Privacy Statement of Marketing Content Hub Introduction As a User of Marketing Content Hub you need to be informed on how your Personal Identifiable Information (or PII, hereinafter referred to as “Personal Data”) is managed. This Platform needs limited Personal Data to ensure the best User experience for you. Key Platform functionalities can only be leveraged if we have your email address, information of your role and company are needed to provide the correct access rights. This Privacy Statement explains how the Software Vendor and Managed Services Supplier of this Platform, (hereinafter referred to as “we”, “us” or “Marketing Content Hub”), collects, uses, shares, transfers and protects the Personal Information of the User, (hereinafter referred to as “you” or “User”) and the corresponding rights of the User. Personal Data/Personal information refers to any Data related to a natural person that has been identified or is identifiable. Platform Owner The Platform Owner (hereinafter referred to as “Platform Owner”). is the entity or company who initially imports the Personal Data of the Platform Users into Marketing Content Hub. The Platform Users (hereinafter referred to as “User” or “Users”) can be employees, suppliers, subcontractors, vendors, customers of the Platform Owner, as well as e-commerce Platforms or other applications, etc… authorized by the Platform Owner. The Platform Owner is the sole responsible to grant access and access rights to Users. All Data stored in this Platform is owned by Platform Owner. Administration of the User Data is governed and managed by Platform Owner. Data Processor Marketing Content Hub is the software product on which this Platform is running. Marketing Content Hub is one of the most powerful and User-friendly content marketing tools which integrates and blends boundaries between traditional marketing silos. The Software enables companies to aggregate, author, organize and publish their marketing content, across a whole range of channels, including websites, e-commerce, CRM and social media. It provides an integrated solution for Digital asset management (DAM), Digital Rights Management (DRM), Marketing portal, Web to Print, Marketing resource management (MRM) and Product information management (PIM). Marketing Content Hub is the Data processor (hereinafter referred to as “Data Processor”). The Platform Owner decides on the supplier servicing the business support for Marketing Content Hub. This supplier, as a Data Processor, does not own the Data, but needs to comply with all industry standard security measurements imposed by the Platform Owner. More details on Data Processors who deliver business support to the Platform can be requested at Platform Owner. The Software vendor, as Data Processor, does not own any of the Data stored in the Platform, but has responsibilities as the processor of this Data. The Software Vendor agrees to accept the Personal Data from the Platform Owner. The Data Processor acknowledges this Data to be exclusively intended for processing activities to be carried out on behalf of the Platform Owner and agrees to do so in accordance to the terms & conditions provided by Platform Owner, Data Sub Processors Marketing Content Hub as a Software as a Service solution uses third party software and tools. to operate and maintain the Platform: these are referred to as “Sub Processor”, and listed below. Data Processor is responsible to ensure compliance of Sub Processors with industry standard security measurements. Some of the technical components provided by Sub Processors hold Personal Data. Those components have been implemented in such fashion that they receive Personal Data exclusively intended for the processing on behalf of the Data Processor and that this Data remains managed as per the provisions of this Privacy Statement at all times. Microsoft Azure, Sendgrid, Google Analytics and Grafana (hereinafter referred to as “Data Sub Processor”), are identified as Sub Processors and in their role process Personal Data. A Data Sub Processor does not own any of the Data stored in the Platform, but has responsibilities to ensure secure storage of this Data and needs to comply to all other GDPR regulations. About your Personal Data This Privacy Statement is applicable to the collection, management, use and sharing of your Personal Data by the Product Vendor, Marketing Content Hub, as Data Processor,. This Privacy Statement is effective as of the 25th of May 2018 and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page. What Data do we collect and why do we store it? Data Processor needs the following key Personal Data to leverage full Platform capabilities: Personal Data stored Why is data stored Software component Email address - Send notifications - Send orders Sendgrid Username (if not general identifier) and password, - Authentication - Provide access to the correct Data - Enable the correct management rights (read/edit/admin) Following Oauth standards: - Auth0 - The Data Owner’s identification provider (SAML, Federation, Ping Identity,..) Profile details, sometimes including avatar - To store the user in the Database as to provide info on a need-to-know basis to all functionalities above Microsoft Azure User Name and access rights - To ensure the user to get access to the correct Data - Elastic Search - Redis User activity: searches, downloads, orders, uploads - To comply to Platform Owner’s Security Incident reporting duties - To comply to legal obligations in case of security incidents (abuse of Data, unlawful use of Data … ) - Google Analytics (potentially used) - Grafana As from MCH V3.0: User-agent info: IP address, location, browser, device - For auditing, debugging and monitoring reasons - Last 10 login attempts will be visible to User Marketing Content Hub functionality Back-up of Personal Data To ensure a records retention process and a business continuity plan for the Platform Owner. Marketing Content Hub and Microsoft Azure How do we collect your Personal Data Platform Owner manages and collects the Personal Data and imports this into the Marketing Content Hub. Platform Owner governs and decides on access rights within the Platform. Where do we store your Data Data is stored in the Platform’s Database, which is hosted in Microsoft Azure. How do we protect your Data Only Platform admins can see the full details of Personal Data of the Users. In some implementations, Usernames and company names are visible to other authorized Users. User Data is protected in both physical as well as logical ways Software safeguards are in place to ensure only authorized Users are able to perform actions or access information on the Platform servers. Tools and protocols are used for identification, authentication, authorization, and accountability. Platform infrastructure engineers have a named User and password to identify when accessing the Platform servers. Access rights are assigned per authority level. Access is monitored. Industry standard network protection and other safeguards are in place to protect the Personal Data from accidental or unlawful destruction and accidental loss, alteration, unauthorized disclosure or access and other type of unlawful processing of User Data. User Data is physically secured through physical access controls both for people managing the Data as well as the physical servers holding the Data. We refer to Azure’s SOC reports. With who do we share your Data Sub Processors Marketing Content Hub uses third party tools and services to help deliver and optimize your User experience. The gird below shows the touchpoints where Personal Data is processed and which software component is used for this. There are 2 types of software components. Technology components: these are technologies used, but no Personal Data is shared with the technology vendors. They are not subject to GDPR compliance. Service components: these components are used as a service in out-of-the-box Marketing Content Hub. These service providers process the Personal Data we store in Marketing Content Hub and are Sub Processors of the Platform. These Service components are identified in the grid below. The type of Personal Data they have access to and the reason why they process this Personal Data is clarified. Personal Data Software component Why is Personal Data used Email address Sendgrid To send a notification to the User via email (eg. When an order is ready, a task is done…) Profile details, sometimes including avatar Microsoft Azure To give people a User profile by which they can get access to the items they need to see, manage or govern and to enable the Users to collaborate and execute their tasks within the system. User activity: searches, downloads, orders, uploads Google Analytics Grafana To comply to Platform Owner’s Security Incident reporting duties For governance of the Platform To comply with legal obligations in case of security incidents (abuse of Data, unlawful use of Data … ) Retention of your Personal Data We will retain and use your Personal Data for as long as reasonably necessary to perform our agreements with the Platform Owner, to comply with legal obligations and to resolve disputes or enforce our agreements. Therefore, your Personal Data will be held during the duration of our contractual relationship with Platform Owner. Your Rights ● Right to be informed: Via this Privacy Statement, we, Marketing Content Hub as a Software Vendor, inform you on what Personal Data is collected, why it is used, who has access, how we protect it and what your rights are. ● Right to access: You have the right to see what Personal Data is stored, and thus potentially used and shared for purposes mentioned in this Privacy Statement. You can access it by checking your profile in the Platform. The following rights should be approved via the Platform Owner, since they govern and manage the access to the Platform: ● Right to rectification: If the Personal Data that we hold about you is inaccurate or incomplete, you have the right to ask the Platform Owner to update or rectify it. You can reach out to the Platform Owner. ● Right to be forgotten: You have the right to request Platform Owner to erase all your Personal Data. Consequently, it will become impossible for us to provide access to the Platform since authentication is a key necessity to keep the Platform Data secured. There might be legal obligations prohibiting us from deleting your Data from the Platform. ● Right to Data portability: You have the right to receive your Personal Data which you have provided to Platform Owner in a structured, commonly used and machine-readable format. You can file your request at Platform Owner. ● Right to object: You have the right to object to the processing of your Personal Data. You can file your request at Platform Owner. Consequently, it might become impossible for us to enable certain functionalities to the Platform since they need authentication or an identifier.