Data Privacy & Security Plan

1. Outline how you will implement applicable data security and privacy contract requirements over the life of the Contract.

GameSalad follows security best practices including regular security review, training, and encryption of data in motion and at rest. Where available, access to third-party systems has 2FA enabled.

2. Specify the administrative, operational and technical safeguards and practices that you have in place to protect PII.

GameSalad encrypts data in motion and at rest. Employee administrative interfaces do not show non-email PII by default.

PII usage is optional and the client is given options for use of the platform without providing PII.

3. Address the training received by your employees and any subcontractors engaged in the provision of services under the Contract on the federal and state laws that govern the confidentiality of PII.

Employees receive quarterly training on cybersecurity best practices.

4. Outline contracting processes that ensure that your employees and any subcontractors are bound by written agreement to the requirements of the Contract, at a minimum.

Employee policy includes the need to comply with contracts.

5. Specify how you will manage any data security and privacy incidents that implicate PII and describe any specific plans you have in place to identify breaches and/or unauthorized disclosures, and to meet your obligations to report incidents to the EA.

Security incidents are verified and reported via email within 48 hours of the company being informed of or discovering the breach.

If the investigation continues after 48 hours, the customer will be informed of the extent of the breach and the data included as soon as possible.

Systems have alerts that automatically notify system admins of unusual activity, and all such activity is investigated.

6. Describe how data will be transitioned to the EA when no longer needed by you to meet your contractual obligations, if applicable.

In most cases data will not be transitioned but erased. If data is requested, it will be transferred via secure FTP or an expiring Dropbox link, as per agreement with the requester.

7. Describe your secure destruction practices and how certification will be provided to the EA.

No special security measures are in place for data destruction. Accounts are deactivated and PII is removed from database records. PII will not be removed from database backups due to infeasibility, but data backups have a rotation schedule ensuring eventual full deletion.

8. Outline how your data security and privacy program/practices align with the EA's applicable policies.

The company regularly evaluates the alignment of its security practices with the NIST CSF v1.1 security framework.