This ID Partner Data Processing Addendum (the “Addendum”) forms part of the Contract(s) (defined below) between PubMatic, Inc. (“PubMatic”) and the party identified in the original governing agreement (“ID Partner” or “Company”). Capitalized terms used in this Addendum shall have the meanings given to them in the main body of the Contract(s) unless otherwise defined in this Addendum.

Recitals

  1. Company has entered into one or more purchase orders, contracts and/or agreements (the “Contract(s)” or “Agreement(s)”) with PubMatic and/or its Affiliates. In delivering the Services under the Contract(s), Company may process Personal Data controlled by PubMatic, a PubMatic Affiliate and/or their respective customers, contacts or partners.
  2. As part of its privacy policy and its contractual arrangements, PubMatic has provided certain assurances to its customers, contacts, partners and/or end-users to ensure the appropriate protection of Personal Data when PubMatic engages third parties such as Company. PubMatic’s engagement of Company is conditioned upon Company’s agreement to the terms and conditions of this DPA.

Agreement

1.               DEFINITIONS

1.1           “Affiliate” means any entity that is directly or indirectly controlled by, controlling or under common control with PubMatic and/or Company (as applicable).  “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2           “Authorized Affiliate” means any PubMatic Affiliate that is permitted to use the Services pursuant to the Contract(s) between PubMatic and Company but that has not signed its own agreement with Company.

1.3           “Applicable Privacy Law(s)” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, European Data Protection Law.

1.4           “Authorized Persons” means any person who processes Personal Data on Company’s behalf, including Company’s employees, officers, partners, principals, contractors and Sub-processors.

1.5           “Company ID Personal Data” means any Company Data that is Personal Data, provided by Company to PubMatic in the course of Company’s performance under the Contract(s).

1.6           “European Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any national data protection laws made under or pursuant to (i) or (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); and (v) in respect of the United Kingdom, GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (together, “UK Privacy Law”), in each case, as superseded, amended or replaced.

1.7           “Personal Data” means any PubMatic Data relating to an identified or identifiable natural person (“data subject”) and/or any PubMatic Data that is deemed personal data or personally identifiable information under Applicable Privacy Laws.

1.8           “Privacy Shield” means the EU-US and Swiss-US Privacy Shield Frameworks, as operated by the U.S. Department of Commerce.

1.9           “Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of 12 July 2016 pursuant to the Directive, details of which can be found at www.privacyshield.gov/eu-us-framework.

1.10        “PubMatic Data” means all information (i) provided to Company by or at the direction of PubMatic; (ii) created or obtained by Company on behalf of PubMatic; or (iii) which Company accesses at the direction of PubMatic, in the course of Company’s performance under the Contract(s), including (but not limited to) any information that pertains to PubMatic and/or is Confidential Information (as defined under the Contract(s)).

1.11        “Security Incident” means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, PubMatic Data and/or Business Contact Data.

1.12        “Standard Contractual Clauses” means Module 1 (Controller to Controller), and Module 2 (Controller to Processor), as applicable, of the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 located at https://eur-lex.europa.eu/eli/dec_impl/2021/914, completed in accordance with this DPA.

1.13        “Sub-processor” means any third party (including any Company Affiliate) engaged directly or indirectly by Company to process any Personal Data relating to this DPA and/or the Contracts.  The term “Sub-processor” shall also include any third party appointed by a Sub-processor to process any Personal Data relating to this DPA and/or the Contracts.

1.14        The terms “Controller”, “Processor”, “personal data” and “processing”, have the meanings given to them in Applicable Privacy Laws.  If and to the extent that Applicable Privacy Laws do not define such terms, then the definitions given in European Data Protection Law will apply.

 

2.               ROLE AND SCOPE OF PROCESSING

2.1             Roles of the Parties and Details of Processing.  Company shall process Personal Data under the Contract(s) as a Processor acting on behalf of PubMatic and/or its Affiliates (whether acting as Controller or acting as a Processor on behalf of third party Controllers). Company agrees that it will process Personal Data as described at Annex A, which forms an integral part of this DPA.

2.2             Company’s Processing of Personal Data.  Company shall at all times: (i) process the Personal Data only for the purpose of providing the Services to PubMatic under the Contract(s) and in accordance with PubMatic’s documented instructions (of which this DPA shall form part); (ii) not process the Personal Data for its own purposes or those of any third party.

2.3             Company’s Notification Obligations Regarding PubMatic Instructions.   Company shall promptly notify PubMatic in writing, unless prohibited from doing so under Applicable Privacy Law, if:

  • It becomes aware or believes that any data processing instruction from PubMatic violates Applicable Privacy Law;
  • It is unable to comply with PubMatic’s data processing instructions for any reason; and/or
  • It is unable to comply with the terms of the Contract(s) (including this DPA) as they relate to or govern the processing of Personal Data and/or the security of PubMatic Data for any reason.

2.4             Business Contact Data. PubMatic shall disclose to Company contact information relating to PubMatic’s representatives for (i) invoicing, billing and other business inquiries, (ii) information on usage of the Services, and (iii) contract management, which may include personal data (“Business Contact Data”). Company shall comply with all applicable laws and its applicable privacy policies with respect to the Processing of Business Contact Data and use Business Contact Data only for the purposes outlined in this Section 2.4.

2.5             No Rights for Company. Except as expressly set forth to the contrary in this DPA and the Contract(s), Company acknowledges that it has no right, title or interest in PubMatic Data (including all Personal Data, intellectual property or proprietary information) and may not sell, rent or lease PubMatic Data to anyone.

 

3.               SUBPROCESSING

3.1           Appointment of Sub-processors. Company shall not subcontract any processing of the Personal Data to a Sub-processor without the prior written consent of PubMatic. Notwithstanding the foregoing, PubMatic consents to Company engaging Sub-processors to process the Personal Data provided that:

(a)                 Company provides at least 30 days prior written notice to PubMatic of the engagement of any new Sub-processor (including details of the processing and location) and Company shall update the list of all Sub-processors engaged to process Personal Data under this Agreement at Annex C and send such updated version to PubMatic prior to the engagement of the Sub-processor;

(b)                 Company imposes the same data protection terms on any Sub-processor it engages as contained in this DPA (including the Privacy Shield Principles and/or other data transfer provisions, where applicable); and

(c)                 Company remains fully liable for any breach of this DPA or the Contract(s) that is caused by an act, error or omission of such Sub-processor.

3.2             Objection Right for New Sub-Processors. PubMatic may object to the appointment or replacement of a Sub-processor within 20 days after PubMatic first receives prior notice of such change in accordance with Section 3.1(a) above, provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss in good faith commercially reasonable alternative solutions. If the parties cannot reach resolution within a reasonable period of time, which shall not exceed thirty (30) days, Company will either not appoint or replace the Sub-processor or, if this is not possible, PubMatic may terminate the Contract(s) (in whole or in part) by providing written notice to Company. PubMatic shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of the terminated products or services, without imposing a penalty for such termination on PubMatic.

 

4.               DATA SUBJECT RIGHTS AND COOPERATION

4.1            Data Subject Request. Company shall reasonably cooperate with PubMatic to enable PubMatic (or its third-party Controller) to respond to any requests, complaints or other communications from data subjects, data protection supervisory authorities, and regulatory or judicial bodies relating to the processing of Personal Data and Business Contact Data under the Contract(s), including requests from data subjects seeking to exercise their rights under Applicable Privacy Laws. In the event that any such request, complaint or communication is made directly to Company, Company shall promptly pass it on to PubMatic and shall not respond to such communication without PubMatic’s express authorization.

4.2            Subpoenas and Court Orders. If Company receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement, data protection supervisory authority, or other public or judicial authorities) seeking the disclosure of Personal Data, Company shall not disclose any information but shall immediately notify PubMatic in writing of such request, and reasonably cooperate with PubMatic if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.

4.3            Data Protection Impact Assessments (“DPIAs”). Company will provide reasonable assistance to PubMatic (or its third-party Controller) in connection with data protection impact assessments and any consultation with applicable data protection authorities in respect of any processing of Personal Data under the DPA, where such assessments and consultation are deemed necessary by PubMatic (or a third-party Controller).

5.               DATA ACCESS & SECURITY MEASURES

5.1           Confidentiality and Limitation of Access.  Company shall ensure that any Authorized Person is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they process the Personal Data only for the purpose of delivering the Services under the Contract(s) to PubMatic.  Company shall ensure that Company’s access to Personal Data is limited to those personnel performing Services in accordance with this DPA.

5.2           Security Measures. Company will implement and maintain all appropriate technical and organizational security measures to protect PubMatic Data and Business Contact Data from Security Incidents and to preserve the security, integrity and confidentiality of such data (“Security Measures”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall at a minimum include: the pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a Security Incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing. At a minimum, Company agrees to the Security Measures identified at Annex B.

 

6.               SECURITY INCIDENTS

6.1           Notification of Security Incidents. In the event of a Security Incident, Company shall promptly (and in no event later than 24 hours after becoming aware of such Security Incident) inform PubMatic and provide written details of the Security Incident, including the type of data affected and the identity of affected person(s), as soon as such information becomes known or available to Company.

6.2           Company’s Obligations Following a Security Incident. Furthermore, in the event of a Security Incident, Company shall:

(a)                provide timely information and cooperation as PubMatic may require to fulfil PubMatic’s data breach reporting obligations under Applicable Privacy Laws or to comply with or respond to any inquiries by a data protection supervisory authority or any lawsuit arising from the Security Incident, including without limitation collecting and preserving all evidence pertaining to the Security Incident and the investigation conducted by Company;

(b)                 take such measures and actions as are appropriate to remedy or mitigate the effects of the Security Incident and shall keep PubMatic up-to-date about all developments in connection with the Security Incident; and

(c)                 reimburse PubMatic for the reasonable costs for PubMatic to prepare and send all notifications that are legally required or reasonably necessary (as determined in the sole discretion of PubMatic).  At the written request of PubMatic, Company agrees to provide, at its sole expense, credit monitoring and identity theft protection services to individuals affected by a Security Incident involving Personal Data of those individuals.

6.3           The content and provision of any notification, public/regulatory communication or press release concerning the Security Incident shall be solely at PubMatic’s discretion, except as otherwise required by applicable laws.

 

7.               SECURITY REPORTS & INSPECTIONS

7.1           Company Security Standards.  Company shall maintain records in accordance with ISO 27001 or similar Information Security Management System (“ISMS”) standards. Upon request, Company shall provide copies of relevant external ISMS certifications, audit report summaries and/or other documentation reasonably required by PubMatic to verify Company’s compliance with this DPA.

7.2           Right of Inspection. While it is the parties’ intention ordinarily to rely on Company’s obligations set forth in Section 7.1 to verify Company’s compliance with this DPA, PubMatic (or its appointed representatives) may carry out an inspection of the Company’s operations and facilities during normal business hours and subject to reasonable prior notice where PubMatic considers it necessary or appropriate (for example, without limitation, where PubMatic has reasonable concerns about Company’s data protection compliance, following a Security Incident or following instruction from a data protection authority).

8.               INTERNATIONAL TRANSFERS

8.1           International Transfers. Company and/or its Affiliates shall not process or transfer any Personal Data and/or Business Contact Data in or to a territory other than the territory in which the Personal Data and/or Business Contact Data was first collected (nor permit such data to be so processed or transferred) unless it takes all such measures as are necessary to ensure such processing or transfer is in compliance with Applicable Privacy Laws (including such measures as may be communicated by PubMatic to Company). Company shall inform PubMatic of any international transfers of Personal Data in advance of making the transfer and shall assist PubMatic in assessing the parties’ respective obligations to comply with Applicable Privacy Laws.

8.2           Privacy Shield Flow Downs. To the extent that PubMatic and/or the Authorized Affiliates are self-certified to the Privacy Shield, Company represents and warrants that it shall:

(a)              provide (and procure all Sub-processors that provide) at least the same level of protection to such Personal Data as is required by the Privacy Shield Principles and the Security Measures set forth in Section 5.2 of this DPA;

(b)             promptly notify PubMatic if it makes a determination that it can no longer meet its obligations under Section 8.2(a) above, and in such event, to work with PubMatic and promptly take all reasonable and appropriate steps to stop and remediate (if remediable) any processing until such time as the processing meets the level of protection as is required by Section 8.2(a); and

(c)              immediately cease (and procure that all Sub-processors immediately cease) processing such Personal Data if, in PubMatic’s sole discretion, PubMatic determines that Company has not or cannot correct any non-compliance with Section 8.2(a) above in accordance with Section 8.2(b) within a reasonable time frame.

8.3           Transfer Mechanism (PubMatic to Company Transfers). The parties agree that when the transfer of Personal Data from PubMatic (as exporter) to Company (as importer) is a Restricted Transfer and European Data Protection Law applies, the transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and shall form part of this DPA, as follows:

 

(a)             in relation to Personal Data that is protected by the GDPR and processed in accordance with Section 2.1 of this DPA, (i) Module Two (controller to processor transfers) or Module Three (processor to processor transfers) will apply, as appropriate; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Section 3 of this DPA; (iv) in Clause 11, the optional language will not apply; (v) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by Irish law; (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vii) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex I to this DPA, as applicable; and (viii) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex II to this DPA;

(b)             in relation to Business Contact Data that is protected by the GDPR and processed in accordance with Section 2.4 of this DPA, the Standard Contractual Clauses will apply, completed as follows: (i) Module One (controller to controller transfers) will apply; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex I to this DPA, as applicable; and (vii) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex II to this DPA;

(c)              in relation to personal data that is protected by the UK Privacy Law, the Standard Contractual Clauses shall apply in accordance with Sections 8.3(a) and 8.3(b) of this DPA (as applicable), but as modified and interpreted by the Part 2: Mandatory Clauses of the UK Addendum, which shall be incorporated into and form an integral part of this DPA. Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annex I (as applicable) and Annex II of this DPA and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”; and

(d)             in relation to personal data that is protected by the Swiss DPA, the Standard Contractual Clauses shall apply in accordance with Sections 8.3(a) and 8.3(b) of this DPA (as applicable), but with the following modifications: (i) any references in the Standard Contractual Clauses to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA and the equivalent articles or sections therein; (ii) any references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; (iii) any references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the relevant data protection authority and courts in Switzerland; and (iv) the Standard Contractual Clauses shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts.

8.4           Transfer Mechanism (Company to PubMatic Transfers). The parties agree that when the transfer of Company ID Personal Data from Company (as exporter) to PubMatic (as importer) is a Restricted Transfer and European Data Protection Law applies, the transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and shall form part of this DPA, as follows:

(a)             in relation to Company ID Personal Data that is protected by the GDPR, (i) Module One (controller to controller transfers) will apply; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex I to this DPA, as applicable; and (vii) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex II to this DPA;

(b)             in relation to Company ID Personal Data that is protected by the UK Privacy Law, the Standard Contractual Clauses shall apply in accordance with Section 8.4(a) of this DPA, but as modified and interpreted by the Part 2: Mandatory Clauses of the UK Addendum, which shall be incorporated into and form an integral part of this DPA. Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annex I (as applicable) and Annex II of this DPA, and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”; and

(c)              in relation to Company ID Personal Data that is protected by the Swiss DPA, the Standard Contractual Clauses shall apply in accordance with Section 8.4(a) of this DPA, but with the following modifications: (i) any references in the Standard Contractual Clauses to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA and the equivalent articles or sections therein; (ii) any references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; (iii) any references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the relevant data protection authority and courts in Switzerland; and (iv) the Standard Contractual Clauses shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts.

8.5           Additional Transfer Provisions. The parties further agree that in connection with Restricted Transfers to which European Data Protection Law applies:

(a)             in the event that any provision of this DPA and/or the Agreement contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail; and

(b)             Company will not participate in any Restricted Transfers of personal data (other than as described in Sections 8.3 and 8.4 of this DPA, and including any onward transfers) unless the Restricted Transfer is made in compliance with Applicable Privacy Laws and pursuant to Standard Contractual Clauses implemented between the relevant exporter and importer of the personal data, as necessary in order to comply with Applicable Privacy Laws.

8.6           Company acknowledges that PubMatic may disclose this DPA and any relevant privacy provisions in the Contract(s) to the US Department of Commerce, the Federal Trade Commission, any European data protection authority, or any other US or EU judicial or regulatory body upon their request.

8.7           To the extent that PubMatic adopts a data export mechanism not described in this DPA (including any new version of or successor to the Standard Contractual Clauses pursuant to applicable European Data Protection Law) for the transfer of personal data (“Alternative Transfer Mechanism”), such Alternative Transfer Mechanism shall apply instead of any mechanism described in this DPA. Notwithstanding anything to the contrary, an Alternative Transfer Mechanism shall only apply to the extent that it complies with Applicable Privacy Law applicable to the country where the processing activities take place. Company agrees to execute any document and take any appropriate action as reasonably necessary to give effect to such Alternative Transfer Mechanism.

 

9.               DELETION & RETURN

9.1           Upon PubMatic’s request, or upon termination or expiry of this DPA, Company shall destroy or return to PubMatic all Personal Data (including copies) in its possession or control (including any Personal Data processed by its Sub-processors). This requirement shall not apply to the extent that Company is required by any applicable law to retain some or all of the Personal Data, in which event Company shall isolate and protect the Personal Data from any further processing except to the extent required by such law.

 

10.            LIABILITY

10.1        Notwithstanding anything else to the contrary in the Contract(s), Company acknowledges and agrees that:

(a)             it shall be liable for any loss of PubMatic Data (including Personal Data) and Business Contact Data arising under or in connection with the Contract(s) and this DPA to the extent such loss results from any failure of Company (or its Sub-processors) to comply with its obligations under this DPA and/or Applicable Privacy Laws; and

(b)             any exclusion of damages or limitation of liability that may apply to limit the Company’s liability in the Contract(s) shall not apply to the Company’s liability arising under or in connection with this DPA, howsoever caused, regardless of how such amounts or sanctions awarded are characterized and regardless of the theory of liability, which liability shall be expressly excluded from any agreed exclusion of damages or limitation of liability.

10.2        The parties acknowledge and agree that any breach by Company of this DPA shall constitute a material breach of the Contract(s), in which event and without prejudice to any other right or remedy available to it, PubMatic may elect to immediately terminate the Contract(s) in accordance with the termination provisions in the Contract(s).

 

11.            GENERAL

11.1        The obligations placed upon the Company under this DPA shall survive so long as Company and/or its Sub-processors processes Personal Data on behalf of PubMatic. The provisions contained in this DPA and its attachments, exhibits and schedules that by their context are intended to survive termination or expiration will survive.

11.2        This DPA may not be modified except by a subsequent written instrument signed by both parties.

11.3        If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.

11.4        In the event of any conflict or inconsistency between this DPA and any data privacy provisions set out in any Contract(s), the parties agree that the terms of this DPA shall prevail.

11.5        This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions set forth in the Contract(s), unless otherwise required by Applicable Privacy Laws.

11.6        This DPA may be executed in two or more counterparts, each of which shall be deemed an original and all of which taken together shall be deemed to constitute one and the same document. The Parties may sign and deliver this DPA by facsimile or email transmission.

 

Annex A

Description of Processing Activities/ Transfer

Annex 1(A) List of Parties:

Data Exporter
Name: PubMatic, Inc.
Address:  601 Marshall Street

Redwood City, California 94063, USA

Contact Person’s Name, position and contact details: Data Protection Officer, reachable at dpo@pubmatic.com; Privacy Officer, reachable at privacy@pubmatic.com
Activities relevant to the transfer:  See Annex 1(B) below
Role: Controller
Data Importer
Name: Identity Partner
Address: As identified in the Agreement.
Contact Person’s Name, position and contact details: As identified in the Agreement.
Activities relevant to the transfer: See Annex 1(B) below
Role: Controller (C2C Data) / Processor (C2P Data)

 

ANNEX A

DETAILS OF THE PROCESSING

LIST OF PARTIES/DESCRIPTION OF PROCESSING

Part 1 – Processing and Transfer of Personal Data (Module 2 and 3 – controller/processor to processor transfers)

Data exporter:

Name: PubMatic, Inc.
Address: 601 Marshall Street, Redwood City, CA 94063
Contact person’s name, position and contact details: dpo@pubmatic.com
Activities relevant to the data transferred under these Clauses: Receipt of services offered by Company
Signature and date:   See signature and date of DPA
Role: Controller/Processor

 

Data importer(s):

Name: Company (as defined in the Contract(s))
Address: See Agreement or Original DPA
Contact person’s name, position and contact details: See Agreement or Original DPA
Activities relevant to the data transferred under these Clauses: Provision of services to PubMatic.
Signature and date:   See signature and date of DPA
Role: Processor

 

Description:

Categories of data subjects whose personal data is transferred: To the extent applicable

  • End users of the Publisher Properties or end users viewing ads delivered to the Publisher Properties;

 

Categories of personal data transferred: To the extent applicable

  • Identifiers: cookie and mobile ad identifiers (such as IDFA, ADID, GPID, etc.); IP address; data that could be used for fingerprinting; latitude and longitude;
  • Demographic information: location, age range, gender, other Publisher-specified demographics (tied to an identifier);
  • User agent or similar device information;
  • Behavioral data: frequency of identifiers visiting and viewing Publisher Sites and viewing and taking actions with respect to advertising.

 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

 

N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

 

Continuous
Nature of the processing:

 

To provide the Services under the Agreement for PubMatic and on behalf of applicable Publisher
Purpose(s) of the data transfer and further processing:

 

See above
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

 

In accordance with the Agreement or as otherwise directed by PubMatic or Publisher

 

Part 2 – Processing and Transfer of Business Contact Data (Module 1 – controller to controller transfers)

Data exporter(s):

Name: PubMatic, Inc.
Address: 601 Marshall Street, Redwood City, CA 94063
Contact person’s name, position and contact details: dpo@pubmatic.com
Activities relevant to the data transferred under these Clauses: Receipt of services offered by Company
Signature and date: See signature and date of DPA
Role: Controller

Data importer(s):

Name: Company (as defined in the Contract(s))
Address: See Agreement or Original DPA
Contact person’s name, position and contact details: See Agreement or Original DPA
Activities relevant to the data transferred under these Clauses: Provision of services to PubMatic.
Signature and date: See signature and date of DPA
Role: Controller

Description:

Categories of data subjects whose personal data is transferred: PubMatic Personnel and Publisher Personnel

Categories of personal data transferred: Contact details (name, email, telephone) and professional details (role).

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): One-off

Nature of the processing: Business relationships

Purpose(s) of the data transfer and further processing: For business relationship and account management

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained in accordance with Section 4.7 of the PubMatic Privacy Policy at https://pubmatic.com/legal/privacy-policy/

Part 3 – Processing and Transfer of Company ID Personal Data (Module 1 – controller to controller transfers)

Data exporter(s):

Name: Company
Address: See Agreement or Original DPA
Contact person’s name, position and contact details: See Agreement or Original DPA
Activities relevant to the data transferred under these Clauses: Provision of services to PubMatic
Signature and date: See signature and date of DPA
Role: Controller

Data importer(s):

Name: PubMatic, Inc.
Address: See Agreement or Original DPA
Contact person’s name, position and contact details: See Agreement or Original DPA
Activities relevant to the data transferred under these Clauses: Receipt of services offered by Company
Signature and date: See signature and date of DPA
Role: Controller

Description:

Categories of data subjects whose personal data is transferred: To the extent applicable

End users

Categories of personal data transferred: To the extent applicable

Third party identifiers, which may contain cookie and mobile Ad identifiers (such as IDFA, ADID, GPID, etc.)

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous

Nature of the processing: To provide the Services under the Original Agreement for PubMatic and on behalf of applicable Publisher

Purpose(s) of the data transfer and further processing: To provide the Services under the Original Agreement for PubMatic and on behalf of applicable Publisher

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained in accordance with Section 4.7 of the PubMatic Privacy Policy at https://pubmatic.com/legal/privacy-policy/

COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority will be (i) for Personal Data protected by the GDPR, determined in accordance with Clause 13 of the Standard Contractual Clauses; (ii) for Personal Data protected by the Swiss DPA, the Federal Data Protection and Information Commissioner (“FDPIC”); and (iii) for Personal Data protected by UK Privacy Law, the Information Commissioner’s Office (the “ICO”).

ANNEX B

SECURITY MEASURES

The technical and organizational measures implemented by Company (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are as follows:

Type of measure: Measures of pseudonymisation and encryption of personal data
Terms: Description of technical measures in place to prevent re-identification

  • Company has implemented data minimisation and privacy-by-design into its software development process to prevent personal data from being directly linkable to a data subject.
  • Company only works with pseudonymized identifiers and has management and organizational controls in place to prohibit internal teams, any relevant partners and subprocessors from re-identifying data processed in connection with the Agreement.
  • If and when directly identifiable information were to be processed in connection with the services for addressability purposes, Company will ensure that industry standard cryptographic techniques are immediately applied to such data, including but not limited to hashing, to help ensure data cannot be re-identified by unauthorised parties.
  • Advertising identifiers used by Company to track devices and deliver ads are not persistent; they are designed to deprecate within a reasonable time frame.
  • When activating/monetizing audiences, sensitive or directly identifiable personal data is not processed; instead, segment codes/deal codes are exchanged by the parties. Company does not process any actual characteristics about a data subject’s pseudonymized advertising ID.

Type of measure: Measures for ensuring ongoing confidentiality of processing systems and services
Terms: Description of measures in place to secure information stored on systems.

  • Company has implemented and maintains a written information security program and has implemented measures to ensure the integrity, availability and security of personal information, including regular vulnerability scans and endpoint protection.
  • Company limits the risk that personal data will be exposed by applying a data retention schedule to systems that store personal data processed in connection with the Contract.
  • Operational, technical and management-level controls are in place that ensure end-user data processed by the platform cannot be linked to a natural person’s identity. Confidentiality terms with personnel. Security program that aligns to industry good practices.

Type of measure: Measures for ensuring ongoing integrity of processing systems and services
Terms: Company has implemented and maintains an information security program that contains administrative, technical and physical safeguards appropriate to protect against anticipated threats to the confidentiality and integrity of, and the unauthorized or accidental destruction, loss, access, acquisition, alteration or use of, personal data, and that meets (i) reasonable security practices applicable to Company’s industry; and (ii) any security requirements applicable to Company under applicable law.

Type of measure: Measures for ensuring ongoing availability and resilience of processing systems and services
Terms: Company maintains personal data availability and resilience through a variety of technical, physical, and administrative measures. Examples of these measures include: tolerant infrastructure with geographically distinct availability zones for redundant data; secured and monitored operational sites; and processes and policies for topics such as incident response and review, and vendor review.

Type of measure: Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Terms:

  • See response above.
  • Further measures include regular backups, business continuity readiness plans and disaster recovery plans.

Type of measure: Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Terms:

  • At least once annually, security measures relevant to the processing of personal data are reviewed and tested for alignment with industry good practices.
  • Security compliance has been integrated into Company’s product development practices, and the Company privacy, security and engineering teams collaborate regularly to ensure those standards are kept up to date.

Type of measure: Measures for user identification and authorisation
Terms:

  • Company has in place procedures that comply with applicable law to authenticate requests from data subjects who have submitted rights requests.
  • Company has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized employees with a “need to know”.
  • Company has in place industry standard policies to ensure that unauthorized current and former personnel cannot improperly access systems that process personal data.

Type of measure: Measures for the protection of Data during storage
Terms:

  • As per the Contract, personal data processed in connection with the services will not contain any sensitive personal information, and will be limited in scope, always pseudonymized (i.e., cookie ID, user agent information, etc.) and cannot be directly identified with a natural person by Company.
  • Data is only stored for as long as necessary for Company’s legitimate business purposes and is subject to a data retention schedule.
  • Personal data minimization procedures are in place with regard to personal data stored on Company’s systems.

Type of measure: Measures for ensuring physical security of locations at which personal data are processed
Terms:

  • Facilities involved in the processing of personal data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, two-factor authentication, firewalls, and anti-malware. Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required in order to deliver advertising services under the Agreement.
  • Company provides personnel who access personal data with appropriate information security and data protection training. Company maintains appropriate physical security measures at each facility where personal data is processed, including authentication of all personnel who access data centres, IT equipment having physical barriers designed to prevent access by unauthorized individuals, and manned reception areas or logbooks with visitor entry/exit dates and times.

Type of measure: Measures for certification/assurance of processes and products
Terms:

  • Company participates in industry certification and self-regulatory programs such as the DAA, the NAI Code of Practice, IAB TCF 2.0, and the IAB CCPA Compliance Framework.

Type of measure: Measures for ensuring data minimisation
Terms:

  • Procedures are embedded in the system development process to minimize personal data collected and processed by the Company (e.g., truncation of IP address, stripping of personal data when an impression will be monetized using contextual ad-targeting, no data collection from unconsented or improperly consented impressions).
  • Company has a dedicated technical privacy specialist whose role is at least partly dedicated to reviewing the implementation of data minimization across the organization.

Type of measure: Measures for ensuring accountability
Terms:

  • Company performs a data mapping exercise that complies with Article 30 of GDPR and has created a record of processing activity to ascertain the scope of personal data processing activities performed by the organization.
  • Company has implemented a privacy program that is appropriate to the scope and nature of personal data processed that includes a personal data breach policy, data protection and legitimate interest assessments (where appropriate), appointment of a data protection officer (DPO), and data protection controls such as privacy by design.
  • The foregoing measures are regularly reviewed (at least once annually) and updated to ensure alignment with applicable law and industry standards.

Type of measure: Measures for allowing data portability and ensuring erasure
Terms:

  • Company has implemented and maintains procedures to ensure data portability and erasure that comply with data protection laws. Company has designated a data protection leader who is responsible for ensuring all requests from data subjects are reviewed and documented, including requests for erasure and copies of personal data, and that data subject requests are carried out timely and in accordance with law.