Data Processing Agreement
This Data Processing Agreement (the “Agreement”) is entered into by and between the User, specified in the Account or Order Form, and Internet Investments Group Limited, a legal entity incorporated and acting under the laws of Hong Kong, having its registered office at 9th Floor, Amtel Building, 148 Des Voeux Road Central, Central, Hong Kong (“Fourth Estate”).
This Agreement is a part of the Terms of Services (as defined below). Capitalized terms used but not defined in this Agreement have the meaning given to them in the Terms of Services.
This Agreement applies where and only to the extent that Fourth Estate, acting as the Processor, processes Personal Data on behalf of the User in the course of providing the Services. Under no circumstances will Fourth Estate act, or be deemed to act, as the Controller of Personal Data under any Applicable Data Protection Law.
In the event Fourth Estate is required to process Personal Data on the request of the Affiliate of User, such Affiliate shall also be deemed as the “User”. Any reference to the User within this Agreement, unless otherwise specified, shall include User and its Affiliates.
1. DEFINITIONS
- Applicable Data Protection Law means all data protection laws and regulations applicable to Fourth Estate in connection with the Fourth Estate’s Processing of Personal Data as a Processor to provide the Services to the User, including LGPD and PDPA as applicable. Notwithstanding the foregoing, “Applicable Data Protection Law” excludes (a) laws requiring the localisation of Personal Data and (b) laws specific to the User or the User's industry that are not generally applicable to Fourth Estate as Processor. With respect to Personal Data from California residents, “Applicable Data Protection Law” shall include, but not be limited to the California Consumer Privacy Act of 2018 (“CCPA”).
- Controller has the meaning given in Applicable Data Protection Law. With respect to Personal Data from California residents, the Controller shall include the term “Business” according to the meaning given to that term in the CCPA.
- Data Subject means (i) an individual who is the subject of Personal Data; or (ii) a “Consumer” as the term is defined in the CCPA.
- EU SCCs means the standard contractual clauses for the transfer of Personal Data to Controllers and Processors established in third countries, adopted by the European Commission from time to time, the adopted version of which in force at the date of signature of this DPA is that set out in the Annex to the European Commission’s Implementing Decision 2021/914 of 4 June 2021, available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, and as may be amended or replaced from time to time.
- FADP means the Swiss Federal Act of 19 June 1992 on Data Protection (as may be amended or superseded) and related ordinances, and, once effective, the revised FADP version of 25 September 2020, as amended or replaced and applicable.
- GDPR means the Regulation (EU) 2016/679 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, as amended from time to time, and any applicable national laws implemented by European Economic Area (“EEA”) member states.
- LGPD means the Lei Geral de Proteção de Dados Pessoais, Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended).
- PDPA means the Personal Data Protection Act of 2012 of Singapore (as amended).
- Party means any of the User or Fourth Estate, and “Parties” means the User and Fourth Estate.
- Personnel means any employee, agent, contractor, work-for-hire or any other person working under the direct authority of Fourth Estate.
- Processor has the meaning given in Applicable Data Protection Law. With respect to Personal Data from California residents, the Processor shall include the term “Service provider” according to the meaning given to that term in the CCPA.
- Terms of Services means the agreement between the User and Fourth Estate for the provision of the Services.
- Services means the services described in the Terms of Services.
- Sub-processor means any third party data processor engaged by Fourth Estate, who receives Personal Data from Fourth Estate for the Processing on behalf of the User and in accordance with the User's instructions (as communicated by Fourth Estate) and the terms of its written subcontract.
- UK Addendum means the UK ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses’, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State.
- UK Data Protection Law means the Data Protection Act (DPA 2018), as amended, and the GDPR as incorporated into UK law as the UK GDPR, as amended, and any other applicable UK data protection laws, or regulatory Code of Conduct or other guidance that may be issued from time to time.
- The terms “Data exporter”, “Data importer”, “Personal Data”, “Personal Data Breach”, “Process”, “Processing”, “Sell”, “Share”, “Supervisory Authority” shall have the meanings set out in the Applicable Data Protection Law even if such terms are not capitalized in this Agreement.
2. PURPOSE
- The User and Fourth Estate have entered the Terms of Services pursuant to which Fourth Estate provides the User with the Services.
- The Parties are entering into this Agreement to ensure that the Processing by Fourth Estate of Personal Data within the Services is done in a manner compliant with Applicable Data Protection Law and its requirements regarding the collection, use and retention of Personal Data of the Data Subjects.
3. OBLIGATIONS OF FOURTH ESTATE
- The Parties agree that the subject matter and duration of the Processing performed by Fourth Estate under this Agreement, including the nature and purpose of the Processing, the type of Personal Data, and categories of the Data Subjects, shall be as described in Annex I of this Agreement.
- As part of Fourth Estate providing the Services to the User under the Terms of Services, Fourth Estate shall comply with the obligations imposed upon it under Articles 28-32 of the GDPR and equivalent requirements in other Applicable Data Protection Law and agrees and declares as follows:
- to process Personal Data in accordance with the User's documented instructions as set out in the Terms of Services and this Agreement for the specific purpose of providing the Services to the User, and also with regard to transfers of Personal Data to a third country or an international organisation in accordance with Article 28 (3)(a) of the GDPR, unless required to do otherwise by Union or Member State Law to which Fourth Estate is subject. In any such case, Fourth Estate shall inform the User of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
- to not: a) retain, use, or disclose Personal Data (i) for any purpose other than for the specific purpose of providing the Services to the User as set out in the Terms of Services, this Agreement, and other relevant agreement(s); (ii) outside of the direct business relationship between Fourth Estate and the User; or (iii) as otherwise prohibited by Applicable Data Protection Law; (b) Sell or Share Personal Data; or (c) combine Personal Data that it receives from the User with Personal Data it receives from, or on behalf of, another person, or collects from its own interactions with the Data Subjects, except where both (i) expressly required to perform the Services and (ii) permitted by Applicable Data Protection Law;
- to ensure that all Personnel are fully aware of their responsibilities to protect Personal Data in accordance with this Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with Article 28 (3)(b) of the GDPR;
- to notify the User if it determines that it can no longer meet its obligations under Applicable Data Protection Law and allow the User to take reasonable and appropriate steps to remediate unauthorised Processing of Personal Data;
- to implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, provided that such measures shall take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the risks involved in the Processing and will include those measures described in Annex II;
- to notify the User in accordance with Article 33(2) of the GDPR and equivalent requirements in other Applicable Data Protection Law, without undue delay, but in any event within forty-eight (48) hours, in the event of a confirmed Personal Data Breach affecting Personal Data and to take appropriate measures to mitigate its possible adverse effects;
- to comply with the requirements of Section 4 (Use of Sub-processors) when engaging a Sub-processor;
- to assist the User, taking into account the nature of the Processing and insofar as it is commercially reasonable, to fulfill the User’s obligation to respond to requests from the Data Subjects to exercise their rights under Applicable Data Protection Law (the “Data Subject Request”). In the event that Fourth Estate receives the Data Subject Request directly from the Data Subject, it shall, unless prohibited by law, direct the Data Subject to the User (to the extent Fourth Estate is able to associate the Data Subject with the User). In the event the User is unable to address the Data Subject Request, taking into account the nature of the Processing and using information made available by the User necessary to complete the Data Subject Request, Fourth Estate shall, on the User’s request and at the User’s reasonable expense (scoped prior to Fourth Estate’s response to the Data Subject Request), address the Data Subject Request, as required under Applicable Data Protection Law;
- upon request, to provide the User with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Fourth Estate, to help the User to conduct any data protection impact assessment, data transfer impact assessment or Supervisory Authority consultation it is required to conduct under Applicable Data Protection Law;
- upon termination of the Account or any User Platform, to comply with the requirements of Section 8 of this Agreement (Destruction of Personal Data);
- to comply with the requirements of Section 5 of this Agreement (Audit); and
- to appoint a data protection officer who will act as a point of contact for the User, and coordinate and control security compliance with this Agreement, including the measures detailed in Annex II.
- Fourth Estate shall immediately inform the User if, in its opinion, the User’s Processing instructions infringe Applicable Data Protection Law. In such event, Fourth Estate is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
4. USE OF SUB-PROCESSORS
- The User hereby confirms its general written authorisation for Fourth Estate’s use of the Sub-processors listed at Sub-processors list (the “List of Sub-processors”) in accordance with Article 28 of the GDPR and equivalent requirements in other Applicable Data Protection Law to assist Fourth Estate in providing the Service and Processing Personal Data, provided that such Sub-processors: (i) agree to act only on Fourth Estate's instructions when Processing Personal Data, which instructions shall be consistent with the User's processing instructions to Fourth Estate; (ii) agree to protect Personal Data to a standard consistent with the requirements of this Agreement.
- Fourth Estate shall remain liable to the User for the subcontracted processing services of any of its Sub-processors under this Agreement. Fourth Estate shall update the List of Sub-processors on its Website with any Sub-processor to be appointed at least thirty (30) days prior to such change. The User may sign up to receive email notification of any such changes as described in the List of Sub-processors.
- In the event that the User objects to the Processing of its Personal Data by any proposed Sub-processor as described in Section 4.2. on reasonable grounds relating to data protection, it shall inform the Processor in writing by emailing [email protected] within thirty (30) days following the update of the List of Sub-processors above. In such event, the Parties shall negotiate in good faith a solution to the User's objection. If the Parties cannot reach resolution within sixty (60) days of Fourth Estate’s receipt of the User’s objection, Fourth Estate will either (a) instruct the Sub-processor to not process Personal Data, in which event this Agreement shall continue unaffected, or (b) allow the User to immediately terminate this Agreement and Terms of Services.
- The Services enable the User to engage, connect, further develop and procure the Third Party Services (as defined in the Terms of Services) that may make their content, products or services available to the User. Fourth Estate does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Third Party Services, including, without limitation, their content or the manner in which they handle Personal Data or any interaction between the User and the provider of such Third Party Services. Fourth Estate is not liable for any damage or loss caused or alleged to be caused by or in connection with the User’s enablement, access or use of any such Third Party Services, or the User’s reliance on the privacy practices, data security processes or other policies of such Third Party Services. The providers of the Third Party Services shall not be deemed Sub-processors for any purpose under this Agreement.
5. AUDIT
- Upon the User's reasonable written request, at reasonable intervals (no more than once every twelve (12) months), and subject to the confidentiality undertakings by the User (as defined in the Terms of Services), Fourth Estate will:
- make available to the User: (a) reports, certifications or extracts thereof where available from a source charged with auditing Fourth Estate’s data protection practices to enable the User to assess Fourth Estate’s compliance with the terms of this Agreement; and/or (b) information necessary to demonstrate the User’s compliance with its obligations under this Agreement and applicable Data Protection Law;
- allow for and contribute to audits, including inspections, conducted by the User or by an independent auditor mandated by the User (at the User’s cost); provided, that: (a) access will take place only during business hours; (b) findings shall be restricted only to data relevant to the User; (c) such audits, inspections and the results therefrom, (i) shall only be used by the User to assess compliance with this Agreement, and not for any other purpose, and (ii) shall not be disclosed to any third party without Fourth Estate’s prior written approval; and (d) upon Fourth Estate’s request, the User will return to Fourth Estate all records or documentation in the User’s possession or control provided by Fourth Estate in the context of the audit and/or the inspection. In the event of such audit or inspection, the User shall be responsible to ensure that the User (and each of the User’s mandated auditors) will not cause any damage, injury or disruption to Fourth Estate’s premises, equipment, personnel, services and business, as applicable, while conducting such audit or inspection.
- Subject to applicable Data Protection Law, to the extent any assistance described in this Section entails material costs or expenses to Fourth Estate, the Parties shall first come to agreement on the User’s reimbursement to Fourth Estate of such costs and expenses.
6. INTERNATIONAL DATA EXPORTS
- The User acknowledges that if Fourth Estate and its Sub-processors process Personal Data subject to the GDPR, UK Data Protection Law, or FADP (the “European Data”), Fourth Estate may process such data in countries that are outside of the EEA, United Kingdom, and Switzerland. If Fourth Estate Processes the European Data in a country that has not received an adequacy decision from the European Commission or Swiss or UK authorities, as applicable, such transfer shall take place on the basis of the EU SCCs and/or UK Addendum, as applicable. If such a transfer mechanism is not applicable, the Parties agree to work in good faith without undue delay to implement an appropriate transfer mechanism authorised under Applicable Data Protection Law.
- Notwithstanding the foregoing, the User hereby authorizes Fourth Estate to transfer Personal Data to Personnel located outside of the EEA, United Kingdom, and Switzerland. The Processor undertakes to provide the list of such countries upon request.
- EU SCCs
Where Fourth Estate Processes Personal Data that is subject to the GDPR in a country that has not received an adequacy decision from the EU Commission, the Parties hereby incorporate the EU SCCs by reference.
Where the EU SCCs apply, they will be deemed completed as follows:
- Module 2 (Controller to Processor) will apply where the User is a Controller of Personal Data and Fourth Estate is the Processor of Personal Data; Module 3 (Processor to Processor) will apply where the User is the Processor of Personal Data and Fourth Estate is the Processor of Personal Data;
- in Clause 7, the optional docking clause will not apply;
- in Clause 9(a), Option 2 “General Written Authorisation” will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 4 of this Agreement;
- in Clause 11, the optional language will not apply;
- in Clause 17, Option 1 will apply and will be governed by the laws provided in the Terms of Services. If the Terms of Services is not governed by an EEA member state law, then the laws of Ireland shall govern;
- in Clause 18(b), disputes shall be resolved before the courts provided in the Terms of Services. If the Terms of Services does not provide courts in an EEA Member State, the Parties agree to the courts of Dublin;
- Annex I.A and I.B and Annex II of the EU SCCs shall be deemed completed with the information set out in Annex I and Annex II to this Agreement; and
- in Annex I.C of the EU SCCs, where the data exporter is established in the EEA shall be the Supervisory Authority with responsibility for ensuring compliance by the data exporter with GDPR as regards the data transfer. Where the data exporter is not established in the EEA, but is within the territorial scope of application of GDPR in accordance with Article 3(2) and has appointed a representative pursuant to Article 27(1), the Supervisory Authority shall be the member state in which the representative within the meaning of Article 27(1) is established. If the data exporter is not established in the EEA, but falls within the territorial scope of application of GDPR without having to appoint a representative pursuant to Article 27(2), the Supervisory Authority of Ireland shall act as the competent Supervisory Authority. Nothing in the interpretations in this Section 6.3. is intended to conflict with either Party's rights or responsibilities under the EU SCCs and, in the event of any such conflict, the EU SCCs shall prevail.
- UK Addendum
When Fourth Estate Processes Personal Data subject to UK Data Protection Law in a country that has not received an adequacy decision from the UK authorities, the Parties hereby incorporate the UK Addendum for Personal Data subject to UK Data Protection Law by this reference. Where the UK Addendum applies, it will be deemed completed as follows:
- Table 1 shall be deemed completed with the information set out in Annex I of this Agreement, the contents of which are hereby agreed by the Parties;
- Table 2, the Parties select the checkbox that reads: “Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum”, and the accompanying table shall be deemed completed according to the Parties’ preferences outlined in Section 6.3. above;
- Table 3, shall be deemed completed with the information set out in Annex I and Annex II and Section 4 of this Agreement; and
- Table 4, the Parties agree that neither Party may terminate the UK Addendum as set out in Section 19.
- Switzerland under EU SCCs
Where Fourth Estate processes Personal Data subject to FADP in a country that has not received an adequacy decision from Swiss authorities, the Parties hereby incorporate the EU SCCs (for Personal Data subject to FADP) by this reference. To the extent Personal Data transfers are subject to FADP, the EU SCCs shall be deemed completed with the information set forth in Section 6.3. above, as appropriate, and the following shall apply: The term “member state”, as used in the EU SCCs, shall not be interpreted to limit the Data Subjects in Switzerland from being able to sue for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs. Until the revised FADP comes into effect (the version enacted on 25 September 2020, as amended), the EU SCCs shall also protect the data of legal entities. For the purposes of Annex I.C of the EU SCCs, where the User is the data exporter and Personal Data transferred is exclusively subject to FADP, the Swiss Federal Data Protection and Information Commissioner (the “FDPIC”) shall be the competent Supervisory Authority. Where Personal Data transferred is subject to both the FADP and the GDPR: (I) parallel supervision should apply; or (II) for the (revised) FADP, the FDPIC shall be the competent Supervisory Authority insofar as the transfer is governed by the (revised) FADP and for the GDPR, the competent Supervisory Authority is as determined in Section 6.3.(VIII). References to the GDPR should be understood as references to the FADP and, once effective, the (revised) FADP, insofar as Personal Data transfers are subject to the FADP or (revised) FADP.
- Brazil LGPD
The EU SCCs will be used for transfers to countries not deemed adequate per the LGPD. In Clause 17, Option 1 will apply, and will be governed by the laws of Brazil; (II) in Clause 18(b), disputes shall be resolved before a court of general jurisdiction in São Paulo/SP, Brazil.
- Singapore PDPA
Where the PDPA applies, Fourth Estate’s obligations to the User under the Agreement are those express obligations imposed by the PDPA on a “data intermediary” (processor) when processing personal data on behalf of “organisation” (controller). Notwithstanding Section 13, any claims arising from or related to the Singapore PDPA will be governed by the laws of Singapore and disputes shall be resolved before a court of general jurisdiction in Singapore.
7. OBLIGATIONS OF THE USER
As part of the User receiving the Services under the Terms of Services, the User agrees to abide by its obligations under Applicable Data Protection Law.
8. DESTRUCTION OF PERSONAL DATA
The User should regularly and independently save and backup Personal Data. Following the termination of the Account or any User Platform, Fourth Estate will delete Personal Data unless prohibited by law or legal order.
9. DURATION
This Agreement will remain in force as long as Fourth Estate Processes Personal Data on behalf of the User under the Terms of Services.
10. CCPA
- Fourth Estate represents and warrants that (a) it is a “service provider,” for the purposes of the Services it provides to the User pursuant to the Terms of Services, according to the meaning given to that term in Section 1798.140 of the CCPA; (b) it is a corporation, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners; and (c) Fourth Estate will Process Personal Data only on behalf of the User and pursuant to this Agreement.
- Fourth Estate shall not (a) “sell” (as defined in § 1798.140 of the CCPA) Personal Data; (b) disclose or transfer Personal Data to a “third party” (as defined in § 1798.140 of the CCPA) or other parties that would constitute selling; or (c) retain, use, or disclose any Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing Personal Data for a commercial purpose (as defined in CCPA) other than providing the Services and for reasons permitted under the CCPA.
- For the avoidance of doubt, the foregoing prohibits Fourth Estate from retaining, using or disclosing Personal Data outside of the direct business relationship between Fourth Estate and the User. Fourth Estate and the User acknowledge and agree that (a) the User does not “sell” Personal Data to Fourth Estate in connection with the Terms of Services; and (b) that Fourth Estate’s access to Personal Data is not part of the consideration exchanged by the Parties in respect of the Terms of Services. Fourth Estate hereby represents that it understands its obligations under the CCPA as a “Service Provider” and shall comply with them.
11. NO CONSEQUENTIAL DAMAGES; LIMITATION ON LIABILITY
For avoidance of doubt and to the extent allowed by applicable law, all liability under this Agreement, including limitations thereof, will be governed by the relevant provisions of the Terms of Services. This Section shall not be construed as limiting the liability of either Party with respect to claims brought by data subjects or under the EU SCCs’ Clause 12 and/or the UK Addendum.
12. MISCELLANEOUS
Periodically, Fourth Estate may make revisions to this Agreement. Unless expressly stated by Fourth Estate, these changes will take effect for the User upon (I) the User’s continued use of the Services, or (II) thirty (30) days from posting of such modified Agreement on or through the Website. Fourth Estate will make reasonable efforts to notify the User of these changes through various means. Information transferred under this Agreement is confidential and each Party agrees and represents, on behalf of itself, its employees and agents to whom it is permitted to disclose such information that it will not disclose such information to any third party; provided, however, that each Party shall have the right to disclose such information to its officers, directors, employees, auditors, attorneys and third party contractors who are under an obligation to maintain the confidentiality thereof and further may disclose such information as necessary to comply with an order or subpoena of any administrative agency or court of competent jurisdiction or as reasonably necessary to comply with any applicable law or regulation. This Agreement may be executed in counterparts. Each Party’s rights and obligations concerning assignment and delegation under this Agreement shall be as described in the Terms of Services. Subject to the foregoing restrictions, this Agreement will be fully binding upon, inure to the benefit of and be enforceable by the Parties and their respective successors and assigns. This Agreement, along with the Terms of Services, constitutes the entire understanding between the Parties with respect to the subject matter herein, and shall supersede any other arrangements, negotiations or discussions between the Parties relating to that subject-matter.
In the event of any conflict or inconsistency between the terms of the Terms of Services and this Agreement, the terms of this Agreement shall take precedence over the Terms of Services and any other associated contractual document between the Parties, to the extent of any such conflict.
13. GOVERNING LAW AND JURISDICTION
The governing law and jurisdiction will be governed by the Terms of Services, unless otherwise stated herein. Notices under this Agreement should be sent in accordance with the notice provisions in the Terms of Services.
ANNEX I
Details of Processing
Data exporter: The User.
Name: As specified in the Account or Order Form.
Address: As specified in the Account or Order Form.
Contact Details: As specified in the Account or Order Form.
Role: Controller or Processor.
Data importer: Internet Investments Group Limited.
Address: 9th Floor, Amtel Building, 148 Des Voeux Road Central, Central, Hong Kong.
Contact details: DPO, [email protected]
Role: Processor.
1. Nature and Purpose of the Processing:
Fourth Estate will process Personal Data solely to fulfill its purposes under the Terms of Services executed between the User and Fourth Estate, including Processing Personal Data: (I) to provide the Services in accordance with the Terms of Services; (II) to perform any steps necessary for the performance of the Terms of Services; (III) to perform any processing activity initiated by the User in its use of the Services; and (IV) to comply with other reasonable instructions provided by the User that are consistent with the terms of the Terms of Services.
2. The Processing Activities:
Personal Data will be subject to the hosting and processing activities of providing the Services.
3. Duration of the Processing:
Duration of the Services provision under the Terms of Services.
4. The frequency of the transfer:
Continuous basis.
5. Data Subjects:
The User's End Users.
6. Categories of Personal Data:
Any Personal Data provided by the User to Fourth Estate in the course of providing the Services, which may include, but is not limited to, the following categories of Personal Data: first and last name, email address, telephone number, addresses (business or personal), date of birth, communications, IP addresses, and any Personal Data submitted by the User’s End Users.
7. Special Categories of Personal Data (if applicable):
Fourth Estate does not intentionally collect or process any Sensitive Data in the provision of its Services. However, Sensitive Data may from time to time be inadvertently processed by Fourth Estate where the User or its End Users choose to include this type of data within the Services. As such, the User is solely responsible for ensuring the legality of any Sensitive Data it or its End Users choose to process using the Services. “Sensitive Data” shall have the same meaning as special categories of personal data in Article 9 of the GDPR and be inclusive of similar concepts under Applicable Data Protection Law.
8. Retention:
Fourth Estate will process and retain Personal Data in accordance with Section 8 (Destruction of Personal Data) of this Agreement.
ANNEX II
Technical and Organizational Security Measures
1. Security Measures:
Fourth Estate employs technical and organizational security measures to protect company and User assets and data. A dedicated security team is responsible for implementing and maintaining an information security program that:
- aligns security activities with Fourth Estate strategies;
- ensures data and asset confidentiality, integrity, and availability;
- assesses and addresses threats to Fourth Estate and the Users;
- continuously monitors environments and enhances security measures;
- supports secure development of infrastructure, platforms, and features;
- conducts threat modeling and risk assessments;
- uses industry security frameworks where relevant.
2. Data Center, Cloud Providers, and Business Continuity/Disaster Recovery:
Fourth Estate uses top-tier cloud service providers to host its infrastructure. These providers implement security measures to control, monitor, and log access. Fourth Estate also:
- protects against DDoS attacks;
- maintains business continuity and disaster recovery plans.
3. Encryption:
Fourth Estate uses TLS to encrypt data in transit and HSTS to ensure the User Platform is accessible only via HTTPS.
4. Application Level Security:
- hashes the Users’ passwords;
- uses Web Application Firewall (WAF) technology;
- conducts regular penetration testing;
- allows Users to assign permission levels and enable clickjack protection.
5. Incident Response:
Fourth Estate follows a formal incident response process to handle security issues and assess threats.
6. Systems Access Control:
Access to systems is restricted to authorized personnel and follows a principle of least privilege, covering:
- account provisioning/decommissioning;
- authentication;
- privileged account management;
- user identification;
- access logging and monitoring.
7. Security Risk Management:
Threat intelligence and risk assessments guide the selection and implementation of security controls. The security team collaborates with stakeholders to address and test remediation efforts.
8. Law Enforcement Request Policy:
Fourth Estate implements a robust law enforcement request policy which is designed to ensure that all law enforcement, governmental and regulatory requests are valid and made in accordance with applicable legal process. Fourth Estate does not disclose data to law enforcement, regulatory or governmental bodies unless required by applicable law and objects to unlawful requests. If Fourth Estate receives a demand for Personal Data, Fourth Estate will attempt to redirect the law enforcement agency or regulatory or government body to request such data directly from the relevant User. If compelled to disclose or provide access to Personal Data to law enforcement, regulatory or governmental bodies or agencies, Fourth Estate will notify the relevant User and provide them with a copy of the demand to allow them to seek a protective order or other appropriate remedy (except if such notification is legally prohibited, such as through a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation).