Connect (Commerce Partner) Log Level Data Addendum

This Log Level Data Addendum (“Addendum“) forms part of the Connect Data Provider Agreement (Order Form and online terms and conditions) (the “Contract”) between PubMatic, Inc. (“PubMatic” or “Licensor”) and the Provider as identified in the Order Form (“Licensee“). Capitalized terms used in this Addendum shall have the meanings given to them in the main body of the Contract unless otherwise defined in this Addendum.

  1. Introduction
    1. PubMatic is a provider of a supply-side platform, a technology platform which engages in the provision of auction or facilitation of purchases of digital advertising inventory. Licensee is a commerce media partner and a data provider.
    2. PubMatic and Licensee have concurrently entered into a Connect Data Provider Agreement under which Licensee provides audience segments (Audience Data) to PubMatic for targeted advertising (“the Contract” or “Agreement”).
    3. Licensee wishes to obtain transaction logs in respect of winning deals where the Licensee’s audience segments are targeted (“Log Level Data”) in order to match such logs against the Licensee’s own conversion data for the purpose of campaign attribution and performance measurement. PubMatic agrees to provide the Log Level Data and grants the Licensee a license to use Log Level Data for the limited Purpose stated herein.
    4. The parties are entering into this Addendum to ensure that, in sharing Log Level Data pursuant to the Contract, both parties comply with applicable laws.

    2. IT IS AGREED:

  2. Purpose

    3. PubMatic will provide Log Level Data to the Licensee for the sole purpose of campaign performance measurement and attribution of the Licensee’s and PubMatic’s mutual advertising clients. Particularly for: (a) conversion measurement and attribution of advertising campaigns run through PubMatic’s platform; (b) transparency and verification relating to the PubMatic Services, PubMatic’s platform, and inventory provided by PubMatic; (c) media planning, optimization, delivery, and activation of advertising campaigns in the PubMatic Services, PubMatic’s platform, and inventory provided by PubMatic; and (d) ad delivery, analytics and reporting. For the avoidance of doubt, the aforementioned Purpose includes informing the Licensee’s product offerings, which were made available on PubMatic’s platform after execution of the Contract.

  3. License Grant
    1. License Grant. PubMatic hereby grants to Licensee a limited, revocable, non-exclusive, worldwide license during the Term to use, copy, access, host, analyze, and store the Log Level Data solely for the Purpose in section 2 above.
    2. Restrictions. Licensee shall use the Log Level Data solely for the Purpose and not share the Log Level Data externally with the mutual advertising clients or third parties. Licensee shall not (a) sell, transfer, lease, assign, redistribute, disclose, disseminate, or otherwise make available such data to any third party; (b) use the Log Level Data for the benefit of PubMatic’s competitors; (c) reverse engineer, re-identify or de-anonymize, or attempt to reverse engineer, re-identify or de-anonymize any such data; (d) take any action to render the Log Level Data or any part thereof into Personal Data to the extent such Log Level Data is not deemed Personal Data under applicable law; (e) use Log Level Data in or to train its machine learning models for any use case other than what is outlined in the Purpose; (f) use Log Level Data or any insights or derivatives thereof to create, augment, or append user segments, audience profiles, or device profiles, or to enable targeting, retargeting, or behavioral advertising outside of campaigns expressly run through PubMatic’s platform; or (g) combine Log Level Data or any data derived therefrom with data received from third-party sources for any purpose, except that Licensee may combine Log Level Data solely with Licensee’s own first-party conversion data strictly for the purpose of performing conversion measurement and attribution in accordance with the Purpose, provided that any data, insights, or derivatives resulting from such combination shall remain subject to all restrictions in this Section 3.2. PubMatic reserves the right to terminate this license (a) should it determine that the Licensee is in breach of this Section 3, or (b) upon thirty (30) days’ written notice if Licensee is not actively running advertising campaigns through PubMatic’s platform, as the license granted hereunder is conditioned upon Licensee’s ongoing campaign activity with PubMatic.
    3. Security Measures. Licensee shall implement administrative, physical and technical safeguards to protect the Log Level Data from unauthorized access, loss or disclosure that are no less rigorous than accepted industry standards and using reasonable care in accordance with Annex B. Licensee shall notify PubMatic promptly in the event Licensee learns of any unauthorized access, loss or disclosure of any Log Level Data, and will reasonably cooperate with PubMatic in any proceeding against any third parties necessary to protect PubMatic’s rights with respect to the Log Level Data.
    4. Ownership. Except as expressly set forth in this Agreement, as between PubMatic and Licensee, PubMatic retains all right, title and interest in and to the Log Level Data and Intellectual Property of PubMatic.
    5. Personal Data: Parties shall comply with applicable privacy laws in the processing of Personal Data, including the Data Processing Addendum in Exhibit A to the extent applicable to the relevant processing activities.
  4. General

    In the event that this Addendum conflicts with any provision of the Contract, this Addendum shall control. Except as modified herein, all other terms of the Contract shall remain in full force and effect.

 

Exhibit A

Data Processing Addendum

  1. Definitions:
    1. controller“, “processor“, “data subject“, “personaldata“, “processing” (and “process“) and “special categories of personal data” shall have the meanings given in Applicable Privacy Law;
    2. Applicable Privacy Law” means any and all applicable privacy and data protection laws including, where applicable, European Data Protection Law (as may be amended or superseded from time to time);
    3. Data Privacy Framework” means the EU-US, UK Extension to the EU-US and Swiss-US Data Privacy Framework (“DPF“) Program as set forth by the US Department of Commerce, European Commission, UK Government, and Swiss Federal Administration, and which regards the collection, use and retention of personal information from the EU, UK and Switzerland.
    4. European Data Protection Law” or equivalent thereto in Original DPA shall incorporate UK privacy law. Particularly it shall mean: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any and all applicable national implementations of (i) or (ii); (iv) in respect of the United Kingdom, GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 the (together, “UK Privacy Law“); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA“), in each case as may be amended or superseded from time to time;
    5. Europe” means, for the purposes of this Addendum, the European Economic Area (EEA), the United Kingdom and Switzerland;
    6. Industry Protocol” means the Transparency and Consent Framework developed by the IAB Europe, its policies, its global vendor list and specifications and/or any other mutually agreed upon industry protocols, as amended and updated from time to time;
    7. Model Clauses” means the Standard Contractual Clauses populated with information described in Section 4 of this Addendum;
    8. Restricted Transfer” means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK Privacy Law applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
    9. Security Incident” means any event which resulted in, or which if successful would have resulted in, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Data (as defined in Section 2 herein) while in the custody or control of the Licensee, its affiliates, agents, subcontractors, processors or sub-processors, as applicable.
    10. Standard Contractual Clauses” means the standard contractual clauses and its appendices in European Commission Implementing Decision (EU) 2021/91 of 4 June 2021 relating to transfers of personal data to third countries pursuant to Regulation (EU) 2017/679 and any successor clauses issued from time to time by the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction, in each case, in relation thereto, completed in accordance with the terms of this Addendum.
    11. UK Addendum” means the International Data Transfer Addendum (version B1.0) to the EU Commission Standard Contractual Clauses issued by UK Information Commissioners Office under S.119(A) of the UK Data Protection Act 2018, as amended, superseded or replaced from time to time.
    12. “US Privacy Addendum” means the addendum attached as Annex C for the processing of US residents Personal Data.
  2. Processing Description: In connection with the Contract, Licensee will receive certain Log Level Data from PubMatic. Licensee acknowledges that such Log Level Data (as described in this Addendum) may contain personal data, as more particularly described in Annex A (collectively, the “Data“).
  3. Controller Terms applicable to Data
    1. Licensee agrees that it shall only process and collect the Data solely for the purposes expressly permitted under the Contract and in a manner that complies with Applicable Privacy Laws, the Contract, and where applicable, the Industry Protocol (collectively and individually, the “Permitted Purposes“).
    2. Relationship of the parties: The parties acknowledge that PubMatic is a controller of the Data it discloses to Licensee, and that Licensee will process the Data as a separate and independent controller strictly for the Permitted Purposes. In no event will the parties process the Data jointly as joint controllers.
    3. Compliance with law: Each party shall be individually and separately responsible for complying with the obligations that apply to it as a controller under Applicable Privacy Law. Without limitation to the foregoing, each party shall maintain a publicly accessible privacy policy on its website that satisfies the transparency disclosure requirements of Applicable Privacy Law.
    4. Deletion: Licensee will not, and will not permit any third party, to retain the Data for longer than the period during which Licensee has a legitimate need to retain the Data. All such retention shall be solely for the Permitted Purposes and in compliance with Applicable Privacy Law. Upon the earlier of request by PubMatic or termination or expiration of the Contract, Licensee shall promptly return, remove, or delete the Data and all copies thereof from its systems.
  4. Standard Contractual Clauses
    1. General: Licensee agrees to abide by and process the Data protected by European Data Protection Law in accordance with the Standard Contractual Clauses, which is hereby incorporated into and form an integral part of this Addendum. The terms of the Standard Contractual Clauses will apply where the applicable transfer of Data is not subject to the laws of a jurisdiction recognized as providing an adequate level of protection for personal data (as described in European Data Protection Law). The parties agree that PubMatic is the Data Exporter and that Licensee is the Data Importer in respect of the Standard Contractual Clauses and any of the transfers described in this Section 4.
    2. The parties agree that the Standard Contractual Clauses apply as follows: (i) Module One will apply; (ii) In Clause 7, the optional docking clause will apply; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses shall be governed by the laws of Ireland; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex A to this Addendum; (vii) For the purposes of Clause 8.5(a), (b) and (c), as well as Annex II of the EU SCCs, the parties agree to the security measures described in Annex B to this Addendum; and (viii) for the purposes of Clause 8.5 (d), (e) and (f), where Licensee is required by a respective clause in the EU SCCs or is otherwise legally compelled to notify the data subjects or the competent supervisory authority of a personal data breach, Licensee shall first provide PubMatic with the details of the notification permitting PubMatic to have prior written input into the respective notification, where PubMatic desires to do, and without delaying the timing of the notification unduly.
    3. Data Protected by the UK GDPR: In relation to Data that is protected by the UK GDPR, the EU SCCs as implemented in accordance with Sections 4 (b) above shall apply provided that: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the UK GDPR, references to “EU”, “Union” and “Member State law” shall be interpreted as references to English law, and references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the relevant data protection authority and courts in England; (ii) to the extent and for so long as the EU SCCs as implemented in accordance with paragraph (i) above cannot be used to lawfully transfer the Data protected by the UK DPA and the UK GDPR to Licensee, the UK SCCs shall be incorporated into and form an integral part of the Addendum and shall apply to such transfers; and (iii) for the purposes of the UK SCCs (where applicable) the relevant Appendices of the UK SCCs shall be deemed completed using the information contained in Annexes A and B to this Addendum (as applicable).
    4. In relation to Data that is protected by the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”): the EU SCCs as implemented in accordance with Sections 4.a) and b) above will apply provided that references in the EU SCCs to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA, references to “EU”, “Union” and “Member State law” shall be interpreted as references to Swiss law, and references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the relevant data protection authority and courts in Switzerland.
  5. General Terms applicable to Data
    1. Non-disclosure: Licensee will not disclose the Data to any third party without PubMatic’s prior written consent except: (i) where necessary for processing purposes expressly permitted under this Addendum; (ii) as permitted or to the extent required pursuant to the Contract(s); or (iii) where required by applicable law.
    2. Subcontracting: Licensee may appoint third party processors to process Data for the purposes expressly permitted under this Addendum, provided that such processors: (a) agree in writing to process Data in accordance with Licensee’s documented instructions; (b) implement appropriate technical and organizational security measures that are at least as protective as those described in Annex B (where applicable) to protect the Data against a Security Incident; and (c) otherwise provide sufficient guarantees that they will process the Data in a manner that will meet the requirements of Applicable Privacy Law and this Addendum.
    3. Security: Licensee shall implement appropriate technical and organizational measures that are at least as protective as those described in Annex B (where applicable) to protect the Data from Security Incidents (“Security Measures“). Such Security Measures shall at a minimum comply with the requirements of Applicable Privacy Laws. In the event that Licensee suffers a Security Incident, it shall notify PubMatic without undue delay and both parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
    4. International transfers: Where European Data Protection Law applies to the Data, the Licensee shall not process any such Data (nor permit any Data to be processed) in a territory outside of Europe (whether directly or via onward transfer) unless it has taken such measures as are necessary to ensure the transfer is in compliance with European Data Protection Law (including such measures as may be communicated by PubMatic to Licensee from time to time) and this Addendum.
    5. Transfer arrangements: To the extent that PubMatic adopts a data export mechanism not described in this Addendum (including any new version of or successor to the Standard Contractual Clauses pursuant to applicable European Data Protection Law) for the transfer of Data including the Data Privacy Framework or any U.S.- EU cross border transfer program which supersedes the Data Privacy Framework (an “Adequacy Mechanism”). (“Alternative Transfer Mechanism“), such Alternative Transfer Mechanism shall apply instead of any mechanism described in this Addendum. Notwithstanding anything to the contrary, an Alternative Transfer Mechanism shall only apply to the extent that it complies with Applicable Privacy Law applicable to the country where the processing activities take place. Licensee agrees to execute any document and take any appropriate action as reasonably necessary to give effect to such Alternative Transfer Mechanism.
    6. Cooperation and data subject rights: In the event that either party receives: (i) any request from a data subject to exercise any of its rights under Applicable Privacy Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data (collectively, “Correspondence”) then, where such Correspondence relates to processing conducted by the other party, it shall promptly inform the other party and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfil their respective obligations under Applicable Privacy Law.
    7. Change in Law: Notwithstanding anything to the contrary in the Contract or this Addendum, in the event of a change in Applicable Privacy Law or a determination or order from a supervisory authority or competent court affecting this Addendum or any processing activities under this Addendum, PubMatic may, in its sole discretion, amend this Addendum as reasonably necessary to ensure continued compliance with Applicable Privacy Law or compliance with any such orders.
    8. Survival:This Addendum shall survive termination or expiry of the Contract(s). Upon termination or expiry of the Contract(s), Licensee shall cease all processing of the Data.
    9. Miscellaneous: This Addendum shall be governed by and construed in all respects in accordance with the governing law and jurisdiction provisions set out in the Contract(s), unless required otherwise by Applicable Privacy Laws. With effect from the effective date of the Contract(s), this Addendum shall be deemed a part of and incorporated into the Contract(s) so that references in the Contract(s) to the “Agreement” shall be interpreted to include this Addendum. Except for the changes made by this Addendum, the Contract(s) shall remain unchanged and in full force and effect. In the event of any conflict or inconsistency between this Addendum and any other term or terms of the Contract(s), this Addendum shall prevail in respect of the subject matter (i.e. the protection of personal data). This Addendum may be executed: (i) in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement; and (ii) via a recognized electronic signature service or delivered by facsimile transmission, or may be signed, scanned and emailed, and any such signatures shall be treated as original signatures for all applicable purposes. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses. Accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Contract(s), including this Addendum, the Standard Contractual Clauses shall prevail to the extent of such conflict. The parties further agree this Addendum (with any commercially sensitive information redacted) may be shared with the US Department of Commerce on request.

 

Annex A

Description of Processing Activities/ Transfer

Annex A(1) List of Parties:

Data Exporter

Data Importer

Name: PubMatic, Inc.

Name: See Order Form

Address: 601 Marshall St

Redwood City, California 94063, USA

Address: See Order Form

Contact Person’s Name, position and contact details: Data Protection Officer, reachable at dpo[at]pubmatic[.]com, Privacy Officer, reachable at privacy[at]pubmatic[.]com

Contact Person’s Name, position and contact details: As specified in the Order Form

Activities relevant to the transfer

See Annex A(2) below

Role: Controller

Role: Controller

Annex A(2) Description of transfer:

C2C Transfers

Description

Categories of data subjects:

End users of the publisher properties covered by the Licensee’s activities or end users viewing ads delivered to PubMatic’s publisher customer’s properties.

Categories of personal data:

  • Pseudonymous digital advertising identifiers, including but not limited to cookie IDs, mobile advertising IDs (MAIDs), hashed email addresses and alternative third-party identifiers; impression-level transaction data including timestamps, inventory attributes, deal IDs, and bid data; and truncated IP addresses.

Sensitive data:

None.

If sensitive data, the applied restrictions or safeguards

N/A

Frequency of the transfer:

Continuous

Nature and subject matter of processing:

Personal data transferred will be processed in accordance with the Contract and may be subject to the following processing activities:

  • Storage and other processing necessary for the Permitted Purposes
  • Disclosures in accordance with the Contract and/or as compelled by applicable laws.

Purpose(s) of the data transfer and further processing:

To enable Data Importer to process Data as a controller solely for purposes expressly permitted under the Contract and in a manner that complies with EU/UK Data Protection Law (the “Permitted Purposes“). Such purposes include: (a) conversion measurement and attribution of advertising campaigns run through PubMatic’s platform; (b) transparency and verification relating to the PubMatic Services, PubMatic’s platform, and inventory provided by PubMatic; (c) media planning, optimization, delivery, and activation of advertising campaigns in the PubMatic Services, PubMatic’s platform, and inventory provided by PubMatic; and (d) ad delivery, analytics and reporting.

Retention period (or, if not possible to determine, the criteria used to determine that period):

Licensee will not, and will not permit any third party, to retain the Data for longer than the period during which the Licensee has a legitimate need to retain the Data for the Permitted Purposes and in compliance with EU/UK Data Protection Law

Annex A(3) Competent supervisory authority:

The competent supervisory authority, in accordance with Clause 13 of the EU SCCs will be, for Data protected by the EU GDPR the Dutch Data Protection Authority (Dutch DPA) and for Data protected by the Swiss DPA, the Federal Data Protection and Information Commissioner (FDPIC). With respect to UK Data, the competent supervisory authority is the Information Commissioners Office (the “ICO“).

 

Annex B

Technical and Organizational Measures

The technical and organizational measures implemented by Licensee (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are as follows:

Type of measure

Terms

Measures of pseudonymization and encryption of personal data

Description of technical measures in place to prevent re-identification

  • Licensee has implemented data minimization and privacy-by-design into its software development process to prevent personal data from being directly linkable to a data subject. This includes measures such as truncating coordinates of geolocation data and removing the last octet from IP addresses.
  • Licensee only works with pseudonymized identifiers and has management and organizational controls are in place to prohibit internal teams, any relevant partners and subprocessors, from re-identifying data processing in connection with the Agreement.
  • If and when directly identifiable information were to be processed in connection with the services for addressability purposes, Licensee will ensure that industry standard cryptographic techniques are immediately applied to such data, including but not limited to, hashing, to help ensure data cannot be reidentified by unauthorized parties.
  • Advertising identifiers used by Licensee to track devices and deliver ads are not persistent; they are designed to deprecate within a reasonable time frame.
  • When activating/ monetizing audiences, sensitive or directly identifiable personal data is not processed, but instead segment codes/ deal codes are exchanged by the parties. Licensee does not process any actual characteristics about a data subject’s pseudonymized advertising ID.

Measures for ensuring ongoing confidentiality of processing systems and services

Description of measures in place to secure information stored on systems.

  • Licensee has implemented and maintains a written information security program and has implemented measures to ensure the integrity, availability and security of personal information, including regular vulnerability scans and endpoint protection.
  • Licensee limits the risk that personal data will be exposed by implementing a data retention schedule to systems that store personal data processed performed in connection with the Contract.
  • Operational, technical management level controls in place that ensure end-user data processed by the platform cannot be linked to a natural person’s identity. Confidentiality terms with personnel. Security program that aligns to industry good practices.

Measures for ensuring ongoing integrity of processing systems and services

Licensee has implemented and maintains an information security program that contains administrative, technical and physical safeguards appropriate to protect against anticipated threats to, confidentiality and integrity of, and the unauthorized or accidental destruction, loss, access, acquisition, alteration or use of, personal data, and that meets (i) reasonable security practices applicable to Licensee’s industry; and (iii) any security requirements under the laws applicable Licensee under applicable law.

Measures for ensuring ongoing availability and resilience of processing systems and services

Licensee maintains personal data availability and resilience through a variety of technical, physical, and administrative measures.

Examples of these measures include: tolerant infrastructure with geographically distinct availability zones for redundant data; secured and monitored operational sites; and, processes and policies for topics such as incident response and review, and vendor review.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • See response above.
  • Further measures include regular backups, business continuity readiness plans and disaster recovery plans.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
  • At least once annually, security measures relevant to the processing of personal data are reviewed and tested for alignment with industry good practices.
  • Security compliance has been integrated into Licensee’s product development practices, and the Licensee privacy, security and engineering teams collaborate regularly to ensure those standards are kept up to date.

Measures for user identification and authorization
  • Licensee has in place procedures that comply with applicable law to authenticate requests from data subjects who have submitted rights request.
  • Licensee has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized employees with a “need to know”.
  • Licensee has in place industry standard policies to ensure that unauthorized current and former personnel cannot improperly access systems that process personal data.

Measures for the protection of Data during storage
  • As per the Contract, personal data processed in connection with the services will not contain any sensitive personal information, and will be limited in scope, always pseudonymized (i.e., cookie ID, user agent information, etc.) and cannot be directly identified with a natural person by Licensee.
  • Data is only stored for as long as necessary for Licensee’s legitimate business purposes and is subject to a data retention schedule.
  • Personal data minimization procedures are in place with regard to personal data stored on Licensee’s systems

Measures for ensuring physical security of locations at which personal data are processed
  • Facilities involved in the processing of personal data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, two-factor authentication, firewalls, and anti-malware. Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required in order to deliver advertising services under the Agreement.
  • Licensee provides personnel who access personal data with appropriate information security and data protection training. Licensee maintains appropriate physical security measures at each facility where personal data is processed, including authentication of all personnel who access data centers, IT equipment having physical barriers designed to prevent access by unauthorized individuals, and manned reception areas or logbooks with visitor entry/ exit dates and times.

Measures for certification/ assurance of processes and products
  • Licensee participates in industry certification and self-regulatory programs such as DAA, NAI Code of Practice. IAB TCF 2.0, and the IAB CCPA Compliance Framework.

Measures for ensuring data minimization
  • Procedures are embedded in the system development process to minimize personal data collected and processed by the Licensee (e.g., truncation of IP address, stripping of personal data when an impression will be monetized using contextual ad-targeting, no data collection from unconsented or improperly consented impressions).
  • Licensee has a dedicated technical privacy specialist whose role focuses is at least partly dedicated to reviewing the implementation of data minimization across the organization.

Measures for ensuring accountability
  • Licensee performs a data mapping exercise that complies with Article 30 of GDPR and has created a record of processing activity to ascertain the scope of personal data processing activities performed by the organization.
  • Licensee has implemented a privacy program that is appropriate to the scope and nature of personal data processed that includes a personal data breach policy, data protection and legitimate interest assessments (where appropriate), appointment of a data protection officer (DPO), and data protection controls such as privacy by design.
  • The foregoing measures are regularly reviewed (at least once annually) and updated to ensure alignment with applicable law and industry standards.

Measures for allowing data portability and ensuring erasure
  • Licensee has implemented and maintains procedures to ensure data portability and erasure that comply with data protection laws. Licensee has designated a data protection leader who is responsible for ensuring all requests from data subjects are reviewed and documented, including requests for erasure and copies of personal data, and that data subject requests are carried out timely and in accordance with law.

 

Annex C

US Privacy Addendum

  1. Applicable Privacy Laws. To the extent referenced in the Agreement and hereunder, “Applicable Privacy Law(s)” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, European Data Protection Law and all applicable US federal and state privacy and data protection laws, including the California Consumer Privacy Act, § 1798.100 et. seq., as amended by the California Privacy Rights Act of 2021 (“CCPA”), and any other US state privacy laws as enacted, amended, or supplemented from time to time.
  2. General. To the extent European Data Protection (or similar reference) provisions in the existing Agreement mutually apply to US privacy laws, those provisions shall be deemed incorporated by reference to this Addendum.
  3. Personal Data and Privacy Requirements. To the extent referenced in the Agreement and hereunder, “Personal Data” and “Privacy Requirements” shall incorporate Applicable Privacy Laws and Data Protection Laws
  4. Sell and Share. The terms “Sell,” and “Share,” shall have the meanings given to them in the CCPA.
  5. Use Instructions and Limitations. To the extent Provider processes relating to residents of California, Colorado, Connecticut, Utah, and Virginia and other US States as may be applicable:
      1. Provider shall use, retain, disclose, or otherwise process Personal Data for the specific Purpose and in accordance with PubMatic’s instructions, including as described in the Agreement. Provider shall not Sell or Share Personal Data, as “Sell” and “Share” are defined in the CCPA and other applicable Data Protection Laws, nor use, retain, disclose, or otherwise process Personal Data outside of its business relationship with PubMatic or for any other purpose except as required by law. Provider will inform PubMatic in the time period required by applicable Data Protection Law if Provider determines that it is no longer able to meet its obligations under Data Protection Laws or where, in Provider’s reasonable opinion, any of PubMatic’s instructions infringes any Data Protection Laws. PubMatic reserves the right to take reasonable and appropriate steps to discontinue and remediate unauthorized use of Personal Data.
      2. Provider shall have rights to use Personal Data solely (i) to the extent necessary to (a) perform the Purpose under this Agreement; (b) use aggregate statistics in a manner that prevents individual identification or re-identification of PubMatic, PubMatic Data, or Personal Data, including without limitation any individual device, or individual person; and/or (c) protect the Personal data from security threat; (ii) if required by order of a court or authorized governmental agency, provided that prior notice first be given to PubMatic, or (iii) as otherwise expressly authorized by PubMatic.
      3. Provider will not combine Personal Data it processes with Personal Data it receives from or on behalf of another person or persons, or that it collects from its own interactions with individuals, provided that Provider may combine Personal Data to perform the Purpose permitted or required under the Agreement.
    2. Third Parties. To the extent Provider processes the Personal Data of California residents as a “Third Party,” as “Third Party” is defined under the CCPA, § 1798.100 et. seq., this section, 5.2, will apply instead of 5.1 for such processing conducted as a Third Party: Provider may process Personal Data only for the limited and specified purposes described in the Agreement including this DPA. Provider must comply with all applicable Data Protection Laws, including all applicable sections of the CCPA and provide the same level of privacy protection as required of businesses by the CCPA. Among these, Provider must comply with consumer requests to opt out of Sale or Sharing forwarded by PubMatic. Where Provider is providing services that includes the collection of Personal Data, Provider shall check for and comply with the website visitor’s opt-out preference signal. Provider will inform PubMatic in the time period required by applicable Data Protection Law if Provider determines that it is no longer able to meet its obligations under Data Protection Laws or where, in Provider’s reasonable opinion, any of PubMatic’s instructions infringes any Data Protection Laws. PubMatic reserves the right to take reasonable and appropriate steps to discontinue and remediate unauthorized use of Personal Data.
    3. Deidentification. Where Provider is permitted by applicable Data Protection law or this DPA to use PubMatic Personal Data for its internal business purposes in an aggregated and deidentified manner, Provider agrees to take reasonable measures designed to ensure that the Personal Data cannot be associated with an individual (or, household, where applicable), publicly commits to maintain and use the information in de-identified form only and make no attempt to re-identify the information except where necessary to test its de-identification processes, and contractually obligates any authorized recipients to comply with these obligations.
    4. Certification. Provider certifies that it understands these obligations and restrictions and will comply with them.