Schedule 1 – Direct Data Privacy Addendum
This Data Privacy Addendum, including the Standard Contractual Clauses (“Addendum“) forms part of the Direct International Insertion Order (“IO“) in place between Vungle SEA Pte. Ltd.. (“Liftoff”) and the company identified as the “Customer” in the IO. Capitalized terms used in this Addendum shall have the same meaning given to them in the main body of the IO unless otherwise defined in this Addendum. These Addendum terms shall only apply to the extent Liftoff processes Personal Data protected by Data Protection Laws as a processor under or in connection with the IO which incorporates these Addendum terms by reference.
“Advertiser Data” has the meaning given to it in Section 2 of this Addendum;
“Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of personal data including: (a) EU Regulation 2016/679 (“GDPR“); (b) GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR“); (c) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (d) in the UK, the Data Protection Act 2018 (“DPA“); (e) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (f) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time.
“EEA Standard Contractual Clauses” means the Module Two standard Controller to Processor contractual clauses for the transfer of EEA Personal Data to Controllers established in Third Countries set out in the European Commission Decision 2021/914 dated 4 June 2021 (and for these purposes, the provision relating to Modules 1, 3 and 4 of the standard contractual clauses are deleted) as amended or replaced from time to time; “Europe” means, for the purposes of this Addendum, the European Economic Area (EEA) and Switzerland;
“Personal Data” means any information relating to an identified or identifiable natural person (which shall include for the avoidance of doubt, any personally identifiable information) or as otherwise defined under Data Protection Laws;
“Privacy Requirements” means all applicable privacy and data protection laws and regulations, that apply to the processing of Personal Data that is the subject of this Addendum, including but not limited to Children’s Online Privacy Protection Act and Data Protection Laws, in each case as amended, superseded or replaced;
“Subprocessor” means any third party that has access to the Personal Data and which is engaged by Liftoff to assist in fulfilling its obligations to provide the Services. Subprocessors may include Liftoff affiliates but shall exclude any Liftoff employee, contractor or consultant; and
“UK Addendum” means the International Data Transfer Addendum to the EEA Standard Contractual Clauses, as may be amended, replaced or superseded by the UK’s Information Commissioner’s Office (“ICO“) from time to time (including as formally issued by the ICO under section 119A(1) DPA).
The lower case terms “controller“, “processor“, “data subject“, “processing” (and “process“) shall have the meanings given to them under Data Protection Laws.
2. Scope of processing: Customer acknowledges and agrees that, in connection with the Advertising Services, Liftoff may receive from Customer or Customer’s third-party agents certain Personal Data relating to Liftoff’s delivery of Advertising Services under the applicable IO, including, for example, end user device information (e.g. unique device identifiers), interactions with Ads, clicks, views, installs, as well as post-install event data (collectively “Advertiser Data“). For the avoidance of doubt, “Advertiser Data” as defined herein does not include any data (including Personal Data) or information, which is already known, accessible, discernible, or otherwise collected by Liftoff independently.
3. Relationship of the parties: To the extent the Advertiser Data contains Personal Data, Liftoff shall process such data as a processor on behalf of Customer in accordance with this Addendum. In no event will the parties process Personal Data under this IO as joint controllers. Nothing in the IO (including this Addendum) shall limit or prevent Liftoff from collecting or using data that Liftoff would otherwise collect and process independently of Customer’s use of the Advertising Services.
4. Data protection: Liftoff agrees that:
4.1. the description of the processing of Personal Data is set out in Appendix A to this Addendum;
4.2. Liftoff shall process the Advertiser Data only for the purposes of delivering the Advertising Services in accordance with the IO (the “Purpose“) and on the documented lawful instructions of Customer as set out in full in this Addendum and the IO, including with regard to transfers of Advertiser Data to a third country, unless required otherwise by applicable law; in such event, Liftoff shall inform Customer of the legal requirement before processing, unless that law prohibits the provision of such information to Customer. Liftoff shall inform Customer if, in its opinion, Customer’s instructions infringe Data Protection Laws;
4.3. Liftoff shall ensure that persons authorized to process the Advertiser Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
4.4. Liftoff shall respect the conditions for appointing a Subprocessor as set out in Section 7 below;
4.5. taking into account the nature of the processing, Liftoff shall assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfillment of any obligation Customer has under Data Protection Laws to respond to requests from individuals to access, correct, delete, object or exercise any other rights they have in respect of the Advertiser Data under Data Protection Laws;
4.6. if Liftoff receives any correspondence, enquiry or complaint from a data subject, regulator or any other person relating to its processing of Advertiser Data, it will promptly inform Customer and provide it with full details of the same unless and to the extent prevented by applicable law. Unless otherwise required by applicable law, Liftoff will not respond to such correspondence, enquiry or complaint directly except to direct the data subject to the Customer, unless authorised by Customer (such permission not to be unreasonably withheld or delayed), and Customer agrees that Liftoff shall have no obligation to respond on Customer’s behalf;
4.7. if Customer is required by applicable Privacy Requirements to conduct a data protection impact assessment in respect of the Advertising Services, Liftoff shall provide (on a confidential basis) all information reasonably requested by Customer in connection with such assessment;
4.8. at the choice of Customer, Liftoff shall delete or return all the Advertiser Data to Customer after the end of the provision of the Liftoff Services and the certificate of deletion of Personal Data described in Clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by Liftoff to Customer upon Customer’s written request; and
4.9. Liftoff shall make available to Customer all information reasonably necessary for Liftoff to demonstrate its compliance with the obligations in this Addendum, including by way of providing written responses to any audit questions raised by Customer (such audits not to be conducted more than once per annum and at Customer’s expense).
5. Data Security:
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Liftoff shall implement appropriate technical and organisational security measures for the Advertiser Data, as described in Appendix B to this Addendum (“Security Measures“). Such measures shall protect the Advertiser Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, Advertiser Data transmitted, stored or otherwise processed by Liftoff (a “Security Incident“).
5.2. Liftoff shall inform Customer without undue delay in the event of a Security Incident.
6. International Transfers:
6.1. To the extent Liftoff processes Advertiser Data protected by the GDPR (“European Personal Data”) in a country outside of Europe, where such a transfer is not governed by a decision of the European Commission pursuant to Article 25(6) of the EU Data Protection Directive 95/46/EC or Article 45, 46 or 49 of GDPR respectively, Liftoff shall process such European Personal Data in accordance with the EEA Standard Contractual Clauses, which shall be incorporated into and form an integral part of this Addendum, as follows:
(a) (i) Liftoff shall be deemed the “data importer” and Customer shall be deemed the “data exporter”; (ii) Clause 7, the optional docking clause will apply; (iv) in Clause 9, Module 2 shall apply and the time period for notice of changes to Subprocessors shall be as agreed under Section 7.4 of this Addendum, (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by laws of the Ireland; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix A to this Addendum; and (vii) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix B to this Addendum.
(b) in the case of any transfers of Personal Data protected by Data Protection Laws applicable to Switzerland, (i) general and specific references in the Standard Contractual Clauses to GDPR (or any predecessor to the GDPR) shall have the same meaning as the equivalent reference in Data Protections Laws of the Switzerland; (ii) any obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or data subject is established shall refer to an obligation such aforementioned Data Protection Laws; and (iii) references to the “competent supervisory authority” and “competent courts” shall be replaced with “the Swiss Federal Data Protection and Information Commissioner ” and “relevant courts in Switzerland”.
6.2. To the extent Liftoff processes Advertiser Data protected by the UK GDPR and the DPA (“UK Personal Data”) in a country outside of the UK, where such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the DPA, or an adequacy decision recognised pursuant to paragraphs 4 and 5 of Schedule 21 of the DPA, Liftoff shall process such UK Personal Data in accordance with the applicable provisions of the EEA Standard Contractual Clauses (as set out in clause 6.1) as amended by the UK Addendum, which shall be incorporated into and form an integral part of this Addendum, with the Part 1 tables to the UK Addendum completed as follows:
6.2.1. Table 1 shall be deemed completed with the information from Appendix B to this Addendum, and the start date shall be the Effective Date of the IO;
6.2.2. In Table 2, the first option shall be selected and the relevant version of the “Approved EU SCCs” referenced in that option shall be the EU SCCs referenced in Clause 6.1 above (as amended in accordance with Clause 6.1);
6.2.3. Table 3 shall be deemed completed with the information from Appendix A and Appendix B to this Addendum; and
6.2.4. Table 4 shall be deemed completed such that the Importer has the right to end the UK Addendum as set out in Section 19 of Part 2 of the UK Addendum;, and
6.2.5. the transferring party shall comply with the data exporter’s obligations in the UK Addendum and the receiving party shall comply with the data importer’s obligations in the UK Addendum, and if there is any conflict between this Addendum and the UK Addendum, the UK Addendum shall prevail.
7. Subprocessing: Customer provides Liftoff with a general authorization to engage Subprocessors to assist it in processing Advertiser Data in the performance of the Liftoff Services provided that:
7.1. Liftoff shall ensure that its Subprocessors are subject to data protection terms that protect the Advertiser Data to the same or a substantially similar standard as set out in this Addendum;
7.2. Liftoff accepts full liability for any breach of this Addendum that is caused by the act, error or omission of its Subprocessors;
7.3. Liftoff maintains a list of its then-current Subprocessors and shall provide such list upon request to Customer; and
7.4. if Liftoff wishes to appoint or replace a Subprocessors it shall provide Customer with a minimum of fourteen (14) days prior notice and Customer may object to such appointment or replacement on reasonable data protection grounds within seven (7) days following receipt of such notice. If Customer so objects, then either (i) Liftoff shall not use the proposed Subprocessors to process the Advertiser Data; or (ii) if this is not possible, Customer may terminate the IO for its convenience upon written notice to Liftoff.
8.1. This Addendum shall survive termination or expiry of the IO. Upon termination or expiry of the IO, Liftoff may continue to process Advertiser Data, provided that such processing complies with the requirements of this Addendum and the Privacy Requirements.
8.2. Notwithstanding anything to the contrary in the IO and without prejudice to Section 4.2 above, Liftoff may periodically make modifications to this Addendum as may be required to comply with the Privacy Requirements.
Schedule 1 – Appendix A
Details of Transfer
Annex 1(A): List of parties
Name: Vungle SEA Pte. Ltd. (“Liftoff”).
Address: 6 Shenton Way 38-01 OUE Downtown 1 Singapore 068809
Official registration number (if any):
Contact person’s name, position and contact details: [email protected]
Activities relevant to the data transferred: See Annex 1(B) below.
Signature and date: See Addendum.
Role (Controller/Processor): Processor
Name: the party identified as “Customer” in the Addendum.
Address: As specified in the IO
Official registration number (if any): As specified in the IO
Contact person’s name, position and contact details: As specified in the IO.
Activities relevant to the data transferred: See Annex 1(B) below.
Signature and date: See Addendum.
Role (Controller/Processor): Controller
Annex 1(B): Description of the processing / transfer
Categories of Data Subjects whose personal data is transferred:
The personal data transferred concern the following categories of data subjects
End users of mobile applications or otherwise viewing ads delivered via the Advertising Services.
Categories of personal data transferred
The personal data transferred concern the following categories of data:
Mobile identifiers (e.g., advertising IDs, IP address) and mobile device information.
Sensitive data transferred (if appropriate)
The personal data transferred concern the following categories of sensitive data:
Frequency of the transfer
(e.g. whether the data is transferred on a one-off or continuous basis)
Nature, subject matter and duration of the processing
Liftoff is a provider of a supply-side platform, a technology platform, which engages in the provision of auction or facilitation of purchases of digital advertising inventory.
The subject matter of the processing is the provision of the Advertising Services pursuant to IO.
The duration of the data processing is until the termination of the IO in accordance with its terms plus the period from the expiry of the IO until deletion of the Personal Data by Liftoff in accordance with the terms of this Addendum.
Purposes of the data transfer and further processing
The transfer is made for the following purposes:
The Purpose (as defined in the Addendum).
Period for which the personal data will be retained, or if that is not possible the criteria used to determinate that period, if applicable
The data is usually aggregated or deleted within 30-60 days but may be retained for up to 18 months from the date of collection before aggregation or deletion.
The criteria used to determine the period is:
Annex 1(C): Competent supervisory authority
The competent supervisory authority, in accordance with Clause 13 of the New SCCs
The competent supervisory authority will be determined in accordance with the GDPR.
Schedule 1 – Appendix B
Technical and Organizational Security Measure
Each party employs a combination of policies, procedures, guidelines and technical and physical controls to protect the personal data it processes from accidental loss and unauthorised access, disclosure or destruction.
Governance and Policies
Each party assigns personnel with responsibility for the determination, review and implementation of security polices and measures.
● has documented the security measures it has implemented in a security policy and/or other relevant guidelines and documents;
● reviews its security measures and policies on a regular basis to ensure they continue to be appropriate for the data being protected.
Each party establishes and follows secure configurations for systems and software, and ensures that security measures are considered during project initiation and the development of new IT systems.
Each party has a breach response plan that has been developed to address data breach events. The plan is regularly tested and updated no less than once per year.
Intrusion, anti-virus and anti-malware defences
Each party’s IT systems used to process personal data have appropriate data security measures, including: (a) physical access controls; (b) remote access control includes firewalls on the internal network; (c) user access is logged and monitored for unusual and unauthorized access; (d) threat assessment and vulnerability scanning; (e) data is encrypted at rest.
Each party limits access to personal data by implementing appropriate access controls, including: (a) limiting administrative access privileges and use of administrative accounts; (b) changing all default passwords before deploying operating systems, assets or applications; (c) requiring authentication and authorisation to gain access to IT systems (i.e. require users to enter a user id and password before they are permitted access to IT systems); (d) only permitting user access to personal data which the user needs to access for their job role or otherwise limited to the purpose for which they are given access (i.e. Service Provider implements measures to ensure least privilege access to IT systems); (e) appropriate procedures for controlling the allocation and revocation of personal data access rights, including procedures for revoking employee access to IT systems when they leave their job or change role; (f) encouraging users to use strong passwords, such as passwords with over fourteen characters, combination of upper and lower case letters, numbers and special characters; (g) automatic timeout and locking of user terminals if left idle; (h) monitoring and logging access to IT systems.
Availability and Back-up personal data
Each party has a documented disaster recovery plan that ensures that key systems and data can be restored in a timely manner in the event of a physical or technical incident. The plan is regularly tested and updated. Service Provider regularly backs-up information on IT systems and keeps back-ups in separate locations. Back-ups of information are tested periodically.
Segmentation of personal data
Each party separates and limits access between network components and, where appropriate, implements measures to provide for separate processing (storage, amendment, deletion, transmission) of personal data collected and used for different purposes.
Disposal of IT equipment
Each party has in place processes to securely remove all personal data before disposing of IT systems, and uses appropriate technology to purge equipment of data and/or destroy hard disks.
Each party uses encryption technology where appropriate to protect personal data held electronically, including encryption of data where appropriate and encryption of company issued portable devices used to process personal data. Encryption keys are stored separately from the encrypted information, and are subject to appropriate security measures.
Transmission or transport of personal data
Appropriate controls are implemented by each party to secure personal data during transmission or transit, including, but not limited to: use of VPNs; SSL in transit; logging personal data when transmitted electronically; ensuring physical security for personal data as appropriate when transported.
Asset and Software management
Each party maintains an inventory of IT assets and the data stored on them, together with a list of owners of the relevant IT assets. Service Provider: documents and implements rules for acceptable use of IT assets; proactively monitors software vulnerabilities and promptly implements any out of cycle patches.
Each party implements physical security measures to safeguard personal data. This may include deployment of appropriate building security, including visitor logs, ID card access for staff, logs of staff access to buildings, and CCTV.
Staff training and awareness
Each party’s agreements with staff and contractors and employee handbooks set out its personnel’s responsibilities in relation to information security.
Each party requires: staff training on data security and privacy issues relevant to their job role and ensures that new starters receive appropriate training before they start their role (as part of the on boarding procedures); appropriate screening and background checks on individuals that have access to sensitive personal data; that Staff are subject to disciplinary measures for breaches of such party’s policies and procedures relating to data privacy and security.
Selection of service providers and commission of services
Each party assesses service providers’ ability to meet their security requirements before engaging them. Each party has written contracts in place with service providers which require them to implement appropriate security measures to protect the personal data they have access to and limit the use of personal data in accordance with Service Provider’s instructions.
Each party audits service providers (including subprocessors) that have access to such party’s data either through physical inspection by appropriately qualified security auditors or by reviewing its service providers’ security accreditation (such as ISO 27001 or SOC II) reports. Each party’s breach response protocol and agreements with its service providers provide for the audit of such service providers (and subprocessors) following receipt of any notice of a security incident from that service provider.
Assistance with Data Subject Rights Requests
Liftoff has implemented appropriate policies and measures to identify and address data subject rights requests, including: (a) maintaining accurate records to enable it to identify quickly all personal data processed on behalf of Client; (b) ensuring deletion and rectification requests are fully actioned.