NUALO’s Data Protection and Acceptable Use Policy

NUALO’s Data Protection Policy ("DPP") governs the treatment (e.g., receipt, storage, usage, transfer, and disposition) of the data collected, stored and retrieved through NUALO’s  APIs. This Policy supplements the NUALO  API License Policy and your Brand Partner Agreement and you are bound by its conditions. Failure to comply may result in suspension or termination of API Service access.

Definitions

"Application" means any software, application (‘App’), website, widget or other electronic interface with the Program Materials (i.e., the  APIs).

"NUALO  Participant" means any person or entity enrolled in, or who provides services relating to, NUALO .

"NUALO Information" means any information that is exposed by NUALO through the Program Materials.

"Developer" means any person or entity (including you, the Brand Partner) that uses the APIs for the purpose of integrating or enhancing a NUALO Participant’s use of   features and functionality permitted by NUALO to be accessed through the APIs.

"Program Materials'' means the application program interface, and related software, software development kits, libraries, databases, documentation, sample code and related materials, NUALO makes available for use in connection with NUALO . The Program Materials allow NUALO  Participants to access NUALO  through a website or other online point of presence owned and operated by you.

"Security Incident" means any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption, or loss of NUALO Information, or breach of any environment (1) containing NUALO Information; or (2) managed by a Developer with controls substantially similar to those protecting NUALO Information.

 General Security Requirements

Consistent with industry-leading security standards--including, but not limited to, the California Consumer Privacy Act, the EC/EU Data Protection Directive, Canada’s Personal Information Protection and Electronic Documents Act and other requirements as specified by NUALO governing the classification and sensitivity of NUALO Information, Developers will maintain physical, administrative, and technical safeguards, and other security measures (i) to maintain the security and confidentiality of NUALO Information accessed, collected, used, stored, or transmitted by a Developer, and (ii) to protect that information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing. Without limitation, the Developer will comply with the following requirements:

1.         Network Protection. Developers must implement sufficient network protection controls (Security Groups, credential validation, network firewalls, etc.) to deny access to unauthorized IP addresses; moreover, public access must be restricted only to approved users.

2.         Access Management. Developers must assign a unique ID to each person with access--via computer or other digital device--to NUALO Information. Developers shall not create or use generic, shared, or default login credentials or user accounts. Developers shall implement baselining mechanisms to ensure that at all times only the required user accounts access NUALO Information. Developers must review the list of people and services with access to NUALO Information on a regular basis (at least once every 60-90 days), and remove accounts that no longer require access. Developers must restrict developer employees from storing NUALO data on any personal device. Developers will maintain and enforce "account lockout" by detecting anomalous usage patterns and log-in attempts, and disabling accounts with access to NUALO Information as needed.

3.         Encryption in Transit. Developers must encrypt all NUALO Information in transit (e.g. using HTTP over TLS (HTTPS) when the data traverses a network; or is otherwise sent between hosts). Developers must enforce this security control on all applicable external endpoints used by customers as well as internal communication channels (e.g., data propagation channels among storage layer nodes, connections to external dependencies) and operational tooling. Developers must disable communication channels which do not provide encryption in transit even if unused (e.g., removing the related dead code, configuring dependencies only with encrypted channels, and restricting access credentials to use of encrypted channels). Developers must use data message-level encryption (e.g., using a client-side encryption library) where channel encryption (e.g. AES-256) terminates in untrusted multi-tenant hardware (e.g., untrusted proxies).

4.         Incident Response Plan. Developers must create and maintain a plan and/or runbook to detect and handle Security Incidents. Such plans must identify the incident response roles and responsibilities, define incident types that may impact NUALO, define incident response procedures for defined incident types, and define an escalation path and procedures to escalate Security Incidents to NUALO. Developers must review and verify the plan every six (6) months and after any major infrastructure or system change. Developers must investigate each Security Incident, and document the incident description, remediation actions, and associated corrective process/system controls implemented to prevent future recurrence (if applicable). Developers must maintain the chain of custody for all evidence or records collected, and such documentation must be made available to NUALO on request (if applicable).

Developers must inform NUALO (via BP HUB Help Desk) within 24 hours of detecting any Security Incidents. Developers cannot notify any regulatory authority, nor any customer, on behalf of NUALO unless NUALO specifically requests in writing that the Developer do so. NUALO reserves the right to review and approve the form and content of any notification before it is provided to any party, unless such notification is required by law, in which case NUALO reserves the right to review the form and content of any notification before it is provided to any party. Developers must inform NUALO within 24 hours when their data is being sought in response to legal process or by applicable law.

5.         Request for Deletion or Return. Developers must promptly (but within no more than 72 hours after NUALO's request), permanently and securely delete (in accordance with industry-standard sanitization processes, e.g., NIST 800-88) and/or return all NUALO Information upo--and in accordance with--NUALO's notice requiring deletion and/or return. Developers must also permanently and securely delete all live (online or network accessible) instances of NUALO Information within 90 days after NUALO's notice. If requested by NUALO, the Developer will certify in writing that all NUALO Information has been securely destroyed.

6.         Audit. Developers shall maintain all appropriate books and records reasonably required to verify compliance with the Data Protection Policy and Agreement during the period of the Agreement and for 12 months thereafter. Upon NUALO's written request, Developers must certify in writing to NUALO that they are in compliance with these policies.

Upon request, NUALO may, or may have an independent certified public accounting firm selected by NUALO, audit and inspect the books, records, facilities, operations, and security of all systems that are involved with a Developer's application in the retrieval, storage, or processing of NUALO Information. Developers must cooperate with NUALO or NUALO's auditor in connection with the audit, which may occur at the Developer's facilities and/or subcontractor facilities. If the audit reveals deficiencies, breaches, and/or failures to comply with our terms, conditions, or policies, the Developer must, at its sole cost and expense, and take all actions necessary to remediate those deficiencies within an agreed-upon timeframe.

 Acceptable Use Policy

The Acceptable Use Policy clarifies the appropriate use of NUALO  APIs. In addition to the NUALO  API Agreement, registered users of the NUALO  APIs (“Developers”) must comply with the following policies. Failure to comply may result in loss of program benefits and/or suspension or termination of  API access.

APIs are for Developers who wish to help a NUALO Brand Partner create, manage, and track their fulfillment of Brand Partner products of services, and/or other efforts with NUALO. Use APIs only to perform acceptable NUALO  Participant activities, and only for NUALO  Participants who have authorized you to perform these activities on their behalf. Do not facilitate or promote violation of NUALO  agreements, e.g., the NUALO  Agreement, the Fulfilment by NUALO Agreement or any Program-Specific Terms (the “Applicable Terms”), directly or indirectly. If you discover that a NUALO  Participant is using your service to violate the Applicable Terms, notify NUALO and block the NUALO  Participant's access to your Application. Keep up to date on NUALO policies that pertain to specific APIs or specific functionality that your tools and application provide.

In order to maintain Transparency, all Developers and Brand Partners shall:

1. Be clear and honest with NUALO about what data you are accessing and for what purpose.

2. Be explicit about any calculations and the use of models such as artificial intelligence in the service you provide, their accuracy, and data freshness.

In maintaining Transparency, all Developers and Brand Partners shall NOT:

1. Falsely advertise any tool or service.

2. Attempt to deceive NUALO Participants through deliberate modification of Program Materials, including NUALO  data.

In addition, as a Developer or Brand Partner, you must:

1. Comply with all applicable laws including data privacy and data protection laws (e.g., GDPR, CCPA, ECDPD, etc.).

2. Provide availability, performance, and support for your tool or service required to successfully perform the business task.

3.  Identify and mitigate any negative NUALO  Participant impact before launching new features, especially for business-critical tasks.

4.  Design your tool or service to respect API throttling quotas.

5.  Implement data integrity and validation checks within your tool or service for any analytical processing (e.g., AI models for insights, automated decision-making) that has material impact on a NUALO  Participant’s campaigns or business.

As a Developer or Brand Partner, you must NOT:

1. Use, offer, or promote external (non-NUALO) data services that vend NUALO data, including data retrieved from NUALO's public-facing websites.

2. Offer tools or services that infringe on the copyrights, patents, or trademarks of others.

3. Share any keys or passwords.

4. Ask for or accept a NUALO  Participant’s access credentials for any purpose.

5. Act only on behalf of NUALO or a Customer where NUALO has granted you permission through third-party authorization.

6. Apply for keys that you will not use. NUALO will periodically baseline access keys. Keys that do not make a successful call in 90 days will be deleted and the Developer will need to re-apply for keys.

7. Request or share access credentials for NUALO  interfaces and services (e.g., log-in credentials for the  Console). If necessary, ask the NUALO Participant to grant access through a secondary user permission, but do so only if the  Console or Digital signal processing (DSP) is required to provide features or services that benefit the NUALO  Participant.

Moreover, your responsibilities as a Developer or Brand Partner regarding data usage, sharing and access require that you:

1. Do not request access to or retrieve information that is not necessary for your tool’s or service’s functionality.

2.  Only grant access to data on a "need-to-know" basis within your organization and among your tool’s or service’s users.

3. Do not attempt to circumvent throttling quotas through the creation of multiple accounts within the same region.

4. Do not disclose information, individually labeled or aggregated, obtained through  APIs on behalf of a NUALO  Participant, to other tool or service users or any outside parties, unless required by law.

5.  Do not calculate or publish insights about the health of NUALO's business.

6.  Comply with the Data Protection Policy, which provides specific requirements on the receipt, storage, usage, transfer, and disposition of the data accessed through  APIs.