CONVERT (RETAIL MEDIA SOLUTION) DATA PROTECTION AGREEMENT
This Data Protection Agreement (“Agreement” or “DPA”) is entered into by and between PubMatic, Inc. (“PubMatic”) and you (“Company”), and forms part of all agreements between the parties relating to the subject matter of this DPA (each, an “Agreement”). This DPA is effective as of the date on which the DPA is signed or otherwise adopted by both parties (“Effective Date”).
The terms in this Agreement shall only apply to the extent PubMatic or you collect or otherwise process Data (including Personal Data) protected or otherwise regulated by Data Protection Law. Capitalized terms used in this Agreement shall have the meaning given to them in the main body of the Agreement unless otherwise defined in this Agreement.
IT IS AGREED:
1. Definitions
“Adequacy Mechanism” has the meaning described in Section 12.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020.
“Controller” means the entity that determines the purposes and means of the processing of Personal Data.
“Data” has the meaning given to it in Section 2 of this DPA.
“Data Exporter” means the party sending or transferring Personal Data that is subject to Data Protection Law.
“Data Importer” means the party receiving Personal Data that is subject to Data Protection Law.
“Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced.
“Data Protection Law” means, as applicable to a party in its processing of Data: (i) Regulation 2016/679 (the European General Data Protection Regulation) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC) (“e-Privacy Directive”); (iii) all national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); (v) in respect of the United Kingdom, the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 (together, “UK Privacy Law”); and (vi) State Privacy Laws; in each case, as may be amended, superseded or replaced from time to time.
“Europe” means, for the purposes of this DPA, the European Economic Area (EEA), the United Kingdom, and Switzerland.
“Partners” means PubMatic’s third-party partners including but not limited to data providers, matching partners, analytics partners, attribution partners and fraud partners.
“Personal Data” means any information relating to an identified or identifiable natural person to the extent that such information is protected as “personal data” under applicable Data Protection Law.
“Privacy Requirements” means: (i) Data Protection Law, as applicable to Company, PubMatic, its Partners, and their respective processing of Data under this DPA; and (ii) any applicable self-regulatory codes, rules or guidelines, including without limitation, the rules, codes and guidelines of the European Interactive Digital Advertising Alliance (EDAA), the Network Advertising Initiative (NAI), and IAB Transparency and Consent Framework (TCF) (in each case, as amended, superseded or replaced).
“PubMatic Products” has the meaning given to it in the Agreement or if not set forth in the Agreement, means PubMatic’s online advertising services, products, and features described at https://pubmatic.com/legal/program-descriptions.
“Restricted Transfer” means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK Privacy Law applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
“Tracking Technologies” means technologies used to store or gain access to data stored on a user’s device, including (as applicable), cookies, mobile SDKs, browser cache, unique identifiers, web beacons, pixels and/or similar tracking technologies.
“PubMatic Privacy Policy” means the PubMatic privacy policy available on PubMatic’s public facing website, the most current version of which is available at www.pubmatic.com/privacy-policy (as updated or amended from time to time).
“Standard Contractual Clauses” means Module 1 (Controller to Controller) of the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 located at https://eur-lex.europa.eu/eli/dec_impl/2021/914.
“State Privacy Laws” means the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring of 2022, the Indiana Consumer Data Protection Act, the Iowa Act Relating to Consumer Data Protection of 2023, the Montana Consumer Data Privacy Act, the Tennessee Information Protection Act, the Utah Consumer Privacy Act of 2022, and the Virginia Consumer Data Protection Act, and other additional U.S. state privacy laws enacted, in each case as amended and including any regulations promulgated thereunder.
“UK Addendum” means the International Data Transfer Addendum (version B1.0) to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under S.119(A) of the UK Data Protection Act 2018, as amended, superseded or replaced from time to time.
The terms “data subject”, “processing” (and “process”) shall have the meanings given to them in Data Protection Law.
The terms “Sell” and “Share” shall have the meanings given to them in the CCPA.
2. Scope of processing: Unless otherwise and separately agreed between the parties, the parties agree and understand that: (i) in connection with the PubMatic Products, a Data Importer may receive or otherwise collect (solely in the case of PubMatic) Data (including Personal Data) as more particularly described in Annex A of this DPA (collectively, “Data”); (ii) a party hereto may use Tracking Technologies in order to collect certain Data; and (iii) PubMatic (and its Partners) may process the Data for (a) the purposes contemplated by the Agreement and any other purposes described in the PubMatic Privacy Policy (in the case of PubMatic) and (b) the purposes described in this DPA (in the case of Company) (“Permitted Purposes”).
3. Relationship of the parties: The parties acknowledge that, subject to the designated role of a party in Annex A of this DPA, each party may process such Data as a separate and independent Controller and only for the Permitted Purposes, and in the case PubMatic is acting as a Processor, it shall process data in accordance with the terms of this DPA.
4. Requesting Consent: In each case where consent is the lawful basis for processing Personal Data and/or required for use of Tracking Technologies pursuant to the Privacy Requirements, the Data Exporter agrees that it shall be responsible for obtaining all necessary consents from the relevant data subjects on behalf of the Data Importer to lawfully permit the Data Importer to: (i) collect, process and share Data for the Permitted Purposes; and (ii) enable PubMatic to use Tracking Technologies in order to collect Data in connection with the performance of the PubMatic Products. The Data Exporter represents and warrants that it shall, at all times, maintain and make operational a mechanism for obtaining and recording such consent that also enables such consent to be withdrawn, in accordance with applicable Privacy Requirements. PubMatic is registered with and supports the IAB Transparency and Consent Framework (“Industry Framework”).
5. Notice Requirements: The Data Exporter agrees that it is responsible for ensuring that all data subjects are appropriately notified about the data collection and use practices taking place through the PubMatic Products. The Data Exporter represents and warrants that it shall conspicuously post, maintain and abide by a publicly accessible privacy notice within all destinations from which the Data is collected that satisfies the requirements of the Privacy Requirements and the Agreement (including this DPA). Without prejudice to the generality of the foregoing, such notice shall at a minimum include the following information: (i) a statement that data may be collected for advertising purposes; (ii) a description of the type of Personal Data collected by the Data Importer (and, in the case of PubMatic, its Partners) and the purposes of processing thereof; (iii) a description of the categories of individuals who will have access to the Personal Data; (iv) the identity of the Controller(s) of the Data; (v) a conspicuous link to or description of how to access a relevant choice mechanism; and/or (vi) any other information required to comply with the information and transparency requirements of applicable Privacy Requirements. The PubMatic Privacy Policy, with its explanation of the Data PubMatic collects and how the PubMatic Products use it, may assist Company in complying with its notification obligations under this DPA.
6. Prohibited Data Sharing: Company shall not target Ads to any users or on any sites using any of the PubMatic Products if such is directed at or likely to be accessed by any data subject that is deemed a child under the applicable Privacy Requirements of the country in which the child resides. Company shall flag within the PubMatic Products, or inform PubMatic in writing, prior to launching any such Company Properties on any of the PubMatic Products or passing to PubMatic or its Partners any Personal Data of any data subject that is deemed a child under applicable Data Protection Law.
7. Noncompliance: If either party is unable to comply with its consent and notice obligations under the Agreement (including this DPA) in respect of the Data, such party shall promptly notify the other party hereto.
8. Co-operation and Data Subject Rights: The parties shall, on request, provide each other with all reasonable and timely assistance (at their own expense) and co-operation to enable the other party to comply with its obligations under the Privacy Requirements, including in order to enable the other party to respond to: (i) any request from a data subject to exercise any of its rights under Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) in relation to the Data; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data (“Correspondence”). Each party shall promptly inform the other if it receives any Correspondence directly from a data subject in relation to the Data. Subject to obligations of confidentiality and policies on disclosure of information, where a party has a concern that the other party has not complied with this DPA, the parties agree to exchange information to ascertain the cause of such non-compliance and take reasonable steps to remediate.
9. Processor Terms
9.1 Data Protection. PubMatic agrees that:
9.1.1 the description of the processing of Personal Data is set out in Annex A of this DPA;
9.1.2 PubMatic shall process the Personal Data only for the purposes of delivering the PubMatic Services in accordance with the Agreement and on the documented lawful instructions of Company as set out in full in this DPA and the Agreement, including with regard to transfers of Personal Data to a third country, unless required otherwise by applicable law; in such event, PubMatic shall inform Company of the legal requirement before processing, unless that law prohibits the provision of such information to Company. PubMatic shall inform Company if, in its opinion, Company’s instructions infringe Data Protection Law;
9.1.3 PubMatic shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
9.1.4 PubMatic shall respect the conditions for appointing a Subprocessor as set out in Section 9.2 below;
9.1.5 taking into account the nature of the processing, PubMatic shall assist Company by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of any obligation Company has under Data Protection Law to respond to requests from data subjects to access, correct, delete, object or exercise any other rights they have in respect of the Personal Data under Data Protection Law;
9.1.6 if PubMatic receives any correspondence, enquiry or complaint from a data subject, regulator or any other person relating to its processing of Personal Data, it will promptly inform Company and provide it with full details of the same unless and to the extent prevented by applicable law. Unless otherwise required by applicable law, PubMatic will not respond to any correspondence, enquiry or complaint from a data subject directly except to direct the data subject to Company, unless authorised by Company (such permission not to be unreasonably withheld or delayed), and Company agrees that PubMatic shall have no obligation to respond on Company’s behalf;
9.1.7 if Company is required by applicable Privacy Requirements to conduct a data protection impact assessment in respect of the PubMatic Services, PubMatic shall provide (on a confidential basis) all information reasonably requested by Company in connection with such assessment;
9.1.8 at the choice of Company, PubMatic shall delete or return all the Personal Data to Company after the end of the provision of the PubMatic Services and the certificate of deletion of Personal Data described in Clauses 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by PubMatic to Company upon Company’s written request; and
9.1.9 PubMatic shall make available to Company all information reasonably necessary for PubMatic to demonstrate its compliance with the obligations in this DPA, including by way of providing written responses to any audit questions raised by Company (such audits not to be conducted more than once per annum and at Company’s expense).
9.2 Subprocessing: Company provides PubMatic with a general authorization to engage Subprocessors to assist in processing the Personal Data in the performance of the PubMatic Services provided that:
9.2.1 PubMatic shall ensure that its Subprocessors are subject to data protection terms that protect the Personal Data to the same or substantially similar standard as set out in this DPA;
9.2.2 PubMatic accepts full liability for any breach of this DPA that is caused by the act, error or omission of its Subprocessors;
9.2.3 PubMatic maintains a list of its then-current Subprocessors and shall provide such a list to Company upon request; and
9.2.4 if PubMatic wishes to appoint or replace a Subprocessor it shall provide Company with a minimum of ten (10) days prior notice and Company may object to such appointment or replacement on reasonable data protection grounds within five (5) days following receipt of such notice. If Company so objects, then either (i) PubMatic shall not use the proposed Subprocessor to process the Data; or (ii) if this is not possible, Company may terminate the Agreement for its convenience upon written notice to PubMatic.
10. Processing of California Personal Data: To the extent either party is a Third Party as defined by the CCPA, the following provisions shall apply: The Third Party may process Personal Data of California consumers only for the limited and specified purposes described in the Agreement or this DPA, in related schedules, services orders and/or statements of work, and in PubMatic’s relevant privacy policies, including this DPA. The Third Party must comply with all Applicable Data Protection Laws, including all applicable sections of the CCPA, and provide the same level of privacy protection as required of businesses by the CCPA. Among these, the Third Party must comply with consumer requests to opt out of Sale or Sharing forwarded by the data exporter. The exporter shall forward such requests (and other privacy rights requests) via the instructions provided at https://pubmatic.com/legal/dsr-notice/ if PubMatic is the Third Party. Where a party is providing services that include the collection of Personal Data on either Company’s or PubMatic’s behalf, to the extent required, the Third Party shall check for and comply with an opt-out preference signal unless otherwise informed by the exporter that such data subject has consented to the Sale or Sharing of their Personal Data.
The Third Party will inform the exporter, in the time period required by Applicable Data Protection Law, if the Third Party determines that it is no longer able to meet its obligations under Data Protection Laws or where, in its reasonable opinion, any of the exporter’s instructions infringes any Applicable Data Protection Laws. The exporter reserves the right to take reasonable and appropriate steps to discontinue and remediate unauthorized use of Personal Data.
11. Standard Contractual Clauses: Subject to Section 12, the parties agree that when the transfer of Personal Data from the Data Exporter to the Data Importer is a Restricted Transfer and Data Protection Law applies, the transfer shall be subject to the Standard Contractual Clauses, which shall be deemed incorporated into and shall form part of this DPA, as follows:
(a) in relation to transfers of Personal Data protected by the GDPR, the Standard Contractual Clauses shall apply, completed as follows: (i) in Clause 7, the optional docking clause will apply; (ii) in Clause 11, the optional language will not apply; (iii) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by the laws of Ireland; (iv) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (v) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex A to this DPA; and (vi) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex B to this DPA;
(b) in relation to transfers of Personal Data protected by UK Privacy Law, the Standard Contractual Clauses shall also apply, completed in accordance with paragraph (a) above, but as modified and interpreted by Part 2: Mandatory Clauses of the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annexes A and B of this DPA, and Table 4 in Part 1 shall be deemed completed by selecting “neither party”; and
(c) in relation to transfers of Personal Data protected by the Swiss DPA, the Standard Contractual Clauses shall also apply, completed in accordance with paragraph (a) above, with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”; (iv) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (v) Clause 13(a) and Part C of Annex A are not used and the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner; (vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection and Information Commissioner” and “applicable courts of Switzerland”; (vii) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and (viii) Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses. Accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement, including this DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict.
12. Adequacy Mechanisms: The terms of the Standard Contractual Clauses will not apply where and to the extent the applicable transfer of Personal Data is covered by an alternative, suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for Personal Data (provided that it is deemed legally valid in jurisdictions subject to Data Protection Law), including any U.S.–EU cross-border data transfer program such as the Data Privacy Framework or any U.S.–EU cross-border transfer program which supersedes the Data Privacy Framework (an “Adequacy Mechanism”). Where an Adequacy Mechanism applies, PubMatic shall process the Personal Data in compliance with the Adequacy Mechanism and the Standard Contractual Clauses shall not apply.
13. Alternative Transfer Mechanisms: The parties agree that if Data Protection Law no longer allows the lawful transfer of Personal Data under the Standard Contractual Clauses and/or a relevant regulator or court of competent jurisdiction requires the parties to adopt additional measures (“Additional Measures”) or an alternative data export solution (“Alternative Transfer Mechanism”) to enable the lawful transfer of Data outside of Europe, and such requirements are not satisfied by an Adequacy Mechanism in line with Section 12 above (if applicable), both parties agree to cooperate and agree any Additional Measures or Alternative Transfer Mechanism that may be required (but only to the extent such Additional Measures or Alternative Transfer Mechanism extend to the territories to which Data is transferred).
14. Contact. Company shall notify PubMatic of an individual within its organization authorized to respond from time to time to enquiries regarding the Data and shall deal with such enquiries promptly. The individual within PubMatic authorized to respond from time to time to enquiries regarding the Data, and who shall deal with such enquiries promptly, can be contacted at dpo@pubmatic.com (or such other contact as may be communicated to Company from time to time).
15. Changes in Law. In the event that there is a change in the Privacy Requirements that apply to the processing of Data that would, in the reasonable opinion of a party, require changes to the PubMatic Products, the means by which the PubMatic Products are provided or used and/or the terms and conditions of this DPA, that party reserves the right (acting reasonably) to request such changes; provided that, to the extent possible, the party requesting the change will provide at least thirty (30) days prior written notice (including by email) of such changes and agrees to discuss such changes in good faith. If the requested changes will cause a material harm to any party (which includes, for the avoidance of doubt, causing a party to be in breach of Data Protection Law) or materially alter any party’s provision or use (as applicable) of the PubMatic Products, such party may terminate the Agreement for the affected PubMatic Products upon written notice without liability for such termination.
16. Security: Both parties shall implement appropriate technical and organizational measures to protect the copy of the Data in their possession or control (i) from accidental or unlawful destruction, and (ii) from loss, alteration, unauthorized disclosure of, or access to the Data.
17. General: Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between any provision in this DPA and any provision in the Agreement, this DPA controls and takes precedence. With effect from the Effective Date, this DPA is part of, and incorporated into, the Agreement. To the extent there are any prior agreements with regard to the subject matter of this DPA, this DPA supersedes and replaces such prior agreements. This DPA shall survive termination or expiry of the Agreement. Upon termination or expiry of the Agreement, PubMatic may continue to process the Data provided that such processing complies with the requirements of this DPA and the Privacy Requirements. This DPA may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. This DPA may be executed via a recognized electronic signature service or delivered by facsimile transmission, or may be signed, scanned and emailed, and any such signatures shall be treated as original signatures for all applicable purposes.
Annex A
Description of the Transfer
A-1 List of Parties
1. Data exporter: for Audience Extension (Direct AXT & Deal ID AXT); Sponsored Listing and Onsite Display Products
| Name: | See Agreement |
| Address: | See Agreement |
| Contact person’s name, position and contact details: | See Agreement |
| Activities relevant to the data transferred under these Clauses: | See Section B (Description of Transfer) below. |
| Signature and date: | See Agreement |
| Role (controller/processor): | Controller |
1. Data importer: for Audience Extension (Direct AXT & Deal ID AXT); Sponsored Listing and Onsite Display Products
| Name: | PubMatic, Inc. |
| Address: | 601 Marshall Street, Redwood City, CA 94063 |
| Contact person’s name, position and contact details: | DPO, contactable at dpo@pubmatic.com |
| Activities relevant to the data transferred under these Clauses: | See Section B (Description of Transfer) below. |
| Signature and date: | See Agreement |
| Role (controller/processor): | Controller: Audience Extension (Direct AXT); Sponsored Listing and Onsite Display Products. Processor: Audience Extension (Deal ID AXT) |
A-2 List of Parties
2. Data exporter: for Log Level Reporting
| Name: | PubMatic, Inc. |
| Address: | 601 Marshall Street, Redwood City, CA 94063 |
| Contact person’s name, position and contact details: | DPO, contactable at dpo@pubmatic.com |
| Activities relevant to the data transferred under these Clauses: | See Section B (Description of Transfer) below. |
| Signature and date: | See Agreement |
| Role (controller/processor): | Controller |
2. Data importer: for Log Level Reporting
| Name: | See Agreement |
| Address: | See Agreement |
| Contact person’s name, position and contact details: | See Agreement |
| Activities relevant to the data transferred under these Clauses: | See Section B (Description of Transfer) below. |
| Signature and date: | See Agreement |
| Role (controller/processor): | Controller |
B. Description of Transfer
Defined terms are as set out in the Data Processing Agreement agreed between the parties.
| Categories of data subjects: | End users and Company Personnel |
| Categories of personal data: | To the extent applicable: End users. Company Personnel: Contact details (name, email, telephone) and professional details (role). |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: | NA |
| The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): | End Users – Continuous. Company Personnel – Only where required to facilitate communication between the parties. |
| Nature of the processing: | Receipt, storage, use and processing for the purpose of supplying the PubMatic Products and managing business relationships. |
| Purpose(s) of the data transfer and further processing: | End Users: For the Permitted Purposes (as defined in this DPA), including (a) transparency and verification in relation to PubMatic Services, the PubMatic platform and inventory provided by PubMatic; (b) media planning, optimization, delivery and activation of advertising campaigns; and (c) ad delivery, analytics and reporting. Company Personnel: For business relationship and account management purposes. |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | Personal Data will be retained in accordance with the PubMatic Privacy Policy at https://pubmatic.com/legal/privacy-policy/. In the case of Company as a recipient of the Personal Data, it will not allow any third party to retain the data for longer than the period for which Company has a legitimate need to retain the data for the Permitted Purposes and in compliance with Data Protection Law. |
C. Competent Supervisory Authority
The competent supervisory authority will be (i) for Personal Data protected by the GDPR, determined in accordance with Clause 13 of the Standard Contractual Clauses; (ii) for Personal Data protected by the Swiss DPA, the Federal Data Protection and Information Commissioner (“FDPIC”); and (iii) for Personal Data protected by UK Privacy Law, the Information Commissioner’s Office (the “ICO”).
Annex B
Technical and Organizational Measures
The technical and organizational measures implemented by PubMatic (including any relevant certifications) to maintain an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are as follows:
PubMatic Inc.
Type of measure | Terms |
Measures of pseudonymization and encryption of personal data | Description of technical measures in place to prevent re-identification
· PubMatic has implemented data minimization and privacy-by-design into its software development process to prevent personal data from being directly linkable to a data subject where consent is not received. · Advertising identifiers used by PubMatic to track devices and deliver ads are not persistent; they are designed to deprecate within a reasonable time frame.
|
Measures for ensuring ongoing confidentiality of processing systems and services | Description of measures in place to secure information stored on systems.
· PubMatic has implemented and maintains a written information security program and has implemented measures to ensure the integrity, availability and security of personal information, including regular vulnerability scans and endpoint protection. · PubMatic limits the risk that personal data will be exposed by implementing a data retention schedule to systems that store personal data processed under the agreement. · Operational, technical management level controls in place that ensure end-user data processed by the platform cannot be linked to a natural person’s identity. Confidentiality terms with personnel. Security program that aligns to industry good practices. |
Measures for ensuring ongoing integrity of processing systems and services | PubMatic has implemented and maintains an information security program that contains administrative, technical and physical safeguards appropriate to protect against anticipated threats to, confidentiality and integrity of, and the unauthorized or accidental destruction, loss, access, acquisition, alteration or use of, personal data, and that meets (i) reasonable security practices applicable to PubMatic’s industry; and (iii) any security requirements under the laws applicable company under applicable law. |
Measures for ensuring ongoing availability and resilience of processing systems and services | PubMatic maintains personal data availability and resilience through a variety of technical, physical, and administrative measures.
Examples of these measures include: fault-tolerant infrastructure with geographically distinct availability zones for redundant data; secured and monitored operational sites; and processes and policies for topics such as incident response and review, and vendor review. |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | · See response above.
· Further measures include regular backups, business continuity readiness plans, and disaster recovery plans. |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | · At least once annually, security measures relevant to the processing of personal data are reviewed and tested for alignment with industry good practices.
· Security compliance has been integrated into Company’s product development practices, and the Company privacy, security and engineering teams collaborate regularly to ensure those standards are kept up to date. |
Measures for user identification and authorization | · PubMatic has in place procedures that comply with applicable law to authenticate requests from data subjects who have submitted rights requests.
· PubMatic has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized employees with a “need to know”. · PubMatic has in place industry standard policies to ensure that unauthorized current and former personnel cannot improperly access systems that process personal data. |
Measures for the protection of Data during storage | · PubMatic does not process any sensitive personal information, and personal data processing is limited in scope.
· Data is only stored for as long as necessary for Company’s legitimate business purposes and is subject to a data retention schedule. |
Measures for ensuring physical security of locations at which personal data are processed | · Facilities involved in the processing of personal data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, two-factor authentication, firewalls, and anti-malware. Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required in order to deliver advertising services under the Agreement.
· PubMatic provides personnel who access personal data with appropriate information security and data protection training. PubMatic maintains appropriate physical security measures at each facility where personal data is processed, including authentication of all personnel who access data centers, IT equipment having physical barriers designed to prevent access by unauthorized individuals, and manned reception areas or logbooks with visitor entry/exit dates and times. |
Measures for certification/assurance of processes and products | · PubMatic participates in industry certification and self-regulatory programs such as the DAA, the NAI Code of Practice, IAB TCF 2.0, and the IAB CCPA Compliance Framework. |
Measures for ensuring data minimization | · Procedures are embedded in the system development process to minimize personal data collected and processed by PubMatic (e.g., no data collection from unconsented or improperly consented impressions).
· PubMatic has a dedicated technical privacy specialist whose role is at least partly dedicated to reviewing the implementation of data minimization across the organization. |
Measures for ensuring accountability | · PubMatic performs a data mapping exercise that complies with Article 30 of GDPR and has created a record of processing activity to ascertain the scope of personal data processing activities performed by the organization.
· PubMatic has implemented a privacy program that is appropriate to the scope and nature of personal data processed that includes a personal data breach policy, data protection and legitimate interest assessments (where appropriate), appointment of a data protection officer (DPO), and data protection controls such as privacy by design. · The foregoing measures are regularly reviewed (at least once annually) and updated to ensure alignment with applicable law and industry standards. |
Measures for allowing data portability and ensuring erasure | · PubMatic has implemented and maintains procedures to ensure data portability and erasure that comply with data protection laws. PubMatic has designated a data protection leader who is responsible for ensuring all requests from data subjects are reviewed and documented, including requests for erasure and copies of personal data, and that data subject requests are carried out timely and in accordance with law. |
Company
Type of measure | Terms |
Measures of pseudonymization and encryption of personal data | Description of technical measures in place to prevent re-identification
· Company has implemented data minimization and privacy-by-design into its software development process to prevent personal data from being directly linkable to a data subject. This includes measures such as truncating coordinates of geolocation data and removing the last octet from IP addresses. · Company only works with pseudonymized identifiers and has management and organizational controls in place to prohibit internal teams, any relevant partners and sub-processors from re-identifying data processed in connection with the Agreement. · If and when directly identifiable information were to be processed in connection with the services for addressability purposes, Company will ensure that industry standard cryptographic techniques are immediately applied to such data, including but not limited to hashing, to help ensure data cannot be re-identified by unauthorized parties. · Advertising identifiers used by Company to track devices and deliver ads are not persistent; they are designed to deprecate within a reasonable time frame. · When activating/monetizing audiences, sensitive or directly identifiable personal data is not processed; instead, segment codes/deal codes are exchanged by the parties. Company does not process any actual characteristics about a data subject’s pseudonymized advertising ID. |
Measures for ensuring ongoing confidentiality of processing systems and services | Description of measures in place to secure information stored on systems.
· Company has implemented and maintains a written information security program and has implemented measures to ensure the integrity, availability and security of personal information, including regular vulnerability scans and endpoint protection. · Company limits the risk that personal data will be exposed by implementing a data retention schedule to systems that store personal data processed in connection with the Contract. · Operational, technical management level controls in place that ensure end-user data processed by the platform cannot be linked to a natural person’s identity. Confidentiality terms with personnel. Security program that aligns to industry good practices. |
Measures for ensuring ongoing integrity of processing systems and services | Company has implemented and maintains an information security program that contains administrative, technical and physical safeguards appropriate to protect against anticipated threats to the confidentiality and integrity of, and the unauthorized or accidental destruction, loss, access, acquisition, alteration or use of, personal data, and that meets (i) reasonable security practices applicable to Company’s industry; and (ii) any security requirements applicable to Company under applicable law. |
Measures for ensuring ongoing availability and resilience of processing systems and services | Company maintains personal data availability and resilience through a variety of technical, physical, and administrative measures.
Examples of these measures include: fault-tolerant infrastructure with geographically distinct availability zones for redundant data; secured and monitored operational sites; and processes and policies for topics such as incident response and review, and vendor review. |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | · See response above.
· Further measures include regular backups, business continuity readiness plans and disaster recovery plans. |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | · At least once annually, security measures relevant to the processing of personal data are reviewed and tested for alignment with industry good practices.
· Security compliance has been integrated into Company’s product development practices, and the Company privacy, security and engineering teams collaborate regularly to ensure those standards are kept up to date. |
Measures for user identification and authorization | · Company has in place procedures that comply with applicable law to authenticate requests from data subjects who have submitted rights requests.
· Company has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized employees with a “need to know”. · Company has in place industry standard policies to ensure that unauthorized current and former personnel cannot improperly access systems that process personal data. |
Measures for the protection of Data during storage | · As per the Contract, personal data processed in connection with the services will not contain any sensitive personal information, and will be limited in scope, always pseudonymized (i.e., cookie ID, user agent information, etc.) and cannot be directly identified with a natural person by Company.
· Data is only stored for as long as necessary for Company’s legitimate business purposes and is subject to a data retention schedule. · Personal data minimization procedures are in place with regard to personal data stored on Company’s systems (e.g., the last octet of the IP address is redacted, certain unique identifiers that are not needed for RTB are not logged, etc.). |
Measures for ensuring physical security of locations at which personal data are processed | · Facilities involved in the processing of personal data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, two-factor authentication, firewalls, and anti-malware. Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required in order to deliver advertising services under the Agreement.
· Company provides personnel who access personal data with appropriate information security and data protection training. Company maintains appropriate physical security measures at each facility where personal data is processed, including authentication of all personnel who access data centers, IT equipment having physical barriers designed to prevent access by unauthorized individuals, and manned reception areas or logbooks with visitor entry/exit dates and times. |
Measures for certification/assurance of processes and products | · Company participates in industry certification and self-regulatory programs such as the DAA, the NAI Code of Practice, IAB TCF 2.0, and the IAB CCPA Compliance Framework. |
Measures for ensuring data minimization | · Procedures are embedded in the system development process to minimize personal data collected and processed by the Company (e.g., truncation of IP address, stripping of personal data when an impression will be monetized using contextual ad-targeting, no data collection from unconsented or improperly consented impressions).
· Company has a dedicated technical privacy specialist whose role is at least partly dedicated to reviewing the implementation of data minimization across the organization. |
Measures for ensuring accountability | · Company performs a data mapping exercise that complies with Article 30 of GDPR and has created a record of processing activity to ascertain the scope of personal data processing activities performed by the organization.
· Company has implemented a privacy program that is appropriate to the scope and nature of personal data processed that includes a personal data breach policy, data protection and legitimate interest assessments (where appropriate), appointment of a data protection officer (DPO), and data protection controls such as privacy by design. · The foregoing measures are regularly reviewed (at least once annually) and updated to ensure alignment with applicable law and industry standards. |
Measures for allowing data portability and ensuring erasure | · Company has implemented and maintains procedures to ensure data portability and erasure that comply with data protection laws. Company has designated a data protection leader who is responsible for ensuring all requests from data subjects are reviewed and documented, including requests for erasure and copies of personal data, and that data subject requests are carried out timely and in accordance with law. |
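The minimization steps the Company table describes (no collection from unconsented impressions, dropping identifiers not needed for RTB, hashing of any directly identifying value, last-octet IP redaction, geolocation truncation, and stripping user-level data when an impression is monetized contextually), written out as an added Python example; this is not PubMatic’s or Company’s code, and the record field names, the /64 treatment of IPv6 addresses and the hash key are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import math
from typing import Optional

# Constructed key for the keyed hash; a real deployment loads it from a secrets store.
HASH_KEY = b"constructed-example-key-not-for-production"

# Identifiers assumed to be "not needed for RTB" and therefore never logged (field names are assumptions).
DROP_ALWAYS = {"device_serial", "account_id"}
# User-level fields stripped when the impression is monetized with contextual ad-targeting.
USER_LEVEL = {"cookie_id", "ip", "geo", "email_hash"}


def truncate_ip(ip: str) -> str:
    """IPv4: zero the last octet, as the DPA describes. The DPA does not mention IPv6;
    keeping only the /64 prefix is this example's assumption of comparable coarseness."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def truncate_geo(lat: float, lon: float, decimals: int = 2) -> tuple:
    """Truncate (not round) coordinates to `decimals` places; two places is roughly 1 km."""
    scale = 10 ** decimals
    return (math.trunc(lat * scale) / scale, math.trunc(lon * scale) / scale)


def hash_identifier(value: str) -> str:
    """Keyed SHA-256 hash of a directly identifying value (e.g. an e-mail address)
    after normalization, so the raw value never reaches storage."""
    normalized = value.strip().lower().encode()
    return hmac.new(HASH_KEY, normalized, hashlib.sha256).hexdigest()


def minimize_bid_request(req: dict, consented: bool) -> Optional[dict]:
    """Apply the measures in order: drop unconsented impressions entirely, remove fields
    not needed for RTB, pseudonymize direct identifiers, coarsen IP and geolocation,
    and strip all user-level data when the impression is targeted contextually."""
    if not consented:
        return None  # no data collection from unconsented or improperly consented impressions
    out = {k: v for k, v in req.items() if k not in DROP_ALWAYS}
    if "email" in out:
        out["email_hash"] = hash_identifier(out.pop("email"))
    if "ip" in out:
        out["ip"] = truncate_ip(out["ip"])
    if "geo" in out:
        out["geo"] = truncate_geo(*out["geo"])
    if out.get("targeting") == "contextual":
        out = {k: v for k, v in out.items() if k not in USER_LEVEL}
    return out
```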