify the importer of this and the EU Member State in which the exporter's representative is appointed shall be the competent supervisory authority; and
2.1.3 where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) but has not appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: the data exporter shall notify the data importer of its chosen competent supervisory authority, which must be the supervisory authority of a Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
2.8. Governing Law & jurisdiction. For the purposes of clauses 17 and 18 of the 2021 EU SCCs, the parties agree that the governing law shall be where the exporter is established. If those laws do not allow for 3rd party rights, the law of Ireland shall apply.
2.9. Module 4 clarifications. To the extent module 4 of the 2021 EU SCCs applies as determined by paragraph 1.1.7 of this Annex: (i) paragraphs 4.1 and 4.2 of this Annex shall be modified to reflect that the exporter is a processor and the importer is a controller; (ii) for the purposes of clause 8.1(d) of the 2021 EU SCCs, at the end of the provision of the processing services the importer shall delete all personal data and shall certify to the exporter that it has done so, if requested to provide such certification by the exporter in writing; and for the purposes of clauses 17 and 18 of the 2021 EU SCCs, the laws and courts of Ireland will apply.
3 APPENDICES AND ANNEXURES TO THE SCCS
3.1. The processing details required by the UK SCCs and the 2021 EU SCCs are set out in paragraph 4:
3.1.1 the details required for Appendix 1 of the UK SCCs are set out at paragraphs 4.1 – 4.5 and 4.7;
3.1.2 the details required for Appendix 2 of the UK SCCs are set out at paragraph 4.12 and the illustrative indemnity and commercial clauses are deleted;
3.1.3 the details required at Annex 1.A of the 2021 EU SCCs are set out at paragraphs 4.1 – 4.2;
3.1.4 the details required at Annex 1.B of the 2021 EU SCCs are set out at paragraphs 4.3 – 4.10; and
3.1.5 the details required at Annex 1.C of the 2021 EU SCCs are set out at paragraph 2.6; and
2.8.4 the details required at Annex 2 of the 2021 EU SCCs are set out at paragraph 4.10.
4 PROCESSING PARTICULARS FOR THE UK AND EU SCCS
The Parties
4.1. Exporter: The sender of the Personal Data
4.2. Importer: The recipient of the Personal Data
Description Of Data Processing
4.3. Categories of data subjects: End users of Publisher’s applications and sites.
4.4. Categories of personal data transferred: Persistent online identifiers and user device identifiers, cookies, User agent or such device data, Clicks and impressions data, IP address, http headers, publisher details (such as site ID, partner ID, publisher name, network data about apps or sites), location data, age, demographic data and such other data sets as are agreed in writing between the parties from time to time.
4.5. Sensitive data transferred: None.
4.6. Frequency of the transfer: Continuous transfers.
4.7. Nature of the processing: As set out in the Permitted Purpose.
4.8. Purpose of the processing: For the Permitted Purpose.
4.9. Duration of the processing: For the term of the Agreement.
4.10. Sub-Processor Transfers: Data vendors.
4.11. Competent Supervisory Authority: As set out in paragraph 2.6.
4.12. Technical and Organisational Measures:
4.12.1. Restriction of access to data centres, systems and server rooms as necessary to ensure protection of Personal Data.
4.12.2. Monitoring of unauthorised access.
4.12.3. Written procedures for employees, contractors and visitors covering confidentiality and security of information.
4.12.4. Restricting access to systems depending on the sensitivity/criticality of such systems.
4.12.5. Use of password protection where such functionality is available.
4.12.6. Maintaining records of the access granted to which individuals.
4.12.7. Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.
Permitted categories of sub-processors