
Criteo API Terms and Conditions

Version 2.0, March 2025

These Criteo API Terms and Conditions (“API Terms”) are an agreement between the person or legal entity detailed in your Criteo API account registration ("you", “your” or "Partner") and Criteo Technology SAS with an address at 32 rue blanche, Paris, France ("Criteo"), and relate to Your use of Criteo's Application Programming Interfaces ("APIs"). Criteo and Partner each may be referred to as a "Party", and together, the "Parties".

Use of the APIs is conditional on your acceptance of these API Terms and is complementary to any services, data provision or any other agreement you may have with Criteo or with any Criteo Affiliate (“Main Agreement”). Should there be any conflict between these API Terms and the Main Agreement, the terms of the Main Agreement shall prevail.

By clicking "I confirm" you are agreeing to these API Terms. If Partner is a corporate entity, by accepting these API Terms, you represent and warrant that you are authorized to legally bind Partner and enter into these API Terms on Partner's behalf. If you do not, or do not have authority to, accept these API Terms, you may not access and use the APIs.

In consideration of the mutual promises contained in these API Terms and other good and valuable consideration, which the Parties acknowledge, it is agreed that:

1. DEFINITIONS

1.1. In these API Terms, the following words and expressions shall have the following meanings unless the context requires otherwise:

"Affiliate" means, in relation to a Party, any entity that directly or indirectly controls, is controlled by, or is under common control with that Party.

"API Terms" means these terms and conditions, additional terms that may be subsequently and expressly agreed between the Parties and any terms, policies, exhibits or guidelines as made available by Criteo in relation to the APIs.

"Applicable Laws" means all applicable laws, statutes, and regulations from time to time in force.

"Criteo Materials" means all documents, information, items and material in any form, whether owned by Criteo or a third party, that are provided by Criteo to you in connection with the APIs.

"Data" means all data made available via the APIs.

"Data Protection Laws" means any and all applicable international, national, federal and state laws and regulations relating to data protection and privacy, including but not limited to: (a) the General Data Protection Regulation (“EU GDPR”), (b) the UK Data Protection Act (“UK GDPR”), (c) the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act of 2020, (d) the Virginia Consumer Data Protection Act (“VCDPA”), (e) the Colorado Privacy Act (“CPA”), (f) the Connecticut Data Privacy Act (“CTDPA”), (g) the Utah Consumer Privacy Act (“UCPA”), (h) the Oregon Consumer Privacy Act (“OCPA”), (i) the Texas Data Privacy and Security Act (“TDPSA”), (j) the Montana Consumer Data Privacy Act (“MTCDPA”), (k) Delaware Personal Data Privacy Act, (l) Iowa Consumer Data Protection Act, (m) Nebraska Data Privacy Act, (n) New Hampshire Data Privacy Act, (o) New Jersey Data Privacy Law, (p) the Korean Personal Information Protection Act (“PIPA”); each as implemented in each jurisdiction, and any amending or replacement legislation (or similar) from time to time. For the sake of clarity, Data Protection Laws also include all legally binding requirements issued by the competent data protection authorities i) governing the processing and security of information relating to individuals and providing rules for the protection of such individuals’ rights and freedoms with regard to the processing of data relating to them, ii) specifying rules for the protection of privacy in relation to data processing and electronic communications, or iii) enacting rights for individuals which are enforceable towards organizations with respect to the processing of their personal data, including rights of access, rectification and erasure. Any Data Protection Law listed herein only applies to the Partner to the extent this is provided for under the criteria set by law.

"Effective Date" means the date you accept these API Terms.

"Intellectual Property Rights" means any and all patent rights and inventions (whether patentable or not), design rights, copyright (including rights in computer software), database rights, trademarks, trade names, business names, domain names, and expertise.

1.2. Words in the singular shall include the plural and vice versa and use of any gender includes all genders.


2. ACCOUNT REGISTRATION

2.1. In order to access and use the APIs, you are required to register an account with Criteo. You represent and warrant that the information provided at registration is true, accurate and current and you shall update Criteo in the event of any changes.

2.2. Criteo reserves the right to validate account registration information with you and you will cooperate with any reasonable request coming from Criteo. Furthermore, Criteo reserves the right to remove access to any part or all of the APIs, Data and/or your account after registration in Criteo's sole discretion at any time and for any reason.


3. ACCESS AND USE OF THE APIS

3.1. Subject to your compliance with these API Terms, Criteo may make the APIs available to you as further detailed at developers.criteo.com. Criteo may also make Criteo Materials available to you. You acknowledge that Criteo may modify, change or discontinue temporarily or permanently the APIs or Criteo Materials at any time.

3.2. You may use the APIs to develop, test and support "apps" and shall comply with the latest technical requirements and specifications Criteo may make available in writing from time to time. Depending on your use of the APIs, you may be required to enter into supplemental terms and conditions.

3.3. Your access to the Criteo developer dashboard will be regulated by a username and password. Your access to the APIs will be regulated by a client key and client secret or as otherwise detailed at developers.criteo.com. You are responsible for the use and storage of your personal and confidential passwords and credentials and shall immediately notify Criteo in writing of any loss or involuntary disclosure. As between Criteo and you, you shall have all responsibility for all activities that may occur using your username and password. Criteo shall have no responsibility for any unauthorized use of your account.

3.4. Upon set-up and creation of your app, you shall select the relevant Criteo platform to which you require access, to whom access should be given (which may include yourself) and the functionalities to be made available in your app via the APIs.

3.5. API access and functionality are dependent upon approval of the relevant third party, as further detailed at developers.criteo.com. Criteo shall facilitate an approval mechanism in relation to third parties but is not liable in relation to whether or not approval is granted, the extent of any such approval, or for any acts or omissions of any such third party. Should a particular third party later revoke or limit your access to their account, you shall promptly delete all Data relating to their account.

3.6. In accessing and using the APIs, you shall:

3.6.1. Use best efforts in limiting the number of calls made to the APIs;
3.6.2. Not conduct (either directly or indirectly) any stress tests (or similar) of the APIs;
3.6.3. Not compromise, break or circumvent any technical processes or security measures associated with the services that Criteo provides (including, without limitation, Criteo's own user interface solutions or platforms);
3.6.4. Not reverse engineer or otherwise derive source code, trade secrets or know-how in relation to the APIs, Criteo's services or technology;
3.6.5. Ensure that usage of the APIs is aligned with the declared purpose of your app(s);
3.6.6. Ensure that usage of the APIs is reasonable and not in excess of any guidance as may be made available by Criteo;
3.6.7. Access and use the APIs and Data only as permitted by, and on behalf of, the party that provided access to the Data being used or in accordance with the Main Agreement (“Permitted Use”);
3.6.8. Not disclose or otherwise permit access to any Data to any person or entity other than the party that provided you with access to the particular Data being disclosed.

3.7. You shall use all reasonable legal, organizational, physical, administrative and technical measures, and security procedures to safeguard and ensure the security of the Data and to protect the Data from unauthorized access, disclosure, duplication, use, modification, or loss, including without limitation, the requirements set forth in Exhibit B. Furthermore, you shall implement technical and organizational measures as required by the Data Protection Laws to protect personal data (i) from accidental or unlawful destruction, and (ii) unauthorized loss, alteration, disclosure of, or access to the personal data (a “Security Incident”). In the event you suffer a Security Incident related to Data, you shall notify Criteo without undue delay and both Parties shall cooperate in good faith to agree and carry out such measures as may be necessary to mitigate or remedy the effects of the Security Incident.

3.8. Criteo reserves the right to audit your app and use of the APIs to ensure that it does not violate these API Terms. You agree to reasonably cooperate with any such inquiries made in relation to an audit and provide information as reasonably requested by Criteo.

3.9. Unless authorized by a separate agreement, you shall not make any public statements, including, without limitation, in promotional materials or sales collateral, stating or otherwise implying that you or your app has access to any Criteo partner, including, without limitation, ad inventory supply sources.

3.10. Criteo reserves all rights not expressly granted to you under these API Terms.


4. INTELLECTUAL PROPERTY

4.1. Each Party remains sole owner of the Intellectual Property Rights it owned prior to the execution of these API Terms. Criteo is the sole owner of all Intellectual Property Rights in and to the APIs and Criteo Materials. Save where expressly stated, these API Terms shall not create any license in relation to Intellectual Property Rights of any party and in particular shall not grant Partner the right to use the trademark, trade name or logo of any other party, including any other Criteo partner. You shall not acquire any rights in the Data through these API Terms.

4.2. For the duration of these API Terms, Criteo grants to you a worldwide, royalty-free, non-transferable limited license to use the APIs in relation to your apps.

4.3. For the duration of these API Terms, you grant to Criteo (including Criteo Affiliates) a worldwide, royalty-free, non-transferable license to use, reproduce, distribute, adapt, modify, perform, display, publish, transmit, format, store and archive your trademarks and logos in relation to all materials and media promoting the APIs. Criteo shall seek prior authorization from you in relation to any press release using your trademarks or logos, such authorization not to be unreasonably withheld or delayed.


5. TERM

5.1. These API Terms shall apply from the Effective Date until they are terminated in accordance with this section.

5.2. Either Party may terminate these API Terms on written notice to the other Party: (i) with immediate effect if the other commits a material breach of any of its obligations which cannot be remedied, or in the case of a remediable breach, fails to remedy it within 7 days of the date of receipt of a notice from the other specifying the breach and requiring it to be remedied; (ii) if a force majeure event occurs that has continued for a minimum period of one month; (iii) to the extent permitted by Applicable Laws in the event that either Party becomes insolvent, goes into liquidation, appoints an administrative receiver or analogous proceedings under relevant local law; or (iv) at any time for any reason upon 14 days' prior notice.

5.3. In case Partner is using the APIs in connection with the Main Agreement, these API Terms shall be automatically terminated upon termination of the Main Agreement.

5.4. Upon termination of these API Terms, you shall immediately cease any use of the APIs and Data and promptly delete or return any Data and Criteo Materials to Criteo.

5.5. Expiration or termination (for any reason) of these API Terms shall not affect any accrued rights or liabilities that either Party may then have, nor shall it affect any clause that is expressly or by implication intended to continue in force after expiration or termination, nor shall it affect any other agreements you may have with Criteo.


6. CONFIDENTIALITY

6.1. "Confidential Information" means all non-public information disclosed by or for a Party in relation to these API Terms, including the APIs, Criteo Materials, and Data; and any information that a reasonable person would consider proprietary and confidential. Confidential Information does not include any information the receiving Party can demonstrate is: (a) already known by it without restriction; (b) rightfully furnished to it without restriction by a third party not in breach of any confidentiality obligation; (c) generally available to the public without breach of these API Terms; or (d) independently developed by it without reliance on such Confidential Information.

6.2. Except for the specific rights granted by these API Terms, the receiving Party shall not access, use, or disclose any of the disclosing Party's Confidential Information, and shall protect the disclosing Party's Confidential Information using at least the standard of care used to protect its own confidential information of like nature, but not less than reasonable care. The receiving Party shall ensure that its employees and contractors with access to such Confidential Information (a) have a need to know for the purposes of these API Terms and (b) have agreed to restrictions at least as protective of the disclosing Party's Confidential Information as these API Terms. Each Party shall be responsible for any breach of confidentiality by its employees and contractors.

6.3. A Party may disclose Confidential Information to comply with a court order or lawful requirement of a governmental agency, or when disclosure is required by operation of law (including disclosures pursuant to any applicable securities laws and regulations); provided that prior to any such disclosure, the receiving Party shall use reasonable efforts to: (a) promptly notify the disclosing Party in writing of such requirement to disclose; (b) cooperate with the disclosing Party in protecting against or minimizing any such disclosure or obtaining a protective order; and/or (c) otherwise limit the disclosure to the greatest extent possible under the circumstances.


7. PRIVACY

7.1. You and your app must comply with all Applicable Laws, including without limitation that You shall use and disclose Data solely in accordance with applicable Data Protection Laws.

7.2. If you provide or have access to any identifying or personal data of any end user based on any use of or interaction with your app, you will (i) provide legally adequate privacy notices to such end user; (ii) obtain any necessary consent from the end user for the collection, use, transfer, and storage of such information; (iii) use and authorize others to access and use the information only for the purposes permitted by the end user; and (iv) ensure the information is collected, used, transferred, and stored in accordance with applicable privacy notice(s) and Applicable Laws.

7.3. The Parties further acknowledge and agree each party will process personal data received from the other party in their own right as separate and independent controllers/businesses for the Permitted Use.

7.4. You shall promptly notify Criteo if you can no longer comply with its obligations under these API Terms. You shall reasonably assist Criteo in meeting its obligations under Data Protection Laws. Both Parties have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal data. You shall keep appropriate documentation on the processing activities carried out by you and on your compliance with Data Protection Laws. In the event of an investigation, proceeding, formal request for information or documentation, or any similar event in connection with a data protection authority in relation to use of Data under these API Terms, you shall promptly and adequately deal with enquiries from Criteo.

7.5. Transfers outside of EEA. To the extent the use of the Data involves the transfer or disclosure of personal data from the European Economic Area (EEA) to outside the EEA (either directly or via onward transfer) to any country or recipient which has not been recognized as ensuring an "adequate level of protection" under Data Protection Laws, the Parties shall comply with the conditions for transfer set out in Chapter V of the GDPR. The Parties shall comply with any other requirements for international data transfers set out in Data Protection Law.

7.6. Data Protection Officers. Criteo’s data protection office may be reached at: [email protected].

7.7. Data Retention. In respect of any Data provided hereunder, and unless otherwise stipulated in the Main Agreement or in your agreement with the party that provided you access to the Data being used, you represent and warrant that you will destroy or otherwise render unusable such Data within 30 days of receipt.


8. WARRANTIES; INDEMNIFICATION

8.1. THE APIs, CRITEO MATERIALS AND DATA ARE PROVIDED "AS IS" AND CRITEO HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE. CRITEO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE OR TRADE PRACTICE. CRITEO MAKES NO WARRANTY OF ANY KIND THAT THE API, CRITEO MATERIALS AND DATA, OR ANY PRODUCTS OR RESULTS OF ITS USE, WILL MEET YOUR OR ANY OTHER PERSON'S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR FREE.

8.2. Each Party warrants and represents that it has the right, power and authority to enter into these API Terms and perform its obligations as set out herein.

8.3. You warrant and represent to Criteo that: (i) the use, distribution, publication, adaption, modification, performance, display, transmission, formatting or storing of any Intellectual Property Rights pursuant to these API Terms will not infringe upon or violate any third-party rights, or cause any third-party payments to become due; (ii) you shall not, nor shall you allow any third party to, inject any software viruses, worms, Trojan horses or other harmful computer code into Criteo's systems or otherwise intentionally interfere with or disrupt the integrity or performance of Criteo's services more generally; (iii) any information provided under these API Terms is true, accurate, complete and current; and (iv) you will abide by Applicable Laws and Data Protection Laws at all times.

8.4. You agree to hold harmless, indemnify, and defend Criteo, its Affiliates, and its and their respective officers, directors, shareholders, agents, employees, licensees, successors and assigns against any and all damages, penalties, losses, liabilities, judgments, settlements, awards, costs, and expenses (including reasonable attorneys' fees and expenses) arising out of or in connection with any third-party claims, assertions, demands, causes of action, suits, proceedings, or other actions, whether at law or in equity ("Claim(s)") to the extent any Claim (i) arises out of your breach or alleged breach of these API Terms or (ii) relates to use of your app(s). You shall not make any settlement without Criteo's written consent (such consent not to be unreasonably delayed, conditioned or withheld).


9. LIMITATION OF LIABILITY

9.1. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY SHALL BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES IN CONNECTION WITH THESE API TERMS, EVEN IF SAID PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, NEITHER PARTY SHALL BE LIABLE FOR ANY LOSS OF PROFIT, LOSS OF OR CORRUPTION TO DATA, DAMAGE TO REPUTATION OR GOODWILL OR LOSS OF OPPORTUNITY OR CONTRACT.

9.2. Neither Party shall have any liability for any failure or delay resulting from any event beyond the reasonable control of that Party including, without limitation, fire, flood, insurrection, war, terrorism, earthquake, power failure, civil unrest, explosion, embargo, strike, or any force majeure event.

9.3. For the avoidance of doubt, nothing in these API Terms excludes or limits either Party's liability for fraud, gross negligence, death or personal injury or any other matter to the extent such exclusion or limitation would be unlawful.

9.4. To the maximum extent permitted by Applicable Laws, Criteo's liability under these API Terms, for whatever cause, whether in contract or in tort, or otherwise, will be limited to direct damages and shall not exceed the amount of 10,000 United States Dollars.


10. COMPLIANCE

10.1. Each Party warrants that neither it nor any Affiliates, officers, directors, employees, and agents is the subject of any sanctions administered by the Office of Foreign Assets Control of the U.S. Department of Treasury, the European Union, or any other applicable sanctions authority. Each Party agrees to perform its obligations hereunder in compliance with all embargoes, sanctions and export control regulations of the United States, France, the United Kingdom, and any applicable jurisdiction, as well as with all applicable anti-corruption laws, anti-terrorist financing legislation, and anti-money laundering laws.


11. MISCELLANEOUS

11.1. Criteo reserves the right to modify these API Terms at any time. Updates to these API Terms are effective as soon as they are available at developers.criteo.com. They shall automatically apply to your continued use of the APIs.

11.2. These API Terms, including any additional terms that may be subsequently agreed to between the Parties and any terms, policies, exhibits or guidelines as made available by Criteo in relation to the APIs, constitute the entire agreement between the Parties and shall supersede any and all other prior understanding, commitments, representations or agreements, whether written or oral, between the Parties regarding the subject matter herein unless it has been expressly stipulated that such agreement shall prevail.

11.3. If any provision of these API Terms shall be found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, that provision will be limited or eliminated to the minimum extent necessary so that these API Terms will otherwise remain in full force and effect and enforceable.

11.4. These API Terms may be made available in various language versions. However, in the event of any dispute between different language versions of these API Terms, the English-language version shall prevail.

11.5. In no event will any delay, failure or omission (in whole or in part) in enforcing, exercising or pursuing any right, power, privilege, claim or remedy conferred by or arising under these API Terms or by law, be deemed to be or construed as a waiver of that or any other right, so as to bar the enforcement of that, or any other right, power, privilege, claim or remedy, in any other instance at any time or times subsequently.

11.6. Unless specified otherwise in these API Terms, no third party shall have any rights or obligations under the API Terms.

11.7. The Parties shall be independent contractors under these API Terms, and nothing herein will constitute either Party as the employer, employee, agent, or representative of the other Party, or both Parties as joint venturers or partners for any purpose. Nothing in these API Terms shall permit either Party to legally bind the other Party to any other agreement. Nothing in these API Terms shall create any exclusivity between the Parties in relation to its subject matter.

11.8. These API Terms shall be governed by and construed in accordance with the laws of France without regard to its conflicts of laws principles, and the Parties submit to the exclusive jurisdiction of the courts of Paris, France in respect of any dispute or matter arising out of or connected with these API Terms.

11.9. You may not assign these API Terms or any of Your rights and obligations hereunder, in whole or in part, without Criteo's prior written consent. Any purported assignment, delegation, or other transfer in contravention of this section is void.


These API Terms shall be binding upon and inure to the benefit of the Parties hereto and their successors, representatives, and permitted assigns.


EXHIBIT B – IT SECURITY POLICY

The following schedule describes the security requirements and associated controls that must be maintained by Partner (including its subcontractors involved in the Data processing, if any) throughout the term of the API Terms.

Security Governance and Management

Partner must maintain an appropriate Security Management System, inclusive of other industry known privacy and security best practices and maintain appropriate security controls. This will include appropriate documentation (security policies, processes, guidelines, standards, configuration standards and associated security controls) to assure adequate protection of Data throughout the Data processing lifecycle, for the term of the API Terms.

Security Roles and Responsibilities

Partner will maintain defined responsibilities for security within their organization with a named contact, and escalation levels, to support Criteo security requirements, including answering general security questions, if required.

Security and Privacy Awareness Training

Partner shall ensure that it is sufficiently trained (at least annually) on necessary security and privacy content and supporting procedures. Such training shall include phishing simulations on a regular frequency.

Security Assessments

Criteo shall have the right, with thirty (30) business days' advance notice, to perform security assessments related to Partner and associated use of Data. Criteo shall also have access to information security assessments performed by the Partner and/or any third parties on the use of Data. Additionally, Criteo may request an updated information security compliance report (“Compliance Report”) every twelve (12) months, or earlier if it reasonably considers there have been substantial changes in security requirements, to enable Criteo to assess ongoing compliance with Partner's information security requirements set herein. If Criteo considers that the Compliance Report is not satisfactory, Partner will communicate, in a timely manner, any additional information required by Criteo to demonstrate compliance with this IT Security Policy.

Security Process Compliance

Partner must report any detected security incident with one (1) working day's delay from the first discovery of the incident on detection to Criteo’s service desk and their assigned management, and comply with Criteo security policies, processes and procedures.

Security Breach Reporting

Any detected security breach impacting Data must be immediately reported to Criteo and no more than one (1) working day after detection, with a detailed formal security incident report provided no later than two (2) working days after detection. All formal security incident reports must include root cause analysis and detailed forensic and log information, including total quantity of personal data records impacted, if applicable.

Physical and Environmental Security Controls

Partner will maintain appropriate physical and environmental security controls to protect against data security risks and to protect the confidentiality, the integrity and the availability of Data if processed, transmitted or stored within their premises. All such controls will be aligned to applicable industry, operational and security best practices protecting against physical and environmental security risk, including physical access controls, physical security monitoring and environmental protections against power disruptions, fire hazards, and related operational risks.

Access Control

Partner shall ensure that it maintains the following best practice controls for the accounts in charge of maintaining the activities within the API Terms with all granting of accounts based on defined roles and permissions:

a) All accounts and permissions granted for the express use in relation to Data processing; any use sharing of granted accounts is a security breach unless expressly approved by Criteo.
b) All accounts must apply appropriate password complexity, length and special characters. Multi-factor authentication (“MFA”) should be applied.
c) Any compromise of granted accounts or permissions must be reported as a security incident to Criteo’s service desk on detection.
d) Use of service accounts must comply with Criteo’s application standards.
e) All use of credentials and keys related to Criteo applications and Data must comply with applicable company configurations and standards.

Device Security

The following device security controls must be maintained throughout the duration of the API Terms where Partner utilizes its own devices:

a) Device must be centrally managed by appropriate management systems to support active software and hardware security management.
b) Antivirus or Endpoint Detection and Response (“EDR”) (in this case, the EDR should include an antivirus) must be maintained on all devices with 24x7x365 security monitoring and security response with appropriate controls to actively update and protect against most recent malware threats and risks.
c) Device operating systems must be hardened with appropriate security configuration baselines maintained and regular deployment of security updates aligned to known operating system patching cycles.
d) Device data storage and backups must be maintained, applied and tested on an appropriate frequency to ensure availability of data in response to data loss or ransomware.
e) Data stored on devices must be appropriately encrypted.

Network Security

The following network security controls must be maintained if Partner accesses Criteo applications:

a) An appropriate tiered and segmented network architecture must be maintained and monitored for the production network.
b) All traffic across internal or external Partner networks must be encrypted through secure protocols.
c) Networks (WAN, LAN and WIFI) must be appropriately designed and maintained, ensuring appropriate authentication and encryption are applied. All networking components, appliances, devices and software must be current and patched appropriately.
d) In the production network, network and network security must be monitored with appropriate levels of security event and logging present to support effective security incident detection and response.

Data Backup and Storage

Partner will maintain appropriate data storage and backup routines and activities to ensure data availability, integrity and data recovery on an appropriate frequency to minimize data loss.

Application Security and Secure Development Lifecycle (SDL) Security

The following security controls are applicable if Partner supports processing, transmission or storage of Criteo Data within its service platforms or applications:

a) Appropriate SDL controls must be maintained for software development aligned to industry recognized standards.
b) Software must be deployed through controlled SDL with appropriate security and quality assurance tests applied before deployment into production.
c) Software repositories must be secure through authenticated access controls applied to user and service accounts with code scans to ensure security monitoring and automated updates.
d) Penetration Testing must be applied on a minimum of an annual frequency with summary findings and identified corrective actions provided to Criteo if requested.

Vulnerability and Patch Management

Partner will maintain appropriate controls for regular vulnerability management scans applied to any applications processing, transmitting or storing Data. Such scans should be at least monthly to identify critical vulnerabilities and support effective mitigation. Patch Management controls must be in place and automated to effectively support security and version updates to proactively protect Data.

Business Continuity Management (BCM) System

Partner, if processing, transmitting and/or storing Data, must maintain an appropriate Business Continuity Management System with supporting continuity and disaster recovery process and controls. Such activities must be appropriately maintained and tested with clearly defined roles, responsibilities and escalation protocols.