DATA PROTECTION ADDENDUM FOR AD PARTNERS

Last updated: May 15, 2024

Amagi Corporation (or such other Amagi entity set forth as contracting entity in the Main Agreement), on behalf of itself and its Affiliates (“Amagi”) and the counterparty agreeing to this Data Protection Addendum for Ad Partners (“Company”) have entered into an agreement, insertion order or other contract for the provision of the Controller Services, as amended from time to time (the “Main Agreement”). This Data Protection Addendum for Ad Partners (“DPA”) dated as of the effective date of the Main Agreement (“Effective Date”) is intended to comply with the parties’ obligations under Data Protection Laws with respect to the Processing of Controller Personal Data pursuant to the Main Agreement. Amagi and Company are individually referred to as a “Party” or together as “Parties”. This DPA shall supersede and replace any previous DPA in place between the parties with respect to the Controller Personal Data. In the event of a conflict between this DPA and the Main Agreement, this DPA shall prevail. All capitalized terms not defined in this DPA will have the meanings set forth in the Main Agreement.

  1. DEFINITIONS.
    1. Adequate Country” means a country or territory that is recognized under EU Data Protection Law as providing adequate protection for Personal Data.
    2. “Affiliate” means, with respect to a Party, an entity that owns or controls, is owned or controlled by or is or under common control or ownership with the Party, where “control” is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
    3. Business” or “Controller” shall mean an entity that determines the purposes and means of Processing of Personal Data
    4. “Controller Personal Data” means any Personal Data that is provided or made available by a Party to the other Party under the Main Agreement in connection with the providing Party’s provision or use (as applicable) of the Controller Services.
    5. “Controller Services” means the services as described in the Main Agreement.
    6. Data Subject” or “Consumer” means a natural person to whom any Controller Personal Data pertains.
    7. Data Protection Laws” shall mean all applicable laws governing the handling of Personal Data, including without limitation: (i) EC Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), and the EU e-Privacy Directive (Directive 2002/58/EC) (the “e-Privacy Directive”), data protection and privacy laws of the United Kingdom in effect from time to time (collectively with the GDPR and the e-Privacy Directive, “EU Data Protection Law”); (ii) the local law of the place(s) where Processing by a Party and its Personnel takes place; (iii) the California Consumer Privacy Act of 2018 (“CCPA”); the California Privacy Rights Act (the “CPRA”), the Virginia Consumer Data Protection Act (the “VCDPA”), the Colorado Privacy Act (the “CPA”), the Connecticut Data Protection Act (the “CTDPA”), and/or the Utah Consumer Privacy Act (the “UCPA”), and other applicable data protection laws and regulations in applicable U.S. states as of the date such laws take effect from time to time (collectively “US State Privacy Laws”), and (iv) the Federal Trade Commission’s FTC Act Section 5, in each case, all of the foregoing as applicable and as amended, replaced or supplemented from time to time, and all subordinate legislation made under them, together with any binding codes of practice, regulations or other guidance issued by the governments, agencies, data protection regulators, or other authorities in the relevant states, countries or jurisdictions.
    8. EEA” means the European Economic Area, the United Kingdom and Switzerland.
    9. IAB Privacy Frameworks” means the Interactive Advertising Bureau (IAB)’s signals and contractual frameworks, rules and guidelines for processing Personal Data as follows: (i) for Data Subjects in the EU and UK, the IAB Europe Transparency & Consent Framework (“IAB EU TCF”), and (ii) for Consumers in the US, the Global Privacy Platform (“GPP”) and the corresponding IAB Multi-State Privacy Agreement framework (“MSPA”), (iii) for Data Subjects in Canada, the IAB Canada’s Transparency & Consent Framework (“IAB CA TCF”), and (iv) the IAB Guide to Navigating COPPA (“IAB COPPA Guide”), as each of the foregoing may be modified by IAB from time to time, and any successors to the foregoing.
    10. “Notice and Choice Mechanisms” means for (i) Data Subjects of the EU and UK, prior notice and consent and/or other lawful basis requirements in compliance with EU Data Protection Law; (i) for Consumers in the US but excluding California, a clear and conspicuous method that enables the Consumer to opt-out of the Sale of Personal Data and to opt-out of the Processing of Personal Data for the purpose of targeted advertising, and (ii) for Consumers in California, a clear and conspicuous “Do Not Sell or Share My Personal Information” link or alternate opt-out link that enables the Consumer to opt-out of both Sales and Sharing of their Personal Data.
    11. Process, Processing and Processed” means any operation or set of operations which is performed on Controller Personal Data or on subsets thereof, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    12. Personal Data” or the equivalent ‘personal information’ means any information relating, directly or indirectly, to an identified or identifiable natural person or otherwise as defined in applicable Data Protection Laws.
    13. Personal Data Breach” means unauthorised, accidental or unlawful Processing, access, loss, or disclosure of Controller Personal Data.
    14. Personnel” means all officers, directors and employees, independent contractors or service providers of a Party or its Affiliates.
    15. Service Provider” or “Processor” shall mean an entity that Processes Personal Data on behalf of a Business or Controller.
    16. Sell”, “Sale”, “Share”, “Sharing” and “Third Party” shall have the meaning assigned to it under Data Protection Laws.

  2. Role of the Parties. Except where a Notice and Choice Mechanism applies in accordance with Section 3 below, each Party is an independent Controller of the Controller Personal Data that it collects or Processes pursuant to the Main Agreement. Each Party shall be individually and separately responsible for complying with the obligations that apply to it under Data Protection Laws. The Parties agree that they are not joint Controllers of any Controller Personal Data. Each Party will individually determine the purposes and means of its Processing of Controller Personal Data. For purposes of the CCPA, and other applicable US State Privacy Laws that have adopted “Third Party” terminology, each Party is considered to be a “Third Party”.

  3. Obligations of the Parties.
    1. Each Party represents and warrants at all times that: (i) it shall comply with all applicable requirements of Data Protection Laws; (ii) if there are amendments or updates to Data Protection Laws that are reasonably expected to affect the Parties’ roles, rights or obligations hereunder, it shall cooperate in good faith with the other Party to enter into additional or modified terms to address the same; (iii) it has the necessary right and authority to enter into this DPA and to perform its obligations herein; (iv) its execution and performance under this DPA and the Main Agreement will not violate any agreement to which it is a party; (v) it has provided, or has contractually required its data sources to, provide all required information to Data Subjects including, where required, that Personal Data that may be passed to third parties for the purposes of the Main Agreement; and (vi) in collecting Controller Personal Data and providing same to the other Party, it did not violate any applicable self-regulatory principles promulgated by the Network Advertising Initiative (“NAI”), the Digital Advertising Alliance (“DAA”) or the European Interactive Digital Advertising Alliance (“EDAA”) (such Self-Regulatory Principles, collectively, the “SRPs”).
    2. Amagi is a participant in the IAB TCF Framework and will pass signals received under the IAB TCF Framework to Company in the applicable ad requests and/or bid requests sent by Amagi to Company. In cases where a signal has been passed to Amagi by the data source that an applicable Data Subject or Consumer exercised their rights under an applicable Notice and Choice Mechanism, Amagi shall communicate such signal to Company in the applicable ad requests and/or bid requests sent by Amagi to Company. In such cases, Company is considered to be a “Service Provider” or “Processor”. The Parties acknowledge that in cases where Company acts as a Service Provider and/or a Processor under Data Protection Laws: (i) it will not Sell or Share any such Personal Data, (ii) will not use, retain or disclose such Personal Data outside of the direct business relationship between Amagi and Company; and (iii) it will comply with applicable obligations under Data Protection Laws and provide the same level of privacy protection as is required under the same. Company hereby certifies that it understands the restrictions on Company’s processing of Personal Data hereunder and will comply with them.
    3. Without limiting the foregoing, each Party will maintain a publicly-accessible privacy policy on its website that is in compliance with Data Protection Laws.
    4. Each Party will notify the other Party in writing of any action or instruction of the other Party under this DPA or the Main Agreement which, in its opinion, infringes applicable Data Protection Laws.
    5. Subject to this DPA, each Party, acting as a Controller, may Process the Controller Personal Data in accordance with, and for the purposes permitted in, the Main Agreement (the “Permitted Purposes”).
    6. A Party that has made Controller Personal Data available to the other Party under the Main Agreement (“Disclosing Party”) will have the right to: (i) take reasonable and appropriate steps to help ensure that such other Party (“Receiving Party”) uses such Controller Personal Data in a manner consistent with the Disclosing Party’s obligations under and as required by Data Protection Laws, and (ii) upon reasonable prior written notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of such Controller Personal Data under and as required by applicable Data Protection Laws. Receiving Party will notify Disclosing Party if Receiving Party determines that it can no longer meet its obligations under applicable Data Protection Laws. Receiving Party acknowledges and agrees that it is receiving Controller Personal Data only for the limited and specified purposes set forth in the Main Agreement. Receiving Party shall provide not less than the same level of privacy protection as is required by Data Protection Laws for such Controller Personal Data.

  4. Security and Confidentiality. Each Party shall implement appropriate technical and organisational measures to protect the Controller Personal Data from unauthorised, accidental or unlawful access, loss, disclosure or destruction. In the event that a Party suffers a Personal Data Breach, it shall notify the other Party without undue delay, but in any event within seventy-two (72) hours of it confirming the same, and both Parties shall cooperate in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Personal Data Breach. Nothing herein prohibits either Party from providing notification of the Personal Data Breach to regulatory authorities as may be required by Data Protection Laws prior to notification of the other Party so long as the notifying Party provides notification to the other Party without undue delay. Each Party shall ensure that all of its Personnel who have access to and/or Process Controller Personal Data are obliged to keep the Controller Personal Data confidential.

  5. Transfers outside the EEA.
    1. Where the Controller Services involve the storage and/or Processing of Controller Personal Data which transfers Controller Personal Data out of the European Economic Area or the UK to a jurisdiction that is not an Adequate Country, and EU Data Protection Laws apply to the transfers of such data (“Transferred Personal Data”), both parties agree that such transfers shall be governed as follows:
      1. for data subjects located in the EEA, by the unchanged version of the standard contractual clauses in Commission Decision 2021/914/EU (MODULE ONE: Transfer Controller to Controller) as can be found at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN) (the “EU SCC”). Clause 7 (Docking Clause), but not the option under Clause 11 (independent dispute resolution), shall apply;
      2. for data subjects located in the UK, by the EU SCC plus the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as can be found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (or as it may be amended or replaced) (the “UK Addendum”);
      3. the EU SCC and if applicable the UK Addendum shall be incorporated into this DPA by reference and form an integral part of this DPA. For the purposes of the descriptions in the EU SCC and only as between the Parties, Company agrees that it is a “data importer” and Amagi is the “data exporter” under the EU SCC;
      4. the Annexes to this DPA provide the information required by Annexes I, II and III of the EU SCC and by the UK Addendum as set out in Annex I.B to this DPA. The EU SCC may also be annexed to this DPA if appropriate.

    2. The Parties may store and Process Transferred Personal Data in the United States of America, the United Kingdom and/or any other country in which either Party or any of its Processors maintains facilities so long as such Party and any of its Processors:
      1. transfer such data via a valid legal mechanism such as the appropriate EU SCC and/or UK Addendum, or a UK International Data Transfer Agreement; and
      2. provide at least the same level of protection to such Transferred Personal Data as is required by such mechanism to ensure an adequate level of protection for such Transferred Personal Data in accordance with the requirements of European Data Protection Laws.

    3. In the event of inconsistencies between the provisions of the EU SCC or UK Addendum and this DPA or other agreements between the parties, then the terms of the EU SCC or UK Addendum as applicable shall prevail.
    4. If the EU SCC or UK Addendum are deemed invalid by a governmental or judicial entity with jurisdiction over Transferred Personal Data (e.g., the EU Court of Justice) or if such entity imposes additional rules and/or restrictions regarding such Transferred Personal Data, the parties agree to work in good faith to find an alternative and/or modified approach with respect to such Transferred Personal Data which is in compliance with European Data Protection Laws.
    5. Where the European Commission or other relevant supervisory authority issues new, updated or replacement EU SCC, or the UK Addendum is updated or replaced, then Amagi may notify Company in writing thereof and the parties shall replace the EU SCC or UK Addendum as appropriate and make any other necessary amendments to this DPA.

  6. Data Subject Requests. Each Party will process its own requests for Data Subjects to exercise their rights. With respect to requests from, or on behalf of Data Subjects to the Processing of Personal Data that is shared between the Parties, including requests to opt-out from the Sale or Sharing of Personal Data pursuant to applicable Data Protection Laws, the parties will reasonably cooperate to honor such objections or opt-out requests.

  7. Compliance Cooperation. Both Parties agree to reasonably cooperate and assist each other in relation to any regulatory inquiry, complaint or investigation concerning the Controller Personal Data shared between the Parties.

  8. Allocation of Costs. Each Party shall perform its obligations under this DPA at its own cost, except as otherwise specified herein.

  9. Liability. The liability of the Parties under or in connection with this Agreement will be subject to the exclusions and limitations of liability in the Main Agreement.

  10. Miscellaneous. If any provision or condition of this DPA is held or declared invalid, unlawful or unenforceable by a competent authority or court, then the remainder of this DPA shall remain valid. The provision or condition affected shall be construed to be amended in such a way that ensures its validity, lawfulness and enforceability while preserving the parties’ intentions, or if that is not possible, as if the invalid, unlawful or unenforceable part had never been contained in this DPA. This DPA shall be governed by and construed in accordance with the laws governing the Main Agreement, and any disputes shall be resolved by the courts agreed for resolution of disputes under the Main Agreement.

ANNEX I

  1. LIST OF PARTIES

    1. Data Exporter

      Name Address Contact person’s name address and contact details Activities relevant to the data transferred under these clauses Role
      The Amagi entity set forth in the Main Agreement As set forth in the Main Agreement DPO, Venkatesha KS Email: venkatesha.ks@amagi.com or subsequently notified by Amagi to Company in writing Amagi shall enable Company to collect, store and process the Controller Personal Data from websites, mobile websites, channels, connected TVs, platforms and/or applications for the purposes set out in the Main Agreement Controller
    2. Data Importer

      Name Address Contact person’s name address and contact details Activities relevant to the data transferred under these clauses Role
      Company (as defined in the DPA) As set out in the Main Agreement As set out in the Main Agreement or subsequently notified by Company to Amagi in writing Company may collect, store and process the Controller Personal Data from websites, mobile websites, channels, connected TVs, platforms and/or applications for the purposes set out in the Main Agreement, including the provision by Company of one or more of the following, as applicable based upon the services ordered by Amagi from Company: collection, processing, and analysis of Controller Personal Data for the facilitation of digital advertisement insertion by Company or by third party buyers with whom Company works, optimizing such advertisements and performing cross-context behavioral advertising or enabling the third party buyers with whom Company works to do the same (subject to any exceptions set forth in the DPA), and the development and provision of related reports. Controller
  2. DESCRIPTION OF TRANSFER / PROCESSING ACTIVITIES

    Categories of data subjects whose Personal Data is transferred

    (a) end users of websites, mobile websites, channels, connected TVs, platforms and/or applications on which the Controller Services are utilized;

    (b) the Parties’ employees, contractors and representatives.

    Categories of Personal Data transferred

    (a) pseudonymous data collected through or in relation to the Controller Services (e.g. IP addresses, cookie identifiers, mobile advertising IDs or other device IDs). The above may be accompanied by other information about the data subjects whose Personal Data is being transferred, such as browser and/or device type and version, time stamp, device operating system and platform and country associated with the data subject.

    (b) names and contact details.

    Sensitive data transferred (if applicable)

    • None.

    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

    • Continuous.

    Nature of the processing

    • As set out in the Agreement.

    Purpose(s) of the data transfer and further processing

    • The Parties will process the Controller Personal Data as part of the Controller Services in accordance with the Agreement.

    The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

    • The later of 6 months from the date of collection, or for the Term of the Agreement unless earlier deletion is requested by the data exporter.

    For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

    • As above.

  3. COMPETENT SUPERVISORY AUTHORITY 

    The Irish Data Protection Commissioner.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Importer will implement and maintain a comprehensive written information security program designed to protect Controller Personal Data from unauthorized access, use, modification, disclosure or destruction. Without limiting the generality of the foregoing, as part of its information security program, Importer will:

  • limit access to Controller Personal Data to the minimum number of its personnel who require such access in order to perform its obligations under the Main Agreement and the DPA
  • provide appropriate training to its Personnel who process Controller Personal Data
  • use multi-factor authentication for access to any systems storing Controller Personal Data
  • use reputable services and/or tools to continuously monitor for malicious or unauthorized behavior
  • encrypt Controller Personal Data at rest and in transit

ANNEX I.B (UK Addendum)

UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

Part 1: Tables

Table 1: Parties

Start Date As set out in the DPA
The Parties As set out in Annex I

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
Module Module in operation Clause 7 (Docking Clause) Clause 11 (Option) Clause 9a (Prior Authorisation or General Authorisation) Clause 9a (Time Period) Is personal data received from the Importer combined with personal data collected by the Exporter?
1 YES YES NO n/a n/a YES

Table 3: Appendix Information

Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex I Part A: List of Parties: ANNEX I
Annex I Part B: Description of Transfer: ANNEX I
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: ANNEX II

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes Which Parties may end this Addendum as set out in Section 19:


- Importer or Exporter

Part 2: Mandatory Clauses

Mandatory Clauses Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎18 of those Mandatory Clauses.