Audience Data Match Agreement

Dated: March 21, 2025

AUDIENCE DATA MATCH AGREEMENT

This Audience Data Match Agreement (“Agreement“) is entered into by and between PubMatic, Inc.
(“PubMatic“) and you, the data provider (“Client”) for your access and the use of
PubMatic’s platform for targeted audience advertising. By accessing the PubMatic platform, Client accepts the terms of
this Agreement.

  1. License Grant, ownership AND data processing.
    1. License Grant. Client hereby grants to PubMatic a non-exclusive, worldwide, sublicensable license during the Term to use, host, display, create algorithms and deal ID based on, and modify the Audience Data (a) to create, deliver, analyze, model, plan, optimize, and report on advertising campaigns, audiences and segments within PubMatic Services and/or PubMatic’s publisher inventory; and (b) provide the PubMatic Services for Client’s benefit. For the avoidance of doubt, PubMatic will not otherwise sell Audience Data.
    2. Required Consents. Client shall be solely responsible at no cost to PubMatic for procuring and maintaining during the Term all necessary and applicable rights, consents, licenses, and clearances with respect to the Audience Data as necessary for PubMatic and the PubMatic’s customers to exercise the rights and licenses granted by Client herein.
    3. Restrictions. PubMatic shall not make the Audience Data available to any third party in raw and an unmodified form. PubMatic shall implement administrative, physical and technical safeguards to protect the Audience Data from unauthorized access, loss or disclosure that are no less rigorous than accepted industry standards and using reasonable care. PubMatic shall notify Client promptly in the event PubMatic learns of any unauthorized access, loss or disclosure of any Audience Data, and will reasonably cooperate with Client in any proceeding against any third parties necessary to protect Client’s rights with respect to the Audience Data. PubMatic shall retain the right to discontinue offering any of the Audience Data at any time.
    4. Ownership. Except as expressly set forth in this Agreement, as between Client and PubMatic, PubMatic retains all right, title and interest in and to the PubMatic Services and Intellectual Property of PubMatic. As between Client and PubMatic, Client retains all right, title and interest in and to the Audience Data, the Client properties, and the Intellectual Property of Client.
    5. Data Protection Addendum. To the extent applicable, the EU Data Protection Addendum for Audience Data Match attached hereto as Exhibit A shall form part of this Agreement and its terms are hereby incorporated in the Agreement by reference.
    6. PROCESSING OF PERSONAL DATA RELATING TO SELECT U.S. RESIDENTS
      1. Use Instructions and Limitations. The Client instructs the following in connection with PubMatic’s Processing of Personal Data relating to residents of California, Colorado, Connecticut, Utah, and Virginia or other US States as may be applicable:
      2. PubMatic shall use, retain, disclose, or otherwise process Personal Data only on behalf of Client and for the specific business purpose of providing the Services and in accordance with Client’s instructions, including as described in the Agreement. PubMatic shall not Sell or Share Personal Data, as “Sell” and “Share” are defined in the CCPA and other applicable Data Protection Laws, nor use, retain, disclose, or otherwise process Personal Data outside of its business relationship with Client or for any other purpose except as required by law. PubMatic will inform Client in the time period required by applicable Data Protection Law if PubMatic determines that it is no longer able to meet its obligations under Data Protection Laws or where, in PubMatic’s reasonable opinion, any of Client’s instructions infringes any Data Protection Laws. Client reserves the right to take reasonable and appropriate steps to discontinue and remediate unauthorized use of Personal Data.
      3. PubMatic shall have rights to use Personal Data solely (i) to the extent necessary to (a) perform its obligations under this Agreement; (b) operate, manage, test, maintain and enhance the Services including as part of its business operations; (c) to disclose aggregate statistics about the Services in a manner that prevents individual identification or re-identification of Client, Client Data, or Personal Data, including without limitation any individual device, or individual person; and/or (d) protect the Services from a threat to the Services or Personal Data; (ii) if required by order of a court or authorized governmental agency, provided that prior notice first be given to Client, or (iii) as otherwise expressly authorized by Client.
      4. PubMatic will not combine Personal Data it processes on Client’s behalf with Personal Data it receives from or on behalf of another person or persons, or that it collects from its own interactions with individuals, provided that PubMatic may combine Personal Data to perform any business purpose permitted or required under the Agreement to perform the Services.
    7. Third Parties. To the extent PubMatic processes the Personal Data of California residents as a “Third Party,” as “Third Party” is defined under the CCPA, § 1798.100 et. seq., this section, 1.7, will apply instead of 1.6.2 for such processing conducted as a Third Party: PubMatic may process Personal Data only for the limited and specified purposes described in the Agreement and related Schedules, Service Orders, and/or Statements of Work, including this DPA. PubMatic must comply with all applicable Data Protection Laws, including all applicable sections of the CCPA and provide the same level of privacy protection as required of businesses by the CCPA. Among these, PubMatic must comply with consumer requests to opt out of Sale or Sharing forwarded by Client. Where PubMatic is providing Services that includes the collection of Personal Data on either Client or PubMatic’s behalf on a Client-managed website, PubMatic shall check for and comply with the website visitor’s opt-out preference signal unless otherwise informed by Client that such website visitor has consented to the Sale or Sharing of their Personal Data. Client shall forward consumer requests to PubMatic via the instructions provided on https://pubmatic.com/legal/dsr-notice. PubMatic will inform Client in the time period required by applicable Data Protection Law if PubMatic determines that it is no longer able to meet its obligations under Data Protection Laws or where, in PubMatic’s reasonable opinion, any of Client’s instructions infringes any Data Protection Laws. Client reserves the right to take reasonable and appropriate steps to discontinue and remediate unauthorized use of Personal Data.
    8. Deidentification. Where PubMatic is permitted by applicable Data Protection law or this DPA to use Client Personal Data for its internal business purposes in an aggregated and deidentified manner, PubMatic agrees to take reasonable measures designed to ensure that the Personal Data cannot be associated with an individual (or, household, where applicable), publicly commits to maintain and use the information in de-identified form only and make no attempt to re-identify the information except where necessary to test its de-identification processes, and contractually obligates any authorized recipients to comply with these obligations.
    9. Certification. PubMatic certifies that it understands these obligations and restrictions and will comply with them
  2. Client Obligations.
    1. Client will perform its obligations under this Agreement, including with respect to the collection and provision of Audience Data as contemplated hereby, in compliance with all applicable laws, rules and regulations.
    2. Client shall ensure that the Client Properties and each of the sources of Audience Data: (i) contain a privacy policy that clearly and conspicuously discloses the collection, provision and use (including, without limitation, the use contemplated by this Agreement) of Audience Data, including descriptions of data collection for interest-based advertising, as applicable, (ii) provide a conspicuous mechanism by which End Users may opt out of interest-based advertising, as applicable and/or required by law, rule, or regulation, and (iii) to the extent required by applicable law, rule or regulation, obtain, with respect to Client’s services, End Users’ prior and informed consent to the use, collection and sharing of the Audience Data as contemplated by this Agreement.
    3. Client will not pass or make available to PubMatic as part of Audience Data: (i) Personal Directory Data or (ii) Sensitive Personal Data.
    4. Client will not pass or make available to PubMatic, or will immediately inform PubMatic if it previously provided, any data relating to an End User in the event that Client knows that such End User has opted out of interest-based or cross-app advertising, the uses of Audience Data contemplated by this Agreement, or the services provided by Client.
  3. Term; Termination.
    1. Term. The term of this Agreement will commence on the Effective Date and continue for a period of one (1) year (the “Initial Term”). This Agreement will automatically renew for additional sequential one (1) year terms if neither Party provides written notice of termination to the other Party at least sixty (60) days before the expiration of the Agreement (each, a “Renewal Term”).
    2. Convenience. Either party may terminate this Agreement, for convenience, effective immediately, upon thirty (30) days written notice to Client.
    3. Material Breach. Either party may terminate this Agreement effective immediately, if the other party is in material breach of any obligation, representation, or warranty hereunder and fails to cure that material breach (if capable of cure) within thirty (30) days after receiving written notice of the material breach from the non-breaching party stating its intent to terminate.
    4. Bankruptcy. Either party may terminate this Agreement effective immediately upon written notice if: (i) the other party files a petition for bankruptcy or is adjudicated as bankrupt; (ii) a petition in bankruptcy is filed against the other party and such petition is not removed or resolved within thirty (30) days; (iii) the other party makes an assignment for the benefit of its creditors or an arrangement for its creditors pursuant to bankruptcy law; (iv) the other party discontinues its business; (v) a receiver is appointed over all or substantially all of the other party’s assets or business; or (vi) the other party is dissolved or liquidated.
    5. Effect of Termination. Upon termination of this Agreement, the following sections will survive: Sections 3 through 10.
  4. Confidentiality; Protection of Confidential Information and Press Releases.
    1. Confidential Information means (i) technical innovations, know-how, business practices, consumer acquisition practices, patents, ideas, inventions, processes, financial records, prices, trade secrets, applications, source code, reporting, data, and Intellectual Property; (ii) any and all information that is disclosed by either party to the other party, either directly or indirectly, in writing, orally or by inspection of tangible objects, which if disclosed in writing or tangible form is marked as “Confidential,” or with some similar designation, or if disclosed orally or by inspection or observation, is identified as being proprietary and/or confidential at the time of disclosure, (iii) by the nature of the circumstances surrounding the disclosure should reasonably be treated as proprietary and/or confidential, or (iv) any information which is or reasonably should be considered to be proprietary and/or confidential.
    2. Exclusions. Confidential Information does not include information that: (i) is or becomes generally known to the public through no fault of or breach of this Agreement by the receiving party; (ii) is rightfully known by the receiving party at the time of disclosure without an obligation of confidentiality, as evidenced by the receiving party’s tangible (including written or electronic) records; (iii) is independently developed or obtained by the receiving party without use of the disclosing party’s Confidential Information, as evidenced by the receiving party’s tangible (including written or electronic) records; or (iv) the receiving party rightfully obtains from a third party, who does not have a known obligation of confidentiality, without restriction on its use or disclosure.
    3. Use and Disclosure Restrictions. Neither party may use the other party’s Confidential Information, except as necessary for the performance of this Agreement nor may either party disclose Confidential Information of the other party to any third party or individual, except to those of its employees or subcontractors that need to know such Confidential Information for the purpose of performing this Agreement; provided, that each such employee or subcontractor is subject to a written agreement that includes binding use and disclosure restrictions that are at least as protective of Confidential Information as those set forth herein. Each party must use all reasonable efforts to maintain the confidentiality of all Confidential Information of the other party in its possession or control, but in no event less than the efforts that party ordinarily uses with respect to its own proprietary information of similar nature and importance. The foregoing obligations will not restrict either party from disclosing Confidential Information of the other party: (i) pursuant to the order or requirement of a court, administrative agency, or other governmental body, provided that the party required to make such a disclosure gives reasonable notice to the other party in order that the disclosing party may act to prevent or restrict the ordered disclosure; (ii) on a confidential basis to its legal or financial advisors; or (iii) on a confidential basis to present or future providers of venture capital and/or potential private investors in or acquirers of such party. Upon the written request of the disclosing party, all copies of Confidential Information shall be promptly returned or destroyed by the receiving party, except for any automatically generated electronic backup copies that may reside on a party’s computer systems or be stored offsite, and that shall be used for no purpose and remain subject to the confidentiality obligations contained herein.
    4. Press Releases. Except as necessary to perform its obligations herein, neither party may use the other party’s Marks or publicize this Agreement nor the relationship between the parties established herein to any third-party, including without limitation, issuing a press release, unless it has obtained the prior written approval of the other party hereto.
  5. Representations and Warranties.
    1. Mutual Representations and Warranties. Each of the parties represents and warrants that (i) it has the full power and authority to enter into this Agreement; (ii) the execution of this Agreement and performance of its obligations under this Agreement do not and will not violate any other agreements to which it is a party; and (iii) this Agreement constitutes a legal, valid and binding obligation of it when executed and delivered.
    2. Client Representations and Warranties. Client represents and warrants that (i) the Audience Data does not, and will not, infringe, violate, or misappropriate the Intellectual Property rights of any third party; (ii) it has all required consents described in Section 1.3; (iii) the Audience Data will meet the requirements of Section 2; (iv) it will comply with all applicable laws, rules, and regulations, including privacy laws and regulations, in its collection, storage, sharing and use of the Audience Data; and (v) the collection, provision and use of Audience Data as contemplated hereby do not, and will not, (a) violate the terms of any privacy policy or other disclosure made at the time of collection, or (b) violate the terms of service of any operating system or platform (including, without limitation, iOS or Android), web site, application or other source of Audience Data.
  6. Disclaimers; Limitation of Liability.
    1. Disclaimers. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER PARTY MAKES ANY WARRANTIES, EXPRESS OR IMPLIED, WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT, AND EACH PARTY EXPRESSLY DISCLAIMS THE IMPLIED WARRANTIES OF performance, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE, AND IMPLIED WARRANTIES ARISING FROM COURSE OF DEALING OR PERFORMANCE with respect to its products and/or services. the pubmatic services will not provide specific volumes of traffic, results, sales objectives or any level of profit or business.
    2. LIMITATION OF LIABILITY. EXCEPT FOR A PARTY’S indemnity OBLIGATIONS UNDER SECTION 7, IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY PUNITIVE, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, RELIANCE OR CONSEQUENTIAL DAMAGES arising from or relating to this agreement, INCLUDING LOST DATA, BUSINESS, REVENUE, OR ANTICIPATED PROFITS, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, AND WHETHER OR NOT THE APPLICABLE PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES. PUBMATIC shall have no liability for the acts or omissions of third parties. IN NO EVENT WILL the aggregate LIABILITY of PubMatic under this agreement EXCEED THE lesser of the FEES PAYABLE to Client by PUBMATIC UNDER THIS AGREEMENT DURING THE six (6) MONTHS IMMEDIATELY PRECEDING THE DATE OF THE CLAIM and ten thousand dollars ($10,000). THE PARTIES AGREE THAT THE LIMITATIONS OF LIABILITY SET FORTH IN THIS SECTION WILL SURVIVE ANY TERMINATION OR EXPIRATION OF THIS AGREEMENT, AND WILL APPLY EVEN IF ANY LIMITED REMEDY SPECIFIED IN THIS AGREEMENT IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.
  7. INDEMNIFICATION.
    1. PubMatic Indemnification. PubMatic agrees to indemnify, defend, and hold Client and its directors, officers, shareholders, employees, affiliates, and agents harmless from and against any liabilities, damages, losses, or expenses (including reasonable attorneys’ fees) arising out of any claim, demand, action, or proceeding initiated by a third party that is based upon, arises out of, or relates to the alleged or actual breach of any of PubMatic’s representations and warranties set forth in Section 5.1 (Mutual Representations and Warranties) hereof; provided, however, that Client: (i) promptly notifies PubMatic in writing of the claim, except that any failure to provide this notice promptly only relieves PubMatic of its responsibility pursuant to this Section to the extent its defense is materially prejudiced by the delay; (ii) grants PubMatic sole control of the defense and/or settlement of the claim; provided PubMatic uses legal counsel reasonably acceptable to Client and (iii) provides PubMatic, at PubMatic’s expense, with all assistance, information and authority reasonably required for the defense and/or settlement of the claim. PubMatic shall not settle any claim in a manner that adversely affects the rights of Client without Client’s prior written consent, which consent shall not be unreasonably withheld or delayed. Client may participate in and observe the proceedings at its own cost and expense with legal counsel of its own choosing.
    2. Client Indemnification. Client agrees to indemnify, defend, and hold PubMatic and its directors, officers, shareholders, employees, affiliates, and agents harmless from and against any liabilities, damages, losses, or expenses (including reasonable attorneys’ fees) arising out of any claim, demand, action, or proceeding initiated by a third party that is based upon, arises out of, or relates to the alleged or actual breach of any of Client’s representations and warranties set forth in Sections 5.1 (Mutual Representations and Warranties) and 5.2 (Client Representations and Warranties) hereof, and the use by PubMatic or the PubMatic Customers of the Audience Data as contemplated in this Agreement; provided, however, that PubMatic: (i) promptly notifies Client in writing of the claim, except that any failure to provide this notice promptly only relieves Client of its responsibility pursuant to this Section to the extent its defense is materially prejudiced by the delay; (ii) grants Client sole control of the defense and/or settlement of the claim; provided Client uses legal counsel reasonably acceptable to PubMatic; and (iii) provides Client, at Client’s expense, with all assistance, information and authority reasonably required for the defense and/or settlement of the claim. Client shall not settle any claim in a manner that adversely affects the rights of PubMatic without PubMatic’s prior written consent, which consent shall not be unreasonably withheld or delayed. PubMatic may participate in and observe the proceedings at its own cost and expense with legal counsel of its own choosing.
  8. Compliance with OFAC Regulations:
    1. Each party to this Agreement represents and warrants that it is and shall remain in compliance with all applicable laws, regulations, and requirements administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), including but not limited to, the Trading with the Enemy Act, the International Emergency Economic Powers Act, and any Executive Orders or regulations promulgated thereunder (collectively, “OFAC Regulations”).
    2. (a) The parties acknowledge and agree that they shall not, directly or indirectly, engage in any transaction that would result in a violation of any OFAC Regulations.
    3. (b) Without limiting the generality of the foregoing, the parties shall not engage in any transactions or dealings with individuals, entities, or countries subject to sanctions imposed by OFAC.
    4. (a) Each party shall promptly notify the other party in writing if it becomes aware of any violation or potential violation of OFAC Regulations in connection with the performance of this Agreement.
    5. (b) In the event that either party is designated as a Specially Designated National (“SDN”) or otherwise becomes subject to sanctions under OFAC Regulations, that party shall immediately notify the other party in writing.
    6. Each party agrees to indemnify, defend, and hold harmless the other party, its affiliates, officers, directors, employees, and agents from and against any and all losses, liabilities, damages, costs, and expenses (including reasonable attorneys’ fees) arising out of or resulting from any breach of the representations and warranties set forth in this OFAC Sanctions section.
  9. MISCELLANEOUS.
    1. Relationship of the parties. The relationship of PubMatic and Client established by this Agreement is that of independent contractors, and nothing contained in this Agreement will create or be construed to constitute a partnership, joint venture, agency, or employment relationship between the parties. Neither party shall have any right to obligate or bind the other party hereto in any manner whatsoever, and nothing herein contained shall give, or is intended to give, any rights of any kind to any third parties.
    2. Governing Law; Jurisdiction. This Agreement shall be governed by, and construed and enforced in accordance with, the laws of the State of California, without reference to conflicts of laws principles. The parties agree that the federal and state courts located in Santa Clara County, California will have exclusive jurisdiction and venue under this Agreement, and the parties hereby agree to submit to such jurisdiction exclusively.
    3. Assignment. Client may not assign any of its rights or obligations under this Agreement without the prior written consent of PubMatic, except that Client may assign this Agreement without consent but with prior written notice to PubMatic in connection with any merger, consolidation, reorganization, or sale of all or substantially all of its assets related to this Agreement, by operation of law or otherwise. This Agreement inures to the benefit of and is binding upon the parties’ permitted assignees, transferees and successors.
    4. Amendments. Except as otherwise set forth herein, all amendments to this Agreement must be in writing and executed by both parties hereto.
    5. Waiver. A waiver of any provision of this Agreement will only be valid if provided in writing and will only be applicable to the specific incident and occurrence so waived. The failure by either party to insist upon the strict performance of this Agreement, or to exercise any term hereof, will not act as a waiver of any right, promise or term, which will continue in full force and effect.
    6. Severability. If any provision, or portion thereof, of this Agreement is determined by a court of competent jurisdiction to be invalid, illegal or unenforceable, such determination will not impair or affect the validity, legality, or enforceability of the remaining provisions of this Agreement.
    7. Notices. All legal notices to PubMatic under the terms of this Agreement must be given in writing and sent by United States registered or certified mail, express courier, email, or must be delivered by hand to the following addresses: 601 Marshall Street, Redwood City CA 94063 ; email: legal@pubmatic.com

All notices will be presumed to have been received when hand delivered, one (1) day after being sent via express courier, within five (5) business days after being placed in the United States mail, postage prepaid, certified or registered mail, or upon confirmation of delivery after being received via facsimile transmission or email. A courtesy copy of all notices to PubMatic shall be sent to legal@pubmatic.com.

    1. Force Majeure.Neither party will be responsible for any failure or delay in its performance under this Agreement due to causes beyond its reasonable control, including labor disputes, strikes, lockouts, carrier gateway provider service failures, internet or telecommunications failures, shortages of or inability to obtain labor, energy, or supplies, war, terrorism, riot, acts of God or governmental action, and such performance shall be excused to the extent that it is prevented or delayed by reason of any of the foregoing.
    2. Entire Agreement. This Agreement and any exhibits, addendums and schedules attached hereto set forth the entire agreement and understanding of the parties with respect to the subject matter hereof and supersede all prior and contemporaneous agreements or understandings (whether oral or written) between Client and PubMatic regarding the subject matter. All exhibits and schedules attached to this Agreement are incorporated herein.
    3. Headings. Section or paragraph headings used in this Agreement are for reference purposes only, and should not be used in the interpretation hereof. No provision of this Agreement will be construed against either party as the drafter thereof.
    4. Counterparts. This Agreement may be signed in one or more counterparts, which may be in an electronically delivered format. Each of them is an original, and all of them constitute one agreement.
  1. DEFINITIONS.
    1. Audience Data” means any data owned or licensed by Client that is delivered or otherwise made available to PubMatic pursuant to this Agreement.
    2. “End User” means a specific natural person who uses the Client Properties.
    3. “Intellectual Property” includes trade secrets, copyrights, trademarks, patents, logos, service marks, inventions, technology, Confidential Information, and other proprietary materials.
    4. “Personal Data” shall have the meaning of this term or any similar term (such as “personal information” or “personally identifiable information”) under the relevant applicable privacy or data protection laws, or where no such laws apply, shall mean any information that by itself or when combined with other information (such as name, address, telephone number, e-mail address, precise geo location, financial account number, and government-issued identification number) can be used to identify a specific natural person.
    5. “Personal Directory Data” means calendar, address book, phone/text log, or photo/video file data (including any associated metadata), or similar data created by a user that is stored on or accessed through a device.
    6. “Client Properties” means Client owned, operated and/or controlled web or mobile properties or other sources of data for Client.
    7. “PubMatic Customer” means any mutual customer, publisher, demand partner, agency, or advertiser that receives Audience Data from PubMatic.
    8. PubMatic Services means the online advertising services owned, operated, or provided by PubMatic through which Audience Data shall be utilized in accordance with the rights and licenses granted herein.
    9. “Sensitive Personal Data” shall have the meaning relating to this term or any similar term (such as “sensitive personal information”) under relevant privacy or data protection laws, or where no such laws apply, shall mean, with respect to a specific natural person, medical or health information (including information about health conditions or treatments), financial information (including financial account information and number), sexual orientation, social security number or other government-issued identifiers, and personal information of children protected under any applicable child protection laws (such as the personal information defined under the United States Children’s Online Privacy Protection Act of 1998 (“COPPA”).
    10. “Term” means the Initial Term and any Renewal Terms.

EXHIBIT B

EU Data ProtectionAddendum

This Data Processing Addendum (“Addendum“) is entered into by and between PubMatic, Inc.
(“PubMatic“) and the party identified in the signature block below (“Client”), and
forms part of the Audience Data MatchAgreement (the “Agreement”) between the parties relating to the
subject matter of this Addendum.

The terms in this Addendum shall only apply to the extent PubMatic collects or otherwise processes Personal Data
contained within Licensed Content protected or otherwise regulated by EU Data Protection Law. Capitalized terms used in
this Addendum shall have the meaning given to them in the main body of the Agreement unless otherwise defined in this
Addendum.

IT IS AGREED:

  1. Definitions
  2. “Data Privacy Framework” means the EU-US, UK Extension to the EU-US and Swiss-US Data Privacy Framework (“DPF”) Program as set forth by the US Department of Commerce, European Commission, UK Government, and Swiss Federal Administration, and which regards the collection, use and retention of personal information from the EU, UK and Switzerland.
  3. Demand Partners” means PubMatic’s media buying clients, including but not limited to demand side platforms, ad exchanges, agencies, agency trading desks and ad networks and PubMatic Customers described in Section 10.7 of the Agreement.
  4. Europe” means for the purposes of this Addendum, the European Economic Area and/or its member states, Switzerland and the United Kingdom.
  5. EU Data Protection Law” means all data protection and privacy laws and regulations enacted in Europe, including (i) the EU General Data Protection Regulation (Regulation 2016/679)(“GDPR“); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any national laws made under or pursuant to (i) or (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA“) and (v) in respect of the United Kingdom, GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (together, “UK Privacy Law“); (in each case, as superseded, amended or replaced).
  6. Personal Data” means any information relating to an identified or identifiable natural person to the extent that such information is protected as personal data under applicable EU Data Protection Law.
  7. Privacy Requirements” means all applicable international, federal, national and state data protection and privacy laws, regulations, and industry self-regulatory rules, codes and guidelines that apply to the processing of data (including Personal Data) that is protected by EU Data Protection Law, as applicable to Client, PubMatic and its Demand Partners , including without limitation: (i) the rules, codes and guidelines of the European Interactive Digital Advertising Alliance (EDAA) and the Network Advertising Initiative (NAI); and (iii) EU Data Protection Law (in each case, as amended, superseded or replaced).
  8. PubMatic Services” has the meaning given to it in the Agreement.
  9. Restricted Transfer” means: (i) where the GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner; and (iii) where the UK Privacy Law applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to section 17A of the United Kingdom Data Protection Act 2018.
  10. Standard Contractual Clauses” means Module 2 (Controller to Processor) or Module 3 (Processor to Processor), as applicable, of the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 located at https://eur-lex.europa.eu/eli/dec_impl/2021/914/, as applicable and completed in accordance with this Addendum.
  11. Subprocessor” means any third party that has access to the Audience Personal Data and which is engaged by PubMatic to assist in fulfilling its obligations to provide the Services. Subprocessors may include PubMatic affiliates but shall exclude any PubMatic employee, contractor or consultant.
  12. UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under S119(A) of the UK Data Protection Act 2018, as updated or amended from time to time.
  13. Controller”, “data subject“, “processing” (and “process“), and “Processor” shall have the meanings given to them in EU Data Protection Law.
  1. Scope of processing: Client acknowledges and agrees that in connection with the PubMatic Services, PubMatic may receive from Client Personal Data contained within Licensed Content (as defined in the Agreement) about or related to End Users of the Client Properties, as more particularly described in Appendix 1 of this Addendum (“Audience Personal Data”).
  2. Relationship of the parties: The parties acknowledge that PubMatic shall process Audience Personal Data under the Agreement as a Processor acting on behalf of Client (whether acting as a Controller or a Processor itself on behalf of third party Controllers) in accordance with this Addendum. Nothing in the Agreement (including this Addendum) shall limit or prevent PubMatic from collecting or using data that PubMatic would otherwise collect and process independently of Client’s use of the PubMatic Services.
  3. Data Protection. PubMatic agrees that:
    1. the description of the processing of Audience Personal Data is set out in Appendix 1 of this Addendum;
    2. PubMatic shall process the Audience Personal Data only for the purposes of delivering the PubMatic Services in accordance with the Agreement and on the documented lawful instructions of Client as set out in full in this Addendum and the Agreement, including with regard to transfers of Audience Personal Data to a third country, unless required otherwise by applicable law; in such event, PubMatic shall inform Client of the legal requirement before processing, unless that law prohibits the provision of such information to Client. PubMatic shall inform Client if, in its opinion, Client’s instructions infringe EU Data Protection Law;
    3. PubMatic shall ensure that persons authorized to process Audience Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
    4. PubMatic shall respect the conditions for appointing a Subprocessor as set out in Section 5 below;
    5. taking into account the nature of the processing, PubMatic shall assist Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of any obligation Client has under EU Data Protection Law to respond to requests from data subjects to access, correct, delete, object or exercise any other rights they have in respect of the Audience Personal Data under EU Data Protection Law.
    6. if PubMatic receives any correspondence, enquiry or complaint from a data subject, regulatory or any other person particularly relating to its processing of Audience Personal Data, it will promptly inform Client and provide it with full details of the same unless and to the extent prevented by applicable law. Unless otherwise required by applicable law, PubMatic will not respond to any correspondence, enquiry or complaint from a data subject directly except to direct the data subject to the Client, unless authorised by Client (such permission not to be unreasonably withheld or delayed), and Client agrees that PubMatic shall have no obligation to respond on Client’s behalf;
    7. if Client is required by applicable Privacy Requirements to conduct a data protection impact assessment in respect of the PubMatic Services, PubMatic shall provide (on a confidential basis) all information reasonably requested by Client in connection with such assessment;
    8. at the choice of Client, PubMatic shall delete or return all the Audience Personal Data to Client after the end of the provision of the PubMatic Services and the certificate of deletion of Personal Data described in Clauses 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by PubMatic to Client upon Client’s written request; and
    9. PubMatic shall make available to Client all information reasonably necessary for PubMatic to demonstrate its compliance with the obligations in this Addendum, including by way of providing written responses to any audit questions raised by Client (such audits not to be conducted more than once per annum and at Client’s expense).
  4. Subprocessing: Client provides PubMatic with a general authorization to engage Subprocessors to assist in processing the Audience Personal Data in the performance of the PubMatic Services provided that:
    1. PubMatic shall ensure that its Subprocessors are subject to data protection terms that protect the Audience Personal Data to the same or substantially similar standard as set out in this Addendum;
    2. PubMatic accepts full liability for any breach of this Addendum that is caused by the act, error or omission of its Subprocessors;
    3. PubMatic maintains a list of its then-current Subprocessors and shall provide such a list to Client upon request; and
    4. if PubMatic wishes to appoint or replace a Subprocessor it shall provide Client with a minimum of ten (10) days prior notice and Client may object to such appointment or replacement on reasonable data protection grounds within five (5) days following receipt of such notice. If Client so objects, then either (i) PubMatic shall not use the proposed Subprocessor to process the Data; or (ii) if this is not possible, Client may terminate the Agreement for its convenience upon written notice to PubMatic.
  5. International Transfers:
    1. Subject to Section 6.2, to the extent that Client (as “data exporter”) provides, makes available or otherwise transfers Audience Personal Data to PubMatic (as “data importer”) and such transfer is a Restricted Transfer, the transfer shall be subject to the Standard Contractual Clauses, which shall be incorporated into and form an integral part of this Addendum as follows:
    2. in relation to transfers of Audience Personal Data protected by the GDPR (i) Module Two (controller to processor) or Module 3 (processor to processor) shall apply, as applicable and in accordance with section 3 of this Addendum; (ii) Clause 7, the optional docking clause will apply; (iv) in Clause 9, Option 2 will apply and the time period for notice of changes to Subprocessors shall be as agreed under Section 5 above; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by laws of Ireland; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 1 to this Addendum; and (vii) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 2 to this Addendum;
    3. in relation to transfers of Audience Personal Data protected by UK Privacy Law, the Standard Contractual Clauses shall also apply in accordance with paragraph (a) above, but as modified and interpreted by Part2: Mandatory Clauses of the UK Addendum, which shall be deemed executed by the Parties and incorporated into and form an integral part of this Addendum. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Appendices 1 and 2 of this Addendum and Table 4 in Part 1 shall be deemed completed by selecting “neither party”; and
    4. in relation to transfers of Audience Personal Data protected by the Swiss DPA, the Standard Contractual Clauses shall also apply in accordance with paragraph (a) above, with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”; (iv) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (v) Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner; (vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; (vii) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and (viii) Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
    5. The terms of the Standard Contractual Clauses shall not apply where and to the extent PubMatic (as the data importer) and the applicable transfer of Audience Personal Data are covered by an alternative, suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for Personal Data (provided that it is deemed legally valid in jurisdictions subject to Data Protection Law), including the Data Privacy Framework or any U.S.- EU cross border transfer program which supersedes the Data Privacy Framework (an “Adequacy Mechanism”). Where an Adequacy Mechanism applies, PubMatic may process the Audience Personal Data in compliance with the Adequacy Mechanism.
  6. Security: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, PubMatic shall implement appropriate technical and organizational security measures to protect the Audience Personal Data as described in Appendix 2 of this Addendum (“Security Measures”). Such Security Measures shall protect the Audience Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Audience Personal Data transmitted, stored or otherwise processed by PubMatic (a “Security Incident”). PubMatic shall inform Client without undue delay in the event of a Security Incident. PubMatic may make changes to the Security Measures from time to time, so long as such changes do not degrade the overall security of the processing.
  7. General: If there is any conflict between any provision in this Addendum and any provision in the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) Standard Contractual Clauses (where applicable); then (b) this Addendum, and then (c) the main body of the Agreement. With effect from the effective date, this Addendum is part of, and incorporated into the Agreement. To the extent there are any prior agreements with regard to the subject matter of this Addendum, this Addendum supersedes and replaces such prior agreements. This Addendum shall survive termination or expiry of the Agreement. Upon termination or expiry of the Agreement PubMatic may continue to process the Audience Personal Data provided that such processing complies with the requirements of this Addendum and the Privacy Requirements. This Addendum may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. This Addendum may be executed via a recognized electronic signature service or delivered by facsimile transmission, or may be signed, scanned and emailed, and any such signatures shall be treated as original signatures for all applicable purposes.

 

Description of Processing / Transfer

Annex 1(A): List of parties
Data Importer: Name: PubMatic, Inc.
Contact person’s name, position and contact details: DPO, contactable at dpo@pubmatic.com
Activities relevant to the data transferred: See Annex 1(B) below.
Signature and date: See Addendum.
Role (Controller/Processor): Processor
Data Exporter: Name: The party identified as “Client” in the Addendum.
Contact person’s name, position and contact details: As specified in the Agreement.
Activities relevant to the data transferred: See Annex 1(B) below.
Signature and date: See Addendum.
Role (Controller/Processor): Controller
Annex 1(B): Description of the processing / transfer
Categories of Data Subjects whose personal data is transferred:
The personal data transferred concern the following categories of data subjects: Consumers (end users) and clients of Data Provider
Categories of personal data transferred
The personal data transferred concern the following categories of data: To the extent applicable, but not limited to, Mobile Ad IDs, PubMaticID cookie ID, alternate third party IDs
Sensitive data transferred (if appropriate)
The personal data transferred concern the following categories of sensitive data: N/A.
Frequency of the transfer
(e.g. whether the data is transferred on a one-off or continuous basis) Continuous.
Nature, subject matter and duration of the processing
The nature and subject matter of the processing is the provision of the Services pursuant to the Agreement.
The duration of the data processing is generally 30 days from receipt of data.
Purposes of the data transfer and further processing
The transfer is made for the following purposes: For the purposes of delivering the Services in accordance with the Agreement.
Period for which the personal data will be retained, or if that is not possible the criteria used to determinate that period, if applicable
The criteria used to determine the period is: Audience Data shall generally be retained for 30 days from receipt by PubMatic.
Annex 1(C): Competent supervisory authority
The competent supervisory authority, in accordance with Clause 13 of the New SCCs The competent supervisory authority will be determined in accordance with the GDPR.

Appendix 2

Technical and Organisational Security Measures

PubMatic implements the Security Measures, available hereunder:

Type of measure
Measures of pseudonymisation and encryption of personal data Alternate IDs are hashed and Audience Data is processed in connection with the services for addressability purposes,
PubMatic will ensure that industry standard cryptographic techniques are immediately applied to such data, which may include hashing.
When activating/monetizing audiences, sensitive or directly identifiable personal data is not processed.
Measures for ensuring ongoing confidentiality of processing systems and services  PubMatic has implemented and maintains an information security program and has implemented measures to ensure the integrity, availability and security of personal information.
Confidentiality terms with personnel are in place.  System architecture that aligns to industry good practices.
Measures for ensuring ongoing integrity of processing systems and services Firewall protection for data ingestion service, ad service, and analytics. Confidentiality terms with are in place with personnel.
Measures for ensuring ongoing availability and resilience of processing systems and services Processes in our data centers, under our private cloud infrastructure aim to ensure “high availability” of services, including but not limited to redundancy and failover triggers,
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Automated regular backups of data is setup. ·
Further measures include regular backups, business continuity readiness plans, and disaster recovery plans.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing See above
Upon updates and ugrades, security reviews of the architecture take place.
Security compliance has been integrated into Company’s product development practices, and the Company privacy, security and engineering teams collaborate regularly to ensure those standards are kept up to date.
Measures for user identification and authorisation PubMatic has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized employees with a “need to know”.
PubMatic has in place industry standard policies to ensure that unauthorized current and former personnel cannot improperly access systems that process personal data.
Data activation services (UI workflows for setup, configuration) have authorization measures in place. Data ingestion service supports authorization, no data providers are sending data using authorized end points.
Measures for the protection of data during storage Access to data is restricted to very limited administrative users and application users. Services connect to the data store through a secured channel via credentials.
PubMatic does not process any sensitive personal data.
Measures for ensuring physical security of locations at which personal data are processed Facilities involved in the processing of personal data are accessible only by authorized personnel.
Technical controls in place to secure processing facilities include access controls, two-factor authentication, firewalls, and anti-malware.
Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required.
Measures for certification/assurance of processes and products Security process reviews occur quarterly as part of annual SOX audit.
Measures for ensuring data minimisation No data linking happens across IDs. Data has TTL set. Data is cleaned automatically on expiry.
Measures for ensuring accountability Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required and changes are logged.
Measures for allowing data portability and ensuring erasure PubMatic maintains a data subject request process which supports the privacy rights (access, deletion, rectification and portability) of data subjects as provided under the GDPR or other applicable law.

For further information, please see generally our privacy policy at https://pubmatic.com/legal/privacy-policy/