Last updated: April 15, 2024

DATA PROTECTION ADDENDUM FOR SUPPLY PARTNERS

This Data Protection Addendum (this “DPA”) is entered into between the applicable Amagi entity identified in the Agreement (“Company”) and the entity identified as Customer in the Agreement (“Customer”) and forms a part of and is incorporated by reference into the Agreement. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement. Company and Customer are referred to individually as a “Party” and collectively as the “Parties”.

1. Definitions. 
   1. “Agreement” means the master services or other services agreement between Company and Customer. 
   2. “Amagi Ads Services” means Company’s advertising-related products and services, such as advertising insertion services within media made available by Customer, advertising sales services whereby Company (directly or through its partner network) sells advertising to fill advertising inventory within media made available by Customer, and related analytics and reports.
   3.  “Data Controller”, “Controller” or “Business” means an entity that determines the purposes and means of Processing of Personal Data.
   4. “Data Protection Laws” means all applicable laws, rules and regulations governing privacy, data protection, security and/or the Processing of Personal Data, including but not limited to EC Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and the EU e-Privacy Directive (Directive 2002/58/EC) (the “e-Privacy Directive”), data protection and privacy laws of the United Kingdom in effect from time to time (collectively with the GDPR, “EU Data Protection Law”), the local law of the place(s) where Processing by a party and its Personnel takes place, the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act (the “CPRA”), the Virginia Consumer Data Protection Act (the “VCDPA”), the Colorado Privacy Act (the “CPA”), the Connecticut Data Protection Act (the “CTDPA”) and the Utah Consumer Privacy Act (the “UCPA”) (collectively “US State Privacy Laws”), and the Federal Trade Commission’s FTC Act Section 5, in each case, all of the foregoing as applicable, and as amended, replaced or supplemented from time to time, and all subordinate legislation made under them, together with any binding codes of practice, regulations or other guidance issued by the governments, agencies, data protection regulators, or other authorities in the relevant countries, states or other jurisdictions.
   5.  “Data Processor”, “Processor” or “Service Provider”, means an entity that Processes Personal Data on behalf of a Business or Controller.
   6. “Data Subject” or “Consumer” means a natural person to whom any Personal Data Processed under the Agreement pertains.
   7. “IAB Privacy Frameworks” means the Interactive Advertising Bureau (IAB)’s signals and contractual frameworks, rules and guidelines for processing Personal Data as follows: (i) for Data Subjects in the EU and U.K, the IAB Europe Transparency & Consent Framework (“IAB EU TCF”), (b) for Consumers in the US, the IAB Global Privacy Platform (“GPP”) and the corresponding IAB Multi-State Privacy Agreement (“MSPA”), and (c) for Data Subjects in Canada, the IAB Canada’s Transparency & Consent Framework (“IAB CA TCF”), and (d) the IAB Guide to Navigating COPPA (“IAB COPPA Guide”), as each of the foregoing may be modified by IAB from time to time, and any successors to the foregoing. 
   8. “Notice and Choice Mechanisms” means for (i) Data Subjects of the EU and UK, prior notice and consent and/or other lawful basis requirements in compliance with EU Data Protection Law; (i) for Consumers in the US but excluding California, a clear and conspicuous method that enables the Consumer to opt-out of the Sale of Personal Information and to opt-out of the Processing of Personal Information for the purpose of targeted advertising, and (ii) for Consumers in California, a clear and conspicuous “Do Not Sell or Share My Personal Information” link or alternate opt-out link that enables the Consumer to opt-out of both Sales and Sharing of their Personal Information.  
   9. “Other Services” means Amagi Services ordered by Customer under the Agreement other than the Amagi Ads Services.
   10. “Personal Data” means information provided by Customer to Company or collected by Company’s on Customer’s behalf that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, or as otherwise defined under Data Protection Laws (including any equivalent terminology such as “Personal Information” or “Personally Identifiable Information”), limited to Personal Data that the applicable party collects or Processes pursuant to the Agreement.
   11. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, by Company for Customer.
   12. “Process”, “Processing”, “Sell”, “Selling”, “Sales”, “Share”, “Sharing”, “special categories of personal data”, “Sensitive Information” and “Sensitive Personal Information” shall have the meanings assigned to them in Data Protection Laws. 
   13. “Sub-Processor” or “Subprocessor” means an entity engaged by Company that will Process Personal Data on behalf of Customer, or as otherwise defined in Data Protection Laws. 
   14. “Third Party” shall have the meaning assigned to in in Data Protection Laws.
       
       
2. Compliance and Cooperation. Each Party represents, warrants and covenants that it shall comply with Data Protection Laws.
   
   
3. Role of the Parties.
   1. Amagi Ads Services. With respect to Personal Data Processed in connection with Customer’s use of the Amagi Ads Services, each Party is an independent Controller of the Personal Data that it collects or Processes pursuant to the Agreement. Each Party may use such Personal Data for its lawful business purposes in compliance with Data Protection Laws, and each Party shall be individually and separately responsible for complying with the obligations that apply to it as a Controller under Data Protection Laws with respect to such Personal Data. The Parties agree that they are not joint Controllers of any Personal Data. Each Party will individually determine the purposes and means of its Processing of the Personal Data. For purposes of the CCPA and CPRA, the Customer is considered to be the “Business” and Company is considered to be a “Third Party” with respect to such Personal Data.
   2. Restricted Processing. Where Customer uses Amagi Ads Services, for Personal Data processing for which a Data Subject has signaled to Customer that such Data Subject exercised their rights under an applicable Notice and Choice Mechanism, Customer shall communicate the appropriate signal to Company in the applicable ad requests and/or bid requests sent by Customer to Company through the Amagi Ads Services. In such cases, the Customer is considered to be the “Business” or “Controller” and Company is considered to be a “Service Provider” or “Processor” (or if applicable, Customer is a “Service Provider” or Processor” and Company is a “sub-service provider” or “Subprocessor”). 
   3. Other Services. With respect to Personal Data Processed in connection with Customer’s use of Other Services (“Other Personal Data”), as between Customer and Company, with respect to all such Other Personal Data, Customer is a “Controller” or “Business”, and Company is a “Processor” or “Service Provider”, or if applicable, Customer is a “Processor” or “Service Provider” and Company is a “sub-service provider” or “Subprocessor”. 
   4. Instructions. Customer instructs Company to process Other Personal Data as reasonably necessary for the performance of the Other Services, and which may be supplemented from time to time by Customer’s written instructions that are consistent with the Agreement and this DPA. 
   5. Modifications to DPA; Entire Agreement. Company may modify this DPA from time to time by posting the modified version at https://www.amagi.com/data-protection-addendum or a successor page. Customer is responsible for checking such page for updates periodically. Such modifications shall be binding upon being posted. This DPA supersedes all data protection agreements and addenda previously entered into by the Parties with respect to its subject matter.
   6. Company Responsibilities. Company agrees that: (i) all personnel engaged in processing Personal Data are and will remain committed to confidentiality; (ii) Company shall take industry appropriate technical and organizational measures designed to ensure the security of processing, which may include as appropriate: (a) encryption and pseudonymization; (b) ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services and to restore access to Personal Data in the event of an incident; and (c) processes for regularly testing and assessing the effectiveness of its security measures. Without limiting the foregoing, Company shall encrypt Personal Data in storage and in transit. Company shall not disclose Other Personal Data to third parties (including Subprocessors and subcontractors) unless such disclosure is reasonably necessary to perform the Services. Prior to any such disclosure, Company will enter into a written agreement with such third party that includes terms no less restrictive those contained in this DPA, and Company will be responsible for the third party’s compliance therewith.
   7. Company Assistance. With respect to Other Personal Data, Company will assist Customer in responding to requests for exercising Data Subjects’ rights, and will endeavor to assist Customer with its obligations pursuant to Articles 32-36 of GDPR, including data security, data protection impact assessments, and breach notifications. Company will promptly inform Customer if it is asked to do something which to its knowledge violates Data Protection Laws. The Parties will make available all information reasonably necessary available to each other as may be required to demonstrate compliance with Data Protection Laws, and Company may allow for and contribute to audits and inspection in this regard. 
   8. Restricted Transfers. Where the Services involve the transfers of Personal Data out of the European Economic Area or the UK to a jurisdiction that is not the beneficiary of an adequacy decision under EU Data Protection Laws (“Transferred Personal Data”), both Parties agree that such transfers shall be governed as follows: (i) for Data Subjects located in the EEA, by the unchanged version of the standard contractual clauses in Commission Decision 2021/914/EU as can be found at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN) (the “EU SCC”). The applicable Module therein shall be deemed selected based upon the Parties’ respective roles in accordance with Section 3 of this DPA. Clause 7 (Docking Clause), but not the option under Clause 11 (independent dispute resolution) of the EU SCC, shall apply; (ii) for Data Subjects located in the UK, by the EU SCC plus the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as can be found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (or as it may be amended or replaced) (the “UK Addendum”). The EU SCC and if applicable the UK Addendum shall be incorporated into this DPA by reference and form an integral part of this DPA. For the purposes of the descriptions in the EU SCC and only as between the Parties, Customer agrees that it is a “data exporter” and Company is the “data importer”. The Annexes attached to this DPA provide the information required by Annexes I, II and III of the EU SCC and by the UK Addendum as set out in Annex I.B to this DPA. The Parties may store and Process Transferred Personal Data in the United States of America, the United Kingdom and/or any other country in which either Party or any of its Processors maintains facilities so long as such Party and any of its Processors: (1) transfer such data via a valid legal mechanism such as the appropriate EU SCC and/or UK Addendum, or a UK International Data Transfer Agreement; and (2) provides at least the same level of protection to such Transferred Personal Data as is required by such mechanism to ensure an adequate level of protection for such Transferred Personal Data in accordance with the requirements of European Data Protection Laws. In the event of inconsistencies between the provisions of the EU SCC or UK Addendum and this DPA or other agreements between the Parties, then the terms of the EU SCC or UK Addendum as applicable shall prevail.
      
      
4. Customer Responsibility.
   1. Compliance. Customer represents and warrants that either: (x) it is a participant in the applicable IAB Privacy Framework(s) for each territory in which it processes or makes available Personal Data to Company and that Customer will adhere to the rules and guidelines of the applicable IAB Privacy Framework(s), or (y) Customer has otherwise provided Consumers with such Notice and Choice Mechanisms as are required under Data Protection Law, and (z) in any event, that Customer has obtained any legally required consent and/or the necessary lawful basis to the collection, use and disclosure of Personal Data to allow Company to Process such Personal Data on behalf of Customer, Company and all advertising partners with respect to collection and processing of Personal Data for the purposes of provision of the Services (including without limitation for serving advertising, which may include interest-based, targeted or relevant ads).  
   2. Customer represents and warrants that: (i) the media and ad inventory with respect to which any Amagi Ads Services are utilized are not directed to children under 16 years old and that no portion of the Personal Data has been or will be, to Customer’s knowledge, collected in connection with any site, application, advertisement or other online service directed towards children under 16 years old, unless Customer either: (1) ensures that all such media and inventory contains the IAB COPPA flag in accordance with the IAB COPPA Guide, or unless Customer has otherwise agreed in writing with Company on alternative means of flagging such media and inventory as child-directed; and (ii) no Sensitive Information or special categories of Personal Data will be collected or passed to Company under the Agreement. 
   3. Customer shall implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that Customer is in compliance with Data Protection Laws with respect to Customer making Personal Data accessible to, or providing it to, Company. Customer shall, and if Customer is not the owner or operator of the media for which Company’s Services are used, Customer shall cause the owner or operator of such media (each, a “Publisher”) to, conspicuously post a link to and abide by, a privacy policy that complies with all Data Protection Laws, as well as pertinent guidelines of any self-regulatory organizations, and that: (i) discloses its data collection, sharing, and use practices; (ii) discloses the use of third parties for ad serving activities and the use of technologies such as cookies; (iii) provides the ability to opt-out of interest-based advertising, targeted advertising and profiling; and (iv) provides, where required by Data Protection Laws, the ability to opt-out of Personal Data Sales or Sharing.
      
      
5. Personal Data Breach. Company shall provide Customer written notice of any Personal Data Breach without undue delay and in no event later than one (1) business day following the occurrence of such Personal Data Breach. Such notice shall summarize in reasonable detail, to the extent known, the nature of the incident, number of Data Subjects affected, the number of Personal Data records involved, the likely consequences, and the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
   
   
6. US State Privacy Law Compliance.
   1. The Parties acknowledge that where Company acts as a Service Provider and/or a Processor under US State Privacy Laws: (i) it will not Sell or Share any such Personal Information, (ii) will not use, retain or disclose such Personal Information outside of the direct business relationship between Company and Customer; (iii) Company acknowledges that the Personal Information is disclosed by Customer only for limited and specified purposes set forth in the Agreement; and (iv) it will comply with applicable obligations under US State Privacy Laws and provide the same level of privacy protection as is required under same. Company hereby certifies that it understands the restrictions on Company’s processing of Personal Information hereunder and will comply with them.
   2. Company grants Customer the right to take reasonable and appropriate steps to help to ensure that Company uses Personal Information in a manner consistent with the Customer’s obligations under US State Privacy Laws. Company shall notify Customer if it makes a determination that it can no longer meet its obligations under US State Privacy Laws. Company grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use Personal Information Processed under the Agreement. In the event that Customer notifies Company of any verified request by a consumer to exercise its rights under US State Privacy Laws, Company shall fulfil its obligations under Data Protection Laws with respect to same.