
Technical and Organizational Measures

Executive Summary

This Technical and Organizational Measures (“TOMS”) document sets out an overview of TrustArc’s privacy, security, governance, and compliance commitments. Specifically, TrustArc maintains robust global privacy and security programs which provide administrative, physical, and technical safeguards that are designed to protect Customer Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction, as well as maintain compliance with applicable laws and regulations, including data protection and privacy laws. Such measures include:

  • Encryption of Customer Data:
    • In-Transit Transport Layer Security (TLS) v1.2.
    • At-Rest Advanced Encryption Standard (AES) 256-bit.
  • Data Centers [1]: United States, Canada, Germany and Ireland hosting locations using world-class cloud hosting providers to support availability, redundancy and stability requirements.
  • Physical Security: Suitable physical security and environmental controls are in place and are designed to protect, control, and restrict physical access for systems and servers that maintain Customer Data to support uptime, performance, and scalability commitments.
  • Compliance Audits: SOC 2 Type II.
  • Access Controls: Access controls are implemented and designed to prevent and/or mitigate the potential threat of unauthorized application access and/or data loss.
  • Data Segregation: TrustArc employs a multi-tenant architecture and logically separates Customer accounts at the database level.
  • Penetration Testing: In addition to internal assessments and testing, TrustArc engages a third-party to annually conduct comprehensive penetration testing of applicable systems.
  • Perimeter Defense and Intrusion Detection: Perimeter protection tools, techniques and services are in place and designed to prevent unauthorized network traffic from entering TrustArc’s product infrastructure. The TrustArc network features externally facing firewalls and internal network segmentation.
  • Data Deletion, Export, and Return: TrustArc Customers may request Customer Data return or deletion at any time, which will generally be fulfilled within thirty (30) days of Customer’s request.
  • Legal/Regulatory Compliance: TrustArc maintains a comprehensive data protection program with processes, procedures, and policies in place, designed to ensure Customer Data is handled in accordance with applicable privacy laws, including the GDPR, CCPA/CPRA, and LGPD.

[1] Hosting locations may vary depending on the TrustArc product; consult the Sub-Processor Disclosure found at https://trustarc.com/subprocessors.



Introduction


TrustArc Inc (“TrustArc”) is a leader in data privacy compliance and risk management solutions, through its combination of leading software-as-a-service (or “SaaS”) offerings, technology, managed services, and assurance services that together are designed to enable clients to thoughtfully and comprehensively manage all phases of their privacy program management lifecycle. TrustArc is committed to ensuring that the Solutions (as defined in the TrustArc Subscription and Services Agreement) it provides to its Customers are secure and adhere to appropriate industry standards. This Technical and Organizational Measures (or “TOMS”) overview details the security and privacy controls that are implemented by TrustArc across the TrustArc Platform (as used herein, TrustArc Platform shall mean all TrustArc SaaS Solutions).

Encryption


TrustArc takes comprehensive and industry-standard measures that are designed to ensure that Customer Data (as defined in the TrustArc Subscription and Services Agreement) cannot be read, copied, modified, or removed without authorization during electronic transmission [via Transport Layer Security (“TLS”) at v1.2 or higher] or storage [via Advanced Encryption Standard (“AES”) 256-bit]. All Customer Data is protected with comprehensive security measures in place in order to ensure that Customer Data is only accessible to authorized parties. The TrustArc Platform sits behind a set of fully secured web applications which use TLS encryption certificates. These encryption certificates are maintained and secured by TrustArc’s DevOps Team. Additionally, the TrustArc Platform is hosted on Amazon Web Services (“AWS”) and all AWS production Relational Database Service (“RDS”) databases use AWS encryption key services, in conjunction with AWS’ Hardware Security Module (“HSM”) service, to protect data while at rest. HSMs are computing devices that process cryptographic operations and provide secure storage for cryptographic keys. Access to database encryption key management is restricted to a limited subset of need-to-know, highly credentialed staff on a role-based access level with suitable access controls.

Data Centers


TrustArc uses AWS’ cloud hosting solutions to provide hosting operations to support technology infrastructure for the TrustArc Platform. You can learn more about AWS’ comprehensive security safeguards at https://aws.amazon.com/security/. TrustArc specifically uses AWS data centers in the United States, Canada, Germany, and Ireland. As hosting locations may vary depending on the specific subscribed-to TrustArc Solution, consult the Sub-Processor Disclosure found at https://trustarc.com/subprocessors.

AWS provides TrustArc with the traditional services of a world-class leading hosting provider: data network connectivity, electrical power, environmental controls, and a secured facility, along with operational services to monitor and manage the equipment on an ongoing basis. AWS has further implemented the following key control activities:

  • Employee User Access
  • Logical Security
  • Secure Data Handling
  • Physical Security and Environmental Protection
  • Change Management
  • Data Integrity, Availability and Redundancy
  • Incident Handling

Workplace


TrustArc enlists the following measures, as applicable, to ensure that its workplaces are secure:

  • Entrances to buildings are controlled by security personnel at the lobby level.
  • Doors to offices are controlled by biometric systems.
  • Buildings are equipped with security cameras to record activities in certain areas including the front entrances, elevators, and lobbies.
  • Local building codes (e.g., fire codes) are observed. Manufacturers’ recommendations on fire protection of hardware are followed.
  • Telecommuting workers are required to follow all corporate, security, confidentiality, HR, and/or code of conduct policies that are applicable to other employees/contractors.
  • Access to any production servers which contain Customer Data is highly restricted to those who, based on their role and function, have a need to know, on a role basis, under suitable access controls and following the principle of least privilege.

Compliance Audits


TrustArc’s information security management system is annually assessed, using a qualified external third-party auditor, in accordance with the American Institute of Certified Public Accountants (“AICPA”) Service Organization Control (SOC) 2 Type II controls and standards.

Application Security


Web application security assessments are performed for the purposes of maintaining the security posture, compliance, risk management, and change control of technologies in use at TrustArc. All web application security assessments are performed by designated DevOps personnel and/or QA Engineers either employed or contracted by TrustArc. All security issues discovered during assessments are categorized by risk criticality and severity, commensurate with documented policies on risk management, and prioritized for remediation where such remediation is determined necessary. The risk levels are based on the Open Worldwide Application Security Project (“OWASP”) Risk Rating Methodology. Remediation validation testing is then performed to validate, fix, and/or mitigate any relevant discovered issues of medium risk level or greater where such issues are viewed, based on industry standard approaches, to pose risk and such risk cannot otherwise be mitigated.

The following security assessment levels/types are used, as required and applicable:

  • Full – A full assessment consists of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP Testing Guide. A full assessment uses manual penetration testing techniques to validate discovered vulnerabilities and to determine the overall risk of any and all discovered vulnerabilities.
  • Quick – A quick assessment consists of a (typically) automated scan of an application for, at a minimum, the OWASP Top Ten web application security risks.
  • Targeted – A targeted assessment is performed to verify vulnerability remediation changes or new application functionality.

Logging, Monitoring, and Alerting


TrustArc maintains policies and procedures around logging, monitoring, and alerting, which establish the principles and controls implemented to enhance TrustArc’s capability to promptly detect suspicious activity and respond to it in a timely manner.

Intrusion Detection and Response


All application servers hosted in AWS have intrusion detection systems (“IDS”) installed. A lightweight host-based IDS client is installed on all servers and is used to detect access and changes at the system level. The IDS client performs log analysis, integrity checking, registry monitoring, rootkit detection, time-based alerting, and active response. When a change to or access of the system is detected, an event is triggered and sent to the IDS server, which emits a notification to the DevOps team for assessment. Server logs are stored and retained on the IDS server for ninety (90) days.

Threat Management


TrustArc appoints a number of executive leadership members who are responsible for coordinating the company’s risk analysis and identifying appropriate persons within the organization to assist with the risk analysis. This risk analysis is a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of assets held by TrustArc. It is designed to reassess the security risks to those assets and to evaluate the effectiveness of TrustArc’s security measures and safeguards as necessary in light of changes to business practice and technological advancements. Risk analysis meetings occur on a semi-annual basis. These meetings are in addition to routine and ongoing assessment, planning, and response to actual, perceived, or possible risks as identified by the organization and its respective responsible groups (e.g., Privacy, Security, DevOps, Engineering).

Access Controls


Access control procedures are in place in order to ensure that only authorized persons are able to access relevant information and to protect against possible data loss, deletion, or corruption risk. Information resources are protected by the use of access control systems. Access control systems include both internal (e.g., passwords, encryption, access control lists, constrained user interfaces, etc.) and external (e.g., port protection devices, firewalls, host-based authentication) systems. Rules for access to resources (including internal and external networks) have been established by the information/application owner or manager responsible for the resources.

Data Segregation


TrustArc leverages a multi-tenant architecture, logically separated at the database level, based on the Customer’s account. Parties must be authenticated to gain access to an account. TrustArc has implemented controls designed to prevent a Customer or User from seeing the data of other Customers or their Users.

Perimeter Defense and Intrusion Detection


TrustArc uses perimeter protection tools, techniques and services to protect against unauthorized network traffic entering TrustArc infrastructure. These include, but are not limited to:

  • Intrusion detection systems that monitor systems, services, networks and applications for unauthorized access.
  • Critical system and configuration file monitoring.
  • Application-layer DDoS prevention services that proxy TrustArc traffic.
  • AWS security groups on TrustArc web servers that filter inbound and outbound connections, including internal connections between TrustArc systems.
  • Internal network segmentation.

Security Operations and Incident Management


While TrustArc believes that security and privacy are each employee’s responsibility at the organization, it has established a Confidentiality/Security Team (“CST”) made up of key personnel whose responsibility it is to identify areas of concern within the company and act as the first line of defense in enhancing the appropriate security posture. The CST continuously evaluates, identifies, and takes actions to prevent and/or mitigate potential security issues or threats. As part of its duties, the CST also helps foster a “security-first” culture, working with the Legal and Privacy Teams (who similarly foster a “privacy-first” culture), to identify key areas that should be addressed in annual employee training, and reviews and updates applicable security policies as necessary.

An incident response plan is in place for the purpose of responding to potential privacy and security incidents. An Incident Response Team (“IRT”) is responsible for detecting and responding to security events as reported by any employee and developing incident response procedures, in conjunction with the Legal and Privacy Team, including a documented Incident Response Plan (“IRP”) that includes communication processes and standard operating procedures. The IRP details how employees report suspected security incidents and the escalation procedures to follow when appropriate.

Disaster Recovery Plan


In the event of an unforeseen disaster or emergency caused by fire, vandalism, terrorism, system failure, or other emergency, TrustArc has the capability and plans in place to quickly restore or recover any loss of company mission-critical data and/or of the systems necessary to make mission-critical data available in a timely manner, and to continue operations during such time as information systems are unavailable.

Data Deletion, Export, and Return


At any time, Customers may request the return (in a machine-readable format) or deletion of their Customer Data. Requests shall be processed within thirty (30) days of receipt; however, in the unlikely event that more time is needed to process a request, notice will be provided as soon as possible of any anticipated delay and revised completion deadline.

Organizational Controls


TrustArc maintains a comprehensive set of security policies and procedures that are routinely reviewed and updated as necessary to support TrustArc’s security objectives, changes in applicable law, industry standards, compliance efforts and client obligations. Changes to TrustArc systems are assessed, tested, and approved before implementation to reduce the risk of disruption to TrustArc Solutions.

Training

TrustArc’s privacy and security awareness program involves training employees about the importance of handling Customer Data, Personal Information (as defined in the Data Processing Addendum (“DPA”)) and confidential information ethically, responsibly, in compliance with applicable law, and with due care. All workforce members shall receive appropriate training concerning the company’s applicable privacy and security policies and procedures. Such training shall be provided prior to onboarding and on an ongoing annual basis for all employees. 

Legal and Regulatory Compliance Program


TrustArc’s legal and regulatory compliance programs are designed to meet, on an ongoing and continuous basis, applicable law, committed-to legal frameworks, client commitments, and industry standards. These programs are routinely evaluated for risks based on changes to laws, to the business, and to the Solutions, but no less than semi-annually, in order to adapt, revise, and/or adjust to continue to meet the Company’s ongoing commitments and obligations. TrustArc evaluates all business processes involving Customer Data, inclusive of any maintained Personal Information, against privacy and data protection laws, such as the General Data Protection Regulation (“GDPR”), CCPA, and LGPD.

Privacy Program

TrustArc maintains a comprehensive privacy program designed to meet current and evolving applicable data protection and privacy laws around the world through the implementation and maintenance of internal and external policies, controls, standards, and addenda that govern the company’s practices. The Company’s program involves coordination and engagement from all functions within the company, including, but not limited to, Security, Compliance, Legal, the Knowledge Team, Product, Engineering, and Marketing. TrustArc’s program addresses numerous laws, regulations, frameworks, and requirements, including but not limited to: 

  • GDPR: The General Data Protection Regulation (“GDPR”) is a European Union (“EU”) law regarding data protection and privacy for individuals within the EU. TrustArc maintains a comprehensive GDPR compliance program and, to the extent TrustArc engages in processing of personal data subject to the GDPR on behalf of its customers, it does so in accordance with the applicable requirements of the GDPR.
  • CCPA: The California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively referred to as “CCPA”), grants Californians additional rights and protections regarding how businesses may use their Customer Data. TrustArc maintains a comprehensive compliance program and, to the extent TrustArc engages in processing of personal data subject to the CCPA on behalf of its customers, it does so in accordance with the applicable requirements of the CCPA.
  • LGPD: The Brazilian Data Protection Law (“LGPD”) regulates the processing of personal data in Brazil and/or of individuals located in Brazil at the time of collection. TrustArc maintains a comprehensive compliance program and, to the extent TrustArc engages in processing of personal data subject to the LGPD on behalf of its customers, it does so in accordance with the applicable requirements of the LGPD.

These compliance efforts and others are also referenced in TrustArc’s DPA. For more information please see TrustArc’s DPA.

Data Processing Addendum

TrustArc offers a global DPA that is designed to aid its clients in meeting their requirements under applicable data protection laws, including but not limited to the GDPR, CCPA/CPRA, and LGPD, and includes applicable data transfer mechanisms including the 2021 revised Standard Contractual Clauses (also known as “EU Model Clauses” or “SCCs”) designed to permit lawful transfer of Customer Data under GDPR. For more information about our DPA, which is incorporated by reference into our SSA, see here.

Transfer Frameworks

TrustArc supports international data transfers under the following:

  • The Standard Contractual Clauses (“SCCs”), sometimes referred to as EU Model Clauses, are incorporated in TrustArc’s DPA to enable lawful transfer of Customer Data out of the European Economic Area (“EEA”) in compliance with the GDPR.
  • For residents of the United Kingdom, TrustArc complies with its obligations under the UK Addendum, also incorporated in our DPA.
  • For residents of Switzerland, TrustArc complies with its obligations under the Swiss Federal Act on Data Protection of 19 June 1992, also incorporated into our DPA.
  • TrustArc participates in the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. Data Privacy Framework (“UK Extension”), and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”), having self-certified to the U.S. Department of Commerce its adherence to the Data Privacy Framework Principles. For more information about this participation, please refer to TrustArc’s Privacy Policy.

More Information


More information about TrustArc’s privacy and security program can be found at the Legal Center located here, and the Trust Center located here. Should you have any questions about TrustArc’s privacy and security program that are not answered by these TOMS, the Legal Center, or the Trust Center, you may contact the Privacy Team at: [email protected].

Last updated May 2024