Data Processing Addendum - Agreement for Processing of Client Data by Zeotap

The Parties, meaning Client and Zeotap (as defined in the Master Services Agreement (“MSA”)), agree to be bound by the below, should it be applicable to that Party(ies). The capitalized terms not specifically defined in the different Sections shall have the meaning set out in the MSA. The terms “Data Subject”, “Data Controller”, “Data Processor”, “EU Standard Contractual Clauses”, “Sub-processor”, “process”, “processes”, “processing” or “processed”, as used throughout the Sections, shall have the meaning as prescribed in Applicable Laws.

This Data Processing Agreement (“DPA”) and applicable Attachments apply when Zeotap acts as a Data Processor and processes Client Data (where Client Data is Personal Data) on behalf of Client in order to supply the Products agreed to between Zeotap and Client. Where Client is a processor of the Personal Data covered by this DPA, Zeotap shall be a Sub-processor of the Personal Data and this DPA shall apply accordingly. This DPA does not apply when Zeotap and Client would be considered Data Controllers in their own right. In the event of a conflict between the terms of the MSA as they relate to the processing of Personal Data and this DPA, the DPA shall prevail.

1.Scope and compliance with Applicable Laws

1.1 The categories of Data Subjects, types of Client Data processed and purposes of processing are set out in Attachment 1 of this DPA. Zeotap shall process Client Data for the Term (or longer to the extent required by Applicable Laws).

1.2 Client shall further ensure that the instructions it provides to Zeotap in relation to the processing of Client Data will comply with all Applicable Laws and shall not put Zeotap in breach of its obligations under Applicable Laws.

1.3 If the Client uses the Products to process any categories of Personal Data not expressly covered by this DPA, Client acts at its own risk and Zeotap shall not be responsible for any potential compliance deficits related to such use.

2.Obligations of Data Controller

2.1 Client represents and warrants that it will ensure that Client Data: (i) does not include any special categories of Personal Data; (ii) does not include any information relating to a person younger than 16 (sixteen) years of age, and (iii) is, where it has been agreed that such data will be hashed, hashed in such a way that Zeotap is reasonably in no position to determine individual users behind the Client Data.

2.2 Client acknowledges and agrees that it is Client’s responsibility as Controller to ensure that its use of the Products complies with all Applicable Laws that are applicable to Client. Client represents and warrants that it and/or its customers lawfully acquired/generated Client Data, and Client is authorised to share Client Data with Zeotap for the purposes of the MSA. Specifically, Client shall ensure that there are no legal restrictions according to the Applicable Laws that restrict or forbid the use, disclosure, retention or transfer of Client Data as set out in MSA. In case the Web Java Script (see definition below) is used to onboard Client Data, Client agrees to post a privacy policy disclosing the use of third party pixels/cookies and which shall contain a link to the Privacy Policy, as well as any other reference as may be required by Applicable Laws. (“Web Java Script” means Zeotap’s pixel that can be implemented in Client’s media units to upload Client Data to the System.)

2.3 Client shall own all right, title and interest in and to all of Client Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Client Data. Zeotap is under no duty to investigate the completeness, accuracy or sufficiency of the Client Data. Without prejudice to the generality of the foregoing, Client shall: (i) have provided all notices and obtained all consents, permissions and rights necessary under Applicable Laws, (a) for the sharing of any Client Data for the purposes of the supply of Products and, (b) if applicable, for the matching of Client Data with Zeotap Data, for the usage of such matched data for analytics and for targeted advertising, (c) if applicable, for the usage of the Web Java Script, and (d) if applicable, such notice and/or consent wording shall include a link to the Privacy Policy and disclose that Client Data is shared with Zeotap and Third Party Platforms; (ii) comply with Applicable Laws, in particular, notice and consent requirements; (iii) upon Zeotap’s request, provide Zeotap with information confirming its compliance with Applicable Laws, especially information pertaining to the collection and use of Client Data; (iv) if applicable, post a privacy policy disclosing the matching of Client Data with Zeotap Data, the use of Output Data and Data Segments, including a link to the Privacy Policy; and, if applicable, (v) comply and contractually bind Third Party Platforms to comply with Content Restrictions. For the avoidance of any doubt, where Client Data is unhashed (directly identifiable), Client represents and warrants that (a) the necessary notices have been provided in accordance with the transparency principle and consents have been obtained from the Data Subjects as required under Applicable Laws, (b) that such Client Data can be used for the respective Products (e.g. executing an email campaign through a Third Party Platform).

2.4 Where Client transfers unhashed Client Data to Zeotap, Zeotap shall apply additional appropriate security measures for the storage of such data, provided that Client has properly classified Client Data as directly identifiable Personal Data. Client is responsible for properly classifying the Client Data as directly identifiable Personal Data through the features and functionalities made available by Zeotap in the System. Where Personal Data is sent to Zeotap without the appropriate classification by Client, Zeotap will not apply such additional appropriate security measures to the storage of such data.

2.5 Client acknowledges and agrees that if Client requests Zeotap to transfer Client Data to a Third Party Platform, Client is solely responsible and liable for this transfer within the scope of its instructions and in any event, Client shall not act or omit to act in a way which places Zeotap in breach of any Applicable Laws. Client represents and warrants that it entered or will enter into agreements to authorise any data processing by such Third Party Platforms and to (i) appoint such Third Party Platforms as processors/controllers and, (ii) if applicable, enter into data processing agreements, EU Standard Contractual Clauses, including supplementary measures as required, and/or another mechanism to ensure compliance of any international transfers.

3.Obligations of Data Processor

3.1 Notwithstanding anything to the contrary in the MSA, in relation to Client Data, Zeotap shall:

3.1.1 only process Client Data in accordance with Client’s documented instructions (which may be specific or general in nature as set out in the MSA or as otherwise notified by Client). Notwithstanding the foregoing, Zeotap may process Client Data as required under Applicable Laws. In this situation, Zeotap will take reasonable steps to inform Client of such a requirement before Zeotap processes the data, unless the Applicable Laws prohibit this;

3.1.2 ensure only authorized personnel who have undergone the appropriate training in the protection and handling of Personal Data and are bound to respect the confidentiality of Client Data shall have access to the same;

3.1.3 implement appropriate technical and organizational measures to protect against unauthorized or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Data. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Client Data and having regard to the nature of the Client Data which is to be protected. Client hereby confirms that it has reviewed and approved such technical and organizational measures implemented by Zeotap, which is available on request;

3.1.4 without undue delay and to the extent permitted by Applicable Laws, notify Client of any requests from Data Subjects seeking to exercise their rights under Applicable Laws addressed to Client and, at Client’s written request and cost, taking into account the nature of the processing, assist Client by implementing appropriate technical and organizational measures, insofar as this is possible, to assist with the Client’s obligation to respond to such requests. To the extent that Client Data is not accessible to Client through the Products provided under the MSA, Zeotap shall, where legally permitted and upon Client’s request, provide commercially reasonable efforts to assist Client in responding to such requests if responses to such requests are required by Applicable Laws;

3.1.5 at Client’s written request and cost, taking into account the nature of processing and the information available to the Zeotap, assist Client with its obligations under Articles 32 to 36 of the GDPR or equivalent provisions under Applicable Laws;

3.1.6 delete or return to Client any such Client Data within 30 (thirty) days of a written request from Client and, in any case, within ninety (90) days after the termination or expiration of the MSA, unless Applicable Laws require storage of the Client Data; and

3.1.7 immediately inform the Client if, in its opinion, an instruction infringes Applicable Laws.

3.2 Zeotap has appointed a data protection officer. The appointed person can be reached at [email protected].

4.Sub-processing

4.1 Client authorizes Zeotap to transfer Client Data or give access to Client Data to members of the Zeotap Group and third parties as Sub-processors (and permit Sub-processors to appoint in accordance with Clause 4.1) for the purposes of supplying the Product or other purposes identified in the ‘Processing Activities’ section of Attachment 1. Zeotap will restrict the Sub-processors’ access to Client Data only to what is necessary to supply the Products to Client. Zeotap shall remain responsible for its Sub-processor’s compliance with the obligations of this DPA. Zeotap shall ensure that any Sub-processors to whom Zeotap transfers Client Data enter into written agreements with Zeotap requiring that the Sub-processors abide by terms no less protective than those set forth in this DPA. The current list of Sub-processors engaged by Zeotap and authorized by Client is available at https://zeotap.com/legal-hub/sub-processors, and, to the extent applicable, Third Party Platforms as listed in the System.

4.2 Zeotap can at any time and without justification appoint a new Sub-processor provided that Client is given 20 (twenty) days’ prior notice and Client does not legitimately object to such changes within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a Sub-processor’s non-compliance with Applicable Laws. If, in Zeotap’s reasonable opinion, such objections are legitimate, Zeotap shall refrain from using such Sub-processor in the context of the processing of Client Data. In such cases, Zeotap shall use reasonable efforts to (i) make available to Client a change in Zeotap’s Products or (ii) recommend a change to the Client’s configuration or use of the Products to avoid the processing of Client Data by the objected-to Sub-processor. If Zeotap is unable to make available such change within a reasonable period of time, which shall not exceed 90 (ninety) days, Client may, by providing written notice to Zeotap, terminate the Products which cannot be provided by Zeotap without the use of the objected-to Sub-processor by providing written notice to Zeotap.

5.Personal Data Incidents

5.1 Zeotap shall notify Client, without undue delay, if Zeotap becomes aware of any Personal Data Incident involving Client Data and take such steps as Client may reasonably require, within the timescales reasonably required by Client, to remedy the Personal Data Incident and provide such further information as Client may reasonably require. Zeotap reserves the right to charge an administrative fee for assistance provided under this Clause 5 unless and to the extent that Client demonstrates that such assistance is required because of a failure by Zeotap to abide by this DPA.

6.International transfers of Client Data

6.1 Zeotap may transfer Client Data outside the country from which it was originally collected provided that such transfer is required in connection with the Products and such transfers take place in accordance with Applicable Laws. Zeotap shall ensure that its Sub-processors comply with the obligations of a data importer. Client hereby authorizes Zeotap to engage Zeotap’s Affiliates, external cloud services providers and Third Party Platforms as third-party processors of Client Data as required for the supply of Products. Client authorizes Zeotap to enter data privacy and/or data processing agreements and/or EU Standard Contractual Clauses, including supplementary measures as required, with such Affiliates, external cloud services providers and, if applicable, Third Party Platforms on behalf of Client to ensure compliance with Applicable Laws. To the extent there is any conflict between this DPA and the EU Standard Contractual Clauses, the terms of the EU Standard Contractual Clauses shall prevail. For the avoidance of any doubt, the provisions of clause 2.4 of this DPA shall prevail.

7.Audits

7.1 At Client’s written request, Zeotap shall make available to Client information strictly necessary to demonstrate compliance with Zeotap’s obligations set forth under Applicable Laws, provided that Zeotap shall have no obligation to provide commercially confidential information. On no more than an annual basis and at the Client’s expense, Zeotap shall further allow for and contribute to audits and inspections by Client or its authorized third-party auditor that shall not be a competitor of Zeotap, provided that Client gives written notice to Zeotap at least 30 (thirty) days in advance. The scope of any such audits, including conditions of confidentiality, shall be mutually agreed upon by the Parties prior to initiation.

8.Liability

8.1A processor shall be liable for the damage caused by processing only where it has not complied with obligations under Applicable Laws, specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

Attachment 1

Details of Processing

Zeotap may, on notice to Client, periodically update this Attachment 1 to reflect changes in processing activities.

Categories of Data Subjects

Means app users or website users of Client or Client’s customers or potential customers.

Types of Personal Data

The Client Data processed by Zeotap in connection with Zeotap’s supply of Products is determined and controlled by Client as Data Controller and in accordance with the Agreement, but may include as examples:

• Online Identifiers – cookie IDs, mobile advertising device IDs such as Apple’s Identifier For Advertisers (IDFA) and Google Advertising ID (“Advertising ID / Ad ID”);
• Offline Identifiers – hashed / unhashed email addresses and hashed / unhashed telephone numbers;
• IP address – region, country and/or city;
• Interest data;
• Demographic information like age, gender, city/region, income, language and mobile contract data such as prepaid/postpaid (“Demographic Data”);
• Mobile app usage data about apps installed/accessed on a user’s device and app events and browsing data such as browsing URLs (“App Usage and Browsing Data”);
• Purchase data.
  

Processing activities and duration of the processing

Client Data processed in connection with the MSA shall be used by Zeotap to manage the relationship with and supply Products to the Client. Zeotap may carry out the following processing in respect of Client Data: transfer, transformation, encryption, enrichment, aggregation and/or any other processing activity necessary for the supply of the Products. The duration of the processing corresponds to the Term (as defined under the MSA).