Demand Partner Master Services Agreement

This Demand Services Agreement (this “Agreement”) is entered into by and between the demand partner listed below (“Demand Partner”) and PubMatic, Inc., a Delaware corporation (on behalf of itself and its majority-owned subsidiaries), with offices at 3 Lagoon Drive, Suite 180, Redwood City, CA 94065 (“PubMatic”). The effective date of this Agreement shall be the date of the last signature below, or the one date specified to the extent that only one signature is dated (“Effective Date”).

Demand Partner Contact/Billing Information
Full Entity Name:
Place of Registration:
TaxID/VAT/GST:
Address:
Sales Contact:
Sales Title:
Sales Phone:
Sales Email:
Billing Contact:
Billing Phone:
Billing Email(s):
Currency: Demand Partner agrees that all payments made under this Agreement shall be in the following currency:

          
Minimum Fee: Subject to the terms and conditions of this Agreement, if Demand Partner’s spend for any calendar quarter during the Term is less than $100,000 (the “Minimum Fee”), then Demand Partner agrees that PubMatic shall have the right to charge Demand Partner the Minimum Fee for that quarter in lieu of actual fees otherwise due (prorated for partial quarters); provided, however, that PubMatic’s right to charge the Minimum Fee shall not commence until the second full calendar quarter following the Effective Date hereof.

 

  1. DEMAND SERVICES. Demand Partner hereby engages PubMatic to gain access to digital advertising inventory available through various sites, applications and other digitally-accessible platforms, materials or content whether existing before or after the Effective Date hereof that is provided by publishers (the “Publisher Inventory”) for the purposes of placing ad units and/or creative content provided by Demand Partner (the “Creative Content”) on such Publisher Inventory via PubMatic’s various demand service offerings (the “Demand Services”). The Demand Services include the underlying technology which provides the programmatic offerings, including the API (i.e., application programming interface) or SDK (i.e., software development kit) through which PubMatic’s real time bidding (“RTB”) service is accessible, but do not include Publisher Inventory or Creative Content. The RTB services also provide Demand Partner with the ability to submit multiple bids in a private marketplace corresponding to multiple pre-approved seats within that Demand Partner’s pool of buyers (including, agencies, trading desks, ad networks, advertisers and Demand Partner itself) (each a “Buyer”) for Publisher Inventory that may be offered on an exclusive, preferred, non-exclusive, guaranteed or non-guaranteed basis. For each private marketplace transaction between a Buyer and publisher, a Buyer and publisher shall agree directly on the terms of the transaction, including those governing inventory, pricing and other factors specific to the transaction.  In connection with the Demand Services, PubMatic reserves the right to choose whether to send bid requests to Demand Partner and/or to accept or reject individual bids submitted by Demand Partner to purchase Publisher Inventory via the Demand Services.  In the event individual bids submitted by Demand Partner are rejected by PubMatic, PubMatic will undertake commercially reasonable efforts to notify Demand Partner in advance.
  2. TERM; TERMINATION

    1. Term. The term of this Agreement shall begin as of the Effective Date and shall continue for consecutive twelve (12) month auto-renewing terms (collectively, the “Term”), unless terminated by either party upon at least thirty (30) days’ written notice prior to the then applicable 12-month term or unless otherwise terminated as set forth herein.
    2. Termination for Breach. Each party may terminate this Agreement for material breach by written notice, effective in thirty (30) days, unless the other party first cures such breach.
    3. Termination for Convenience.  Following the Initial Term, either party may terminate this Agreement for any reason (or no reason) at any time during the Term by written notice to the other party, effective in thirty (30) days from such party’s receipt of such notice.
    4. Effects of Termination. Sections 3, 5, 6(a), 6(c), 6(d), and 8 through 14 will survive termination of this Agreement.

  3. REPRESENTATIONS AND WARRANTIES.

    1. Mutual. Each party represents and warrants to the other party that (i) it has all necessary rights and authority to enter into, execute and perform its obligations under this Agreement; and (ii) the execution of this Agreement and the performance of its obligations hereunder do not and will not violate any applicable law or regulation, or agreement to which it is a party or by which it is otherwise bound.
    2. Demand Partner. Demand Partner represents and warrants to PubMatic that:
      1. the Creative Content (and any product or service which the Creative Content promotes), which it displays on the Publisher Inventory via the Demand Services, will not violate the ad quality policy located at https://pubmatic.com/legal/aq-policy/, including any applicable law or regulation, or contain infringing, indecent, obscene or pornographic material, hate speech, subject matter that a reasonable person would consider highly objectionable, any material which promotes illegal activities, or contain any material that consists of or incorporates malware, viruses or other potentially destructive or harmful computer programs or security threats (“Prohibited Content”);
      2. it has all necessary rights, waivers and permissions from advertisers to deliver all Creative Content to the Publisher Inventory;
      3. it will not  directly or indirectly collect or use any personally-identifiable information or personal data of any user of the properties containing the Publisher Inventory;
      4. it will not send personally-identifiable information or personal data to PubMatic through any cookies, statistical identifiers or persistent identifiers (collectively, “Identifiers”) or otherwise;
      5. it will not collect or drop any Identifiers on any publisher’s users where the Publisher Inventory is subject to the Children’s Online Privacy Protection Act of 1998, as amended (“COPPA”), or which Demand Partner otherwise knows is subject to COPPA, and for all other Publisher Inventory not subject to COPPA, it shall only collect or drop Identifiers when approved by PubMatic and for the purpose of informing its bids and performance tracking;
      6. it will cease collecting or dropping Identifiers and delete Identifiers promptly following PubMatic’s request;
      7. it will not authorize any third party to collect or drop Identifiers on any of PubMatic’s publishers’ users or otherwise synch with Demand Partner’s Identifiers;
      8. it shall use the Demand Services in compliance with the then applicable PubMatic privacy policy (https://pubmatic.com/privacy-policy.php ), including complying with the “opt-out” principles articulated in the Network Advertising Initiative’s then current code; and
      9. in the event that Demand Partner is a French company, has operations in France or provides advertisements targeted at French audiences, it is not an advertising agency, does not have any direct relationship with any advertisers and does not otherwise have any advertising mandates from any advertisers which require sellers of advertising inventory to invoice advertisers directly.EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, EACH PARTY SPECIFICALLY DISCLAIMS ANY REPRESENTATIONS OR WARRANTIES, CONDITIONS OR UNDERTAKINGS, EXPRESS OR IMPLIED, REGARDING ITS RESPECTIVE SERVICES OR PRODUCTS, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

  4. OBLIGATIONS OF DEMAND PARTNER.

    1. Demand Partner agrees: i) to comply with all block list requirements provided by PubMatic and its publishers; and ii) not to deliver unpaid public service announcements, blanks or Creative Content with incorrect attributes in response to an ad
    2. With respect to the RTB service only, Demand Partner will: (i) comply with the requirements of the RTB service technical specifications as updated from time to time; (ii) append the accurate advertisement landing page top level domain to each bid response that it issues to the RTB Service; and (iii) append the accurate ID number that applies to the Buyer (the ID number a “Buyer ID”) to each bid response that it issues to the RTB service. The Buyer ID may either be the number assigned within Demand Partner’s database or the one assigned by
    3. Demand Partner will fill impressions purchased or won via the Demand Services only with first party advertisements and will not, directly or indirectly, re-auction, re-sell or trade any impression purchased or won via the Demand Services to any third party, including, without limitation, any exchanges such as The Rubicon Project, Yahoo!, AppNexus Inc., Index Exchange, OpenX Technologies Inc. and Google Inc. and any of their respective affiliates, subsidiaries, successors and
    4. Demand Partner agrees that it will (i) comply with all applicable laws and regulations, (ii) undertake commercially reasonable efforts to comply with all applicable industry self-regulatory rules, codes and guidelines (including, without limitation and as applicable, the rules, codes and guidelines of the Interactive Advertising Bureau (IAB), the Network Advertising Initiative (NAI), the Digital Advertising Alliance (DAA) , COPPA; and the EU Data Protection Directive 95/46/EC and EU Directive 2002/58/EC, as implemented by relevant member states) (collectively, the “Applicable Privacy Requirements”) that relate to individual third party privacy and publicity , and (iii) be solely responsible for the operation of all web properties, and applications owned or operated by Demand Partner.  Demand Partner will include clear and conspicuous notices consistent with Applicable Privacy Requirements on its websites, mobile and tablet applications that (A) disclose (and, where legally required, obtain consent to) its practices with regard to Identifiers, targeting and online behavioral advertising, specifically addressing its data collection, use and disclosure practices (including the fact that by visiting Demand Partner’s website or mobile application, third parties may collect or place Identifiers on end user browsers or mobile applications; for this purpose, the types of data that may be collected for targeted advertising; the use of non-cookie technologies, such as statistical IDs, eTags and web cache; the use of cross-device technologies; and the fact that data collected may be used by third parties to target advertising on other sites or applications based on the end users’ online activity); and (B) inform users that they may opt-out of receiving targeted advertisements by visiting (i) the NAI website opt-out page located at http://www.networkadvertising.org/choices/, the DAA opt-out page located at http://www.aboutads.info/choices or for EU users, the EDAA opt-out page located at http://youronlinechoices.eu/, to opt out of interest-based advertising in web browsers through the use of cookies; (ii) the DAA’s AppChoices tool located at http://www.aboutads.info/choices, to opt out of interest-based advertising in mobile applications through the use of mobile advertising identifiers; (iii) the PubMatic opt-out page located at https://pubmatic.com/opt-out, to opt out of interest-based advertising in mobile applications and the mobile web through the use of statistical identifiers; and (iv) the links above for web browsers, mobile applications and statistical identifiers on each of the end user’s browsers and on each of the end user’s mobile devices, to opt out of cross-device targeting.PUBMATIC WILL HAVE NO LIABILITY IN CONNECTION WITH, AND DEMAND PARTNER SHALL INDEMNIFY, DEFEND AND HOLD PUBMATIC HARMLESS WITH RESPECT TO, DEMAND PARTNER’S FAILURE TO PROVIDE NOTICES REQUIRED BY APPLICABLE LAW TO END USERS, INCLUDING REGARDING ITS PRIVACY PRACTICES OR FOR DEMAND PARTNER’S COLLECTION, USE OR DISCLOSURE OF INFORMATION OR DATA IN CONNECTION WITH THIS AGREEMENT.
    5. The EU Data Sharing Addendum attached hereto shall form part of this Agreement and its terms are hereby incorporated in the Agreement by
    6. The US State Privacy Law Data Processing Addendum located at https://pubmatic.com/legal/us-data-processing-addendum/shall form part of this Agreement and its terms are hereby incorporated in the Agreement.

  5. OWNERSHIP. PubMatic retains all right, title and interest in and to the Demand Services, its databases, and all data or materials it provides or makes available to Demand Partner, including all enhancements, modifications or derivative works thereto and all proprietary rights, copyrights and other intellectual property rights therein. Demand Partner may not use the Demand Services except pursuant to the terms and condition of this Agreement, or challenge PubMatic’s ownership rights set forth Demand Partner will not directly or indirectly reverse engineer, copy, disassemble, reconstruct or decompile the Demand Services or any aspect or portion thereof or technology related thereto, or alter or remove any identification, trademark, brand or notice from the Demand Services.
  6. DATA RIGHTS & RESTRICTIONS.

    1. PubMatic Data. PubMatic is the exclusive owner of all right, title and interest in and to the PubMatic Data. “PubMatic Data” shall mean all data PubMatic passes to Demand Partner through cookie synchs, bid streams, macros or otherwise, including without limitation audience, contextual, impression and site-related data, as well as bid request, bid response and bid notification data and bidding
    2. Use of PubMatic Data. Provided that Demand Partner does not merge any PubMatic Data with personally-identifiable user information, Demand Partner shall have the right to use and share (to the extent permitted herein) the PubMatic Data solely for the following limited purposes during the Term of this Agreement:
      1. to determine amounts to be bid through the Demand Services;
      2. to disclose aggregate statistics about purchases made through the Demand Services in a manner that does not reveal or individually identify any publisher, any publisher sites, or site data;
      3. to perform its obligations under this Agreement; and
      4. if and as required by court order, law or governmental or regulatory agency (provided, that Demand Partner uses commercially reasonable efforts to give PubMatic prior reasonable notice of such required disclosure (if permitted by law) in order that PubMatic may seek a protective order or the equivalent, at PubMatic’s expense).
    3. Demand Partner Data. Demand Partner and/or a client of Demand Partner, as applicable, is the exclusive owner of all right, title and interest in and to the Demand Partner Data. “Demand Partner Data” shall mean all data Demand Partner collects independently of PubMatic after an ad impression is served to the user’s browser as well as Demand Partner’s ad server reporting. Demand Partner Data does not include PubMatic Data.
    4. Use of Demand Partner Data. PubMatic shall have the right to use and share the Demand Partner Data solely for the following limited purposes during and after the Term of this Agreement:
      1. accounting and discrepancy management;
      2. billing and payment of its clients and business partners;
      3. inclusion within PubMatic’s publisher reporting and user interface;
      4. performance of its obligations under this Agreement;
      5. enhancement and improvement of the Demand Services; and
      6. if and as required by court order, law or governmental or regulatory agency (provided, that PubMatic uses commercially reasonable efforts to give Demand Partner prior reasonable notice of such required disclosure (if permitted by law) in order that Demand Partner may seek a protective order or the equivalent, at Demand Partner’s expense).
    5. Use of Third-Party Data. Demand Partner may utilize third-party data providers with whom it has an independent contractual relationship, provided such data providers have been approved by PubMatic for Demand Partner use (“DP Data Provider”), or third-party data providers with whom PubMatic has a contractual relationship (“PubMatic Data Provider”) in connection with the Demand Services. Demand Partner will be responsible for any fees associated with a DP Data Provider. If Demand Partner opts to use a PubMatic Data Provider, PubMatic will charge Demand Partner directly for any applicable If Demand Partner opts to use a DP Data Provider, Demand Partner shall pay such DP Data Provider directly for any fees accrued hereunder for such data provider. In no case shall PubMatic be responsible or liable for any data provided by a DP Data Provider and Demand Partner shall indemnify, defend and hold harmless PubMatic its officers, directors, employees, shareholders, affiliates, representatives and agents from any losses related directly or indirectly to data provided by a DP Data Provider.

  7. USE OF MARKS; PUBLICITY. During the Term, Demand Partner grants PubMatic a limited, fully paidup, non-exclusive, non- transferrable right and license to use Demand Partner’s name, marks and logos (collectively, the “Demand Partner Marks”) in marketing materials, in group press releases with other customers, on PubMatic’s website, and to identify Demand Partner as a customer or user of the Demand Services in connection with providing the Demand Services hereunder. Demand Partner shall not use PubMatic’s name, logos or other marks without PubMatic’s prior written consent. Either party may issue a press release announcing the business relationship between the parties, upon written consent of the other party.
  8. PRICING; PAYMENT TERMS.

    1. PubMatic shall determine the winning bid price based on an auction taking into account bid responses, floor prices and fees to provide the auction. The price charged to Demand Partner shall not exceed the amount bid or otherwise agreed by Demand Partner.
    2. Credit limits and payment terms are subject to credit approval by PubMatic. Demand Partner agrees that it will make available to PubMatic information reasonably requested from time to time to facilitate a credit check. PubMatic may suspend participation in the Demand Services (i) if Demand Partner fails to meet credit or financial requirements established by PubMatic (including any prepayment obligations or limitations on allowable credit) and/or (ii) until all overdue invoices and interest are paid.
    3. Demand Partner will (i) pay all taxes (including excise, sales, use, consumption or value-added taxes), customs or import duties, or any other taxes, levies, tariffs, duties or governmental fees that are due or payable in connection with this Agreement (“Taxes”), with the exception of taxes on PubMatic’s net income, and (ii) to the extent that Demand Partner is required to pay or withhold any Taxes in connection with this Agreement, Demand Partner will gross up the payment owed to PubMatic such that PubMatic shall receive the same amount as if such Taxes had not applied. Each party agrees to cooperate in good faith with respect to reasonable requests from the other party regarding Tax-related forms, documentation or other information relating to this Agreement that may be necessary or appropriate.
    4. PubMatic shall monitor the quality of the Publisher Inventory by the use of proprietary tools and/or services of reputable third- party vendors which provide scoring and monitoring capabilities focused on inventory fraud. Demand Partner shall promptly inform PubMatic to the extent that it detects high levels of suspicious activity with respect to particular domains in the Publisher Inventory. PubMatic shall provide a credit to the Demand Partner for any “Noncompliant Impression” (as defined below) served by PubMatic through the Demand Services, provided that the following preconditions are met: (i) the Demand Partner is actively using an MRC-accredited inventory quality provider; (ii) the pertinent impressions are reported in writing to PubMatic no later than thirty (30) days after the close of the month during which the pertinent impressions were served; (iii) the written report must include the relevant timeframe and type of the suspicious activity, number of impressions marked as suspicious, and spend for such impression for each unique publisher ID and domain URL, as well as any additional information reasonably requested by PubMatic; (iv) PubMatic verifies in good faith that the relevant impressions are suspect traffic or were served in error by PubMatic; (v) the credit cannot exceed the total winning bid prices for the fraudulent impressions; and (vi) the total credit requested for the month exceeds $500 USD. “Noncompliant Impression” shall mean an impression which is deemed to be fraudulent, based on the relevant scoring by the MRC accredited vendor. For the avoidance of doubt, no makegood shall apply to viewability or brand safety issues. The provisions of this Section 8(d) provide the sole and exclusive remedy of Demand Partner, and the sole and exclusive obligation of PubMatic, with respect to any quality issues regarding Publisher Inventory.
    5.  Payment shall be due within thirty (30) days after the close of each calendar month by electronic transfer for the aggregated winning bid prices from the previous month specified in the applicable invoice. Payments due are based on PubMatic measurements for the applicable calendar month and payments due for guaranteed campaigns shall be no less than the prorated campaign amount for such month unless otherwise determined by PubMatic. All transactions hereunder will be conducted in U.S. Dollars and aggregated at the end of each month based on Pacific Time zone. When invoices are payable in a currency other than U.S. Dollars, the exchange rate shall be calculated using a month-end exchange rate. Late payments will be subject to interest charges of 1.5% per month (or the highest rate permitted by law, if less), and Demand Partner will pay all out-of- pocket expenses and attorneys’ costs incurred by PubMatic in collecting late payments.

  9. CONFIDENTIALITY. Except as expressly permitted in this Agreement, each party shall treat as proprietary and shall maintain in strict confidence all Confidential Information of the other party and shall not, without the express prior written consent of such other party, use such Confidential Information except in furtherance of its obligations hereunder; provided, however, that Demand Partner may share limited Confidential Information of PubMatic with Demand Partner’s Buyers of Publisher Inventory on PubMatic’s platform solely to the extent necessary to make purchases or bids of such inventory and PubMatic may share limited Confidential Information of Demand Partner with PubMatic’s independent contractors in connection with performing Demand Services under this Agreement, in each case as long as the receiving party has ensured that such third parties have signed an agreement in content similar to the provisions set forth in this Section or are otherwise legally obligated not to disclose such Confidential Information. “Confidential Information” shall mean any information of the disclosing party which is, or should reasonably be understood to be, confidential or proprietary to the receiving party, including, but not limited to information related to a party’s: (i) technical know- how, technological innovations, operations, financial status, or sales and business plans and strategies, (ii) trade secrets, patent applications, or other intellectual property and (iii) data and reporting available in user interfaces, in each case disclosed between the parties, either directly or indirectly, in writing, drawing, orally or electronically. For purposes of clarification, (1) Demand Partner Data is Confidential Information of Demand Partner and (2) PubMatic Data is Confidential Information of PubMatic. Notwithstanding the foregoing, Confidential Information shall not include information which the receiving party can demonstrate:
    (a) is known to the receiving party at the time of the disclosure; (b) has become publicly known through no wrongful act of the receiving party; (c) has rightfully been received from a third-party without a known obligation of confidentiality; or (d) is independently developed by the receiving party without the use of Confidential Information of the disclosing party. The foregoing obligations will not restrict either party from disclosing Confidential Information of the other party: (x) pursuant to the order or requirement of a court, administrative agency, or other governmental body, provided that the party required to make such a disclosure gives reasonable notice to the other party in order that the disclosing party may act to prevent or restrict the ordered disclosure; or
    (y) on a confidential basis to its legal or financial advisors. The terms of this Agreement shall be the Confidential Information of PubMatic.
  10. NON-SOLICITATION. During the Term and for one (1) year thereafter, neither party will not, directly or indirectly, solicit for employment or consulting services any person who was employed by the other party at any time during the Term of this Agreement, if the identity of such employee or consultant was shared or made known in connection with this Agreement; provided, however, that this section shall not prevent either party from soliciting for employment or consulting services any person who first responds to a general advertisement for a position with such party.
  11. INDEMNIFICATION. PubMatic agrees to indemnify, defend and hold harmless Demand Partner and its officers, directors, shareholders, corporate affiliates, successors and assigns from and against any third party claim, suit, demand or proceeding (“Claim”) against any such persons or entities arising out of, related to, or alleging (a) infringement of any copyright or trademark of a third party by the Demand Services, (b) any violation by PubMatic of applicable privacy laws, or (c) any material breach by PubMatic of its obligations, representations or warranties under this Agreement. Demand Partner agrees to indemnify, defend and hold harmless PubMatic and its officers, directors, shareholders, corporate affiliates, successors and assigns from and against any Claim against any such persons or entities arising out of, related to, or alleging (i) any violation by Demand Partner of applicable privacy laws, (ii) infringement or misappropriation of any intellectual property right of a third party by the Creative Content (or any product or service relating to the Creative Content), or (iii) any material breach by Demand Partner of its obligations, representations or warranties under this Agreement. In all cases in which a party seeks indemnification and/or defense hereunder, the indemnified party shall provide the indemnifying party with prompt written notice of such Claim, reasonable cooperation and assistance to the indemnifying party in connection with such Claims, and full control and authority to investigate, defend and settle such claims; provided, however, that settlements shall require prior approval by the indemnified party (which approval shall not be unreasonably withheld or delayed). If any of the Demand Services becomes, or in PubMatic’s opinion is likely to become, the subject of an infringement claim under this Agreement, PubMatic may, at its sole option and expense, either (x) procure for Demand Partner the right to continue using the applicable Demand Services, (y) replace or modify the applicable Demand Services so that they become non-infringing, or (z) solely if clauses (x) and (y) are not commercially practicable, terminate this Agreement. Notwithstanding the foregoing, PubMatic will have no obligation with respect to any infringement claim based upon (1) any use of the Demand Services not in accordance with this Agreement, (2) any use of the Demand Services in combination with other products, equipment, or software not supplied by PubMatic as part of the Demand Services, or (3) any modification of the Demand Services by any person other than PubMatic or its authorized agents or THIS SECTION STATES EACH PARTY’S ENTIRE LIABILITY, AND THE OTHER PARTY’S SOLE AND EXCLUSIVE REMEDY, FOR INTELLECTUAL PROPERTY INFRINGEMENT CLAIMS AND ACTIONS.
  12. LIMITATION OF LIABILITY. EXCEPT WITH RESPECT TO EITHER PARTY’S PAYMENT, CONFIDENTIALITY AND INDEMNIFICATION OBLIGATIONS, AND FRAUD AND WILLFUL MISCONDUCT, IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY UNDER THIS AGREEMENT EXCEED THE GREATER OF (A) THE ACTUAL AMOUNTS PAID BY DEMAND PARTNER TO PUBMATIC UNDER THIS AGREEMENT IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE CLAIM AND (B) US$1,000,000. NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN, IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR SPECIAL DAMAGES (INCLUDING LOST PROFITS, LOSS OF USE, OR LOST DATA), EVEN IF THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DEMAND PARTNER ACKNOWLEDGES AND AGREES THAT PUBMATIC IS NOT RESPONSIBLE OR HELD LIABLE FOR ANY ACTS OR OMISSIONS OF ANY PUBLISHER WHO TRANSACTS DIRECTLY WITH DEMAND PARTNER IN CONNECTION WITH THE DEMAND SERVICES.
  13. CHOICE OF LAW & VENUE. This Agreement shall be construed and interpreted under the laws of the State of New York, without giving effect to California’s principles of conflict of laws. The parties hereby submit to the exclusive jurisdiction of, and waive any venue objections against the state and federal courts located in the Borough of Manhattan, New York in any dispute arising under or in connection with this Agreement.
  14. MISCELLANIOUS. This Agreement constitutes the entire agreement between the parties and supersedes all preceding agreements or communications with respect to the subject matter hereof. Except as explicitly set forth herein, this Agreement shall not be modified except by a written agreement between the parties. The failure of either party to enforce strict performance by the other party of any provision of this Agreement or to exercise any right hereunder shall not be construed as a waiver of that party’s right. In the event that any provision of this Agreement is held invalid by a court with jurisdiction over the parties, such provision shall be deemed to be restated to reflect as nearly as possible the original intentions of the parties in accordance with applicable law, and the remainder of this Agreement shall remain in full force and effect. The rights and obligations of each party under this Agreement shall not be assigned without the prior written approval of the other party, which approval shall not be unreasonably withheld; provided, however, that either party may assign this Agreement without such consent to a corporate affiliate or in connection with a change of control or sale of substantially all of its assets, subject to the assigning party providing prior written notice of such assignment; and provided further that PubMatic may assign its rights under this Agreement, in part, to a PubMatic publisher in PubMatic’s sole discretion upon such publisher’s reasonable request. Any attempted assignment without consent where consent is required shall be void. Subject to the foregoing, each party’s rights and obligations shall inure to the benefit of their respective successors and permitted assigns. Except as otherwise expressly provided in this Agreement, there shall be no third party beneficiaries to the Agreement (including without limitation any Buyer or other advertiser, agency or client of Demand Partner). This Agreement may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. This Agreement may be executed via a recognized electronic signature service (e.g., EchoSign or DocuSign) or delivered by facsimile transmission, or may be signed, scanned and emailed, and any such signatures shall be treated as original signatures for all applicable purposes. Any notices given under this Agreement shall be deemed to be effectively given (i) when delivered personally, (ii) five (5) days after being placed in the mail, postage prepaid, certified or registered mail, or (iv) upon confirmation of delivery after being sent via express courier, mail or email, in each case, to the recipient’s address specified in this section or such other address as specified by the parties in writing, with a copy sent to the attention of General Counsel for notices to PubMatic.

IN WITNESS WHEREOF, Demand Partner and PubMatic have entered into this Agreement by their duly authorized representatives.

PubMatic, Inc. December 2019
Signature: Signature:
Name: Name:
Title: Title:
Date: Date:

 

PubMatic EU Data Sharing Addendum for Demand Partners

This Demand Partner Data Processing Addendum (the “Addendum“) forms part of the Contract(s) (defined below) between PubMatic, Inc. (“PubMatic“) and the party identified in the original governing agreement (“Demand Partner“). Capitalized terms used in this Addendum shall have the meanings given to them in the main body of the Contract(s) unless otherwise defined in this Addendum.

Introduction

  1. PubMatic is a provider of a supply-side platform, a technology platform which engages in the provision of auction or facilitation of purchases of digital advertising inventory. Demand Partner is a provider of a demand-side platform, ad exchange, advertiser, agency, agency trading desks or ad network which uses a technology platform or similar technology to engage in the buying of digital advertising inventory.
  2. PubMatic and Demand Partner have entered into a master contract, or other such governing contract, together with one or more connected statements of work, purchase orders, contracts and/or agreements (collectively the “Contract(s) or “Agreement(s)”), under which Demand Partner may purchase digital advertising inventory via PubMatic’s demand services (the “Demand Services”).
  3. PubMatic (and/or its publisher customer) is a controller of certain personal data that it wishes to share with Demand Partner, in connection with the performance of PubMatic’s obligations under the Contract(s).
  4. The parties have entered into this Addendum to ensure that in sharing such personal data pursuant to the Contract(s), they both comply with Applicable Privacy Law, with full respect for the fundamental data protection rights of the data subjects whose personal data will be processed.

 IT IS AGREED:

  1. Definitions:
    1. controller“, “processor“, “data subject“, “personal data“, “processing” (and “process“) and “special categories of personal data” shall have the meanings given in Applicable Privacy Law;
    2. Applicable Privacy Law” means any and all applicable privacy and data protection laws including, where applicable, European Data Protection Law (as may be amended or superseded from time to time);
    3. European Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”);  (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any and all applicable national implementations of (i)  or (ii); (iv) in respect of the United Kingdom, GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 the (together, “UK Privacy Law“); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA“), in each case as may be amended or superseded from time to time;
    4. Europe” means, for the purposes of this Addendum, the European Economic Area (EEA), the United Kingdom and Switzerland;
    5. Industry Protocol” means the Transparency and Consent Framework developed by the IAB Europe, its policies, its global vendor list and specifications and/or any other mutually agreed upon industry protocols, as amended and updated from time to time;
    6. Privacy Shield” means the Swiss-US and EU-US Privacy Shield Frameworks, as operated by the U.S. Department of Commerce (as amended, superseded or replaced);
    7. Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded or replaced);
    8. Restricted Transfer” means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK Privacy Law applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
    9. Security Incident” means any event which resulted in, or which if successful would have resulted in, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Data (as defined in Section 2 herein) while in the custody or control of the Demand Partner, its affiliates, agents, subcontractors, processors or sub-processors, as applicable.
    10. Standard Contractual Clauses” means the standard contractual clauses and its appendices in European Commission Implementing Decision (EU) 2021/91 of 4 June 2021 relating to transfers of personal data to third countries pursuant to Regulation (EU) 2017/679 and any successor clauses issued from time to time by the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction, in each case, in relation thereto, completed in accordance with the terms of this Addendum. .
    11. UK Addendum” means the International Data Transfer Addendum (version B1.0) to the EU Commission Standard Contractual Clauses issued by UK Information Commissioners Office under S.119(A) of the UK Data Protection Act 2018, as amended, superseded or replaced from time to time.
  2. Processing Description In connection with the Demand Services, PubMatic will submit to Demand Services and/or Demand Partner may otherwise collect or receive certain PubMatic Data, including (but not limited to) in bid requests submitted to Demand Partner. Demand Partner acknowledges that such PubMatic Data (as described in the Contract(s)) may contain personal data, as more particularly described in Annex B, under the separate headings “C2C Data and “C2P Data” (collectively, the “Data“).
  3. Controller Terms applicable to Controller to Controller Data
    1. Demand Partner agrees that it shall (and shall ensure that its affiliates, agents, subcontractors, processors, sub-processors, buyers, partners, customers, clients, or  any other third party using its Demand Services or whose purchasing of digital advertising inventory may be enabled by the Demand Services) only process and collect the “C2C Data” solely for the purposes expressly permitted under the Contract(s) and in a manner that complies with Applicable Privacy Laws, the Contract(s) and where applicable, the Industry Protocol (collectively and individually, the “Permitted Purposes“).
    2. Relationship of the parties: The parties acknowledge that PubMatic is a controller of the C2C Data it discloses to Demand Partner, and that Demand Partner will process the C2C Data as a separate and independent controller strictly for the Permitted Purpose. In no event will the parties process the C2C Data jointly as joint controllers.
    3. Compliance with law: Each party shall be individually and separately responsible for complying with the obligations that apply to it as a controller under Applicable Privacy Law.  Without limitation to the foregoing, each party shall maintain a publicly accessible privacy policy on its website that satisfies the transparency disclosure requirements of Applicable Privacy Law.
    4. Consent Signals: Demand Partner shall (and shall ensure that its affiliates, agents, subcontractors, processors, sub-processors, buyers, partners, customers, clients, or  any other third party using its Demand Services or whose purchasing of digital advertising inventory may be enabled by the Demand Services) honor all “consent”, “no consent” and “opt-out” signals received from PubMatic (or any of its publisher clients or other controllers enabled by PubMatic through the Demand Services) in compliance with Applicable Privacy Laws and where applicable, the Industry Protocol.
    5. Deletion: Demand Partner will not, and will not permit any third party, to retain the C2C Data for longer than the period during which the Demand Partner has a legitimate need to retain the Data the Permitted Purposes and in compliance with Applicable Privacy Law.
  4. Processor Terms applicable to C2P Data: Demand Partner acknowledges and agrees that: (i) it shall process the C2P Data as a processor on behalf of PubMatic (whether itself the controller or acting on behalf of a third party controller); and (ii) to the extent such C2P Data is protected by European Data Protection Law, then the Demand Partner agrees to comply with the additional terms set out in Annex A of this Addendum.
  5. Standard Contractual Clauses
    1. General: Demand Partner agrees to abide by and process C2C Data and “C2P Data” protected by European Data Protection Law in accordance with the Standard Contractual Clauses, which shall be incorporated into and form an integral part of this Addendum. The terms of the Standard Contractual Clauses will apply where the applicable transfer of C2C or C2P Data is a Restricted Transfer. The parties agree that PubMatic is the Data Exporter and that Demand Partner is the Data Importer in respect of the Standard Contractual Clauses and any of the transfers described in this Section 4.
    2. Where Demand Partner Processes Personal Data as a controller pursuant to the Agreement: The parties agree that the Standard Contractual Clauses shall apply as follows:  (i) Module One will apply; (ii) In Clause 7, the optional docking clause will apply; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the EU SCCs shall be governed by the laws of Ireland; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex B below (“C2C Transfers”) to this Addendum; (vii) for the purposes of Clause 8.5(a), (b) and (c), as well as Annex II of the EU SCCs, the parties agree to the security measures described in Annex C to this Addendum; and (viii) for the purposes of Clause 8.5 (d), (e) and (f), where Demand Partner is required by a respective clause in the Standard Contractual Clauses or is otherwise legally compelled to notify the data subjects or the competent supervisory authority of a personal data breach, Demand Partner will first provide PubMatic with the details of the notification permitting PubMatic to have prior written input into the respective notification, where PubMatic desires to do, and without delaying the timing of the notification unduly.
    3. Where Demand Partner Processes Personal Data as a processor as described in the Agreement: (i) Module Two will apply; (ii) In Clause 7, the optional docking clause will apply; (iii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be 30 days; (iv) in Clause 11, the optional language will not apply; (v) in Clause 17, Option 1 will apply, and  EU SCCs shall be governed by the laws of Ireland; (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vii) Annex I of the  EU SCCs shall be deemed completed with the information set out in Annex B (“C2P Transfers”) to this Addendum; and (viii) For the purposes Clause 8.6(a), as well as Annex II of the EU SCCs, the parties agree to the security provisions contained in Annex C of this Addendum.
    4. Data Processing Protected by UK Privacy Laws: In relation to the Processing of Data that is protected by UK Privacy Laws, the Standard Contractual Clauses as implemented in accordance with Sections 5 (b) and (c) above shall also apply, but as modified and interpreted by Part2: Mandatory Clauses of the UK Addendum. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annexes B and C to this Addendum and Table 4 in Part 1 shall be deemed completed by selecting “neither party”.
    5. Data Processing  protected by the Swiss DPA: In relation to the Processing of Data that is protected by the Swiss DPA, the Standard Contractual Clauses as implemented in accordance with Sections 5(b) and (c) above shall also, with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”; (iv) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (v) Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner; (vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; (vii) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of  Switzerland; and (viii) Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
  6. General Terms applicable to all Data
    1. Non-disclosure: Demand Partner will not disclose the Data to any third party without PubMatic’s prior written consent except: (i) where necessary for processing purposes expressly permitted under this Addendum; (ii) as permitted or to the extent required pursuant to the Contract(s); or (iii) where required by applicable law.
    2. Subcontracting: Demand Partner may appoint third party processors to process Data for the purposes expressly permitted under this Addendum, provided that such processors: (a) agree in writing to process Data in accordance with Demand Partner’s documented instructions; (b) implement appropriate technical and organizational security measures that are at least as protective as those described in Annex C (where applicable)  to protect the Data against a Security Incident; and (c) otherwise provide sufficient guarantees that they will process the Data in a manner that will meet the requirements of Applicable Privacy Law and this Addendum.
    3. Security: Demand Partner shall implement appropriate technical and organizational measures that are at least as protective as those described in Annex C (where applicable)  to protect the Data from Security Incidents (“Security Measures“).  Such Security Measures shall at a minimum comply with the requirements of Applicable Privacy Laws.  In the event that Demand Partner suffers a Security Incident, it shall notify PubMatic without undue delay and both parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
    4. International transfers: Where European Data Protection Law applies to the Data, the Demand Partner shall not process any such Data (nor permit any Data to be processed) in a territory outside of Europe (whether directly or via onward transfer) unless it has taken such measures as are necessary to ensure the transfer is in compliance with European Data Protection Law (including such measures as may be communicated by PubMatic to Demand Partner from time to time) and this Addendum.
    5. Privacy Shield: For so long as PubMatic is certified under the Privacy Shield and where Demand Partner processes any Data protected by PubMatic’s Privacy Shield certification, Demand Partner agrees to provide the same level of protection for such Data as is required by the Privacy Shield Principles. Demand Partner shall notify PubMatic if it makes a determination that it can no longer provide such protection and in such event, shall cease processing or take other reasonable and appropriate steps to remediate, (if remediable) any processing until such time as the processing meets the level of protection as is required by the Privacy Shield Principles.
    6. Transfer arrangements: To the extent that PubMatic adopts a data export mechanism not described in this Addendum (including any new version of or successor to the Standard Contractual Clauses pursuant to applicable European Data Protection Law) for the transfer of Data (“Alternative Transfer Mechanism“), such Alternative Transfer Mechanism shall apply instead of any mechanism described in this Addendum. Notwithstanding anything to the contrary, an Alternative Transfer Mechanism shall only apply to the extent that it complies with Applicable Privacy Law applicable to the country where the processing activities take place. Demand Partner agrees to execute any document and take any appropriate action as reasonably necessary to give effect to such Alternative Transfer Mechanism.
    7. Cooperation and data subject rights: In the event that either party receives: (i) any request from a data subject to exercise any of its rights under Applicable Privacy Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data (collectively, “Correspondence”) then, where such Correspondence relates to processing conducted by the other party, it shall promptly inform the other party and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfil their respective obligations under Applicable Privacy Law.
    8. Change in Law: Notwithstanding anything to the contrary in the Contract(s) or this Addendum, in the event of a change in Applicable Privacy Law or a determination or order from a supervisory authority or competent court affecting this Addendum or any processing activities under this Addendum, PubMatic may, in its sole discretion, amend this Addendum as reasonably necessary to ensure continued compliance with Applicable Privacy Law or compliance with any such orders.
    9. Survival: This Addendum shall survive termination or expiry of the Contract(s).  Subject to the terms of Annex A with respect to Demand Partner’s processing of C2P Data, upon termination or expiry of the Contract(s), Demand Partner may continue to process the Data provided that such processing complies with the requirements of this Addendum and Applicable Privacy Law.
    10. Miscellaneous: This Addendum shall be governed by and construed in all respects in accordance with the governing law and jurisdiction provisions set out in the Contract(s), unless required otherwise by Applicable Privacy Laws.  With effect from the effective date of the Contract(s), this Addendum shall be deemed a part of and incorporated into the Contract(s) so that references in the Contract(s) to the “Agreement” shall be interpreted to include this Addendum.  Except for the changes made by this Addendum, the Contract(s) shall remain unchanged and in full force and effect.  In the event of any conflict or inconsistency between this Addendum and any other term or terms of the Contract(s), this Addendum shall prevail in respect of the subject matter (i.e. the protection of personal data).  This Addendum may be executed: (i) in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement; and (ii) via a recognized electronic signature service or delivered by facsimile transmission, or may be signed, scanned and emailed, and any such signatures shall be treated as original signatures for all applicable purposes.  It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses. Accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Contract(s), including this Addendum, the Standard Contractual Clauses shall prevail to the extent of such conflict. The parties further agree this Addendum (with any commercially sensitive information redacted) may be shared with the US Department of Commerce on request.

Annex A

Processor Terms

Demand Partner agrees:

  1. it will process the C2P Data (and ensure that any persons authorized by the Demand Partner to process C2P Data (“Authorized Persons“) process the C2P Data) in accordance with PubMatic’s (or the third-party controller’s) documented lawful instructions, except where otherwise required by applicable law;
  2. it shall only process C2P Data for the purposes described in and in accordance with Annex B (C2P Transfers);
  3. it shall ensure that Authorized Persons are subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person who is not under such a duty of confidentiality to process the C2P Data. Demand Partner shall ensure that all Authorized Persons process the C2P Data only as necessary for the purposes described in Annex B (C2P Transfers);
  4. it shall not sub-contract any processing of the C2P Data to a third-party processor without the prior written consent of PubMatic and shall remain liable for any breach of this Addendum as it relates to C2P Data that is caused by or results in connection with an act, error or omission of its sub-contractor. If PubMatic refuses to consent to Demand Partner’s appointment of a third party sub-contractor on reasonable grounds relating to the protection of the C2P Data, then the parties shall discuss such concerns with a view to achieving a commercially reasonable resolution.  PubMatic hereby consents to Demand Partner engaging sub-contractors to process C2P Data on behalf of Demand Partner provided that (i) Demand Partner has provided a list of its current sub-contractors prior to the date of the execution of the Contract(s) and this Addendum and thereafter, provides at least 30 days prior notice of the addition or removal of any subcontractor (including details of the processing it performs or will perform); and (ii) Demand Partner imposes data protection terms on any subcontractor it appoints that protect the C2P Data to the same standard required of Demand Partner in respect of all C2P Data processed by Demand Partner pursuant to this Addendum;
  5. it shall permit PubMatic (or its third-party auditors) to audit Demand Partner’s compliance with Applicable Privacy Law and this Addendum in respect of C2P Data processing, and shall for these purposes make available to PubMatic all information, equipment, personnel or premises reasonably necessary for PubMatic (or its appointed third-party auditors) to conduct such audit;
  6. upon becoming aware of a Security Incident involving C2P Data, Demand Partner shall inform PubMatic without undue delay and provide all reasonable co-operation and assistance in accordance with and as more fully described in Section 6 (c) (“Security“) of this Addendum;
  7. to implement appropriate technical and organizational measures that are at least as protective as those described in Annex C to this Addendum;
  8. if PubMatic is required by Applicable Privacy Law to conduct a data protection impact assessment in respect of the Demand Services, Demand Partner shall provide all information reasonably requested by PubMatic in connection with such assessment and provide cooperation and assistance in connection with any consultation PubMatic is required to undertake with any data protection supervisory authorities;
  9. upon termination or expiry of the Addendum, it shall (at PubMatic’s election) destroy or return to PubMatic all C2P Data (including all copies of the C2P Data) in its possession or control (including any data sub-contracted to a third party for processing), except to the extent that it or any sub-contractor is required by applicable law to retain some or all of the C2P Data, in which event it shall isolate and protect the C2P Data from further processing except to the extent required by such law; and
  10. to assist PubMatic in connection with the fulfilment of PubMatic’s obligation to respond to data subject requests to exercise their rights under European Data Protection Law.

Annex B

Description of Processing Activities/ Transfer

Annex 1(A) List of Parties:

 

Data Exporter Data Importer
Name: PubMatic, Inc. Name: Demand Partner
Address:  601 Marshall Street

Redwood City, California 94063, USA

 Address: As identified in the Agreement.
Contact Person’s Name, position and contact details: Data Protection Officer, reachable at dpo@pubmatic.com , Privacy Officer, reachable at privacy@pubmatic.com Contact Person’s Name, position and contact details: As identified in the Agreement.
Activities relevant to the transfer:  See Annex 1(B) below Activities relevant to the transfer: See Annex 1(B) below
Role: Controller Role: Controller (C2C Data) / Processor (C2P Data)

 

 

 

Annex 1(B) Description of processing / transfer:

 

C2C Data

 

  Description
Categories of data subjects: End users of the publisher properties covered by the Demand Services or end users viewing ads delivered to PubMatic’s publisher customer’s properties.
Categories of personal data: To the extent applicable, may include:

·       Identifiers: cookie and mobile Ad identifiers (such as IDFA, ADID, GPID etc.,), IP address, data that could be used for fingerprinting, latitude and longitude, GPS location;

·       Demographic information: location,  age range, gender, other publisher-specified demographics (tied to an identifier);

·       User agent or such device information.
Sensitive data: None.
If sensitive data, the applied restrictions or safeguards[1] N/A
Frequency of the transfer: Continuous depending on the Agreement
Nature and subject matter of processing: Personal data transferred will be processed in accordance with the Agreement (including this Addendum) and may be subject to the following processing activities, to the extent applicable:

1. Storage and other processing necessary to provide the Demand Services to PubMatic.

2. Disclosures in accordance with the Agreement and/or as compelled by applicable laws.
Purpose(s) of the data transfer and further processing: If and to the extent applicable, to enable Data Importer to process C2C Data as a controller solely for purposes expressly permitted under the Agreement and this Addendum and in a manner that complies with European Data Protection Law (the “Permitted Purposes“). Such purposes shall include, if and to the extent applicable:  (i) setting and modifying a Demand Partner cookie, pixel or similar tracking technology; (ii) billing, fraud detection and prevention; (iii) security purposes and technical support.
Retention period (or, if not possible to determine, the criteria used to determine that period): Demand Partner will not, and will not permit any third party, to retain the C2C Data for longer than the period during which the Demand Partner has a legitimate need to retain the C2C Data for the Permitted Purposes and in compliance with EU/UK Data Protection Law

 

 

C2P Data

 

  Description
Categories of data subjects: End users of the publisher properties covered by the Demand Services or end users viewing ads delivered to PubMatic’s publisher customer’s properties.
Categories of personal data: To the extent applicable, may include:

·       Table of PubMatic’s unique end user identifiers created, assigned or retained by PubMatic and associated with an individual end user.

·       Identifiers: cookie and mobile Ad identifiers (such as IDFA, ADID, GPID etc.,), IP address, data that could be used for fingerprinting, latitude and longitude, GPS location;

·       Demographic information: location,  age range, gender, other publisher-specified demographics (tied to an identifier);

·       User agent or such device information.
Sensitive data: None.
If sensitive data, the applied restrictions or safeguards[2] N/A
Frequency of the transfer: Continuous depending on the Agreement
Nature and subject matter of processing: Personal data transferred will be processed in accordance with the Agreement (including this Addendum) and may be subject to the following processing activities to the extent applicable:

1. Storage and other processing necessary to provide the Demand Services to PubMatic.

2. Disclosures in accordance with the Agreement and/or as compelled by applicable laws.
Duration of the processing: The duration of the data processing under the Addendum is until the termination of the Agreement in accordance with its terms plus the period from the expiry of the Agreement until deletion of the personal data by Demand Partner in accordance with the terms of the Agreement.
Purpose(s) of the data transfer and further processing: Providing the Demand Services to PubMatic as a processor (where applicable), including for the purposes of determining the amounts to bid on publisher inventory and bidding on advertising impression opportunities.
Retention period (or, if not possible to determine, the criteria used to determine that period): Upon termination or expiry of the Agreement, it shall (at PubMatic’s election) destroy or return to PubMatic all C2P Data (including all copies of the C2P Data) in its possession or control (including any data sub-contracted to a third party for processing), except to the extent that it or any approved sub-contractor is required by applicable law to retain some or all of the C2P Data, in which event it shall isolate and protect the C2P Data from further processing except to the extent required by such law.

 

Annex 1(C) Competent supervisory authority:

 

The competent supervisory authority: (i) in connection with Data protected by the GDPR,  shall be determined in accordance with Clause 13 of the Standard Contractual Clauses; (ii) in connection with Data protected by the Swiss DPA, is the Federal Data Protection and Information Commissioner (FDPIC); and (iii) in connection with Data that is procested by UK Privacy Laws, is the Information Commissioners Office (the “ICO”).

 

 

Annex C

Description of C2P Data Processing

 

Technical and Organizational Measures

 

The technical and organizational measures implemented by Demand Partner (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are as follows:

Type of measure Terms
Measures of pseudonymisation and encryption of personal data Description of technical measures in place to prevent re-identification

·       Demand Partner has implemented data minimisation and privacy-by-design into its software development process to prevent personal data from being directly linkable to a data subject.  This includes measures such as truncating coordinates of geolocation data and removing the last octet from IP addresses.

·       Demand Partner only works with pseudonymized identifiers and has management and organizational controls are in place to prohibit internal teams, any relevant partners and subprocessors, from re-identifying data processing in connection with the Agreement.

·       If and when directly identifiable information were to be processed in connection with the services for addressability purposes, Demand Partner will ensure that industry standard cryptographic techniques are immediately applied to such data, including but not limited to, hashing, to help ensure data cannot be reidentified by unauthorised parties.

·       Advertising identifiers used by Demand Partner to track devices and deliver ads are not persistent; they are designed to deprecate within a reasonable time frame.

·       When activating/monetizing audiences, sensitive or directly identifiable personal data is not processed, but instead segment codes/deal codes are exchanged by the parties. Demand Partner does not process any actual characteristics about a data subject’s pseudonymized advertising ID.
Measures for ensuring ongoing confidentiality of processing systems and services Description of measures in place to secure information stored on systems.

·       Demand Partner has implemented and maintains a written information security program and has implemented measures to ensure the integrity, availability and security of personal information, including regular vulnerability scans and endpoint protection.

·       Demand Partner limits the risk that personal data will be exposed by implementing a data retention schedule to systems that store personal data processed performed in connection with the Contract.

·       Operational, technical management level controls in place that ensure end-user data processed by the platform cannot be linked to a natural person’s identity. Confidentiality terms with personnel.  Security program that aligns to industry good practices.
Measures for ensuring ongoing integrity of processing systems and services Demand Partner has implemented and maintains an information security program that contains administrative, technical and physical safeguards appropriate to protect against anticipated threats to, confidentiality and integrity of, and the unauthorized or accidental destruction, loss, access, acquisition, alteration or use of, personal data, and that meets (i) reasonable security practices applicable to Demand Partner’s industry; and (iii) any security requirements under the laws applicable Demand Partner under applicable law.
Measures for ensuring ongoing availability and resilience of processing systems and services Demand Partner maintains personal data availability and resilience through a variety of technical, physical, and administrative measures.

Examples of these measures include: tolerant infrastructure with geographically distinct availability zones for redundant data; secured and monitored operational sites; and, processes and policies for topics such as incident response and review, and vendor review.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident ·       See response above.

·       Further measures include regular backups, business continuity readiness plans and disaster recovery plans.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing ·       At least once annually, security measures relevant to the processing of personal data are reviewed and tested for alignment with industry good practices.

·       Security compliance has been integrated into Demand Partner’s product development practices, and the Demand Partner privacy, security and engineering teams collaborate regularly to ensure those standards are kept up to date.
Measures for user identification and authorisation ·       Demand Partner has in place procedures that comply with applicable law to authenticate requests from data subjects who have submitted rights request.

·       Demand Partner has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized employees with a “need to know”.

·       Demand Partner has in place industry standard policies to ensure that unauthorized current and former personnel cannot improperly access systems that process personal data.
Measures for the protection of Data during storage ·       As per the Contract, personal data processed in connection with the services will not contain any sensitive personal information, and will be limited in scope, always pseudonymized (i.e., cookie ID, user agent information, etc.) and cannot be directly identified with a natural person by Demand Partner.

·       Data is only stored for as long as necessary for Demand Partner’s legitimate business purposes and is subject to a data retention schedule.

·       Personal data minimization procedures are in place with regard to personal data stored on Demand Partner’s systems (e.g., last octet of IP address is redacted, certain unique identifiers that are not needed for RTB are not logged, etc.)
Measures for ensuring physical security of locations at which personal data are processed ·       Facilities involved in the processing of personal data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, two-factor authentication, firewalls, and anti-malware.  Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required in order to deliver advertising services under the Agreement.

·       Demand Partner provides personnel who access personal data with appropriate information security and data protection training. Demand Partner maintains appropriate physical security measures at each facility where personal data is processed, including authentication of all personnel who access data centres, IT equipment having physical barriers designed to prevent access by unauthorized individuals, and manned reception areas or logbooks with visitor entry/exit dates and times.
Measures for certification/assurance of processes and products ·       Demand Partner participates in industry certification and self-regulatory programs such as DAA, NAI Code of Practice. IAB TCF 2.0, and the IAB CCPA Compliance Framework.
Measures for ensuring data minimisation ·       Procedures are embedded in the system development process to minimize personal data collected and processed by the Demand Partner (e.g., truncation of IP address, stripping of personal data when an impression will be monetized using contextual ad-targeting, no data collection from unconsented or improperly consented impressions).

·       Demand Partner has a dedicated technical privacy specialist whose role focuses is at least partly dedicated to reviewing the implementation of data minimization across the organization.

 
Measures for ensuring accountability ·       Demand Partner performs a data mapping exercise that complies with Article 30 of GDPR and has created a record of processing activity to ascertain the scope of personal data processing activities performed by the organization.

·       Demand Partner has implemented a privacy program that is appropriate to the scope and nature of personal data processed that includes a personal data breach policy, data protection and legitimate interest assessments (where appropriate), appointment of a data protection officer (DPO), and data protection controls such as privacy by design.

·       The foregoing measures are regularly reviewed (at least once annually) and updated to ensure alignment with applicable law and industry standards.
Measures for allowing data portability and ensuring erasure ·       Demand Partner has implemented and maintains procedures to ensure data portability and erasure that comply with data protection laws.  Demand Partner has designated a data protection leader who is responsible for ensuring all requests from data subjects are reviewed and documented, including requests for erasure and copies of personal data, and that data subject requests are carried out timely and in accordance with law.