Intrro accesses only the name, current company, and job title of your 1st degree LinkedIn contacts, only if you explicitly opt-in. This information is provided for the sole purpose of matching your contacts to open positions and enabling you to make an Intrro if you agree.

Intrro will never contact anyone or do anything without your permission. Intrro does not collect sensitive information such as private mails and there are no automatic opt-ins that spam your connections. Intrro uses only the name, company name, and job title of your connections to make smart recommendations for the purposes of hiring only.

Find below a more thorough breakdown of the particulars of the data processing.

 The  web application is hosted in the Amazon Web Services eu-west-2 region located in London, United Kingdom.

We understand that many organizations have vendor risk management processes in place, and we want to be transparent in how we operate, secure, and manage our services at Intrro.

This is why we have published detailed information on topics such as product security features, infrastructure and network security, data security and privacy, business continuity and disaster recovery, corporate security, compliance, and more.

We have provided this information to assist organizations in conducting their own due diligence on the security and operation of the Intrro service, without delay or the need for your teams to work through our lengthy questionnaire responses.

Custom questionnaires

If your organization has non-standard, bespoke requirements or custom questionnaires that you want us to complete, please note that we only offer this service for those purchasing an enterprise workspace. Customers with an enterprise workspace should contact their account manager for more information.

‍

All security communication can be sent to security@intrro.com

The senior engineering team, lead by the CTO, is responsible for carrying out all security policies and procedures at Intrro. This team has a direct communication line to the CEO and can communicate with the CEO at any time.

The CTO assumes the role of Security Officer and is responsible for creating and enforcing security policies and procedures; leading the monitoring, vulnerability management, and incident detection and response initiatives; and tracking and reducing risk organization-wide.

Intrro has built-in single sign-on capabilities for Google accounts via OAuth 2.0. If a user provisions their account via OAuth 2.0, they'll never need to set a password to log in with Intrro.

Intrro includes three user role levels to help you manage permissions and access throughout your workspace.

• Admins – can manage users and billing
• Recruiters – can view all referrals and leads,  create, edit, and update projects and data
• Employees – can view and respond only to their own contacts and network data

Intrro employs industry-standard techniques for password management, encryption, storage, complexity, and reset.

Encryption and storage

The Intrro web application user authentication system uses Bcrypt to hash and salt user passwords. Each password has a uniquely generated salt, and the 'pepper' is stored independently from the database.

Complexity standard

The Intrro web application enforces a strong password complexity standard and require user passwords to have at least:

• 12 characters
• 1 lower case character
• 1 upper case character
• 1 number
• 1 special character

Failed login attempts

The Intrro web application prevents brute force attacks (for password based authentication) by locking the targeted user account after 5 failed attempts. A notification email is sent to the user that includes a link that can be used to unlock the account.

Secure reset

In the event that a user forgets their password, a user can request their password be reset via a link that is sent to the user's verified email address. This link expires within a limited amount of time if not used.

Password managers

Intrro encourages customers and users to leverage a password manager to maintain, store, and fill strong passwords when using Intrro.

Intrrol utilizes industry-standard cloud infrastructure vendors to provide the Intrro service. Intrro's infrastructure is primarily managed through Amazon Web Services, and is complemented by additional secondary infrastructure vendors to provide specific features within the Intrro web application, like machine learning and natural language processing.

Primary infrastructure

Principally, the Intrro web application leverages Amazon Web Services for infrastructure hosting.

The  web application is hosted in the Amazon Web Services eu-west-2 region located in London, United Kingdom.

Amazon Web Services has been granted formal certification, attestation, and audit reports for ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, and more – the full list of compliance resources is available on the Amazon Web Services Security page.

Feature-specific infrastructure

Intrro also makes use of secondary cloud infrastructure providers to process data for specific features of the web application. The use of these features is optional within the web application.

Data is sent to these providers temporarily and stored for a brief period of time in order to perform the functionality of the feature, and is subsequently permanently deleted after the functionality has been performed. No data is permanently stored or hosted within these infrastructure providers.

Machine Learning and Natural language processing

Intrro utilizes Google Cloud Platform for machine learning and natural language processing. Upon use of the Intrro web application’s network analysis feature, the text content to be  analyzed is sent to Google Cloud Platform. All communication with Google Cloud Platform is encrypted in transit using HTTPS and Transport Layer Security 1.2.

Google Cloud Platform stores the text sent to the Cloud Natural Language API for a short period of time in order to perform text analysis and then returns the results to the Intrro web application.

Google warrants that the stored text is typically deleted within a few hours. Google asserts that they do not use the content they process to train and improve their Cloud Natural Language features or machine analysis model.

The Intrro web application utilizes Google Cloud Platform computation located in South Carolina, United States in the us-east1 region.

Google Cloud Platform has been granted formal certification, attestation, and audit reports for ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, and more – the full list of compliance resources is available on the Google Cloud Platform Security page.

Intrro has vulnerability management policies and procedures in place to describe how we monitor for new vulnerabilities, enforce timelines and processes for remediation.

Scanning and detection

Intrro utilizes a number of services to perform internal vulnerability scanning and package monitoring on a continuous basis.

Netsparker

Intrro employs automated and integrated security scans of the web application through Netsparker. Automated scans occur at least daily and any detected vulnerabilities immediately notify the engineering team.

Security advisories

Intrro subscribes to GitHub's security alerts program. If GitHub detects a vulnerability from the GitHub Advisory Database or WhiteSource in one of the web application's dependencies, the engineering team is notified.

AWS Systems Manager

Intrro utilizes AWS Systems Manager for fleet management and endpoint security. AWS Systems Manager automatically scans and detects vulnerabilities on employee hardware and alerts the user on known vulnerabilities and provides guidance on remediation.

Image scanning

Intrro utilizes Amazon ECR image scanning to identify vulnerabilities in container images. Amazon ECR image scanning uses the Common Vulnerabilities and Exposures (CVEs) from the open-source Clair project to scan and alert on known container vulnerabilities.

Vanta

Intrro utilizes Vanta to scan and monitor for package vulnerabilities. Vanta enforces compliance with vulnerability SLAs based on severity.

Severity and timing

Intrro defines the severity of an issue via industry-recognized Common Vulnerability Scoring System (CVSS) scores, which all modern scanning and continuous monitoring systems utilize. The CVSS provides a way to capture the characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Low Severity - 0.1 - 3.9

Low severity vulnerabilities are likely to have very little impact on the business, perhaps because they require local system access.

Medium Severity - 4.0 - 6.9

Medium severity vulnerabilities usually require the same local network or user privileges to be exploited.

High Severity - 7.0 - 8.9

High severity vulnerabilities are typically difficult to exploit but could result in escalated privileges, significant data loss, and/or downtime.

Critical Severity - 9.0 - 10.0

Critical severity vulnerabilities likely lead to root level compromise of servers, applications, and other infrastructure components. If a critical vulnerability cannot be addressed within timelines as defined, an incident response ticket will be opened, documenting what interim remediation has been made.

Remediation process

When a vulnerability is detected and verified, the engineering team will remediate vulnerabilities within the SLA depending on the severity. Compliance of vulnerability SLAs is enforced via Vanta and tracked using JIRA {Atlassian product},

Intrro employs industry-standard techniques for detecting and preventing possible intrusions. Detected intrusions can result in escalation through incident response procedures.

IDS & IPS

Intrro utilizes Amazon GuardDuty as an Intrusion Detection System (IDS) and as an Intrusion Prevention System (IPS).

GuardDuty continuously monitors for malicious activity and unauthorized behavior to protect Amazon Web Services accounts, workloads, and data stored in Amazon S3. GuardDuty employs machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.

Firewall

Intrro is protected by Amazon's web application firewall (WAF) and assists in blocking common web exploits and attack patterns. Intrro manages a number of firewall rules, including rules that address issues like the OWASP Top 10 security risks.

Brute force prevention

The Intrro web application employs log in attempt rate limited with automated account lockout and secure password reset practices to prevent against brute force attacks. We also maintain a large email domain blacklist to prevent malicious actors and spam.

Logging and monitoring

Intrro has implemented multiple layers of logging with the application and infrastructure and uses industry-standard tooling to monitor application health and alert the engineering team when the application is not optimally operating.

Application logging

Intrro utilizes Sentry and Amazon CloudWatch Logs for application logging and monitoring to help diagnose and fix issues within the Intrro web application. Application error logs are stored in Sentry for 30 days and are used to help investigate issues raised from automatic alarms raised via Sentry and Cloudwatch. 

Infrastructure logging

Intrro utilizes Amazon CloudWatch to log, monitor and alert on resource allocation and operational performance of the infrastructure of the Intrro web application. Infrastructure logs are stored for 365 days.

Audit logging

Intrro utilizes Amazon CloudTrail to enable governance, compliance, and operational risk auditing of operations and actions taken on Amazon infrastructure and services. Audit logs are stored indefinitely. 

Intrro also utilizes Vanta to help monitor security related events and misconfigurations. Examples include, new user accounts in our IdP, employee account permission changes, publicly accessible infrastructure, IP based rate limits and logging not enabled on relevant resources.

Intrro utilizes a multi-tenant architecture where all customers share the same computing resources.

Logical separation of data between customers and correct access is enforced through PostgreSQL Row Level Security (RLS). Transaction-scoped configuration variables are leveraged in RLS policies to ensure the correct access permissions.

Incident response plan

Intrro has a documented incident response plan that establishes the procedures to be undertaken in response to information security incidents.

This incident response plan includes:

• Escalation procedures
• Incident severity identification and classification
• Roles, responsibilities, and communication strategies in the event of a compromise
• Containment and remediation strategies
• Communication protocols, both internally and externally
• A retrospective analysis to determine the root cause and implement improvements to incident response procedures

Monitoring and alerting

Intrro has continuous monitoring, logging, and alerting in place that will automatically escalate any issues. Depending on severity, these incidents may trigger an incident to dedicated on-call engineering 24 hours a day, 7 days a week, 365 days a year. Potential catalysts that may trigger an incident include:

• severe vulnerabilities
• vulnerabilities disclosed by a security researcher
• intrusion detections
• elevated errors, operational performance, and suspicious operations
• data breach discovery

This policy governs how security researchers should raise security concerns with us, and how we will respond.

Data security is a top priority for Intrro, and we believe that working with skilled security researchers can identify weaknesses in any technology.

If you believe you’ve found a security vulnerability in our service, please notify us; we will work with you to resolve the issue promptly.

Disclosing a weakness

• If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@intrro.com. We will acknowledge your email within ten business days.
• Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within one week of disclosure.
• Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Intrro service. Please only interact with accounts you own or for which you have explicit permission from the account holder.

Exclusions

While researching, we’d like you to refrain from:

• Distributed Denial of Service (DDoS).
• Spamming.
• Automated penetration tests or vulnerability scans.
• Social engineering or phishing of Intrro employees or contractors.
• Any attacks against Intrro’s physical property or data centers.

Intrro maintains documented Software Development Life Cycle (SDLC) policies and procedures to guide developers in implementing and documenting application and infrastructure changes.

Development environments

All code is deploy and tested in a staging (development) environment that is functionality equivalent to production environments. Intrro performs testing and quality assurance procedures in this staging environment before releasing to the production environment that is used by customers. No customer data is ever used or accessible from staging or local development environments.

Version control

Intrro employs Git version control to maintain source code versions and manage the migration of source code through the development process through to release. Using a decentralized version control allows multiple developers to work simultaneously on features, bug fixes, and new releases; it also allows each developer to work on their own local code branches in a local environment. Git maintains a history of code changes, supports rollback capabilities and tracks changes to individually identifiable developers.

All code is written, tested, and saved in a local repository before being synced to the origin repository. Writing code locally decouples the developer from the production version of the Intrro code base and insulates Intrro from accidental code changes that could affect users. Any changes involving the persistence layer (database) are performed locally when developing new code, where errors or bugs can be spotted before the change is deployed to users.

Code review

Code changes are managed and reviewed through Git pull requests. Every pull request is manually reviewed and approved by two developers before it can be merged. Automatic and integrated testing is also performed with each pull request, and all tests must pass before a code change can be merged.

Developers are trained in evaluating code for security defects as part of code review, and automatic testing is employed to test against common security defects.

Security bugs

Security bugs represent key issues and should be resolved quickly to maintain the security, confidentiality, privacy, processing integrity, and availability of the Intrro service. Intrro has SLAs in place to enforce compliance with resolving security bugs within reasonable timelines.

Intrro utilizes industry-standard practices concerning the encryption of data when stored and while in transmission. Intrro also has a documented cryptography policy that outlines the requirements for encrypting data and transmissions.

Encryption at rest

All data, including backups, is encrypted at-rest using AES-256 encryption.

Encryption in transit

Data is encrypted while moving between us and the browser with Transport Level Security (TLS) 1.2.

Secure Sockets Layer

Secure Sockets Layer (SSL) certificates are issued and managed through Amazon Web Services, and HTTP Strict Transport Security (HSTS) is enabled. 

Key management

Amazon Web Services (AWS) stores and manages data cryptography keys in its redundant and globally distributed Key Management Service (KMS). AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys.

Data retention

Deleting data

Users can delete projects and project data within Intrro if they have the correct access rights. Deleted project data is kept in a "trash" facility within the application and can be restored for up to 30 days before it is permanently deleted. It can take up to 60 days for all data to be removed from backups.

Deleting workspaces

Users can delete their entire Intrro workspace if they have the correct access rights. This will delete all data that you have provided to Intrro. It can take up to 60 days for all data to be removed from backups.

Subscription cancellation

Following the cancellation of a Intrro subscription, you will have at least 30 days to request a  download your customer data from Intrro. After this period, we have no obligation to maintain or provide any customer data to you. We may delete all customer data provided to us after this period.

Trial workspaces

If you sign up for a trial workspace, we may keep any data you input for 30 days after your trial workspace period has ended so that the data may still be available if you later sign up for a paid workspace subscription. After these 30 days all data during your trial will be permanently deleted. It can take up to 60 days for all data to be removed from backups.

To support delivery of our Services, Intrro may engage and use data processors with access to certain Customer Data or Personal Information (each, a “Subprocessor”). This page provides information about each Subprocessor. Please email security@intrro.com if you have any questions.

Amazon Web Services

• Location: Seattle, United States.
• Security certifications: Privacy Shield, ISO27001, SOC3.
• Data processed: Anonymized content, email address, IP address.
• Use: Data storage, backups, CDN, DNS, SSL, domain management, emails.

Slack

• Location: Palo Alto, United States.
• Security certifications: SOC 2, SOC 3, ISO 27001, ISO 27018, ISO 27017
• Data processed: User name, user email address, survey responses.
• Use: Customer communications.

Google Cloud

• Location: Mountain View, United States.
• Security certifications: Privacy Shield, ISO27001, SOC3.
• Data processed: User-added content.
• Use: Natural language processing.

Customer.io

• Location: San Francisco, United States.
• Security certifications: SOC 2, HIPAA, GDPR
• Data processed: User-added content (when using transcription).
• Use: Full name, job title, email address, IP address, customer communications, customer activities and analytics

Segment

• Location: San Francisco, United States.
• Security certifications: Privacy Shield, ISO 27001, ISO 27017, ISO 27018, SOC 2.
• Data processed: User name, email address, IP address, analytics.
• Use: Product analytics.

Zapier 

• Location: San Francisco, United States.
• Security certifications: SOC 2, SOC 3
• Data processed: User name, email address.
• Use: Automations of tasks 

In light of the new Standard Contractual Clauses adopted and approved by the European Commission, Intrro has revised our Data Processing Agreement to incorporate the SCCs.

In addition to our new Data Processing Agreement, we are also updating our internal privacy compliance program to meet the requirements of the new SCCs, by the 28 December 2022 deadline.

As we approach this regulatory deadline, we will communicate with our existing customers and provide information on how they can execute new agreements with the new SCCs. Existing customers contact us to enter into a new agreement that utilizes the new EU SCCs.

If you have any questions regarding data privacy and protection, the new SCCs, or our commitment to the GDPR, you can contact us.

The California Consumer Privacy Act (CCPA) gives consumers more control over the personal information that businesses collect about them.

Intrro does not currently meet the criteria described that would have the CCPA apply to our business operations. Namely because we do not:

• Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
• Derive 50% or more of our annual revenue from selling California resident's personal information.

However, we understand that some Intrro customers may want to ensure that their use of our services, and any California resident's personal information that we process on behalf on our customers, is compliant with their own obligations under the CCPA.

This page helps to clarify how we process any personal information on behalf of our customers as it relates to the CCPA.

Processing of personal information

You do not sell personal information to us. We will not:

1. Sell any personal information,
2. Retain, use, or disclose the personal information for a commercial purpose, other than for providing the services, as further described in our Master Subscription Agreement and in our Privacy Policy; and
3. further retain, use, or disclose the personal information except for business purposes or as otherwise authorized by the CCPA.

Our obligations to you

Consumer rights requests

We will provide reasonable assistance to you in facilitating compliance with consumer rights requests.

Personal information deletion

On termination, you have the option to request the return or deletion of personal information. This request must be made within 30 days of termination. We will make the data available for download by you in a machine readable format. Thereafter we will permanently delete the personal information from the live systems in any event.

Following permanent deletion from the live systems, partial data resides on the our archival and backup systems for a period of up to 14 days.

For more information, please read our data retention documentation.

Confidentiality

We will ensure that all employees, agents, officers and contractors involved in the handling of personal information are aware of the confidential nature of the personal information and are contractually bound to keep the personal information confidential.

For more information, please read about our employee confidentiality agreements.

High availability infrastructure

Intrro uses properly-provisioned, redundant infrastructure with multiple load balancers, web servers, and replicant databases in case of failure.

24 / 7 / 365 monitoring

We have continuous monitoring, logging, and alerting in place that will automatically escalate any issues to dedicated on-call engineering 24 hours a day, 7 days a week, 365 days a year.

Uptime and status

All updates regarding system uptime and status are posted to our status page. You can subscribe to be notified of updates affecting the status and uptime of the Intrro service. Historical uptime and previous incidents can be viewed on this status page. 

System maintenance

From time to time, Intrro may undertake routine scheduled maintenance to perform required upgrades to the Intrro service.

Scheduled maintenance is infrequent and we will provide at least 5 days notice before undertaking any scheduled maintenance. Scheduled maintenance notices are made available on our status page where you can subscribe to be notified of upcoming maintenance.

To minimize the affect of downtime during scheduled maintenance, we aim to perform maintenance during timeframes that are least likely to affect most customers.

Our window for scheduled maintenance is from Sunday midnight GMT to Sunday 3am GMT.

Business continuity plan

Intrro has a structured business continuity plan in place in the event of vendor and service outages that could affect business operations.

This this plan identifies:

• key resources and needs to ensure that business may continue, perhaps in a limited capacity, in the event of a disaster
• information such as key suppliers and contingency plans for any service outages
• an alternative business location if the primary Intrro office is unavailable

Disaster recovery plan

Intrro has a structured disaster recovery plan that establishes procedures to recover service operations from a disruption resulting from a disaster. The types of disasters contemplated by this plan include natural disasters, political disturbances, man-man disasters, external human threats, and internal malicious activities.

Critical systems and services

From a disaster recovery perspective, Intrro defines two categories of systems:

Non-critical systems

These are all systems not considered critical by the definition below. These systems, while they may affect the performance and overall security of critical systems, do not prevent critical systems from functioning and being accessed appropriately. Non-critical systems are restored at a lower priority than critical systems.

Critical systems

These systems host application servers and database servers or are required for the functioning of systems that host application servers and database servers. These systems, if unavailable, affect the integrity of data and must be restored, or have a process begun to restore them, immediately upon becoming unavailable.

Recovery time and recovery point objectives

Intrro aims for zero data loss and high availability, however we also understand that systems can go wrong and that such targets usually unattainable or highly expensive. As a part of our business continuity plan, we set recovery time objectives (RTO) and recovery point objectives (RPO) that aim to strike a balance between cost and benefit.

RTO is the amount of time it takes to restore Intrro during a period of unavailability. While we aim to keep this period of time as minimal as possible, there might be anticipated scenarios where it may take longer that expected. As a result, we advise a RTO within than 48 hours of failure.

RPO is the amount of time that an organisation accepts it may lose in a recovery operation. At Intrro, we perform full database backups every 24 hours and we also keep the database transaction logs. This means in an ideal scenario we can restore our database to within minutes of when service is interrupted, resulting in minimal data loss if any. Failing that, we expect to be able to restore to a full database backup. As a result, we revise a RPO of 24 hours.

Testing and rehearsal

Intrro performs coordinated testing and rehearsals of the disaster recovery plan annually. This includes a retrospective and tabletop reenactment in order to identify lessons learned and improvements to playbooks and operating procedures.

Intrro has a documented backup policy that describes how often backups occur, backup storage, and maintenance.

Database backups

All data is backed up utilizing Amazon Web Services (AWS) Relation Database Service (RDS) backup solution. RDS data is automatically backed up daily, and backups and stored for 30 days. RDS backups are encrypted at rest.

File storage

All files are stored utilizing Amazon Simple Storage Service (S3) are backed up daily. All S3 backups are stored for 30 days. S3 backups are encrypted at rest.

Logging backups

The backup period for different types of logging is described in our Logging and monitoring documentation.

Intrro has taken steps to ensure the security of the physical office environment and continuity of business operations in the event of a disaster. Intrro’s web application infrastructure, and customer data, is not located or stored within any physical Intrro office environment.

Environment

Access to Intrro's office is restricted using physical locks which only Intrro employees can access. Intrro's office remains locked throughout the entire day.

Intrro's office environment also has security safeguards including:

• Security alarms – the office building has motion alarms that alert building management who respond to alarms 24 hours a day, 7 days a week, 365 days a year.
• Security video surveillance – the internal office entry / exit points and network room have continuous video surveillance. The office building has external video surveillance and an agreement is in place with building management to access surveillance footage in the event that it is needed.
• Fire alarms and sprinkler system – fire alarms are installed throughout the office. Sprinkler fire suppression systems and extinguishers are in place.

Visitor access

All visitors must sign-in and be escorted and supervised by Intrro employee at all times.

All new employees receive onboarding and systems training. This training is completed annually by employees and training compliance is monitored.

The main topics covered in security training are:

• Social engineering – primarily phishing and how to detect and report attacks.
• Passwords – background in how passwords are cracked, why strong passwords are important, and storage recommendations for passwords.
• Physical Security – guidelines for maintaining the physical security of offices and equipment.
• Data Handling – understanding data classification and how to properly handle such data.
• Compliance – its importance and how it affects operations.

Intrro has a comprehensive set of risk management principles, policies and procedures in place to identify new business and technical risks, and put plans in place to mitigate those risks.

Risk principles

Intrro believes that effective risk management involves:

• A commitment to the security, availability, and confidentiality of Intrro infrastructure and services from senior management.
• The involvement, cooperation and insight of all Intrro staff.
• A commitment to initiating risk assessments, starting with discovery and identification of risks.
• A commitment to the thorough analysis of identified risks.
• A commitment to a strategy for treatment of identified risks.
• A commitment to communicate all identified risks to the company.
• A commitment to encourage the reporting of risks and threat vectors from all Intrro staff.

Intrro maintains a comprehensive set of organizational security policies that must be agreed to by all employees annually.

All policies are reviewed and approved by management annually. Employees who violate any policies may face disciplinary consequences in proportion to their violation.

Policies are maintained on the following topics:

• Acceptable Use Policy
• Asset Management Policy
• Backup Policy
• Business Continuity Plan
• Change Management Policy
• Code of Conduct
• Cryptography Policy
• Data Classification Policy
• Data Deletion Policy
• Data Protection Policy
• Disaster Recovery Plan
• Incident Response Plan
• Information Security Policy
• Password Policy
• Physical Security Policy
• Responsible Disclosure Policy
• Risk Assessment Program
• System Access Control Policy
• Vendor Management Policy
• Vulnerability Management Policy

A copy of these policies can be made available to Intrro Enterprise customers on request.

Intrro relies on vendors to perform a variety of services, some of which are critical for operations. Intrro aims to manage its relationship with vendors and manage the risk associated with engaging third parties to perform services.

Risk assessments

Intrro conducts due diligence on an individual vendor's security, business practices, and legal commitments. Intrro's vendor management policy provides a framework for managing the lifecycle of vendor relationships.

Data subprocessors

Intrro utilizes some vendors as data subprocessors to provide the Intrro services. Intrro takes a risk-based approach to selecting data subprocessors based on the security and business practices of these vendors. To minimize our risk and the risk to our customers, we aim to utilize as few data subprocessors as possible to provide the Intrro services.

Intrro's data subprocessors are listed at Data subprocessors.

All employee and contractor agreements include a confidentiality agreement.

All employees agree during and after employment that they will:

• refrain from disclosing confidential information
• not use confidential information for purposes other than their employment
• keep confidential information secure and not disclose or publish information except when authorized or as required by law

On termination of employment, all employees must return all confidential information and must permanently erase all confidential stored on any device.

Intrro has an asset management policy in place to protect data that is stored and accessible via endpoints, such as company workstations and laptops.

Fleet management

All corporate endpoints are protected against internal threats and local vulnerabilities AWS Systems Manager and Vanta. All devices are continuously monitored for the following checks:

• Full-disk encryption
• Screen lock enabled
• Latest security updates
• Malware detection and anti-virus
• Personal firewall enabled
• Unencrypted SSH keys
• Password management software

All corporate devices are also enrolled in mobile device management (MDM) enabling Intrro to remotely manage assets to ensure compliance with configuration standards and enabling remote lock and erase in the event of a lost or stolen device.

Network security

All corporate wireless networks, including both corporate and guest networks, encrypt data in transit using WPA2-AES encryption. Guest network traffic and access is separated from corporate network traffic and access.

Corporate networks are protected with Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) to block malicious traffic and actors attempting to access Dovetail's corporate network.

Removable media and offline backups

Intrro prohibits use of removable media and offline backups to mitigate both the risk of data loss as well as the risk of malware being introduced.

Intrro has implemented the controls for SOC 2 Type II. We expect to receive a report by May 2022 that demonstrates that Intrro has the appropriate controls in place to mitigate the risks related to security, availability and confidentiality.

A SOC 2 report is designed to meet the needs of customers who need assurance about the effectiveness of controls of a software vendor, like Intrro. The report is the outcome of an audit performed by an independent third-party firm certified by the American Institute of CPAs (AICPA). The engagement will be performed by Prescient Assurance

Intrro will be assessed against the AICPA's Trust Service Criteria of:

• Security (also known as Common Criteria)
• Availability
• Confidentiality

Our  upcoming Type II audit is the most robust type and set out to prove that we have the controls in place for a sustained period of time, exhibiting reliable and consistent safeguards in place to protect our customer's data. 

Intrro is committed to carrying out an annual SOC 2 audit.

Customers or potential customers interested in attaining a copy of our GAP assessment security report can contact us.

“Applicable Laws” means any and all governmental laws, rules, directives, regulations or orders that are applicable to a particular Party’s performance under thisDPA, which may include, as applicable, EU Data Protection Law, the California Consumer Privacy Act of 2018, sections 1798.100 through 1798.199 of the CaliforniaCivil Code (“CCPA”), and the Brazilian Federal Law 13,709 (“LGPD”).

“EEA” means the European Economic Area, which constitutes the member states of the European Union (“EU”) and Norway, Iceland and Liechtenstein, as well as for purposes of this DPA, the United Kingdom.

“EU Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to theProcessing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (ii) the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act2018 (the “UK GDPR”).

“Personal Data” means any information relating to an identified or identifiable individual or any other information defined as 'personal data' or 'personal information' under Applicable Laws.

“Security Documentation” means the security documents located at https://Intrro.com/help/categories/security/ as amended from time to time, or as otherwise made available by Intrro;

“Standard Contractual Clauses” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of4 June 2021, available here; and (ii) where the UK GDPR applies, the standard data protection clauses for processors adopted pursuant to or permitted under Article 46 of the UK GDPR(“UK SCCs”); in each case as may be amended, superseded or replaced from time to time;

“Subsidiary” means any entity that directly or indirectly controls, is controlled by, or is under common control of a party. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of a party;

“Sub-Processor” means any person or entity engaged by us (including a Subsidiary)to process Customer Personal Data in the provision of the Services to the Customer.

As used in Sections 2 through Section 11 herein, “Customer Personal Data” shall referto Customer Data comprising Personal Data of Data Subjects located in the EEA andterms such as “Data Subject”, “Processing”, “Controller”, “Processor”, “Personal Data Breach”, and “Supervisory Authority” that are defined in the GDPR.

Other capitalized terms not otherwise defined in this DPA shall have the respective meanings assigned to them in Section 1 above.

An overview of the categories of Data Subjects, types of Customer Personal Databeing Processed and the nature and purpose of the Processing is provided inAppendix 1. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data under EU Data Protection Law and this DPA, Customer isthe Controller and Intrro is the Processor. Each Party will comply with its respectiveobligations under EU Data Protection Law with respect to the Processing of Customer Personal Data.

By entering into this DPA, Customer instructs Intrro to Process Customer Personal Data: (a) to provide the Services in accordance with the features and functionality ofthe Services and related documentation; (b) to enable Customer’s authorizeduser-initiated actions on and through the Services; (c) as set forth in the Agreement and applicable Orders; and (d) as further documented by written instructions given byCustomer. Notwithstanding the foregoing, Intrro will inform Customer promptly if itbecomes aware that Customer’s instructions may violate applicable EU Data Protection Law.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood andseverity for the rights and freedoms of Data Subjects, Intrro shall in relation to Customer Personal Data implement appropriate technical and organizational measuresto ensure a level of security appropriate to that risk (including those outlined in Annex 2of this DPA, (“Security Measures”). In assessing the appropriate level of security, Intrro shall take into account the risks that are presented by Processing Customer Personal Data including, in particular, the risks presented by a Customer Personal DataBreach (as defined in Section 6). Intrro may make such changes to the Security Measures as Intrro deems necessary or appropriate from time to time, including without limitation to comply with applicable law, but no such changes will materially reduce the overall level of protection for Customer Personal Data. Intrro will take appropriate stepsto ensure compliance with the Security Measures by its employees, agents, contract or sand Sub-Processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Customer Personal Data have agreedto appropriate obligations of confidentiality.

If Intrro receives a request from a Data Subject in relation to Customer Personal Data then, to the extent legally permissible, Intrro will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. Customer hereby agrees that Intrro may confirm to a Data Subject that his or her requests relates to Customer. To the extent Customer is unable through its use of the Services to address a particular Data Subject request, Intrro will, upon Customer’s request and taking into account the nature of Customer Personal Data Processed, provide reasonable assistance in addressing the Data Subject request (provided Intrro is legally permitted to do so and that the Data Subject request was made in accordance with EU Data Protection Law). To the extent permitted by Applicable Law, Customer shall be responsible for any costs arising from Intrro’s provision of such assistance.

‍

The Controller acknowledges and agrees that:(a) subsidiaries of the Processor may be used as Sub-Processors; and(b) the Processor and its Subsidiaries respectively may engage Sub Processors in connection with the provision of the Services. As a condition to permitting a Sub-Processor to Process Customer Personal Data, Intrro or will enter into a written agreement with the Sub-Processor containing data protection obligations no less protective than those in this DPA with respect to Customer Personal Data. Subject to this Section 7, Intrro reserves the right to engage and substitute Sub-Processors as it deems appropriate, but shall:(a) remain responsible to Customer for the provision of the Services and (b) be liable for the actions and omissions of its Sub-Processors undertaken in connection with Intrro’s performance of this DPA to the same extent Intrro would be liable if performing the Services directly. Intrro’s current list of Sub-Processors is available at https://Intrro.com/help/data-subprocessors/.During the term of this DPA, the Intrro shall provide the Customer with at least 14 days notification, via email (or in-application notice), of any changes new Sub- Processor(s)who may process Customer Personal Data before authorizing any new or replacementSub-Processor(s) to process Customer Personal Data in connection with the provision of the Services. If the Customer objects to a new or replacement Sub-Processor within14 days of such notice, and Intrro is unable to take corrective steps to exclude suchSub-Processor, then the either party may terminate the Agreement with respect to those Services which cannot be provided by the Intrro without the use of the new or replacement Sub- Processor. Intrro will refund the Customer any prepaid fees covering the remainder of the Term of the Agreement following the effective date of termination with respect to such terminated Services. If the Customer does not provide a timely objection notice with respect to a new Sub-Processor, Customer will be deemed tohave authorized Intrro to use of the Sub-Processor and to have waived its right to object. Intrro may use a new or replacement Sub- Processor while the objection procedures under this Section 7 are in process.

The Controller acknowledges and agrees that:

(a) subsidiaries of the Processor may be used as Sub-Processors; and

(b) the Processor and its Subsidiaries respectively may engage Sub Processors in connection with the provision of the Services.

As a condition to permitting a Sub-Processor to Process Customer Personal Data, Intrro or will enter into a written agreement with the Sub-Processor containing data protection obligations no less protective than those in this DPA with respect to Customer Personal Data. Subject to this Section 7, Intrro reserves the right to engage and substitute Sub-Processors as it deems appropriate, but shall:(a) remain responsible to Customer for the provision of the Services and (b) be liable for the actions and omissions of its Sub-Processors undertaken in connection with Intrro’s performance of this DPA to the same extent Intrro would be liable if performing the Services directly.

Intrro’s current list of Sub-Processors is available here.

During the term of this DPA, the Intrro shall provide the Customer with at least 14 days notification, via email (or in-application notice), of any changes new Sub- Processor(s)who may process Customer Personal Data before authorizing any new or replacementSub-Processor(s) to process Customer Personal Data in connection with the provision of the Services. If the Customer objects to a new or replacement Sub-Processor within14 days of such notice, and Intrro is unable to take corrective steps to exclude suchSub-Processor, then the either party may terminate the Agreement with respect to those Services which cannot be provided by the Intrro without the use of the new or replacement Sub- Processor. Intrro will refund the Customer any prepaid fees cover ingthe remainder of the Term of the Agreement following the effective date of termination with respect to such terminated Services. If the Customer does not provide a timely objection notice with respect to a new Sub-Processor, Customer will be deemed to have authorized Intrro to use of the Sub-Processor and to have waived its right to object. Intrro may use a new or replacement Sub- Processor while the objection procedures under this Section 7 are in process.

Where required by EU Data Protection Law, Intrro will allow Customer (directly or through a third-party auditor subject to written confidentiality obligations) to conductan audit of Intrro’s procedures relevant to the protection of Customer Personal Data to verify Intrro’s compliance with its obligations under this DPA. In such case, any audit conducted under this DPA shall consist of examination of the most recent reports, certificates and/or extracts prepared by an independent auditor bound by confidentiality provisions similar to those set out in the Agreement. In the event that provision of the same is not sufficient under EU Data Protection Law, the Customer may at its own expense conduct a more extensive audit which will be:

(a) limited in scope to matters specific to the Customer and agreed in advance with the Intrro;

(b) carried out during EU business hours and upon reasonable notice which shall be not less than 4 weeks unless an identifiable material issue has arisen; and

(c) conducted in a way which does not interfere with the Intrro’s day-to-daybusiness;

(d) undertaken no more than once in any 12-month period, except where required by a competent Supervisory Authority or where an audit is required due to a Customer Personal Data Breach.

To that end and before the commencement of any such audit, Customer and Intrro shall mutually agree upon the audit’s participants, schedule and scope, which shall in no event permit Customer or its third-party auditor to access the Services’ hosting sites, underlying systems or infrastructure. Representatives of Customer performing an audit shall protect the confidentiality of all information obtained through such audits in accordance with the Agreement, may be required to execute an enhanced mutually agree able nondisclosure agreement and shall abide by Intrro’s security policies while on Intrro’s premises. Upon completion of an audit, Customer agrees to promptly furnish to Intrro any written audit report or, if no written report is prepared, to promptly notify Intrro of any non-compliance discovered during the course of the audit. Customer shall reimburse Intrro for its time expended in connection with an audit at Intrro’sthen-current professional service rates, which shall be made available to Customer upon request and shall be reasonable taking into account the time and effort required by Intrro.

Intrro will provide Customer with reasonable cooperation, information and assistance as needed to fulfill Customer’s obligation under EU Data Protection Law, including as needed to carry out a data protection impact assessment related to Customer’s use of the Services (in each case to the extent Customer does not otherwise have access to the relevant information, and such information is in Intrro’s control). Without limiting the foregoing, Intrro shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section to the extent required by EU Data Protection Law.

Customer may delete Customer Personal Data using the functionality provided by the Services. For certain deletions, a recovery feature is offered by Intrro to enable recovery from accidental deletions for up to 30 days. This recovery period may be overridden by Intrro upon request by Customer. After any recovery period, Intrro will permanently delete the Customer Personal Data from the live systems. On termination of any applicable Order, the Customer has the option to request the return or deletion of Customer Personal Data. This request must be made within 30 days of termination. Intrro will make the data available for download by the Customer using functionality provided by the Services in a machine-readable format. Thereafter the Intrro will permanently delete the Customer Personal Data from the live systems in any event. Following permanent deletion of Customer Personal Data from the live systems, partial data resides on the Intrro’s archival and backup systems for a period of up to 14 days.

Subject to the terms and conditions of the Agreement and EU Data Protection Law,Intrro currently makes available the Standard Contractual Clauses as a transfer mechanism. The Standard Contractual Clauses apply to any transfer of CustomerPersonal Data under this DPA from the EEA to a country which is not deemed tohave Adequacy (to the extent such transfers are subject to EU Data Protection Law).The Standard Contractual Clauses and the terms of this Section 11 apply to the legalentity that executed the Standard Contractual Clauses as “data exporter” and its Participating Affiliates, all of which shall be deemed “data exporters.” For the purposes of the EU SCCs:

(i) the module two (controller to processor) terms shall apply to the extent Customer is a Controller of Customer Personal Data and the module three (processor to processor) terms shall apply to the extent Customer is a Processor of the Customer Personal Data;

(ii) Clause 9, Option 2 of the applicable module of the EU SCCs shall apply and Intrro may engage Sub-Processors as described in Section 7 of this DPA;

(iii) in Clause 11, the optional language shall be deleted;

(iv) the audits described in Clauses 8.3 and 8.9 of the applicable module of the EU SCCs shall be carried out as set out in and subject to the requirements of Section 8 of this DPA;

(v) pursuant to Clauses8.5 and 16(d), upon termination of this DPA, Customer Personal Data will be returned and/or destroyed in accordance with Section 11 of this DPA;

(vi) in Clause17, Option 1 shall apply and the EU SCCs shall be governed by Irish law;

(vii) in Clause 18(b), disputes shall be resolved before the courts of Ireland;

(viii) the Annexes of the EU SCCs shall be populated with the information set out in the Annexes to this Addendum. For the purposes of the UK SCCs:

(ix) the Appendices or Annexes of the UK SCCs shall be populated with the relevant information set out in the Annexes to this Addendum; and

(x) the UK SCCs shall be governed by the laws of and disputes shall be resolved before the courts of England and Wales. If and to the extent the Standard Contractual Clauses conflict with any provision of this Add end um regarding the transfer of Customer Personal Data from Customer to Intrro, the Standard Contractual Clauses shall prevail to the extent of such conflict.

As used in this Section 12, “Commercial Purpose”, “Consumer”, “Persona lInformation”, “Sell”, and “Service Provider” have the meanings assigned to them in the CCPA.

If Customer Data comprises Personal Data subject to the CCPA (“CCPA Covered Data”), Intrro is the Service Provider and, consistent with the requirements of the CCPA, shall not (a) Sell the CCPA Covered Data or (b) retain, use or disclose the CCPA Covered Data: (i) for any purpose, including any Commercial Purpose, other than for the specific purpose of providing and supporting the Services or (ii) outside of the Parties’ direct business relationship. Intrro certifies that it understands these restrictions and will comply with them. Customer acknowledges nothing in this Paragraph removes or lessens Customer’s obligations with respect to Personal Data under the Agreement or this DPA.

Customer will be responsible for responding to Consumer requests in relation to CCPA Covered Data (each, a “Consumer Request”). If Intrro receives a Consumer Request then, to the extent legally permissible, Intrro will advise the Consumer to submit the Consumer Request to Customer, and Customer agrees that Intrro may confirm to a Consumer that the Consumer Request relates to Customer. To the extent Customer is unable through its use of the Services to address a particular Consumer Request, Intrro will, upon Customer’s request and taking into account the nature of the CCPA Covered Data, provide reasonable assistance in addressing the Consumer Request(provided Intrro is legally permitted to do so and that Customer has verified the request in accordance with the CCPA).

If Customer Data comprises Personal Data subject to the LGPD (“LGPD Covered Data”), then Customer Personal Data, as the term is used in Sections 2 through 10 ofthis DPA above, shall be deemed to include LGPD Covered Data.

Without limiting its responsibilities under the Agreement, Customer is solely responsible for: (a) Account Data, Customer Credentials (including activities conducted with login credentials), and Customer Data, subject to Intrro’s Processing obligations under the Agreement and this DPA; (b) providing any notices required by Applicable Laws to, and receiving any required consents and authorizations required by Applicable Laws from, persons whose Personal Data may be included in Account Data, Customer Credentials, and Customer Data; and(c) ensuring no Personal Data relating to criminal convictions and offenses (GDPRArticle 10) are submitted for Processing by the Services. Further, no provision of this DPA includes the right to, and Customer shall not, directly or indirectly, enable any person or entity other than its authorized users to access and use the Services or use(or permit others to use) the Services other than as described in the applicable Order, the Agreement and this DPA, or for any unlawful purpose.

Each Party’s (and each of its Affiliate’s) liability taken together in the aggregate, arising out of or related to this DPA, including without limitation under the StandardContractual Clauses, whether in contract, tort, or under any other theory of liability, issubject to the limitation of liability provisions of the Agreement, except to the extentsuch liability cannot be limited under Applicable Law.

Unless earlier terminated as provided herein, this DPA shall terminate automatically together with termination or expiry of the Agreement

This DPA may be executed in counterparts, each of which shall be deemed anoriginal, but all of which together shall be deemed to be one and the sameagreement. Delivery of an executed counterpart of a signature page to this DPA byfax or by email of a scanned copy, or execution and delivery through an electronic signature service (such as Panda Doc), shall be effective as delivery of an original executed counterpart of this DPA.

List of Parties

Data exporter(s)

• Name: The Customer entity identified in the Agreement or on an applicable Order
• Address: The Customer’s address specified on the Order.
• Contact person’s name, position and contact details: The Customer’s contact nominated for receiving notifications, as set forth above in the DPA.
• Activities relevant to the data transferred under the Standard Contractual Clauses:
  The data exporter is a customer of the data importer and utilizing the data importer’s services as described in more detail in the Agreement
• Role (controller/processor): Controller and/or Processor.

Data importer(s)

• Name: Intrro Holding a proprietary limited company registered in USA with USA Business Number (ABN) 84 615 270 025.
• Address: 256 Chapman Road STE 105-4, Newark, New Castle, 19702.
• Contact person’s name, position and contact details: Nasser Oudjidane, Chief Executive Officer, nasser@Intrro.com
• Activities relevant to the data transferred under these Clauses: The data importer is providing certain services to the data exporter, as described in more detail in the Agreement.
• Role (controller/processor): Processor.

Description of the Transfer

Categories of data subjects:

Individuals about whom data is uploaded to the Services by (or at the direction of) the data exporter or by its authorized users, Subsidiaries, and other participants whom the data exporter has granted the right to access the Services in accordance with the provisions of the Agreement.

Categories of personal data:

The Personal Data transferred may include but is not limited to the following categories of data:

Any data uploaded to the Services by (or at the direction of)the data exporter or by its authorized users, Subsidiaries and other participants whom the data exporter has granted the right to access the Services in accordance with the provisions of the Agreement.

Sensitive data transferred (if applicable) and applied restrictions or safeguards:

Special categories of data, if any, may be uploaded to the Services, by (or at the direction of) the data exporter or by its authorized users, Subsidiaries and other participants whom the data exporter has granted the right to access the Services in accordance with the provisions of the Agreement, in compliance with Applicable Law, and may include:

• race or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade-union membership;
• health;
• sex life; and
• sexual orientation.

Frequency of the transfer (the term of the Agreement):

At data exporter’s discretion in using the Services, during

Nature of the processing:

Customer Personal Data transferred will be processed in accordance with the Agreement and any Order, and may be subject to the following basic processing activities:

(a) Customer Personal Data will be processed to the extent necessary to provide the Services in accordance with both the Agreement and the data exporter’s instructions. The data importer processes Personal Data only on behalf of the data exporter. Processing operations include, but are not limited to the provision of the Services– this operation relates to all aspects of Personal Data processed.

(b) Technical support, issue diagnosis and error correction to ensure the efficient and proper running of the system sand to identify, analyze and resolve technical issues both generally in the provision of the Services and specifically in answer to a data exporter query. This operation may relate to all aspects of Personal Data processed but will be limited to metadata where possible.

(c) URL scanning for the purposes of the provision of targeted threat protection and similar service which maybe provided under the Agreement. This operation relates to attachments and links in emails and will relate to any Personal Data within those attachments or links which could include all categories of Personal Data.

(d) Disclosures in accordance with the Agreement, as compelled by Applicable Law.

Purpose(s) of the data transfer and further processing:

Personal Data is processed for the purposes of providing the Services in accordance with the Agreement and any applicable Order.

Period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

Personal Data will be retained until termination or expiry of the Agreement, in accordance with Section 10 of this DPA.

Competent Supervisory Authority

Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2)without however having to appoint a representative pursuant to Article 27(2) of Regulation(EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located shall act as competent supervisory authority.

Technical and Organizational Measures

Data importer has implemented and will maintain the technical and organizational security measures identified in the Security Documentation, which is posted to: https://Intrro.com/help/categories/security/.

These security measures are applicable to Customer Personal Data processed in the Services.

List of Sub-Processors

The data exporter has authorized the use of the Sub-Processors identified in Section 7 of the DPA.

This document is designed to help Intrro customers and users understand, and where applicable, comply with the General Data Protection Regulation (“GDPR”). The GDPR is the most significant change to European data privacy legislation in the last 20 years and went into effect on May 15, 2018.

GDPR is designed to give European Union (“EU”) citizens more control over their data and seeks to unify a number of existing privacy and security laws under one comprehensive law.

Intrro has made information security and data privacy foundational principles of everything we do, and we recognize the importance of adhering to regulations to advance information security and data privacy for citizens of the EU.

We follow GDPR principles, including explicit consent, purpose limitation, security, the right to be forgotten, and more. You can read our Privacy Policy to learn more about how we use and safeguard privacy and data.

We appreciate that our customers have requirements under the GDPR that are directly impacted by their use of our services. Below are several GDPR initiatives that have been implemented across our services.

GDPR strengthens rights of data subjects in many ways by including rights to request access to, correct, restrict, object, and/or erase personal data processed about them. Intrro has put a process in place to support data subject access requests that we receive which will assist our clients with compliance in supporting the right to object, and the rights of access, rectification and erasure.

GDPR places a much higher threshold on controllers that rely on consent as a basis for processing personal data. It will be dependent on our clients to determine the purpose and means of processing and to ensure it provides instruction on the lawful processing of personal data it sends to Intrro. For your employees that refuse to allow their personal data to be processed or withdraw their consent and you have no other lawful reason to process their data, we can try and offer alternative ways to use our services. This way, employees have a genuine choice without jeopardizing their ability to realize the value of their awards. For data which Intrro receives directly from your employees, Intrro has updated its Privacy Policy which can be found here.

GDPR implements new notification requirements on both controllers and processors for data breaches that lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data. While Intrro has a comprehensive Incident Response Policy in place already, we have updated this Policy to align with the new notification requirements which will ensure that we can update our clients without undue delay, to further allow our clients to meet their obligations under GDPR in the unlikely event of a personal data breach.