SCHEDULE 1 – VUNGLE EXCHANGE DATA PRIVACY ADDENDUM
This Data Privacy Addendum (the “Addendum”) forms part of the Contract(s) (defined below) between Vungle SEA Pte Ltd. (“Liftoff”) and the party identified in the Agreement (“Demand Partner“). Capitalized terms used in this Addendum shall have the meanings given to them in the main body of the Contract(s) unless otherwise defined in this Addendum.
A. Liftoff is a provider of a supply-side platform, a technology platform, which engages in the provision of auction or facilitation of purchases of digital advertising inventory. Demand Partner is a provider of a demand-side platform, ad exchange, agency, agency trading desks or ad network which uses a technology platform or similar technology to engage in the buying of digital advertising inventory.
B. Liftoff and Demand Partner have entered into an Agreement, together with one or more connected statements of work, purchase orders, contracts and/or agreements (collectively and as amended from time to time, the “Contract(s)”), under which Demand Partner may purchase digital advertising inventory via Liftoff’s supply side services (the “Demand Services”).
C. Liftoff (and/or its publisher customer) is a controller of certain personal data that it wishes to share with Demand Partner, in connection with the performance of Liftoff’s obligations under the Contract(s).
D. The parties have entered into this Addendum to ensure that in sharing such personal data pursuant to the Contract(s), they both comply with Applicable Privacy Law.
IT IS AGREED:
- “controller“, “processor“, “data subject“, “personal data“, “processing” (and “process“) and “special categories of personal data” shall have the meanings given in Applicable Privacy Law;
- “Applicable Privacy Law” means any and all applicable privacy and data protection laws including, where applicable, European Data Protection Law (as may be amended or superseded from time to time);
- “European Data Protection Law” means any applicable laws and regulations in any relevant jurisdiction in Europe relating to the use or processing of personal data including: (a) EU Regulation 2016/679 (“GDPR”); (b) GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (c) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (d) in the UK, the Data Protection Act 2018 (“DPA”); (e) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (f) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time.
- “Europe” means, for the purposes of this Addendum, the European Economic Area (“EEA”), United Kingdom and Switzerland;
- “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Data.
- “Restricted Country” means any country outside the UK or EEA which is not deemed adequate by (a) (for personal data subject to GDPR) the European Commission pursuant to article 45 of GDPR, or (b) (for personal data subject to UK GDPR) the Secretary of State in accordance with the relevant provisions of the UK GDPR and the DPA, or an adequacy decision recognised pursuant to paragraphs 4 and 5 of Schedule 21 of the DPA
- Processing Description:
- In connection with the Demand Services, Liftoff will submit to Demand Partner and/or Demand Partner may otherwise collect or receive, certain data, including (but not limited to) in bid requests submitted to Demand Partner (the “Data“). Demand Partner acknowledges that such Data may contain personal data, as more particularly described in Appendix B (“C2P Data”).
- Processor Terms applicable to C2P Data:
- Demand Partner acknowledges and agrees that:
- it shall process the C2P Data as a processor on behalf of Liftoff (whether itself the controller or acting on behalf of a third party controller); and
- to the extent such C2P Data is protected by European Data Protection Law, then the Demand Partner agrees to comply with the additional terms set out in Appendix A of this Addendum.
- General Terms applicable to all Data:
- Non-disclosure: Demand Partner will not disclose the Data to any third party without Liftoff’s prior written consent except: (i) where necessary for processing purposes expressly permitted under this Addendum; (ii) as permitted or to the extent required pursuant to the Contract(s); or (iii) where required by applicable law.
- Subcontracting: Subject to the subcontracting provisions of Appendix A (as applicable), Demand Partner may appoint third party processors to process Data for the purposes expressly permitted under this Addendum, provided that such processors: (i) agree in writing to process Data in accordance with Demand Partner’s documented instructions (which shall align with Liftoff’s instructions to Demand Partner); (ii) implement appropriate technical and organizational security measures to protect the Data against a Security Incident; and (iii) otherwise provide sufficient guarantees that they will process the Data in a manner that will meet the requirements of Applicable Privacy Law and this Addendum.
- Security: Demand Partner shall implement appropriate technical and organizational measures to protect the Data from Security Incidents (“Security Measures“). Such Security Measures shall at a minimum comply with the requirements of Applicable Privacy Law. In the event that Demand Partner suffers a Security Incident, it shall notify Liftoff without undue delay (and in any event within forty-eight (48) hours) with full details of the Security Incident and both parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
- International transfers:
- The Demand Partner shall not process any such Data (nor permit any Data to be processed) in a territory outside of the UK or EEA (whether directly or via onward transfer) unless it has taken such measures as are necessary to ensure the transfer is in compliance with European Data Protection Law (including such measures as may be communicated by Liftoff to Demand Partner from time to time) and this Addendum.
- To the extent that, under the Contract(s), Liftoff transfers Data to the Demand Partner in circumstances where the Demand Partner is located or will process the Data in a Restricted Country, the provisions of Appendix C shall apply.
- Cooperation and data subject rights: In the event that either party receives: (i) any request from a data subject to exercise any of its rights under Applicable Privacy Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and/or (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party, in each case in connection with the processing of the Data (collectively, “Correspondence”) then, where such Correspondence relates to processing conducted by the other party, it shall promptly (and in any event within two (2) working days) inform the other party and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfil their respective obligations under Applicable Privacy Law.
- Change in Law: Notwithstanding anything to the contrary in the Contract(s) or this Addendum, in the event of a change in Applicable Privacy Law or a determination or order from a supervisory authority or competent court affecting this Addendum or any processing activities under this Addendum, Liftoff may, in its sole discretion, amend this Addendum as reasonably necessary to ensure continued compliance with Applicable Privacy Law or compliance with any such orders.
- Survival: This Addendum shall survive termination or expiry of the Contract(s).
- Miscellaneous: This Addendum shall be governed by and construed in all respects in accordance with the governing law and jurisdiction provisions set out in the Contract(s), unless required otherwise by Applicable Privacy Laws. With effect from the effective date of the Contract(s), this Addendum shall be deemed a part of and incorporated into the Contract(s) so that references in the Contract(s) to the “Agreement” shall be interpreted to include this Addendum. Except for the changes made by this Addendum, the Contract(s) shall remain unchanged and in full force and effect. In the event of any conflict or inconsistency between this Addendum and any other term or terms of the Contract(s), this Addendum shall prevail in respect of the subject matter (i.e. the protection of personal data).
Schedule 1 – Appendix A
Demand Partner agrees that when processing C2P Data, such processing shall be in its capacity as a processor of Liftoff and that:
- it shall process the C2P Data (and ensure that any persons authorized by the Demand Partner to process C2P Data (“Authorized Persons“)) in accordance with Liftoff’s (or the third-party controller’s) documented lawful instructions, except where otherwise required by applicable law;
- it, and all Authorized Persons, shall only process C2P Data for the purposes described in and in accordance with Appendix B;
- it shall ensure that Authorized Persons are subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty or otherwise) and shall not permit any person who is not under such a duty of confidentiality to process the C2P Data;
- it shall not sub-contract any processing of the C2P Data to a third-party processor without the prior written consent of Liftoff and shall remain liable for any breach of this Addendum as it relates to C2P Data that is caused by an act, error or omission of its sub-contractor. If Liftoff refuses to consent to Demand Partner’s appointment of a third party sub-contractor on reasonable grounds relating to the protection of the C2P Data, then the parties shall discuss such concerns with a view to achieving a commercially reasonable resolution. Liftoff hereby consents to Demand Partner engaging sub-contractors to process C2P Data on behalf of Demand Partner provided that (i) Demand Partner provides at least 30 days prior notice of the addition or removal of any subcontractor (including details of the processing it performs or will perform); and (ii) Demand Partner imposes data protection terms on any subcontractor it appoints that protect the C2P Data to the same standard required of Demand Partner in respect of all C2P Data processed by Demand Partner pursuant to this Addendum;
- it shall not transfer, access or process the C2P Data outside the UK or the EEA without the prior written consent of Liftoff (and, if Liftoff so consents, take such steps as set out at clause 5.d.i of this Addendum);
- it shall permit Liftoff (or its third-party auditors) to audit Demand Partner’s compliance with Applicable Privacy Law in respect of C2P Data processing, and shall for these purposes make available to Liftoff all information reasonably necessary for Liftoff (or its appointed third-party auditors) to conduct such audit;
- upon becoming aware of a Security Incident involving C2P Data, Demand Partner shall inform Liftoff and provide all reasonable co-operation and assistance in accordance with and as more fully described in Section 5.c. (“Security“) of this Addendum;
- take such steps as are reasonably required to assist Liftoff in ensuring compliance with its obligations under Articles 30 to 36 (inclusive) of GDPR;
- provide Liftoff with its full co-operation and assistance in relation to any request made by a data subject to exercise its rights under Applicable Privacy Law in relation to that person’s personal data; and
- upon termination or expiry of the Addendum, it shall cease processing the C2P Data and (at Liftoff’s election) destroy or return to Liftoff all C2P Data (including all copies of the C2P Data) in its possession or control (including any data sub-contracted to a third party for processing), except to the extent that it or any sub-contractor is required by applicable law to retain some or all of the C2P Data, in which event it shall isolate and protect the C2P Data from further processing except to the extent required by such law.
Schedule 1 – Appendix B
Description of C2P Data Processing
Liftoff (Data Exporter where applicable):
- Name: Vungle SEA Pte Ltd.;
- Address: 6 Shenton Way 38-01 OUE Downtown 1 Singapore 068809
- Email: [email protected]
- Contact person’s name, position and contact details: , DPO, see contact details above
- Activities relevant to the data transferred: SSP services
- Signature and date: As per the Contract
- Role: Controller
Demand Partner (Data Importer where applicable):
- Name: As set out for the “Demand Partner” in the Contract
- Address: As set out for the “Demand Partner” in the Contract
- Email: As set out for the “Demand Partner” in the Contract
- Contact person’s name, position and contact details: As set out for the “Demand Partner” in the Contract Activities relevant to the data transferred: Demand Partner services (demand-side platform, ad exchange, agency, agency trading desks or ad network)
- Signature and date: As per the Contract
- Role: Processor
Categories of data subjects whose personal data is transferred:
- End users of the publisher properties covered by the Demand Services or end users viewing ads delivered to Data Exporter’s publisher properties.
Purposes of transfer and further processing:
- To enable Demand Partner to process C2P Data as a processor solely for the purposes of providing the Demand Services to Liftoff pursuant to the Contract(s), including for the purposes of determining the amounts to bid on publisher inventory and bidding on advertising impression opportunities.
Categories of personal data transferred:
- Table of Liftoff’s unique end user identifiers created, assigned or retained by Liftoff and associated with an individual end user.
- Identifiers: mobile Ad identifiers (such as IDFA, ADID, GPID etc.,); IP address, data that could be used for fingerprinting, latitude and longitude, GPS location;
- Demographic information: location, age range, gender, other publisher-specified demographics (tied to an identifier);
- User agent or such device information.
Frequency of the transfer:
- On a continuous basis
- Demand Partner affiliates and its third party processors engaged in accordance with this Addendum.
Period for which the personal data will be retained, or if that is not possible the criteria used to determinate that period, if applicable:
- The duration of the data processing under this Addendum is until the termination of the Contract(s) in accordance with its terms plus the period from the expiry of the Contract(s) until deletion of the Data by Demand Partner in accordance with the terms of the Contract(s).
Nature of processing:
- Personal data transferred will be processed in accordance with the Contract(s) (including the Addendum) and may be subject to the following processing activities: (i) Storage and other processing necessary to provide the Demand Services to Liftoff; and (ii) Disclosures in accordance with the Contract(s) and/or as compelled by applicable laws
- As consented to by Liftoff in accordance with Appendix A, para IV.
Schedule 1 – Appendix C
International Data Transfer
- “EEA Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 set out in the European Commission Decision 2021/914 dated 4 June 2021 as amended or replaced from time to time;
- “Ex-EEA Transfer” means a transfer of personal data subject to GDPR by Liftoff to Demand Partner (or its premises) in a Restricted Country;
- “Ex-UK Transfer” means a transfer of personal data subject to UK GDPR by Liftoff to Demand Partner (or its premises) in a Restricted Country; and
- “UK Addendum” means the International Data Transfer Addendum to the EEA Standard Contractual Clauses, as may be amended, replaced or superseded by the UK’s Information Commissioner’s Office (“ICO”) from time to time (including as formally issued by the ICO under section 119A(1) DPA).
- International Transfers
- The parties agree that in the event of an ex-EEA Transfer, Liftoff shall comply with the data exporter’s obligations in the EEA Standard Contractual Clauses and Demand Partner shall comply with the data importer’s obligations in the EEA Standard Contractual Clauses, and the EEA Standard Contractual Clauses are deemed to have been executed by the Parties and incorporated into (and form part of) this Addendum, with the following amendments:
- only the provisions of Module 2 of the EEA Standard Contractual Clauses shall apply (along with those provisions which apply to all Modules) and for these purposes, provisions relating specifically to Modules 1, 3 and 4 are deleted;
- Clause 7 (docking clause) of the EEA Standard Contractual Clauses shall be included;
- the governing law for the purposes of Clause 17 (governing law) of the EEA Standard Contractual Clauses shall be the laws of Ireland;
- the relevant courts for the purposes of Clause 18 (choice of forum and jurisdiction) of the EEA Standard Contractual Clauses shall be the courts of Ireland;
- Annexes IA, IB and IC to the EEA Standard Contractual Clauses shall be deemed to have been completed with the information in Appendix B to this Addendum;
- Annex II to the EEA Standard Contractual Clauses shall be deemed to have been completed with the information in Appendix 4 to this Addendum.
- The Parties agree that in the event of an Ex-UK Transfer, such transfer shall be conducted pursuant to the EEA Standard Contractual Clauses as supplemented and amended by the UK Addendum, which will be deemed to be executed by the Parties and incorporated into and form part of this Addendum, with the Part 1 tables to the UK Addendum completed as follows:
Table 1 shall be deemed completed with the information from Appendix B to this Addendum, and the start date shall be the date of this Addendum;
In Table 2, the first option shall be selected and the relevant version of the “Approved EEA SCCs” referenced in that option shall be the EEA Standard Contractual Clauses referenced in clause B.I. of this Appendix C above (as amended in accordance with clause B.I.);
Table 3 shall be deemed completed with the information from Appendix B and Appendix D to this Schedule 1;
Table 4 shall be deemed completed such that the Exporter has the right to end the UK Addendum as set out in Section 19 of Part 2 of the UK Addendum; and
Liftoff shall comply with the data exporter’s obligations in the UK Addendum and the Demand Partner shall comply with the data importer’s obligations in the UK Addendum, and if there is any conflict between this Addendum and the UK Addendum, the UK Addendum shall prevail.
Schedule 1 – Appendix D
Technical and Organisational Security Measures of the Demand Partner
As provided by Demand Partner to Liftoff prior to the Effective Date of the Contract.