Dated: December 1, 2022

This Demand Partner Data Processing Addendum (the “Addendum”) forms part of the Contract(s) (defined below) between PubMatic, Inc. (“PubMatic”) and the party identified in the original governing agreement (“Demand Partner”). Capitalized terms used in this Addendum shall have the meanings given to them in the main body of the Contract(s) unless otherwise defined in this Addendum.

Introduction

  1. PubMatic is a provider of a supply-side platform, a technology platform which engages in the provision of auction or facilitation of purchases of digital advertising inventory. Demand Partner is a provider of a demand-side platform, ad exchange, advertiser, agency, agency trading desks or ad network which uses a technology platform or similar technology to engage in the buying of digital advertising inventory.
  2. PubMatic and Demand Partner have entered into a master contract, or other such governing contract, together with one or more connected statements of work, purchase orders, contracts and/or agreements (collectively the “Contract(s)” or “Agreement(s)”), under which Demand Partner may purchase digital advertising inventory via PubMatic’s demand services (the “Demand Services”).
  3. PubMatic (and/or its publisher customer) is a controller of certain personal data that it wishes to share with Demand Partner, in connection with the performance of PubMatic’s obligations under the Contract(s).
  4. The parties have entered into this Addendum to ensure that in sharing such personal data pursuant to the Contract(s), they both comply with Applicable Privacy Law, with full respect for the fundamental data protection rights of the data subjects whose personal data will be processed.

 IT IS AGREED:

  1. Definitions:
    1. “controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”) and “special categories of personal data” shall have the meanings given in Applicable Privacy Law;
    2. “Applicable Privacy Law” means any and all applicable privacy and data protection laws including, where applicable, European Data Protection Law (as may be amended or superseded from time to time);
    3. “European Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any and all applicable national implementations of (i) or (ii); (iv) in respect of the United Kingdom, GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (together, “UK Privacy Law”); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”), in each case as may be amended or superseded from time to time;
    4. “Europe” means, for the purposes of this Addendum, the European Economic Area (EEA), the United Kingdom and Switzerland;
    5. “Industry Protocol” means the Transparency and Consent Framework developed by the IAB Europe, its policies, its global vendor list and specifications and/or any other mutually agreed upon industry protocols, as amended and updated from time to time;
    6. “Privacy Shield” means the Swiss-US and EU-US Privacy Shield Frameworks, as operated by the U.S. Department of Commerce (as amended, superseded or replaced);
    7. “Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded or replaced);
    8. “Restricted Transfer” means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK Privacy Law applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
    9. “Security Incident” means any event which resulted in, or which if successful would have resulted in, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Data (as defined in Section 2 herein) while in the custody or control of the Demand Partner, its affiliates, agents, subcontractors, processors or sub-processors, as applicable.
    10. “Standard Contractual Clauses” means the standard contractual clauses and its appendices in European Commission Implementing Decision (EU) 2021/91 of 4 June 2021 relating to transfers of personal data to third countries pursuant to Regulation (EU) 2017/679 and any successor clauses issued from time to time by the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction, in each case, in relation thereto, completed in accordance with the terms of this Addendum.
    11. “UK Addendum” means the International Data Transfer Addendum (version B1.0) to the EU Commission Standard Contractual Clauses issued by UK Information Commissioners Office under S.119(A) of the UK Data Protection Act 2018, as amended, superseded or replaced from time to time.
  2. Processing Description: In connection with the Demand Services, PubMatic will submit to Demand Services and/or Demand Partner may otherwise collect or receive certain PubMatic Data, including (but not limited to) in bid requests submitted to Demand Partner. Demand Partner acknowledges that such PubMatic Data (as described in the Contract(s)) may contain personal data, as more particularly described in Annex B, under the separate headings “C2C Data” and “C2P Data” (collectively, the “Data”).
  3. Controller Terms applicable to Controller to Controller Data
    1. Demand Partner agrees that it shall (and shall ensure that its affiliates, agents, subcontractors, processors, sub-processors, buyers, partners, customers, clients, or any other third party using its Demand Services or whose purchasing of digital advertising inventory may be enabled by the Demand Services) only process and collect the “C2C Data” solely for the purposes expressly permitted under the Contract(s) and in a manner that complies with Applicable Privacy Laws, the Contract(s) and where applicable, the Industry Protocol (collectively and individually, the “Permitted Purposes”).
    2. Relationship of the parties: The parties acknowledge that PubMatic is a controller of the C2C Data it discloses to Demand Partner, and that Demand Partner will process the C2C Data as a separate and independent controller strictly for the Permitted Purpose. In no event will the parties process the C2C Data jointly as joint controllers.
    3. Compliance with law: Each party shall be individually and separately responsible for complying with the obligations that apply to it as a controller under Applicable Privacy Law.  Without limitation to the foregoing, each party shall maintain a publicly accessible privacy policy on its website that satisfies the transparency disclosure requirements of Applicable Privacy Law.
    4. Consent Signals: Demand Partner shall (and shall ensure that its affiliates, agents, subcontractors, processors, sub-processors, buyers, partners, customers, clients, or  any other third party using its Demand Services or whose purchasing of digital advertising inventory may be enabled by the Demand Services) honor all “consent”, “no consent” and “opt-out” signals received from PubMatic (or any of its publisher clients or other controllers enabled by PubMatic through the Demand Services) in compliance with Applicable Privacy Laws and where applicable, the Industry Protocol.
    5. Deletion: Demand Partner will not, and will not permit any third party, to retain the C2C Data for longer than the period during which the Demand Partner has a legitimate need to retain the Data for the Permitted Purposes and in compliance with Applicable Privacy Law.
  4. Processor Terms applicable to C2P Data: Demand Partner acknowledges and agrees that: (i) it shall process the C2P Data as a processor on behalf of PubMatic (whether itself the controller or acting on behalf of a third party controller); and (ii) to the extent such C2P Data is protected by European Data Protection Law, then the Demand Partner agrees to comply with the additional terms set out in Annex A of this Addendum.
  5. Standard Contractual Clauses
    1. General: Demand Partner agrees to abide by and process C2C Data and “C2P Data” protected by European Data Protection Law in accordance with the Standard Contractual Clauses, which shall be incorporated into and form an integral part of this Addendum. The terms of the Standard Contractual Clauses will apply where the applicable transfer of C2C or C2P Data is a Restricted Transfer. The parties agree that PubMatic is the Data Exporter and that Demand Partner is the Data Importer in respect of the Standard Contractual Clauses and any of the transfers described in this Section 4.
    2. Where Demand Partner Processes Personal Data as a controller pursuant to the Agreement: The parties agree that the Standard Contractual Clauses shall apply as follows: (i) Module One will apply; (ii) In Clause 7, the optional docking clause will apply; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the EU SCCs shall be governed by the laws of Ireland; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex B below (“C2C Transfers”) to this Addendum; (vii) for the purposes of Clause 8.5(a), (b) and (c), as well as Annex II of the EU SCCs, the parties agree to the security measures described in Annex C to this Addendum; and (viii) for the purposes of Clause 8.5 (d), (e) and (f), where Demand Partner is required by a respective clause in the Standard Contractual Clauses or is otherwise legally compelled to notify the data subjects or the competent supervisory authority of a personal data breach, Demand Partner will first provide PubMatic with the details of the notification permitting PubMatic to have prior written input into the respective notification, where PubMatic desires to do so, and without delaying the timing of the notification unduly.
    3. Where Demand Partner Processes Personal Data as a processor as described in the Agreement: (i) Module Two will apply; (ii) In Clause 7, the optional docking clause will apply; (iii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be 30 days; (iv) in Clause 11, the optional language will not apply; (v) in Clause 17, Option 1 will apply, and EU SCCs shall be governed by the laws of Ireland; (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex B (“C2P Transfers”) to this Addendum; and (viii) for the purposes of Clause 8.6(a), as well as Annex II of the EU SCCs, the parties agree to the security provisions contained in Annex C of this Addendum.
    4. Data Processing Protected by UK Privacy Laws: In relation to the Processing of Data that is protected by UK Privacy Laws, the Standard Contractual Clauses as implemented in accordance with Sections 5 (b) and (c) above shall also apply, but as modified and interpreted by Part 2: Mandatory Clauses of the UK Addendum. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annexes B and C to this Addendum and Table 4 in Part 1 shall be deemed completed by selecting “neither party”.
    5. Data Processing protected by the Swiss DPA: In relation to the Processing of Data that is protected by the Swiss DPA, the Standard Contractual Clauses as implemented in accordance with Sections 5(b) and (c) above shall also apply, with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”; (iv) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (v) Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner; (vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; (vii) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and (viii) Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
  6. General Terms applicable to all Data
      1. Non-disclosure: Demand Partner will not disclose the Data to any third party without PubMatic’s prior written consent except: (i) where necessary for processing purposes expressly permitted under this Addendum; (ii) as permitted or to the extent required pursuant to the Contract(s); or (iii) where required by applicable law.
      2. Subcontracting: Demand Partner may appoint third party processors to process Data for the purposes expressly permitted under this Addendum, provided that such processors: (a) agree in writing to process Data in accordance with Demand Partner’s documented instructions; (b) implement appropriate technical and organizational security measures that are at least as protective as those described in Annex C (where applicable)  to protect the Data against a Security Incident; and (c) otherwise provide sufficient guarantees that they will process the Data in a manner that will meet the requirements of Applicable Privacy Law and this Addendum.
      3. Security: Demand Partner shall implement appropriate technical and organizational measures that are at least as protective as those described in Annex C (where applicable) to protect the Data from Security Incidents (“Security Measures”). Such Security Measures shall at a minimum comply with the requirements of Applicable Privacy Laws. In the event that Demand Partner suffers a Security Incident, it shall notify PubMatic without undue delay and both parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
      4. International transfers: Where European Data Protection Law applies to the Data, the Demand Partner shall not process any such Data (nor permit any Data to be processed) in a territory outside of Europe (whether directly or via onward transfer) unless it has taken such measures as are necessary to ensure the transfer is in compliance with European Data Protection Law (including such measures as may be communicated by PubMatic to Demand Partner from time to time) and this Addendum.
      5. Privacy Shield: For so long as PubMatic is certified under the Privacy Shield and where Demand Partner processes any Data protected by PubMatic’s Privacy Shield certification, Demand Partner agrees to provide the same level of protection for such Data as is required by the Privacy Shield Principles. Demand Partner shall notify PubMatic if it makes a determination that it can no longer provide such protection and in such event, shall cease processing or take other reasonable and appropriate steps to remediate, (if remediable) any processing until such time as the processing meets the level of protection as is required by the Privacy Shield Principles.
      6. Transfer arrangements: To the extent that PubMatic adopts a data export mechanism not described in this Addendum (including any new version of or successor to the Standard Contractual Clauses pursuant to applicable European Data Protection Law) for the transfer of Data (“Alternative Transfer Mechanism”), such Alternative Transfer Mechanism shall apply instead of any mechanism described in this Addendum. Notwithstanding anything to the contrary, an Alternative Transfer Mechanism shall only apply to the extent that it complies with Applicable Privacy Law applicable to the country where the processing activities take place. Demand Partner agrees to execute any document and take any appropriate action as reasonably necessary to give effect to such Alternative Transfer Mechanism.
      7. Cooperation and data subject rights: In the event that either party receives: (i) any request from a data subject to exercise any of its rights under Applicable Privacy Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data (collectively, “Correspondence”) then, where such Correspondence relates to processing conducted by the other party, it shall promptly inform the other party and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfil their respective obligations under Applicable Privacy Law.
      8. Change in Law: Notwithstanding anything to the contrary in the Contract(s) or this Addendum, in the event of a change in Applicable Privacy Law or a determination or order from a supervisory authority or competent court affecting this Addendum or any processing activities under this Addendum, PubMatic may, in its sole discretion, amend this Addendum as reasonably necessary to ensure continued compliance with Applicable Privacy Law or compliance with any such orders.
      9. Survival: This Addendum shall survive termination or expiry of the Contract(s).  Subject to the terms of Annex A with respect to Demand Partner’s processing of C2P Data, upon termination or expiry of the Contract(s), Demand Partner may continue to process the Data provided that such processing complies with the requirements of this Addendum and Applicable Privacy Law.
      10. Miscellaneous: This Addendum shall be governed by and construed in all respects in accordance with the governing law and jurisdiction provisions set out in the Contract(s), unless required otherwise by Applicable Privacy Laws.  With effect from the effective date of the Contract(s), this Addendum shall be deemed a part of and incorporated into the Contract(s) so that references in the Contract(s) to the “Agreement” shall be interpreted to include this Addendum.  Except for the changes made by this Addendum, the Contract(s) shall remain unchanged and in full force and effect.  In the event of any conflict or inconsistency between this Addendum and any other term or terms of the Contract(s), this Addendum shall prevail in respect of the subject matter (i.e. the protection of personal data).  This Addendum may be executed: (i) in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement; and (ii) via a recognized electronic signature service or delivered by facsimile transmission, or may be signed, scanned and emailed, and any such signatures shall be treated as original signatures for all applicable purposes.  It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses. Accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Contract(s), including this Addendum, the Standard Contractual Clauses shall prevail to the extent of such conflict. The parties further agree this Addendum (with any commercially sensitive information redacted) may be shared with the US Department of Commerce on request.

 

Annex A

Processor Terms

Demand Partner agrees:

  1. it will process the C2P Data (and ensure that any persons authorized by the Demand Partner to process C2P Data (“Authorized Persons”) process the C2P Data) in accordance with PubMatic’s (or the third-party controller’s) documented lawful instructions, except where otherwise required by applicable law;
  2. it shall only process C2P Data for the purposes described in and in accordance with Annex B (C2P Transfers);
  3. it shall ensure that Authorized Persons are subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person who is not under such a duty of confidentiality to process the C2P Data. Demand Partner shall ensure that all Authorized Persons process the C2P Data only as necessary for the purposes described in Annex B (C2P Transfers);
  4. it shall not sub-contract any processing of the C2P Data to a third-party processor without the prior written consent of PubMatic and shall remain liable for any breach of this Addendum as it relates to C2P Data that is caused by or results in connection with an act, error or omission of its sub-contractor. If PubMatic refuses to consent to Demand Partner’s appointment of a third party sub-contractor on reasonable grounds relating to the protection of the C2P Data, then the parties shall discuss such concerns with a view to achieving a commercially reasonable resolution.  PubMatic hereby consents to Demand Partner engaging sub-contractors to process C2P Data on behalf of Demand Partner provided that (i) Demand Partner has provided a list of its current sub-contractors prior to the date of the execution of the Contract(s) and this Addendum and thereafter, provides at least 30 days prior notice of the addition or removal of any subcontractor (including details of the processing it performs or will perform); and (ii) Demand Partner imposes data protection terms on any subcontractor it appoints that protect the C2P Data to the same standard required of Demand Partner in respect of all C2P Data processed by Demand Partner pursuant to this Addendum;
  5. it shall permit PubMatic (or its third-party auditors) to audit Demand Partner’s compliance with Applicable Privacy Law and this Addendum in respect of C2P Data processing, and shall for these purposes make available to PubMatic all information, equipment, personnel or premises reasonably necessary for PubMatic (or its appointed third-party auditors) to conduct such audit;
  6. upon becoming aware of a Security Incident involving C2P Data, Demand Partner shall inform PubMatic without undue delay and provide all reasonable co-operation and assistance in accordance with and as more fully described in Section 6 (c) (“Security“) of this Addendum;
  7. to implement appropriate technical and organizational measures that are at least as protective as those described in Annex C to this Addendum;
  8. if PubMatic is required by Applicable Privacy Law to conduct a data protection impact assessment in respect of the Demand Services, Demand Partner shall provide all information reasonably requested by PubMatic in connection with such assessment and provide cooperation and assistance in connection with any consultation PubMatic is required to undertake with any data protection supervisory authorities;
  9. upon termination or expiry of the Addendum, it shall (at PubMatic’s election) destroy or return to PubMatic all C2P Data (including all copies of the C2P Data) in its possession or control (including any data sub-contracted to a third party for processing), except to the extent that it or any sub-contractor is required by applicable law to retain some or all of the C2P Data, in which event it shall isolate and protect the C2P Data from further processing except to the extent required by such law; and
  10. to assist PubMatic in connection with the fulfilment of PubMatic’s obligation to respond to data subject requests to exercise their rights under European Data Protection Law.

 

 

 

Annex B

Description of Processing Activities/ Transfer

Annex 1(A) List of Parties:

 

Data Exporter

Name: PubMatic, Inc.
Address: 601 Marshall Street, Redwood City, California 94063, USA
Contact Person’s Name, position and contact details: Data Protection Officer, reachable at dpo@pubmatic.com, Privacy Officer, reachable at privacy@pubmatic.com
Activities relevant to the transfer: See Annex 1(B) below
Role: Controller

Data Importer

Name: Demand Partner
Address: As identified in the Agreement.
Contact Person’s Name, position and contact details: As identified in the Agreement.
Activities relevant to the transfer: See Annex 1(B) below
Role: Controller (C2C Data) / Processor (C2P Data)

 

 

 

Annex 1(B) Description of processing / transfer:

 

C2C Data

 

Categories of data subjects: End users of the publisher properties covered by the Demand Services or end users viewing ads delivered to PubMatic’s publisher customer’s properties.

Categories of personal data: To the extent applicable, may include:

· Identifiers: cookie and mobile Ad identifiers (such as IDFA, ADID, GPID, etc.), IP address, data that could be used for fingerprinting, latitude and longitude, GPS location;
· Demographic information: location, age range, gender, other publisher-specified demographics (tied to an identifier);
· User agent or such device information.

Sensitive data: None.

If sensitive data, the applied restrictions or safeguards: N/A

Frequency of the transfer: Continuous depending on the Agreement

Nature and subject matter of processing: Personal data transferred will be processed in accordance with the Agreement (including this Addendum) and may be subject to the following processing activities, to the extent applicable:

1. Storage and other processing necessary to provide the Demand Services to PubMatic.
2. Disclosures in accordance with the Agreement and/or as compelled by applicable laws.

Purpose(s) of the data transfer and further processing: If and to the extent applicable, to enable Data Importer to process C2C Data as a controller solely for purposes expressly permitted under the Agreement and this Addendum and in a manner that complies with European Data Protection Law (the “Permitted Purposes”). Such purposes shall include, if and to the extent applicable: (i) setting and modifying a Demand Partner cookie, pixel or similar tracking technology; (ii) billing, fraud detection and prevention; (iii) security purposes and technical support.

Retention period (or, if not possible to determine, the criteria used to determine that period): Demand Partner will not, and will not permit any third party, to retain the C2C Data for longer than the period during which the Demand Partner has a legitimate need to retain the C2C Data for the Permitted Purposes and in compliance with EU/UK Data Protection Law.

 

 

C2P Data

 

Categories of data subjects: End users of the publisher properties covered by the Demand Services or end users viewing ads delivered to PubMatic’s publisher customer’s properties.

Categories of personal data: To the extent applicable, may include:

· Table of PubMatic’s unique end user identifiers created, assigned or retained by PubMatic and associated with an individual end user.
· Identifiers: cookie and mobile Ad identifiers (such as IDFA, ADID, GPID, etc.), IP address, data that could be used for fingerprinting, latitude and longitude, GPS location;
· Demographic information: location, age range, gender, other publisher-specified demographics (tied to an identifier);
· User agent or such device information.

Sensitive data: None.

If sensitive data, the applied restrictions or safeguards: N/A

Frequency of the transfer: Continuous depending on the Agreement

Nature and subject matter of processing: Personal data transferred will be processed in accordance with the Agreement (including this Addendum) and may be subject to the following processing activities to the extent applicable:

1. Storage and other processing necessary to provide the Demand Services to PubMatic.
2. Disclosures in accordance with the Agreement and/or as compelled by applicable laws.

Duration of the processing: The duration of the data processing under the Addendum is until the termination of the Agreement in accordance with its terms plus the period from the expiry of the Agreement until deletion of the personal data by Demand Partner in accordance with the terms of the Agreement.

Purpose(s) of the data transfer and further processing: Providing the Demand Services to PubMatic as a processor (where applicable), including for the purposes of determining the amounts to bid on publisher inventory and bidding on advertising impression opportunities.

Retention period (or, if not possible to determine, the criteria used to determine that period): Upon termination or expiry of the Agreement, it shall (at PubMatic’s election) destroy or return to PubMatic all C2P Data (including all copies of the C2P Data) in its possession or control (including any data sub-contracted to a third party for processing), except to the extent that it or any approved sub-contractor is required by applicable law to retain some or all of the C2P Data, in which event it shall isolate and protect the C2P Data from further processing except to the extent required by such law.

 

Annex 1(C) Competent supervisory authority:

 

The competent supervisory authority: (i) in connection with Data protected by the GDPR, shall be determined in accordance with Clause 13 of the Standard Contractual Clauses; (ii) in connection with Data protected by the Swiss DPA, is the Federal Data Protection and Information Commissioner (FDPIC); and (iii) in connection with Data that is protected by UK Privacy Laws, is the Information Commissioners Office (the “ICO”).

 

 

Annex C

Description of C2P Data Processing

 

Technical and Organizational Measures

 

The technical and organizational measures implemented by Demand Partner (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are as follows:

Type of measure Terms
Measures of pseudonymisation and encryption of personal data Description of technical measures in place to prevent re-identification

·       Demand Partner has implemented data minimisation and privacy-by-design into its software development process to prevent personal data from being directly linkable to a data subject.  This includes measures such as truncating coordinates of geolocation data and removing the last octet from IP addresses.

·       Demand Partner only works with pseudonymized identifiers and has management and organizational controls are in place to prohibit internal teams, any relevant partners and subprocessors, from re-identifying data processing in connection with the Agreement.

·       If and when directly identifiable information were to be processed in connection with the services for addressability purposes, Demand Partner will ensure that industry standard cryptographic techniques are immediately applied to such data, including but not limited to, hashing, to help ensure data cannot be reidentified by unauthorised parties.

·       Advertising identifiers used by Demand Partner to track devices and deliver ads are not persistent; they are designed to deprecate within a reasonable time frame.

·       When activating/monetizing audiences, sensitive or directly identifiable personal data is not processed, but instead segment codes/deal codes are exchanged by the parties. Demand Partner does not process any actual characteristics about a data subject’s pseudonymized advertising ID.

Measures for ensuring ongoing confidentiality of processing systems and services

Description of measures in place to secure information stored on systems.

·       Demand Partner has implemented and maintains a written information security program and has implemented measures to ensure the integrity, availability and security of personal information, including regular vulnerability scans and endpoint protection.

·       Demand Partner limits the risk that personal data will be exposed by implementing a data retention schedule for systems that store personal data processed in connection with the Contract.

·       Operational, technical and management-level controls are in place that ensure end-user data processed by the platform cannot be linked to a natural person’s identity. Confidentiality terms with personnel. Security program that aligns to industry good practices.

Measures for ensuring ongoing integrity of processing systems and services

Demand Partner has implemented and maintains an information security program that contains administrative, technical and physical safeguards appropriate to protect against anticipated threats to, confidentiality and integrity of, and the unauthorized or accidental destruction, loss, access, acquisition, alteration or use of, personal data, and that meets (i) reasonable security practices applicable to Demand Partner’s industry; and (iii) any security requirements under the laws applicable to Demand Partner under applicable law.

Measures for ensuring ongoing availability and resilience of processing systems and services

Demand Partner maintains personal data availability and resilience through a variety of technical, physical, and administrative measures.

Examples of these measures include: tolerant infrastructure with geographically distinct availability zones for redundant data; secured and monitored operational sites; and, processes and policies for topics such as incident response and review, and vendor review.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

·       See response above.

·       Further measures include regular backups, business continuity readiness plans and disaster recovery plans.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

·       At least once annually, security measures relevant to the processing of personal data are reviewed and tested for alignment with industry good practices.

·       Security compliance has been integrated into Demand Partner’s product development practices, and the Demand Partner privacy, security and engineering teams collaborate regularly to ensure those standards are kept up to date.

Measures for user identification and authorisation

·       Demand Partner has in place procedures that comply with applicable law to authenticate requests from data subjects who have submitted a rights request.

·       Demand Partner has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized employees with a “need to know”.

·       Demand Partner has in place industry standard policies to ensure that unauthorized current and former personnel cannot improperly access systems that process personal data.

Measures for the protection of Data during storage

·       As per the Contract, personal data processed in connection with the services will not contain any sensitive personal information, and will be limited in scope, always pseudonymized (i.e., cookie ID, user agent information, etc.) and cannot be directly identified with a natural person by Demand Partner.

·       Data is only stored for as long as necessary for Demand Partner’s legitimate business purposes and is subject to a data retention schedule.

·       Personal data minimization procedures are in place with regard to personal data stored on Demand Partner’s systems (e.g., last octet of IP address is redacted, certain unique identifiers that are not needed for RTB are not logged, etc.)

Measures for ensuring physical security of locations at which personal data are processed

·       Facilities involved in the processing of personal data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, two-factor authentication, firewalls, and anti-malware. Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required in order to deliver advertising services under the Agreement.

·       Demand Partner provides personnel who access personal data with appropriate information security and data protection training. Demand Partner maintains appropriate physical security measures at each facility where personal data is processed, including authentication of all personnel who access data centres, IT equipment having physical barriers designed to prevent access by unauthorized individuals, and manned reception areas or logbooks with visitor entry/exit dates and times.

Measures for certification/assurance of processes and products

·       Demand Partner participates in industry certification and self-regulatory programs such as DAA, NAI Code of Practice, IAB TCF 2.0, and the IAB CCPA Compliance Framework.

Measures for ensuring data minimisation

·       Procedures are embedded in the system development process to minimize personal data collected and processed by the Demand Partner (e.g., truncation of IP address, stripping of personal data when an impression will be monetized using contextual ad-targeting, no data collection from unconsented or improperly consented impressions).

·       Demand Partner has a dedicated technical privacy specialist whose role is at least partly dedicated to reviewing the implementation of data minimization across the organization.

 

Measures for ensuring accountability

·       Demand Partner performs a data mapping exercise that complies with Article 30 of GDPR and has created a record of processing activity to ascertain the scope of personal data processing activities performed by the organization.

·       Demand Partner has implemented a privacy program that is appropriate to the scope and nature of personal data processed that includes a personal data breach policy, data protection and legitimate interest assessments (where appropriate), appointment of a data protection officer (DPO), and data protection controls such as privacy by design.

·       The foregoing measures are regularly reviewed (at least once annually) and updated to ensure alignment with applicable law and industry standards.

Measures for allowing data portability and ensuring erasure

·       Demand Partner has implemented and maintains procedures to ensure data portability and erasure that comply with data protection laws. Demand Partner has designated a data protection leader who is responsible for ensuring all requests from data subjects are reviewed and documented, including requests for erasure and copies of personal data, and that data subject requests are carried out timely and in accordance with law.