Data Privacy Policy

At S2W Media, your privacy matters to us. This policy details how we manage your data using our unique S2W Media Methodology, a framework built on strong Data practices, strict Compliance, and Seamless Execution. 

1. DEFINITIONS AND INTERPRETATION

1.1 Capitalized terms have the meanings set out in Article 4 GDPR. In addition: 

  • Data Protection Laws” means the GDPR, UK GDPR, Swiss FADP, and any other data protection or privacy law applicable to the Processing (e.g., CAN-SPAM, CASL, and U.S. state privacy laws, as applicable). 
  • Company Personal Data” means Personal Data Processed by S2W Media on behalf of the Company under the Principal Agreement. 
  • Subprocessor” means any third party engaged by S2W Media that Processes Company Personal Data. 
  • Services” means S2W Media’s performance-marketing and lead generation services as described in the Principal Agreement (including content syndication, tele-qualification, email delivery, and related analytics/QA). 

2. PROCESSING OF COMPANY PERSONAL DATA

2.1 Role of the Parties. The Company is the Controller; S2W Media is the Processor. 
2.2 Documented Instructions. S2W Media shall Process Company Personal Data only on documented instructions from the Company, including with respect to international transfers, unless required by applicable law. If S2W Media is required by law to Process Personal Data beyond the Company’s instructions, it will notify the Company unless prohibited by law. 
2.3 Lawfulness. The Company is responsible for establishing a lawful basis for Processing and providing all required notices to Data Subjects. S2W Media will promptly inform the Company if it believes an instruction infringes Data Protection Laws. 
2.4 Nature and Purpose. Processing is for the purpose of delivering the Services, including: audience targeting and outreach for content offers; lead capture and validation; tele-verification and qualification (e.g., BANT/BANT+ where applicable); email delivery; campaign analytics/QA; and programmatic awareness on brand-safe inventory. 

 

3. PROCESSOR PERSONNEL AND CONFIDENTIALITY

3.1 Access is limited to personnel who need it to perform the Services and who are bound by appropriate confidentiality obligations. S2W Media trains relevant personnel on data protection and acceptable use. 

4. SECURITY (ARTICLE 32 GDPR)

4.1 S2W Media shall implement and maintain appropriate technical and organizational measures (“TOMs”) designed to protect Company Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including as appropriate: 
(a) Access Controls: role-based access; least privilege; MFA on administrative systems. 
(b) Network/Application Security: encryption in transit (TLS); secure file transfer (e.g., SFTP) for lists and deliverables. 
(c) Data Integrity/Quality: multi-layer QA for lead data, including automated and manual checks. S2W Media uses internal tools and third-party email validation services (e.g., ZeroBounce, NeverBounce) to validate deliverability and reduce bounces. 
(d) Operational Security: separation of environments; change management; vulnerability remediation practices. 
(e) Business Continuity: backup and recovery processes proportionate to Services. 
(f) Vendor/Supplier Management: Subprocessor due diligence and contractual controls. 
(g) Tele-verification QA: standardized scripts; monitored dispositions; internal QA reviews. 
4.2 S2W Media will regularly review the TOMs and may update them provided the overall level of protection is not materially diminished. 
4.3 At the Company’s written request, S2W Media will provide a summary of its TOMs and answer reasonable security questionnaires relating to the Services. 

 

5. SUBPROCESSING

5.1 Authorization. The Company authorizes S2W Media to engage Subprocessors reasonably necessary for the Services. A current list by category is provided in Annex C (and may be updated from time to time). 
5.2 Processor Obligations. S2W Media will impose data protection terms on each Subprocessor that are no less protective than those set out in this Agreement. S2W Media remains responsible for its Subprocessors’ performance. 
5.3 Notice of Changes. S2W Media will notify the Company of any intended changes to Subprocessors that materially affect the Processing, providing the Company an opportunity to object on reasonable, data-protection grounds. 

6. DATA SUBJECT RIGHTS

6.1 Assistance. Taking into account the nature of the Processing, S2W Media will assist the Company by appropriate technical and organizational measures to respond to requests to exercise rights under Data Protection Laws (e.g., access, deletion, restriction, objection). 
6.2 Requests Received Directly. If S2W Media receives a Data Subject request relating to Company Personal Data, it will promptly notify the Company and will not respond except on the Company’s documented instructions or as legally required. 

 

7. PERSONAL DATA BREACH

7.1 Notification. S2W Media will notify the Company without undue delay (and in any event promptly after confirmation) upon becoming aware of a Personal Data Breach affecting Company Personal Data. The notification will include details reasonably available to S2W Media at the time to assist the Company in meeting its breach-notification obligations. 
7.2 Cooperation. S2W Media will take reasonable steps to mitigate the effects of the breach and will reasonably cooperate with the Company’s investigation and remediation efforts. 

 

8. DATA PROTECTION IMPACT ASSESSMENTS AND CONSULTATION

8.1 S2W Media shall provide reasonable assistance to the Company with data protection impact assessments and prior consultations with supervisory authorities, in each case solely with respect to the Processing of Company Personal Data and the information available to S2W Media. 

 

9. RETURN AND DELETION

9.1 Upon cessation of the Services (or sooner upon the Company’s written request), S2W Media will delete or return Company Personal Data and delete existing copies within ten (10) business days, unless retention is required by law. Certificates of deletion will be provided upon written request. 
9.2 Aggregated/Anonymized Data. This section does not prohibit S2W Media from retaining and using de-identified or aggregated data that does not identify a Data Subject and cannot be re-identified, for statistical reporting and service improvement, provided such data contains no Personal Data. 

10. AUDITS AND INFORMATION

10.1 Upon written request no more than once annually (or following a material security incident), S2W Media will make available information necessary to demonstrate compliance with this Agreement and will allow for an audit by the Company or a mutually agreed third-party auditor, subject to reasonable confidentiality, scheduling, scope, and time limitations. Remote audits and review of security documentation are preferred where feasible. 

 

11. INTERNATIONAL TRANSFERS

11.1 S2W Media will not transfer Company Personal Data outside its originating jurisdiction unless authorized by the Company and subject to appropriate safeguards under Data Protection Laws (e.g., the EU 2021 Standard Contractual Clauses; the UK IDTA/Addendum; Swiss addenda, as applicable). Annex D applies to such transfers. 
11.2 On request, S2W Media will execute the applicable transfer mechanism(s) with the Company or provide a link to signed SCCs incorporated by reference into this Agreement. 

 

12. CONFIDENTIALITY; NOTICES

12.1 Each Party shall keep confidential all Confidential Information received from the other under or in connection with this Agreement, except as required by law. 
12.2 Notices under this Agreement shall be in writing and sent to the contacts set out above (or as otherwise notified in writing). 

 

13. GOVERNING LAW AND JURISDICTION

13.1 This Agreement is governed by the laws of New York, USA, without regard to conflict of laws rules. 
13.2 Any dispute shall be submitted to the state or federal courts located in New York County, New York, USA, and the Parties consent to such courts’ personal jurisdiction. 

 

ANNEX A – DETAILS OF PROCESSING 

A1. Subject Matter and Duration 
Subject matter: Processing of B2B contact data for demand generation and related Services. 
Duration: For the term of the Principal Agreement and any data-return/deletion period in Section 9. 

A2. Nature and Purpose 
• Content syndication and lead capture (including landing page forms on S2W-operated content hubs such as TechContentHub, MarketingContentHub, HRContentHub, and FinanceContentHub). 
• Tele-verification/qualification and campaign QA. 
• Email delivery and follow-up to fulfill content requests and confirm interest/consent where applicable. 
• Programmatic awareness and audience engagement on brand-safe inventory (S2W does not sell data). 
• Reporting and analytics for performance and pacing. 

A3. Types of Personal Data (primarily business contact data) 
• Name, employer, business title/role, department/function, seniority. 
• Business contact details (corporate email, office phone, business mobile where permitted), work location, company domain. 
• Professional interests/intent indicators derived from engagement with customer content (e.g., asset downloads, form fields, topic selection) and S2W campaign interactions (e.g., tele-verification dispositions, email engagement metadata). 
• Technical metadata associated with campaign fulfillment (e.g., timestamps, user agent, IP region/country for fraud prevention/geo validation). 

A4. Special Categories; Children’s Data 
• No special categories are intended to be Processed. No children’s data is targeted. 

A5. Data Subjects 
• Business professionals employed by the Company’s target accounts; the Company’s prospects and customers; and the Company’s personnel (limited to necessary operational contacts). 

 

ANNEX B – TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs) 

B1. Organization of Information Security 
• Designated privacy/security lead; policies covering data handling, acceptable use, and incident response. 

B2. Access and Authentication 
• Role-based access; MFA for privileged access; unique user IDs; immediate revocation on role change/termination. 

B3. Data in Transit/At Rest 
• Encryption in transit (TLS) for web and file transfer; encrypted storage where supported by underlying platforms. 

B4. Data Quality and Validation 
• Multi-layer QA prior to delivery; automated checks and manual verification. Use of third-party validation tools (e.g., ZeroBounce, NeverBounce) to improve email deliverability. 

B5. Operational/Physical Security 
• Secure office access controls for locations where data may be accessed; secure cloud-based systems for Processing and storage. 

B6. Development and Change Management 
• Changes tested prior to release; separation of production and non-production data. 

B7. Monitoring and Incident Response 
• Logging of access/events in key systems; defined incident response playbooks with customer notification workflows. 

B8. Business Continuity/Disaster Recovery 
• Backups and recovery procedures proportionate to the Services; periodic testing. 

B9. Vendor/Supplier Management 
• Risk-based due diligence; DPAs with Subprocessors; periodic reviews. 

 

ANNEX C – AUTHORIZED SUBPROCESSORS (CATEGORIES + ILLUSTRATIVE EXAMPLES) 

Note: S2W Media owns and operates its audience data and does not sell data. Subprocessors support service delivery and QA. 

  • Email Validation Services (e.g., ZeroBounce; NeverBounce) – verify deliverability and reduce hard bounces.
    Program Management/Workflow Tools (e.g., Enhancio) – quality assurance, pacing, and campaign tracking.
    Marketing/Engagement Platforms or Integrations (as applicable to a campaign) – used to fulfill content requests and manage communications as directed by the Company. 
    Cloud Hosting and Infrastructure Providers – secure hosting of applications and data. 
    Security/Monitoring Tools – protect service infrastructure. 

A complete, up-to-date Subprocessor list is available to customers upon request and may be updated with notice pursuant to Section 5. 

 

ANNEX D – INTERNATIONAL TRANSFERS AND STANDARD CONTRACTUAL CLAUSES 

D1. EU/EEA Transfers 
• Where the Company Personal Data is transferred outside the EEA, the Parties agree the EU Commission’s 2021 Standard Contractual Clauses (Controller-to-Processor) are incorporated by reference and will apply as the transfer mechanism unless an alternative valid mechanism is agreed in writing. 

D2. UK and Switzerland 
• For UK transfers, the UK IDTA or the ICO’s Addendum to the EU SCCs will apply. For Swiss transfers, the Swiss addendum or equivalent mechanism will apply. 

D3. Additional Measures 
• S2W Media implements technical and organizational measures as described in Annex B and will reasonably cooperate with the Company’s transfer impact assessments. 

 

 

>