Schedule 1 – Accelerate Data Privacy Addendum
The terms of the Accelerate Data Privacy Addendum (“Addendum”) shall only apply to the extent a Party processes Personal Data protected by Data Protection Laws under or in connection with the Accelerate International Insertion Order (the “IO”) which incorporates these Addendum terms by reference. Capitalized terms used in this Addendum shall have the same meaning given to them in the main body of the IO unless otherwise defined in this Addendum.
“Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of personal data including: (a) EU Regulation 2016/679 (“GDPR”); (b) GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (c) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (d) in the UK, the Data Protection Act 2018 (“DPA”); (e) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (f) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time;
“EEA Standard Contractual Clauses” means the Module One standard Controller to Controller contractual clauses for the transfer of EEA Personal Data to Controllers established in Third Countries set out in the European Commission Decision 2021/914 dated 4 June 2021 (and for these purposes, the provision relating to Modules 2, 3 and 4 of the standard contractual clauses are deleted) as amended or replaced from time to time;
“EEA” means the European Economic Area;
“Ex-EEA Transfer” means a transfer of Personal Data subject to GDPR by a Party, to a Party (or its premises) in a Restricted Country;
“Ex-UK Transfer” means a transfer of Personal Data subject to UK GDPR by a Party, to a Party (or its premises) in a Restricted Country;
“Parties” means the Client and Liftoff
“Personal Data” means any information relating to an identified or identifiable natural person (which shall include for the avoidance of doubt, any personally identifiable information) or as otherwise defined in Data Protection Laws;
“Restricted Country” means (a) any country outside the UK or EEA which is not deemed adequate by (for Personal Data subject to GDPR) the European Commission pursuant to article 45 of GDPR or by (for Personal Data subject to UK GDPR) the Secretary of State in accordance with the relevant provisions of the UK GDPR and the DPA, or an adequacy decision recognised pursuant to paragraphs 4 and 5 of Schedule 21 of the DPA;
“UK” means the United Kingdom; and
“UK Addendum” means the International Data Transfer Addendum to the EEA Standard Contractual Clauses, as may be amended, replaced or superseded by the UK’s Information Commissioner’s Office (“ICO”) from time to time (including as formally issued by the ICO under section 119A(1) DPA).
2. International Transfers
2.1. Neither party shall process any Personal Data, or transfer the Personal Data (nor permit any Personal Data to be processed) in connection with the IO to any Restricted Country unless it has taken such measures as are necessary to ensure there is adequate protection and appropriate safeguards for such Personal Data in accordance with Data Protection Laws when it is transferred or accessed in a Restricted Country. Such adequate protection and appropriate safeguards may include entering into the EEA Standard Contractual Clauses and/or UK Addendum.
2.2. The Parties agree that in the event of an Ex-EEA Transfer, the transferring party shall comply with the data exporter’s obligations in the EEA Standard Contractual Clauses and the receiving party shall comply with the data importer’s obligations in the EEA Standard Contractual Clauses, and the EEA Standard Contractual Clauses are deemed to have been executed by the Parties and incorporated into (and form part of) this Addendum, with the following amendments:
2.2.1. Clause 7 (docking clause) of the EEA Standard Contractual Clauses shall be included;
2.2.2. the governing law for the purposes of Clause 17 (governing law) of the EEA Standard Contractual Clauses shall be the law of Ireland;
2.2.3. the relevant courts for the purposes of Clause 18 (choice of forum and jurisdiction) of the EEA Standard Contractual Clauses shall be the courts of Ireland
2.2.4. Annexes IA, IB and IC to the EEA Standard Contractual Clauses shall be deemed to have been completed with the information in Appendix A to this Addendum;
2.2.5. Annex II to the EEA Standard Contractual Clauses shall be deemed to have been completed with the information in Appendix B to this Addendum.
2.3. The Parties agree that in the event of an Ex-UK Transfer, such transfer shall be conducted pursuant to the EEA Standard Contractual Clauses as supplemented and amended by the UK Addendum, which will be deemed to be executed by the Parties and incorporated into and form part of this Addendum, with the Part 1 tables to the UK Addendum completed as follows:
2.3.1. Table 1 shall be deemed completed with the information from Appendix A to this Addendum, and the start date shall be the Effective Date of the IO;
2.3.2. In Table 2, the first option shall be selected and the relevant version of the “Approved EEA Standard Contractual Clauses” referenced in that option shall be the EEA Standard Contractual Clauses referenced in Clause 2.2 above (as amended in accordance with Clause 2.2);
2.3.3. Table 3 shall be deemed completed with the information from Appendix A and Appendix B to this Addendum;;
2.3.4. Table 4 shall be deemed completed such that the Importer has the right to end the UK Addendum as set out in Section 19 of Part 2 of the UK Addendum; and
2.3.5. the transferring Party shall comply with the data exporter’s obligations in the UK Addendum and the receiving Party shall comply with the data importer’s obligations in the UK Addendum, and if there is any conflict between this Addendum and the UK Addendum, the UK Addendum shall prevail.
Schedule 1 – Appendix A
Details of Transfer
Annex 1(A): List of parties
Name: Vungle, Inc. (“Liftoff“).
Address: 6 Shenton Way #38-01 OUE Downtown 1 Singapore 068809
Official registration number (if any):
Contact person’s name, position and contact details: [email protected].
Activities relevant to the data transferred: Operation, improvement, and optimisation of platform for the delivery of ads.
Signature and date: See Addendum.
Role (Controller/Processor): Controller
Name: The party identified as “Client” in the IO.
Address: As specified in the IO.
Official registration number (if any): As specified in the IO.
Contact person’s name, position and contact details: As specified in the IO.
Activities relevant to the data transferred: See Annex 1(B) below.
Signature and date: See Addendum.
Role (Controller/Processor): Controller
Annex 1(B): Description of the processing / transfer
Categories of Data Subjects whose personal data is transferred:
The personal data transferred concern the following categories of data subjects
End users of Company Sites, Client Sites and end users viewing Company Ad Units.
Categories of personal data transferred
The personal data transferred concern the following categories of data:
1. Identifiers: Data Exporter’s and Data Importer’s unique identifiers, other identifiers, hashed email address, IP Address, data that could be used for device fingerprinting, latitude and longitude;
2. Demographic information: location, age range, gender, other client-specified demographics (tied to an identifier); and
3. Behavioral data: frequency of identifiers visiting and viewing Company Sites, Client Sites and viewing and taking actions with respect to Company Ad Units.
Sensitive data transferred (if appropriate)
The personal data transferred concern the following categories of sensitive data:
Frequency of the transfer
(e.g. whether the data is transferred on a one-off or continuous basis)
Data is transferred on a continuous basis.
Nature, subject matter and duration of the processing
Processing the data consists of collecting, sorting, consulting, aggregating, and deleting the data.
Purposes of the data transfer and further processing
The transfer is made for the following purposes:
The data is processed in order to facilitate advertising to data subjects, including targeted advertising, fraud detection, Ad Inventory analysis and reporting to Company and Clients.
Period for which the personal data will be retained, or if that is not possible the criteria used to determinate that period, if applicable
The data is usually aggregated or deleted within 30-60 days, but may be retained for up to 18 months from the date of collection before aggregation or deletion.
The criteria used to determine the period is:
Annex 1(C): Competent supervisory authority
The competent supervisory authority, in accordance with Clause 13 of the New SCCs
The competent supervisory authority will be determined in accordance with the GDPR and the UK GDPR.
Schedule 1 – Appendix B
Technical and Organizational Security Measures
Each party employs a combination of policies, procedures, guidelines and technical and physical controls to protect the personal data it processes from accidental loss and unauthorised access, disclosure or destruction.
Governance and Policies
Each party assigns personnel with responsibility for the determination, review and implementation of security policies and measures.
● has documented the security measures it has implemented in a security policy and/or other relevant guidelines and documents;
● reviews its security measures and policies on a regular basis to ensure they continue to be appropriate for the data being protected.
Each party establishes and follows secure configurations for systems and software, and ensures that security measures are considered during project initiation and the development of new IT systems.
Each party has a breach response plan that has been developed to address data breach events. The plan is regularly tested and updated no less than once per year.
Intrusion, anti-virus and anti-malware defences
Each party’s IT systems used to process personal data have appropriate data security measures, including: (a) physical access controls; (b) remote access control includes firewalls on the internal network; (c) user access is logged and monitored for unusual and unauthorized access; (d) threat assessment and vulnerability scanning; (e) data is encrypted at rest.
Each party limits access to personal data by implementing appropriate access controls, including: (a) limiting administrative access privileges and use of administrative accounts; (b) changing all default passwords before deploying operating systems, assets or applications; (c) requiring authentication and authorisation to gain access to IT systems (i.e. require users to enter a user id and password before they are permitted access to IT systems); (d) only permitting user access to personal data which the user needs to access for their job role or otherwise limited to the purpose for which they are given access (i.e. Service Provider implements measures to ensure least privilege access to IT systems); (e) appropriate procedures for controlling the allocation and revocation of personal data access rights, including procedures for revoking employee access to IT systems when they leave their job or change role; (f) encouraging users to use strong passwords, such as passwords with over fourteen characters, combination of upper and lower case letters, numbers and special characters; (g) automatic timeout and locking of user terminals if left idle; (h) monitoring and logging access to IT systems.
Availability and Back-up personal data
Each party has a documented disaster recovery plan that ensures that key systems and data can be restored in a timely manner in the event of a physical or technical incident. The plan is regularly tested and updated. Service Provider regularly backs-up information on IT systems and keeps back-ups in separate locations. Back-ups of information are tested periodically.
Segmentation of personal data
Each party separates and limits access between network components and, where appropriate, implements measures to provide for separate processing (storage, amendment, deletion, transmission) of personal data collected and used for different purposes.
Disposal of IT equipment
Each party has in place processes to securely remove all personal data before disposing of IT systems, and uses appropriate technology to purge equipment of data and/or destroy hard disks.
Each party uses encryption technology where appropriate to protect personal data held electronically, including encryption of data where appropriate and encryption of company issued portable devices used to process personal data. Encryption keys are stored separately from the encrypted information, and are subject to appropriate security measures.
Transmission or transport of personal data
Appropriate controls are implemented by each party to secure personal data during transmission or transit, including, but not limited to: use of VPNs; SSL in transit; logging personal data when transmitted electronically; ensuring physical security for personal data as appropriate when transported.
Asset and Software management
Each party maintains an inventory of IT assets and the data stored on them, together with a list of owners of the relevant IT assets. Service Provider: documents and implements rules for acceptable use of IT assets; proactively monitors software vulnerabilities and promptly implements any out of cycle patches.
Each party implements physical security measures to safeguard personal data. This may include deployment of appropriate building security, including visitor logs, ID card access for staff, logs of staff access to buildings, and CCTV.
Staff training and awareness
Each party’s agreements with staff and contractors and employee handbooks set out its personnel’s responsibilities in relation to information security.
Each party requires: staff training on data security and privacy issues relevant to their job role and ensures that new starters receive appropriate training before they start their role (as part of the on boarding procedures); appropriate screening and background checks on individuals that have access to sensitive personal data; that Staff are subject to disciplinary measures for breaches of such party’s policies and procedures relating to data privacy and security.
Selection of service providers and commission of services
Each party assesses service providers’ ability to meet their security requirements before engaging them. Each party has written contracts in place with service providers which require them to implement appropriate security measures to protect the personal data they have access to and limit the use of personal data in accordance with Service Provider’s instructions.
Each party audits service providers (including subprocessors) that have access to such party’s data either through physical inspection by appropriately qualified security auditors or by reviewing its service providers’ security accreditation (such as ISO 27001 or SOC II) reports. Each party’s breach response protocol and agreements with its service providers provide for the audit of such service providers (and subprocessors) following receipt of any notice of a security incident from that service provider.
Assistance with Data Subject Rights Requests
Liftoff has implemented appropriate policies and measures to identify and address data subject rights requests, including: (a) maintaining accurate records to enable it to identify quickly all personal data processed on behalf of Client; (b) ensuring deletion and rectification requests are fully actioned.