Greenfly Data Protection Policy

1. Overview

Greenfly is committed to ensuring the confidentiality and integrity of all information it holds and Processes while operating its business in compliance with the requirements of relevant Data Protection Laws and Regulations.

We recognize the importance of Personal Data and respecting the privacy rights of individuals. This Data Protection Policy (“Policy”) sets out the principles which we apply to our Processing of Customer Data and use of Confidential Information.

This Policy describes Greenfly's approach to ensuring the privacy and security of Customer Data, including technical and organizational measures implemented by Greenfly applicable to the Service.

Any questions about this Policy should be raised with the Data Protection Officer.

2. Terms and Definitions

The following key terms and definitions are use throughout this Data Protection Policy:

• Confidential Information: All confidential information disclosed by customers to Greenfly that is designated as confidential or should reasonably be understood to be confidential given the nature of the information, including Personally Identifiable Information (PII).
• Customer Data: Data or information submitted by or on behalf of customers including data submitted through an API and any "Content" created by customers through use of the Greenfly Service.
• Data Controller: Entity that determines the purposes and means of the Processing of Personal Data.
• Data Processor: Entity that Processes Personal Data on behalf of the Data Controller.
• Data Protection Laws and Regulations: All laws and regulations, including laws and regulations of the United States, the European Union, the European Economic Area and their member states and the United Kingdom, applicable to the Processing of Personal Data.
• Data Subject: An identified or identifiable person from whom Personal Data is collected.
• GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
• Personal Data: Any information relating to an identified or identifiable person where such data is Customer Data. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Processing: Any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• Service: The relevant Greenfly solutions provided via authenticated login to either the Greenfly iOS and/or Android App or Greenfly web portal.

3. Data Protection

Under the Data Protection Laws and Regulations, Personal Data must be Processed in accordance with data protection principles, under which said Personal Data must:

1. be Processed fairly and lawfully and in a transparent manner;
2. be obtained and Processed only for one or more specified, explicit, and lawful purposes;
3. be adequate, relevant and not excessive in relation to the purpose;
4. be accurate and, where necessary, kept up to date;
5. be kept for no longer than is necessary for the purpose;
6. be Processed in accordance with the rights of Data Subjects and in a manner, that ensures appropriate security, integrity and confidentiality of the Personal Data.

Greenfly ensures it applies appropriate technical and organizational measures to assist its customers with adhering to these principles.

3.1 Nature and Purpose of Processing

Greenfly will process Personal Data as necessary to perform the Service and as further instructed by customers in the use of the Service, as a Data Processor. Examples include the encoding of high-, medium-, and low-resolution copies for image and/or video content submitted by Data Subjects as well as the potential application of watermarks or pre- and post-roll content as specified by customers.

3.2 Categories of Data Subjects

Customer users may submit Personal Data to the Greenfly platform, the extent of which is determined and controlled by the customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

• Prospects, customers, business partners and vendors of a customer
• Employees, agents, advisors, or freelancers of a customer
• Customer's users authorized by a customer to use the platform

3.3 Types of Personal Data

Customers may submit, or allow collection of, Personal Data in the use of the Service, the extent of which is determined and controlled by a customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

• Identifying: first and last names
• Authenticating: email address and password credentials; authorized social network oauth tokens
• Social Network: profile handles; post Ids
• Tracking: connection data (IP address, mobile carrier); device data (device make & model, operating system type & version)

3.4 User Authentication

User access to the Greenfly platform requires a valid user email and password combination, which are encrypted via TLS while in transmission, as well as machine specific information for identity validation (see section 3.7 “Security Controls” below). Following a successful authentication, a random session ID (or token) is generated and stored in the user's device to maintain identity state.

3.5 Data Encryption

The Service uses industry-standard encryption products to protect Customer Data and communications during transmissions between a customer's network and the Service, including 256-bit TLS Certificates, AES-256 encryption for data storage, and one-way salted hashing of customer user credentials.

3.6 Data Segregation

The Service is operated in a multi-tenant architecture that is designed to segregate and restrict Customer Data storage and access based on business needs. The architecture provides an effective logical data separation for different customers via customer-specific unique IDs and allows the use of customer and user role based access privileges. Additional data segregation is ensured by providing separate environments for different functions, especially for testing and production.

3.7 Security Controls

Greenfly has implemented procedures designed to ensure that Customer Data is Processed only as instructed by customers, throughout the entire chain of Processing activities by Greenfly and its sub-processors. Additionally, the Service undergoes security assessments by internal personnel and third parties, which include infrastructure vulnerability assessments and application security assessments.

Greenfly implements a number of security controls, including:

• Unique user identifiers to allow customers to assign unique credentials for their users and assign and manage associated permissions and entitlements.
• Controls to ensure initial passwords must be reset on first use.
• Password length and complexity requirements.
• Greenfly personnel do not have access to nor are able to set defined passwords for customer users.
• Customers have the option to manage their application users, define roles, and apply permissions and rights within their company channels on the platform.
• User passwords are stored using a salted hash format and are transmitted in encrypted form.
• User access log entries will be maintained, containing date, time, User ID, URL executed or identity ID operated on, operation performed (accessed, created, edited, deleted, etc.).
• User access logs will be stored in a secure centralized host to prevent tampering and kept for a minimum of 90 days.
• If there is suspicion of inappropriate access to the Service, Greenfly can provide customer log entry records to assist in forensic analysis. This service will be provided to customers on a time and materials basis.

3.8 Intrusion Detection

Greenfly monitors the Service for unauthorized intrusions using network-based intrusion detection mechanisms.

3.9 Virus Protection

Greenfly systems have controls in place that are designed to prevent and detect the introduction of viruses to the respective platform services.

3.10 Security Logs

All Greenly systems used in the provision of the platform, including routers, load balancers, network switches and operating systems, log information to their respective log facility or a centralized syslog server and are then aggregated in order to facilitate security reviews and root cause analysis.

3.11 Incident Management

Greenfly maintains security incident management policies and procedures and will notify customers without delay of any unauthorized disclosure of their respective Customer Data by Greenfly or its agents of which Greenfly becomes aware to the extent required by Data Protection Laws and Regulations.

3.12 Physical Security

Production data centers used to provide the Greenfly Service have access control systems. These systems permit only authorized personnel to have access to secure areas. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around the-clock guards, two-factor access screening, including biometrics, and escort-controlled access, and are also supported by on-site back-up generators in the event of a power failure.

3.13 Reliability and Data Backup

All platform infrastructure are configured in a high availability mode or in a redundant fashion. All Customer Data submitted to the Greenfly Service is stored on infrastructure that supports high availability and is backed up on a regular basis in encrypted form to an off-site facility. All backup data is retained for a period of at least 90 days.

3.14 Disaster Recovery

Production systems are protected by disaster recovery plans which provide for backup of critical data and services. A comprehensive system of recovery exists to bring business-critical systems back online within the briefest possible period of time. Recovery processes for database security, systems administration, and network configuration and data provide a roadmap for personnel to make processes available after an outage. Our disaster recovery plans currently guarantee restoration of the Service (RTO) within 24 hours after Greenfly's declaration of a disaster.

3.15 Analytics

Greenfly may track and analyze the usage of the platform for purposes of security and helping Greenfly improve the user experience of the Service. For example, we may use this information to understand and analyze trends or track which of our features are used most often to improve product functionality.

Greenfly may share usage data with third party service providers for the purpose of analysis and improvements. Additionally, Greenfly may share anonymous usage data on an aggregate basis in the normal course of business operations. For example, we may share information publicly to show trends about the general use of the Service. No Customer Data consisting of personally identifiable information shall be contained in the anonymized data, nor any data that would identify customers, their users, or any individual, company or organization.

3.16 Sub-Processors

Greenfly utilizes certain sub-processors to assist it in providing to its customers the Service described in Services Agreements or Terms of Service available at https://www.greenfly.com/termsofservice (as applicable, the “Agreement”). Defined terms used herein shall have the same meaning as defined in the Agreement.

A sub-processor is a third party data processor engaged by Greenfly, who has or potentially will process Customer Data (which may contain Personal Data). Greenfly engages different types of sub-processors to perform various functions as explained in the tables below.

Infrastructure: We use the following sub-processors to provide our cloud infrastructure environment and storage of Customer Data:

Processing of Customer Data: We work with various sub-processors that monitor, maintain and otherwise support the Service. In order to provide this functionality these sub-processors may, but not necessarily will, have access to Customer Data:

4. Confidentiality

Greenfly will keep Confidential Information, which extends beyond Personal Data, it receives in accordance with the relevant agreement between the customer and Greenfly and, except with prior written consent of the customer or as permitted in the relevant agreement, will:

• Not use or exploit Confidential Information in any way except for the purposes for which it has been disclosed;
• Not disclose or make available Confidential Information in whole or in part to any third party; and
• Apply the technical and organizational measures as detailed in to this Policy to Confidential Information.

5. Roles and Responsibilities

Greenfly has appointed “Data Owners” who are locally responsible for ensuring employees within their department or area receive appropriate training and are working in compliance with this Policy. The data owners undertake regular assessments of data types and ensure appropriate levels of protection are in place.

Greenfly has also designated an overall Data Protection Officer who is responsible for:

• Acting as a key point of contact for data protection inquiries and the reporting of breaches for all data owners, employees, customers and Data Subjects;
• Monitoring and ensuring the compliance with this Policy across the whole of the Greenfly organization and dealing with any disputes which may arise concerning data protection issues;
• Conducting reviews of internal procedures to ensure they continue to provide adequate protection of Customer Data and Confidential Information;
• Liaising with data owners to deliver training, improve security awareness and communicate information relating to this Policy to employees;
• Updating this Policy to reflect any changes in Data Protection Laws and Regulations;
• Registering with government agencies.

If you have any questions regarding this Policy, please contact our Data Protection Officer by email at Data Protection Officer.