Publitio Data Processing Agreement

Last updated: Feb 14, 2023

This Data Processing Agreement represents an appendix of Terms of Service concluded between Publitio doo (“Publitio”) and the user of www.publit.io website (‘Service’) and forms an integral part of ToS.

By using the Service, the user accepts to be legally bound by both ToS and this DPA, and represents a contractual party in these agreements.

Definitions

  • DPA – means this Data Processing agreement prepared in accordance with the Data Protection Laws, stipulated herein, forming an integral part of ToS;

  • Data Protection Laws – means Serbian Data Protection Act (Official Gazette of Republic of Serbia no. 87/2018), as well as Regulation (EU) 2016/679 (General Data Protection Regulation) (‘GDPR’), to the extent it is applicable to Publitio;

  • Parties – Publitio and the User;

  • Personal Data – personal data contained within User’s Content;

  • ToS – means Terms of Service – a legally binding agreement concluded between Publitio and the User;

  • User – a company or a natural person using Publitio’s service via website www.publit.io, who has entered into ToS and this DPA with Publitio, and represents a contractual party in these agreements;

  • All other expressions used in this DPA in capital letters have the same meaning as stipulated in ToS;

  • Definitions and legal terms used in this DPA have the same meaning given in Data Protection Laws.

The Parties agree as follows:

WHEREAS

1) The User has entered into a ToS with Publitio, which represents a binding legal agreement between Publitio and the User, based on which the User uploads Content using Publitio’s Service and in connection to which certain personal data contained within the Content is being processed by Publitio, on behalf of the User;

2) Data Protection Laws stipulate that in cases in which processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of Data Protection Laws and ensure the protection of the rights of the data subject;

3) Data Protection Laws stipulate that the processing by a processor shall be governed by a contract or other legal act, that is binding on the processor with regard to the controller;

4) Bearing in mind the above stated, Publitio and the User enter into this DPA, as follows.

1. DPA SUBJECT MATTER

Scope

1.1. This DPA applies where and only to the extent that Publitio processes Personal Data on behalf of the User, in the course of providing the Service and such Personal Data is subject to either Serbian Data Protection Act, or GDPR. The Parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.

Parties’ roles

1.2. The Parties acknowledge that, with respect to Personal Data contained within the User’s Content, Publitio has the position of data processor, while the User has the position of data controller, in accordance with applicable Data Protection Laws.

1.3. User agrees that: 1) it shall comply with its obligations as a controller under Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to Publitio; and 2) it has provided notice and obtained all consents and rights necessary under Data Protection Laws for Publitio to process Personal Data and provide the Services pursuant to the Agreement and this DPA.

1.4. Publitio has no control over the type of Personal Data that User and third persons authorized by User upload to the Service, therefore Publitio has no control over the categories of data subjects that User’s Personal Data relates to.

Subject matter of processing

1.5. Publitio shall, as the processor, process Personal Data based on ToS, on behalf of the User, and solely for the purpose of providing Service to the User, in accordance with ToS. all in accordance with User’s written instructions.

1.6. This DPA is applicable to all activities in which Publitio’s employees process Personal Data on User’s behalf.

Nature and purpose of processing

1.7. As provider of the Service, Publitio handles Content provided by the User, which may contain Personal Data. Content may be subject to the following process activities: 1) storage and other processing necessary to provide, maintain and improve the Services provided to the User; 2) providing customer and technical support to User; 3) disclosures as required by law or otherwise set forth in the ToS and this DPA; or 4) other activities as per subsequent reasonable written instructions given by the User, where such instructions are consistent with ToS. User undertakes to provide to Publitio lawful instructions only. Publitio will be under no obligation to follow instruction which infringes any provision of Data Protection Laws.

1.8. Publitio will not 1) sell Personal Data, or 2) retain, use or disclose Personal Data for any purpose other than for the specific purpose of performing the Service, except required by law.

Duration of data processing

1.9. Processing of Personal data shall be carried out for an unspecified period of time during which the User remains using the Service, or, if a User is inactive for the period of more than 12 months, Publitio shall delete all of its registration data as well as its Content, in accordance with the ToS, and stop with the processing.

Technical and organizational measures

1.10. Publitio has undertaken the all the relevant technical and organizational measures to ensure the level of security appropriate to the risks involved in the respective data processing. The data protection measures may be adjusted according to the continued technical and organizational advancements. Publitio shall implement the changes required for the purposes of maintaining information security in a diligent and timely manner.

Confidentiality

1.11. Publitio will maintain strict confidentiality when processing Personal Data. Any individual who could have access to the Personal Data processed on behalf of the User will be obliged in writing to maintain confidentiality, unless they are already legally required to do so via another legal obligation.

Cooperation

1.12. To the extent that User is unable to independently access the relevant Personal Data within the Services, Publitio shall, taking into account the nature of the processing, provide reasonable cooperation to assist User by appropriate technical and organizational measures, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under this DPA. In the event that any such request is made directly to Publitio, Publitio shall not respond to such communication directly without User's prior authorization, unless legally compelled to do so. If Publitio is required to respond to such a request, Publitio shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so. Except for negligible costs, the User will reimburse Publitio with costs and expenses incurred by Publitio in connection with the provision of assistance to the User in accordance with this DPA.

1.13. Publitio shall also provide reasonable cooperation to User regarding the notification of data protection authority or data subjects in connection to data breach, in accordance with Data Protection Laws, taking into account the nature of processing and information available to Publitio.

Deletion or return of data

1.14. Upon the deactivation of the Service, Publitio shall, at User’s choice, delete or return Personal data, to the User, and will delete existing copies, unless applicable law requires storage of the respective Personal Data.

1.15. Publitio may process data based on extracts of Personal Data on an aggregated and non-identifiable forms, for Publitio's legitimate business purposes, including for testing, development, controls, and operations of the Service, and may share and retain such data at its own discretion,

Sub-processors

1.16. User grants general authorization to Publitio to engage another sub-processor to process Personal Data on User’s behalf, and the User has right to get information about their identity at any time. If Publitio wishes to add a sub-processor or a replace current sub-processor with another one, he will inform the User in advance via email, and the User may object in writing to the appointment of a sub-processor on reasonable grounds relating to data protection, by notifying Publitio within 30 days as of the receipt of Publitio’s notice on such event. In such event, the Parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If this is not possible, either party may terminate the applicable Services that cannot be provided by Publitio without the use of the objected sub-processor in question.

1.17. Where Publitio engages another sub-processor for carrying out specific processing activities on behalf of the User, Publitio shall enter into a written agreement with such sub-processor in order to secure protection of Personal Data required by Data Protection Laws, and remain responsible for any acts or omissions of the sub-processor that cause Publitio to breach its obligations under this DPA. Current sub-processors Publitio is using for the processing of Personal data are available to Users upon request:

  • Via email: info@publit.io

Data Transfer

1.18. Publitio shall, as the Service provider, transfer Personal Data it processes on behalf of the User only to countries with adequate level of data protection in accordance with Data Protection Laws, including to USA companies licensed under the Privacy Shield Framework.

1.19. If Privacy Shield is invalidated, Publitio will take such measures as required under the Data Protection Laws to continue facilitating the lawful processing of User’s Personal Data.



Exhibit A

Standard Contractual Clauses

ANNEX to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as officially published at: https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf or other official publications of the European Union as updated from time to time: MODULE TWO: Transfer controller to processor OR MODULE THREE: Transfer processor to processor

ANNEX I

A. LIST OF PARTIES

Data exporter(s): Customer whose name, address and contact details are further set out in the Subscription Agreement. The Customer (in its role as a controller or processor) will provide certain personal data in order to receive the Services pursuant to the Subscription Agreement.

Data importer(s): Publitio whose name, address and contact details are further set out in the Subscription Agreement. Publitio (in its role as a processor) will process personal data in order to provide the Services pursuant to the Subscription Agreement.

B. DESCRIPTION OF TRANSFER

- Categories of data subjects whose personal data is transferred: Publitio has no control over the categories of data subjects whose personal data is transferred.

- Categories of personal data transferred:
Publitio has no control over the categories of personal data that is transferred.

- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Publitio has no control over the categories of personal data that is transferred.

- The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous basis.

- Nature of the processing:
All operations such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means), etc.

- Purpose(s) of the data transfer and further processing:

The provision of the Services in accordance with the Subscription Agreement. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
Personal Data will be retained during the term of the Subscription Agreement and will be deleted in accordance with the terms therein.

- For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
The subject matter of the Processing is Customer’s Personal Data, the nature of the Processing is the performance of the Services under the Subscription Agreement and as detailed above and the duration of the Processing is the term of the Subscription Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

Where the data exporter is established in an EU Member State - the supervisory authority of such EU Member State shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) – the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) – the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses, shall act as competent supervisory authority.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

These Technical and Organizational Data Security Measures articulate the security measures and controls implemented by Publitio in support of its security program as its baseline.

In the course of processing customer, Publitio will implement and maintain commercially reasonable, industry standard technical and organizational measures to protect customer data, consistent with applicable laws, that meet the measures described below, or an equivalent standard of protection appropriate to the risk of processing customer data in the course of providing Publitio’s services, and regularly carry out, test, review, and update all such measures:

1. Information Security Management System – Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Publitio has an ISMS (Information Security Management System) in place to evaluate risks to the security of data, to manage the assessment and treatment of these risks and to continually improve its information security. It includes all aspects of the company – people, processes, and systems – by applying a risk-based approach.

2. Personnel – Screening Personnel Authorized to Process Customer Data

Publitio conducts background checks (subject to local restrictions) on all personnel who may interact with customer data as part of their duties, regardless of specific client requirements. As part of the onboarding processes, Publitio provides the necessary trainings about protecting and securing customer data to such authorized personnel.

3. Physical Access – Measures for ensuring physical security of locations at which personal data are processed

Publitio platform is hosted on AWS/DigitalOcean/Azure/GCP cloud infrastructure (multi-cloud), and as part of the organizational policies, customer data is not stored at Publitio’s offices or in any location except for Publitio’s cloud-based production environment. Customer data will only be stored and processed on Publitio’s cloud-based production environment. The production infrastructure is hosted by AWS/DigitalOcean/Azure/GCP and as such is not physically accessible to Publitio personnel or anyone but AWS/DigitalOcean/Azure/GCP cloud providers.

4. System Security – Measures for user identification and authorization

Publitio’s workstation controls include the following: (i) unique user authentication (utilizing complex, regularly-rotated passwords); (ii) password-protected screen locking that activates after a specified period of inactivity; (iii) anti-malware utility that is regularly updated; (iv) disk encryption; and, (v) OS and application patching. Publitio’s corporate and production networks are segregated by multiple security measures, such as separate accounts, multi-factor authentication and strict enforcement of access patterns; Publitio monitors its systems and networks for security related events and runs, at least once a year, penetration test by a third party on its production applications. Identified vulnerabilities are remediated in a timely manner. User lifecycle management procedures have been implemented to assign and deploy user rights in alignment with the specific assign function and revocation of user rights upon termination and deactivation of the user’s account. Access is granted according to the principle of least privilege and is fully monitored, from the VPN access to database queries, end-to-end.

5. Data Access – Measures for the protection of data during storage

Role-based user and administrator access to customer data, limited to the least number of administrators necessary, and granting physical, system, and network access only to the extent necessary for users to accomplish their job function (i.e., on a “need to know”) basis, amended for role changes and revoked for terminated personnel on date of termination; Multi-factor authentication on all privileged accounts and accounts with access to sensitive data; Logging of privileged account use and access to sensitive data; Effective control operation verified at least annually by a qualified third party auditor. Passwords must adhere to Publitio’s password policy, which includes minimum length requirements, enforcing complexity and set periodic resets, all according to market standard and relevant best practices. As part of Publitio’s compliance processes user privileges reviews are being conducted for all organizational systems on a quarterly basis. By policy, shared credentials are not allowed. Publitio 's platform does not store users' passwords, but rather a secure hash.

6. Data Transfer – Measures for the protection of data during transmission

All data is encrypted in transit, at rest, and when stored in AWS/DigitalOcean/Azure/GCP backups. Remote access (including during remote maintenance or service procedures) is allowed only via VPN tunnels or other secure, encrypted connections that require multi-factor authentication; Publitio implements secure communication sessions across applications/services through strong encryption protocols and ciphers (e.g. HTTPS with Transport Layer Security (TLS); Encryption of customer data does not employ vulnerable protocols or weak ciphers. For data at rest, industry-standard AES-256 encryption is being used.

7. Instructions – Implementation of Controls Designed to Ensure Customer Data is Only Processed in Accordance with Customer’s Instructions

Publitio has in place internal policies containing formal instructions for data processing procedures; Contractors are being carefully vetted with regard to data security; Publitio personnel is being trained periodically to maintain awareness regarding data protection and security requirements.

8. Vulnerability Management and Secure Development Life Cycle (SDLC)

Publitio’s development processes follow secure software development best practices, which include formal design reviews, threat modeling, and completion of a risk assessment.

Publitio employs automated tools that monitor CVEs in dependent libraries. Publitio also maintains relationships with the open-source maintainers of cardinal libraries such as Imagemagick, to receive advance notifications and patch instructions for yet unpublished vulnerabilities, similar to the advance notifications Linux distribution maintainers receive to be prepared with patches when the vulnerability is made public.

Publitio conducts third-party penetration tests on Publitio’s systems (at least once a year) by carefully selected industry experts, to improve Publitio’s security posture on an ongoing basis.

As part of its ongoing maintenance, Publitio’s production systems are patched periodically after sufficient testing, or in an ad-hoc manner when a specific critical vulnerability that affects the systems is announced. Low-level infrastructure updates are handled by AWS/DigitalOcean/Azure/GCP. Publitio is a SaaS service that works on an agile development cycle with weekly releases. Releases include feature enhancements, bug requests, security patches, etc. There is no down time associated with releases.

Publitio puts an emphasis on writing secure, clear, highly maintainable, and well-documented code. All codes are reviewed as part of the organizational SDLC processes, to identify possible security vulnerabilities. In general, development follows security best-practices, features are considered with security in mind and all new code is carefully code-reviewed before being merged into the main codebase. Publitio’s developers are trained to follow OWASP principles and keep them in mind during code reviews. Every change is documented in an internal release notes document and every deployment is versioned and labelled. In addition to tests of specific changes, Publitio also conducts acceptance tests to identify regressions. Depending on the type and magnitude of a change, Publitio may initiate a full regression test before deploying a new version on production.

9. Incident Management, Disaster Recovery and Business Continuity – Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Publitio has designed its systems to tolerate system failures with minimal customer impact.

Publitio’s internal procedures provide guidance on how to plan and execute operations addressing potential business interruptions caused by emergency events in a manner minimizing any kind of loss. Publitio’s business continuity management process is designed and implemented to reduce the disruption caused by disasters and security failures to an acceptable level.

Publitio conducts ongoing technical DR sessions to review its related technical operations and to conduct 'fire drills' to test it in real time. As part of a holistic approach, all production related DR aspects (compute, storage, databases, site-is-down, etc.) are being covered during such drills. Publitio has datacenters in multiple locations (US, EU and APAC), that will be used according to clients’ specific requirements. Publitio’s default datacenter is based in the US. Publitio has Disaster Recovery (DR) sites that are within the same regulatory region (EU, US), except for APAC in which the primary site is Singapore.

Backups are performed to a separate cloud account protected by MFA, to a separate region. Backups are performed online in close time proximity to the data ingestion. Backups are tested regularly as part of Publitio’s internal compliance processes.

Publitio’s DevOps team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide 24x7x365 coverage to detect incidents and to manage the impact and resolution. An incident would receive immediate attention from all relevant personnel, every day of the week, any time of the day. Once identified and validated, incidents will be reported according to Publitio’s security and privacy policies.

10. Separation – Processing of Customer Data Separately From Other Data in a Multi-Tenant Environment

Publitio’s platform is hosted on a multi-tenant logically-separated AWS/DigitalOcean/Azure/GCP cloud infrastructure. As a multi-tenant SaaS with 60,000 customers, no single customer can affect capacity, which is designed with embedded rate limits and throttling. Customer (tenant) user account credentials are restricted, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures. Separation of at-rest storage to dedicated storage infrastructure is available to Enterprise customers to comply with different regulations.

11. Measures for ensuring events logging

All systems generate logs (from the VPN access to database queries, end-to-end) and alert in case of logging capabilities failure. All system logs are recorded and stored online for 90 days and in cold storage for 1 year. Running native on AWS/DigitalOcean/Azure/GCP Cloud, Publitio uses a set of Cloud-native tools that monitor activity and mitigate risks and configuration mistakes. Publitio employs 24x7 system monitoring and ops personnel on call. When a service issue is identified, Publitio updates the system status at https://status.publit.io. Publitio measures multiple metrics to scale and accommodate changes in incoming load. The system has an automatic pre-emptive scale up events feature, based on known usage patterns which are unique to each data center. Publitio employs intrusion detection systems and uses commercial and customized tools to collect and examine Publitio’s application and system logs, to detect anomalies.

12. Measures for ensuring limited data retention

Upon request and pursuant to contractual obligations, Publitio is able to completely and permanently delete specific or all customer personal information from its production environment. For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

ANNEX III

LIST OF SUB-PROCESSORS

Transfer controller to processor

The controller has authorised the use of the following sub-processors, subject to change from time to time:

Sub-processor Service Provided Data Center Location
Amazon Web Services Cloud computing and data storage United States
United Kingdom
Germany
Singapore
India
Australia
DigitalOcean Cloud computing and data storage United States
United Kingdom
Germany
Singapore
India
Australia
Microsoft Azure Cloud computing and data storage United States
United Kingdom
Germany
Singapore
India
Australia
Google Cloud Platform Cloud computing and data storage United States
United Kingdom
Germany
Singapore
India
Australia

The following Publitio controlled subsidiaries and affiliates support, operate, deliver, and maintain Publitio services and in the course of doing so, may process, store, or otherwise access customer data.


Subsidiary Affiliate Location
Publitio Inc United States
Publitio DOO Serbia