PubMatic Connect Data Provider Agreement

August 28, 2025

Subject to Order Form

This Connect Data Provider Agreement (also formerly known as Audience Encore or Audience Match Agreement), effective as of the Effective Date provided in the Order Form, is entered into by and between PubMatic and the Provider listed on such Order Form.

1. DEFINITIONS.
   1. “Customer” means any mutual customer, publisher, demand partner, agency, or advertiser that receives Licensed Content from PubMatic.
   2. “Data Protection Laws” means all applicable local, state, federal, or international laws, regulations, or treaties relating to the privacy, security, or protection of Personal Data, as may be defined in such laws, including the European Area Law, U.S. state privacy laws, such as the California Consumer Protection Act (“CCPA”), § 1798.100 et. seq., and any subsequent supplements, amendments, or replacements to the same.
   3. “Data Provider Revenue” means gross revenue earned by Provider for the data on sales of impressions via the PubMatic Services.
   4. “End User” means a specific natural person who uses the Provider Properties.
   5. “European Area” means the European Union, European Economic Area, Switzerland, and the United Kingdom of Great Britain and Northern Ireland (“UK”).
   6. “European Area Law” means the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Addendums etc.) (EU Exit) Regulations 2019 (SI 2019/419) (collectively “UK Data Protection Law”); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”): or (iv) any successor or amendments thereto (including without limitation implementation of GDPR by Member States into their national law), or (v) any other law relating to the data protection, security, or privacy of individuals that applies in the European Area.
   7. “Intellectual Property” includes trade secrets, copyrights, trademarks, patents, logos, service marks, inventions, technology, Confidential Information, and other proprietary materials.
   8. “Licensed Content” means data owned or licensed by Provider that is delivered or otherwise made available to PubMatic pursuant to this Agreement which may include anonymous or pseudonymous or Personal Data but shall not include Personal Directory Data, or Sensitive Personal Data.
   9. “Marks” means trade names, trademarks, service marks, and logos.
   10. “Personal Data” shall have the meaning of this term or any similar term (such as “personal information” or “personally identifiable information”) under the relevant applicable privacy or data protection laws, or where no such laws apply, shall mean any information that by itself or when combined with other information (such as name, address, telephone number, e-mail address, precise geo location, financial account number, and government-issued identification number) can be used to identify a specific natural person.
   11. “Personal Directory Data” means calendar, address book, phone/text log, or photo/video file data (including any associated metadata), or similar data created by a user that is stored on or accessed through a device.
   12. “Provider Properties” means Provider owned, operated and/or controlled web or mobile properties or other sources of data for Provider.
   13. “PubMatic Services” means the services in relation to online advertising owned, operated, or provided by PubMatic through which Licensed Content shall be utilized in accordance with the rights and licenses granted herein.
   14. “Sensitive Personal Data” shall have the meaning relating to this term or any similar term (such as “sensitive personal information”) under relevant privacy or data protection laws, or where no such laws apply, shall mean, with respect to a specific natural person, medical or health information (including information about health conditions or treatments), financial information (including financial account information and number), sexual orientation, social security number or other government-issued identifiers, and personal information of children protected under any applicable child protection laws (such as the personal information defined under the United States Children’s Online Privacy Protection Act of 1998 (“COPPA”).
2. LICENSE GRANTS AND OWNERSHIP.
   1. License Grant. Provider hereby grants to PubMatic a non-exclusive, right and license during the Term to use, , host, integrate, display, sell, market, create derivatives of, create algorithms of the Licensed Content on the Provider’s own behalf and on behalf of the Customers for the purposes of (a) using the Licensed Content to create, deliver, analyze, model, plan, and optimize advertising campaigns, audiences and segments, and interest-based and cross-app advertising; (b) develop and optimize the PubMatic Services; and (c) ad delivery, analytics and reporting.
   2. Required Consents. Provider shall be solely responsible at no cost to PubMatic for (a) procuring and maintaining during the Term all necessary and applicable rights, consents, licenses, and clearances with respect to the Licensed Content as necessary for PubMatic and the Customers to exercise the rights and licenses granted by Provider herein (“Required Consents”) and (b) paying to any interested third parties all required royalties, clearance costs, and fees relating to or arising out of any Required Consents.
   3. Restrictions. PubMatic shall implement administrative, physical and technical safeguards to protect the Licensed Content from unauthorized access, loss or disclosure that are no less rigorous than accepted industry standards and using reasonable care. PubMatic shall notify Provider promptly in the event PubMatic learns of any unauthorized access, loss or disclosure of any Licensed Content, and will reasonably cooperate with Provider in any proceeding against any third parties necessary to protect Provider’s rights with respect to the Licensed Content. PubMatic shall retain the right to discontinue offering any of the Licensed Content at any time in the event that Licensed Content violates the terms of this Agreement or does not generate any Data Provider Revenue.
   4. Ownership. Except as expressly set forth in this Agreement, as between Provider and PubMatic, PubMatic retains all right, title and interest in and to the PubMatic Services and Intellectual Property of PubMatic. As between Provider and PubMatic, Provider retains all right, title and interest in and to the Licensed Content, the Provider Properties, and the Intellectual Property of Provider.
3. PROVIDER OBLIGATIONS; PROCESSING ADDENDUMS.
   1. Provider will perform its obligations under this Agreement, including with respect to the collection and provision of Licensed Content as contemplated hereby, in compliance with all applicable laws, rules and regulations.
   2. Provider shall ensure that the Provider Properties and each of the sources of Licensed Content: (i) contain a privacy policy that clearly and conspicuously discloses the collection, provision and use (including, without limitation, the use contemplated by this Agreement) of Licensed Content, including descriptions of data collection for interest-based and cross-app advertising, as applicable, and, if applicable, the use of technologies which collect, store or otherwise permit access to such data on or from an End User’s device, browser or terminal equipment (“Cookies and Similar Technologies”), in compliance with all applicable laws, rules and regulations, (ii) provide a conspicuous mechanism by which End Users may opt out of the use Cookies and Similar Technologies and any interest-based advertising and cross-app advertising”, as applicable, and (iii) to the extent required by applicable law, rule or regulation, obtain, with respect to Provider’s services, End Users’ prior and informed consent to the use, collection and sharing of the Licensed Content as contemplated by this Agreement.
   3. Provider will not pass or make available to PubMatic as part of Licensed Content: (i) Personal Directory Data, or (ii) Sensitive Personal Data.
   4. Provider will not pass or make available to PubMatic any data relating to an End User in the event that Provider knows that such End User has opted out of interest-based or cross-app advertising, the uses of Licensed Content contemplated by this Agreement, or the services provided by Provider.
   5. To the extent applicable, the Data Processing Addendum attached hereto shall form part of this Agreement and its terms are hereby incorporated in the Agreement by reference.
4. PROCESSING OF PERSONAL DATA RELATING TO SELECT U.S. RESIDENTS.
   1. Use Instructions and Limitations. The Provider instructs the following in connection with PubMatic’s Processing of Personal Data relating to residents of California, Colorado, Connecticut, Utah, and Virginia or other US States as may be applicable:
      1. PubMatic shall use, retain, disclose, or otherwise process Personal Data only on behalf of Provider and for the specific business purpose of providing the Services and in accordance with Provider’s instructions, including as described in the Agreement. PubMatic shall not Sell or Share Personal Data, as “Sell” and “Share” are defined in the CCPA and other applicable Data Protection Laws, nor use, retain, disclose, or otherwise process Personal Data outside of its business relationship with Provider or for any other purpose except as required by law. PubMatic will inform Provider in the time period required by applicable Data Protection Law if PubMatic determines that it is no longer able to meet its obligations under Data Protection Laws or where, in PubMatic’s reasonable opinion, any of Provider’s instructions infringes any Data Protection Laws. Provider reserves the right to take reasonable and appropriate steps to discontinue and remediate unauthorized use of Personal Data.
      2. PubMatic shall have rights to use Personal Data solely (i) to the extent necessary to (a) perform its obligations under this Agreement; (b) operate, manage, test, maintain and enhance the Services including as part of its business operations; (c) to disclose aggregate statistics about the Services in a manner that prevents individual identification or re-identification of Provider, Provider Data, or Personal Data, including without limitation any individual device, or individual person; and/or (d) protect the Services from a threat to the Services or Personal Data; (ii) if required by order of a court or authorized governmental agency, provided that prior notice first be given to Provider, or (iii) as otherwise expressly authorized by Provider.
      3. PubMatic will not combine Personal Data it processes on Provider’s behalf with Personal Data it receives from or on behalf of another person or persons, or that it collects from its own interactions with individuals, provided that PubMatic may combine Personal Data to perform any business purpose permitted or required under the Agreement to perform the Services.
   2. Third Parties. To the extent PubMatic processes the Personal Data of California residents as a “Third Party,” as “Third Party” is defined under the CCPA, § 1798.100 et. seq., this section, 4.2, will apply instead of 4.1 for such processing conducted as a Third Party: PubMatic may process Personal Data only for the limited and specified purposes described in the Agreement and related Schedules, Service Orders, and/or Statements of Work, including this DPA. PubMatic must comply with all applicable Data Protection Laws, including all applicable sections of the CCPA and provide the same level of privacy protection as required of businesses by the CCPA. Among these, PubMatic must comply with consumer requests to opt out of Sale or Sharing forwarded by Provider. Where PubMatic is providing Services that includes the collection of Personal Data on either Provider or PubMatic’s behalf on a Provider-managed website, PubMatic shall check for and comply with the website visitor’s opt-out preference signal unless otherwise informed by Provider that such website visitor has consented to the Sale or Sharing of their Personal Data. Provider shall forward consumer requests to PubMatic via the instructions provided on https://pubmatic.com/legal/dsr-notice. PubMatic will inform Provider in the time period required by applicable Data Protection Law if PubMatic determines that it is no longer able to meet its obligations under Data Protection Laws or where, in PubMatic’s reasonable opinion, any of Provider’s instructions infringes any Data Protection Laws. Provider reserves the right to take reasonable and appropriate steps to discontinue and remediate unauthorized use of Personal Data.
   3. Deidentification. Where PubMatic is permitted by applicable Data Protection law or this DPA to use Provider Personal Data for its internal business purposes in an aggregated and deidentified manner, PubMatic agrees to take reasonable measures designed to ensure that the Personal Data cannot be associated with an individual (or, household, where applicable), publicly commits to maintain and use the information in de-identified form only and make no attempt to re-identify the information except where necessary to test its de-identification processes, and contractually obligates any authorized recipients to comply with these obligations.
   4. Certification. PubMatic certifies that it understands these obligations and restrictions and will comply with them.
   5. DOJ Bulk Sensitive Data Rules. This Section 4.5 applies solely in instances where PubMatic provides Provider with access to personal data (such as when PubMatic facilitates access for the Provider’s generation of its Licensed Content). Solely for purposes of this Section 4.5, the terms “access,” “country of concern,” and “covered person” shall have the meanings ascribed to them in 28 CFR Part 202 Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (“DOJ Bulk Sensitive Data Rules”).
      1. Provider represents and warrants that it is not a covered person or country of concern. Provider will immediately notify PubMatic if it foresees a change that would cause it to become such a covered person or country of concern.
      2. Without limitation to Provider’s other obligations under the Agreement, when accessing personal data through PubMatic (including via pixel placement), Provider shall not: (a) transfer any such personal data to, or otherwise enable access to such personal data by (1) a covered person or country of concern or (2) absent equivalent protections to this Section 4.5, any subcontractor, affiliate, or third party; or (b) engage in any activity or conduct that would result in a violation of the DOJ Bulk Sensitive Data Rules by Provider or PubMatic. Provider shall promptly report to PubMatic any known or suspected violations of this Section 4.5.
      3. PubMatic may immediately suspend Provider’s access to any personal data or any portion thereof and terminate the Agreement (a) upon receipt of Provider’s notice or report, or (b) if PubMatic believes that Provider has failed to comply with this Section and/or is using the personal data in a manner that violates any applicable laws or regulation, or that would otherwise damage PubMatic’s customers, partners, business, or reputation.

5. PAYMENT; FEES; COSTS.
   1. Fees. The fees to be paid by PubMatic to Provider for the Licensed Content are set forth in the Order Form, which may be updated from time to time upon mutual agreement of the parties.
   2. Payment and Invoices. Following each month, PubMatic will provide Provider with a monthly statement that details the Data Provider Revenue and PubMatic Data Fee (the “Monthly Statement”). If Provider does not raise any issues in writing with regards to any Monthly Statement within thirty (30) days of receipt, Provider will forfeit their right to do so. PubMatic shall pay Provider the Data Provider Revenue (when in aggregate over $200), net of the PubMatic Data Fee, ninety (90) days after the end of each calendar month. Payments due under this Agreement shall be calculated based on PubMatic’s measurements. Provider agrees to hold PubMatic liable for payments of fees solely to the extent proceeds have cleared from the applicable Customer to PubMatic. PubMatic agrees to make every reasonable effort to collect and clear payment from the applicable Customer on a timely basis. If PubMatic cannot collect such payments from the applicable Customer within 120 days of date of the PubMatic invoice, PubMatic reserves the right to adjust subsequent payments to Provider to account for the fees it is unable to collect from the applicable Customer.
   3. Costs. Except as otherwise expressly provided hereunder, each Party shall be responsible for all costs and expenses incurred by it in connection with the performance of its obligations under this Agreement.
   4. Taxes. Provider will pay all taxes (including excise, sales, use, consumption, value-added or withholding taxes), customs or import duties, or any other levies, tariffs, duties or governmental fees that are due or payable in connection with this Agreement (“Taxes”), with the exception of taxes on PubMatic’s net income. Each party agrees to cooperate in good faith with respect to reasonable requests from the other party regarding Tax-related forms, documentation or other information relating to this Agreement that may be necessary or appropriate.
6. TERM; TERMINATION.
   1. Term. The initial term of this Agreement shall begin as of the Effective Date and shall continue for twelve (12) months thereafter (the “Initial Term”), unless earlier terminated in accordance with the terms of this Agreement. At the end of the Initial Term and each renewal term thereafter (together with the Initial Term, the “Term”), the term of this Agreement shall automatically renew for consecutive twelve (12) month periods (each a “Renewal Term”) unless either party provides the other party with written notice of non-renewal at least thirty (30) days prior to the date of the then existing Renewal Term.
   2. Termination for Convenience. Following the Initial Term, either party may terminate this Agreement at any time for any reason upon ninety (90) days’ prior written notice to the other party hereto.
   3. Material Breach. Either party may terminate this Agreement effective immediately, if the other party is in material breach of any obligation, representation, or warranty hereunder and fails to cure that material breach (if capable of cure) within thirty (30) days after receiving written notice of the material breach from the non-breaching party stating its intent to terminate.
   4. Bankruptcy. Either party may terminate this Agreement effective immediately upon written notice if: (i) the other party files a petition for bankruptcy or is adjudicated as bankrupt; (ii) a petition in bankruptcy is filed against the other party and such petition is not removed or resolved within thirty (30) days; (iii) the other party makes an assignment for the benefit of its creditors or an arrangement for its creditors pursuant to bankruptcy law; (iv) the other party discontinues its business; (v) a receiver is appointed over all or substantially all of the other party’s assets or business; or (vi) the other party is dissolved or liquidated.
   5. Effect of Termination. Upon termination of this Agreement, the following sections will survive: 2.4, 4, 5, 6, 7 and 8 through 10. In the event of early termination of this Agreement, Provider shall continue to provide the Licensed Content during the Wind-Down Period (as defined below). During the Wind-Down Period, Provider will continue receiving payments from PubMatic in accordance with Section 4 above. “Wind-Down Period” is defined as a 90 day period after the termination date of this Agreement during which Provider will continue to provide Licensed Content to PubMatic and the Customers, at PubMatic’s option.
7. CONFIDENTIALITY; PROTECTION OF CONFIDENTIAL INFORMATION AND PRESS RELEASES.
   1. “Confidential Information” means (i) technical innovations, know-how, business practices, consumer acquisition practices, patents, ideas, inventions, processes, financial records, prices, trade secrets, applications, source code, reporting, data, and Intellectual Property; (ii) any and all information that is disclosed by either party to the other party, either directly or indirectly, in writing, orally or by inspection of tangible objects, which if disclosed in writing or tangible form is marked as “Confidential,” or with some similar designation, or if disclosed orally or by inspection or observation, is identified as being proprietary and/or confidential at the time of disclosure, (iii) by the nature of the circumstances surrounding the disclosure should reasonably be treated as proprietary and/or confidential, or (iv) any information which is or reasonably should be considered to be proprietary and/or confidential.
   2. Exclusions. Confidential Information does not include information that: (i) is or becomes generally known to the public through no fault of or breach of this Agreement by the receiving party; (ii) is rightfully known by the receiving party at the time of disclosure without an obligation of confidentiality, as evidenced by the receiving party’s tangible (including written or electronic) records; (iii) is independently developed or obtained by the receiving party without use of the disclosing party’s Confidential Information, as evidenced by the receiving party’s tangible (including written or electronic) records; (iv) the receiving party rightfully obtains from a third party, who does not have a known obligation of confidentiality, without restriction on its use or disclosure.
   3. Use and Disclosure Restrictions. Neither party may use the other party’s Confidential Information, except as necessary for the performance of this Agreement nor may either party disclose Confidential Information of the other party to any third party or individual, except to those of its employees or subcontractors that need to know such Confidential Information for the purpose of performing this Agreement; provided, that each such employee or subcontractor is subject to a written agreement that includes binding use and disclosure restrictions that are at least as protective of Confidential Information as those set forth herein. Each party must use all reasonable efforts to maintain the confidentiality of all Confidential Information of the other party in its possession or control, but in no event less than the efforts that party ordinarily uses with respect to its own proprietary information of similar nature and importance. The foregoing obligations will not restrict either party from disclosing Confidential Information of the other party: (i) pursuant to the order or requirement of a court, administrative agency, or other governmental body, provided that the party required to make such a disclosure gives reasonable notice to the other party in order that the disclosing party may act to prevent or restrict the ordered disclosure; (ii) on a confidential basis to its legal or financial advisors; or (iii) on a confidential basis to present or future providers of venture capital and/or potential private investors in or acquirers of such party. Upon the written request of the disclosing party, all copies of Confidential Information shall be promptly returned or destroyed by the receiving party, except for any automatically generated electronic backup copies that may reside on a party’s computer systems or be stored offsite, and that shall be used for no purpose and remain subject to the confidentiality obligations contained herein.
   4. Press Releases. Except as necessary to perform its obligations herein, neither party may use the other party’s Marks or publicize this Agreement nor the relationship between the parties established herein to any third-party, including without limitation, issuing a press release, unless it has obtained the prior written approval of the other party hereto.
8. REPRESENTATIONS AND WARRANTIES.
   1. Mutual Representations and Warranties. Each of the parties represents and warrants that (i) it has the full power and authority to enter into this Agreement; (ii) the execution of this Agreement and performance of its obligations under this Agreement do not and will not violate any other agreements to which it is a party; (iii) this Agreement constitutes a legal, valid and binding obligation of it when executed and delivered; and (iv) it has and will have the necessary rights, title and interest to grant the licenses granted herein.
   2. Provider Representations and Warranties. Provider represents and warrants that (i) the Licensed Content does not, and will not, infringe, violate, or misappropriate the Intellectual Property rights of any third party; (ii) it has all Required Consents; (iii) the Licensed Content will meet the requirements of Section 3; (iv) it will comply with all applicable laws, rules, and regulations, including privacy laws and regulations, in its collection, storage, sharing and use of the Licensed Content; and (v) the collection, provision and use of Licensed Content as contemplated hereby do not, and will not, (a) violate the terms of its privacy policy or other disclosure made at the time of collection, or (b) violate the terms of service of any operating system or platform (including, without limitation, iOS or Android), web site, application or other source of Licensed Content.
   3. PubMatic Representations and Warranties. PubMatic represents and warrants that (i) the PubMatic platform does not, infringe, violate, or misappropriate the Intellectual Property rights of any third party; (ii) it will comply with the Restrictions in Section 2.3; (iii) it will comply with all applicable laws, rules, and regulations, including privacy laws and regulations in the use of the Licensed Content.
9. DISCLAIMERS; LIMITATION OF LIABILITY.
   1. Disclaimers. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER PARTY MAKES ANY WARRANTIES, EXPRESS OR IMPLIED, WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT, AND EACH PARTY EXPRESSLY DISCLAIMS THE IMPLIED WARRANTIES OF PERFORMANCE, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE, AND IMPLIED WARRANTIES ARISING FROM COURSE OF DEALING OR PERFORMANCE WITH RESPECT TO ITS PRODUCTS AND/OR SERVICES. THE PUBMATIC SERVICES WILL NOT PROVIDE SPECIFIC VOLUMES OF TRAFFIC, RESULTS, SALES OBJECTIVES OR ANY LEVEL OF PROFIT OR BUSINESS. PUBMATIC FURTHER DISCLAIMS ALL WARRANTIES AND LIABILITY RELATED TO ANY ARTIFICIAL INTELLIGENCE OR MACHINE LEARNING TECHNOLOGIES USED IN CONNECTION WITH THE SERVICES, AND DATA PROVIDER ACKNOWLEDGES THAT SUCH TECHNOLOGIES HAVE INHERENT LIMITATIONS INCLUDING POTENTIAL FOR ERRORS, BIAS, UNEXPLAINABLE OUTCOMES, OR MISCLASSIFICATION FOR WHICH PUBMATIC SHALL NOT BE LIABLE.
   2. LIMITATION OF LIABILITY. IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY PUNITIVE, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, RELIANCE OR CONSEQUENTIAL DAMAGES ARISING FROM OR RELATING TO THIS AGREEMENT, INCLUDING LOST DATA, BUSINESS, REVENUE, OR ANTICIPATED PROFITS, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, AND WHETHER OR NOT THE APPLICABLE PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES. PUBMATIC SHALL HAVE NO LIABILITY FOR THE ACTS OR OMISSIONS OF THIRD PARTIES EXCEPT FOR ITS SUBCONTRACTORS.
   3. EXCEPT FOR THE INDEMNIFICTAION OBLIGATIONS BELOW, IN NO EVENT WILL THE AGGREGATE LIABILITY OF EITHER PARTY UNDER THIS AGREEMENT EXCEED THE GREATER OF THE FEES PAYABLE TO PROVIDER BY PUBMATIC UNDER THIS AGREEMENT DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE DATE OF THE CLAIM AND ONE HUNDRED THOUSAND DOLLARS ($100,000). THE PARTIES AGREE THAT THE LIMITATIONS OF LIABILITY SET FORTH IN THIS SECTION WILL SURVIVE ANY TERMINATION OR EXPIRATION OF THIS AGREEMENT, AND WILL APPLY EVEN IF ANY LIMITED REMEDY SPECIFIED IN THIS AGREEMENT IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.
10. INDEMNIFICATION.
    1. PubMatic Indemnification. PubMatic agrees to indemnify, defend, and hold Provider and its directors, officers, shareholders, employees, affiliates, and agents harmless from and against any liabilities, damages, losses, or expenses (including reasonable attorneys’ fees) arising out of any claim, demand, action, or proceeding initiated by a third party that is based upon, arises out of, or relates to the alleged or actual breach of any of PubMatic’s representations and warranties set forth in Section 8 hereof; provided, however, that Provider: (i) promptly notifies PubMatic in writing of the claim, except that any failure to provide this notice promptly only relieves PubMatic of its responsibility pursuant to this Section to the extent its defense is materially prejudiced by the delay; (ii) grants PubMatic sole control of the defense and/or settlement of the claim; provided PubMatic uses legal counsel reasonably acceptable to Provider and (iii) provides PubMatic, at PubMatic’s expense, with all assistance, information and authority reasonably required for the defense and/or settlement of the claim. PubMatic shall not settle any claim in a manner that adversely affects the rights of Provider without Provider’s prior written consent, which consent shall not be unreasonably withheld or delayed. Provider may participate in and observe the proceedings at its own cost and expense with legal counsel of its own choosing.
    2. Provider Indemnification. Provider agrees to indemnify, defend, and hold PubMatic and its directors, officers, shareholders, employees, affiliates, and agents harmless from and against any liabilities, damages, losses, or expenses (including reasonable attorneys’ fees) arising out of any claim, demand, action, or proceeding initiated by a third party that is based upon, arises out of, or relates to the alleged or actual breach of any of Provider’s representations and warranties set forth in Sections 8 hereof,; provided, however, that PubMatic: (i) promptly notifies Provider in writing of the claim, except that any failure to provide this notice promptly only relieves Provider of its responsibility pursuant to this Section to the extent its defense is materially prejudiced by the delay; (ii) grants Provider sole control of the defense and/or settlement of the claim; provided Provider uses legal counsel reasonably acceptable to PubMatic; and (iii) provides Provider, at Provider’s expense, with all assistance, information and authority reasonably required for the defense and/or settlement of the claim. Provider shall not settle any claim in a manner that adversely affects the rights of PubMatic without PubMatic’s prior written consent, which consent shall not be unreasonably withheld or delayed. PubMatic may participate in and observe the proceedings at its own cost and expense with legal counsel of its own choosing.
11. MISCELLANEOUS.
    1. Each party to this Agreement represents and warrants that it is and shall remain in compliance with all applicable laws, regulations, and requirements administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), including but not limited to, the Trading with the Enemy Act, the International Emergency Economic Powers Act, and any Executive Orders or regulations promulgated thereunder (collectively, “OFAC Regulations”).
    2. (a) The parties acknowledge and agree that they shall not, directly or indirectly, engage in any transaction that would result in a violation of any OFAC Regulations.
       (b) Without limiting the generality of the foregoing, the parties shall not engage in any transactions or dealings with individuals, entities, or countries subject to sanctions imposed by OFAC.
    3. (a) Each party shall promptly notify the other party in writing if it becomes aware of any violation or potential violation of OFAC Regulations in connection with the performance of this Agreement.
       (b) In the event that either party is designated as a Specially Designated National (“SDN”) or otherwise becomes subject to sanctions under OFAC Regulations, that party shall immediately notify the other party in writing.
    4. Each party agrees to indemnify, defend, and hold harmless the other party, its affiliates, officers, directors, employees, and agents from and against any and all losses, liabilities, damages, costs, and expenses (including reasonable attorneys’ fees) arising out of or resulting from any breach of the representations and warranties set forth in this OFAC Sanctions section.
12. MISCELLANEOUS.
    1. Relationship of the parties. The relationship of PubMatic and Provider established by this Agreement is that of independent contractors, and nothing contained in this Agreement will create or be construed to constitute a partnership, joint venture, agency, or employment relationship between the parties. Neither party shall have any right to obligate or bind the other party hereto in any manner whatsoever, and nothing herein contained shall give, or is intended to give, any rights of any kind to any third parties.
    2. Governing Law; Jurisdiction. This Agreement shall be governed by, and construed and enforced in accordance with, the laws of the State of California, without reference to conflicts of laws principles. The parties agree that the federal and state courts located in Santa Clara County, California will have exclusive jurisdiction and venue under this Agreement, and the parties hereby agree to submit to such jurisdiction exclusively.
    3. Assignment. Neither party may assign any of its rights or obligations under this Agreement without the prior written consent of the other party, except that a party may assign this Agreement without consent but with written notice to the other party in connection with any merger, consolidation, reorganization, or sale of all or substantially all of its assets related to this Agreement, by operation of law or otherwise. This Agreement inures to the benefit of and is binding upon the parties’ permitted assignees, transferees and successors.
    4. Amendments. Except as otherwise set forth herein, all amendments to this Agreement must be in writing and executed by both parties hereto.
    5. Waiver. A waiver of any provision of this Agreement will only be valid if provided in writing and will only be applicable to the specific incident and occurrence so waived. The failure by either party to insist upon the strict performance of this Agreement, or to exercise any term hereof, will not act as a waiver of any right, promise or term, which will continue in full force and effect.
    6. Severability. If any provision, or portion thereof, of this Agreement is determined by a court of competent jurisdiction to be invalid, illegal or unenforceable, such determination will not impair or affect the validity, legality, or enforceability of the remaining provisions of this Agreement.
    7. Notices. All notices under the terms of this Agreement must be given in writing and sent by United States registered or certified mail, express courier, email, or must be delivered by hand to the addresses on the Order Form (or such other address as may be specified by a party in writing): All notices will be presumed to have been received when hand delivered, one (1) day after being sent via express courier, within five (5) business days after being placed in the United States mail, postage prepaid, certified or registered mail, or upon confirmation of delivery after being received via email.
    8. Force Majeure. Neither party will be responsible for any failure or delay in its performance under this Agreement due to causes beyond its reasonable control, including labor disputes, strikes, lockouts, carrier gateway provider service failures, internet or telecommunications failures, shortages of or inability to obtain labor, energy, or supplies, war, terrorism, riot, acts of God or governmental action, and such performance shall be excused to the extent that it is prevented or delayed by reason of any of the foregoing.
    9. Entire Agreement. This Agreement and any exhibits, addendums and schedules attached hereto set forth the entire agreement and understanding of the parties with respect to the subject matter hereof and supersede all prior and contemporaneous agreements or understandings (whether oral or written) between Provider and PubMatic regarding the subject matter. All exhibits and schedules attached to this Agreement are incorporated herein.
    10. Headings. Section or paragraph headings used in this Agreement are for reference purposes only, and should not be used in the interpretation hereof. No provision of this Agreement will be construed against either party as the drafter thereof.

EXHIBIT A

PubMatic — Data Processing Addendum for Connect

This Data Processing Addendum (“Addendum“) is entered into by and between PubMatic, Inc. (“PubMatic“) and the party identified in the signature block below (“Provider”), and forms part of the Connect Data Provider Agreement (the “Agreement”) between the parties relating to the subject matter of this Addendum.

The terms in this Addendum shall only apply to the extent PubMatic collects or otherwise processes Personal Data contained within Licensed Content protected or otherwise regulated by EU Data Protection Law. Capitalized terms used in this Addendum shall have the meaning given to them in the main body of the Agreement unless otherwise defined in this Addendum.

IT IS AGREED:

1. Definitions

   “Data Privacy Framework” means the EU-US, UK Extension to the EU-US and Swiss-US Data Privacy Framework (“DPF”) Program as set forth by the US Department of Commerce, European Commission, UK Government, and Swiss Federal Administration, and which regards the collection, use and retention of personal information from the EU, UK and Switzerland.

   “Demand Partners” means PubMatic’s media buying clients, including but not limited to demand side platforms, ad exchanges, agencies, agency trading desks and ad networks and Customers described in Section 1 of the Agreement.

   “Europe” means for the purposes of this Addendum, the European Economic Area and/or its member states, Switzerland and the United Kingdom.

   “EU Data Protection Law” means all data protection and privacy laws and regulations enacted in Europe, including (i) the EU General Data Protection Regulation (Regulation 2016/679)(“GDPR“); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any national laws made under or pursuant to (i) or (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA“) and (v) in respect of the United Kingdom, GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (together, “UK Privacy Law“); (in each case, as superseded, amended or replaced).

   “Personal Data” means any information relating to an identified or identifiable natural person to the extent that such information is protected as personal data under applicable EU Data Protection Law.

   “Privacy Requirements” means all applicable international, federal, national and state data protection and privacy laws, regulations, and industry self-regulatory rules, codes and guidelines that apply to the processing of data (including Personal Data) that is protected by EU Data Protection Law, as applicable to Provider, PubMatic and its Demand Partners , including without limitation: (i) the rules, codes and guidelines of the European Interactive Digital Advertising Alliance (EDAA) and the Network Advertising Initiative (NAI); and (iii) EU Data Protection Law (in each case, as amended, superseded or replaced).

   “PubMatic Services” has the meaning given to it in the Agreement.

   “Restricted Transfer” means: (i) where the GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner; and (iii) where the UK Privacy Law applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to section 17A of the United Kingdom Data Protection Act 2018.

   “Standard Contractual Clauses” means Module 2 (Controller to Processor) or Module 3 (Processor to Processor), as applicable, of the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 located at https://eur-lex.europa.eu/eli/dec_impl/2021/914/ as applicable and completed in accordance with this Addendum.

   “Subprocessor” means any third party that has access to the Personal Data and which is engaged by PubMatic to assist in fulfilling its obligations to provide the Services. Subprocessors may include PubMatic affiliates but shall exclude any PubMatic employee, contractor or consultant.

   “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under S119(A) of the UK Data Protection Act 2018, as updated or amended from time to time.

   “Controller”, “data subject“, “processing” (and “process“), and “Processor” shall have the meanings given to them in EU Data Protection Law.

2. Scope of processing: Provider acknowledges and agrees that in connection with the PubMatic Services, PubMatic may receive from Provider, Personal Data contained within Licensed Content (as defined in the Agreement) about or related to End Users of the Provider Properties, as more particularly described in Appendix 1 of this Addendum.
3. Relationship of the parties: The parties acknowledge that PubMatic shall process Personal Data under the Agreement as a Processor acting on behalf of Provider (whether acting as a Controller or a Processor itself on behalf of third party Controllers) in accordance with this Addendum. Nothing in the Agreement (including this Addendum) shall limit or prevent PubMatic from collecting or using data that PubMatic would otherwise collect and process independently of Provider’s use of the PubMatic Services.
4. Data Protection. PubMatic agrees that:
   1. the description of the processing of Personal Data is set out in Appendix 1 of this Addendum;
   2. PubMatic shall process the Personal Data only for the purposes of delivering the PubMatic Services in accordance with the Agreement and on the documented lawful instructions of Provider as set out in full in this Addendum and the Agreement, including with regard to transfers of Personal Data to a third country, unless required otherwise by applicable law; in such event, PubMatic shall inform Provider of the legal requirement before processing, unless that law prohibits the provision of such information to Provider. PubMatic shall inform Provider if, in its opinion, Provider’s instructions infringe EU Data Protection Law;
   3. PubMatic shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
   4. PubMatic shall respect the conditions for appointing a Subprocessor as set out in Section 5 below;
   5. taking into account the nature of the processing, PubMatic shall assist Provider by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of any obligation Provider has under EU Data Protection Law to respond to requests from data subjects to access, correct, delete, object or exercise any other rights they have in respect of the Personal Data under EU Data Protection Law.
   6. if PubMatic receives any correspondence, enquiry or complaint from a data subject, regulatory or any other person particularly relating to its processing of Personal Data, it will promptly inform Provider and provide it with full details of the same unless and to the extent prevented by applicable law. Unless otherwise required by applicable law, PubMatic will not respond to any correspondence, enquiry or complaint from a data subject directly except to direct the data subject to the Provider, unless authorised by Provider (such permission not to be unreasonably withheld or delayed), and Provider agrees that PubMatic shall have no obligation to respond on Provider’s behalf;
   7. if Provider is required by applicable Privacy Requirements to conduct a data protection impact assessment in respect of the PubMatic Services, PubMatic shall provide (on a confidential basis) all information reasonably requested by Provider in connection with such assessment;
   8. at the choice of Provider, PubMatic shall delete or return all the Personal Data to Provider after the end of the provision of the PubMatic Services and the certificate of deletion of Personal Data described in Clauses 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by PubMatic to Provider upon Provider’s written request; and
   9. PubMatic shall make available to Provider all information reasonably necessary for PubMatic to demonstrate its compliance with the obligations in this Addendum, including by way of providing written responses to any audit questions raised by Provider (such audits not to be conducted more than once per annum and at Provider’s expense).
5. Subprocessing: Provider provides PubMatic with a general authorization to engage Subprocessors to assist in processing the Personal Data in the performance of the PubMatic Services provided that:
   1. PubMatic shall ensure that its Subprocessors are subject to data protection terms that protect the Personal Data to the same or substantially similar standard as set out in this Addendum;
   2. PubMatic accepts full liability for any breach of this Addendum that is caused by the act, error or omission of its Subprocessors;
   3. PubMatic maintains a list of its then-current Subprocessors and shall provide such a list to Provider upon request; and
   4. if PubMatic wishes to appoint or replace a Subprocessor it shall provide Provider with a minimum of ten (10) days prior notice and Provider may object to such appointment or replacement on reasonable data protection grounds within five (5) days following receipt of such notice. If Provider so objects, then either (i) PubMatic shall not use the proposed Subprocessor to process the Data; or (ii) if this is not possible, Provider may terminate the Agreement for its convenience upon written notice to PubMatic.
6. International Transfers:
   1. Subject to Section 6.2, to the extent that Provider (as “data exporter”) provides, makes available or otherwise transfers Personal Data to PubMatic (as “data importer”) and such transfer is a Restricted Transfer, the transfer shall be subject to the Standard Contractual Clauses, which shall be incorporated into and form an integral part of this Addendum as follows:
      1. in relation to transfers of Personal Data protected by the GDPR (i) Module Two (controller to processor) or Module 3 (processor to processor) shall apply, as applicable and in accordance with section 3 of this Addendum; (ii) Clause 7, the optional docking clause will apply; (iv) in Clause 9, Option 2 will apply and the time period for notice of changes to Subprocessors shall be as agreed under Section 5 above; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by laws of Ireland; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 1 to this Addendum; and (vii) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 2 to this Addendum;
      2. in relation to transfers of Personal Data protected by UK Privacy Law, the Standard Contractual Clauses shall also apply in accordance with paragraph (a) above, but as modified and interpreted by Part2: Mandatory Clauses of the UK Addendum, which shall be deemed executed by the Parties and incorporated into and form an integral part of this Addendum. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Appendices 1 and 2 of this Addendum and Table 4 in Part 1 shall be deemed completed by selecting “neither party”; and
      3. in relation to transfers of Personal Data protected by the Swiss DPA, the Standard Contractual Clauses shall also apply in accordance with paragraph (a) above, with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”; (iv) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (v) Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner; (vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; (vii) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and (viii) Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
   2. The terms of the Standard Contractual Clauses shall not apply where and to the extent PubMatic (as the data importer) and the applicable transfer of Personal Data are covered by an alternative, suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for Personal Data (provided that it is deemed legally valid in jurisdictions subject to Data Protection Law), including the Data Privacy Framework or any U.S.- EU cross border transfer program which supersedes the Data Privacy Framework (an “Adequacy Mechanism”). Where an Adequacy Mechanism applies, PubMatic may process the Personal Data in compliance with the Adequacy Mechanism.
7. Security: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, PubMatic shall implement appropriate technical and organizational security measures to protect the Personal Data as described in Appendix 2 of this Addendum (“Security Measures“). Such Security Measures shall protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise processed by PubMatic (a “Security Incident“). PubMatic shall inform Provider without undue delay in the event of a Security Incident. PubMatic may make changes to the Security Measures from time to time, so long as such changes do not degrade the overall security of the processing.
8. General: If there is any conflict between any provision in this Addendum and any provision in the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) Standard Contractual Clauses (where applicable); then (b) this Addendum, and then (c) the main body of the Agreement. With effect from the effective date, this Addendum is part of, and incorporated into the Agreement. To the extent there are any prior agreements with regard to the subject matter of this Addendum, this Addendum supersedes and replaces such prior agreements. This Addendum shall survive termination or expiry of the Agreement. Upon termination or expiry of the Agreement PubMatic may continue to process the Personal Data provided that such processing complies with the requirements of this Addendum and the Privacy Requirements. This Addendum may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. This Addendum may be executed via a recognized electronic signature service or delivered by facsimile transmission, or may be signed, scanned and emailed, and any such signatures shall be treated as original signatures for all applicable purposes.

EXHIBIT A – Appendix 1

EXHIBIT A – Appendix 2

Technical and Organisational Security Measures

PubMatic implements the Security Measures, available hereunder:

For further information, please see generally our privacy policy at https://pubmatic.com/legal/privacy-policy/