IX Privacy & Security

Summary of Compliance Efforts

Index Exchange is committed to protecting the privacy and data of our clients, partners and consumers. We’ve established an internal compliance team to ensure business is conducted in accordance with international regulations and recognized best practices. The compliance team minimizes organizational risk by establishing standards, policies and procedures across the company. Adherence to policies and procedures is enforced through regular audits via both internal and external parties.

JICWEBS – Digital Trading Standards Group Certificate (DTSG)

The JICWEBS DTSG UK Good Practice Principles can be found here.

General Data Protection Regulation (GDPR)

GDPR is a new EU privacy regulation that will be enforced effective May 25, 2018, replacing the existing 95/46/EC Directive on Data Protection of 24 October 1995. Index Exchange is strengthening policies and processes to align with the regulation’s requirements.

Data protection is of the utmost importance to Index Exchange. As a part of our effort to bring greater trust and transparency to the programmatic ecosystem, Index Exchange is formalizing a Privacy by Design framework whereby we will conduct data privacy impact assessments (DPIAs) for new products and updates to existing products.

We regularly conduct due diligence assessments to evaluate the business processes and data security safeguards of our vendors and partners. Currently, we are evaluating our contracts with clients and partners and issuing addendums as required to ensure protection of the rights of individuals and to confirm legal and legitimate transfer of data outside of the European Union (EU).


When will the GDPR take effect?
GDPR will be effective and enforceable on May 25, 2018.

How is personal data defined under GDPR?
Personal data is any information that may be used to directly or indirectly identify a natural person, such as user ID and location data. A pivotal change under GDPR is that any online identifiers, including cookie data and IP addresses, are now considered personal data. However, anonymous data (data where no individual can be identified) is not regulated by GDPR.

Do you have to comply with GDPR even if you do not have an establishment in the EU?
Yes. Any entity that offers goods or services to subjects in the Union and collects data on these subjects must adhere to the regulations.

Does Index Exchange transfer any data outside of the EU?
Yes. Data is primarily stored at our Toronto, Canada data center. Data transferred internally is governed with the use of standard data protection clauses. Any applicable publisher-approved sub-processing is controlled with data protection agreements (DPAs).

For more information about privacy rights, security initiatives and the responsibilities placed on businesses including Index Exchange, please contact us.