IT & Data Security

Adnami ApS v 1.4

IT security and privacy are important matters to Adnami. Therefore these matters are always top of mind when building our products and delivering our services. 

We are always making our best efforts to stay up to date with the latest regulations and best practices when it comes to privacy by design. Our policies may update from time to time to be compliant with such regulations and practices. Our products and services are designed to meet the requirements by GDPR as we incorporate best in class technical and organizational safeguards throughout our business.

Adnami is a proud member of IAB’s transparency and consent framework and adheres to the policies and frameworks provided by the IAB. 

Being transparent about our use of data and IT security to both end users and our clients is essential for us. This document serves as a general foundation for understanding our safeguards and policies on those topics, so as people we can make informed decisions in our daily work lives. 

1. Personal data

Processing personal data must always be done in compliance with the law. The 8 data protection principles constitute the framework for compliance 

  1. Personal data shall be processed fairly and lawfully 

  2. Personal data shall be obtained only for one or more specified and lawful purposes (consent, legitimate interest etc), and shall not be further processed in any manner incompatible with that purpose or those purposes 

  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed 

  4. Personal data shall be accurate and, where necessary, kept up to date 

  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes 

  6. Personal data shall be processed in accordance with the rights of data subjects under this Act 

  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data 

  8. Personal data shall not be transferred to a country or territory outside the EU unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

It is a requirement in Adnami, that all employees have read and understand the content of this document as well as our privacy policy. 

This document covers our physical security measures like the office security policies, laptop and mobile device policies. It also covers Adnami’s internal internet- and email policies. You will also find our internal guideline to data protection (GDPR) which covers data subjects’ rights, overview of the data we process, our privacy policy guidelines and rules for handling SARS requests. Finally the document handles our data security breach policies as well.

2. Consent or legitimate interest

Personal data must be obtained only for one or more specified and lawful purposes (consent, legitimate interest etc). Adnami processes different categories of personal data and for different purposes. 

3. Type of data Adnami processes

When Users use the Adnami platform, we process the following types of personal data: 1) Client Data and 2) End User Data. 

3.1. Client Data

Client data is necessary for creating and providing our products and services to a client. Such data is stored in the Adnami servers. The Client data points are: 

  • Client ID

  • Client Name/Company name

  • Company Public ID (CVR, VAT etc)

  • Company Address

  • Name

  • Email

  • Phone number

  • Username

  • Password

By entering a Partnership Agreement with Adnami, Data Processor consents that Adnami can process Client Data with the single purpose of delivering the Data Processor’s Products and Services. 

3.2. End User Data

Data Processor is listed on IAB’s Transparency and Consent Framework in the global vendor list:

We do not log or store any personal End User Data, but we are subscribing to IAB’s Transparency and Consent Framework 2.0.

Adnami does not store Personal End User Data in a way that any individual person can be identified, and the purpose of Processing End User Data is to be able to detect fraudulent user behaviour and in order to be able to simply deliver ads to End Users. 

Our listed lawful purpose for processing personal data from End Users is legitimate interest. 

Client Data retention policy

The time period for which we keep information varies according to the information's use. In some cases, there are legal requirements to keep data for a minimum period. Unless there is a specific legal requirement for us to keep the information, we plan to retain it for no longer than is necessary to fulfill a legitimate business need.

4. Privacy

Privacy and online security are important matters to Adnami. Our full privacy policy can be found here:  

The Adnami Platform is a software solution allowing the management of online high impact advertising campaigns. This includes an overview of what media properties are certified for our portfolio of formats, creation of high impact advertising tags, reporting dashboards of campaign tracking etc. 

Adnami’s privacy policy, which is accessible and applies to Users of Adnami systems and Visitors of, offers an overview of what work Adnami carries out as a business, what data we process as a part of carrying out that work, what we use that data for, how we process that data and what online choices our Users or Visitors have to opt-out of having personal data processed as a part of our Service.  

Our privacy policy does not apply to third-party websites, products, or services even if they link to our Services. We do not control the privacy policies of our partners, and therefore Adnami Users and Visitors should consider the privacy practices of those third-parties carefully. 

If a user does not consent with the practices described in this policy, he or she should (a) take the necessary steps to remove cookies from the used computer after leaving our website, and (b) discontinue use of Adnami’s Services. 

5. Organizing for Information Security

5.1. Employee Responsibilities

It is the employee’s responsibility to read and understand this document in order to take up work in Adnami. It is management’s responsibility to ensure that all employees have been made aware of the existence of this document and to validate that it has been received and understood. When needed, it is management’s responsibility to provide training and education in our technical and organizational safeguards to information security. 

5.2. Screening

All employees are background screened before employment. This includes checks of professional and educational experience, professional references as well as criminal records.  

5.3. Employment Contracts

All devices provided by Adnami to employees are owned by Adnami and shall be returned to Adnami at the end of employment. 

Adnami holds all rights to IP developed during an employee’s time of employment.  

5.4. Third party consultants

In the scenario where Adnami collaborates with third party consultants, we demand those partners have read and understood our security policies and documentation as a minimum to live up to the same standards. 

5.5. Security Education

Adnami secures sufficient awareness of data security principles and operating procedures among its staff, including what a data breach and a security incident means. Staff must be informed about the personal data that is being processed on behalf of the Data Controller and what security mechanisms have been implemented to protect the data. 

5.6. Device Policy

Electronic devices such as laptops and mobile phones can obtain sensitive information to the individual person the device belongs to, to Adnami as a commercial company and potentially to third party data subjects, whose data might be accessible via the device.

Personal electronic devices as laptops and mobile phones often represent a material value in themselves, and as such they are objects for simple theft. 

The purpose of this policy is to ensure that Adnami employees and co-workers of any kind take precautions and follow best practice when it comes to IT and data security around personal electronic devices. This policy covers all Adnami employees and co-workers (i.e. consultants) 

6. Risk 

Whereas the material loss and value thereof represents a serious risk to the company in itself, the risk of sensitive information potentially being exposed by loss of a device is much bigger. 

Should sensitive information be accessed by or revealed, it may cause reputational, commercial and competitive damage to Adnami. 

6.1. Management of Assets

We keep a register of laptops and mobile phones provided to Adnami employees. This register includes: 

  • device serial number

  • device type

  • employee/username

  • date it was provided

  • date it was returned

6.2. User Responsibilities

  • Access to mobile phones and laptops must be protected by a 6-digit passcode, fingerprint or face detection functionality. 

  • Hard drives must be encrypted.

  • Mobile devices must be configured with “find my iphone” (Apple) or “find my phone” (Android) services enabled.

  • Confidential information should never be stored outside the protected work laptops or dedicated properly protected company cloud storage.

  • All laptops and mobile devices are the property of the Data Processor. 

  • When an employee ends employment in Adnami, all electric devices must be returned back to the employee’s manager. 

  • Use of unlicensed software is illegal and imposes a significant security risk to Adnami. 

  • Users are prohibited from changing security settings such as password settings and antivirus software from their devices. 

  • All logins and emails use strong password rules and Multi Factor Authentication to protect them.

  • Laptops and mobile phones should have a screen saver with login enabled when the device is inactive for more than 15 minutes. 

  • When travelling, avoid using unknown and free wifi providers. Only use approved vendors and at all times use 3LikeHome when available. 

6.3. Physical Security

All Adnami employees and co-workers are encouraged to take security precautions to prevent their devices from being lost or stolen. 

  • Devices should never be brought to cafe’s, restaurants, bars etc outside office hours. 
  • Devices must never be left in full view in a car. Devices must be locked in the boot. Devices must never be left in a car overnight (not even if locked in the boot).

  • Devices must never be left unattended in public places. Not even for a short period of time. 

  • When travelling by air, devices must be carried as hand luggage and never checked into the hold. 

6.4. Reporting the theft of a laptop or mobile device

Any loss or theft of Adnami supported mobile or laptop devices must be reported to the police and an incident number obtained. This should be done immediately when the device is realised lost or stolen. Consequently, the sim card should be blocked, and loss or theft should be reported to your manager to take account of the security risk and replacement of devices. 

7. Use of Internet and e-mail policy

7.1. Context

The purpose of this policy is to set out restrictions and responsibilities of Adnami employees and people given access to use Adnami’s internet access for internet and email purposes.

The internet is provided to enable day to day work activities, and should be used for such. It is important that the internet is used ethically and responsibly. 

All Adnami employees and users who have been granted access to the Adnami internet and emails. 

7.2. User Responsibilities - Internet

  • Users must always use the internet in a legal, ethical and responsible way. 

  • For the avoidance of doubt, Adnami does not tolerate browsing of pornography, violence encouragement, race hate material, cults, gambling, criminal skills or illegal drugs. 

  • Users may not knowingly download any sort of viruses, which can put Adnami property and information at risk. 

  • Users may not use the internet to send harassing or offensive messages to others. 

  • Use of the internet for personal reasons such as shopping, banking, social media etc must be limited to not distract from work tasks. 

7.3. User Responsibilities - Email

Adnami does not recognise any right of employees to restrict access to personal emails sent from the Adnami email client. Emails may be disclosed as part of legal and disciplinary proceedings. 

  • Using the Adnami email client for private purposes is allowed, but should be restricted and done in a responsible way. 

  • Personal emails can not harm the company’s reputation or incur liabilities against the company. 

  • Email must not be used for the creation, retention or distribution of disruptive or offensive messages, images, materials or software that include offensive or abusive comments about ethnicity or nationality, gender, disabilities, age, sexual orientation, appearance, religious beliefs and practices, political beliefs or social background. Employees or students who receive emails with this content from other employees or students of the company should report the matter to their manager.

  • Users must not upload, download, use, retain, distribute, or disseminate any images, text, materials, or software which might reasonably be considered indecent, obscene, pornographic, or illegal.

  • Users must not engage in activity that can affect or have the potential to affect the performance of damage or overload Adnami’s system, network, and/or external communications in any way. 

  • Users must not engage in activity that can be a breach of copyright or license provision with respect to both programs and data, including intellectual property rights. 

  • When an employee during normal work days is out of the office for a period longer than 1 day, it is good practice to activate “auto response” with an automated email response, making the recipient aware when you return to the office and can be expected to respond to the received email. The automated “out of office” response should also include an alternative email and phone number for Adnami staff, so the sender has the opportunity to reach out to another employee for service or support. 

  • Both received and sent emails going through Adnami’s email clients are scanned for hidden virus software, to prevent viruses from being spread via the company’s email communication. 

  • It is a disciplinary offense to disable the integrated virus checkers. 

  • Caution should be shown before opening any attachments from unknown senders. 

8. Technical and organizational security measures

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. 

8.1. Physical Access and Security 

When processing personal data, the Data Processor must ensure that reasonable and appropriate measures are taken to prevent third parties from physically accessing data from documents, devices or servers. The Adnami office is located in Store Kongensgade, Copenhagen. 

To access the building each employee have the following: 

  • Personal chip to entrance gate and entrance door 

  • Personal extra code for the door when coming out of office hours

At all times we keep a log of the chip use, so we know who has been trusted with each specific entrance chip.

All access grants are reviewed every 6 months. 

At the point of employment termination, all access grants to this person must be revoked immediately, if there is no longer need for the access. 

User accounts are always individual and must never be shared between Adnami employees. 

8.2. Preventing Access to Core IT Systems

To prevent unauthorized access to the setup, all users are required to use Microsoft Multi-Factor Authentication.

Adnami IT systems and Products are built on Azure cloud computing Software Platform. Azure is a Microsoft enterprise software solution, offering the highest levels of IT security and monitoring across its infrastructure possible.

Security and privacy are built right into the Azure platform, beginning with the Security Development Lifecycle (SDL). The SDL addresses security at every development phase and ensures that Azure is continually updated to make it even more secure. Operational Security Assurance (OSA) builds on SDL knowledge and processes to supply a framework that helps provide secure operations throughout the lifecycle of cloud-based services. Azure Security Center makes Azure the only public cloud platform to offer continuous security-health monitoring.

Microsoft is committed to at all times be compliant with the GDPR and ensure that Microsoft clients can also trust that they can be compliant towards their partners and customers. See Microsoft’s promise their clients such as Adnami to GDPR:

For Azure security technical resources, visit Azure Security Documentation

Microsoft Azure SLA summary

The Adnami Systems are built specifically using the following Microsoft Azure solutions:

8.3. Backup Procedures

Adnami uses Azure Blob Storage, which is Microsoft's massively scalable cloud object store. Blob Storage is ideal for storing unstructured data such as images, videos and other creative advertising file types.

The data in Azure Blob Storage is always replicated to ensure durability and high availability. Azure Storage replication copies the stored data so that it is protected from planned and unplanned events ranging from transient hardware failures, network or power outages, massive natural disasters, and so on. 

It gives Adnami the security to at any time be able to restore all the data logged on the Azure servers. 

Read more about Azure Blob Storage here.

8.4. Preventing Fraud (Cloudflare)

Adnami uses Cloudflare as a vendor to detect bot traffic and secure optimal server allocation behind our services. 

Cloudflare is a security, performance, and reliability company headquartered in the United States (US) that delivers a broad range of network services to businesses of all sizes and in all geographies. They help Adnami become more secure, enhance the performance of our business-critical applications, and eliminate the cost and complexity of managing individual network hardware.

Cloudflare is a security, performance, and reliability company headquartered in the United States (US) that delivers a broad range of network services to businesses of all sizes and in all geographies. They help Adnami become more secure, enhance the performance of our business-critical applications, and eliminate the cost and complexity of managing individual network hardware. 

Cloudflare collects the ip-address for routing the call between the user and our services located in the MS Azure Cloud, the ip-addresses are known only while needed to fullfill the service of routing the call see Cloudflare for specifics, but in average a call lasts for 7ms to 30ms.

We proxy our communication through Cloudflare in order to provide better performance through caching and load balancing. They need the ip-adresses to route the communication.

Adnami does not permit our sub-processors to sell any personal information we share with them or to use any personal information we share with them for their own marketing purposes or for any purpose other than in connection with the services they provide to us.

8.5. Organisational Access Management and Control

On an ongoing basis, Adnami will assess who needs access to what critical IT systems and products, e.g. cloud computing services. Access to such business critical systems and products is only granted to trusted employees who are educated and trained to handle such access with best practice care and skill. 

At the point of employee contract termination, the employees passwords are all reset, and if the account will be deleted (unless it for whatever business reason needed to keep the account details).

In addition, all accounts with administrative rights to business critical IT systems and Products are reviewed for appropriate permissions once yearly. 

8.6. Data Security Breach Policy

Adnami processes different categories of data and information from various systems, and we take care to prevent incidents from happening, which could compromise security. The purpose of this Data Security Breach Policy is to ensure that all employees in Adnami know how to identify and respond correctly to a potential security breach, which will minimize any risk, confidentiality and integrity consequences related to the incident. 

Definition of an Incident

An incident in this context is an event, which has the potential to damage the reputation, revenues or assets. For example it could be: 

  • Accidental loss of theft of a device containing sensitive data, e.g. documents, ipad, USB stick, laptop or mobile phone. 

  • Unauthorized use, access to or modification of data or information systems. 

  • Unauthorized disclosure of confidential information, e.g. email sent to the wrong recipient. 

  • Compromised user account

  • Malware infection

  • Equipment failure

  • Disruption to IT services. 

Reporting an Incident

Data breach and information security breach should be reported instantly to management by personal contact, phone and email. This report should be as detailed as possible, including who is involved, what is the nature of the incident, what is the information/data at potential risk and where and when the breach happened. 

Investigation and Risk Assessment

Depending on the particular incident, management will appoint the investigation team to investigate the incident. It is management’s responsibility to initiate investigation of a reported breach no later than 24 hours after the incidence report was received. Together with management, the risk investigation team will determine the right course of action and assign appropriate resources to minimize risk. 

Steps will be taken to recover system or data losses and resume to normal business practices.  

8.7. Security in development processes

  • Secure development policy

  • Procedure for management of system changes: When any part of our system is changed it has to go through several phases of testing.

    • All changes are tracked using the version control software Git with proper branching and pull request handling.

    • First of all the compiler will automatically analyze newly added code for any syntax errors when a new version is being built.

    • Thereafter we set up local tests in Chrome browser where any unwanted behaviour can be detected before the first release to our test environment. The developer tool in the Chrome browser allows us to override files loaded into a page with files located in a folder on our computers instead. 

    • The development environment is a copy of our live environment and it allows us to test new functionality on different devices and browsers. 

    • Finally when we are ready to set new changes live to our production environment we use a staging site and make hot swap allowing for none/minimal downtime and the possibility of reverting immediately to the previous version.

We also plan and discuss changes in a weekly meeting where new suggestions are reviewed by the entire team.

  • We strive to follow the principle of least privilege which means we are continuously updating which systems and parts of systems each member of our team has access to and as far as possible we try to limit the access to only the parts strictly necessary.

  • Scheduled system security tests:

  • We perform a verification of software patch installations, firewalls, server and software security installations once every year. 

  • We test a full restore of data from the backup media at least once a year.

  • We upgrade software with patches and upgrades distributed by the software provider. This applies to all standard software, including operating systems, databases, web servers, anti virus etc. Patches must be installed no later than 30 days after release by the software provider. 

8.8. Supplier Relations Security

Microsoft Azure engages with external certifying bodies and independent auditors to provide customers with considerable information regarding the policies, processes, and controls established and operated by Microsoft Azure. 

  • GRC Assessment Reports

  • ISO reports


  • ENS Audit Reports and Certificates

  • FES Ramp Reports

  • GRC Assessment Reports

  • PCI/DSS Reports

See all relevant Azure third party audits and annotations here:

8.9 Data Minimisation - Archiving and Disposing

Adnami tracks and reports on advertising events such as impressions and clicks. As a part of doing it is unavoidable that our servers receive the following event types continued in the log line: domain/referrer, site hostname, time stamp.

The only data we store from these received events is the event type, site url, site hostname, timestamp and the creative/banner ID itself. After a few hours, that dataset is compiled down to event type, site url, site hostname, date, creative and event counts. 

The compiled data set looks like this: 


    "TimeStamp": "2019-06-07T00:00:00.0Z",

    "EventCode": "interscroll_init",

    "CreativeCode": "randomized36digitalphanumericcode",

    "CreativeSite": "",

    "Count": "223",

    "id": "randomized36digitalphanumericcode", (ID for internal use, not a User ID)

    "_rid": "I1s+APNgFZcu9fUAAAAADw==",

    "_self": "dbs/I1s+AA==/colls/I1s+APNgFZc=/docs/I1s+APNgFZcu9fUAAAAADw==/",

    "_etag": "\"1100cabf-0000-0c00-0000-5cf9a91b0000\"",

    "_attachments": "attachments/",

    "_ts": 1559865627


After the data compilation, we delete the original dataset.

9. Data subject access request

A data subject access request, also known as a DSAR, is a written request made by an employee or User/Client to Adnami for information. DSARs usually request information about whether any personal data is being processed about them;

  • a description of the personal data, 

  • the reasons it is being processed, 

  • and whether it will be given to any other organisations or people;

  • copies of information comprising the data; and

  • details of the source of the data (where is it available). 

Once Adnami have received a DSAR, we must respond to the Data Subject within 40 days. 

To delete an Adnami Client Account, a user must send an Adnami employee an email with the written request to be deleted from the platform. 

Only Account Administrators can request for a Company Account to be deleted. Deleting an account is irreversible. 

Client Data

Client data is necessary for creating and providing our products and services to a client. Such data is stored in the Adnami servers. The Client data points are: 

  • Client ID

  • Client Name

  • Company Public ID (CVR, VAT etc)

  • Company Address

To delete an account, a user must send an Adnami employee an email with the written request to be deleted from the platform. 

Only Account Administrators can request for a Company Account to be deleted. Deleting an account is irreversible. 

Campaign Data

Campaign data is needed for measuring and reporting on advertising delivery and performance of the Adnami high impact campaigns. The data points include: 

  • Campaign name

    • Tracking events (such as but not limited to impressions, clicks, viewable impressions etc). 

Deleting Campaign Data can be done by sending an email with the deletion request to an Adnami Account Manager. 

If an End User wishes to withdraw consent previously given when visiting an Adnami Client’s website or app, where the Adnami Products are implemented, she should be informed to: 

(a) take the necessary steps to remove cookies from the used computer after leaving our website, and 

(b) discontinue her use of Adnami’s and Your Services.

10. Sharing Data in and outside of the EU

Sharing data outside of the EU As a rule of thumb Adnami are not allowed to transfer personal data that we hold outside the EU unless the country or territory to which the data is to be sent ensures an ‘adequate level of personal data protection’ for data subjects. 

All European Economic Area countries (the EU Member States, plus Iceland, Liechtenstein and Norway) are assumed to have an adequate level of protection. There are thus no legal restrictions on your transfer of personal data to other EEA countries, provided you have informed research subjects that their personal data may be shared with these partners. 

However, always seek advice on appropriate formal data sharing/data controller agreements before any commitments are made. 

Sharing data outside the EEA

The European Union only considers a few countries outside the EEA to have ‘adequate protection’. These are Andorra, Argentina, Australia, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, and Uruguay. 

When we work with service providers who transfer EU data to the US, we ensure those are certified under the EU-US and Swiss-US Privacy Shield frameworks for onward transfers of EU data to the United States. See

Where you intend to share data containing personal data with partners outside the EEA, this may be possible, provided you have informed research subjects that their personal data may be shared with these institutions, if:

  • The country to which the data will be sent has been accepted as ensuring an 'adequate level of protection' by the EU Commission;

  • Your department has undertaken an adequacy assessment to determine whether there is adequate protection for the rights of individuals, in all the circumstances of the transfer;

  • The data subjects have given their informed consent to the transfer; or

    • The transfer is made on contractual terms of a kind approved by management as ensuring adequate safeguards for the rights and freedoms of data subjects. 

Determining which of the possibilities apply to your need will require an expert assessment, and thus potential transfers of personal data outside the EEA should always be referred to your manager well in advance of any transfers taking place. 

Collecting personal data from research subjects outside of the EU Personal data that is processed in the EU by a data controller, regardless of where it is collected and the nationality of the data subjects, will fall under EU regulations, and foreign data subjects are entitled to exercise the same rights over their personal data as EU citizens. 

If you are collecting personal data in other countries, you should also be aware of any national legislation that applies to your processing, including the international transfer of that data to the EU e.g. if you were collecting data from research subjects in Hong Kong, it will have its own data protection laws. 

It is good practice to make clear in the information you provide to overseas data subjects that their data will be transferred to, and processed in, the EU, and to ensure that you have their consent, ideally in writing or some other permanent form, to such a transfer. 

11. Risk Analysis and Mitigation

As a foundation for Adnami’s technical and organisational IT and security measures, once every year the IT security team will perform an overall risk assessment. The assessment is based on potential new legal requirements to security measures, security related incidents that have occured in Adnami in the past year, critical changes to Adnami’s product and IT infrastructure as well as other topics deemed relevant at the time. 

The report must also include an assessment of the risk of Adnami products and IT assets being exposed for both intentional and unintentional threats and or incidents, e.g. destruction of information, interruption of running IT services and products, network communication et cetera. 

12. Management Enforcement of Policies

This IT & Data Security Documentation document is being updated on an ongoing basis to ensure that Adnami follows best practice policies and procedures with the purpose of delivering the highest possible level of IT and Data Security. 

It is ultimately management’s responsibility to ensure that all Adnami employees and IT related partners are working towards the same or higher standards. 

As a structural way of controlling that employees adhere to the defined policies and procedures “IT security and development” is a mandatory part of the agenda in ongoing technology and development meetings.