GDPR Data Processing Agreement

DATA PROCESSING AGREEMENT

THIS DATA PROCESSING AGREEMENT (“DPA”) forms part of the Platform Provider Agreement (“Agreement”) between Affied Inc or any other entity that directly or indirectly controls, is controlled by, or is under common control with Affied Media Inc.(“Affied”), and Publisher (collectively the “Parties”) where by Affied will use commercially reasonable efforts to provide its digital advertising services to Publisher (the “Services”). This DPA reflects the Parties’ responsibilities and obligations with respect to the terms governing the processing of Personal Data during the performance of the Agreement. This DPA is incorporated into to the Agreement and is subject to its terms and conditions. In the event of any conflict between the terms of the Agreement and the terms of this DPA, the relevant terms of this DPA shall take precedence. This DPA shall be effective for the Services Period established under the Agreement. Any capitalized terms not defined here in shall have the respective meanings given to them in the Agreement.

1. DEFINITIONS

Data Controller means the entity that determines the purposes and means of the Processing of Personal Data.

Data Processor means the entity which Processes Personal Data on behalf of the Data Controller.

Data Protection Laws means all laws and regulations, including laws and regulations of the European Union, applicable to the Processing of Personal Data under the Agreement.

Data Subject means the individual to whom Personal Data relates.

Personal Data means any information relating to an identified or identifiable person. The types of Personal Data and categories of Data Subjects Processed under this DPA include but are not limited to the following: IP addresses, location data, interest segments, device data, retargeting data, advertising data, browser generated data, and online identifiers of the end users of digital properties.

Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).

Security Breach has the meaning set forth in Section 7 of this DPA.

Sub-processor means any entity engaged by Affied to Process Personal Data in connection with the Services.

TOMs, or Technical and Organizational Measures, as defined in Article 32 of the General Data Protection Regulation (GDPR).

2. PROCESSING OF PERSONAL DATA

2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Publisher is the Controller and Affied is the Data Processor.

2.2 Publisher’s Processing of Personal Data. Publisher shall, in its use of the Services and provision of instructions, Process Personal Data in accordance with the requirements of applicable Data Protection Law. Publisher shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Publisher acquired Personal Data. If Affied believes or becomes aware that any of Publisher’s instructions conflicts with any Data Protection Laws, Affied shall inform Publisher. Publisher shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Publisher obtained the Personal Data.

2.3 Affied Processing of Personal Data. As Publisher’s Processor, Affied shall only Process Personal Data for the following purposes: (i) Processing required to provide the Services in accordance with the Agreement; and (ii) Processing to comply with other reasonable instructions provided by Publisher that are consistent with the terms of the Agreement. Affied acts on behalf of and on the instructions of Publisher in carrying out all Processor responsibilities. Affied shall process Personal Data in accordance with the requirements of the Data Protection Laws and Publisher will ensure that its instructions for the Processing of Personal Data shall comply with the Data Protection Laws.

2.4 Appointment of Sub-processors. The Parties agree and acknowledge that sub-processors may be retained in the provision of the Services. A current list of all sub-processors is listed at “Sub Processors” . In addition, Publisher agrees that Affied may engage new third-party sub-processors, from time to time, in connection with the provision of the Services provided that Publisher will be given prior notice and an opportunity to object to the appointment. To the extent that Publisher objects to a proposed appointment, Affied will use reasonable efforts to provide the Publisher with opportunity of excluding such Sub-processor from the Publishers data. In addition, as a condition to permitting a third-party sub-processor to Process Personal Data, sub-processor shall (a) agree in writing to process Data in accordance with documented instructions; (b) implement appropriate TOMs to protect the Data against a Security Breach; (c) otherwise provide sufficient guarantees that they will process the Data in a manner that will meet the requirements of Data Protection Laws. Publisher may request a list of active sub-processors at any time for auditing purposes.

3. RIGHTS OF DATA SUBJECTS

Data Subject Requests. Affied shall, to the extent legally permitted and as may reasonably be expected, promptly notify Publisher if it receives any requests from a Data Subject to exercise the following Data Subject rights: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”). To the extent Publisher, in its use or receipt of the Services, does not have the ability to action on a Data Subject Request, as required by Data Protection Laws, Affied shall promptly comply, if in a position to do so, with all reasonable requests by Publisher to facilitate such actions to the extent Affied is legally permitted and reasonably able to do so. To the extent legally permitted, Publisher shall be responsible for any costs arising from Affied’ provision of such assistance, including any fees associated with provision of additional functionality.

4. Affied PERSONNEL

Affied shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and are subject to obligations of confidentiality. Affied shall ensure that access to Personal Data is limited to those personnel who require such access to fulfill its obligations under the Agreement.

5. SECURITY

5.1 Controls for the Protection of Customer Data. Affied shall maintain appropriate TOMs for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data. Affied will not materially decrease the overall security of the Services during the term of the Agreement.

5.2 Third-Party Certifications and Audits. Affied may from time to time obtain a third-party certification or audit to ensure that its privacy practices meet or exceed applicable Data Protection Laws. Upon Publisher’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Affied shall make available to Publisher, verification of the most recent third-party audit or certification, as may be applicable.

6. AUDIT RIGHTS

Audit Request. Publisher may request an audit, up to once per year, of Affied’s procedures relevant to the protection of Personal Data but only as required under applicable Data Protection Laws. Publisher shall reimburse Affied for any time expended for any such audit. The amount of reimbursement shall be based on the personnel and time required to perform the audit. Before the commencement of any such on-site audit, Publisher and Affied shall mutually agree upon the scope, timing, and duration of the audit, in addition to the reimbursement for which Publisher shall be responsible. Publisher shall promptly notify Affied with information regarding any perceived noncompliance discovered during the course of an audit, and Affied shall use commercially reasonable efforts to address any confirmed non-compliance.

7. SECURITY BREACH MANAGEMENT AND NOTIFICATION

7.1 Incident Management. If Affied becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on Affied’s equipment or in Affied’s facilities (“Security Breach”), Affied will promptly: (i) notify Publisher of the Security Breach in accordance with Section 7.2 below; (ii) investigate the Security Breach and provide Publisher with all relevant information about the Security Breach; and (iii) take all steps to mitigate the effects and to minimize any damage resulting from the Security Breach. Affied documents its Security Breach Management Plan within its TOMs, which Publisher may review subject to confidentiality considerations.

7.2 Notification. Affied shall promptly provide notification of a Security Breach to Publisher’s designated contact: Notification(s) of Security Breaches, if any, will be delivered to Publisher’s business, technical or administrative contacts by any means Affied selects, including via email. It is Publisher’s sole responsibility to ensure it maintains accurate contact information with Affied’s at all times.

8. RETURN AND DELETION OF PERSONAL DATA

Upon termination of the Services for which Affied is Processing Personal Data, Affied shall, upon Publisher’s request, and subject to the limitations described in the Agreement, return all Publisher Data and copies of such data to Publisher or securely destroy them and demonstrate to the satisfaction of Publisher that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of the Customer Data. In addition, upon the termination of Services, Publisher agrees to immediately remove all Affied tags (including applicable code). To the extent that Publisher fails to immediately remove this information as requested, Publisher shall be legally liable for any and all damages that may or might occur as a result of their inaction.

9. LIMITATION OF LIABILITY

Each party’s liability, taken together in the aggregate, arising out of or related to this DPA, including DPAs associated with Sub-processors, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs combined.

10. LEGALLY REQUIRED DISCLOSURES

Except as otherwise required by law, Affied will promptly notify Publisher of any subpoena, judicial, administrative or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority (“Demand”) that it receives, and which relates to the Processing of Personal Data. At Publisher’s request, Affied will provide Publisher with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for Publisher to respond to the Demand in a timely manner. Publisher acknowledges that Affied has no responsibility to interact directly with the entity making the Demand.

11. SECURITY

Affied shall maintain administrative, physical and technical safeguards designed for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, in accordance with best practices.

12. PARTIES TO THIS DPA

Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.

13. LEGAL AUTHORITY

Affied and Publisher mutually represent and warrant that (i) the person executing this DPA on its respective behalf has the legal authority to bind such party, and (ii) it has right, power, and authority to (a) enter into this DPA, (b) make the representations and warranties contained herein, and (c) commit to and perform the respective duties, obligations and covenants set forth hereunder. Without limiting the foregoing, the choice of law and venue clause section clause of the Master Agreement will apply to any disputes arising out this DPA.

Entire Agreement; Amendment; Severability. This Agreement constitutes the entire Agreement between the parties with respect to the subject matter of this Agreement. This Agreement supersedes all previous agreements between the parties relating to the subject matter hereof. No provision of this Agreement will be deemed waived, amended or modified by either party, unless such waiver, amendment or modification is made in writing and signed by both parties. If any provision of this Agreement is invalid or unenforceable for any reason in any jurisdiction, including but not limited to a change in law(s), such provision will be construed to have been adjusted to the minimum extent necessary to cure such invalidity or unenforceability. If any provision of this Agreement is found by a proper authority to be unenforceable or invalid, such unenforceability or invalidity will not render this Agreement unenforceable or invalid as a whole and such provision will be changed and interpreted so as to best accomplish the objectives of such unenforceable or invalid provision within the limits of applicable law or applicable court decisions.