DATA PROTECTION ADDENDUM FOR SUPPLY PARTNERS

Last updated: April 15, 2024

This Data Protection Addendum (this “DPA”) is entered into between the applicable Amagi entity identified in the Agreement (“Company”) and the entity identified as Customer in the Agreement (“Customer”) and forms a part of and is incorporated by reference into the Agreement. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement. Company and Customer are referred to individually as a “Party” and collectively as the “Parties”.

  1. Definitions. 
    1. “Agreement” means the master services or other services agreement between Company and Customer.
    2. “Amagi Ads Services” means Company’s advertising-related products and services, such as advertising insertion services within media made available by Customer, advertising sales services whereby Company (directly or through its partner network) sells advertising to fill advertising inventory within media made available by Customer, and related analytics and reports.
    3. “Data Controller”, “Controller” or “Business” means an entity that determines the purposes and means of Processing of Personal Data.
    4. “Data Protection Laws” means all applicable laws, rules and regulations governing privacy, data protection, security and/or the Processing of Personal Data, including but not limited to EC Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and the EU e-Privacy Directive (Directive 2002/58/EC) (the “e-Privacy Directive”), data protection and privacy laws of the United Kingdom in effect from time to time (collectively with the GDPR, “EU Data Protection Law”), the local law of the place(s) where Processing by a party and its Personnel takes place, the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act (the “CPRA”), the Virginia Consumer Data Protection Act (the “VCDPA”), the Colorado Privacy Act (the “CPA”), the Connecticut Data Protection Act (the “CTDPA”) and the Utah Consumer Privacy Act (the “UCPA”) (collectively “US State Privacy Laws”), and the Federal Trade Commission’s FTC Act Section 5, in each case, all of the foregoing as applicable, and as amended, replaced or supplemented from time to time, and all subordinate legislation made under them, together with any binding codes of practice, regulations or other guidance issued by the governments, agencies, data protection regulators, or other authorities in the relevant countries, states or other jurisdictions.
    5. “Data Processor”, “Processor” or “Service Provider” means an entity that Processes Personal Data on behalf of a Business or Controller.
    6. “Data Subject” or “Consumer” means a natural person to whom any Personal Data Processed under the Agreement pertains.
    7. “IAB Privacy Frameworks” means the Interactive Advertising Bureau (IAB)’s signals and contractual frameworks, rules and guidelines for processing Personal Data as follows: (a) for Data Subjects in the EU and U.K., the IAB Europe Transparency & Consent Framework (“IAB EU TCF”), (b) for Consumers in the US, the IAB Global Privacy Platform (“GPP”) and the corresponding IAB Multi-State Privacy Agreement (“MSPA”), and (c) for Data Subjects in Canada, the IAB Canada’s Transparency & Consent Framework (“IAB CA TCF”), and (d) the IAB Guide to Navigating COPPA (“IAB COPPA Guide”), as each of the foregoing may be modified by IAB from time to time, and any successors to the foregoing.
    8. “Notice and Choice Mechanisms” means (i) for Data Subjects of the EU and UK, prior notice and consent and/or other lawful basis requirements in compliance with EU Data Protection Law; (ii) for Consumers in the US but excluding California, a clear and conspicuous method that enables the Consumer to opt-out of the Sale of Personal Information and to opt-out of the Processing of Personal Information for the purpose of targeted advertising; and (iii) for Consumers in California, a clear and conspicuous “Do Not Sell or Share My Personal Information” link or alternate opt-out link that enables the Consumer to opt-out of both Sales and Sharing of their Personal Information.
    9. “Other Services” means Amagi Services ordered by Customer under the Agreement other than the Amagi Ads Services.
    10. “Personal Data” means information provided by Customer to Company or collected by Company on Customer’s behalf that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, or as otherwise defined under Data Protection Laws (including any equivalent terminology such as “Personal Information” or “Personally Identifiable Information”), limited to Personal Data that the applicable party collects or Processes pursuant to the Agreement.
    11. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, by Company for Customer.
    12. “Process”, “Processing”, “Sell”, “Selling”, “Sales”, “Share”, “Sharing”, “special categories of personal data”, “Sensitive Information” and “Sensitive Personal Information” shall have the meanings assigned to them in Data Protection Laws.
    13. “Sub-Processor” or “Subprocessor” means an entity engaged by Company that will Process Personal Data on behalf of Customer, or as otherwise defined in Data Protection Laws.
    14. “Third Party” shall have the meaning assigned to it in Data Protection Laws.

  2. Compliance and Cooperation. Each Party represents, warrants and covenants that it shall comply with Data Protection Laws.

  3. Role of the Parties.
    1. Amagi Ads Services. With respect to Personal Data Processed in connection with Customer’s use of the Amagi Ads Services, each Party is an independent Controller of the Personal Data that it collects or Processes pursuant to the Agreement. Each Party may use such Personal Data for its lawful business purposes in compliance with Data Protection Laws, and each Party shall be individually and separately responsible for complying with the obligations that apply to it as a Controller under Data Protection Laws with respect to such Personal Data. The Parties agree that they are not joint Controllers of any Personal Data. Each Party will individually determine the purposes and means of its Processing of the Personal Data. For purposes of the CCPA and CPRA, the Customer is considered to be the “Business” and Company is considered to be a “Third Party” with respect to such Personal Data.
    2. Restricted Processing. Where Customer uses Amagi Ads Services, for Personal Data processing for which a Data Subject has signaled to Customer that such Data Subject exercised their rights under an applicable Notice and Choice Mechanism, Customer shall communicate the appropriate signal to Company in the applicable ad requests and/or bid requests sent by Customer to Company through the Amagi Ads Services. In such cases, the Customer is considered to be the “Business” or “Controller” and Company is considered to be a “Service Provider” or “Processor” (or if applicable, Customer is a “Service Provider” or “Processor” and Company is a “sub-service provider” or “Subprocessor”).
    3. Other Services. With respect to Personal Data Processed in connection with Customer’s use of Other Services (“Other Personal Data”), as between Customer and Company, with respect to all such Other Personal Data, Customer is a “Controller” or “Business”, and Company is a “Processor” or “Service Provider”, or if applicable, Customer is a “Processor” or “Service Provider” and Company is a “sub-service provider” or “Subprocessor”. 
    4. Instructions. Customer instructs Company to process Other Personal Data as reasonably necessary for the performance of the Other Services, and which may be supplemented from time to time by Customer’s written instructions that are consistent with the Agreement and this DPA. 
    5. Modifications to DPA; Entire Agreement. Company may modify this DPA from time to time by posting the modified version at https://www.amagi.com/data-protection-addendum or a successor page. Customer is responsible for checking such page for updates periodically. Such modifications shall be binding upon being posted. This DPA supersedes all data protection agreements and addenda previously entered into by the Parties with respect to its subject matter.
    6. Company Responsibilities. Company agrees that: (i) all personnel engaged in processing Personal Data are and will remain committed to confidentiality; (ii) Company shall take industry appropriate technical and organizational measures designed to ensure the security of processing, which may include as appropriate: (a) encryption and pseudonymization; (b) ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services and to restore access to Personal Data in the event of an incident; and (c) processes for regularly testing and assessing the effectiveness of its security measures. Without limiting the foregoing, Company shall encrypt Personal Data in storage and in transit. Company shall not disclose Other Personal Data to third parties (including Subprocessors and subcontractors) unless such disclosure is reasonably necessary to perform the Services. Prior to any such disclosure, Company will enter into a written agreement with such third party that includes terms no less restrictive than those contained in this DPA, and Company will be responsible for the third party’s compliance therewith.
    7. Company Assistance. With respect to Other Personal Data, Company will assist Customer in responding to requests for exercising Data Subjects’ rights, and will endeavor to assist Customer with its obligations pursuant to Articles 32-36 of GDPR, including data security, data protection impact assessments, and breach notifications. Company will promptly inform Customer if it is asked to do something which to its knowledge violates Data Protection Laws. The Parties will make available to each other all information reasonably necessary as may be required to demonstrate compliance with Data Protection Laws, and Company may allow for and contribute to audits and inspection in this regard.
    8. Restricted Transfers. Where the Services involve the transfers of Personal Data out of the European Economic Area or the UK to a jurisdiction that is not the beneficiary of an adequacy decision under EU Data Protection Laws (“Transferred Personal Data”), both Parties agree that such transfers shall be governed as follows: (i) for Data Subjects located in the EEA, by the unchanged version of the standard contractual clauses in Commission Decision 2021/914/EU as can be found at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN (the “EU SCC”). The applicable Module therein shall be deemed selected based upon the Parties’ respective roles in accordance with Section 3 of this DPA. Clause 7 (Docking Clause), but not the option under Clause 11 (independent dispute resolution) of the EU SCC, shall apply; (ii) for Data Subjects located in the UK, by the EU SCC plus the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as can be found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (or as it may be amended or replaced) (the “UK Addendum”). The EU SCC and if applicable the UK Addendum shall be incorporated into this DPA by reference and form an integral part of this DPA. For the purposes of the descriptions in the EU SCC and only as between the Parties, Customer agrees that it is a “data exporter” and Company is the “data importer”. The Annexes attached to this DPA provide the information required by Annexes I, II and III of the EU SCC and by the UK Addendum as set out in Annex I.B to this DPA.
    The Parties may store and Process Transferred Personal Data in the United States of America, the United Kingdom and/or any other country in which either Party or any of its Processors maintains facilities so long as such Party and any of its Processors: (1) transfer such data via a valid legal mechanism such as the appropriate EU SCC and/or UK Addendum, or a UK International Data Transfer Agreement; and (2) provide at least the same level of protection to such Transferred Personal Data as is required by such mechanism to ensure an adequate level of protection for such Transferred Personal Data in accordance with the requirements of European Data Protection Laws. In the event of inconsistencies between the provisions of the EU SCC or UK Addendum and this DPA or other agreements between the Parties, then the terms of the EU SCC or UK Addendum as applicable shall prevail.

  4. Customer Responsibility.
    1. Compliance. Customer represents and warrants that either: (x) it is a participant in the applicable IAB Privacy Framework(s) for each territory in which it processes or makes available Personal Data to Company and that Customer will adhere to the rules and guidelines of the applicable IAB Privacy Framework(s), or (y) Customer has otherwise provided Consumers with such Notice and Choice Mechanisms as are required under Data Protection Law, and (z) in any event, that Customer has obtained any legally required consent and/or the necessary lawful basis to the collection, use and disclosure of Personal Data to allow Company to Process such Personal Data on behalf of Customer, Company and all advertising partners with respect to collection and processing of Personal Data for the purposes of provision of the Services (including without limitation for serving advertising, which may include interest-based, targeted or relevant ads).  
    2. Customer represents and warrants that: (i) the media and ad inventory with respect to which any Amagi Ads Services are utilized are not directed to children under 16 years old and that no portion of the Personal Data has been or will be, to Customer’s knowledge, collected in connection with any site, application, advertisement or other online service directed towards children under 16 years old, unless Customer either: (1) ensures that all such media and inventory contains the IAB COPPA flag in accordance with the IAB COPPA Guide, or unless Customer has otherwise agreed in writing with Company on alternative means of flagging such media and inventory as child-directed; and (ii) no Sensitive Information or special categories of Personal Data will be collected or passed to Company under the Agreement. 
    3. Customer shall implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that Customer is in compliance with Data Protection Laws with respect to Customer making Personal Data accessible to, or providing it to, Company. Customer shall, and if Customer is not the owner or operator of the media for which Company’s Services are used, Customer shall cause the owner or operator of such media (each, a “Publisher”) to, conspicuously post a link to and abide by, a privacy policy that complies with all Data Protection Laws, as well as pertinent guidelines of any self-regulatory organizations, and that: (i) discloses its data collection, sharing, and use practices; (ii) discloses the use of third parties for ad serving activities and the use of technologies such as cookies; (iii) provides the ability to opt-out of interest-based advertising, targeted advertising and profiling; and (iv) provides, where required by Data Protection Laws, the ability to opt-out of Personal Data Sales or Sharing.

  5. Personal Data Breach. Company shall provide Customer written notice of any Personal Data Breach without undue delay and in no event later than one (1) business day following the occurrence of such Personal Data Breach. Such notice shall summarize in reasonable detail, to the extent known, the nature of the incident, number of Data Subjects affected, the number of Personal Data records involved, the likely consequences, and the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

  6. US State Privacy Law Compliance.
    1. The Parties acknowledge that where Company acts as a Service Provider and/or a Processor under US State Privacy Laws: (i) it will not Sell or Share any such Personal Information, (ii) will not use, retain or disclose such Personal Information outside of the direct business relationship between Company and Customer; (iii) Company acknowledges that the Personal Information is disclosed by Customer only for limited and specified purposes set forth in the Agreement; and (iv) it will comply with applicable obligations under US State Privacy Laws and provide the same level of privacy protection as is required under same. Company hereby certifies that it understands the restrictions on Company’s processing of Personal Information hereunder and will comply with them.
    2. Company grants Customer the right to take reasonable and appropriate steps to help to ensure that Company uses Personal Information in a manner consistent with the Customer’s obligations under US State Privacy Laws. Company shall notify Customer if it makes a determination that it can no longer meet its obligations under US State Privacy Laws. Company grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information Processed under the Agreement. In the event that Customer notifies Company of any verified request by a consumer to exercise its rights under US State Privacy Laws, Company shall fulfil its obligations under Data Protection Laws with respect to same.

ANNEX I

  1. LIST OF PARTIES

    1. Data Exporter

      Name: The Customer set forth in the Agreement

      Address: As set forth in the Agreement

      Contact person’s name address and contact details: As set forth in the Agreement

      Activities relevant to the data transferred under these clauses: Making personal data available to enable provision of the Services

      Role:
        Controller (if using Amagi Ads Services)
        Controller or Processor (if using Other Services)

    2. Data Importer

      Name: Company

      Address: As set forth in the Agreement

      Contact person’s name address and contact details: DPO, Venkatesha KS, venkatesha.ks@amagi.com

      Activities relevant to the data transferred under these clauses:
        Amagi Ads Services: Processing to enable digital advertisement inventory monetization services; providing advertising inventory availability data to Ad Partners, reporting on engagement and effectiveness of Ads, and optimizing or allowing Ad Partners to optimize and personalize data subjects’ advertising experience on advertising inventory owned, operated, managed or acquired by the Customer, and the use of information for service improvement.
        Other Services: The provision of the Other Services selected by the Customer, the provision of related reports and analytics, and the use of aggregated and anonymized information for service improvement.

      Role:
        Controller (except where an opt-out has been exercised and signaled to Company in accordance with a Notice and Choice Mechanism in which case Company’s role shall be that of a Processor)
        Processor

  2. DESCRIPTION OF TRANSFER / PROCESSING ACTIVITIES

    Categories of data subjects whose Personal Data is transferred

    (a) end users of websites, mobile websites, channels, connected TVs, platforms and/or applications on which the Services are utilized; 

    (b) the Parties’ employees, contractors and representatives.

    Categories of Personal Data transferred

    (a) pseudonymous data collected through or in relation to the Services (e.g. IP addresses, device identifiers, cookie identifiers and/or mobile advertising identifiers). The above may be accompanied by other information about the data subjects whose Personal Data is being transferred, such as browser or device type and version, contextual metadata, time stamp, device operating system and platform, and country associated with the data subject; 

    (b) names and contact details.

    Sensitive data transferred (if applicable)

    • None.

    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

    • Continuous.

    Nature of the processing

    • As set out in the Agreement.

    Purpose(s) of the data transfer and further processing

    • The Parties will process the Personal Data as part of the Services in accordance with the Agreement.

    The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

    • The later of 12 months from the date of collection, or for the Term of the Agreement (unless earlier deletion is required by the data exporter).

    For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

    • As above.

  3. COMPETENT SUPERVISORY AUTHORITY 

    The Irish Data Protection Commissioner.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Company will implement and maintain a comprehensive written information security program designed to protect Personal Data from unauthorized access, use, modification, disclosure or destruction.  Without limiting the generality of the foregoing, as part of its information security program, Company will:

  • limit access to Personal Data to the minimum number of its personnel who require such access in order to perform its obligations under the Agreement;
  • provide appropriate training to its personnel who process Personal Data;
  • use multi-factor authentication for access to any systems storing Personal Data;
  • use reputable services and/or tools to continuously monitor for malicious or unauthorized behavior; and
  • encrypt Personal Data at rest and in transit.

Where Customer makes use of the Amagi Ads Plus Service, Customer shall implement and maintain the same security measures set out in the preceding paragraph.

ANNEX III

LIST OF SUB-PROCESSORS

Ad Servers: SpringServe
Infrastructure/Cloud Storage: AWS; Google Cloud Platform

ANNEX I.B (UK Addendum)

UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

Part 1: Tables

Table 1: Parties

Start Date: As set out in the Agreement
The Parties: As set out in Annex I

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs: The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

For Amagi Ads Plus Service:
  Module: Module 1
  Module in operation: YES
  Clause 7 (Docking Clause): YES
  Clause 11 (Option): NO
  Clause 9a (Prior Authorisation or General Authorisation): n/a
  Clause 9a (Time Period): n/a
  Is personal data received from the Importer combined with personal data collected by the Exporter?: YES

For Other Amagi Services:
  Module: Module 2 or 3, as applicable
  Clause 9a (Prior Authorisation or General Authorisation): General Authorisation
  Clause 9a (Time Period): 14 days

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex I Part A: List of Parties: ANNEX I
Annex I Part B: Description of Transfer: ANNEX I
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: ANNEX II

Table 4: Ending this Addendum when the Approved Addendum Changes

Which Parties may end this Addendum as set out in Section 19: Importer or Exporter

Part 2: Mandatory Clauses

Mandatory Clauses: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.