Data Processing Agreement
[Last Updated: September 16, 2024]
This Data Processing Agreement ("DPA") forms an integral part of the publisher agreement executed by and between FireArc Technologies Ltd. and its affiliates ("Company") and the Publisher ("Agreement"). Capitalized terms used herein but not defined herein shall have the meanings ascribed to them in the Agreement (each of the Company and Publisher, a “Party” and together the “Parties”).
WHEREAS, the Company is the developer and owner of the technology and platform that enables the Publisher to place interactive units and ads within the Publisher's online digital assets, apps, websites, etc. ("Publisher Assets");
WHEREAS, subject to the terms of the Agreement, the Company shall provide the Publisher with the Services, and during the use of the Company Services, the Company will process certain Personal Data (as such terms are defined below) on the Publisher's behalf, subject to the terms and conditions of this DPA; and
WHEREAS, the Parties desire to supplement this DPA to achieve compliance with the UK, EU, Swiss, United States and other data protection laws and agree on the following:
1. DEFINITIONS
1.1 "Adequate Country" is a country that has received an adequacy decision from the European Commission.
1.2 "CCPA" means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 - 1798.199) of 2018, including as modified by the California Privacy Rights Act ("CPRA") once the CPRA takes effect as well as all regulations promulgated thereunder from time to time.
1.3 "Controller", "Processor", "Data Subject", "Personal Data", "Processing" (and "Process"), "Personal Data Breach" and "Special Categories of Personal Data" shall all have the meanings given to them in EU Data Protection Law. The terms "Business", "Business Purpose", "Consumer", "Cross Context Behavioral Advertising", "First-Party Business”, "Service Provider", "Share", "Sale", "Third-Party Business" and "Sell" shall have the same meanings as ascribed to them in the CCPA. "Data Subject" shall also mean and refer to a "Consumer". "Personal Data" shall also mean and refer to "Personal Information," as such term is defined in the CCPA.
1.4 "Consent" means an End User's informed and freely given consent that meets the requirements stipulated under Article 7 of the GDPR.
1.5 "CPA" means the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq. (SB 21-190), including any implementing regulations and amendments.
1.6 "CTDPA" means the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022), including any implementing regulations and amendments thereto.
1.7 "Data Protection Law" means applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection Laws, Israeli Law and the US Data Protection Laws and the Brazilian General Data Protection Law "LGPD") as may be amended or superseded from time to time.
1.8 "EEA" means the European Economic Area.
1.9 “End User” means an individual visiting or browsing the Publisher Assets who interacts with the Interactive Units and Ads displayed therein.
1.10 "EU Data Protection Law" means the (i) EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) - (iii); and (v) any legislation replacing or updating any of the foregoing.
1.11 “IAB Consent Management Framework” means the IAB tech labs’ technical specification for the GDPR transparency & consent framework.
1.12 "IAB Policy" means the (i) IAB Europe Transparency & Consent Framework – Policies Version 2020-11-18.3.2a available at: https://iabeurope.eu/wp-content/uploads/2020/11/TCF_v2-0_Policy_version_2020-11-18-3.2a.docx-1.pdf (“TCF”); (ii) IAB Global Privacy platform including the Multi State Privacy Framework (“MSPA”) available at https://www.iabprivacy.com/IAB%20First%20Amended%20and%20Restated%20Multi-State%20Privacy%20Agreement%20(MSPA).pdf
1.13 "ID" means (i) a unique identifier stored on an End-User's device; (ii) a unique identifier generated for a specific End User; (iii) an online identifier associated with a particular device; (iv) a cookie ID, agent ID, IP address, URL or RTB tag, or any online identifier identifying an End User or a specific device; (v) a unique identifier identifying the Publisher and the Publisher Assets.
1.14 "Israeli Law" means Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations.
1.15 "Publisher Data" means any and all Personal Data shared or otherwise processed by Company on Publisher's behalf, as detailed in ANNEX I.
1.16 "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other party's Personal Data will comprise a Security Incident.
1.17 “Privacy Signals” means the End Users’ preference signals, indicating the End Users’ preference of processing Personal Data, such as: requesting to opt-out from selling or sharing Personal Data, opt-out from processing Personal Data for Targeted Advertising, including without limitations flags or signals sent through a cookie banner, cookie manager, or other technology (“CMP”) such as: IAB Global Privacy Platform (“GPP”) or otherwise the CCPA “do not sell or share my personal information” signals, Google restricted data processing (“rdp”) signals, Global Consent Platform (“GCP”) signals, and any other opt-out from interest-based advertising signals such as the Digital Advertising Alliance (DAA) and the Network Advertising Initiative (NAI), as applicable.
1.18 "Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021 which is attached herein by link reference: https://eur-ex.europa.eu/legalcontent/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.
1.19 "Swiss Data Protection Laws" or "FADP” shall mean the Swiss Federal Act on Data Protection of June 19, 1992, SR 235.1, and any other applicable data protection or privacy laws of the Swiss Confederation as amended, revised, consolidated, re-enacted or replaced from time to time, and to the extent applicable to the processing of Personal Data under the Agreement.
1.20 "Swiss SCC” shall mean the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner.
1.21 "UK Data Protection Laws" shall mean the Data Protection Act 2018 (DPA 2018), as amended, and EU General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as incorporated into UK law as the UK GDPR, as amended, and any other applicable UK data protection laws, or regulatory Codes of Conduct or other guidance that may be issued from time to time.
1.22 "UK GDPR” shall mean the GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time).
1.23 “UK SCC” means the UK 'International data transfer addendum to the European Commission's standard contractual clauses for international data transfers', available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as adopted, amended or updated by the UK's Information Commissioner's Office, Parliament or Secretary of State.
1.24 "US Data Protection Laws" means any U.S. federal and state privacy laws effective as of the Effective Date of this DPA and applicable to the Company's Processing of Publisher Data, and any implementing regulations and amendments thereto, including without limitation, the CCPA, the CPA, the CTDPA, and the VCDPA.
1.25 “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392), including any implementing regulations and amendments thereto.
Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Law. A reference to any term or section of US Data Protection Laws, UK Data Protection Laws or GDPR means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR and/or UK GDPR depending on the applicable Law.
2. RELATIONSHIP OF THE PARTIES
2.1 US Data Protection Laws specifications are further detailed in Annex VII.
2.2 Except for specifications under the US Data Protection Law Addendum, each Party is an independent Controller with respect to Personal Data Processed under the Agreement. In no event will the Parties be referred to as joint Controllers.
2.3 Each party shall be individually and separately responsible to comply with applicable Data Protection Laws in connection with the Processing of Personal Data. The purpose, subject matter and duration of the Processing, the type of Personal Data and categories of Data Subjects are described in ANNEX I attached hereto.
3. REPRESENTATIONS AND WARRANTIES
3.1 Each party shall notify the other party, in writing without undue delay (unless prohibited by law) upon becoming aware of:
(a) a security incident that may affect the other party or the processing of Personal Data provided to or made available by the other party (“Security Incident Notice”). A Security Incident Notice shall include, to the extent available: (i) a description of the nature of the Security Incident, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) a description of the likely consequences of the Company; and (iii) a description of the measures taken or proposed to be taken to address the Company, including, where appropriate, measures to mitigate its possible adverse effects; and
(b) data subject request, consumer user right request (“DSR Notice”) or otherwise and regulatory, authority or a complaint, investigation, inquiry, warrant, subpoena or proceedings from or brought by any public, governmental, or judicial agency or authority that relates to the Personal Data processed under this Agreement (“SAR Notice”).
3.2 In the event of a Security Incident Notice, a DSR or SAR Notice, the parties undertake to cooperate in good faith to ensure compliance with applicable laws.
3.3 Unless prohibited by applicable legal, regulatory or law enforcement requirements, each party must obtain the written approval of the other party prior to the publication or communication of any filings, communications, notices, press releases or reports related to any Security Incident that expressly mentions by the applicable party, its affiliates, or its customers.
3.4 Each Party shall implement and maintain a comprehensive information security program with appropriate technical and organizational measures to ensure a level of security appropriate to the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, and taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, which includes at a minimum (i) the security measures set forth in ANNEX II; and (ii) where required by Data Protection Laws, the appointment of a Data Protection Officer to oversee the privacy program.
3.5 Each Party shall provide reasonable cooperation and assistance to the other Party in ensuring compliance with its obligation to carry out data protection impact assessments.
3.6 Each Party shall ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to Personal Data; (ii) that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.7 In addition, and if applicable based on the applicable jurisdiction, each party shall Process the Personal Data solely as provided through the Privacy Signals, including the IAB Policies and the IAB Consent Framework, and similar industry frameworks or guidelines applicable to the Agreement.
3.8 IAB TCF Specifications where applicable: Publisher acknowledges and agrees that the End User does not have a direct relationship with the Company, however, certain features of the Company Services are dependent and based upon End User’s Consent or any other demonstrated lawful bases, that shall be obtained by Publisher and which the Company relies on, amongst others, in its capacity as a Vendor under the IAB Policy. Publisher also acknowledges that it shall be able to demonstrate such Consent at any time and represents that such Consent exists. The Company shall not be liable for obtaining Consent or with respect to the Privacy Signals, if applicable, provided by the Publisher or the Publisher’s consent management, and shall transfer the Privacy Signals "as is" and as it was provided to the Advertiser partner. Publisher acknowledges and agrees that such requests are directly transmitted to the Advertiser, and such Advertiser will respond as per Publisher’s request. Therefore, the Company, as the technical provider, has no control over such parameters or over the Privacy Signals and shall not be responsible for any parameter or Privacy Signals that were unlawfully or misleadingly sent by Publisher, nor liable for any damage or damages resulting from it. Notwithstanding the above, it is hereby clarified that: (i) in the EEA, UK and under the TCF, the Company requires Consent for Purpose 1 of the IAB Policy (storage access), and the Publisher shall ensure to call Company solely upon receiving consent for Purpose 1; (ii) in the EEA, UK or other applicable jurisdiction which requires consent for cookie access or storage (such as ePrivacy Section 5(3)), and the Publisher does not have a TCF CMP, the Publisher shall solely call or load the Interactive Unit upon receiving Consent for placing or accessing cookies.
3.9 Publisher represents, warrants, and covenants that it: (i) shall implement any needed technical capability to receive, interpret, and comply with, and if necessary re-transmit to further recipients, any and all Privacy Signals provided by the Company; (ii) will comply with the End Users’ preference as provided through the Privacy Signals, and if consent is not provided (i.e., “unknown” signals or errors), the Publisher shall not treat such Privacy Signals as Consent; and (iii) acknowledges Company transfers the Privacy Signals “as is” and as provided by Publisher or partners, and that the Company does not take any responsibility or liability for the use, transfer or sharing of the Privacy Signals. The Company does not warrant or take any liability for the accuracy of the Privacy Signals. It is Publisher’s sole responsibility to implement technical means to enable compliance with the preferences provided by End Users through such Privacy Signals.
4. DATA TRANSFER
4.1 If the processing of Personal Data includes a transfer (either directly or through an onward transfer) to a third country outside the EEA, the UK and Switzerland, that is not an Adequate Country, such transfer shall be subject to an appropriate safeguard approved by Data Protection Law: the GDPR (Article 46), UK GDPR (Article 46) or Swiss FADP (as applicable).
4.2 If the parties rely on the Standard Contractual Clauses to facilitate a transfer then:
4.2.1 transfer of Personal Data from the EEA, the terms set forth in Annex IV shall apply;
4.2.2 transfer of Personal Data from the UK, the terms set forth in Annex V shall apply; and
4.2.3 transfer of Personal Data from Switzerland, the terms set forth in Annex VI shall apply.
5. CONFLICT
In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
6. TERM AND TERMINATION
6.1 This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates. The Publisher shall be entitled to suspend the Processing of its Publisher's Data in the event that the Company is in breach of Data Protection Laws or the terms of this DPA, all in accordance with a binding decision of a competent court or the competent supervisory authority.
6.2 The Company shall be entitled to terminate this DPA or terminate the Processing of Publisher Data in the event that Processing of Personal Data under the Publisher's instructions or this DPA infringes applicable legal requirements. Such termination shall be subject to informing the Publisher and the Publisher insisting on compliance with the instructions.
6.3 Following the termination of this DPA, the Company shall, at the choice of the Publisher, delete all Publisher's Personal Data processed on behalf of the Publisher and certify to the Publisher that it has done so, or otherwise, return all Publisher's Data to the Publisher and delete existing copies unless applicable law or regulatory requirements require that the Company continue to store the Publisher's Personal Data. Until the Personal Data is deleted or returned, the Company shall continue to ensure compliance with this DPA.
ANNEX I
DETAILS OF PROCESSING
This Annex I includes certain details of the processing of the Publisher Data as required by Article 28(3) GDPR.
Categories of Data Subjects:
Publishers' End Users / Data Subject that viewed ads or content which are placed on the Publisher's digital assets, meaning the End Users interacting with the Publisher's app, site, game, etc. and the ads displayed by The Company.
Categories of Personal Data:
IP addresses, IDFA/ AAID or any IDs, Consent logs, cookies data, usage data, approximate location data, behavior data, referred URL, Publisher-uploaded segment data, End User behavior data- meaning, clicked the ad, viewed the ad, which is processed for reporting purposes for Publisher, impression data, optimization data, ad delivery data.
Special Categories of Personal Data:
Not Applicable
Process Frequency:
The Personal Data is transferred on a continuous basis.
Nature of the processing:
Collection, storage, organization, analysis, modification, retrieval, disclosure, communication and other uses in performance of the Services as set out in the Agreement.
Retention Period:
For as long as needed to provide the Service, comply with applicable laws. The logs tracing the event are stored between 7 to 30 days for fraud prevention purposes.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
Each party shall implement and maintain current and appropriate technical and organizational measures to protect Personal Data against accidental, unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, disclosure or access, as set forth below:
1. Implement and maintain current and appropriate technical and organizational measures to protect Personal Data against accidental, unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, disclosure or access;
2. Provide third-party attestation of static or dynamic application security testing or penetration testing on all software processing Personal Data, remediate any identified high vulnerabilities, provide written remediation plans for medium and low vulnerabilities, and provide evidence of its remediation of any identified security vulnerabilities at Company’s request;
3. Maintain a level of security appropriate to the harm that may result from any unauthorized or unlawful Processing or accidental loss, destruction, damage, denial of service, alteration or disclosure, and appropriate to the nature of Publisher Data;
4. Oblige its employees, agents or other persons to whom it provides access to Personal Data to keep it confidential; take reasonable steps to ensure the integrity of any employees who have access to Personal Data; provide annual training to staff and subcontractors on the security requirements contained herein;
5. Maintain a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of Personal Data, regularly testing such measures to validate their appropriateness and effectiveness, and implementing corrective action where deficiencies are revealed by such testing;
6. Adhere to password policies for standard and privileged accounts consistent with industry best practices;
7. Ensure that only those of the Company's personnel who need to have access to Publisher Data are granted access, such access is limited to the least amount required, and only granted for the purposes of performing obligations under this DPA. The Company shall conduct access reviews upon each individual's scope of responsibility change, the Company staffing change or other change impacting the Company's personnel access to Publisher Data;
8. Maintain a physical security program that is consistent with industry best practices;
9. Ensure that any storage media (whether magnetic, optical, non-volatile solid state, paper, or otherwise capable of retaining information) that captures Personal Data is securely erased or destroyed before repurposing or disposal;
ANNEX III - EU INTERNATIONAL TRANSFERS AND SCC
1. The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Personal Data from the EEA to other countries that are not deemed as Adequate Countries.
2. Module One (Controller to Controller) of the Standard Contractual Clauses shall apply where the transfer is effectuated by Publisher as the data controller of the Personal Data and The Company is the data processor of the Personal Data.
3. The Parties agree that for the purpose of transfer of Personal Data between Publisher (as Data Exporter) and the Company (as Data Importer), the following shall apply:
a) Clause 7 of the Standard Contractual Clauses shall not be applicable.
b) In Clause 9, shall not be applicable.
c) In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
d) In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Publisher is established (where applicable).
e) In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction.
4. Annex I.A of the Standard Contractual Clauses shall be completed as follows:
1.a.1. "Data Exporter": Publisher
1.a.2. "Data Importer": The Company
1.a.3. Roles: (A) With respect to Module One: (i) Data Exporter is a data controller and (ii) the Data Importer is a data controller.
1.a.4. Data Exporter and Data Importer Contact details: As detailed in the Agreement.
1.a.5. Signature and Date: By entering into the Agreement and DPA, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
5. Annex I.B of the Standard Contractual Clauses shall be completed as follows:
a) The purpose of the processing, nature of the processing, categories of data subjects, categories of personal data and the parties' intention with respect to the transfer of special categories are as described in Annex I (Details of Processing) of this DPA.
b) The frequency of the transfer and the retention period of the personal data is as described in Annex I (Details of Processing) of this DPA.
6. Annex I.C of the Standard Contractual Clauses shall be completed as follows: the competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 3 above.
7. Annex II of this DPA (Technical and Organizational Measures) serves as Annex II of the Standard Contractual Clauses.
ANNEX IV – UK INTERNATIONAL TRANSFERS AND SCC
1. The parties agree that the terms of the Standard Contractual Clauses as amended by the UK Standard Contractual Clauses, and as amended in this Annex IV, are hereby incorporated by reference and shall apply to transfer of Personal Data from the UK to other countries that are not deemed as Adequate Countries.
2. This Annex IV is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country in reliance on Article 46 of the UK GDPR and with respect to data transfers from controllers to processors or from the processor to its sub-processors.
3. Terms used in this Annex IV that are defined in the Standard Contractual Clauses, shall have the same meaning as in the Standard Contractual Clauses.
4. This Annex V shall (i) be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
5. Amendments to the UK Standard Contractual Clauses:
5.1. Part 1: Tables
5.1.1. Table 1 Parties: shall be completed as set forth in Annex III above.
5.1.2. Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in Annex III above.
5.1.3. Table 3 Appendix Information:
Annex 1A: List of Parties: shall be completed as set forth in Section 2 within Annex III above.
Annex 1B: Description of Transfer: shall be completed as set forth in Annex I above.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: shall be completed as set forth in Annex II above.
5.1.4. Table 4 Ending this Addendum when the Approved Addendum Changes: shall be completed as “neither party”.
ANNEX V – SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY
The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to Swiss Data Protection Law, and specifically the FDPA:
• The term 'Member State' will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.
• The clauses in the DPA protect the Personal Data of legal entities until the entry into force of the Revised Swiss FDPA.
• All references in this DPA to the GDPR should be understood as references to the FDPA insofar as the data transfers are subject to the FDPA.
• References to the “competent supervisory authority”, “competent courts” and “governing law” shall be interpreted as Swiss Data Protection Laws and Swiss Information Commissioner, the competent courts in Switzerland, and the laws of Switzerland (for Restricted Transfers from Switzerland).
• In respect of data transfers governed by Swiss Data Protection Laws and Regulations, the EU SCCs will also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws and Regulations until such laws are amended to no longer apply to a legal entity.
• The competent supervisory authority is the Swiss Federal Data Protection Information Commissioner.
ANNEX VI – US Privacy Law Addendum
This US Privacy Law Addendum (“US Addendum”) adds specifications applicable to US Data Protection Laws and is in addition to the obligations set forth in the DPA. All terms used but not defined in this CCPA Addendum shall have the meaning set forth in the DPA.
1. ROLES:
1.1. As set forth in the DPA, the parties shall act as separate independent Controllers, except when the processing is for a Restricted Purpose, in which the Company may be deemed the other party’s Processor, as applicable.
1.2. The subject matter, duration, nature and purpose of the Processing, types of Personal Data Processed, and categories of Data Subjects are as described in Annex I.
1.3. For the purpose of this US Addendum the "Restricted Purpose(s)” means advertising-related processing that qualifies as a Business Purpose, including (i) auditing, security and integrity purposes, debugging, short-term, transient uses, and internal research or improvement of the services; (ii) technical advertising services that are not targeted, cross-contextual or profiling and include frequency capping, measurement, fraud detection and prevention, and ensuring and measuring viewability; and (iii) contextual advertising which includes first-party advertising to the extent such activity does not result in a Sale or Share of Personal Data or constitute processing of Personal Data for Targeted Advertising purposes.
2. CONTROLLER TO CONTROLLER:
In their roles as independent Controllers, each party shall, when processing End User Personal Data:
2.1. Be individually and separately responsible to comply with applicable US Data Protection Laws, and to the extent applicable with the IAB Policies.
2.2. Provide End Users with clear and conspicuous disclosures and notices on how the Personal Data is processed, the purpose of processing, the categories of Personal Data shared and the categories of the recipients, as well as the End Users’ rights, including the right to appeal and the ability to opt out of the Sale, Share of Personal Data or from Targeted Advertising, all in compliance with and as required by the US Data Protection Laws.
2.3. Ensure that it provides an opt-out mechanism and it enables the End User to send Privacy Signals and transfer the Privacy Signals down the advertising chain. When Privacy Signals are received, neither party will process such End Users’ Personal Data for Targeted Advertising, or Cross Contextual Advertising purposes.
2.4. Comply with requirements for processing Deidentified Data, including by not attempting to re-identify it, using reasonable, technical and organizational measures to prevent re-identifying it, and publicly commit to such actions.
2.5. Contractually obligate other controllers from which the End User Personal Data originated to comply with the requirements as set forth herein.
3. CONTROLLER TO PROCESSOR
In addition to complying with Section 2 above and the entire DPA, in its role as a Processor, the Company shall comply with the following, when processing End User Personal Data originated, received by the Publisher, or on behalf of the other party solely for the Restricted Purpose:
3.1. Representation and Undertaking: a party shall process the End User Personal Data only on behalf of and under the instructions of the other party and in accordance with US Data Protection Laws and shall not: (i) Sell or Share the Personal Data; (ii) retain, use or disclose the Personal Data for any purpose other than for a Business Purpose or Restricted Purpose as specified in the Agreement; (iii) combine the End User Personal Data with other Personal Data that it receives from, or on behalf of, another partner, or collects from its own; or (iv) if and to the extent applicable limit the use of its Sensitive Personal Information (“SPI”).
3.2. Sub-processors or Sub-contractors. The Controller party provides a general authorization to engage Sub-processors to the extent the Processor party undertakes it will restrict the onward sub-processor’s access only to what is strictly necessary, and will prohibit the sub-processor from processing the Personal Data for any other purpose other than for a Business Purpose or Restricted Purpose as specified in the Agreement. The Processor party shall impose contractual obligations as required by US Data Protection Laws on such sub-processors, and shall inform the other party in the event of replacing a sub-processor or engaging a new sub-processor.
3.3. Audit. A Controller party has the right to ensure the Processor party is in compliance with US Data Protection Laws. For this purpose, the Processor party, upon receiving a reasonable written request from the Controller party, will make available to the Controller party information necessary to demonstrate compliance with this DPA and US Data Protection Laws. To the extent required by applicable US Data Protection Laws, and upon receiving prior written notice, the Processor party will allow audits, including inspections, by the Controller party (or an auditor on its behalf). Any such audit must be tailored to what is reasonably necessary to verify compliance with this DPA, and must occur during normal business hours, and not more than once per calendar year. The results of the audit will be the confidential information of the Processor party. Notwithstanding the above, under US Data Protection Laws and subject to Publisher’s consent, the Processor party may alternatively, in response to the Controller party's on-premise audit request, initiate an independent audit on its own, to verify its compliance with its obligations under US Data Protection Laws and provide the Publisher with the results. In any case the expenses of the audit shall be paid by the Controller party. The Processor party may refuse audit or access to certain information if it determines it may harm other partners or customers, or it may cause a security breach, or it is not related or necessary for the purpose of demonstrating compliance with US Data Protection Laws.
3.4. Certification. The Processor party certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from Selling or Sharing Personal Data. The Processor party acknowledges and confirms that it does not receive any monetary goods, payments or discounts in exchange for processing the Personal Data for a Business Purpose or Restricted Purpose as specified in the Agreement.