Rokt Supplier Minimum Security Measures
Except as set forth in Section 1 below, capitalised terms not otherwise defined in this document have the meanings assigned to them in the Agreement or DPA.
1. Definitions
- 1.1 Data Breach: Any confirmed or reasonably suspected unauthorized access, disclosure, alteration, or destruction of data.
- 1.2 Applicable Law: All applicable laws, regulations, and industry standards regarding data security and privacy.
- 1.3 Rokt Data: All data or other information supplied from time to time by Rokt to Supplier in relation to the services provided under the Agreement.
2. Supplier Minimum Security Requirements
- 2.1. Security & Privacy Governance: Supplier shall implement and maintain reasonable administrative, technical, and physical security measures to protect Rokt Data.
- 2.2. Identification & Authentication: Supplier shall restrict access to Rokt Data to authorized personnel only, using role-based access controls.
- 2.3. Cryptographic Protections: Data in transit and at rest must be encrypted using industry-standard encryption techniques.
- 2.4. Security Operations: Supplier shall perform regular vulnerability assessments and promptly remediate any identified security vulnerabilities.
- 2.5. Technology Development & Acquisition: Supplier shall follow secure coding practices and conduct security testing for any custom software that interacts with Rokt Data.
- 2.6. Business Continuity & Disaster Recovery: Supplier shall implement and maintain business continuity and disaster recovery plans for critical infrastructure, and shall test said plans for their suitability and effectiveness at minimum on an annual basis.
- 2.7. Third Party Management: Supplier shall assess the security posture of their material service providers.
- 2.8. Endpoint Security: Supplier shall implement and maintain reasonable security controls on their workstations in line with industry best practices.
- 2.9. Human Resource Security: Supplier shall conduct thorough background checks on all employees, contractors, and subcontractors (collectively, “Personnel”) who will have access to Rokt’s data, systems, or facilities.
3. Incident Response
- 3.1. Notification: Supplier shall notify Rokt within 48 hours of a confirmed Data Breach or security incident with an impact to Rokt.
- 3.2. Investigation and Remediation: Supplier shall cooperate with Rokt in investigating and mitigating any security incident.
- 3.3. Documentation: Supplier shall provide a detailed incident report including root cause analysis, scope, impact, and remediation steps within a mutually agreed timeframe of the incident.
4. Security Assessments and Audits
- 4.1. Right to Supplier Risk Assessments: Rokt or its designees shall have the right to assess the Supplier’s security controls, policies, and procedures related to Rokt Data, upon reasonable notice. Rokt will attempt to limit such assessments to no more than once per calendar year unless there is a material breach of the Agreement or an incident has been reported to Rokt.
- 4.2. Third-Party Assessments:
  - 4.2.1. Supplier shall conduct an annual penetration test by an independent third party and provide summary results to Rokt upon request.
  - 4.2.2. Supplier shall obtain and maintain a current SOC 2 Type II report, conducted by an independent, qualified third-party auditor, on an annual basis and provide a copy to Rokt upon request.
  - 4.2.3. In lieu of a SOC 2 Type II report, Supplier shall complete security self-assessments at Rokt’s request and provide attestations of compliance.
- 4.3. Remediation of Material Findings and Vulnerabilities:
  - 4.3.1. Any findings from these assessments that indicate potential risks to Rokt’s data or systems shall be documented and communicated to the Supplier.
  - 4.3.2. Upon notification of these findings, Supplier will work with Rokt to mutually agree upon the applicability of the issue identified.
  - 4.3.3. For agreed-upon findings, Supplier shall develop and submit a remediation plan to Rokt within a mutually agreed-upon timeframe. This plan must include specific corrective actions, timelines for implementation, and any interim risk mitigations to address the identified risks.
5. Data Handling and Deletion
- 5.1. Data Retention: Supplier shall retain Rokt Data only as long as necessary for the purposes defined in the Agreement unless otherwise required by Applicable Law.
- 5.2. Secure Deletion: Upon termination of the Agreement, Supplier shall promptly and securely delete or return all Rokt Data and provide certification of deletion.
- 5.3. Data Location & Transfer: Supplier shall disclose to Rokt all geographic locations where Rokt’s data is stored, processed, or maintained. Supplier agrees to provide prior written notice of any planned data transfers to new locations and shall collaborate with Rokt to determine and approve suitable locations based on security, regulatory, and compliance standards. Data shall not be stored or processed outside the approved jurisdictions without Rokt’s prior written consent.
6. Compliance with Law and Industry Standards
- 6.1. Supplier shall comply with all Applicable Laws and relevant industry standards, including but not limited to GDPR, CCPA, ISO 27001, applicable to Supplier’s processing of Rokt Data.
7. Flow-Down Security Requirements for Subcontractors
- 7.1. Supplier shall ensure that any subcontractors, third parties, or other suppliers (“Subcontractors”) engaged in the performance of services related to the Agreement implement security measures comparable to those outlined in this Security Addendum. The level of security controls applied to each Subcontractor shall be based on the Subcontractor’s access to, and handling of, Rokt’s data and systems, as well as the associated risk level of their services.
8. Termination
- 8.1. Material Breach: Any failure by Supplier to comply with this Security Addendum shall be considered a material breach of the Agreement.
- 8.2. Termination Rights: Rokt reserves the right to terminate the Agreement with immediate effect and without penalty upon any such breach.