SMT Information Security & Data Privacy Documentation

Last Modified December 19, 2019

Contents

  1. Summary
  2. Information Security Overview
  3. Information Security: Key Controls
  4. Client & Partner Data
  5. Privacy
  6. GDPR & CCPA Compliance
  7. Insurance
  8. Third Party Certification & Audit


Appendix 1 - Relevant Social Network Terms
Appendix 2 - Client Privacy Policy Examples

1 Summary

Key points regarding privacy and information security at SMT:

¹ Except for consented and authenticated communication between Us, client and user via SMT Platforms, which is not used for any other purpose and is only accessible by the relevant client and only based on the consent of the user.

2 Information Security Overview

Like many companies, SMT faces an increasingly advanced threat environment in the area of information security. Third parties wishing to compromise the information of global companies continue to increase in number, capability, and persistence. To address this reality, SMT has established policies which set forth SMT's commitment to information security and privacy and define practices and procedures to be followed by SMT personnel.

The standards of conduct that are central to SMT’s information security and privacy policies are:

3 Information Security: Key Controls

Clients and partners entrust SMT with their most confidential and valuable information. SMT has developed an Information Security Management System (ISMS), which includes the key controls outlined below. SMT’s detailed ISMS is available to clients on request.

All client and partner data is classified as RESTRICTED information.

4 Client & Partner Data

SMT services include the storage and processing of client and partner data. Background on each of these areas is set out below.

Client Data

Partner Data

Twitter: SMT only collects Twitter data directly from Twitter using their official API endpoints (https://developer.twitter.com/) and complies with the Twitter Developer Terms (https://developer.twitter.com/en/developer-terms). Twitter only provides SMT with access to “public” data via the API endpoint¹.

Facebook: SMT only collects Facebook data directly from Facebook using their official API endpoints (https://developers.facebook.com/) and complies with the Facebook Platform Policy (https://developers.facebook.com/policy/). Facebook only provides SMT with access to “public” data via the API endpoint¹.

Instagram: SMT only collects Instagram data directly from Instagram using their official API endpoints (https://www.instagram.com/developer/) and complies with the Instagram Platform Policy (https://www.instagram.com/about/legal/terms/api/). Instagram only provides SMT with access to “public” data via the API endpoint¹.

Web Content: SMT licenses web content from Webhose (https://webhose.io/), a trusted web content aggregator used by global leaders for media monitoring and big data analytics. Webhose does not provide SMT with access to any data that is encrypted or password protected.

Linkage Data: SMT licenses linkage data from third parties including LiveRamp (https://liveramp.com/privacy/) and the TradeDesk Opensource Unified ID (https://www.thetradedesk.com/industry-initiatives/unified-id-solution).

Third Party Data: SMT partners with a number of third party data licensors to assist in the segmentation of client data (e.g. LiveRamp, Experian and AMZN).

Perhaps more important than explaining what we do is explaining what we don’t do. SMT does not collect any information directly from a natural person¹, scrape websites, or harvest information from unsuspecting people using permissions hidden in apps or social login. The sources described above constitute 100% of the data that SMT makes available as part of the SMT services.

¹ Except for consented and authenticated communication between Us, client and user via SMT Platforms, which is not used for any other purpose and is only accessible by the relevant client and only based on the consent of the user.

5 Privacy

SMT is committed to meeting the privacy obligations in each of the markets in which our clients operate. Refer to our detailed Privacy Policy here: https://smartmediatech.io/privacypolicy. A few pertinent points are as follows:

SMT only stores and processes PUBLIC, “generally available” web and social media content¹.

¹ Except for consented and authenticated communication between Us, client and user via SMT Platforms, which is not used for any other purpose and is only accessible by the relevant client and only based on the consent of the user.

6 GDPR Compliance

SMT is a Data Processor as defined by the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) because it processes Personal Data on behalf of clients and partners (the clients and partners are the Data Controllers as defined by the GDPR). SMT is not a Data Controller because the purpose of processing Personal Data is determined by SMT's clients and partners, not by SMT. SMT does not claim ownership of any Personal Data, nor does it facilitate the collection of any personal information directly from a natural person without instruction via agreement with a relevant Data Controller (i.e. a client or partner).

SMT's commitment to compliance with the GDPR as it relates to Data Processors is summarised as follows:

Definitions

‘Personal Data’ means information relating to an identified or identifiable natural person (a "Data Subject") within the borders of the European Union. A person can be identified from information such as name, ID number, location data, online identifier or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

‘Processing’ means any set of operations performed on Personal Data, such as collection, storage, use and disclosure.

7 Insurance

SMT maintains policies for Cyber Security, Professional Indemnity and Public Liability, with certificates available on request.

8 Third Party Audit & Certification

SMT regularly evaluates the operability of its information security environment as follows:

SOC 2 Audit (to be completed by PwC)

ISO 27001:2013 Certification (to be completed by SAI Global)

Penetration and vulnerability tests (to be completed) 

Internal audits (completed at least annually and reviewed as part of the SOC 2 audit and ISO Certification)

Appendix 1: Social Network Terms

The following Twitter, Facebook and Instagram terms, correct at the time of writing, enable them to share PUBLIC data with SMT and other developer partners.

Twitter

Tweets, Following, Lists, Profile, and Other Public Information: Twitter is primarily designed to help you share information with the world. Most of the information you provide us through Twitter is information you are asking us to make public. You may provide us with profile information such as a short biography, your location, your website, date of birth, or a picture. Additionally, your public information includes the messages you Tweet; the metadata provided with Tweets, such as when you Tweeted and the client application you used to Tweet; information about your account, such as creation time, language, country, and time zone; and the lists you create, people you follow, Tweets you Like or Retweet, and Periscope broadcasts you click or otherwise engage with (such as by commenting or hearting) on Twitter. Twitter broadly and instantly disseminates your public information to a wide range of users, customers, and services, including search engines, developers, and publishers that integrate Twitter content into their services, and organizations such as universities, public health agencies, and market research firms that analyze the information for trends and insights. When you share information or content like photos, videos, and links via the Services, you should think carefully about what you are making public. We may use this information to make inferences, like what topics you may be interested in. Our default is almost always to make the information you provide through the Services public for as long as you do not delete it, but we generally give you settings or features, like protected Tweets, to make the information more private if you want. For certain profile information fields we provide you with visibility settings to select who can see this information in your profile. If you provide us with profile information and you don’t see a visibility setting, that information is public. 
You can change the language and time zone associated with your account at any time using your account settings, available at https://twitter.com/settings/account. (https://twitter.com/en/privacy)

Facebook

Public information is any information you share with a public audience, as well as information in your Public Profile, or content you share on a Facebook Page or another public forum. Public information is available to anyone on or off our Services and can be seen or accessed through online search engines, APIs, and offline media, such as on TV. (https://www.facebook.com/policy.php)

Instagram

Any information or content that you voluntarily disclose for posting to the Service, such as User Content, becomes available to the public, as controlled by any applicable privacy settings that you set. To change your privacy settings on the Service, please change your profile setting. Once you have shared User Content or made it public, that User Content may be re-shared by others. Subject to your profile and privacy settings, any User Content that you make public is searchable by other Users and subject to use under our Instagram API. The use of the Instagram API is subject to the API Terms of Use which incorporates the terms of this Privacy Policy. (http://instagram.com/legal/privacy/)


Appendix 2: Privacy Policy Examples

THE FOLLOWING IS NOT INTENDED TO BE COMPREHENSIVE NOR DOES IT CONSTITUTE LEGAL ADVICE. YOU SHOULD SEEK LEGAL OR OTHER PROFESSIONAL ADVICE BEFORE ACTING OR RELYING ON ANY OF THE CONTENT.

For information only, set out below are some provisions that have been included by global SMT clients in their Privacy Policies to describe how they work with SMT.

“Who we work with: We work with a number of third party companies, and in certain circumstances may share personal information with them. In these circumstances, we have arrangements in place with our partners that limit their use or disclosure of your personal information to the agreed purpose only.”

“What we collect from others: We may collect personal information from other companies that are able to disclose it to us, if it’s not practical to collect it from you. For example, we buy or obtain personal information from trusted sources to help us identify people who might be interested in hearing about our products.”

“Advertising: Everyone hates being bombarded with ads for things they don’t need or have any interest in. We may use your personal information to send you advertising that is customised or more relevant to your interests, characteristics or general location. This doesn’t necessarily mean you’ll get more advertising. It just means that the advertising that you see will hopefully be more relevant to you.”

“Insights from statistics and research: We aggregate, combine and process personal information to generate new insights about our products and customers, so we can provide you with the best possible service.”