Dated: September 14, 2020

This Marketing Data Processing Addendum (“DPA“) is made a part of and incorporated into the Agreement entered into by and between the PubMatic, Inc. (“PubMatic“) and the party identified in the signature block below (“Event Partner“). In the event of a conflict between the Agreement and this DPA, this DPA shall control to the extent of the conflict with respect to the Event Partner’s Processing and disclosure of any Data (including Personal Data).

  1. Any capitalized terms used but not defined in this DPA shall have the meaning set forth in the Agreement.

    1. Data Protection Laws” means any privacy and/or data protection laws, regulations and binding guidance that apply to the Processing of Personal Data under this DPA and/or to the privacy of electronic communications, including (but not limited to) the General Data Protection Regulation (EU) 2016/679 (the “GDPR“), Directive 2002/58/EC and any legislation or regulations implementing, replacing, amending or made pursuant to such laws.
    2. Controller” shall have the meaning given to it under the GDPR.
    3. Data Subject” shall have the meaning given to it in the GDPR.
    4. Personal Data” shall mean any information that directly or indirectly identifies an individual, including any information that is “personal data”, “personal information” or “personally identifiable information” under Data Protection Laws.  For the avoidance of doubt, information about an individual in the business context is considered Personal Data.  For example, business contact information is considered Personal Data.
    5. Processing” shall have the meaning given to it in the GDPR and “process“, “processes” and “processed” shall be interpreted accordingly.
    6. “Security Breach” means a potential or confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Data Processed under or in connection with the Agreement.
    7. “Standard Contractual Clauses” means the Standard Contractual Clauses for controllers (2004) as approved by the European Commission and available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32004D0915 (as amended, superseded or updated from time to time).

  2. Relationship of the Parties: The parties acknowledge and agree that pursuant to the Agreement (including this DPA), Event Partner will disclose the Personal Data described in Appendix 1 (“Data“) to PubMatic for processing. The parties acknowledge and agree that Event Partner is a Controller of such Data and that PubMatic will process the Data as a separate and independent Controller for the purposes described in Appendix 1 (or as otherwise agreed in writing by the parties) (the “Permitted Purpose“). In no event will the parties process the Data as joint Controllers.
     
  3. Data Protection Obligations

    1. Compliance with law: Without prejudice to Event Partner’s obligations under Section 2 of this DPA, each party agrees that it shall be individually and separately responsible for complying with the obligations that apply to it as a Controller under Data Protection Laws. Event Partner represents and warrants to PubMatic that it is a Controller of the Data under Data Protection Laws and that it is lawfully entitled to process, and has (and, to the extent that Event Partner has obtained the Data from third party sources (“Sources“), procures that all Sources have) provided all required notices and obtained all necessary and valid  consents, approvals, and authorizations (including, without limitation meeting the consent standard (where applicable) set by Data Protection Laws) from the relevant Data Subjects to: (i) process and share the Data in accordance with this Agreement; and (ii) to enable PubMatic to lawfully process the Data for the purposes contemplated by this Agreement, including the Permitted Purposes.
    2. Consent Records. Event Partner shall maintain (and procure that all Sources maintain) a record of all consents obtained from Data Subjects pursuant to Section 3.1 above as required by Data Protection Laws, including the time and date on which consent was obtained, the information presented to Data Subjects in connection with their giving consent, and details of the mechanism used to obtain consent. Event Partner shall make these records available to PubMatic promptly upon written request.
    3. Form of Notice and Consent. Without limitation to Section 3.1 above, Event Partner agrees that where and to the extent it is responsible for providing any notice and obtaining any consents on behalf of PubMatic pursuant to this DPA or where otherwise reasonably requested by PubMatic: (a) it must obtain (and procure that all Sources obtain) PubMatic’s prior written approval of the form and method of the notice, choice and/or consent mechanism(s) used to notify data subjects and obtain their consent or exercise choice (as applicable) with respect to the processing of their personal data for the purposes contemplated by this Agreement; and (b) Event Partner agrees to make (and procure that all Sources make) any changes to such notices, choice and consent mechanisms, including with respect to form, method of delivery, or otherwise, as reasonably requested by PubMatic. If Event Partner (or any of its Sources) is unable to comply with its notice and consent obligations under this Section 3, Event Partner shall promptly notify PubMatic.

  4. Assistance and Cooperation.

    1. In the event that either party receives any correspondence, enquiry or complaint from a Data Subject, regulator or other third party related to the disclosure of the Data by Event Partner to PubMatic for the Permitted Purpose; or that relates (or also relates) to the business of the other party (“Correspondence“), it shall promptly inform the other party giving full details of the same, and the parties shall cooperate reasonably and in good faith in order to respond to the Correspondence in accordance with any requirements under Data Protection Laws.
    2. In the event that either party receives any correspondence, enquiry or complaint from a Data Subject, regulator or other third party related to the disclosure of the Data by Event Partner to PubMatic for the Permitted Purpose; or that relates (or also relates) to the business of the other party (“Correspondence”), it shall promptly inform the other party giving full details of the same, and the parties shall cooperate reasonably and in good faith in order to respond to the Correspondence in accordance with any requirements under Data Protection Laws.

  5. Security. Both parties shall implement and maintain an information security program (which shall include appropriate technical and organizational measures, policies, and processes) to protect against Security Breaches and to ensure the security, availability, integrity, resilience and confidentiality of the systems storing and Processing the Data.
     
  6. Data Transfers.

    1. The parties acknowledge that, where PubMatic is a recipient of the Data protected by Data Protection Laws applicable to the European Economic Area, United Kingdom and/or Switzerland (collectively for the purposes of this DPA “Europe”), PubMatic agrees to abide by and process such Data in accordance with the Standard Contractual Clauses, which are incorporated by reference and form an integral part of this Agreement. For the purposes of the Standard Contractual Clauses the parties agree that PubMatic is the “data importer” and Event Partner is the “data exporter” under the Standard Contractual Clauses (notwithstanding that Event Partner may itself be located outside of the Europe) and Appendix 1 shall replace Annex B of the Standard Contractual Clauses and (b) the data importer selects option (iii) for the purposes of Clause 2(h) of the Standard Contractual Clauses. In the event of any conflict or inconsistency between the provisions of this DPA and the Standard Contractual Clauses as outlined in this DPA, the provisions of the Standard Contractual Clauses shall prevail.
    2. The parties acknowledge that if PubMatic cannot comply Section 6.1 in relation to cross-border data transfers (including but not limited to the Standard Contractual Clauses) for whatever reason, PubMatic agrees to inform promptly the Event Partner of its inability to comply, in which case the Event Partner is entitled to immediately suspend the transfer of data to PubMatic and/or suspend or terminate the affected services. If Event Partner intends to suspend and/or terminate the affected services, it shall first provide written notice to the Event Partner and provide PubMatic with a reasonable period of time to implement a mutually agreeable alternative data transfer mechanism that complies with the requirements of Data Protection Laws and/or cure the non-compliance (“Cure Period“). If after the Cure Period, PubMatic has not or cannot cure the non-compliance to the reasonable satisfaction of the Event Partner, then the Event Partner may immediately terminate the affected services in accordance with the termination provisions in this DPA without liability to either party.
    3. The parties agree that if Data Protection Laws no longer allow the lawful transfer of Customer Data under the Standard Contractual Clauses and/or a relevant regulator or court of competent requires the parties to adopt additional measures (“Additional Measures“) or an alternative data export solution (“Alternative Transfer Mechanism“) to enable the lawful transfer of Data outside of Europe, both parties agree to cooperate and agree any Additional Measures or Alternative Transfer Mechanism that may be required (but only to the extent such Additional Measures or Alternative Transfer Mechanism extend to the territories to which Data is transferred).

  7. Indemnity

    1. Event Partner shall indemnify PubMatic from and against all loss, cost, harm, expense (including reasonable legal fees), liabilities or damage (“Damage“) suffered or incurred by PubMatic as a result of Event Partner’s breach of the data protection provisions set out in this Agreement or Data Protection Laws, and provided that: (i) PubMatic gives Event Partner prompt notice of any circumstances of which it is aware that give rise to an indemnity claim; and (ii) PubMatic takes reasonable steps and actions to mitigate any ongoing Damage it may suffer as a consequence of Event Partner’s breach.

  8. Miscellaneous

    1. Appendices to this DPA will be deemed to be an integral part of this Agreement to the same extent as if they had been set forth verbatim herein.
    2. This DPA may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.