Slidebank: Website Privacy Policy

Digital Image Limited ("we", “us”, “our”) are committed to protecting and respecting your privacy.

This privacy policy (“Privacy Policy”) together with our Universal Terms (or our Trial Terms if you have requested a free Trial) and any other documents referred to therein, sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting http://www.slidebank.com/PrivacyPolicy, (“Site”) you are accepting and consenting to the practices described in this Privacy Policy.

For the purpose of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, (“GDPR”) or any subsequent amendment or replacement or supplementary legislation (together “Data Protection Law”), the data controller is Digital Image Limited of 8 Park Drive, Bingley, BD16 3DF, UK.

LEGAL BASIS FOR PROCESSING

We collect and use the personal data described below in order to provide you with access to our website and services in a reliable and secure manner. We also collect and use personal data:

For our legitimate business needs.
To fulfil our contractual obligations to you.
To comply with our legal obligations.

To the extent we process your personal data for any other purposes, we ask for your consent in advance or require that our partners obtain such consent.

INFORMATION WE MAY COLLECT FROM YOU
We may collect and process the following data about you:

Information you give us. You may give us information about you by filling in forms on our Site or by corresponding with us by phone, e-mail or otherwise. This includes information you provide when you register to use our Site, apps, subscribe to our service or newsletter, search for a product, request information or a product demonstration, place an order on our Site, participate in discussion boards or other social media functions on our Site, enter a competition, promotion or survey, send us a question or request and when you report a problem with our Site. The information you give us may include your Company name and address and phone number, your own name, job description, address, e-mail address and phone and FAX numbers, financial and credit card information, personal description and photograph.

Information we collect about you. With regard to each of your visits to our Site we may automatically collect the following information:

technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our Site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number;
We will record any product demos we give to you for training purposes;
We monitor email opens and link clicks within emails that are sent to you, as per the industry standard for email delivery tools.

Information we receive from other sources. We may receive information about you if you use any of the other websites we operate or the other services we provide. In this case we will have informed you when we collected that data that it may be shared internally and combined with data collected on this Site. We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, email service providers, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.

COOKIES

We use cookies on our Site to distinguish you from other users of our Site. This helps us to provide you with a good experience when you browse our Site and also allows us to improve the Site. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the Site.

We use persistent cookies and session cookies on our Site. We use persistent cookies to save your login information for future logins to the Site. We use session cookies to enable certain features of the Site, to better understand how you interact with the Site and to monitor aggregate usage by users and web traffic routing on the Site. Unlike persistent cookies, session cookies are deleted from your computer when you log off from the Site and then close your browser.

The cookies we use and why we use each of them is set out at:

www.slidebank.com/website-cookies

You can set up your browser options, to stop your computer accepting cookies or to prompt you before accepting a cookie from the websites you visit. If you do not accept cookies, however, you may not be able to use the whole of the Site or all functionality of the services.

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org. To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.

USES MADE OF THE INFORMATION
We use information held about you in the following ways.

Information you give to us. We will use this information:

to carry out our obligations arising from any contracts entered into between you and us;
to provide you with the information, products and services that you request from us;
to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about;
to provide you, or permit selected third parties to provide you, with information about goods or services we feel may interest you. If you are an existing customer, we will only contact you by electronic means (e-mail or SMS) with information about goods and services similar to those which were the subject of a previous sale or negotiations of a sale to you. If you are a new customer, and where we permit selected third parties to use your data, we (or they) will contact you by electronic means only if you have consented to this by ticking the relevant box situated on the form on which we collect your data;
to notify you about changes to our service;
to ensure that content from our Site is presented in the most effective manner for you and for your computer.

Information we collect about you.
We will use this information:

to administer our Site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
to improve our Site to ensure that content is presented in the most effective manner for you and your computer;
to allow you to participate in interactive features of our service, when you choose to do so;
as part of our efforts to keep our Site safe and secure;
to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;
to make suggestions and recommendations to you and other users of our Site about goods or services that may interest you or them.
to send you electronic marketing communications about similar goods and services which you may be interested in. If you do not wish to receive such electronic marketing communications, please click on the opt out options contained in such communications and we will remove you from our mailing lists.

Information we receive from other sources. We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).

DISCLOSURE OF YOUR INFORMATION
Information that we share with third parties. We may share your information with selected third parties including:

Any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you.
Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but we may provide them with aggregate information about our users (for example, we may inform them that 250 women aged over 25 have clicked on their advertisement on any given day). We may also use such aggregate information to help advertisers reach the kind of audience they want to target (for example, men living in London). We may make use of the personal data we have collected from you to enable us to comply with our advertisers' wishes by displaying their advertisement to that target audience.
Analytics and search engine providers that assist us in the improvement and optimisation of our Site.
Credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you.

Information we disclose to third parties. We may disclose your personal data to third parties:

In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
If Digital Image Limited or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Universal Terms, Trial Terms and/or any other agreements; or to protect our rights, property, safety, our customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

WHERE WE STORE YOUR PERSONAL DATA
The personal data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers or partners. Such staff or subcontractors may be engaged in, among other things, the fulfilment of your order, the processing of your payment details or the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing outside of the EEA.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy. In particular, this means that your personal data will only be transferred to a country that provides an adequate level of protection (for example, where the European Commission has determined that a country provides an adequate level of protection) or where the recipient is bound by standard contractual clauses according to conditions provided by the European Commission (“EU Model Clauses”).

Our Site is accessible via the internet and may potentially be accessed by anyone around the world. Other users may access the Site from outside the EEA. This means that where you chose to post your data on our Site, it could be accessed from anywhere around the world and therefore a transfer of your data outside of the EEA may be deemed to have occurred. You consent to such transfer of your data for and by way of this purpose.

PROTECTION OF INFORMATION
All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Site, you are responsible for keeping this password confidential. We ask you not to share any password with anyone.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will endeavour to protect your personal data, we cannot guarantee the security of your data transmitted to our Site. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

LINKS TO OTHER WEBSITES
Our Site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

YOUR RIGHTS
You have the right under the Act, free of charge, to request:

Access to your personal data.
Rectification or deletion of your personal data.
A restriction on the processing of your personal data.
Object to the processing of your personal data.
A transfer of your personal data (data portability).

You can make a request in relation to any of the above rights by writing to us at the contact address given at the end of this Privacy Policy. We will respond to such queries within 30 days and deal with requests we receive from you, in accordance with the provisions of Data Protection Law.

CONSENT
You have the right to withdraw your consent to us processing your personal data, at any time, by writing to us at the contact address given at the end of this Privacy Policy or by exercising the unsubscribe “opt out” in any electronic marketing communication.

Where we process your personal data for marketing purposes, we will inform you and obtain your opt in consent (before collecting your personal data) if we intend to use your personal data for such purposes or if we intend to disclose your information to any third party for such purposes. If you change your mind about being contacted in the future, please click on the opt out options and we will remove you from our mailing lists.

DATA RETENTION
We retain personal data for as long as necessary for the relevant activity for which it was provided or collected. This will be for as long as we provide access to the Site to you, your account with us remains open or any period set out in any relevant contract you have with us. However, we may keep some data after your account is closed or you cease using the Site for the purposes set out below.

After you have closed your account, or ceased using the Site for a period of at least 30 days, we usually delete personal data, however we may retain personal data where reasonably necessary to comply with our legal obligations (including law enforcement requests), meet regulatory requirements, maintain security, prevent fraud and abuse, resolve disputes, enforce our Universal Terms, Trial Terms or fulfil your request to “unsubscribe” from further messages from us.

We will retain de-personalised information after your account has been closed.

Please note: After you have closed your account or deleted information from your account, any information you have shared with others will remain visible. We do not control data that other users may have copied from the Site. Your profile may continue to be displayed in the services of others (e.g. search engine results) until they refresh their cache.

COMPLAINTS
If you have any complaints about our use of your personal data please contact us as set out at the end of this Privacy Policy or contact our supervisory authority in the UK:
The Information Commissioner’s Office at, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England (“ICO”).

AGE OF USERS
This Website is not intended for and shall not be used by anyone under the age of 16.

CHANGES TO OUR PRIVACY POLICY
Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our Privacy Policy. This Privacy Policy was last updated on 24th May, 2018 and replaces any other Privacy Policy previously applicable from this date.

CONTACT
Questions, comments and requests regarding this Privacy Policy are welcomed and should be addressed to:

By Post: Digital Image Ltd., 8 Park Drive, Bingley, BD16 3DF, UK; or

Online at www.slidebank.com/privacy

Slidebank Website Privacy Policy 24th May, 2018

Slidebank Website Cookies

The Slidebank website uses a number of cookies to aid visitor convenience and to help us deliver the best possible user experience. They comprise cookies that are local to the Slidebank Domain, and Third Party Cookies.

These are different from the cookies used to deliver the Slidebank Service.

Local Cookies on the Slidebank Domain

Name	Domain	Description	Expiry
_ga	.slidebank.com	Google Analytics. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports.	2 years
_gid	.slidebank.com	Google Analytics. Used to distinguish users.	Temporary
__atuvc	www.slidebank.com	This cookie is associated with the AddThis social sharing widget which is commonly embedded in websites to enable visitors to share content with a range of networking and sharing platforms. It stores an updated page share count.	1 year
crumb	www.slidebank.com	Squarespace cookie to ensure site security	Persistent
ss_cid	www.slidebank.com	This Squarespace cookie is used to identify a unique user for Squarespace Metrics. The value assigned is a random GUID, and no personally identifying information is associated with this cookie. It's purpose is to determine uniqueness of the user (unique visitor).	2 years
ss_cpvisit	www.slidebank.com	This SquareSpace cookie is used to identify a user’s session (visit). The value assigned is the timestamp of the initial page view for a session. This does not collect personally identifying information.	30 minutes
ss_cvr	www.slidebank.com	This cookie is equivalent to the ss_cid cookie with the exception that it stores the values of the current and ss_cvisit ss_cpvisit cookies.	2 years
_gat	www.slidebank.com	Google Analytics. Used to throttle request rate.	1 minute

Third Party Cookies

These relate to services we use to deliver and maintain the Slidebank website.

Name	Domain	Description	Expiry
loc	.addthis.com	Geolocation, which is used to help providers determine how users who share information with each other are geographically located (state level).	13 months
mus	.addthis.com	Unclassified AddThis cookie.	1 year
uid	.addthis.com	These cookies are used to track usage of the Addthis.com service. Addthis allows the user to share a webpage with many social sites.	1 year
uvc	.addthis.com	The uvc cookie is one of the cookies used to track usage of the Addthis.com service. It allows a user to share a webpage with many social sites.	1 year
BizoID	.ads.linkedin.com	LinkedIn Ad analytics for Linkedin insights and ad tags.	6 months
lang	.ads.linkedin.com	LinkedIn Ads cookie to track the success of LinkedIn advertising	Persistent
UserMatchHistory	.ads.linkedin.com	LinkedIn Ad analytics, LinkedIn insights and ads tags	6 months
IDE	.doubleclick.net	These cookies set by a third party (DoubleClick) and are used for serving targeted advertisements that are relevant to you across the web. Targeted advertisements may be displayed to you based on your previous visits to this website. For example, advertisements about a topic you have expressed an interest in while browsing our site may be displayed t you across the web. In addition, these cookies measure the conversion rate of ads presented to the user. For more information, please visit www.google.com/policies/privacy/partners/ If you wish to disable DoubleClick cookies on your browser please visit this website	1 month
fr	.facebook.com	Encrypted Facebook ID and Browser ID for advertising.	3 months
CONSENT	.google.co.uk	Google cookie for tracking success of Google Advertising	Persistent
NID	.google.co.uk	Most Google users will have a preferences cookie called ‘NID’ in their browsers. A browser sends this cookie with requests to Google’s sites. The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language (e.g. English), how many search results you wish to have shown per page (e.g. 10 or 20), and whether or not you wish to have Google’s SafeSearch filter turned on.	6 months
lidc	.linkedin.com	Used for routing, Share buttons and ad tags, 1 day expiry	1 day
_pinterest_cm	.pinterest.com	Social sharing of blog content on Pinterest.	1 year
m-b	.quora.com	Quora ad tracking	Persistent
bscookie	.www.linkedin.com	Secure browser ID cookie for tracking LinkedIn ad traffic.	1 year
DYNSRV	webdev123.co.uk	Strictly necessary cookie used for load balancing to manage server traffic demand.	Persistent

Slidebank: Service Privacy Policy

Digital Image Limited ("we", “us”, “our”) are committed to protecting and respecting your privacy.

This privacy policy (“Privacy Policy”) together with our Universal Terms (or our Trial Terms if you have requested a free Trial) and any other documents referred to therein, sets out the basis on which any personal data we collect from you or your users, or that you or your users provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding such personal data and how we will treat it. By using the Slidebank Services (“Service”) you are accepting and consenting to the practices described in this Privacy Policy. on behalf of yourself and the company you are acting for.

LEGAL BASIS FOR PROCESSING
We collect and use the personal data described below in order to provide you with access to our website and services in a reliable and secure manner. We also collect and use personal data:

For our legitimate business needs.
To fulfil our contractual obligations to you.
To comply with our legal obligations.

To the extent we process your personal data for any other purposes, we ask for your consent in advance or require that our partners obtain such consent.

INFORMATION WE MAY COLLECT FROM YOU
We may collect and process the following data about you and your users:

Information you give us.
You may give us information about you and your users by filling in forms, corresponding with us by phone, e-mail or otherwise. This includes information you provide when you use the Services, send us a question or request and when you report a problem with the Service. The information you give us may include your Company name and address and phone number, your own name, job description, address, e-mail address and phone and FAX numbers, financial and credit card information, personal description and photograph.

Information we collect about you.
With regard to your use of the Service we may automatically collect the following information:

technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
information about your visit to the website through which the Service is accessed including the full Uniform Resource Locators (URL) clickstream to, through and from the website (including date and time); content you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number. Within the Services we may track the searches you conduct; content selected, re-purposed or emailed, time, date, frequency of visit; file uploads, downloads and shares; any comments or ‘likes’ you make via the Slidebank system and other data that can be logged in the Slidebank audit trails. This is purely for the purposes of delivering the Services to you and to allowing proper functioning of our website;
information you give to us during training or support webinars, which will be recorded for training purposes;
we monitor email opens and link clicks within emails that are sent to you, as per the industry standard for email delivery tools.

Information we receive from other sources. We may receive information about you if you use any of the other websites we operate or the other services we provide in connection with the Services. In this case we will have informed you when we collected that data that it may be shared internally and combined with data collected from use of the Service. We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, analytics providers, email service providers, search information providers, credit reference agencies) and may receive information about you from them.

USES MADE OF THE INFORMATION
We use information held about you in the following ways.

Information you give to us. We will use this information:

to carry out our obligations arising from contracts entered into between you and us;
to provide you with the information, products and services that you request from us;
to notify you about changes to our Service;
to ensure that content in the Service is presented in the most effective manner for you and for your computer.
to send you Service messages designed to help you get the most out of the Services.

Information we collect about you.
We will use this information:

to administer the Service and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
to improve the Service to ensure that content is presented in the most effective manner for you and your computer;
to allow you to participate in interactive features of our Service, when you choose to do so;
as part of our efforts to keep our Service safe and secure;
to make suggestions and recommendations to you and other users of the Service about goods or services that may interest you or them.

COOKIES
We use cookies within the Services to distinguish you from other users of our Services. This helps us to provide you with a good experience when you use our Services and also allows us to improve the Services. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of a website.

We use persistent cookies and session cookies. We use persistent cookies to save your login information for future logins to the Services. We use session cookies to enable certain features of the Services, to better understand how you interact with the Services and to monitor aggregate usage by users and web traffic. Unlike persistent cookies, session cookies are deleted from your computer when you log off from the Services and then close your browser.

The cookies we use and why we use each of them is set out at:

www.slidebank.com/service-cookies

DISCLOSURE OF YOUR INFORMATION
Information that we share with third parties. We may share your information with selected third parties including:

Any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
Business partners, suppliers and sub-contractors for the performance of the contract we enter into with them or you.
Credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you.

Information we disclose to third parties. We may disclose your personal data to third parties:

In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
If Digital Image Limited or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Universal Terms, Trial Terms and/or any other agreements; or to protect our rights, property, safety, our customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

PROTECTION OF INFORMATION
All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Service, you are responsible for keeping this password confidential. We ask you not to share any password with anyone.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will endeavour to protect your personal data, we cannot guarantee the security of your data transmitted via the Service. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

YOUR RIGHTS
You have the right under Data Protection Law, free of charge, to request:

Access to your personal data.
Rectification or deletion of your personal data.
A restriction on the processing of your personal data.
Object to the processing of your personal data.
A transfer of your personal data (data portability).

CONSENT
The Service may include certain communications from us, such as service announcements, administrative messages and newsletters and you agree that these communications shall be considered an integral part of using the Services. You may opt out from receiving newsletters from us. However, you cannot opt-out from receiving service announcements and administrative messages as these are required in order for us to fulfil our contractual obligation to you of providing the Services to you.

You have the right to withdraw your consent to us processing your personal data, at any time, by writing to us at the contact address given at the end of this Privacy Policy.

You can opt out of any marketing emails by clicking on the unsubscribe button in the footer of every marketing email, or by amending your preferences.

We may send certain push notifications from time to time in order to update you about user activity via the Service or Service updates. If you no longer wish to receive these communications, you may be able to disable some of them in your Service settings.

DATA RETENTION
We retain personal data for as long as necessary for the relevant activity for which it was provided or collected. This will be for as long as we provide the Service to you, your account with us remains open or any period set out in any relevant contract you have with us. However, we may keep some data after your account is closed or you cease using the Service for the purposes set out below.

After you have closed your account or ceased using the Service for a period of at least 30 days, we usually delete personal data, however we may retain personal data where reasonably necessary to comply with our legal obligations (including law enforcement requests), meet regulatory requirements, maintain security, prevent fraud and abuse, resolve disputes, enforce our Universal Terms, Trial Terms or fulfil your request to “unsubscribe” from further messages from us.

We will retain de-personalised information after your account has been closed.

AGE OF USERS
The Service is not intended for and shall not be used by anyone under the age of 18.

CHANGES TO OUR PRIVACY POLICY
Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our Privacy Policy. This Privacy Policy was last updated on 24th of May, 2018 and replaces any other Privacy Policy previously applicable from this date.

CONTACT
Questions, comments and requests regarding this Privacy Policy are welcomed and should be addressed to:

By Post: Digital Image Ltd., 8 Park Drive, Bingley, BD16 3DF, UK; or

Or online at www.slidebank.com/privacy

Data Processing Agreement (DPA)

This DPA is entered into between the Company and Digital Image Ltd. and is incorporated into and governed by the terms of the Slidebank Service Agreement.

1. DEFINITIONS

Any capitalised term not defined in this DPA shall have the meaning given to it in the Agreement.

“Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control of a party. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of a party;

“Agreement” means the agreement between the Company and Digital Image Ltd. for the provision of the Services;

“Controller” means the Company;

“Data Protection Law” means the GDPR and/or any subsequent amendment or replacement or supplementary legislation;

“Data Subject” shall have the same meaning as in Data Protection Law;

“DPA” means this data processing agreement together with Exhibits A and B;

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;

“Personal Data” shall have the same meaning as in Data Protection Law;

“Processor” means Digital Image;

“Security Policy” means Digital Image’s security document as updated from time to time, and made reasonably available by Digital Image;

“Standard Contractual Clauses” means the EU model clauses for personal data transfer from controllers to processors c2010-593 - Decision 2010/87EU;

“Sub-Processor” means any person or entity engaged by Digital Image or its Affiliate to process Personal Data in the provision of the Services to the Company.

2. PURPOSE

2.1 The Processor has agreed to provide the Services to the Controller in accordance with the terms of the Agreement. In providing the Services, the Processor shall process Customer Data on behalf of the Controller. Customer Data may include Personal Data. The Processor will process and protect such Personal Data in accordance with the terms of this DPA.

3. SCOPE

3.1 In providing the Services to the Controller pursuant to the terms of the Agreement, the Processor shall process Personal Data only to the extent necessary to provide the Services in accordance with both the terms of the Agreement and the Controller’s instructions documented in the Agreement and this DPA.

4. PROCESSOR OBLIGATIONS

4.1 The Processor may collect, process or use Personal Data only within the scope of this DPA.

4.2 The Processor confirms that it shall process Personal Data on behalf of the Controller and shall take steps to ensure that any natural person acting under the authority of the Processor who has access to Personal Data shall only process the Personal Data on the documented instructions of the Controller.

4.3 The Processor shall promptly inform the Controller, if in the Processor’s opinion, any of the instructions regarding the processing of Personal Data provided by the Controller, breach any Data Protection Law.

4.4 The Processor shall ensure that all employees, agents, officers and contractors involved in the handling of Personal Data: (i) are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential; (ii) have received appropriate training on their responsibilities as a data processor; and (iii) are bound by the terms of this DPA.

4.5 The Processor shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

4.6 The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

4.7 The technical and organisational measures detailed in Exhibit B shall be at all times adhered to as a minimum security standard. The Controller accepts and agrees that the technical and organisational measures are subject to development and review and that the Processor may use alternative suitable measures to those detailed in the attachments to this DPA.

4.8 The Controller acknowledges and agrees that, in the course of providing the Services to the Controller, it may be necessary for the Processor to access the Personal Data to respond to any technical problems or Controller queries and to ensure the proper working of the Services. All such access by the Processor will be limited to those purposes.

4.9 Where Personal Data relating to an EU Data Subject is transferred outside of the EEA it shall be processed in accordance with the provisions of the Standard Contractual Clauses, unless the processing takes place: (i) in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) by an organisation located in a country which has other legally recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules.

4.10 Taking into account the nature of the processing and the information available to the Processor, the Processor shall assist the Controller by having in place appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights and the Controller’s compliance with the Controller’s data protection obligations in respect of the processing of Personal Data.

5. CONTROLLER OBLIGATIONS

5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and Data Protection Law.

5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA, and that it shall provide proof of such authority to the Processor immediately upon request.

5.3 The Controller is responsible for compliance with Data Protection Law, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement.

5.4 All Affiliates of the Controller who use the Services shall comply with the obligations of the Controller set out in this DPA.

5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

5.6 The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data only processes the Personal Data on the documented instructions of the Controller.

5.7 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible.

5.8 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, assisting with audits, inspections or DPIAs by the Processor, may result in additional fees. In such case, the Processor will notify the Controller of its fees for providing such assistance in advance, unless otherwise agreed.

6. SUB-PROCESSORS

6.1 The Controller acknowledges and agrees that: (i) Affiliates of the Processor may be used as Sub-processors; and (ii) the Processor and its Affiliates respectively may engage Sub-processors in connection with the provision of the Services.

6.2 All Sub-processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor set out in this DPA.

6.3 Where Sub-processors are located outside of the EEA, the Processor confirms that such Sub-processors: (i) are located in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) have entered into Standard Contractual Clauses with the Processor; or (iii) have other legally recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules.

6.4 The Processor shall make available to the Controller a current list of Sub-processors at http://www.slidebank.com/sub-processors which shall include the identities of Sub-processors and their country of location. During the term of this DPA, the Processor shall provide the Controller, with prior notification via email, with any changes to the list of Sub-processor(s) who may process Personal Data before authorising any new or replacement Sub-processor(s) to process Personal Data in connection with the provision of the Services.

6.5 The Controller may object to the use of a new or replacement Sub-processor, by notifying the Processor promptly in writing within ten (10) Business Days after receipt of the Processor’s notice. If the Controller objects to a new or replacement Sub-processor, and that objection is not unreasonable, the Controller may terminate the Agreement or applicable Order Form with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub-processor. The Processor will refund the Controller any unused prepaid fees covering the remainder of the Term of the Agreement (or applicable Order Form) following the effective date of termination with respect to such terminated Services.

7. LIABILITY

7.1 The limitations on liability set out in the Agreement apply to all claims made pursuant to any breach of the terms of this DPA.

7.2 The parties agree that the Processor shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of its Sub-processors to the same extent the Processor would be liable if performing the services of each Sub-processor directly under the terms of the DPA, subject to any limitations on liability set out in the terms of the Agreement.

7.3 The parties agree that the Controller shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of its Affiliates as if such acts, omissions or negligence had been committed by the Controller itself.

7.4 The Controller shall not be entitled to recover more than once in respect of the same claim.

8. AUDIT

8.1 The Processor shall make available to the Controller and at the Controller’s expense all information reasonably necessary to demonstrate compliance with its processing obligations and allow for and contribute to audits and inspections.

8.2 Any audit conducted under this DPA shall consist of examination of the most recent reports, certificates and/or extracts prepared by an independent auditor bound by confidentiality provisions similar to those set out in the Agreement. In the event that provision of the same is not deemed sufficient in the reasonable opinion of the Controller, the Controller may conduct a more extensive audit which will be: (i) at the Controller’s expense; (ii) limited in scope to matters specific to the Controller and agreed in advance; (iii) carried out during UK business hours and upon reasonable notice which shall be not less than 4 weeks unless an identifiable material issue has arisen; and (iv) conducted in a way which does not interfere with the Processor’s day-to-day business.

8.3 This clause shall not modify or limit the rights of audit of the Controller, instead it is intended to clarify the procedures in respect of any audit undertaken pursuant thereto.

9. DATA BREACH

9.1 The Processor shall notify the Controller without undue delay after becoming aware of (and in any event within 72 hours of discovering) any accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access to any Personal Data (“Data Breach”).

9.2 The Processor will take all commercially reasonable measures to secure the Personal Data, to limit the effects of any Data Breach, and to assist the Controller in meeting the Controller’s obligations under applicable law.

10. COMPLIANCE, COOPERATION AND RESPONSE

10.1 In the event that the Processor receives a request from a Data Subject in relation to Personal Data, the Processor will refer the Data Subject to the Controller unless otherwise prohibited by law. The Controller shall reimburse the Processor for all costs incurred resulting from providing reasonable assistance in dealing with a Data Subject request. In the event that the Processor is legally required to respond to the Data Subject, the Controller will fully cooperate with the Processor as applicable.

10.2 The Processor will notify the Controller promptly of any request or complaint regarding the processing of Personal Data, which adversely impacts the Controller, unless such notification is not permitted under applicable law or a relevant court order.

10.3 The Processor may make copies of and/or retain Personal Data in compliance with any legal or regulatory requirement including, but not limited to, retention requirements.

10.4 The Processor shall reasonably assist the Controller in meeting its obligation to carry out data protection impact assessments (DPIAs), taking into account the nature of processing and the information available to the Processor.

10.5 The parties acknowledge that it is the duty of the Controller to notify the Processor within a reasonable time, of any changes to applicable data protection laws, codes or regulations which may affect the contractual duties of the Processor. The Processor shall respond within a reasonable timeframe in respect of any changes that need to be made to the terms of this DPA or to the technical and organisational measures to maintain compliance. If the parties agree that amendments are required, but the Processor is unable to accommodate the necessary changes, the Controller may terminate the part or parts of the Services which give rise to the non-compliance. To the extent that other parts of the Services provided are not affected by such changes, the provision of those Services shall remain unaffected.

10.6 The Controller and the Processor and, where applicable, their representatives, shall cooperate, on request, with a supervisory data protection authority in the performance of their respective obligations under this DPA.

11. TERM AND TERMINATION

11.1 The Processor will only process Personal Data for the term of the DPA. The term of this DPA shall coincide with the commencement of the Agreement and this DPA shall terminate automatically together with termination or expiry of the Agreement.

11.2 The Processor shall at the choice of the Controller, upon receipt of a written request received within 30 days the end of the provision of the Services relating to processing, delete or return Personal Data to the Controller. The Processor shall in any event delete all copies of Personal Data in its systems within 60 days of the effective date of termination of the Agreement unless: (i) applicable law or regulations require storage of the Personal Data after termination; or (ii) partial personal data of the Company is stored in backups, then such personal data shall be deleted from backups up to 1 year after the effective date of termination of the Agreement.

12. GENERAL

12.1 This DPA sets out the entire understanding of the parties with regards to the subject matter herein.

12.2 Should a provision of this DPA be invalid or become invalid then the legal effect of the other provisions shall be unaffected. A valid provision is deemed to have been agreed which comes closest to what the parties intended commercially and shall replace the invalid provision. The same shall apply to any omissions.

12.3 This DPA shall be governed by the laws of England and Wales. The courts of England shall have exclusive jurisdiction for the settlement of all disputes arising under this DPA.

The parties agree that this DPA is incorporated into and governed by the terms of the Agreement.

Exhibit A

Overview of data processing activities to be performed by the Processor

1. CONTROLLER

The Controller transfers Personal Data identified in sections 3, 4 and 5 below, as it relates to the processing operations identified in section 6 below.

The Controller is the Company.

2. PROCESSOR

The Processor received data identified in sections 3, 4 and 5 below, as it relates to the processing operations identified in section 6 below.

The Processor is Digital Image.

3. DATA SUBJECTS

The Personal Data transferred includes but is not limited to the following categories of Data Subjects:

Employees, freelancers and contractors of the Controller and other users added by the Controller from time to time.
Users, Affiliates and other participants from time to time to whom the Controller has granted the right to access the Services in accordance with the terms of the Agreement.
Clients of the Controller and individuals with whom those end users communicate with by email and/or instant messaging.
Service providers of the Controller.
People who are at least 16 years old.
Other individuals to the extent identifiable in the content of emails or their attachments or in archiving content.

4. CATEGORIES OF DATA

The Personal Data transferred includes but is not limited to the following categories of data:

Personal details, names, user names, passwords, email addresses, job titles, phone and FAX numbers and the Company names and addresses of Users.
Personal Data derived from the Users use of the Services such as records and business intelligence information.
Personal Data within email and messaging content which identifies or may reasonably be used to identify, data subjects.
Meta data including sent, to, from, date, time, subject, which may include Personal Data.
Data concerning education and profession.
Data revealing political opinions, image and sound recordings.
Survey, feedback and assessment messages.
Information offered by users as part of support enquiries.
Other data added by the Controller from time to time.

5. SPECIAL CATEGORIES OF DATA

No sensitive data or special categories of data are permitted to be transferred and shall not be contained in the content of or attachments to, emails.

6. PROCESSING OPERATIONS

The Personal Data transferred will be subject to the following basic processing activities:

Personal Data will be processed to the extent necessary to provide the Services in accordance with both the Agreement and the Controller’s instructions. The Processor processes Personal Data only on behalf of the Controller.
Processing operations include but are not limited to: web-based presentation management and sales enablement systems. This operation relates to all aspects of Personal Data processed.
Technical support, issue diagnosis and error correction to ensure the efficient and proper running of the systems and to identify, analyse and resolve technical issues both generally in the provision of the Services and specifically in answer to a Controller query. This operation may relate to all aspects of Personal Data processed but will be limited to metadata where possible.
Virus, anti-spam and Malware checking in accordance with the Services provided. This operation relates to all aspects of Personal Data processed.

Exhibit B

Technical and Organisational Security Measures

Processor utilises third party data centres that maintain current ISO 9001, ISO 27001, ISO27017, ISO 27018, SOC1, SOC2, SOC3, PCI DSS Level 1, SSAE 16, ISAE 3402 certifications and/or SSAE 16 SOC 1 Type II or SOC 2 Attestation Reports. The Processor will not utilise third party data centres that do not maintain the aforementioned certifications and/or attestations, or other substantially similar or equivalent certifications and/or attestations.

Upon the Controller’s written request (no more than once in any 12-month period), the Processor shall provide within a reasonable time, a copy of the most recently completed 3rd-party certification and/or attestation reports (to the extent that to do so does not prejudice the overall security of the Services). Any audit report submitted to the Controller shall be treated as Confidential Information and subject to the confidentiality provisions of the Agreement between the parties.

The following descriptions provide an overview of the technical and organisational security measures implemented. It should be noted however that, in some circumstances, in order to protect the integrity of the security measures and in the context of data security, detailed descriptions may not be available, however additional confidential information regarding technical and organisational measures may be made available upon request. It is acknowledged and agreed that the Security Policy and the technical and organisational measures described therein will be updated and amended from time to time, at the sole discretion of the Processor. Notwithstanding the foregoing, the technical and organisational measures will not fall short of those measures described in the Security Policy in any material, detrimental way.

1. DATA CENTRE ENTRANCE CONTROL

Technical or organisational measures regarding access control, especially regarding legitimation of authorised persons at our 3rd-party data centres.

The aim of the entrance control is to prevent unauthorised people from physically accessing such data processing equipment which processes or uses Personal Data.

Due to their respective security requirements, data centre business premises and facilities are subdivided into different security zones with different access authorisations. They are monitored by security personnel. Access for employees is only possible with an encoded ID. All other persons have access only after having registered before (e.g. at the main entrance).

Access to special security areas for remote maintenance is additionally protected by a separate access area. The constructional and substantive security standards comply with the security requirements for data centres.

2. DATA CENTRE SYSTEM ACCESS CONTROL

Technical and organisational measures regarding the user ID and authentication:

The aim of the system access control is to prevent unauthorised use of data processing systems used for the processing of Customer Data.

User access to the data processing systems is only possible through a Secure Socket Layer (SSL) encrypted connection provided by the Processor. Authorisation is permitted by i) users providing a unique user name and password combination with optional IP address screening, or ii) using Single Sign-On (SSO) user authentication via authenticated encrypted tokens provided by a User’s IT systems. All access attempts, successful and unsuccessful are logged and monitored.

Additional technical protections are in place using firewalls and industry-standard encryption technology

3. DATA ACCESS CONTROL

Technical and organisational measures regarding the on-demand structure of authorisation, data access rights and monitoring and recording of the same:

Measures regarding data access control are targeted on the basis that only such data can be accessed for which an access authorisation exists and that data cannot be read, copied, changed or deleted in an unauthorised manner during the processing and after the saving of such data.

Access to data necessary for the performance of the particular task is ensured within the systems and applications by a corresponding role and authorisation concept. In accordance to the “least privilege” and "need-to-know" principles, each role has only those rights which are necessary for the fulfilment of the task to be performed by the individual person.

To maintain data access control, state of the art encryption technology is applied to the Personal Data itself where deemed appropriate to protect sensitive data based on risk.

4. TRANSMISSION CONTROL

Technical and organisational measures regarding the transport, transfer, transmission, storage and subsequent review of Personal Data on data media (manually or electronically).

Transmission control is implemented so that Personal Data cannot be read, copied, changed or deleted without authorisation, during transfer or while stored on data media, and so that it can be monitored and determined as to which recipients a transfer of Personal Data is intended for.

The measures necessary to ensure data security during transport, transfer and transmission of Personal Data as well as any other company or Customer Data are detailed in the Security Policy. This standard includes a description of the protection required during the processing of data, from the creation of such data to deletion, including the protection of such data in accordance with the data classification level.

For the purpose of transfer control, encryption technology is used (e.g. the transfer of encrypted and password-protected zip files using an encrypted secure SFTP connection). The suitability of an encryption technology is measured against the protective purpose.

The transfer of Personal Data to a third party (e.g. customers, sub-contractors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If Personal Data is transferred to companies located outside the EEA, the Processor provides that an adequate level of data protection exists at the target location or organisation in accordance with the European Union's data protection requirements, e.g. by employing contracts based on the Standard Contractual Clauses.

5. DATA ENTRY CONTROL

Technical and organisational measures regarding recording of data entry to enable retroactive review.

System inputs are recorded in the form of log files therefore it is possible to review retroactively whether and by whom Personal Data was entered, altered or deleted.

6. DATA PROCESSING CONTROL

Technical and organisational measures to differentiate between the competences of principal and contractor:

The aim of the data processing control is to provide that Personal Data is processed by a commissioned data processor in accordance with the Instructions of the principal.

Details regarding data processing control are set forth in the Agreement and DPA.

7. AVAILABILITY CONTROL

Technical and organisational measures regarding data backup (physical/logical):

Data is stored in 2 mirrored data centres to provide geographical redundancy. The data centres are selected automatically by load-balancer to provide protection in the event of non-availability; for example: due to flooding, earthquake, fire or other physical destruction or power outage to protect Personal Data against accidental destruction and loss.

If Personal Data is no longer required for the purposes for which it was processed, it should be deleted promptly by the Controller.

8. SEPARATION CONTROL

Technical and organisational measures regarding purposes of collection and separated processing:

Personal Data used for internal purposes only e.g. as part of the respective customer relationship, may be transferred to a third party such as a subcontractor, solely under consideration of contractual arrangements and appropriate data protection regulatory requirements.

Employees are instructed to collect, process and use Personal Data only within the framework and for the purposes of their duties (e.g. service provision). At a technical level, multi-client capability includes separation of functions as well as appropriate separation of testing and production systems.

Customer Data is stored in a way that logically separates it from other customer data.

Slidebank Sub-Processors

Slidebank takes data security and privacy very seriously. We have always taken diligent steps to protect and respect your personal and company data.

Whilst, due to our existing commitment to security and privacy, the recent GDPR rules have not required us to make major changes to the way we operate, it is our desire to provide you with greater clarity and transparency on these aspects of our operations.

Part of this compliance is to document a list of sub-processors that we use, or may consider using, in order to deliver the Slidebank service and customer support. Our current list of providers is as follows:

Service Provider	Purpose
Amazon Web Services	Secure hosting for Slidebank Services
Salesforce	CRM & Sales Administration Services
Dropbox	Secure Business administration
Stripe	Payment Processing
Chargeover	Invoice management
Xero	Accounting
Campaign Monitor	Email services provider
Get Feedback	Customer feedback provider
Zoom	Web conferencing hosting service
Rackspace	Secure Email hosting (Exchange) services
Microsoft	Office 365 software services
Squarespace	Hosting of Public Website
Typeform	Customer feedback and service requests
Intercom	Customer support
Airtable	Invoicing admin
Segment	API data management
Calendly	Customer meeting scheduling
Docusign	Slidebank contract management
Atlassian	Product management
Google	Advertising & website (sales site) analytics
LinkedIn	Advertising & engagement
Twitter	Advertising & engagement
Facebook	Advertising & engagement

Slidebank Service Cookies

The Slidebank service (not this website) uses a number of cookies to aid user experience and system functionality. They comprise persistent cookies, registration session cookies and site session cookies.

Persistent Slidebank Cookies

Cookie Purpose	Cookie Description	Data Use	Expiry
'Cookies'	Stores ‘yes’ if user has explicitly agreed to the site using cookies by clicking the ‘I Agree’ button to prevent the cookie policy box from appearing next visit.	User convenience	Persistent
'Login' cookie	Remembers user's login if Cookies option is turned on by the user	User convenience	Persistent until the ‘Remember me’ checkbox is unchecked
'Remember' cookie	Remembers user's choice of whether to remember login name for next visit	User convenience	Persistent
AWSELB	AWS Load Balancer	User convenience	Temporary
ASP.NET_SessionId	Stored by .Net, not used by Slidebank to identify user

Registration Session Cookies

These are stored after the user has logged in, they are cleared when the user logs out or closes the browser.

Cookie Purpose	Cookie Description	Data Use	Expiry
‘Slidebank_CompanyName’	Stores a token to identify the company and match with its company record in the database. Token is associated with the actual company name by extracting the first part of the URL.	User convenience	Temporary
‘slidebank_UserLogin’	Stores the user’s login name to identify the user and match with their user record in the database.	User convenience	Temporary
‘slidebank_UserToken’	Stores the session token to enable the user to have access to the web service.	User convenience	Temporary
Session Cookies, Slidebank v.8	Remembers login, user name and company name at login to match with user in database during session.	User convenience	Temporary
Session Cookies, Slidebank v.10	Remembers login, session token and company name at login to match with user in database during session.	User convenience	Temporary

Site Session Performance Cookies

These are stored after the user has logged in, and cleared when the user logs out or closes the browser. They are retrieved from the user’s account stored in the database.

Cookie Purpose	Cookie Description	Data Use	Expiry
‘SelectionGUID’	Stores a token that matches with the current slide selection created by the user, to provide the convenience of allowing a user to continue with their slide selection from a previous session or browser refresh.	User convenience	Temporary