LoginRadius offers comprehensive solutions to help businesses achieve effective GDPR compliance. By providing robust identity and access management tools, LoginRadius ensures that user data is handled securely and transparently. The platform facilitates user consent management, data subject rights, and secure data storage, empowering organizations to meet GDPR requirements efficiently. With LoginRadius, companies can enhance their data protection strategies while maintaining user trust and confidence in their privacy practices.
EBOOK

LoginRadius and GDPR Compliance

LoginRadius is helping businesses across the world to obtain GDPR compliance. How is your business preparing to manage your customers’ data under the new regulation?
The LoginRadius Customer Identity and Access Management gives you access to the products and features that you need to easily allow for building customer consent and control into every step of your customer journey.

The General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, and applies to any business that processes or stores the personal data of EU residents. Companies that fail to achieve compliance could be fined up to 4% of annual revenue or €20,000,000 (whichever is greater). According to Gartner, 80% of affected businesses will not be in compliance by the end of 2018. That is why LoginRadius has developed a methodology to determine your company’s readiness as well as products and features to keep your company compliant.

Chart description: This chart outlines the LoginRadius products and capabilities that are being leveraged to ensure data privacy and compliance for every one of our 3,000+ customers.

© LoginRadius Inc. | Confidential Information
LoginRadius GDPR Compliance:

GDPR Section: Article 7: Customer Consent

GDPR Requirement/Overview: 7(1) Consent Documented. Businesses must provide records of the customer’s consent, including the conditions under which each customer has given their consent and the specific purpose for which consent was obtained.
For example:
When creating new accounts: A customer clicks a “Register Now” button, creates a new account and clicks to accept TOS
When reaccepting updated TOS: A customer logs out, later logs back in and is asked to accept new TOS
When opting in or out: A customer clicks into “My Account” and opts in or out of newsletters, events or other available options

LoginRadius Compliance: LoginRadius obtains and stores the user data gathered via the end-to-end registration and login process as evidence of user consent. The data includes user registration data, TOS acceptance and email preferences. LoginRadius customers can attach any information pertaining to permissions/consent to a customer’s account through the use of a ‘Custom Field’ or ‘Custom Object’ when the customer agrees to terms of service. The LoginRadius platform allows you to customize how this permission/consent is given or obtained based on your UI.
GDPR Section: Article 7: Customer Consent

GDPR Requirement/Overview: 7(2) Consent. Consent must be explicit and unambiguous and must be obtained for each different processing activity. If the subject’s consent for one matter is presented amongst other matters, the request must be clearly distinguishable from the rest and presented in clear, intelligible language. Any part of such a declaration which constitutes an infringement of this regulation shall not be binding.

LoginRadius Compliance: LoginRadius’ registration functionality can be customized and implemented as needed. LoginRadius provides 100% customized registration forms with built-in UI and UX parameters as well as a UI builder, with extensible markup language and REST API access. It allows LoginRadius’ customers to obtain explicit and unambiguous consent for each user. This consent includes:
• A lawful basis for data processing
• Privacy policy and Terms of Service acceptance
• Email consent for marketing and account preferences
Clients can also easily customize registration forms based on regional requirements and languages.

GDPR Section: Article 7: Customer Consent

GDPR Requirement/Overview: 7(3) Right to Withdraw Consent. Customers must be able to easily withdraw consent for the collection or processing of their personal data at any time. The data subject has the right to withdraw their consent for processing at any time, and the withdrawal of consent must be as easy to withdraw as it is to give.

LoginRadius Compliance: Through LoginRadius’ Identity Management platform, clients can easily allow their customers to manage their consent at any time to change or withdraw their permission settings. These changes are made in real-time and instantly reflected within the Client database.
GDPR Section: Article 8: Conditions Applicable to a Child’s Consent in Relation to Information Society Services

GDPR Requirement/Overview: The GDPR prohibits businesses from collecting and processing the personal data of minors without the express consent of a parent or guardian. The regulation defines the age of consent as 16 within the EU, and not below 13 elsewhere. Individual Member States can legislate to change the age threshold – although the threshold can never drop below 13 years of age. Businesses are required to make reasonable efforts to verify the age of online users before processing their data, taking into account available technology.

LoginRadius Compliance: The LoginRadius platform provides several age validation options to verify the user’s age. Customers can add the age field to the standard registration form and use it as a criterion to stop the registration process for users below the legal age of consent in their country. This can also be accomplished through data gathering with LoginRadius’ social login product whereby persons under the restricted age would have limited access to the site and their personal data would not be requested or recorded. A third method would be to leverage the Roles, Permissions, and Relationship functions to manage access, giving guardians the right to limit a child’s access. LoginRadius also offers out-of-the-box COPPA compliance that will prevent any user under the age of 13, as indicated by his or her date of birth, from completing registration.
GDPR Section: Article 15: Right of Access by Data Subject

GDPR Requirement/Overview: Customers must be able to view, export and edit their personal data at any time. Customers have the right to be provided with information about all personal data stored by the applicable businesses. Customers have the right to obtain information as to whether their data is being processed for the purposes for which it was collected.

LoginRadius Compliance: Through LoginRadius’ Profile Editor, customers can quickly and easily access their consent preferences and change or withdraw consent at any time. Additionally, LoginRadius serves as a centralized consent management platform, as integrations with email service providers and marketing automation solutions are all synced to LoginRadius. This means that any changes to opt-outs on third-party applications are reflected on the customer’s LoginRadius profile as well. All personal data related to a customer, including the processing of that data, can be easily accessed and exported in easy-to-read and manageable formats, edited, and separated from other users’ data by default. Without LoginRadius’ customer identity platform, a client would be forced to gather information and unify a customer profile from across disconnected digital tools.
GDPR Section: Article 16: Right to Rectification

GDPR Requirement/Overview: Customers must be able to easily change profile and opt-in preferences or correct inaccurate information stored by any business on their behalf. Customers must also be able to request that changes be made to their profiles and preferences by the business on their behalf, in a reasonable amount of time and via a simple communication method such as email.

LoginRadius Compliance: The LoginRadius Platform includes a User Management Dashboard console for companies to administer the profile and preferences of their customers. A client administrator can easily search and make edits to any customer account upon request from that customer. These settings can also be updated by the customer themself, via the user account preferences page within the company’s website. Third party platform integrations such as Email & Marketing Automation tools are bi-directional, facilitating updated records as per customer requests.

GDPR Section: Article 17: Right to Be Forgotten

GDPR Requirement/Overview: Customers have the “Right to be Forgotten”. That is, have their personal data erased by the business, for reasons that include:
• The information is no longer necessary to fulfill the purposes for which it was originally collected
• The customer withdraws consent for the business to perform the activity for which the processing is based
• The customer objects to the purpose for personal data processing and the business cannot provide compelling, legitimate grounds to continue doing so
• The customer’s personal data was collected or processed unlawfully
• The customer’s personal data must be erased in order to comply with a legal obligation of that person’s country of origin

LoginRadius Compliance: LoginRadius provides a ‘delete’ mechanism for customer accounts that can be included on customer forms based on the Client UI. This function can be initiated through:
• User action taken within Account Preferences
• A REST API
• The LoginRadius Dashboard so that administrators can delete customer accounts upon request. This process is instantaneous.

GDPR Section: Article 18: Right to Restriction of Processing

GDPR Requirement/Overview: Customers have the right to request that businesses freeze processing of their personal data for any of the following reasons:
• The customer contests the accuracy of their personal data. In this case, processing of the customer’s personal data must cease for the period required to verify the accuracy of the information
• Personal data processing is deemed unlawful and the customer requests that their data be frozen rather than deleted
• The business is no longer processing the customer’s personal data, but the customer requires that the personal data continue to be stored by the business to establish, exercise or defend legal claims
• The customer has objected to processing of their personal data. In this case, the personal data should not be processed until the business’ grounds for processing are verified as either legitimate or illegitimate
Businesses are also required to inform customers before beginning the processing of personal data after a restriction is lifted.

LoginRadius Compliance: The LoginRadius Platform provides customers with functionality to easily block or freeze any user account. This functionality can be initiated by:
• User action taken within Account Preferences
• A REST API
• The LoginRadius Dashboard so that administrators can block or freeze any user accounts upon request. This process is instantaneous.

GDPR Section: Article 20: Right to Data Portability

GDPR Requirement/Overview: Customers have the right to receive the personal data concerning them in a structured, easily-read format and have the right to transfer that data directly to another controller without hindrance.

LoginRadius Compliance: The LoginRadius platform gives clients the ability to include the option for customers to download their personal data in a legible industry standard format.
GDPR Section: Article 28 (3)(G): Deletion of Inactive Data

GDPR Requirement/Overview: The GDPR requires that businesses purge a customer’s personal data if the customer deletes their profile, or if that profile has been inactive for a predetermined amount of time. All copies of such data must be purged as well, unless otherwise specified by law. Associated data must also be purged from any third-party technologies, such as CRM or ESP solutions.

LoginRadius Compliance: The LoginRadius platform gives clients the ability to customize scripts to automatically delete customer records that have been inactive for a predetermined amount of time. This period of time can be customized to meet regional requirements.

GDPR Section: Article 32: Security of Processing

GDPR Requirement/Overview: The processor shall assure technical and organizational measures of security appropriate to the level of risk relating to the encryption of personal data, insurance of data confidentiality, and a process of regular testing for the effectiveness of the security of processing.

LoginRadius Compliance: LoginRadius has partnered with Deloitte to provide world-class security for our clients’ data, both at rest and in transit. LoginRadius systems are frequently audited to ensure customer data is protected to the highest standard.
GDPR Section: Article 29: Pseudonymisation

GDPR Requirement/Overview: The GDPR introduces a new concept in European data protection law – “pseudonymization” – for a process rendering data neither anonymous nor directly identifying. Pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. Pseudonymization, therefore, may significantly reduce the risks associated with data processing, while also maintaining the data’s utility. For this reason, the GDPR creates incentives for controllers to pseudonymise the data that they collect. Although pseudonymous data is not exempt from the Regulation altogether, the GDPR relaxes several requirements on controllers that use the technique.

LoginRadius Compliance: LoginRadius offers encryption in-transit and at-rest. This ensures the data of the customer is protected at every point and cannot be attributed to that customer without the proper access and/or encryption key, which is stored separately and without connection or reference to the customer data itself.
Organisations need to keep records of all personal data, be able to prove that consent was given, show where the data’s going, what it’s being used for, and how it’s being protected.”

If companies don’t comply, they could face penalties of 20 million euros or up to 4 percent of annual global turnover (whichever is greater).

About LoginRadius

LoginRadius is a leading provider of cloud-based Customer Identity and Access Management solutions for mid-to-large sized companies. LoginRadius’ solution serves over 3,000 businesses with a monthly reach of 650 million users worldwide. The company has been named as an industry leader in the CIAM space by Gartner, Forrester, KuppingerCole, and Computer Weekly.

LoginRadius’ platform helps companies deliver a connected customer experience, create an integrated marketing ecosystem, and centralize customer data to define a unified profile and better manage their customer identities. Some of the key products include customer registration services, social login, profile management, integration with third party marketing applications, user management, customer insights, and more. The company is headquartered in Vancouver, Canada, with additional offices in the USA and India.
LoginRadius is a leading provider of cloud-based Customer Identity and Access Management solutions for mid-to-large sized companies. The LoginRadius solution serves over 3,000 businesses with a monthly reach of over 1 billion users worldwide. ©Copyright, LoginRadius Inc. All Rights Reserved.