Tribelocal Data Processing Addendum
[Date Effective: May 25, 2018]

Please read the Data Processing Addendum (“DPA”) carefully as they form a contract between You (“Customer”) and Us (“Tribelocal”). As referenced in the Tribelocal Terms of Service (“Terms”), this DPA will apply where We and Our Group Companies are processors of EU personal data. The capitalized terms used in this DPA but not defined herein shall have the same meaning as defined in the Terms. In the event of a conflict between this DPA and the Terms, this DPA shall prevail.
THIS DPA INCLUDES:
Standard Contractual Clauses, attached hereto as EXHIBIT 1.

1. Appendix 1 to the Standard Contractual Clauses, which includes specifics on the Personal Data transferred by the data exporter to the data importer.
2. Appendix 2 to the Standard Contractual Clauses, which includes a description of the technical and organizational security measures implemented by the data importer as referenced.

1. Definitions
In this DPA, the following terms shall have the following meanings:

a) “controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”), and “special categories of personal data” shall have the meanings given in Applicable Data Protection Law;
b) “Applicable Data Protection Law” shall mean: (i) prior to 25 May 2018,the EU Data Protection Directive (Directive 95/46/EC); and (ii) on and after 25 May 2018, the EU General Data Protection Regulation (Regulation 2016/679)
c) “Tribelocal” means REPORT GARDEN, Inc.; and
d) “Standard Contractual Clauses” means the clauses attached hereto as Exhibit 1 pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

2. Relationship of the parties.
Customer (the controller) appoints Tribelocal as a processor to process the personal data forming part of the Service Data (the “Data”) for the purposes described in the Terms (or as otherwise agreed in writing by the parties) (the “Permitted Purpose”). Each party shall comply with the obligations that apply to it under GDPR.

3. Prohibited data.
Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to Tribelocal for processing.

4. International transfers.
Tribelocal will transfer the Data outside of the European Economic Area (“EEA”) in compliance with the Standard Contractual Clauses (Exhibit 1).

5. Confidentiality of processing.
Tribelocal shall ensure that any person it authorizes to process the Data (an “Authorised Person”) shall protect the Data in accordance with Tribelocal’s confidentiality obligations under the Terms.

6. Subprocessors.
Customer consents to Tribelocal engaging third-party subprocessors to process the Data for the Permitted Purpose provided that:

1. Tribelocal maintains an up-to-date list of its subprocessors at https://Tribelocal.com/sub-processors, which it shall update with details of any change in subprocessors prior to any such change;
2. Where personal data is shared with the subprocessors, Tribelocal engages with only GDPR compliant tools; and
3. Tribelocal remains liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor.

Customer may object to Tribelocal’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Tribelocal will either not appoint or replace the subprocessor or, if this is not possible, Customer may suspend or terminate the Terms (without prejudice to any fees incurred by Customer prior to suspension or termination).

7. Cooperation and data subjects’ rights.
Tribelocal shall provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to:

1. any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, erasure and data portability, as applicable); and
2. any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data.

In the event that any such request, correspondence, enquiry or complaint is made directly to Tribelocal, Tribelocal shall promptly inform Customer providing full details of the same.

8. Data Protection Impact Assessment.
If Tribelocal believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall inform Customer and provide reasonable cooperation to Customer (at Customer’s expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.

9. Security.
The processor shall implement technical and organizational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data (a “Security Incident”).

10. Security incidents and Data Breach.
If Tribelocal becomes aware of a confirmed Security Incident, it shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfill any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Tribelocal shall further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.

11. Disposal of Customer Data.
Upon the termination of Customers’ access to and use of the Service, Tribelocal will up to fifteen (15) days following such termination permit the customer to export its Service Data, at customers’ expense, in accordance with the capabilities of the Service. Following such period, Data Processor shall destroy all Service Data stored or processed by Tribelocal on behalf of the customer. In case the customer requires Tribelocal to delete the Personal Data, this will be done in accordance with Tribelocal’s data retention and disposal policies and procedures. Customer expressly consents to such deletion.
This requirement shall not apply to the extent that Tribelocal is required by applicable law to retain some or all of the Data, or to Data it has archived on backup systems, which Data Tribelocal shall securely protect from any further processing except to the extent required by such law.

12. Audit.
Customer acknowledges that Tribelocal may be audited for technical, legal or taxation purposes. This may require Tribelocal to share some personal data with the auditor, which will be bound by confidentiality clauses.

EXHIBIT 1
EU MODEL CONTRACT CLAUSES
Date Effective: May 25, 2018

The Clauses (including Appendices 1, 2, and 3) are effective from May 25, 2018 or before, as and when (i) a valid Tribelocal Online Customer Agreement is made available; (ii) a valid Data Protection Addendum is made available; and (iii) customer accepted these Clauses. “Tribelocal Online Customer Agreement” means the Tribelocal Online Customer Agreement entered into with REPORT GARDEN, Inc. Tribelocal Online Customer Agreement includes Cookie Policy, Privacy Policy, Terms of Service and Data Processing Addendum, referred to as “Entire Agreement” in Terms of Service. “Data Processing Addendum” means terms agreed between the parties that set forth certain terms in relation to the protection and processing of personal data.

Standard Contractual Clauses (Processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Name of the data exporting organisation: __
Address: __
Tel. __ ; fax __ ; e-mail: __
Other information needed to identify the organisation
__
(the data exporter)
And
Name of the data importing organisation: REPORT GARDEN, INC
Address: 1013, CENTRE ROAD, SUITE 403-B, WILMINGTON, DELAWARE 19805, U.S.A
Tel. +1 855-777-8436 e-mail: [email protected]
Other information needed to identify the organisation:
__
(the data importer)
each a ‘party’; together ‘the parties’,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1
Definitions
For the purposes of the Clauses:

1. ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
2. ‘the data exporter’ means the controller who transfers the personal data;
3. ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
4. ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
5. ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
6. ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3
Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:

1. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State
2. that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
3. that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
4. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
5. that it will ensure compliance with the security measures;
6. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
7. to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
8. to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
9. that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
10. that it will ensure compliance with Clause 4(a) to (i).

Clause 5
Obligations of the data importer
The data importer agrees and warrants:

1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
2. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
3. that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
4. that it will promptly notify the data exporter about:
   1. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
   2. any accidental or unauthorized access; and
   3. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
5. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
6. at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
7. to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
8. that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
9. that the processing services by the subprocessor will be carried out in accordance with Clause 11;
10. to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6
Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
   The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7
Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
   1. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
   2. to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8
Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9
Governing law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11
Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12
Obligation after the termination of personal data-processing services

1. The parties agree that on the termination of the provision of data-processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the Data Exporter:
Name (written out in full):
Position:
Address:
Other information necessary in order for the contract to be binding (if any):

Signature……………………………………
On behalf of the Data Importer: REPORT GARDEN, INC.
Name (written out in full): M Ashwani Chandra
Position: Privacy Officer
Address: 1013, Centre Road, Suite 403-B, Wilmington, Delaware, 19805, U.S.A
Other information necessary in order for the contract to be binding (if any):
Signature

Appendix 1 to the Standard Contractual Clauses
Details of Processing

This Appendix forms part of the Clauses. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

A. Data exporter
Data exporter is the Data controller. The data exporter is the Customer, as defined in the Tribelocal Customer Terms of Service (“Agreement”). Data exporter is the Data controller.

B. Data importer
Data importer is the Data processor. The data importer is Tribelocal, a digital marketing agency platform that helps online advertisement agencies create performance reports, invoices, manage campaign budgets, site audits and various other features that are provided on the application.

C. Data subjects
The personal data transferred concern the following categories of data subjects:

1. Users (data exporters), and
2. Customers of users (as input by users

D. Subject-Matter and Nature of the Processing
The subject-matter of Processing of Personal Data by Processor is the provision of the services to the Controller that involves the Processing of Personal Data. Personal Data will be subject to those Processing activities as may be specified in the Agreement.

E. Categories of data
The personal data transferred concern the following categories of data:

1. Contact Details: First Name, Last Name, Phone number, Profile picture
2. Transactional Data: Card details, Shipping address, Billing address
3. Digital Data: Email address, IP Address, Browse Information, Cookies and tracking pixels
4. Client-contact Details: First name, Last name, email, phone number, job title
5. Requestor data: Name, email, phone number and the details as provided by the requestor
6. Email conversations: User details, company details, attachments, location, contact details as provided by the customer via emails
7. Call and Screen recordings: Any information provided on calls with internal teams such as user’s profile information, company information
8. Integration-specific Application data: Account Number, Account Token, Account User ID
9. Social content: Facebook/Instagram user id and email, posts, personal information from instagram profile personal information

F. Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data: N/A

G. Processing operations
The personal data transferred will be subject to basic processing activities for the following activities:

1. Billing and Invoices – To maintain a record of all the transactions and the deal details between the customer and Tribelocal
2. User Experience and Design – Screen recordings to visualize the user experience while customers use the application for our learning on user onboarding and experience and to improve their experience.
3. Marketing – To show advertisements and send marketing materials to the customers for services and/or features they have expressed interest in.
4. Presales and Sales – To contact the customer for sharing product details, scheduling demos, reminders, etc.
5. After-sales Support – To support customer onboarding, training, troubleshooting and issue resolution
6. Any data processing required to offer the services and provide product and new feature updates

Appendix 2 to the Standard Contractual Clauses
Security Measures

Introduction: Tribelocal considers protection of Customer Data a top priority. As further described in these Security Measures, Tribelocal uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration or disclosure of Customer Data stored on systems under Tribelocal’s control.

1. Trusted Infrastructure
Tribelocal is a unified software for marketing agencies. Our application allows agencies to focus on their marketing strategies while Tribelocal focuses on Client Reporting & Management, Prospects Management, Lead generation, Budgets monitoring and many more. This Page gives an overview of application performance and how security is designed into the Tribelocal software. Tribelocal host it services on Heroku which is a network isolated, dedicated runtime environments for enhanced privacy, power, and performance. This infrastructure provides secure integration of clients accounts, secure storage of data with end-user privacy safeguards, secure encryption of passwords and two-factor authentication, secure and private communication with customers, and safe operation by administrators.
We will describe the security of this application in progressive layers starting from the physical and network security, continuing on to how the hardware and software that underlie the infrastructure are secured, and finally, describing the technical constraints and processes in place to support the performance of the application.

2. Reliability
Tribelocal’s computing platform assumes ongoing hardware failure, and it uses robust software failover to withstand disruption. All Tribelocal systems are inherently redundant by design, and each subsystem is not dependent on any particular physical or logical server for ongoing operation. Data is replicated multiple times across Heroku dynos(third party) so that, in the case of a machine failure, data will still be accessible through another system. We also replicate data to secondary data centers in different seismic and geographic zones to ensure protection from data center failures.
Tribelocal’s services are designed to scale to hundreds of thousands of users. We run multiple different performance tests, including load testing our applications under high load over a long period, to observe effects on factors, such as memory use and response time. Tribelocal also performs stress testing to examine system performance in unusual situations, including system functional testing while under unusually heavy loads, heavy repetition of certain actions or inputs, or input of large numerical values and large, complex queries to a database system.

3. Privacy
We do everything in our power to protect agencies from attempts to compromise their data. We vigorously resist any unlawful attempt to access or block access to our customers’ data, whether it be from a hacker or any malicious software. Whether it is an integration or client’s contact, Tribelocal does not own that data.
That means two key things:

• We use your information for the purposes specified in the policy, such as delivering you the service for which you pay.
• You have control over your data. We provide you with options to delete and export your data so that you can take your data with you at any time.

Tribelocal may only access data in your account in strict compliance with our Privacy Policy and customer agreement. For purposes of providing technical support, an administrator from your domain may choose to grant the Tribelocal Support team permission to access accounts in order to resolve a specified issue.

4. Application Security
SECURE ACCESS
Tribelocal servers can be accessed only via HTTPS using Comodo SSL Certificate. We use industry-standard encryption for data traversing to and from the application servers.
XSS
All user inputs are properly encoded when displayed to ensure XSS vulnerabilities are avoided.
CSRF
All POST requests are checked for CSRF token before processing the request.
SQL INJECTION
Tribelocal interacts with a database through ActiveRecord. The default and convenient Object Relational Mapping (ORM) layer which provides abstraction, safety and allow developers to avoid manually building SQL queries.
Tribelocal also uses Brakeman which is an open source static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
ENCRYPTED DATA STORAGE
Tribelocal does not store any sensitive details on it’s network. We store sensitive details in our database in an encrypted form.

5. Physical and Network Security
We use Heroku, Amazon’s AWS platform and infrastructure for Tribelocal. Here are more details about security setup of AWS, Heroku.
CLOUDFLARE
We use Cloudflare for increasing internet pressures. Cloudflare is a web performance and security company. Cloudflare’s WAF, DDoS protection, and SSL defend website owners and their visitors from all types of online threats.
a. CLOUDFLARE WAF
Cloudflare’s enterprise-grade web application firewall (WAF) detects and block common application layer vulnerabilities at the network edge, utilizing the OWASP Top 10, application-specific and custom rulesets. It has two-factor authentication so that the accounts get an added layer of login security, ultimately adding another layer of security to our website.
b. CLOUDFLARE IPF
Cloudflare IP Firewall avoids the most common security attacks which run over a public network, such as the Internet.
c. CLOUDFLARE RATE LIMITING
Rate Limiting protects critical resources by providing fine-grained control to block or qualify visitors with suspicious request rates.
d. CLOUDFLARE DDoS MITIGATION
DDos Mitigation resists the impact of distributed denial-of-service (DDoS) attacks on networks attached to the Internet by protecting the applications, websites, and APIs from malicious traffic targeting network and application layers and maintains the performance and availability.

6. Monitoring
Ensuring the availability of Tribelocal application is just as important as protecting them from malicious requests. We have a dedicated team working 24/7 for application monitoring. We use both internal and multiple external monitoring services to monitor Tribelocal. Our monitoring system will alert our team through emails and phone calls if there are any errors or abnormality in the request pattern. We take utmost care in picking the right external tools and here are the four tools which are woven together to monitor Tribelocal application 24 hours.
SCOUT
Tribelocal uses Scout which is a Rails monitoring app for serving: the performance metrics, a layer of analysis, and a generous helping of workflow improvements. These features reduce the stress on us in identifying the root cause of Rails app performance woes.
ROLLBAR
Tribelocal uses Rollbar which is a real-time, full-stack error monitoring and debugging tool for developers used to monitor the impact of our code changes and measures the performance, track errors and analyze our application. It integrates with GitHub to link stack traces to the underlying source code, correlate exceptions to code changes, and create GitHub issues allowing us to manage errors in the existing workflow.
INSTRUMENTAL
Tribelocal uses Instrumental for sending metrics and building graphs to monitoring servers and services. It serves us,

1. System & Service Monitoring
2. Application Monitoring

LIBRATO
Tribelocal uses Librato for monitoring and understanding the metrics that impact the software at all levels of the stack.

7. Vulnerability scanning and audits
Third party security testing of the Heroku application is performed by independent and reputable security consulting firms. Findings from each assessment are reviewed by the assessors, risk ranked and assigned to the responsible team.
Tribelocal undergoes penetration tests, vulnerability assessments, and source code reviews to assess the security of the application, architecture, and implementation. Our third-party security assessments cover all areas of our platform including testing for OWASP Top 10 web application vulnerabilities and customer application isolation. Tribelocal works closely with external security assessors to review the security of the platform and applications and applies the best practices. We also hold open bug bounty programs which allows the security researchers, report a vulnerability on Tribelocal application as long as the vulnerability is discovered without using intrusive testing techniques.

8. Performance
Tribelocal offers a 99.99% app uptime and 99.99% API uptime. Furthermore, Tribelocal hardly has downtime or maintenance windows. To minimize service interruption due to hardware failures, natural disasters or other incidents, Tribelocal, takes the data backup and save in a different server in a different and highly redundant availability zone. In case our server downs, we spin the server in an hour.

9. Indemnity Clauses
Tribelocal ensures that its platform and services do not inadvertently cause its customers to breach intellectual property rights and other laws. Our indemnification rules are governed by our Terms of Service and Privacy Policy which can be read on the given links.

10. Employee Screening and Policies
As a condition of employment, all Tribelocal employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies.

11. Disclosure
We are working continuously to make our system secure. If you find any security issues, please submit it to [email protected]. We take security as our highest priority. We will make sure the issue is fixed and updated at the earliest.