Khoros Schrems II & New SCC Statement

Last Update: September 29, 2021


COMPLIANCE WITH EUROPEAN UNION DATA TRANSFER REQUIREMENTS & THE NEW STANDARD CONTRACTUAL CLAUSES

Khoros is committed to protecting the data that you entrust to us and safeguarding the transfer of personal data transferred from the European Union (EU), European Economic Area (EEA) and United Kingdom (UK) to our facilities and subprocessors in the United States (US) and other countries.

The Legal Landscape for Personal Data Transfer

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its judgment in Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II). The CJEU held that US laws do not ensure an essentially equivalent level of protection for personal data compared to the EU, citing the breadth of US surveillance programs (particularly Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333). Consequently, the court invalidated Privacy Shield (a certification program through the US government for data transfers from the EU to the US). Although the CJEU noted some concerns with the Standard Contractual Clauses (SCCs) as a means to transfer European personal data, the CJEU maintained the SCCs’ validity so long as there were effective mechanisms in place to ensure an “essentially equivalent level of protection.” 

Nearly a year later, on June 4, 2021, the European Commission finalized and adopted a new set of standard contractual clauses (“New SCCs”). The New SCCs replace prior versions of the SCCs (the “Old SCCs”). The New SCCs contain additional requirements aimed at addressing the concerns raised in Schrems II.

Although the New SCCs address the concerns raised in Schrems II, on June 18, 2021, the European Data Protection Board (EDPB) adopted final recommendations on supplementary technical and organizational measures that complement transfer tools and ensure compliance with EU data protection requirements (the “EDPB Recommendations”).

Finally, in response to the Schrems II ruling and Brexit, on August 11, 2021, the UK Information Commissioner’s Office (ICO) launched a consultation on its draft international data transfer agreement (IDTA) and on guidance for organizations on international transfers (the “Guidance”). Once finalized, the IDTA will replace the Old SCCs in the UK. The New SCCs do not apply in the UK. As such, Khoros will continue to rely on the Old SCCs for UK Customers until the UK publishes its IDTA. Khoros will update its agreements and documentation once the UK finalizes its IDTA and Guidance.

Khoros Agrees to Be Bound By The New SCCs

If applicable to a particular Customer, Khoros agrees to be bound by the New SCCs. For new Customers, Khoros will enter into the New SCCs as of September 27, 2021; for existing Customers, Khoros will transition from the Old SCCs to the New SCCs within the transition period, and no later than December 27, 2022.

Neither Section 702 Nor EO 12333 Apply To Khoros’s Data Transfers

Khoros, in consultation with its Legal Department, Data Protection Officer, and outside counsel, has determined that Section 702 and EO 12333 do not practically apply to its data transfers. First, Khoros does not provide internet backbone services. Second, the personal data Khoros processes is highly unlikely to be relevant to the foreign intelligence or surveillance activities governed by Section 702 and EO 12333, given that Khoros processes public data and data relating to consumer interactions with consumer brands. To underscore these points, Khoros has never received a FISA or EO 12333 request. That said, even though Khoros deems Section 702 and EO 12333 almost irrelevant to our business, we have nonetheless chosen to implement supplementary technical and organizational measures to protect our data transfers.

Supplementary Measures Khoros Uses Alongside SCCs To Protect EU Personal Information

Supplemental Measure / Description of What Khoros Does

Measures of pseudonymisation and encryption of personal data
- We use a variety of masking and redaction technologies in our platforms
- Where appropriate, sensitive data is masked from unauthorized users or redacted from our data set
- We also use encryption to protect the data sets and data transfers

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
- We use firewalls, access control lists, and Identity and Access Management systems to limit access to processing systems and services
- We use Web Application Firewalls and Intrusion Detection Systems to protect processing systems and services
- We have denial of service protections to ensure availability
- We have multiple availability zones to improve resilience
- We make regular backups to ensure the integrity of the data
- We conduct annual Disaster Recovery tests
- We employ application-level monitoring to detect if systems operate outside of normal parameters

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- We back up data at least once per day
- We review, update, and test our disaster recovery plan annually

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
- We conduct regular Static Security Scans of all source code
- We perform regular Dynamic Security Scans of all customer-facing applications
- We train our employees on the OWASP Top 10 security vulnerabilities
- We run regular internal and external vulnerability scans
- We engage third parties to conduct annual network and application penetration tests
- We complete an annual SOC 2 audit
- We complete an annual ISO 27001 audit
- We complete an annual PCI audit
- We complete an annual TRUSTe Privacy audit

Measures for user identification and authorization
- We support integration with any SAML 2.0-compliant Single Sign-On system
- We support multi-factor authentication
- When local passwords are used, the passwords are salted and hashed before being stored

Measures for the protection of data during transmission
- All data is encrypted in transit using TLS 1.2

Measures for the protection of data during storage
- All data is encrypted at rest using AES-256

Measures for ensuring event logging
- All application- and infrastructure-related security events are captured in our log aggregation system and are reviewed daily

Measures for ensuring system configuration, including default configuration
- We use automation to ensure that all systems are configured to standard
- We update our system images regularly to ensure that they have the latest security patches

Measures for internal IT and IT security governance and management
- We have a dedicated team that manages Security Risk, Compliance and Audit
- We conduct regular internal audits to confirm adherence to security policies
- We conduct regular security audits of all our vendors and subprocessors

Measures for ensuring data minimization
- We strive to collect and maintain only the data necessary for our software and services, and for other reasons (e.g., security) that are aligned with industry custom and practice

Measures for ensuring limited data retention; Measures for ensuring accountability
- When customer data is no longer required, it is purged from our systems
- We delete backups after 90 days
- When the underlying infrastructure is decommissioned, this is done following the NIST SP 800-88 standard

Measures for allowing data portability and ensuring erasure
- We provide a Data Access Request Form on our website (https://khoros.com/legal/data-protection-privacy)

Other protection measures
- We maintain a law enforcement policy that describes how we will handle requests for personal information transferred from the EU