Terms & Conditions

These Terms and Conditions (together with any attachments thereto, these “T&Cs”) set forth the terms for the provision of Products and Services (each as defined below) by Monetate, Inc. (“Monetate”) for the entity (“Client”) executing a SO (as defined below). 

  1. Definitions.

“Agreement” means these T&Cs, together with all SOs issued hereunder.

“Applicable Law” means all applicable laws, rules and regulations.

“Data Controller”/“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by European Union or European Member State law, the Controller or the specific criteria for its nomination may be provided for by European Union or European Member State law.

“Data Processor”/“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Product(s)” means the software product offering(s), including underlying technology, as described in the applicable SO through which such Product(s) is/are purchased.

“Prohibited Data” means information or data that (a) is subject to the Payment Card Information Data Security Standards or (b) constitutes a special category of data according to Art. 9 European General Data Protection Regulation (N°2016/679, “GDPR”).

“Service” means both individually and collectively, the services purchased by Client in the applicable SO.

“SO” means a mutually executed service order that sets forth the Products and/or Service purchased by Client and to which these T&Cs are incorporated by reference, together with all attachments thereto.

“Site(s)” mean(s) the site domain(s) set forth in the applicable SO.

“Start Date” means the date set forth on the applicable SO as the “Start Date.”

“SO Term” means, in respect of each SO, the period of time between the “Effective Date” and the “End Date,” as each term is set forth on the applicable SO.

  2. Products and Service. Monetate shall provide the Products and Service set forth and described in the applicable SO. All Service hours purchased by Client shall expire upon the expiration of the then-current SO Term. Client will be responsible for and provide all graphical creative elements (e.g., background images) required in connection with Client’s use of the Products and Service.
  3. Fees and Payment.

3.1 Invoicing. All charges and fees set forth in a SO (“Fees”) shall be invoiced in accordance with the terms of the Agreement, and shall be due within the time period set forth on the applicable SO. If any payment that has not been disputed by Client in good faith prior to the applicable due date (each, an “Undisputed Payment”) has not been received by Monetate as of such due date and remains unpaid 10 days following Client’s receipt of Monetate’s written notice thereof, Monetate may suspend Client’s access to the Products and Service until such Undisputed Payment is made. All Fees will continue to be charged during any such suspension period.  

3.2 Late Fees and Collections. Monetate may assess a late fee at the rate of 1.5% per month (or the maximum interest allowable under Applicable Law, if less) on any Undisputed Payment that remains unpaid 30 days after the due date. Client is liable for all collection fees and expenses, including reasonable attorney fees, relating to any unpaid Undisputed Payments.

3.3 Travel Expenses.  Client shall reimburse Monetate for all pre-approved, reasonable, actual and documented travel, lodging, meal and other related out-of-pocket expenses that Monetate may incur in connection with the travel of Monetate personnel to any Client-requested location.  

3.4 Taxes. All Fees exclude any sales or use taxes associated with the Products and Service, which shall be Client’s sole responsibility to pay (other than taxes on Monetate’s income). Client acknowledges and agrees that it is solely responsible for any such sales and use taxes that result from the Products provided and Service purchased under a SO. Unless otherwise set forth in the applicable invoice (in which case Client shall remit such taxes to Monetate along with the applicable Fees), Client will remit any such taxes due directly to the appropriate taxing authority. Client agrees to act in compliance with all Applicable Law in connection with any such payment.

  4. Term and Termination.

4.1 Term.  These T&Cs shall commence on the effective date of the initially executed SO and shall continue for so long as any SO is in effect. Each SO will renew automatically for successive one (1) year periods immediately following the “End Date” (or anniversary of such End Date, as applicable) set forth therein unless either Client or Monetate provides written notice of termination at least 30 days prior to such End Date (or anniversary of such End Date, as applicable).

4.2 Termination for Material Breach.  Either party may terminate any SO upon prior written notice to the other party if such other party materially breaches any term or condition of the Agreement and fails to cure such breach within 30 days after receipt of written notice thereof.  In the event that any SO is terminated by Client due to an uncured breach by Monetate, Monetate shall refund to Client the pro rata portion of any amounts actually paid to Monetate that correspond to periods following the effective date of such termination.

4.3 Termination for Bankruptcy.  Either party may terminate a SO with immediate effect upon written notice to the other party if the other party becomes insolvent, is the subject of a petition for creditor protection or a petition in bankruptcy or of any other proceedings under bankruptcy or insolvency laws (or equivalent laws in other countries), or makes an assignment for the benefit of its creditors.

4.4 Post-Termination Access. Monetate shall permit Client to access the Products, solely for the purpose of downloading the Client Data (as defined below), for a period of 30 days following the effective date of termination or expiration of any SO.

  5. Confidentiality.

5.1 Confidential Information.  Each party shall keep confidential and shall not use or disclose for any purpose, other than to exercise rights and perform responsibilities under the Agreement, any information disclosed by the other party to such party in connection with the Agreement, whether disclosed prior to, on, or after the Effective Date of the initial SO, which is either marked as confidential (or words of similar import) or is of a nature or disclosed in such a manner as would put a reasonable person on notice as to the confidential or proprietary nature of the information (collectively, “Confidential Information”).  

5.2 Exceptions. The obligations set forth in Section 5.1 of these T&Cs shall not apply to information that: (a) is or subsequently becomes publicly known other than through a breach of an obligation under the Agreement; (b) is lawfully received from a third party not subject to confidentiality terms with the disclosing party with respect to such information; (c) was independently developed by the receiving party without reference to the disclosing party’s Confidential Information, as established by the written records of the receiving party, or (d) is required to be disclosed under Applicable Law; provided that in the case of this clause (d), the receiving party shall promptly: (i) give the disclosing party reasonable written notice prior to disclosure pursuant to such requirement (unless prohibited by such requirement); (ii) use diligent efforts to limit disclosure and to obtain confidential treatment or a protective order and allow the disclosing party to participate in the proceeding; and (iii) comply with any applicable protective order or equivalent. Client acknowledges and agrees that the pricing terms contained in any SO shall be deemed Monetate’s Confidential Information.

  6. Data Protection.

6.1 Client Data. As between Client and Monetate, all data and other information processed through the Products (collectively, “Client Data”) is and shall remain Client’s property, including any modifications or derivative works thereof and, to the extent applicable, shall be deemed Client’s Confidential Information. Client shall be solely responsible for the configuration of the Products and agrees that it will provide Monetate with prior notice if it configures the Products to collect any Personal Data; provided Client agrees that it will not configure the Products to collect any Prohibited Data (or otherwise transmit any Prohibited Data to Monetate) without Monetate’s prior written consent (which consent may be withheld by Monetate at its sole discretion). 

6.2 Details of the processing. Monetate shall be deemed the “Data Processor” and Client shall be deemed the “Data Controller.” Monetate receives from Client access to Personal Data controlled by Client. Monetate shall process Personal Data only within the scope of the work to be performed under the MSA, according to Client’s documented instructions. 

6.2.1 Duration of Processing. The processing of the Personal Data shall continue during the term of this Agreement as provided in Section 4.1 and in connection with the term of the applicable SO.  

6.2.2 Nature and Purpose of Intended Processing.  The nature and purpose of the intended processing is the delivery of tailored online experiences to visitors to the Site(s), as more fully set forth on the description of the Products and/or Services purchased under the applicable SO. 

6.2.3 Types of Personal Data/Categories.  The types of Personal Data processed by Monetate are IP Address, Unique Customer ID (device-level), device and browser information associated with the Unique Customer ID, and data relating to the pages, products, and categories viewed, carted, or purchased by the visitor to the Site(s), together with additional types of Personal Data that Client may transfer to Monetate in data files that are solely within Client’s control. Examples of these additional types of Personal Data include age, gender, client rewards program number, order and order return history, preference for in-store or online purchases and other demographic data.

6.3 Obligations of Data Controller. Client shall be liable for the material legality of the processing and for safeguarding the rights of data subjects. Client shall inform Monetate about any faults or irregularities in the processing by Monetate discovered by Client.

6.4 Obligations of Data Processor. Monetate agrees and warrants:

  • to process the Personal Data only on documented instructions from Client, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by European Union or European Member State law to which Monetate is subject; in such a case, Client shall inform Monetate of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  • that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • that it has implemented the technical and organisational security measures specified in Annex 1 before processing the Personal Data transferred;
  • that it assists Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfillment of Client’s obligation to respond to requests for exercising the data subject’s rights under GDPR.
  • that it shall support Client in the compilation of the register of processing operations, where applicable. Monetate shall support Client in the execution of data protection impact assessments where a type of processing under this Agreement is likely to result in a high risk to the rights and freedoms of natural persons. 
  • that it will notify Client immediately about any case in which Monetate or one of its employees breaches any provision regarding the protection of Client’s Personal Data or the obligations under this Agreement. Client shall be notified about any loss, or illegal transmission, or third party acquisition of Personal Data irrespective of causation. Client shall take appropriate measures in consultation with Client regarding the security of the Personal Data as well as the reduction of possible disadvantageous consequences for the data subjects. Insofar as notification obligations apply to Client, Monetate must assist Client in fulfilling these obligations.
  • at Client’s choice, Monetate will delete or return all of Client’s Personal Data to Client after the end of the provision of services relating to processing, and delete existing copies unless European Union or European Union Member State law requires storage of all such Personal Data; 
  • to make available to Client all information necessary to demonstrate compliance with the obligations laid down in this Section 6.4 and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client;
  • to immediately inform Client if, in Monetate’s opinion, an instruction delivered by Client infringes the applicable European Union or European Member State data protection law.

6.5 Subcontracting. Client hereby provides Monetate with a general written authorization to employ sub-processors under this Agreement. Monetate shall inform Client of any intended changes concerning the addition or replacement of sub-processors, thereby giving Client the opportunity to object to such changes.

Where Monetate subcontracts its obligations under this Agreement, Monetate shall ensure that the subcontract imposes substantially the same obligations on the subcontractor as are imposed on Monetate under this Agreement.

Monetate shall prior to and regularly during the term of the subcontract supervise the technical and organisational measures that are necessary to protect Personal Data and implemented by the sub-processor. The transmission of Personal Data is only permitted if the sub-processor has implemented technical and organisational measures comparable to the ones agreed upon in this Agreement. 

6.6 Privacy Shield. Monetate complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of Personal Data transferred from the European Union and Switzerland to the United States. Client acknowledges and agrees that Monetate may process Client’s Personal Data in accordance with the EU-US Privacy Shield Framework or the Swiss-US Privacy Shield Framework, as applicable, and this Agreement in cloud-based data centers in the United States and/or access the Personal Data stored in such data centers in the European Union from the United States solely for the purposes set out in Section 6.2.2. Client and Monetate may agree mutually upon alternative appropriate safeguards with respect to Art. 46 GDPR.

6.7 Aggregated Anonymous Data. Client acknowledges that Monetate collects and aggregates anonymous data concerning user behavior, traffic and other interactive information.  Such aggregated anonymous data neither identifies Client nor any Site visitor, and neither the identity of Client nor any such visitor can be derived from such data.  Client agrees that both during and after the term of the Agreement, Monetate may retain and use all such aggregated anonymous data to improve and market Monetate’s products and services.  

6.8 Applicable Law. The parties hereby agree to comply with all Applicable Law, in particular with applicable European Union or European Member State law, relating to the processing of Personal Data.

  7. Intellectual Property.

7.1 License Grant.  Monetate owns all intellectual property rights in and to the Products. Other than the limited license right to utilize the Products, nothing contained in the Agreement shall be construed as granting Client any rights in or to the Products.  Subject to the terms and conditions of the Agreement, Monetate hereby grants to Client a limited scope, nonexclusive, nontransferable license for Client’s employees and contractors (provided that such contractors are bound, in writing, to terms of confidentiality no less restrictive than those contained herein and that Client shall be responsible for the acts and omissions of such contractors) to use and access the Products set forth in a duly executed SO during the SO Term for Client’s business purposes and as may be further described in such SO, solely in connection with the Site(s).  Client may use any documentation provided by Monetate in connection with the Products, solely in connection with the licensed use of the Products. Client shall administer the registration and password access to the Products of its personnel. All rights (including all intellectual property rights) to and/or with respect to any items, materials or services relating to the Products not expressly licensed by Monetate hereunder, are expressly and exclusively retained by Monetate. Monetate shall have a royalty-free, worldwide, perpetual license to use or incorporate into the Products any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by or on behalf of Client, solely as such information relates to the Products, and expressly excluding any of Client’s Confidential Information.

7.2 Prohibition on Reverse Engineering. Client shall not do, attempt to do, nor permit any person or entity to do, any of the following: (a) create or recreate the source code for any underlying software and technology relating to the Products, or re-engineer, reverse engineer, decompile or disassemble any such underlying software and technology; (b) copy, modify, adapt, translate or create derivative works based upon any such underlying software and technology; (c) remove, erase or tamper with any copyright or other proprietary notice printed or stamped on, affixed to, or encoded or recorded in the Products or any associated documentation; or (d) sublicense, sell, lease, rent, timeshare or otherwise transfer, or pledge as security, the Products or its access thereto.  

7.3 EC Treaty. If this Agreement and/or the parties’ activities hereunder are subject to Article 101 of the EC Treaty (the “Treaty”), then notwithstanding anything to the contrary herein, nothing in this Agreement shall be construed to require Client to assign or exclusively license to Monetate any severable improvements (as defined in Commission Regulation (EC) No 772/2004 of 27 April 2004 on the application of Article 81(3) of the Treaty to categories of technology transfer agreements), and Client hereby grants Monetate a non-exclusive, perpetual, irrevocable, worldwide, freely sublicensable licence under such severable improvements for all purposes in all fields.

7.4 Marketing. Client shall provide to Monetate, Client’s approved logo and associated use guidelines for use in a list of Monetate’s clients.  Client shall retain all intellectual property rights in and to such logo. Monetate shall have the right to issue a press release announcing Client as a client of Monetate, the content of which shall be subject to Client’s consent, which consent shall not be unreasonably withheld or delayed.

  9. Limitation of Liability.

9.2 Unlimited Liability.  The parties’ liability for death or personal injury caused by negligence (as such term is defined by the Unfair Contract Terms Act 1977) is unlimited.  Each party’s liability for fraudulent misrepresentation is unlimited. For the avoidance of doubt, the liability limitation set forth herein will not limit the claims of data subjects in scope of the processing of their Personal Data by Monetate. 

  10. Indemnification.

10.1 Client Indemnity. Monetate will indemnify, defend and hold harmless Client from and against all claims, suits and/or proceedings brought by any third party against Client alleging infringement of such third party’s intellectual property rights by the Products or Service, including with respect to any resulting liabilities, losses, damages and costs awarded by a court or included as part of a final settlement, as well as reasonable attorneys’ fees, in connection with the foregoing; provided, that Client: (a) promptly notifies Monetate, in writing, of any such claim, suit or proceeding for which indemnity is claimed; (b) cooperates reasonably with Monetate, at Monetate’s expense, in the defense and settlement thereof; and (c) allows Monetate to control the defense and settlement thereof.  Client will have the right to participate in any defense of a claim and/or to be represented by counsel of its own choosing at its own expense, provided that ultimate control of such defense shall remain solely with Monetate.   

If any infringement claim with respect to the Products or Service may be or has been asserted, Client will permit Monetate, at Monetate’s option and expense, to: (i) procure for Client the right to continue using or receiving the affected Product(s) and/or Service; (ii) replace or modify the affected Product(s) and/or Service to eliminate the infringement while providing functionally equivalent performance; or (iii) terminate the Agreement with respect to the affected Product(s) and/or Service in exchange for a refund of the pro-rata portion of Fees that Client actually paid to Monetate for the affected Product(s) and/or Service corresponding to periods following such termination.  

Monetate’s obligations under this Section 10.1 shall not apply to any claims based upon: (A) any materials, software or other information that have been altered by Client or any party other than Monetate; (B) other than Intended Combinations (defined below), the combination of the Product(s) with any items not provided or recommended by Monetate in writing (including in documentation provided by Monetate); or (C) use of the Products or any such materials, software or information after termination pursuant to clause (iii) above. “Intended Combination” means combinations of a Product with items that are necessary for its intended use and functionality (e.g., currently supported versions of standard web browsers and operating systems).  In the event that a claim described above arises out of an Intended Combination, Monetate shall be required to indemnify Client pursuant to this Section 10.1. Provided that Monetate complies fully with the requirements of this Section 10.1, this Section 10.1 states Client’s exclusive remedy and Monetate’s sole liability in connection with any claim of infringement or misappropriation of intellectual property rights.

10.2 Monetate Indemnity. Client will indemnify, defend and hold harmless Monetate from and against all claims, suits and/or proceedings brought by any third party against Monetate resulting from Client’s (or its subcontractor’s) failure to comply with the processing of Personal Data and the restriction on collection and/or transmission of Prohibited Data set forth in Section 6.1 of these T&Cs, including with respect to any resulting liabilities, losses, damages and costs awarded by a court or included as part of a final settlement, as well as reasonable attorneys’ fees, in connection with the foregoing; provided, that Monetate: (a) promptly notifies Client, in writing, of any such claim, suit or proceeding for which indemnity is claimed; (b) cooperates reasonably with Client, at Client’s expense, in the defense and settlement thereof; and (c) allows Client to control the defense and settlement thereof. Monetate will have the right to participate in any defense of a claim and/or to be represented by counsel of its own choosing at its own expense, provided that ultimate control of such defense shall remain solely with Client.  

  11. Miscellaneous.

11.1 Independent Parties/Third Party Beneficiaries.  Client and Monetate are independent parties. Nothing in the Agreement will be construed to make either party an agent, employee, franchisee, joint venturer or legal representative of the other party. Neither party will either have, or represent itself to have, any authority to bind the other party or act on its behalf. Nothing in the Agreement is intended or shall be construed as a third party beneficiary agreement, nor shall the Agreement confer, convey or be deemed to accord any rights to any third party.

11.2 Force Majeure.  Neither party will be liable for any failure or delay in performing an obligation under the Agreement that is due to causes beyond its reasonable control, such as natural catastrophes, or governmental acts or omissions, laws or regulations. These causes will not excuse Client from paying amounts due to Monetate.

11.3 Notices.  Any notice under or in connection with the Agreement shall be in writing and shall be sent by nationally recognized overnight courier, certified mail (return receipt requested) to the addresses for notice set forth in the applicable SO or electronic mail to Client’s contact identified on the applicable SO and to contracts@monetate.com. In the event that no Client contact is identified on a SO, Client may subsequently provide such information by written notice to Monetate, and Monetate may, prior to receipt of such information utilize any reasonable notification information to provide notice to Client. Any such failure to identify a contact by Client shall not affect the validity of the Agreement.

11.4 Assignment and Subcontracting.  Other than as set forth in Section 6.5, either party may assign or otherwise transfer the Agreement or any of its rights hereunder without the other party’s prior written approval, which will not be unreasonably withheld, provided, however, that each party may assign the Agreement, in its entirety and upon prior written notice to the other party, to an affiliate or in connection with a merger, acquisition or similar organisational transaction, unless such assignment is to a competitor of the non-assigning party.  Any assignment or attempt to do so other than as provided in this Section 11.4 will be void.  

Notwithstanding anything herein to the contrary, Client hereby agrees that Monetate may subcontract any of the Services purchased under an applicable SO to a third-party so long as such third-party has agreed to obligations of confidentiality no less restrictive than those set forth in these T&Cs.

11.5 Waiver, Amendments or Other Modification.  Except as otherwise provided herein, any waiver, amendment or other modification of the Agreement will not be effective unless in a physical writing manually executed by the parties; provided that signatures delivered electronically or by scanned .PDF format (or equivalent) file via e-mail, shall be deemed a manually executed physical writing.  No other course of conduct shall operate to waive, amend or modify the Agreement.  

11.6 Severability.  If any provision of the Agreement is held to be invalid, it shall either be: (a) reformed only to the extent necessary to make it enforceable, and such holding shall not affect the enforceability: (i) of such provision under other circumstances; or (ii) of the remaining provisions hereof under all circumstances; or (b) if such reformation is not possible, severed from the Agreement and the remainder of the Agreement shall continue in full force and effect.

11.7 Cumulative Remedies.  Except as expressly provided to the contrary herein, all remedies set forth in the Agreement are cumulative and not exclusive of any other remedies at law or in equity, statutory or otherwise.

11.8 Survival.  Sections that by their nature, or to give effect to their meaning, must survive expiration or termination of the Agreement, shall survive any expiration or termination of the Agreement.

11.9 Governing Law.  This Agreement will be governed by and interpreted, exclusively, in accordance with the laws of England and Wales.  Any controversy or claim arising out of or relating to this Agreement or the existence, validity, breach or termination hereof, whether during or after its term, shall be brought exclusively in the English courts located in London, United Kingdom.  

11.10 Entire Agreement. These T&Cs, any SOs issued hereunder, and any schedules, exhibits and other incorporated attachments, constitute the complete and entire statement of all terms, conditions and representations of the agreement between Monetate and Client with respect to its subject matter and supersede all prior agreements, writings or understandings, whether oral or in writing.  In the event of any conflict between these T&Cs and any SO, the terms and conditions set forth in the SO shall prevail. No terms or conditions stated in a Client purchase order or in any other Client order documentation shall be incorporated into, or form any part of, the Agreement, and all such terms or conditions shall be null and void.

Email Product Terms of Use

If you have ordered the Monetate Email Product the following terms shall be added after Section 6.8 of these T&Cs:

6.9 Email Terms and Conditions.

6.9.1 Transfer of E-mail Addresses.  Solely in connection with Client’s use of the email product purchased on the applicable SO (the “Email Product”), Monetate shall receive from Client (or from Client’s e-mail service provider (“ESP”) on Client’s behalf), either e-mail addresses of individuals or unique anonymous identifiers corresponding to e-mail addresses stored by Client or such ESP (in either case, the “E-mail Information”).  Client represents, warrants and covenants that the E-mail Information has been collected on behalf of Client and transferred to Monetate in accordance with Applicable Law and in a manner consistent with Client’s policies (including privacy policies) applicable at the time of such collection (collectively, “Client Policies”).  Client represents, warrants and covenants that the Client Policies are, and shall at all times during the Term be, consistent with Applicable Law. 

6.9.2 Client E-Mails Using the Email Product. Client shall, at all times, be in compliance with Applicable Law involving the sending of e-mails to individuals. Client acknowledges that Monetate has no control of, or access to, the content of any messages sent by Client utilizing the Email Product and that such control and access lies solely with Client and/or Client’s ESP.  Without application of any liability limitation set forth herein, Client shall indemnify, defend and hold harmless Monetate from and against all claims, suits and proceedings brought by third parties against Monetate and arising out of: (A) the content of the e-Mails sent by Client using the Email Product or (B) Client’s failure to comply with and adhere to Applicable Law and/or the Client Policies in connection with the collection and transfer of the E-mail Information and its use of the Email Product.

6.9.3 Certain Limitations. Client shall be solely responsible for the acts and omissions of any third party, including any ESP, engaged by Client in connection with Client’s use of the Email Product, and Client shall ensure that such third parties reasonably cooperate with Monetate, as necessary, in connection with Monetate’s provision of the Email Product hereunder.  


Annex 1 to the Terms and Conditions

Technical and Organisational Security Measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Monetate shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the pseudonymisation and encryption of data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Without limiting the above, the following specific measures shall be taken:

  1. Physical access control

Measures to prevent unauthorised persons from gaining access to data processing systems for processing or using data:

  • Monetate’s offices are protected by an access control system that admits only authorised personnel.
  • Data centers housing Client’s data have an access system that permits only authorised personnel to have access to secure areas. Data centers are secured by around-the-clock guards, biometric access screening, and escort-controlled access for externals.
  2. Logical access control

Measures to prevent that unauthorised persons use data processing equipment and procedures: 

  • Unique User identifiers (User IDs) to ensure that activities can be attributed to the responsible individual.
  • An authentication database that stores user passwords only in encrypted or hashed form. The database itself resides on an encrypted volume and is never transmitted unencrypted.
  • Access to the Monetate Platform requires a valid User ID and password combination, which are encrypted via TLS or SSH while in transmission. 
  • Controls to ensure generated initial passwords must be reset on first use.
  • Written prohibition on sharing or disclosing passwords.
  • Regular checks of access rights
  • Privileged rights are assigned on a need-to-use basis. Usage is logged and audited to verify that the use of privileges corresponds to an event. 
  • Privileged accounts are reviewed on a quarterly basis, and additionally upon any change of staff responsibilities or of architecture that could affect privilege requirements.
  • Client can see its own login activity through the Security panel of the Monetate User Interface (UI).  Changes to experiences (including activation/deactivation) are also visible within the UI. Inquiries about other log files can be filed via Monetate’s support team.
  • Data on cloud-based servers is encrypted at rest and third parties may not access it. Monetate will ask Client for written approval before sharing Client’s data with any third party.  
  • Monetate accesses Client’s data only when Client’s employees contact Monetate’s support team. Such contact is treated as approval for that access and is logged by Monetate.
  3. Data access control

Measures that ensure that persons entitled to use a data processing system gain access only to such data as they are entitled to accessing in accordance with their access rights:

  • Monetate shall implement auditable logging of assigned access rights.
  • Monetate destroys any printouts using a document shredder.
  • Client may implement a granular sharing model and User permission profiles to limit data accessible to different employees of Client. 
  • Before Monetate transfers data outside of the European Economic Area (EEA), the data is pseudonymised within the EEA and only then sent to Monetate’s global data centers. All such transfers are made in compliance with applicable European Union or European Member State law, including the GDPR. Monetate is a certified member of the EU-US Privacy Shield Framework, and all personal data transferred outside of the EEA receives the protective benefits of this Framework.
  • All stored data is encrypted at rest using AES with a 256-bit key (or a comparable method of no lesser security) and is readable only by the application.
  • Encryption keys are securely generated by, and loaded from, a Key Management Service, which stores the keys in hardware security modules (HSMs).
  4. Data transfer control

Measures to ensure that data cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of data by means of data transmission facilities can be established and verified:

  • Monetate uses industry-accepted encryption to protect Client’s data and communications during transmission between Client’s network and the Monetate Platform: TLS sessions negotiating at least 256-bit symmetric encryption, with server certificates carrying RSA public keys of at least 2048 bits.
  • Monetate is a certified member of the EU-US Privacy Shield Framework and all personal data transferred outside of the EEA receives the protective benefits of this Framework. Client and Monetate may mutually agree upon alternative appropriate safeguards with respect to Art. 46 GDPR.
  5. Entry control

Measures to ensure that it is possible to check and ascertain whether data has been entered into, altered or removed from data processing systems and, if so, by whom:

  • Employee access log entries will be maintained by Monetate, containing date, time, User ID, URL executed or entity ID operated on, operation performed (viewed, edited, etc.) and source IP address. Note that the recorded source IP address may identify only a shared gateway rather than an individual host if NAT (Network Address Translation) or PAT (Port Address Translation) is used by Client or its ISP (Internet Service Provider).
  • The above logs are secured against unauthorised access, use and modification.
  6. Control of instructions

Measures to ensure that data processed on behalf of others are processed strictly in compliance with Client’s instructions:

  • Monetate shall process personal data solely in accordance with Client’s instructions, including to provide the services to Client as set forth in the Agreement and as instructed by Client’s employees in their use of the Monetate Platform.  Monetate’s employees are trained that the data is the sole property of Client and is not to be processed for any reason other than as instructed by Client. 
  • Any activity of Monetate’s associates and administrators shall also be logged in the above-mentioned log files.
  • The servers hosting the services are periodically certified and audited against ISO 27001 or a similar information security standard.
  7. Availability control

Measures to ensure that data is protected against accidental destruction or loss:

  • Monetate maintains disaster recovery facilities that are geographically remote from its primary data centers, along with the required hardware, software and Internet connectivity, for use in the event that Monetate’s production facilities at the primary data center are rendered unavailable. Monetate has disaster recovery plans in place and tests them at least once per year.
  • The Monetate Platform is designed and implemented in a resilient manner, with redundant networking components, application, storage, and database servers. Backups are stored in multiple secure and geographically separate locations and are tested on a regular basis.
  8. Control of data separation

Measures to ensure that data collected for different purposes can be processed separately:

  • Client may implement a granular sharing model and user permission profiles to limit data accessible to different users.
  • Monetate uses the technical capabilities of the deployed software to achieve data separation among data originating from multiple Clients.
  • The Monetate Platform provides strong logical separation of the data of Monetate’s numerous clients and Monetate’s clients only have access to their own data and not the data of other Monetate clients.