Dated: December 11, 2020

This Marketing Data Processing Addendum (“DPA”) is made a part of and incorporated into the Agreement entered into by and between PubMatic, Inc. (“PubMatic”) and the party identified in the signature block of the originating Agreement (“Supplier”). In the event of a conflict between the Agreement and this DPA, this DPA shall control to the extent of the conflict with respect to the Vendor’s Processing and disclosure of any Data (including Personal Data).

  1. DEFINITIONS

    1. “Affiliate” means any entity that is directly or indirectly controlled by, controlling or under common control with PubMatic and/or Supplier (as applicable). “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
    2. “Authorized Affiliate” means any PubMatic Affiliate permitted to use the Services pursuant to the Contract(s) between PubMatic and Supplier but that has not signed its own agreement with Supplier.
    3. “Applicable Privacy Law(s)” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, EU Data Protection Law.
    4. “Authorized Persons” means any person who processes Personal Data on Supplier’s behalf, including Supplier’s employees, officers, partners, principals, contractors and Sub-processors.
    5. “EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data (the “Directive”); and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any national data protection laws made under or pursuant to (i).
    6. “Model Clauses” means the Standard Contractual Clauses for Processors as approved by the European Commission and available at http://ec.europa.eu/justice/data-protection/international-transfers/files/clauses_for_personal_data_transfer_processors_c2010-593.doc (as updated, amended or superseded from time to time).
    7. “Personal Data” means any PubMatic Data relating to an identified or identifiable natural person (“data subject”) and/or any PubMatic Data that is deemed personal data or personally identifiable information under Applicable Privacy Laws.
    8. “Privacy Shield” means the EU-US and Swiss-US Privacy Shield Frameworks, as operated by the U.S. Department of Commerce.
    9. “Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of 12 July 2016 pursuant to the Directive, details of which can be found at www.privacyshield.gov/eu-us-framework.
    10. “PubMatic Data” means all information (i) provided to Supplier by or at the direction of PubMatic; (ii) created or obtained by Supplier on behalf of PubMatic; or (iii) which Supplier accesses at the direction of PubMatic, in the course of Supplier’s performance under the Contract(s), including (but not limited to) any information that pertains to PubMatic and/or is Confidential Information (as defined under the Contract(s)).
    11. “Security Incident” means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to PubMatic Data and/or Business Contact Data.
    12. “Sub-processor” means any third party (including any Supplier’s affiliate) engaged directly or indirectly by Supplier to process any Personal Data relating to this DPA and/or the Contracts. The term “Sub-processor” shall also include any third party appointed by a Sub-processor to process any Personal Data relating to this DPA and/or the Contracts.
    13. The terms “Controller”, “Processor”, and “processing”, have the meanings given to them in Applicable Privacy Laws. If and to the extent that Applicable Privacy Laws do not define such terms, then the definitions given in EU Data Protection Law will apply.

  2. ROLE AND SCOPE OF PROCESSING

    1. Roles of the Parties and Details of Processing. Supplier shall process Personal Data under the Contract(s) as a Processor acting on behalf of PubMatic and/or its Affiliates (whether acting as Controller or acting as a Processor on behalf of third party Controllers). Supplier agrees that it will process Personal Data as described at Annex A, which forms an integral part of this DPA.
    2. Supplier’s Processing of Personal Data. Supplier shall at all times: (i) process the Personal Data only for the purpose of providing the Services to PubMatic under the Contract(s) and in accordance with PubMatic’s documented instructions; (ii) not process the Personal Data for its own purposes or those of any third party.
    3. Supplier’s Notification Obligations Regarding PubMatic Instructions. Supplier shall promptly notify PubMatic in writing, unless prohibited from doing so under Applicable Privacy Law, if:
      1. It becomes aware or believes that any data processing instruction from PubMatic violates Applicable Privacy Law;
      2. It is unable to comply with PubMatic’s data processing instructions for any reason; and/or
      3. It is unable to comply with the terms of the Contract(s) (including this DPA) as they relate to or govern the processing of Personal Data and/or the security of PubMatic Data for any reason.
    4. Business Contact Data. PubMatic shall disclose to Supplier contact information relating to PubMatic’s representatives for (i) invoicing, billing and other business inquiries, (ii) information on usage of the Services, and (iii) contract management (“Business Contact Data”). Supplier shall comply with all applicable laws and its applicable privacy policies with respect to the Processing of Business Contact Data and use Business Contact Data only for the purposes outlined in this Section 2.4.
    5. No Rights for Supplier. Except as expressly set forth to the contrary in this DPA and the Contract(s), Supplier acknowledges that it has no right, title or interest in PubMatic Data (including all Personal Data, intellectual property or proprietary information) and may not sell, rent or lease PubMatic Data to anyone.

  3. SUBPROCESSING

    1. Appointment of Sub-processors. Supplier shall not subcontract any processing of the Personal Data to a Sub-processor without the prior written consent of PubMatic. Notwithstanding this, PubMatic consents to Supplier engaging Sub-processors to process the Personal Data provided that:
      1. Supplier provides at least 30 days prior written notice to PubMatic of the engagement of any new Sub-processor (including details of the processing and location) and Supplier shall update the list of all Sub-processors engaged to process Personal Data under this Agreement at Annex C and send such updated version to PubMatic prior to the engagement of the Sub-processor;
      2. Supplier imposes the same data protection terms on any Sub-processor it engages as contained in this DPA (including the Privacy Shield Principles and/or other data transfer provisions, where applicable); and
      3. Supplier remains fully liable for any breach of this DPA or the Contract(s) that is caused by an act, error or omission of such Sub-processor.
    2. Objection Right for New Sub-Processors. PubMatic may object to the appointment or replacement of a Sub-processor within 20 days after PubMatic first receives prior notice of such change, provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss in good faith commercially reasonable alternative solutions. If the parties cannot reach resolution within a reasonable period of time, which shall not exceed thirty (30) days, Supplier will either not appoint or replace the Sub-processor or, if this is not possible, PubMatic may terminate the Contract(s) (in whole or in part), by providing written notice to Supplier. PubMatic shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of the terminated products or services without imposing a penalty for such termination on PubMatic.

  4. DATA SUBJECT RIGHTS AND COOPERATION

    1. Data Subject Request. Supplier shall reasonably cooperate with PubMatic to enable PubMatic (or its third-party Controller) to respond to any requests, complaints or other communications from data subjects and regulatory or judicial bodies relating to the processing of Personal Data and Business Contact Data under the Contract(s), including requests from data subjects seeking to exercise their rights under Applicable Privacy Laws. In the event that any such request, complaint or communication is made directly to Supplier, Supplier shall promptly pass this onto PubMatic and shall not respond to such communication without PubMatic’s express authorization.
    2. Subpoenas and Court Orders. If Supplier receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement or other public or judicial authorities) seeking the disclosure of Personal Data, Supplier shall not disclose any information but shall immediately notify PubMatic in writing of such request, and reasonably cooperate with PubMatic if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.
    3. Data Privacy Impact Assessments (“DPIAs”). To the extent Supplier is required under Applicable Privacy Laws, Supplier will assist PubMatic (or its third-party Controller) to conduct a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed processing activity that presents a high risk to data subjects.

  5. DATA ACCESS & SECURITY MEASURES

    1. Confidentiality and Limitation of Access. Supplier shall ensure that any Authorized Person is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they process the Personal Data only for the purpose of delivering the Services under the Contract(s) to PubMatic. Supplier shall ensure that Supplier’s access to Personal Data is limited to those personnel performing Services in accordance with this DPA.
    2. Security Measures. Supplier will implement and maintain all appropriate technical and organizational security measures to protect PubMatic Data and Business Contact Data from Security Incidents and to preserve the security, integrity and confidentiality of such data (“Security Measures”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall at a minimum include: the pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a Security Incident; a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.

  6. SECURITY INCIDENTS

    1. Notification of Security Incidents. In the event of a Security Incident, Supplier shall promptly (and in no event later than 24 hours of becoming aware of such Security Incident) inform PubMatic and provide written details of the Security Incident, including the type of data affected and the identity of affected person(s) as soon as such information becomes known or available to Supplier.
    2. Supplier’s Obligations Following Security Incident. Furthermore, in the event of a Security Incident, Supplier shall:
      1. provide timely information and cooperation as PubMatic may require to fulfil PubMatic’s data breach reporting obligations under Applicable Privacy Laws or to comply with or respond to any inquiries by a data protection authority or any lawsuit arising from the Security Incident, including without limitation collecting and preserving all evidence pertaining to the Security Incident and the investigation conducted by Supplier;
      2. take such measures and actions as are appropriate to remedy or mitigate the effects of the Security Incident and shall keep PubMatic up-to-date about all developments in connection with the Security Incident; and
      3. reimburse PubMatic for the reasonable costs for PubMatic to prepare and send all notifications that are legally required or reasonably necessary (as determined in the sole discretion of PubMatic). At the written request of PubMatic, Supplier agrees to provide, at its sole expense, credit monitoring and identity theft protection services to individuals affected by a Security Incident involving Personal Data of those individuals.
    3. The content and provision of any notification, public/regulatory communication or press release concerning the Security Incident shall be solely at PubMatic’s discretion, except as otherwise required by applicable laws.

  7. SECURITY REPORTS & INSPECTIONS

    1. Supplier Security Standards. Supplier shall maintain records in accordance with ISO 27001 or similar Information Security Management System (“ISMS”) standards. Upon request, Supplier shall provide copies of relevant external ISMS certifications, audit report summaries and/or other documentation reasonably required by PubMatic to verify Supplier’s compliance with this DPA.
    2. Right of Inspection. While it is the parties’ intention ordinarily to rely on Supplier’s obligations set forth in Section 7.1 to verify Supplier’s compliance with this DPA, PubMatic (or its appointed representatives) may carry out an inspection of the Supplier’s operations and facilities during normal business hours and subject to reasonable prior notice where PubMatic considers it necessary or appropriate (for example, without limitation, where PubMatic has reasonable concerns about Supplier’s data protection compliance, following a Security Incident or following instruction from a data protection authority).

  8. INTERNATIONAL TRANSFERS

    1. International Transfers. Supplier and/or its Affiliates shall not process or transfer any Personal Data and/or Business Contact Data in or to a territory other than the territory in which the Personal Data and/or Business Contact Data was first collected (nor permit such data to be so processed or transferred) unless it takes all such measures as are necessary to ensure such processing or transfer is in compliance with Applicable Privacy Laws (including such measures as may be communicated by PubMatic to Supplier). Supplier shall inform PubMatic of any international transfers of Personal Data in advance of making the transfer and shall assist PubMatic in assessing the parties’ respective obligations to comply with Applicable Privacy Laws.
    2. Privacy Shield Flow Downs. To the extent that PubMatic and/or the Authorized Affiliates are self-certified to the Privacy Shield, Supplier represents and warrants that it shall:
      1. provide (and procure all Sub-processors that provide) at least the same level of protection to such Personal Data as is required by the Privacy Shield Principles and the Security Measures set forth in Section 5.2 of this DPA;
      2. promptly notify PubMatic if it makes a determination that it can no longer meet its obligations under Section 8.2(a) above, and in such event, to work with PubMatic and promptly take all reasonable and appropriate steps to stop and remediate (if remediable) any processing until such time as the processing meets the level of protection as is required by Section 8.2(a); and
      3. immediately cease (and procure all Sub-processors immediately cease) processing such Personal Data if in PubMatic’s sole discretion, PubMatic determines that Supplier has not or cannot correct any non-compliance with Section 8.2(a) above in accordance with Section 8.2(b) within a reasonable time frame.
    3. Transfer Mechanism.
      1. To the extent Supplier and/or its US Affiliates are self-certified to Privacy Shield, Supplier agrees: (i) that it and/or its US Affiliates (as applicable) shall maintain such Privacy Shield certification; and (ii) with respect to Personal Data and/or Business Contact Data that is protected by EU Data Protection Law and/or that originates from Switzerland and/or the United Kingdom, it and/or its US Affiliates (as applicable) shall comply with the Privacy Shield Principles when handling such data.
      2. The parties further agree that if and to the extent Supplier and/or its Affiliates processes or transfers (directly or via onward transfer) Personal Data that is protected by EU Data Protection Law and/or that originates from Switzerland and/or the United Kingdom in or to any country or recipient not recognized by the European Commission as providing an adequate level of protection for personal data (as described in EU Data Protection Law) and such transfer is not covered by the Supplier and/or its US Affiliates Privacy Shield certification (if applicable and valid), Supplier and/or its Affiliates (as applicable) agree to abide by and process such data in accordance with the Model Clauses.
      3. For the purposes of Section 8.3(b) the parties further agree: (i) the Model Clauses are incorporated by reference and form an integral part of this DPA; (ii) Supplier and/or its Affiliates (as applicable) shall be the “data importer” and PubMatic (acting on behalf of itself and all Affiliates) is the “data exporter” (notwithstanding that PubMatic may be located outside the European Economic Area, Switzerland and/or the United Kingdom); and (iii) Annexes A and B of this DPA will take the place of Appendixes 1 and 2 of the Model Clauses respectively.
    4. Supplier acknowledges that PubMatic may disclose this DPA and any relevant privacy provisions in the Contract(s) to the US Department of Commerce, the Federal Trade Commission, European data protection authority, or any other US or EU judicial or regulatory body upon their request.

  9. DELETION & RETURN

    1. Upon PubMatic’s request, or upon termination or expiry of this DPA, Supplier shall destroy or return to PubMatic all Personal Data (including copies) in its possession or control (including any Personal Data processed by its Sub-processors). This requirement shall not apply to the extent that Supplier is required by any applicable law to retain some or all of the Personal Data, in which event Supplier shall isolate and protect the Personal Data from any further processing except to the extent required by such law.

  10. LIABILITY

    1. Notwithstanding anything else to the contrary in the Contract(s), Supplier acknowledges and agrees that:
      1. it shall be liable for any loss of PubMatic Data (including Personal Data) and Business Contact Data arising under or in connection with the Contract(s) and this DPA to the extent such loss results from any failure of Supplier (or its Sub-processors) to comply with its obligations under this DPA and/or Applicable Privacy Laws; and
      2. any exclusion of damages or limitation of liability that may apply to limit the Supplier’s liability in the Contract(s) shall not apply to the Supplier’s liability arising under or in connection with this DPA, howsoever caused, regardless of how such amounts or sanctions awarded are characterized and regardless of the theory of liability, which liability shall be expressly excluded from any agreed exclusion of damages or limitation of liability.
    2. The parties acknowledge and agree that any breach by Supplier of this DPA shall constitute a material breach of the Contract(s), in which event and without prejudice to any other right or remedy available to it, PubMatic may elect to immediately terminate the Contract(s) in accordance with the termination provisions in the Contract(s).