Data Processing Addendum
Effective as of June 1, 2022
The Parties, meaning Client and Zeotap (as defined in the agreement that covers the Client’s use of the Services (“Agreement”)), agree to be bound by the below, should it be applicable to that Party(ies). This Data Processing Agreement (“DPA”) and applicable Attachment(s) apply when Zeotap acts as a Data Processor and processes Client Data (where Client Data is Personal Data) on behalf of Client in order to supply the Services agreed to between Zeotap and Client. Where the Client is a processor of the Personal Data covered by this DPA, Zeotap shall be a Sub-processor of the Personal Data and this DPA shall apply accordingly. This DPA does not apply when Zeotap and Client would be considered Data Controllers in their own right. In the event of a conflict between the terms of the Agreement as they relate to the processing of Personal Data and this DPA, the DPA shall prevail.
“Services” means the services purchased by Client, as identified in the Order Form, and provided by Zeotap through the System, or otherwise agreed by the Parties, and pursuant to the Agreement.
“Standard Contractual Clauses” means (i) where the GDPR applies, the standard contractual clauses annexed to the EU Commission Decision 2021/914 of 4 June 2021, for the transfer of Personal Data to processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs“); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs“).
The terms “Data Subject”, “Data Controller”, “Data Processor”, “process”, “processes”, “processing” or “processed”, “Personal Data Breach”, as used throughout the DPA, shall have the meaning as prescribed in Applicable Laws. The capitalised terms not specifically defined in the different Sections shall have the meaning set out in the Agreement.
- Scope and compliance with Applicable Laws
2.1. The categories of Data Subjects, types of Client Data processed and purposes of processing are set out in Attachment 1 of this DPA. Zeotap shall process Client Data for the Term (or longer to the extent required by Applicable Laws).
2.2. Client shall further ensure that the instructions it provides to Zeotap in relation to the processing of Client Data will comply with all Applicable Laws and shall not put Zeotap in breach of its obligations under Applicable Laws.
2.3. If the Client uses the Services to process any categories of Personal Data not expressly covered by this DPA, the Client acts at its own risk and Zeotap shall not be responsible for any potential compliance deficits related to such use.
- Obligations of Data Controller
3.1. Client represents and warrants that Client Data: (i) does not and will not include any special categories of Personal Data; (ii) does not and will not include any information relating to a person younger than 16 (sixteen) years of age, and (iii) is, where it has been agreed that such data will be hashed, hashed in such a way that Zeotap is reasonably in no position to determine individual users behind the Client Data.
3.4. Where Client transfers unhashed Client Data to Zeotap, Zeotap shall apply additional appropriate security measures for the storage of such data, provided that Client has properly classified Client Data as directly identifiable Personal Data. Client is responsible for properly classifying the Client Data as directly identifiable Personal Data through the features and functionalities made available by Zeotap in the System. Where Personal Data is sent to Zeotap without the appropriate classification by Client, Zeotap will not apply such additional appropriate security measures to the storage of such data.
- Obligations of Data Processor
4.1. Notwithstanding anything to the contrary in the Agreement, in relation to Client Data, Zeotap shall:
4.1.1. only process Client Data in accordance with Client’s documented instructions (which may be specific or general in nature as set out in the Agreement or as otherwise notified by Client). Notwithstanding the foregoing, Zeotap may process Client Data as required under Applicable Laws. In this situation, Zeotap will take reasonable steps to inform Client of such a requirement before Zeotap processes the data, unless the Applicable Laws prohibit this;
4.1.2. ensure only authorised personnel who have undergone the appropriate training in the protection and handling of Personal Data and are bound to respect the confidentiality of Client Data shall have access to the same;
4.1.3. implement appropriate technical and organisational measures to protect against unauthorised or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Client Data. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of Client Data and having regard to the nature of the Client Data which is to be protected. Client hereby confirms that it has reviewed and approved such technical and organisational measures implemented by Zeotap, which is available on request;
4.1.4. without undue delay and to the extent permitted by Applicable Laws, notify Client of any requests from Data Subjects seeking to exercise their rights under Applicable Laws addressed to Client and, at Client’s written request and cost, taking into account the nature of the processing, assist Client by implementing appropriate technical and organisational measures, insofar as this is possible, to assist with the Client’s obligation to respond to such requests. To the extent that Client Data is not accessible to Client through the Services provided under the Agreement, Zeotap shall, where legally permitted and upon Client’s request, provide commercially reasonable efforts to assist Client in responding to such requests if responses to such requests are required by Applicable Laws;
4.1.5. at Client’s written request, taking into account the nature of processing and the information available to the Zeotap, assist Client with its obligations under Articles 32 to 36 GDPR or equivalent provisions under Applicable Laws;
4.1.6. delete from its System or return to Client any such Client Data and if applicable all existing copies of Client Data: (i) within 30 (thirty) days of a written request from Client, and, (ii) in any case, within ninety (90) days after the termination or expiration of the Agreement, unless Applicable Laws require storage of the Client Data;
4.1.7. immediately inform the Client if, in its opinion, an instruction infringes Applicable Laws.
- Designation of a data protection officer
In accordance with Article 37(1)(b) GDPR, and to the extent that the core activities of the Zeotap consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, Zeotap has appointed a data protection officer. The appointed person can be reached at [email protected].
6.1. Appointment of Sub-processors: Client authorises Zeotap to transfer Client Data or give access to Client Data to members of the Zeotap Group and third parties, appointed hereby upon Client’s general written authorisation as Sub-processors for the purposes of supplying the Services or other purposes identified in the ‘Processing Activities’ section of Attachment 1. Zeotap will restrict the Sub-processors’ access to Client Data only to what is necessary to supply the Services to Client. Zeotap shall remain responsible for its Sub-processor’s compliance with the obligations of this DPA. Zeotap shall ensure that any Sub-processors to whom Zeotap transfers Client Data enter into written agreements with Zeotap requiring that the Sub-processors abide by terms no less protective than those set forth in this DPA. The current list of Sub-processors engaged by Zeotap and authorised by Client is available at https://zeotap.com/legal-hub/sub-processors, and, to the extent applicable, Third Party Platforms as listed in the System.
6.2. Objection rights for new Sub-processors: Zeotap can at any time and without justification appoint a new Sub-processor provided that Client is given 20 (twenty) days’ prior notice and Client does not legitimately object to such changes within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a Sub-processor’s non-compliance with Applicable Laws. If, in Zeotap’s reasonable opinion, such objections are legitimate, Zeotap shall refrain from using such Sub-processor in the context of the processing of Client Data. In such cases, Zeotap shall use reasonable efforts to (i) make available to Client a change in the affected Services or (ii) recommend a change to the Client’s configuration or use of the affected Services to avoid the processing of Client Data by the objected-to Sub-processor. If Zeotap is unable to make available such change within a reasonable period of time, which shall not exceed 90 (ninety) days, Client may, by providing written notice to Zeotap, terminate the Order Form in relation to the Services which cannot be provided by Zeotap without the use of the objected-to Sub-processor.
- Personal Data Breaches
Zeotap shall notify Client, without undue delay, if Zeotap becomes aware of any Personal Data Breach involving Client Data and take such steps as Client may reasonably require, within the timescales reasonably required by Client, to remedy the Personal Data Breach and provide such further information as Client may reasonably require. Zeotap reserves the right to charge an administrative fee for assistance provided under this Clause 7 unless and to the extent that Client demonstrates that such assistance is required because of a failure by Zeotap to abide by this DPA.
- International transfers of Client Data
Zeotap may transfer Client Data outside the country from which it was originally collected by Client provided that such transfer is required in connection with the supply of Services and such transfers take place in accordance with Applicable Laws. Zeotap shall ensure that its Sub-processors comply with the obligations of a data importer. Client hereby authorises Zeotap to engage Zeotap’s Affiliates, external cloud services providers and Third Party Platforms as third-party processors of Client Data as required for the supply of Services. Client authorises Zeotap to enter data privacy and/or data processing agreements and/or Standard Contractual Clauses, including supplementary measures as required, with such Affiliates, external cloud services providers and, if applicable, Third Party Platforms on behalf of Client to ensure compliance with Applicable Laws. To the extent there is any conflict between this DPA and the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail. At Client’s written request, Zeotap shall make available all information and transfer impact assessment documentation.
9.1. Zeotap uses external auditors to verify the adequacy of its security measures with respect to its processing of Client Data. Such audits are performed at least once annually at Zeotap’s expense by independent third-party security professionals at Zeotap’s selection and result in the generation of a certificate and confidential audit report. At Client’s written request, Zeotap shall make available to Client information strictly necessary to demonstrate compliance with Zeotap’s obligations set forth under Applicable Laws, provided that Zeotap shall have no obligation to provide commercially confidential information.
9.2. Notwithstanding the foregoing, on no more than an annual basis and at the Client’s expense, Zeotap shall further allow for and contribute to audits and inspections by Client or its authorised third-party auditor that shall not be a competitor of Zeotap, provided that Client gives written notice to Zeotap at least 30 (thirty) days in advance. The scope of any such audits, including conditions of confidentiality, shall be mutually agreed upon by the Parties prior to initiation.
A processor shall be liable for the damage caused by processing only where it has not complied with obligations under Applicable Laws, specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
Attachment 1: Description of Processing
1. Details of Processing
Zeotap may, on written notice to Client, periodically update this Attachment 1 to reflect changes in processing activities.
2. Categories of Data Subjects
Zeotap processes Client Data relating to the following categories of Data Subjects:
- potential or actual customers of Client or Client’s customers, whose personal data is uploaded to the System by Client or Client’s customers;
- visitors to Client’s or Client’s customers websites, mobile applications or other digital or physical properties;
- Client’s employees or authorised users using the Services.
3. Types of Personal Data
The Client Data processed by Zeotap in connection with Zeotap’s supply of Services is determined and controlled by Client as Data Controller and in accordance with the Agreement, but may include as examples:
- Online Identifiers – cookie IDs, mobile advertising device IDs;
- Offline Identifiers – hashed / unhashed email addresses and hashed / unhashed telephone numbers;
- IP address – region, country and/or city;
- Interest data;
- Demographic information like age, gender, city/region, income, language and mobile contract data such as prepaid/postpaid;
- Mobile app usage data about apps installed/accessed on a user’s device and app events and browsing data such as browsing URLs;
- Purchase data.
4. Nature and Purposes of the Processing activities
1. Client Data processed in connection with the Agreement shall be used by Zeotap to manage the relationship with and provide the Services to the Client on a continuous basis for the duration of the Agreement, as Client’s Users interact with the System.
2. For the provision of Services, Zeotap may carry out the following processing in respect of Client Data: collection, use, transfer, transformation, encryption, aggregation, deletion.
5. Duration of the processing
The duration of the processing corresponds to the Term as defined under the Agreement.