Security

Introduction

As a self-service, cloud-based ad-buying platform provider, we take security seriously in every aspect of processing client and other personal data (“Platform Data”). We follow industry-standard practices for comprehensive risk management, secure development, and elevated risk awareness. The following details the measures we’ve taken for data protection. We regularly review and update our Information Security Program to meet evolving business needs and threat models.

The Trade Desk Platform Production Environment

The Trade Desk employs a hybrid public-cloud, managed-services, and colocation-deployment model, using both physical and virtual resources for its self-service, cloud-based ad-buying platform (the "Platform”). All maintenance and configuration activities are conducted by The Trade Desk employees or contracted managed-service providers, primarily remotely from our Corporate offices.

The Trade Desk Platform is a multi-tenant environment that uses logical access controls, such as authentication and roles, to ensure the necessary separation between data from different clients.

The Trade Desk follows guidance from the ISO/IEC 27002:2015, NIST 800-53, Sarbanes-Oxley ITGC, and SSAE18 SOC 1 and SOC 2 standards. The Trade Desk also employs industry-standard practices and relies on its experience operating highly secure Platform Solutions for security controls, such as firewall rule sets, change management, and written security policies.

Scalability

The Trade Desk’s distributed architecture for data collection, processing, and reporting allows it to scale horizontally as the number of clients and traffic volume increase. The Trade Desk uses multiple monitoring processes and tools to continuously track network resources, operating systems, applications, and capacity. Systems are load balanced and scaled up when predetermined capacity thresholds are reached.

Platform Management

The Trade Desk’s Infrastructure team, in tandem with the Engineering team (“Platform Operations”), is responsible for all aspects of the production environment for the Platform. These groups are set up separately and independently from the Corporate-network IT organization to ensure the necessary separation of duties.

Information Security and Compliance Programs

Compliance and Attestation

The Trade Desk is annually audited against AICPA’s SSAE18 SOC 2 standard by an independent auditing firm resulting in a SOC 2 Type 2 report covering the Security Trust Services Criteria implementation within their Platform. While The Trade Desk does not directly process credit card information, credit cards are accepted through a merchant services provider and The Trade Desk attests to the applicable requirements in the PCI-DSS Self Attestation Questionnaire (SAQ) Version A.

Additionally, The Trade Desk is annually audited against the AICPA’s SSAE18 SOC1 and Sarbanes-Oxley (SOX) Section 404 standards to ensure effective internal controls over financial reporting (ICFR’s).

Policies

The Trade Desk’s Information Security Program is based on ISO/IEC 27001 and includes multiple information-security policies, updated annually, that explicitly address the confidentiality, integrity, and availability of platform data and information-technology resources. These policies detail employees’ responsibilities and managements’ role in protecting The Trade Desk's information systems and the data that they process.

Comprehensive technical policies govern various aspects of The Trade Desk Platform Operations and Corporate-network operations and define security measures appropriate to the sensitivity of the data processed.

Policies are approved by senior management and communicated to all personnel to whom the policies apply. All employees must review The Trade Desk’s Information Security Policies and agree to the Acceptable Use Policy during onboarding as well as annually thereafter.

Information and Communication

The Trade Desk uses various methods of communication, including email and the Corporate intranet, to update employees on current events, Corporate policy changes, and share information relevant to employees, such as data handling, industry news, training and development materials, and employee resources. Platform Operations has dedicated intranet sections to publish information relevant to the Platform production staff, such as technical materials, policies, procedures, and calendars. Updates of key documents, such as policies, require email notifications be sent to the affected staff.

Information Security Coordination

The Trade Desk has adopted a decentralized approach to information security. The Trade Desk Information Security Officer, with support and oversight from the Product Department, and Chief Privacy and Product Counsel, coordinates all security and privacy activities within The Trade Desk. Responsibilities of this position include:

• Driving security initiatives
• Reviewing policy
• Overseeing security planning and program management
• Reviewing effectiveness of the security program
• Coordinating The Trade Desk security incident response plan
• Performing annual-security and privacy assessment and reviews

Implementation of security controls rests with the management of each relevant function. The Trade Desk separates the Platform production network and all associated functions from the general Corporate IT functions. The Trade Desk Product Security Team is responsible for managing policy and controlling implementation within the Platform environment.

Segregation of Duties

Only authorized personnel can administer systems or perform security management and operational functions. Wherever appropriate to the organization, authorization for and implementation of changes are segregated responsibilities.

Threat Assessment and Risk Management

The Trade Desk Enterprise Risk Management Program includes practices to identify and manage risks that could affect either the organization’s ability to provide reliable services to its clients (as further described below) or the privacy of data subjects. These practices are used to identify significant risks and potential threat vectors for the organization, initiate the identification and/or implementation of appropriate risk-mitigation measures, and assist management in monitoring risk and remediation activities.

The Trade Desk evaluates and manages risks related to the Platform throughout their life cycles, taking into consideration the consequences for our clients and data subjects of the loss of confidentiality, integrity, or availability of the information we collect, process, and store.

The Trade Desk maintains insurance coverage for major risks, with insurance policies from organizations that management believes to be financially sound. Policies include errors and omissions liability, commercial general liability, auto liability, commercial umbrella liability, workers’ compensation and employer’s liability, fiduciary liability, directors’ and officers’ liability, cyber breach liability and crime bond. Coverage is maintained at levels which The Trade Desk considers reasonable given the size and scope of its operations.

Human Resources Security

Employee Screening

The Trade Desk has background checks performed on all employees at the time of hire (to the extent permitted by law) and requires that non-disclosure and/or confidentiality agreements are signed by all Personnel. The Trade Desk policy prohibits employees from using confidential information (including Client Data) for anything other than legitimate business purposes, such as providing technical support. This obligation continues after their employment ends.

Background checks are performed for all full-time employees, where local laws allow.

Background checks differ by geography, to account for local laws, but in all cases, they include criminal checks, education, and employment reports. All background checks for US employees comply with the Fair Credit Reporting Act.

Terms of Employment

The Trade Desk operates an onboarding process that includes, at a minimum, the following steps:

• Communication to the new employees of policies, code of conduct, and behavioral standards
• Employee signature of the employment agreement (which includes a confidentiality agreement) and acknowledgement of The Trade Desk Acceptable Use Policy
• Background checks (subject to local laws)

General information security responsibilities are documented in The Trade Desk Information Security Policies, which all employees must review as part of their onboarding.

Termination of Employment

The Trade Desk maintains a formal termination or change of employment process that, promptly upon termination or change of employment, requires returning all The Trade Desk and Client assets, disabling or adjusting access rights, and reminding ex-employees of their remaining employment restrictions and contractual obligations. All access (logical and physical) is terminated on or before the termination date. The Trade Desk uses pre-defined checklists and automation to help ensure the consistency and completeness of the termination process.

Access expiration dates are preset for all contractors and may only be extended with appropriate management approval.

Data Classification and Handling

All data collected by The Trade Desk on behalf of its clients is the property of the respective clients and classified as highly confidential under The Trade Desk Information Classification Policy, which provides employees with the necessary guidance for the handling of all information according to its classification. Access to Platform Data is restricted to legitimate business use only.

The Trade Desk Platform processes pseudonymous data. The Trade Desk Terms of Subscription Service prohibit the use of the Platform to collect, process, and store certain types of data, such as sensitive data.

Media Handling

The Trade Desk Backup and Storage Media Policy prohibits copying Platform Data on removable media devices, including flash drives, hard drives, tapes, or other media, other than for legitimate business purposes.

All personnel who handle storage media used in The Trade Desk Platform must comply with The Trade Desk Backup and Storage Media Policy.

The Trade Desk’s decommissioning procedures are designed to prevent access to Platform Data by unauthorized persons and follow NIST guidelines for Media Sanitization (Special Pub 800-88) to destroy data. All printed Confidential Information, including Platform Data, is disposed of in secured containers for shredding.

The Trade Desk deletes all Platform Data, other than backup copies held for disaster recovery purposes, on a scheduled basis following termination of contract.

Access Control and Physical Security

The Trade Desk’s Information Technology team manages access control policies and procedures for the Corporate network, and The Trade Desk’s Platform Operations team manages access control policies and procedures for the Platform production network as well as a list of all staff authorized to access Platform Operations data centers.

User Access Management

Accounts on The Trade Desk Platform production network, including for network administrators and database administrators, are mapped directly to employees, using unique identifiers based on employee names. Generic administrative accounts are not used. Upon notification by HR, as part of the formal termination notification process, all physical and system access is immediately adjusted to the new role or revoked both on The Trade Desk Corporate network and in The Trade Desk Platform production network.

All requests for access to The Trade Desk Platform Operations network must be submitted by the requestor’s manager through the access-request system. After review and approval, the request is logged for implementation.

The Trade Desk periodically reviews employee access to internal systems. Reviews ensure that employees’ access rights and access patterns are commensurate with their current positions.

Password complexity rules and account lockouts are enforced in all environments to protect against brute-force dictionary attacks or other password threats.

All internal user accounts and customer accounts to The Trade Desk's Platform are secured using multi-factor authentication (MFA). For an added level of control, The Trade Desk offers SAML-based SSO to customers who wish to use their own identity provider to manage authentication to The Trade Desk Platform.

User Responsibilities

The Trade Desk Information Security Policy requires employees to notify the Information Security and Information Technology teams immediately if they believe that the security of their password has been compromised. Employees must abide by all The Trade Desk policies, including all sections of the Information Security and Acceptable Use policies.

System and Application Access Control

Authentication and robust access controls ensure that all clients’ information is secured against unauthorized access. Users of The Trade Desk Platform must be authenticated before they can access their data. Rights associated to their credentials control access to the logical structures containing their data. Access to resources is controlled by explicit rights in all environments.

Access to Platform Data is limited to legitimate business need, including activities required to support clients’ use of the Platform. Employees may only access resources relevant to their work duties.

Data Access by Clients

Client end users are authorized only to see data from their account and may have additional privilege restrictions placed on their access to the account by their designated account manager.

Client end users are identified with a username and password. They authenticate to the system over an HTTPS connection.

Access control to program source code

Write access to The Trade Desk Platform production source code is limited to the engineering staff.

Physical and Environmental Security

The Trade Desk Platform infrastructure is physically separated from The Trade Desk Corporate facilities and managed by an independent Platform Operations team.

Access to all facilities is controlled by electronic key systems. The Trade Desk Corporate offices have security-badge access controls as well as CCTV monitoring, and all visitors must be registered and accompanied during visits. Additional electronic access controls restrict access to critical areas to authorized personnel only.

Only authorized personnel are allowed inside any The Trade Desk data center and all accesses are logged. Any external personnel who require access to a co-location data center must be supervised while in the area.

Platform Operations Security

Documented Procedures

The Trade Desk maintains documented procedures that include, at a minimum:

• Security control measures for all systems in the environment
• System hardening measures such as the disabling of all non-essential processes and ports and removal of all default users
• Patches deployed promptly on all applicable systems per manufacturer recommendation
• Change management procedures
• Incident detection and management

Change Management

The Trade Desk maintains, communicates, and follows formal change management processes. All changes to the production environment (network, systems, platform, application, configuration, including physical changes, such as equipment moves) are tracked and implemented by a dedicated team.

All deployments into production or changes to the production environment (network, systems, platform, application, configuration, etc.) must be submitted to, reviewed, and approved by the change-management process prior to implementation.

The Trade Desk relies on well-defined processes, disciplined execution, and continual training of staff. The Trade Desk operates an automated code deployment and configuration management system for its Platform infrastructure.

All critical decisions must be approved by The Trade Desk Engineering management.

Evaluating the probability and impact of all changes drives the risk management process to protect against activities such as spoofing, tampering, disclosure or denial of services which could expose the Platform environment to attacks, compromise the accuracy and confidentiality of Platform Data, or disrupt the availability of the Platform.

Both scheduled and emergency changes are tested, reviewed, and approved by Platform Operations, Engineering, and Technical Support before deployment to the production environment. Emergency changes must be peer reviewed and may be initially made without formal authorization. The change-management process requires that all emergency changes must be documented and reviewed.

Promotion of code from engineering into production is controlled by the change management process, and the Platform Operations team manages all deployments into the production environment. Testing, other than deployment validation, is prohibited in the production environment.

Capacity Management

Provisioning, configuration, and management software is used to maintain network configuration information and to catalog changes. Application configuration is stored in a redundant location.

Protection Against Malware

The Trade Desk deploys anti-malware software with real-time scanning, automatic updates, and tamper protection on all user workstations.

The Trade Desk uses a leading commercial solution for email security, including incoming and outgoing filtering for spam, phishing attacks, and malware.

Data Backup

The Trade Desk stores all Platform Data in the Platform production environment on fully redundant storage systems and uses either a multi-tiered backup approach or replication to a separate data center. Only The Trade Desk Platform Operations employees have access to backup media.

Logging and Monitoring

The Trade Desk maintains audit information and logs for all information technology resources, applications, and network accesses, monitors these logs for abnormal patterns and unauthorized access attempts, and maintains defined processes for security alerting, escalation, and remediation. Logs are centralized in a limited access system that prevents deletion and changes.

24-7 monitoring of critical network events and log aggregation with industry-standard enterprise application management solutions give The Trade Desk Platform Operations the ability to identify and address any unauthorized access to assets (including access to client data) within the Platform production network and to perform trend analysis and risk assessment. An alert system is in place to notify The Trade Desk Platform Operations team of any issues.

Escalation procedures exist to ensure the timely communication of significant security incidents up through the management chain and, if necessary, to any affected client.

Technical Vulnerability Management

The Trade Desk subscribes to manufacturers and independent security notification services to monitor potential external threats.

Manual and automated vulnerability testing are performed during the development process as well as periodically on all production systems. The Trade Desk engages an independent third-party security firm annually to conduct network and web application penetration tests of the Platform.

Vulnerabilities are logged as defects, resolved or mitigated, and verified as fixed.

Hardening Controls

Specifically, regarding the process of ensuring that applications remain configured to build standards, The Trade Desk Platform Operations uses automated tools and documented procedures to build and configure all network equipment, systems, and servers from pre-defined build configuration procedures in accordance with industry-standard practices. All systems, platforms, and applications are configured to minimize security risks. Specifically, this involves:

• Following manufacturers’ hardening recommendations and documented standard operating procedures
• Disabling unnecessary ports, protocols, services, and features
• Including and enabling only components, scripts, drivers, and web services
• Enabling only needed physical ports
• Deploying all new systems with most recent patches
• Configuring password parameters to comply with The Trade Desk standards

Patch Management

The Trade Desk rigorously maintains network device, system, OS, and application level security patches. Reviews performed on a regular basis ensure patching is consistent and current based on industry standards. The Trade Desk deploys security patches released by the vendors as necessary, after validation is performed.

Patches are applied on a monthly schedule, unless criticality demands a quicker response. Critical patches are evaluated and deployed as promptly as possible, based on The Trade Desk review of server/workstation vulnerabilities and the risks to any operating applications. Patch applicability and urgency is evaluated based on the zone of deployment (e.g., perimeter, DMZ, applications, storage), its relevance (i.e., is the service being patched enabled in the environment), and threat severity (i.e., the combination of likelihood and impact of the threat).

Communications Security

Information Transfer and Storage

The Trade Desk clients access the Platform via the public internet. The Trade Desk makes available the latest encryption protocols to ensure the security of data transferred from clients, partners and consumer devices. The Trade Desk encrypts all Platform Data at rest using industry-standard encryption protocols.

Confidentiality and Non-Disclosure Agreements

The Trade Desk requires a non-disclosure agreement or confidentiality clauses in all contracts of third parties that access computing facilities or information assets, as well as prior to sharing or providing access to any confidential information outside of The Trade Desk.

System Acquisition, Development and Maintenance

System Security Requirements

The Trade Desk development methodology uses security significant requirements and threat modeling to ensure security concerns are considered and addressed during design. With fault tolerance and redundancy as guiding principles, The Trade Desk deploys appropriate, modern, and warranty backed servers to host the application and database environment for Platform Operations.

Security in Development and Support Process

The Trade Desk follows an agile development methodology in which products are deployed on an iterative, rapid release cycle. Security reviews are implemented throughout the software development methodology.

Code reviews are part of the application development process. The Trade Desk's Product Security team also comprehensively tests all application end points for vulnerabilities, including those identified in the OWASP Top Ten.

The development process includes a review of all embedded third-party components to ensure that security updates are incorporated. Use of open-source software is subject to technical and legal review and approval.

Supplier Relationships

The Trade Desk may use contractors for development or security validation tasks. These organizations and individuals work under the direct supervision of The Trade Desk employees and may have access to client data where contractually permitted by master service or non-disclosure agreements.

Colocation providers have access to the facility hosting the infrastructure and may provide remote hand service for hardware maintenance under The Trade Desk supervision, but they do not have direct access to Platform Data.

The Trade Desk exclusively uses third-party suppliers with thoroughly vetted backgrounds for cloud infrastructure, managed hosting and co-location data centers.

The Trade Desk reviews AICPA SSAE18 SOC 1 and SOC 2 reports and/or ISO certifications of its infrastructure providers to confirm their adherence to industry-standard security and operational requirements.

All suppliers or contractors that process or have access to Platform Data are under contractual obligations of security and confidentiality at least as stringent as our obligations to clients.

Incident Process

The Trade Desk has developed a robust Security Incident Response Process (SIRP) to address security and privacy related events in an efficient and timely manner. The SIRP framework describes how the team is deployed, documents the criteria for incident severity, defines the investigation and diagnosis workflow, details documentation and reporting requirements, and establishes contact information.

The Security Incident Response Team is composed of senior employees from various departments. This team is deployed and disbanded for each event and meets periodically in the absence of events for training and process maintenance. The SIRP identifies key roles to facilitate the effective coordination of The Trade Desk's response to a security incident and defines a secure methodology for the confidentiality of all information and communication.

The SIRP process is based on industry-standard best practices and methodology. It specifies roles and responsibilities as well as priorities for each of the six phases:

• Identification – Alerts may come from a variety of sources, which typically include our Technical Support, IT, and Platform Operations teams, or automatically from monitoring systems. These teams are trained in the identification and escalation processes.
• Triage – The team evaluates the criticality of the incident based on defined guidelines, logs the incident, and triggers the formal deployment of the SIRP, if necessary.
• Containment – The first goal of the SIRP team is to prevent the situation from getting worse and keep client data, and all personal data, safe. During this phase, the team isolates compromised systems and starts planning for the following phases.
• Eradication – Once the situation is under control, the SIRP team moves to mitigate the impact of the incident and resolve the immediate situation. It identifies the root cause of the incident and prepares for the recovery by documenting known facts and identifying impacted clients, if any.
• Recovery – The recovery phase starts as soon as possible but may require the eradication phase to be complete. Systems are returned to normal operation, patches or configuration changes are applied, documentation is finalized, and communications go out to necessary parties.
• Retrospective – This critical phase allows The Trade Desk to learn from the incident. Documentation of the incident and the response process is reviewed to identify, define, and deploy needed improvements to processes, policies, system configurations, etc.

Security incidents are managed by The Trade Desk Security Incident Response Team. All communications with clients, in case of a security or privacy incident, will be through our support team.

Business Continuity and Disaster Recovery

Disaster Recovery Planning

The Trade Desk conducts business-continuity and disaster-recovery planning that prioritizes critical functions, supporting the delivery of the Platform to clients.

Monitoring and Communication

We establish continuous monitoring of each system throughout the application and in each location where data is stored and moved. Monitoring is a critical component of our controls.

A system-level failure for any component in The Trade Desk Platform environment is easily identified and resolved by The Trade Desk’s 24-7 Platform Operations team. When monitoring detects a failure, failed systems are automatically removed from the production environment, and the Platform Operations team is alerted. The team then resolves the issue or escalates to the appropriate vendor as needed.

Redundancy

The Trade Desk maintains Platform Data within the Platform production environment on fully redundant or replicated storage systems. The Trade Desk Platform extends redundancy beyond storage to the entire infrastructure, from load balancers and processing engines to power and telecommunication providers.

Independent Review of Information Security

The Trade Desk runs regular security scans of the Platform production environment and engages annually a reputable third-party security firm to conduct a comprehensive application penetration test and network vulnerability scan of The Trade Desk Platform.

The primary objective of these scans and tests is to gain independent, third-party validation of The Trade Desk security stance and provide actionable recommendations for the mitigation of any identified risks.

Both white-box and black-box testing are used to assess both the strength of the environment and the defenses against known application vulnerabilities, through a penetration test using guidelines from OWASP.

All critical issues that are confirmed are remediated immediately. Issues of lesser severity are evaluated for resolution as part of the standard development process.