Dated: December 8, 2022
This Data Processing Addendum (“Addendum”) is entered into by and between PubMatic, Inc. (“PubMatic”) and the party subject to the Connect Data Provider Agreement or its equivalent (the “Agreement”) between the parties relating to the subject matter of this Addendum.
The terms in this Addendum shall only apply to the extent PubMatic collects or otherwise processes Personal Data contained within Licensed Content protected or otherwise regulated by EU Data Protection Law. Capitalized terms used in this Addendum shall have the meaning given to them in the main body of the Agreement unless otherwise defined in this Addendum.
IT IS AGREED:
1. Definitions
“Demand Partners” means PubMatic’s media buying clients, including but not limited to demand side platforms, ad exchanges, agencies, agency trading desks and ad networks and PubMatic Customers described in Section 11.1 of the Agreement.
“Europe” means for the purposes of this Addendum, the European Economic Area and/or its member states, Switzerland and the United Kingdom.
“EU Data Protection Law” means all data protection and privacy laws and regulations enacted in Europe, including (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any national laws made under or pursuant to (i) or (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); and (v) in respect of the United Kingdom, GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (together, “UK Privacy Law”); (in each case, as superseded, amended or replaced).
“Personal Data” means any information relating to an identified or identifiable natural person to the extent that such information is protected as personal data under applicable EU Data Protection Law.
“Privacy Requirements” means all applicable international, federal, national and state data protection and privacy laws, regulations, and industry self-regulatory rules, codes and guidelines that apply to the processing of data (including Personal Data) that is protected by EU Data Protection Law, as applicable to Client, PubMatic and its Demand Partners, including without limitation: (i) the rules, codes and guidelines of the European Interactive Digital Advertising Alliance (EDAA) and the Network Advertising Initiative (NAI); and (ii) EU Data Protection Law (in each case, as amended, superseded or replaced).
“PubMatic Services” has the meaning given to it in the Agreement.
“Restricted Transfer” means: (i) where the GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner; and (iii) where the UK Privacy Law applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to section 17A of the United Kingdom Data Protection Act 2018.
“Standard Contractual Clauses” means Module 2 (Controller to Processor) or Module 3 (Processor to Processor), as applicable, of the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 located at https://eur-lex.europa.eu/eli/dec_impl/2021/914, as applicable and completed in accordance with this Addendum.
“Subprocessor” means any third party that has access to the Audience Personal Data and which is engaged by PubMatic to assist in fulfilling its obligations to provide the Services. Subprocessors may include PubMatic affiliates but shall exclude any PubMatic employee, contractor or consultant.
“UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under S119(A) of the UK Data Protection Act 2018, as updated or amended from time to time.
“Controller”, “data subject”, “processing” (and “process”), and “Processor” shall have the meanings given to them in EU Data Protection Law.
2. Scope of processing:
Client acknowledges and agrees that in connection with the PubMatic Services, PubMatic may receive from Client Personal Data contained within Licensed Content (as defined in the Agreement) about or related to End Users of the Client Properties, as more particularly described in Appendix 1 of this Addendum (“Audience Personal Data”).
3. Relationship of the parties:
The parties acknowledge that PubMatic shall process Audience Personal Data under the Agreement as a Processor acting on behalf of Client (whether acting as a Controller or a Processor itself on behalf of third party Controllers) in accordance with this Addendum. Nothing in the Agreement (including this Addendum) shall limit or prevent PubMatic from collecting or using data that PubMatic would otherwise collect and process independently of Client’s use of the PubMatic Services.
4. Data Protection.
PubMatic agrees that:
4.1. the description of the processing of Audience Personal Data is set out in Appendix 1 of this Addendum;
4.2. PubMatic shall process the Audience Personal Data only for the purposes of delivering the PubMatic Services in accordance with the Agreement and on the documented lawful instructions of Client as set out in full in this Addendum and the Agreement, including with regard to transfers of Audience Personal Data to a third country, unless required otherwise by applicable law; in such event, PubMatic shall inform Client of the legal requirement before processing, unless that law prohibits the provision of such information to Client. PubMatic shall inform Client if, in its opinion, Client’s instructions infringe EU Data Protection Law;
4.3. PubMatic shall ensure that persons authorized to process Audience Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
4.4. PubMatic shall respect the conditions for appointing a Subprocessor as set out in Section 5 below;
4.5. taking into account the nature of the processing, PubMatic shall assist Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of any obligation Client has under EU Data Protection Law to respond to requests from data subjects to access, correct, delete, object or exercise any other rights they have in respect of the Audience Personal Data under EU Data Protection Law;
4.6. if PubMatic receives any correspondence, enquiry or complaint from a data subject, regulatory or any other person particularly relating to its processing of Audience Personal Data, it will promptly inform Client and provide it with full details of the same unless and to the extent prevented by applicable law. Unless otherwise required by applicable law, PubMatic will not respond to any correspondence, enquiry or complaint from a data subject directly except to direct the data subject to the Client, unless authorised by Client (such permission not to be unreasonably withheld or delayed), and Client agrees that PubMatic shall have no obligation to respond on Client’s behalf;
4.7. if Client is required by applicable Privacy Requirements to conduct a data protection impact assessment in respect of the PubMatic Services, PubMatic shall provide (on a confidential basis) all information reasonably requested by Client in connection with such assessment;
4.8. at the choice of Client, PubMatic shall delete or return all the Audience Personal Data to Client after the end of the provision of the PubMatic Services and the certificate of deletion of Personal Data described in Clauses 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by PubMatic to Client upon Client’s written request; and
4.9. PubMatic shall make available to Client all information reasonably necessary for PubMatic to demonstrate its compliance with the obligations in this Addendum, including by way of providing written responses to any audit questions raised by Client (such audits not to be conducted more than once per annum and at Client’s expense).
5. Subprocessing:
Client provides PubMatic with a general authorization to engage Subprocessors to assist in processing the Audience Personal Data in the performance of the PubMatic Services provided that:
5.1. PubMatic shall ensure that its Subprocessors are subject to data protection terms that protect the Audience Personal Data to the same or substantially similar standard as set out in this Addendum;
5.2. PubMatic accepts full liability for any breach of this Addendum that is caused by the act, error or omission of its Subprocessors;
5.3. PubMatic maintains a list of its then-current Subprocessors and shall provide such a list to Client upon request; and
5.4. if PubMatic wishes to appoint or replace a Subprocessor it shall provide Client with a minimum of ten (10) days’ prior notice and Client may object to such appointment or replacement on reasonable data protection grounds within five (5) days following receipt of such notice. If Client so objects, then either (i) PubMatic shall not use the proposed Subprocessor to process the Audience Personal Data; or (ii) if this is not possible, Client may terminate the Agreement for its convenience upon written notice to PubMatic.
6. International Transfers:
6.1. Subject to Section 6.2, to the extent that Client (as “data exporter”) provides, makes available or otherwise transfers Audience Personal Data to PubMatic (as “data importer”) and such transfer is a Restricted Transfer, the transfer shall be subject to the Standard Contractual Clauses, which shall be incorporated into and form an integral part of this Addendum as follows:
6.1.1. in relation to transfers of Audience Personal Data protected by the GDPR: (i) Module 2 (controller to processor) or Module 3 (processor to processor) shall apply, as applicable and in accordance with Section 3 of this Addendum; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 9, Option 2 will apply and the time period for notice of changes to Subprocessors shall be as agreed under Section 5 above; (iv) in Clause 11, the optional language will not apply; (v) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by the laws of Ireland; (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vii) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 1 to this Addendum; and (viii) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 2 to this Addendum;
6.1.2. in relation to transfers of Audience Personal Data protected by UK Privacy Law, the Standard Contractual Clauses shall also apply in accordance with Section 6.1.1 above, but as modified and interpreted by Part 2: Mandatory Clauses of the UK Addendum, which shall be deemed executed by the Parties and incorporated into and form an integral part of this Addendum. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Appendices 1 and 2 of this Addendum and Table 4 in Part 1 shall be deemed completed by selecting “neither party”; and
6.1.3. in relation to transfers of Audience Personal Data protected by the Swiss DPA, the Standard Contractual Clauses shall also apply in accordance with Section 6.1.1 above, with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”; (iv) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (v) Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner; (vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection and Information Commissioner” and “applicable courts of Switzerland”; (vii) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and (viii) Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
6.2. The terms of the Standard Contractual Clauses shall not apply where and to the extent PubMatic (as the data importer) and the applicable transfer of Audience Personal Data are covered by an alternative, suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for Personal Data (an “Adequacy Mechanism”). Where an Adequacy Mechanism applies, PubMatic may process the Audience Personal Data in compliance with the Adequacy Mechanism.
7. Security:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, PubMatic shall implement appropriate technical and organizational security measures to protect the Audience Personal Data as described in Appendix 2 of this Addendum (“Security Measures”). Such Security Measures shall protect the Audience Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Audience Personal Data transmitted, stored or otherwise processed by PubMatic (a “Security Incident”). PubMatic shall inform Client without undue delay in the event of a Security Incident. PubMatic may make changes to the Security Measures from time to time, so long as such changes do not degrade the overall security of the processing.
8. General:
If there is any conflict between any provision in this Addendum and any provision in the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) Standard Contractual Clauses (where applicable); then (b) this Addendum, and then (c) the main body of the Agreement. With effect from the effective date, this Addendum is part of, and incorporated into the Agreement. To the extent there are any prior agreements with regard to the subject matter of this Addendum, this Addendum supersedes and replaces such prior agreements. This Addendum shall survive termination or expiry of the Agreement. Upon termination or expiry of the Agreement PubMatic may continue to process the Audience Personal Data provided that such processing complies with the requirements of this Addendum and the Privacy Requirements. This Addendum may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. This Addendum may be executed via a recognized electronic signature service or delivered by facsimile transmission, or may be signed, scanned and emailed, and any such signatures shall be treated as original signatures for all applicable purposes.
Appendix 1
Description of Processing / Transfer
Annex 1(A): List of parties

| | Data Importer | Data Exporter |
|---|---|---|
| Name | PubMatic, Inc. | The party identified as “Client” in the Addendum. |
| Contact person’s name, position and contact details | DPO, contactable at dpo@pubmatic.com | As specified in the Agreement. |
| Activities relevant to the data transferred | See Annex 1(B) below. | See Annex 1(B) below. |
| Signature and date | See Addendum. | See Addendum. |
| Role (Controller/Processor) | Processor | Controller |

Annex 1(B): Description of the processing / transfer

| Item | Description |
|---|---|
| Categories of data subjects whose personal data is transferred | Consumers (end users) and clients of Data Provider. |
| Categories of personal data transferred | To the extent applicable, but not limited to, Mobile Ad IDs, PubMaticID cookie ID and alternate third party IDs. |
| Sensitive data transferred (if appropriate) | N/A. |
| Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | Continuous. |
| Nature, subject matter and duration of the processing | The nature and subject matter of the processing is the provision of the Connect Services pursuant to the Agreement. The duration of the data processing is generally 30 days from receipt of data. |
| Purposes of the data transfer and further processing | For the purposes of delivering the Connect Services in accordance with the Agreement. |
| Period for which the personal data will be retained, or if that is not possible the criteria used to determine that period, if applicable | Connect Data shall generally be retained for 30 days from receipt by PubMatic. |

Annex 1(C): Competent supervisory authority

| Item | Description |
|---|---|
| The competent supervisory authority, in accordance with Clause 13 of the Standard Contractual Clauses | The competent supervisory authority will be determined in accordance with the GDPR. |
Appendix 2
Technical and Organisational Security Measures
PubMatic implements the following Security Measures:

| Type of measure | Measures implemented |
|---|---|
| Measures of pseudonymisation and encryption of personal data | Alternate IDs are hashed. Where Connect Data is processed in connection with the services for addressability purposes, PubMatic will ensure that industry standard cryptographic techniques, which may include hashing, are immediately applied to such data. When activating/monetizing audiences, sensitive or directly identifiable personal data is not processed. |
| Measures for ensuring ongoing confidentiality of processing systems and services | PubMatic has implemented and maintains an information security program and has implemented measures to ensure the integrity, availability and security of personal information. Confidentiality terms with personnel are in place. System architecture aligns with industry good practices. |
| Measures for ensuring ongoing integrity of processing systems and services | Firewall protection for data ingestion service, ad service, and analytics. Confidentiality terms are in place with personnel. |
| Measures for ensuring ongoing availability and resilience of processing systems and services | Processes in our data centers, under our private cloud infrastructure, aim to ensure “high availability” of services, including but not limited to redundancy and failover triggers. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Automated regular backups of data are set up. Further measures include regular backups, business continuity readiness plans, and disaster recovery plans. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | See above. Upon updates and upgrades, security reviews of the architecture take place. Security compliance has been integrated into Company’s product development practices, and the Company privacy, security and engineering teams collaborate regularly to ensure those standards are kept up to date. |
| Measures for user identification and authorisation | PubMatic has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized employees with a “need to know”. PubMatic has in place industry standard policies to ensure that unauthorized current and former personnel cannot improperly access systems that process personal data. Data activation services (UI workflows for setup, configuration) have authorization measures in place. Data ingestion service supports authorization; no data providers are sending data using authorized end points. |
| Measures for the protection of data during storage | Access to data is restricted to very limited administrative users and application users. Services connect to the data store through a secured channel via credentials. PubMatic does not process any sensitive personal data. |
| Measures for ensuring physical security of locations at which personal data are processed | Facilities involved in the processing of personal data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, two-factor authentication, firewalls, and anti-malware. Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required. |
| Measures for certification/assurance of processes and products | Security process reviews occur quarterly as part of the annual SOX audit. |
| Measures for ensuring data minimisation | No data linking happens across IDs. Data has a TTL set. Data is cleaned automatically on expiry. |
| Measures for ensuring accountability | Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required, and changes are logged. |
| Measures for allowing data portability and ensuring erasure | PubMatic maintains a data subject request process which supports the privacy rights (access, deletion, rectification and portability) of data subjects as provided under the GDPR or other applicable law. |