Content Ignite Data Processing Addendum

This Data Processing Addendum (the "DPA") forms part of the Master Service Agreement (MSA), or such other agreement governing the direct relationship between the Parties hereto, including, but not limited to, any applicable Order Form (collectively, the “Agreement”), and is entered into by and between (“Customer”) and Content Ignite Limited a limited liability company incorporated and existing under the laws of England and Wales (“Content Ignite”) (each, as defined in the Agreement) (each individually a “Party” and collectively the “Parties”).

In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings ascribed to them herein.
‍
1. 1. “Adequacy decision,” “data importer,” “data exporter,” "Process," "Processing," and “Sub-Processor,” and "Supervisory Authority" shall each have the meaning ascribed to it under Data Protection Law.

1.2. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.

1.3. “Business” and “Controller” shall have the meanings ascribed to in Data Protection Law and shall be used interchangeably herein.

1.4. “Consumer” and “Data Subject” shall have the meanings ascribed to in Data Protection Law and shall be used interchangeably herein.

1.5. “Covered Data” means the data collected, processed, or disclosed as detailed in the Agreement and for the purposes described in the Agreement. Covered Data may include Personal Data. For the avoidance of doubt, any personal data that: (i) Customer uploads directly to the Services; (ii) is received to the Services directly through Customer’s implementation, configuration, and/or use of the Platform; or (iii) Customer directs or instructs its partner (e.g., through configuration of the Services) to send to or share with Content Ignite for processing on Customer’s behalf for the purpose of providing the Services under the Agreement, shall be deemed Customer personal data received from Customer. For purposes of this DPA, Covered Data does not include the name and contact information of those Customer employees who are responsible for interacting with Content Ignite to perform under the Agreement which are addressed by confidentiality terms in the Main Agreement. 

1.6. "Data Protection Law" means all applicable laws and regulations applicable, including, as applicable, laws and regulations of the European Union (“EU”), the European Economic Area (“EEA”) and their member states, Switzerland and the United Kingdom (“UK”), including without limitation, Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”) and EU Directive 2002/58/EC on Privacy and Electronic Communications (“e-Privacy Directive”) or, the superseding e-Privacy Regulation once effective, and the United Kingdom’s implementation of the General Data Protection Regulation (the Data Protection Act 2018) (“UK GDPR”), and PECR (Privacy and Electronic Regulations) and as applicable, the laws and regulations of the United States, including without limitation, the California Consumer Privacy Act of 2018 and its amendments including the California Privacy Rights Act (collectively, the “CCPA”). 

1.7. “Member States” means a member of the EU.

1.8. “Personal Data” and “Personal Information” shall have the meanings ascribed in Data Protection Law and shall be used interchangeably herein.

1.9. "Processor" shall have the meanings ascribed to it in Data Protection Law. “Processor” includes in its definition, “Service Provider.”

1.10. “Service Provider” shall have the meaning ascribed to it in Data Protection Law.

1.11. “Services” means the services provided by the Parties under the Agreement.

2.1. The Parties acknowledge and agree:

2.1.1. Content Ignite is a Processor and Customer is a Controller for all services provided by Content Ignite to Customer under the Agreement, except, in providing the Publisher Tag (as defined in the MSA), Content Ignite and Customer are Independent Controllers.

2.2. To the extent the CCPA applies, the Parties acknowledge and agree:

2.2.1. Content Ignite is a Service Provider to Customer, and Customer is a Business, except, Content Ignite and Customer are independent Businesses where:

2.2.1.1. Content Ignite provides the Publisher Tag (as defined in the MSA); and

2.2.1.2. Where Content Ignite receives personal information from the Integrated Services (defined in the Agreement) for the purpose of cross-context behavioral advertising.

3.1. Compliance with Law. With respect to the Covered Data, the Parties shall comply with Data Protection Law. Customer shall provide (or shall ensure that publishers provide) all necessary notice to consumers, including but not limited to, where applicable, any required disclosures under US Data Protection Laws such as the ‘Do Not Sell or Share My Personal Information’ disclosure and notice at collection requirements under CCPA. In addition, Customer will obtain, or otherwise ensure that the publisher obtains all necessary consent from consumers to fire the Content Ignite Publisher Tag (as defined in the MSA), and use the Integrated Services (as defined in the MSA). Customer shall not provide, nor enable Content Ignite to receive any Special Category Data or Sensitive Personal Data (or as otherwise defined in Data Protection Law) unless Customer (or the relevant publisher) does so with evidence of compliance with Data Protection Law.

3.2. Security.

3.2.1. Each Party shall maintain appropriate technical and organizational measures for protection of the: (i) security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, personal information); (ii) confidentiality of Covered Data; (iii) integrity of Covered Data; and (iv) as otherwise set forth in the Agreement (collectively, “Security Measures”).  

3.2.2. The Parties shall take reasonable steps to ensure that access to the Covered Data is limited on a need to know/access basis and that all personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Covered Data.

Where Content Ignite operates as a processor, this section 4 applies.

4.1. Limitations on Processing. Content Ignite shall at all times comply with Customer’s written instructions pursuant to and within the Agreement and this DPA, as well as all applicable laws, rules and regulations, including but not limited to, Data Protection Law. Content Ignite shall only process the Covered Data for the limited purposes specified in the Agreement and this DPA. Except as directed by Customer, Content Ignite shall not: (i) ‘sell’ or ‘share’ Customer personal data.

4.2. CCPA. To the extent the CCPA applies, Content Ignite may engage in the following Business Purposes:

4.2.1. Auditing consumer transactions, including, but not limited to, measuring advertising performance to unique visitors.

4.2.2. Detecting and protecting against malicious, deceptive, fraudulent, or illegal advertising activity.

4.2.3. Identifying and repairing errors that impair existing intended functionality.

4.2.4. Short-term, transient use, provided that the Personal Information is not disclosed to another third party and is not used to build a profile about a consumer.

4.2.5. Providing analytic, advertising, or marketing-related services.

4.2.6. Undertaking internal research for technological development and demonstration.

4.3. Data Subject Rights. Customer shall promptly notify Content Ignite if Customer receives a request from a Data Subject exercising a Data Subject Request. Upon Customer’s request, Content Ignite shall assist Customer in responding to such Data Subject Requests.

4.4. Data Protection Impact Assessment and Prior Consultation. Content Ignite shall provide reasonable assistance to Customer with any data protection impact assessments, audits, certifications, or prior consultations with legal or regulatory authorities or other competent data protection authorities, which Customer reasonably considers to be appropriate or required under any Data Protection Law, in relation to processing of Personal Data by Content Ignite.

4.5. Security Breach or other Non-Compliance. Content Ignite shall notify Customer without undue delay and, in any event, within seventy-two (72) hours upon Content Ignite or any sub-processor of Content Ignite becoming aware of: (i) a breach of Security Measures; (ii) any security breach (or substantially similar term) as defined by applicable Data Protection Law.

4.6. Government Requests. Where permitted, Content shall notify Customer if Content Ignite receives a compulsory request (whether through a subpoena, court order, search warrant, or other valid legal process) from any government agency or authority (including law enforcement) for access to or information about Customer personal data.

4.7. Audit. Upon the reasonable request of the Customer, Content Ignite shall make available to Customer all information in its possession necessary to demonstrate Content Ignite's compliance with the obligations described in the Agreement and this DPA and shall allow for, and cooperate with, reasonable assessments by Customer or the Customer’s designated assessor. Customer shall not use such an audit report for any other purpose than to assess Content Ignite’s compliance with the Agreement and this DPA. Customer shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate Content Ignite’s unauthorized use of Personal Data.

4.8. Return or Deletion of Personal Data. Upon the expiration or termination of the Agreement, Content Ignite shall, at Customer’s request, either return to Customer or destroy all personal data obtained by Content in providing the Services.Content Ignite will provide written confirmation to Customer of its compliance with this provision. For the sake of clarity, Content Ignite is under no obligation to return or delete Covered Data obtained under the Agreement and this DPA where Content Ignite operates as a Controller.

Where Content Ignite operates as a Controller, the terms of this section 5 shall apply.

5.1. Limitations on Processing. Content Ignite shall only process the Covered Data for the limited purposes specified in the Agreement.

5.2. Data Subject Rights. The Parties shall implement mechanisms to facilitate Data Subject requests. Each Party will be responsible for responding to enquiries from Data Subjects and any supervisory authority concerning the processing of applicable Covered Data by such Party. Each Party shall promptly notify the other Party when they receive requests from Data Subjects exercising a Data Subject Request related to the use of the Covered Data. The Parties shall coordinate mechanisms to collaborate and respond to any such requests within any statutory period prescribed by law. For avoidance of doubt, this Section 5.2 shall not create any obligation relating to fulfillment of Data Subject Requests for any Media Company that is not a Party to this DPA.

If the Services involves the transfer of Personal Data of Data Subjects in the EEA or the UK, to a country or territory outside of those regions which has not received an applicable adequacy decision, the Parties hereby incorporate, and agree to comply with, the Standard Contractual Clauses set out by the European Commission Decision 2021/914/EU and approved for use in data transfers under the UK GDPR, located at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en#ntc12-L_2021199EN.01003701-E0012 (the “SCCs”) . In such case: (1) The Parties will complete Annexes IA, IB, IC, AND II of this DPA; and (2) The Parties represent that they do not believe the laws and practices in any country to which Personal Data is transferred for purposes of the Agreement will prevent the importing Party from fulfilling its obligations under this DPA or the SCCs. By entering into this DPA, the Parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.

6.1. Ex-EEA Transfers. The Parties agree that the transfer of Personal Data, outside the EEA that is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR will be made pursuant to the EU SCCs, which are deemed entered into (and incorporated this DPA by this reference) and completed as follows:

6.1.1. Module 2 shall apply;

6.1.2. The optional docking clause in Clause 7 does/does not apply;

6.1.3. In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be ten (10) days;

6.1.4. In Clause 11, the optional language does not apply;

6.1.5. All square brackets in Clause 13 are hereby removed;

6.1.6. In Clause 17 (Option 1), the EU SCCs will be governed by the laws of the member state of the Data Exporter;

6.1.7. In Clause 18(b), disputes will be resolved before the courts of member state of the Data Exporter;

6.1.8 Annex I of the EU SCCs shall be deemed completed with the information set out in Annex IA, Annex IB, and Annex IC attached hereto; 

6.1.9. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II attached hereto; and

6.1.10. Annex III of the EU SCCs shall be deemed completed with the information set out in Annex III attached hereto.

6.2. Ex-UK Transfers. The Parties agree that transfer of Personal Data of UK Data Subject outside the UK, and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR are made pursuant to the SCCs as well as the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers located at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ (the “IDTA”).

6.2.1. The IDTA is hereby incorporated by reference.The Parties shall complete Annex IV of this DPA.

6.2.2. ‘Part I: Tables’ of the IDTA shall be deemed completed with the information set out in Annex IV attached hereto.

7.1. Termination and Survival. This DPA and all provisions herein shall so long as the Agreement is in effect.

7.2.Counterparts. This DPA may be executed in any number of counterparts and any Party (including any duly authorized representative of a Party) may enter into this DPA by executing a counterpart.

7.3. Non-compliance. Each Party shall promptly inform the other if it is unable to comply with this DPA. If the non-complying Party cannot comply within a reasonable period of time, or is in substantial or persistent breach of this DPA, the complying Party shall be entitled to remediate the non-compliant action and/or terminate the Agreement insofar as it concerns Processing of Covered Data.

7.4. Ineffective clause. If individual provisions of this DPA are or become ineffective, the effectiveness of the remaining provisions shall not be affected. The Parties shall replace the ineffective clause with a legally allowed clause, which will accomplish the intended commercial intention as closely as possible.

7.5. Conflicts. In case of contradictions between this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.

7.6. Applicable law and jurisdiction. The applicable law and jurisdiction as set forth in the Agreement apply to this DPA.