TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Published: December 3, 2024

Last Edit/Review: n/a

EXPLANATORY NOTE:

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Unity’s Data Security and Privacy Governance:

Unity maintains a data security and privacy governance structure to manage the risk of unauthorized access to, and unauthorized usage of, personal data entrusted to Unity. The data governance structure involves regular reporting to top management as well as to the audit committee of Unity’s board of directors.

Unity maintains a security policy and a privacy program policy as part of its governance program.

Unity’s internal audit team may audit its privacy program or its security program as part of its enterprise risk management function.

Personnel Security and Training:

Unity requires employees to complete security and privacy training. Unity personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.

Unity conducts a reasonable background check of its employees to the extent permitted by applicable law. Personnel are required to sign a confidentiality agreement and must acknowledge receipt of, and compliance with, Unity's confidentiality and privacy policies.

Data Access and Encryption:

Unity encrypts the personal data described in Annex I using 256-bit AES encryption during storage to assure data is held in pseudonymous format. The data remains in pseudonymous format within its systems, unless proper permission to access personal data is obtained. Unity maintains a “restricted data access procedure” in which the employee applies for access and states specific uses of the data. Access is granted only after review and approval of the internal data owner and the privacy office.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services:

Unity maintains a site reliability engineering team to respond to indicators of issues within its system, including error rate, latency and throughput measurements. Additionally, our systems are designed to alert on database connectivity, third-party dependencies, and data content appearing in an unexpected manner. Each alert is subject to an incident rating classification system that dictates resource allocation and time-to-resolve metrics.

Unity employs two-factor authentication for its systems, including where the transferred data is stored. Each application checks credentials in order to allow the display of Personal Data to an authorized End User or authorized administrator. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities, job duty requirements necessary to perform authorized tasks, and a need-to-know basis. Approvals are managed by Unity’s designated team. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g. login to workstations), password policies that follow at least industry standard best practices are implemented. These standards include restrictions on password reuse and sufficient password strength.

Measures for protection of data during transmission:

Unity employs firewalls and malware detection software.

Unity maintains a Security Incident and Event Management system to analyze logs for problematic behavior and events. Unity implements a strict policy for incident response and will react promptly to known incidents.

Physical Security:

Unity maintains a physical security team that oversees controlled access to its facilities, including requiring badging, CCTV implementation, and alarm monitoring.

Unity monitors its infrastructure for proper configuration using a third-party SaaS solution.

Measures for ensuring data minimisation:

Pseudonymization of data where possible. Unity maintains a data retention schedule for its products as part of its record retention policy.

Data Subject Rights:

Unity maintains an internal process for data subjects requesting portability of their data. Data subjects can write to dpo@unity3d.com to initiate a request.

Unity maintains systems that permit data subjects to automatically request data erasure either through their account, if they are an employee of our Customer, or through an in-app request method, if they are an end user of a mobile application.

Subprocessor Security:

Unity evaluates processors’ privacy and security prior to onboarding and includes confidentiality and privacy contract terms in agreements with processors.

Description of the Security Measures of Unity’s Cloud Storage Processor:

Our cloud storage provider maintains data centers that use dual circuits, switches, networks or other necessary devices to help provide redundancy. The electrical power systems are designed to be redundant, including a primary and alternate power source of equal capacity. The server operating systems use proprietary algorithms to augment data security and redundancy. Our provider has developed and maintains a business continuity plan and disaster recovery plan. Our provider considers its external attack surface and employs purpose-built technologies in external-facing systems to prevent attacks. Our provider uses intrusion detection systems. Additionally, our provider uses on-site security operations, data center access procedures, and has instituted a system of segmented access for its employees according to job classification. Data centers are monitored using CCTV as well as controlled access badging. Our providers have implemented access control systems, provide security training to employees, and have installed systems to ensure that personal data cannot be read, copied, altered, or removed without authorization. Data is logically isolated and logged to assure an auditable record of access. Data destruction is subject to a process involving two independent validations prior to completion. Personnel are background checked and trained in security procedures. Subprocessors are audited prior to onboarding for privacy and security practices and only onboarded with appropriate security, confidentiality and privacy contract terms.

Description of the Security Measures of Unity’s ad network and mediation platform:

Storage: All Personal Data is stored on servers managed by our cloud service provider. The provider manages physical security and external network security (i.e., networks outside Unity’s infrastructure). Infrastructure systems are designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. The platform performs preventative and corrective maintenance without interruption to services.

Business Continuity: Unity replicates data over multiple regions to help protect against accidental destruction or loss.

Data Transmission: Unity’s servers transfer Personal Data via HTTPS to and from the SDK. This is designed to prevent Personal Data from being read, copied, altered or removed without authorization during electronic transfer or transport.

Control Activities and Processes: Control activities provide reasonable assurance that logical access to relevant applications, Personal Data and system resources is restricted to properly authorized individuals and programs. Unity designated a specific team for configuring and administering the firewall and security groups to control security and access to “internal” network infrastructure. All servers implement access control and user validation according to the business requirements. Firewalls and host-based intrusion detection systems are deployed on the system. All security monitoring systems including, but not limited to, firewalls and host intrusion detection systems are deployed and enabled. All infrastructure platforms and services (operating systems, web servers, database servers, firewalls, etc.) are configured according to industry best practices.

Data: Personal Data is backed up regularly using tools provided by Unity’s cloud service provider. Every user has unique credentials when accessing the system and is limited only to Personal Data relevant to that user.

Unity obtained an ISO 27001 certification with respect to the ironSource ad network and mediation platform.