Dated: October 26, 2021

This Demand Partner Data Processing Addendum (the “Addendum”) forms part of the Contract(s) (defined below) between PubMatic, Inc. (“PubMatic”) and the party identified in the signature block below (“Demand Partner”). Capitalized terms used in this Addendum shall have the meanings given to them in the main body of the Contract(s) unless otherwise defined in this Addendum.

Introduction

  1. PubMatic is a provider of a supply-side platform, a technology platform which engages in the provision of auction or facilitation of purchases of digital advertising inventory. Demand Partner is a provider of a demand-side platform, ad exchange, advertiser, agency, agency trading desks or ad network which uses a technology platform or similar technology to engage in the buying of digital advertising inventory.
  2. PubMatic and Demand Partner have entered into a master contract, or other such governing contract, together with one or more connected statements of work, purchase orders, contracts and/or agreements (collectively the “Contract(s)”), under which Demand Partner may purchase digital advertising inventory via PubMatic’s demand services (the “Demand Services”).
  3. PubMatic (and/or its publisher customer) is a controller of certain personal data that it wishes to share with Demand Partner, in connection with the performance of PubMatic’s obligations under the Contract(s).
  4. The parties have entered into this Addendum to ensure that in sharing such personal data pursuant to the Contract(s), they both comply with Applicable Privacy Law, with full respect for the fundamental data protection rights of the data subjects whose personal data will be processed.

 IT IS AGREED:

  1. Definitions:
    1. “controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”) and “special categories of personal data” shall have the meanings given in Applicable Privacy Law;
    2. “Applicable Privacy Law” means any and all applicable privacy and data protection laws including, where applicable, European Data Protection Law (as may be amended or superseded from time to time);
    3. “European Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
    4. “Europe” means, for the purposes of this Addendum, the European Economic Area (EEA), the United Kingdom and Switzerland;
    5. “Industry Protocol” means the Transparency and Consent Framework developed by the IAB Europe, its policies, its global vendor list and specifications and/or any other mutually agreed upon industry protocols, as amended and updated from time to time;
    6. “Model Clauses” means the Standard Contractual Clauses populated with information described in Section 4 of this Addendum;
    7. “Processor Standard Contractual Clauses” means the Standard Contractual Clauses for processors as approved by the European Commission pursuant to the European Commission decision C(2010) 593 of 5 February 2010 (as updated, amended or replaced from time to time);
    8. “Privacy Shield” means the Swiss-US and EU-US Privacy Shield Frameworks, as operated by the U.S. Department of Commerce (as amended, superseded or replaced);
    9. “Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded or replaced);
    10. “Security Incident” means any event which resulted in, or which if successful would have resulted in, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Data (as defined in Section 2 herein) while in the custody or control of the Demand Partner, its affiliates, agents, subcontractors, processors or sub-processors, as applicable;
    11. “Standard Contractual Clauses” means: (i) the standard contractual clauses and its appendices in European Commission Implementing Decision (EU) 2021/91 of 4 June 2021 relating to transfers of personal data to third countries pursuant to Regulation (EU) 2017/679 and any successor clauses issued from time to time by the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction, in each case, in relation thereto (the “EU SCCs”) and (ii) standard data protection clauses specified in regulations made by the Secretary of State under section 17C(b) of the 2018 Data Protection Act and for the time being in force in the United Kingdom (the “UK SCCs”).
  2. Processing Description: In connection with the Demand Services, PubMatic will submit to Demand Services and/or Demand Partner may otherwise collect or receive certain PubMatic Data, including (but not limited to) in bid requests submitted to Demand Partner. Demand Partner acknowledges that such PubMatic Data (as described in the Contract) may contain personal data, as more particularly described in Annex B (collectively, the “Data”).
  3. Controller Terms applicable to C2C Data
    1. Demand Partner agrees that it shall (and shall ensure that its affiliates, agents, subcontractors, processors, sub-processors, buyers, partners, customers, clients, or any other third party using its Demand Services or whose purchasing of digital advertising inventory may be enabled by the Demand Services) only process and collect the Controller to Controller Data (“C2C Data”) solely for the purposes expressly permitted under the Contract(s) and in a manner that complies with Applicable Privacy Laws, the Contract(s) and where applicable, the Industry Protocol (collectively and individually, the “Permitted Purposes”).
    2. Relationship of the parties: The parties acknowledge that PubMatic is a controller of the C2C Data it discloses to Demand Partner, and that Demand Partner will process the C2C Data as a separate and independent controller strictly for the Permitted Purpose. In no event will the parties process the Data jointly as joint controllers.
    3. Compliance with law: Each party shall be individually and separately responsible for complying with the obligations that apply to it as a controller under Applicable Privacy Law. Without limitation to the foregoing, each party shall maintain a publicly accessible privacy policy on its website that satisfies the transparency disclosure requirements of Applicable Privacy Law.
    4. Consent Signals: Demand Partner shall (and shall ensure that its affiliates, agents, subcontractors, processors, sub-processors, buyers, partners, customers, clients, or any other third party using its Demand Services or whose purchasing of digital advertising inventory may be enabled by the Demand Services) honor all “consent”, “no consent” and “opt-out” signals received from PubMatic (or any of its publisher clients or other controllers enabled by PubMatic through the Demand Services) in compliance with Applicable Privacy Laws and where applicable, the Industry Protocol.
    5. Deletion: Demand Partner will not, and will not permit any third party to, retain the C2C Data for longer than the period during which the Demand Partner has a legitimate need to retain the Data for the Permitted Purposes and in compliance with Applicable Privacy Law.
  4. Standard Contractual Clauses
    1. General: Demand Partner agrees to abide by and process C2C Data and Controller to Processor Data (“C2P Data”) protected by European Data Protection Law in accordance with the Standard Contractual Clauses, which shall be incorporated into and form an integral part of this Addendum. The terms of the Standard Contractual Clauses will apply where the applicable transfer of C2C or C2P Data is not subject to the laws of a jurisdiction recognized as providing an adequate level of protection for personal data (as described in European Data Protection Law). The parties agree that PubMatic is the Data Exporter and that Demand Partner is the Data Importer in respect of the Standard Contractual Clauses and any of the transfers described in this Section 4.
    2. Where Demand Partner Processes Personal Data as a controller pursuant to the Agreement: The parties agree that the Model Clauses shall apply as follows: (i) Module One will apply; (ii) In Clause 7, the optional docking clause will apply; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the EU SCCs shall be governed by the laws of the Netherlands; (v) in Clause 18(b), disputes shall be resolved before the courts of the Netherlands; (vi) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex B below (“C2C Transfers”) to this Addendum; (vii) For the purposes of Clause 8.5(a), (b) and (c), as well as Annex II of the EU SCCs, the parties agree to the security measures described in Annex C to this Addendum; and (viii) for the purposes of Clause 8.5 (d), (e) and (f), where Demand Partner is required by a respective clause in the EU SCCs or is otherwise legally compelled to notify the data subjects or the competent supervisory authority of a personal data breach, Demand Partner will first provide PubMatic with the details of the notification permitting PubMatic to have prior written input into the respective notification, where PubMatic desires to do, and without delaying the timing of the notification unduly.
    3. Where Demand Partner Processes Personal Data as a processor as described in the Agreement: (i) Module Two will apply; (ii) In Clause 7, the optional docking clause will apply; (iii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be 30 days; (iv) in Clause 11, the optional language will not apply; (v) in Clause 17, Option 1 will apply, and EU SCCs shall be governed by the laws of the Netherlands; (vi) in Clause 18(b), disputes shall be resolved before the courts of the Netherlands; (vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex B (“C2P Transfers”) to this Addendum; and (viii) for the purposes of Clause 8.6(a), as well as Annex II of the EU SCCs, the parties agree to the security provisions contained in Annex C of this Addendum. Demand Partner agrees to comply with the additional terms set out in Annex A of this Addendum.
    4. Data Protected by the UK GDPR: In relation to Data that is protected by the UK GDPR, the EU SCCs as implemented in accordance with Sections 4 (b) and (c) above shall apply provided that: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the UK GDPR, references to “EU”, “Union” and “Member State law” shall be interpreted as references to English law, and references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the relevant data protection authority and courts in England; (ii) to the extent and for so long as the EU SCCs as implemented in accordance with paragraph (i) above cannot be used to lawfully transfer the Data protected by the UK DPA and the UK GDPR to Demand Partner, the UK SCCs shall be incorporated into and form an integral part of the Addendum and shall apply to such transfers; and (iii) for the purposes of the UK SCCs (where applicable) the relevant Appendices of the UK SCCs shall be deemed completed using the information contained in Annexes B and C to this Addendum (as applicable).
    5. In relation to Data that is protected by the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”): the EU SCCs as implemented in accordance with Sections 4.a) and b) above will apply provided that references in the EU SCCs to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA, references to “EU”, “Union” and “Member State law” shall be interpreted as references to Swiss law, and references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the relevant data protection authority and courts in Switzerland.
  5. General Terms applicable to all Data
    1. Non-disclosure: Demand Partner will not disclose the Data to any third party without PubMatic’s prior written consent except: (i) where necessary for processing purposes expressly permitted under this Addendum; (ii) as permitted or to the extent required pursuant to the Contract(s); or (iii) where required by applicable law.
    2. Subcontracting: Demand Partner may appoint third party processors to process Data for the purposes expressly permitted under this Addendum, provided that such processors: (a) agree in writing to process Data in accordance with Demand Partner’s documented instructions; (b) implement appropriate technical and organizational security measures that are at least as protective as those described in Annex C (where applicable) to protect the Data against a Security Incident; and (c) otherwise provide sufficient guarantees that they will process the Data in a manner that will meet the requirements of Applicable Privacy Law and this Addendum.
    3. Security: Demand Partner shall implement appropriate technical and organizational measures that are at least as protective as those described in Annex C (where applicable) to protect the Data from Security Incidents (“Security Measures”). Such Security Measures shall at a minimum comply with the requirements of Applicable Privacy Laws. In the event that Demand Partner suffers a Security Incident, it shall notify PubMatic without undue delay and both parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
    4. International transfers: Where European Data Protection Law applies to the Data, the Demand Partner shall not process any such Data (nor permit any Data to be processed) in a territory outside of Europe (whether directly or via onward transfer) unless it has taken such measures as are necessary to ensure the transfer is in compliance with European Data Protection Law (including such measures as may be communicated by PubMatic to Demand Partner from time to time) and this Addendum.
    5. Privacy Shield: For so long as PubMatic is certified under the Privacy Shield and where Demand Partner processes any Data protected by PubMatic’s Privacy Shield certification, Demand Partner agrees to provide the same level of protection for such Data as is required by the Privacy Shield Principles. Demand Partner shall notify PubMatic if it makes a determination that it can no longer provide such protection and in such event, shall cease processing or take other reasonable and appropriate steps to remediate, (if remediable) any processing until such time as the processing meets the level of protection as is required by the Privacy Shield Principles.
    6. Transfer arrangements: To the extent that PubMatic adopts a data export mechanism not described in this Addendum (including any new version of or successor to the Model Clauses pursuant to applicable European Data Protection Law) for the transfer of Data (“Alternative Transfer Mechanism”), such Alternative Transfer Mechanism shall apply instead of any mechanism described in this Addendum. Notwithstanding anything to the contrary, an Alternative Transfer Mechanism shall only apply to the extent that it complies with Applicable Privacy Law applicable to the country where the processing activities take place. Demand Partner agrees to execute any document and take any appropriate action as reasonably necessary to give effect to such Alternative Transfer Mechanism.
    7. Cooperation and data subject rights: In the event that either party receives: (i) any request from a data subject to exercise any of its rights under Applicable Privacy Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data (collectively, “Correspondence”) then, where such Correspondence relates to processing conducted by the other party, it shall promptly inform the other party and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfil their respective obligations under Applicable Privacy Law.
    8. Change in Law: Notwithstanding anything to the contrary in the Contract or this Addendum, in the event of a change in Applicable Privacy Law or a determination or order from a supervisory authority or competent court affecting this Addendum or any processing activities under this Addendum, PubMatic may, in its sole discretion, amend this Addendum as reasonably necessary to ensure continued compliance with Applicable Privacy Law or compliance with any such orders.
    9. Survival: This Addendum shall survive termination or expiry of the Contract(s). Upon termination or expiry of the Contract(s), Demand Partner may continue to process the Data provided that such processing complies with the requirements of this Addendum and Applicable Privacy Law.
    10. Miscellaneous: This Addendum shall be governed by and construed in all respects in accordance with the governing law and jurisdiction provisions set out in the Contract(s), unless required otherwise by Applicable Privacy Laws. With effect from the effective date of the Contract(s), this Addendum shall be deemed a part of and incorporated into the Contract(s) so that references in the Contract(s) to the “Agreement” shall be interpreted to include this Addendum. Except for the changes made by this Addendum, the Contract(s) shall remain unchanged and in full force and effect. In the event of any conflict or inconsistency between this Addendum and any other term or terms of the Contract(s), this Addendum shall prevail in respect of the subject matter (i.e. the protection of personal data). This Addendum may be executed: (i) in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement; and (ii) via a recognized electronic signature service or delivered by facsimile transmission, or may be signed, scanned and emailed, and any such signatures shall be treated as original signatures for all applicable purposes. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Model Clauses. Accordingly, if and to the extent the Model Clauses conflict with any provision of the Contract(s), including this Addendum, the Model Clauses shall prevail to the extent of such conflict. The parties further agree this Addendum (with any commercially sensitive information redacted) may be shared with the US Department of Commerce on request.

Annex A

Processor Terms

Demand Partner agrees:

  1. it will process the C2P Data (and ensure that any persons authorized by the Demand Partner to process C2P Data (“Authorized Persons”) do so) in accordance with PubMatic’s (or the third-party controller’s) documented lawful instructions, except where otherwise required by applicable law;
  2. it shall only process C2P Data for the purposes described in and in accordance with Annex C;
  3. it shall ensure that Authorized Persons are subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty or otherwise) and shall not permit any person who is not under such a duty of confidentiality to process the C2P Data. Demand Partner shall ensure that all Authorized Persons process the C2P Data only as necessary for the purposes described in Annex C;
  4. it shall not sub-contract any processing of the C2P Data to a third-party processor without the prior written consent of PubMatic and shall remain liable for any breach of this Addendum as it relates to C2P Data that is caused by or results in connection with an act, error or omission of its sub-contractor. If PubMatic refuses to consent to Demand Partner’s appointment of a third party sub-contractor on reasonable grounds relating to the protection of the C2P Data, then the parties shall discuss such concerns with a view to achieving a commercially reasonable resolution. PubMatic hereby consents to Demand Partner engaging sub-contractors to process C2P Data on behalf of Demand Partner provided that (i) Demand Partner provides at least 30 days prior notice of the addition or removal of any subcontractor (including details of the processing it performs or will perform); and (ii) Demand Partner imposes data protection terms on any subcontractor it appoints that protect the C2P Data to the same standard required of Demand Partner in respect of all C2P Data processed by Demand Partner pursuant to this Addendum;
  5. it shall permit PubMatic (or its third-party auditors) to audit Demand Partner’s compliance with Applicable Privacy Law in respect of C2P Data processing, and shall for these purposes make available to PubMatic all information reasonably necessary for PubMatic (or its appointed third-party auditors) to conduct such audit;
  6. upon becoming aware of a Security Incident involving C2P Data, Demand Partner shall inform PubMatic and provide all reasonable co-operation and assistance in accordance with and as more fully described in Section 5 (c) (“Security”) of this Addendum;
  7. if PubMatic is required by Applicable Privacy Law to conduct a data protection impact assessment in respect of the Demand Services, Demand Partner shall provide all information reasonably requested by PubMatic in connection with such assessment;
  8. upon termination or expiry of the Addendum, it shall (at PubMatic’s election) destroy or return to PubMatic all C2P Data (including all copies of the C2P Data) in its possession or control (including any data sub-contracted to a third party for processing), except to the extent that it or any sub-contractor is required by applicable law to retain some or all of the C2P Data, in which event it shall isolate and protect the C2P Data from further processing except to the extent required by such law; and

Annex B

Description of Processing Activities/ Transfer

Annex 1(A) List of Parties:

Data Exporter

Name: PubMatic, Inc.
Address: 3 Lagoon Drive, Suite 180, Redwood City, California 94065, USA
Contact Person’s Name, position and contact details: Data Protection Officer, reachable at dpo@pubmatic.com; Privacy Officer, reachable at privacy@pubmatic.com
Activities relevant to the transfer: See Annex 1(B) below
Role: Controller

Data Importer

Name: Demand Partner
Address: As identified in the Agreement.
Contact Person’s Name, position and contact details: As identified in the Agreement.
Activities relevant to the transfer: See Annex 1(B) below
Role: Controller (C2C Data) / Processor (C2P Data)

Annex 1(B) Description of transfer:

C2C Transfers

Categories of data subjects: End users of the publisher properties covered by the Demand Services or end users viewing ads delivered to PubMatic’s publisher customer’s properties.
Categories of personal data:

·       Identifiers: cookie and mobile Ad identifiers (such as IDFA, ADID, GPID, etc.), IP address, data that could be used for fingerprinting, latitude and longitude, GPS location;

·       Demographic information: location, age range, gender, other publisher-specified demographics (tied to an identifier);

·       User agent or such device information.

Sensitive data: None.
If sensitive data, the applied restrictions or safeguards[1]: N/A
Frequency of the transfer: Continuous
Nature and subject matter of processing: Personal data transferred will be processed in accordance with the Agreement (including this Addendum) and may be subject to the following processing activities:

1. Storage and other processing necessary to provide the Demand Services to PubMatic.

2. Disclosures in accordance with the Agreement and/or as compelled by applicable laws.

Purpose(s) of the data transfer and further processing: To enable Data Importer to process C2C Data as a controller solely for purposes expressly permitted under the Agreement and in a manner that complies with EU/UK Data Protection Law (the “Permitted Purposes”). Such purposes shall include: (i) setting and modifying a Demand Partner cookie, pixel or similar tracking technology; (ii) billing, fraud detection and prevention; (iii) security purposes and technical support.
Retention period (or, if not possible to determine, the criteria used to determine that period): Demand Partner will not, and will not permit any third party to, retain the C2C Data for longer than the period during which the Demand Partner has a legitimate need to retain the C2C Data for the Permitted Purposes and in compliance with EU/UK Data Protection Law.


C2P Transfers

Categories of data subjects: End users of the publisher properties covered by the Demand Services or end users viewing ads delivered to PubMatic’s publisher customer’s properties.
Categories of personal data:

·       Table of PubMatic’s unique end user identifiers created, assigned or retained by PubMatic and associated with an individual end user.

·       Identifiers: cookie and mobile Ad identifiers (such as IDFA, ADID, GPID, etc.), IP address, data that could be used for fingerprinting, latitude and longitude, GPS location;

·       Demographic information: location, age range, gender, other publisher-specified demographics (tied to an identifier);

·       User agent or such device information.

Sensitive data: None.
If sensitive data, the applied restrictions or safeguards[2]: N/A
Frequency of the transfer: Continuous
Nature and subject matter of processing: Personal data transferred will be processed in accordance with the Agreement (including this Addendum) and may be subject to the following processing activities:

1. Storage and other processing necessary to provide the Demand Services to PubMatic.

2. Disclosures in accordance with the Agreement and/or as compelled by applicable laws.

Duration of the processing: The duration of the data processing under the Addendum is until the termination of the Agreement in accordance with its terms plus the period from the expiry of the Agreement until deletion of the personal data by Demand Partner in accordance with the terms of the Agreement.
Purpose(s) of the data transfer and further processing: Providing the Demand Services to PubMatic as a processor (where applicable), including for the purposes of determining the amounts to bid on publisher inventory and bidding on advertising impression opportunities.
Retention period (or, if not possible to determine, the criteria used to determine that period): Upon termination or expiry of the Agreement, it shall (at PubMatic’s election) destroy or return to PubMatic all C2P Data (including all copies of the C2P Data) in its possession or control (including any data sub-contracted to a third party for processing), except to the extent that it or any approved sub-contractor is required by applicable law to retain some or all of the C2P Data, in which event it shall isolate and protect the C2P Data from further processing except to the extent required by such law.


Annex 1(C) Competent supervisory authority:

The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, will be, for Data protected by the EU GDPR, the Dutch Data Protection Authority (Dutch DPA) and, for Data protected by the Swiss DPA, the Federal Data Protection and Information Commissioner (FDPIC). With respect to UK Data, the competent supervisory authority is the Information Commissioner’s Office (the “ICO”).


Annex C

Description of C2P Data Processing


Technical and Organizational Measures

The technical and organizational measures implemented by Demand Partner (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are as follows:

Type of measure: Measures of pseudonymisation and encryption of personal data
Terms: Description of technical measures in place to prevent re-identification

·       Demand Partner has implemented data minimisation and privacy-by-design into its software development process to prevent personal data from being directly linkable to a data subject.  This includes measures such as truncating coordinates of geolocation data and removing the last octet from IP addresses.

·       Demand Partner only works with pseudonymized identifiers and has management and organizational controls in place to prohibit internal teams, any relevant partners and subprocessors from re-identifying data processed in connection with the Agreement.

·       If and when directly identifiable information were to be processed in connection with the services for addressability purposes, Demand Partner will ensure that industry standard cryptographic techniques are immediately applied to such data, including but not limited to, hashing, to help ensure data cannot be reidentified by unauthorised parties.

·       Advertising identifiers used by Demand Partner to track devices and deliver ads are not persistent; they are designed to deprecate within a reasonable time frame.

·       When activating/monetizing audiences, sensitive or directly identifiable personal data is not processed, but instead segment codes/deal codes are exchanged by the parties. Demand Partner does not process any actual characteristics about a data subject’s pseudonymized advertising ID.

Type of measure: Measures for ensuring ongoing confidentiality of processing systems and services
Terms: Description of measures in place to secure information stored on systems.

·       Demand Partner has implemented and maintains a written information security program and has implemented measures to ensure the integrity, availability and security of personal information, including regular vulnerability scans and endpoint protection.

·       Demand Partner limits the risk that personal data will be exposed by applying a data retention schedule to systems that store personal data processed in connection with the Contract.

·       Operational and technical management-level controls are in place that ensure end-user data processed by the platform cannot be linked to a natural person’s identity; personnel are bound by confidentiality terms; and the security program aligns to industry good practices.

Type of measure: Measures for ensuring ongoing integrity of processing systems and services
Terms: Demand Partner has implemented and maintains an information security program that contains administrative, technical and physical safeguards appropriate to protect against anticipated threats to the confidentiality and integrity of, and the unauthorized or accidental destruction, loss, access, acquisition, alteration or use of, personal data, and that meets (i) reasonable security practices applicable to Demand Partner’s industry; and (ii) any security requirements under the laws applicable to Demand Partner.

Type of measure: Measures for ensuring ongoing availability and resilience of processing systems and services
Terms: Demand Partner maintains personal data availability and resilience through a variety of technical, physical, and administrative measures.

Examples of these measures include: tolerant infrastructure with geographically distinct availability zones for redundant data; secured and monitored operational sites; and processes and policies for topics such as incident response and review, and vendor review.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

·       See response above.

·       Further measures include regular backups, business continuity readiness plans and disaster recovery plans.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

·       At least once annually, security measures relevant to the processing of personal data are reviewed and tested for alignment with industry good practices.

·       Security compliance has been integrated into Demand Partner’s product development practices, and the Demand Partner privacy, security and engineering teams collaborate regularly to ensure those standards are kept up to date.

Measures for user identification and authorisation

·       Demand Partner has in place procedures that comply with applicable law to authenticate requests from data subjects who have submitted rights requests.

·       Demand Partner has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized employees with a “need to know”.

·       Demand Partner has in place industry standard policies to ensure that unauthorized current and former personnel cannot improperly access systems that process personal data.

Measures for the protection of Data during storage

·       As per the Contract, personal data processed in connection with the services will not contain any sensitive personal information, and will be limited in scope, always pseudonymized (i.e., cookie ID, user agent information, etc.) and cannot be directly identified with a natural person by Demand Partner.

·       Data is only stored for as long as necessary for Demand Partner’s legitimate business purposes and is subject to a data retention schedule.

·       Personal data minimization procedures are in place with regard to personal data stored on Demand Partner’s systems (e.g., the last octet of the IP address is redacted, certain unique identifiers that are not needed for RTB are not logged, etc.).

Measures for ensuring physical security of locations at which personal data are processed

·       Facilities involved in the processing of personal data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, two-factor authentication, firewalls, and anti-malware. Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required in order to deliver advertising services under the Agreement.

·       Demand Partner provides personnel who access personal data with appropriate information security and data protection training. Demand Partner maintains appropriate physical security measures at each facility where personal data is processed, including authentication of all personnel who access data centres, IT equipment having physical barriers designed to prevent access by unauthorized individuals, and manned reception areas or logbooks with visitor entry/exit dates and times.

Measures for certification/assurance of processes and products

·       Demand Partner participates in industry certification and self-regulatory programs such as the DAA, the NAI Code of Practice, IAB TCF 2.0, and the IAB CCPA Compliance Framework.

Measures for ensuring data minimisation

·       Procedures are embedded in the system development process to minimize personal data collected and processed by the Demand Partner (e.g., truncation of IP address, stripping of personal data when an impression will be monetized using contextual ad-targeting, no data collection from unconsented or improperly consented impressions).

·       Demand Partner has a dedicated technical privacy specialist whose role is at least partly dedicated to reviewing the implementation of data minimization across the organization.

Measures for ensuring accountability

·       Demand Partner performs a data mapping exercise that complies with Article 30 of GDPR and has created a record of processing activity to ascertain the scope of personal data processing activities performed by the organization.

·       Demand Partner has implemented a privacy program that is appropriate to the scope and nature of personal data processed that includes a personal data breach policy, data protection and legitimate interest assessments (where appropriate), appointment of a data protection officer (DPO), and data protection controls such as privacy by design.

·       The foregoing measures are regularly reviewed (at least once annually) and updated to ensure alignment with applicable law and industry standards.

Measures for allowing data portability and ensuring erasure

·       Demand Partner has implemented and maintains procedures to ensure data portability and erasure that comply with data protection laws. Demand Partner has designated a data protection leader who is responsible for ensuring all requests from data subjects are reviewed and documented, including requests for erasure and copies of personal data, and that data subject requests are carried out timely and in accordance with law.