CARRIER- DIGITAL TURBINE

GLOBAL DATA PROCESSING ADDENDUM

 

This Data Processing Addendum (“Addendum”) supplements and forms part of any existing and currently in effect commercial agreement and any amendments thereto (the “Agreement”), either previously or concurrently executed by Digital Turbine USA, Inc. (“DT”) and the company or business that will be or has been using the Service (as defined in the applicable Agreement) provided by DT (“Carrier”). Each party to this Addendum will also be referred to as a “Party” and together – the “Parties”. This Addendum reflects the Parties’ agreement on the Processing of Personal Data in connection with the Service.

 

This Addendum takes effect as of the Effective Date of the Agreement entered between Carrier and DT. In case of any conflict between a provision of this Addendum and the Agreement, the provisions of this Addendum will prevail. Capitalized terms used herein and not defined herein will have the meaning set forth in the Agreement, or under applicable Data Protection Laws.

  1. DEFINITIONS
    • “Adequacy Decision” means a decision by a competent authority of a country, or statutory provisions, that recognize another country as providing an adequate level of protection to Personal Data, as determined pursuant to the Data Protection Laws of the country that issued the decision or enacted such statutory provisions, and in accordance with such decision or statutory provisions, the transfer of Personal Data to such other recognized country is permitted without additional measures related to the transfer of the Personal Data.
    • “Affiliates” means, with respect to a Party, all entities which directly or indirectly control, are being controlled by, or are under common control with such Party.
    • “Controller” means the entity which determines the purposes and means of the Processing of Personal Data and including “Business” and similar terms under Data Protection Laws. In the context of this Addendum the term means Carrier.
    • “Data Protection Laws” means all laws and regulations worldwide which apply to the respective Party’s Processing of Personal Data under the Agreement and this Addendum.
    • “Data Subject” means an identified or identifiable natural person, a household consisting of natural persons, or a device associated with a natural person, to whom the Personal Data relates, including “Consumer” and any similar terms under applicable Data Protection Laws.
    • “Personal Data” means any information where such information is protected under Data Protection Laws and including “Personal Information” and any similar terms under Data Protection Laws.
    • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed and including “Security Breach” and any similar terms under Data Protection Laws.
    • “Personal Data Transfer” means: (i) transfer of Personal Data from Carrier to DT; or (ii) an onward transfer of Personal Data from DT to a Sub-Processor, in each case, where such transfer outside of the jurisdiction of Carrier would be regulated by Data Protection Laws including through (a) an Adequacy Decision, (b) Statutory Data Transfer Agreements, or (c) in accordance with the terms of other applicable lawful data transfer measures or derogations.
    • “Personnel” means persons authorized by DT to Process Carrier Personal Data.
    • “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, and including the terms “using”, “collecting” and any similar terms under Data Protection Laws.
    • “Processor” means the entity which Processes Personal Data on behalf of the Controller and including “Service Provider” and similar terms under Data Protection Laws. In the context of this Addendum this term means DT.
    • “Statutory Data Transfer Agreement” means statutory provisions enacted pursuant to Data Protection Laws, which establish binding terms for cross-border transfer of Personal Data from one jurisdiction to another, including where applicable under Data Protection Laws, through access to Personal Data from the non-transferring territory, which can be executed between the transferring and the recipient parties to facilitate the lawful cross-border transfer of Personal Data.
    • “Carrier Personal Data” – Personal Data Processed by DT on the Carrier’s behalf, under the Agreement.
    • “Sub-Processor” means any third party, including a DT Affiliate, appointed by or on behalf of DT to undertake Processing in connection with the Service.
    • “Supervising Authority” means an independent public authority which is established in a jurisdiction under Data Protection Laws with competence in matters pertaining to the protection of Personal Data.
    • “Third Party” means an entity which is not a Controller, a Processor or Data Subject, or any person acting under their direct authority. Where applicable Data Protection Laws do not include a Processor position, then service providers and contractors who Process Personal Data on the Controller’s behalf will be regarded as a Third Party. For the purpose of this Addendum, attribution providers, fraud detection and cyber security service providers as well as Demand Partners constitute Third Parties.
  2. DATA PROCESSING
    • Within the scope of the Service, Carrier hereby engages DT for the purposes of installing mobile applications provided by DT on behalf of its third-party demand partners (“Demand Partners”), via DT’s app install technology or via Carrier’s app install technology (the “Purpose”). The Purpose includes the processing of device advertising IDs (AAIDs) of Android devices for attribution.
    • Carrier assumes the position of a Controller and hereby agrees to appoint DT as Carrier’s Processor, and Carrier authorizes and instructs DT to Process Carrier Personal Data related to Data Subjects who chose to install an app via the Service, and to share such data with relevant Carrier’s mobile measurement partner (“MMP”) on Carrier’s behalf, as part of the Service. Carrier authorizes DT to engage with all relevant Demand Partners under data processing agreements on Carrier’s behalf, including, inter alia, engaging such Demand Partners under the EU SCCs on Carrier’s behalf to facilitate the lawfulness of Personal Data Transfers between Carrier and Demand Partners. In consideration for providing the Service to Carrier, DT transfers payments to Carrier from relevant Demand Partners that purchased the ad space inventory on Carrier’s mobile application or website and retains a share of such payments, pursuant to the terms of the Agreement. DT does not receive from Carrier and Carrier does not sell (as defined under Data Protection Laws), or otherwise pay DT, any monetary or other valuable consideration for Carrier’s sharing of Carrier Personal Data with DT or for DT’s Processing of Carrier Personal Data on behalf of Carrier. DT will not sell, or share (as defined under applicable Data Protection Laws) Personal Data received under this Addendum, which is disclosed by Carrier to DT only for the limited business purpose defined above as the Purpose.
    • Carrier acknowledges and agrees that Carrier has the sole responsibility for: (a) the lawfulness of the Processing of Personal Data of Carrier mobile application’s users, and warrant to DT that Carrier is legally allowed to engage DT for the purpose of such Processing on Carrier’s behalf; (b) providing all necessary notices and obtaining all required permissions and consents from the Data Subjects, or otherwise securing the lawful grounds for the Processing described in this Addendum, as required under applicable Data Protection Laws, including, without limitation the sharing of Personal Data with, and the Processing thereof by DT, DT’s Affiliates and relevant Third Parties for the Purpose, and (c) if required by applicable Data Protection Laws, explicitly indicating DT’s receipt and Processing of Carrier’s Personal Data under its privacy notice, and will obtain any required consents, including without limitation for the applicable trans-border transfer of Personal Data, or such other lawful grounds of Processing, as required under applicable Data Protection Laws.
    • Neither Party will do, nor cause or permit to be done, anything which may knowingly or intentionally result in a breach of Data Protection Laws. DT undertakes to: (i) comply with its obligations under Data Protection Laws, including providing the same level of privacy protection as required by Carrier under Data Protection Law; and, (ii) notify Carrier no later than within five (5) business days after determining that DT can no longer meet its obligations under applicable Data Protection Laws with respect to Personal Data disclosed to it under this Addendum.
    • DT may not: (i) Sell Personal Data received from Carrier under this Addendum; or, (ii) retain, use, or disclose such Personal Data for any purpose other than for the specific purpose of performing the Service, including retaining, using, or disclosing Personal Data received from Carrier for a commercial purpose other than providing the Service to Carrier or outside of the direct business relationship between DT and Carrier.
    • Carrier may take reasonable and appropriate steps to ensure that DT uses the Personal Data disclosed to it under this Addendum in a manner consistent with Carrier’s obligations under Data Protection Laws and, upon notice, take reasonable and appropriate steps to stop and remediate DT’s unauthorized use of Personal Data disclosed to DT hereunder.
    • DT will only Process Personal Data on Carrier’s behalf in accordance with Carrier’s written instructions unless the Processing is required by applicable Data Protection Laws. Carrier hereby instructs DT to Process Personal Data, including transfer of Personal Data outside of Carrier’s jurisdiction, for the following purposes: (i) Processing in accordance with this Addendum, the Agreement and pursuant to the features and limitations of the applicable Service(s) which DT provides Carrier under the terms of the Agreement; and (ii) Processing to comply with other reasonable instructions provided by Carrier, where such instructions are consistent with the terms of the Agreement. DT will be under no obligation to comply with instructions that DT deems as violating Data Protection Laws. Processing outside the scope of this Addendum (if any) will require prior written agreement between DT and Carrier on additional instructions and terms for Processing. Except as permitted under applicable Data Protection Laws, DT will not Process Carrier Personal Data for any other purposes, or outside of the direct business relationship between Carrier and DT, and without limitation, will not sell or otherwise receive payment or other valuable monetary consideration from Demand Partners and other Third Parties for sharing Carrier Personal Data with such Demand Partners and other Third Parties. DT acknowledges and will comply with the restrictions set forth in this section.
    • Carrier authorizes DT to collect, via its SDK, API or otherwise (collectively, “DT Integration Technology”), the following Personal Data, for the purposes described under this Addendum, and as further defined during Carrier’s integration with DT’s applicable DT Integration Technology:
      • Google AAID.
      • Information about the installed mobile app on Carrier’s devices such as package name, keywords, and version.
    • Data Subjects affected by the Processing under this Addendum are the end users of Carrier’s mobile device or other properties. DT uses the Personal Data collected from such users solely for providing the Service to Carrier. Processing operations by DT include the Processing of the aforementioned Carrier’s Personal Data to (a) serve Carrier device users with a list or catalog of mobile apps to choose from to install on their device, (b) to produce reports on the apps installed on Carrier’s device via the Service.
    • DT will ensure that DT’s access to Carrier Personal Data is limited to those personnel who require such access to perform the Service under the Agreement. DT imposes appropriate contractual obligations upon its personnel who engage in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection and data security. DT ensures that its applicable personnel were informed of the confidential nature of the Personal Data, have received appropriate training and have executed written confidentiality agreements. DT will further ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.
  3. DATA SECURITY
    • DT will take appropriate technical and organizational measures to ensure a level of security appropriate to the risk involved in Processing Carrier Personal Data. These measures are aimed at ensuring that Carrier Personal Data is reasonably protected against accidental or unauthorized destruction, accidental loss, as well as against unauthorized alteration of, disclosure of and access to Carrier Personal Data – all as specified at https://www.digitalturbine.com/wp-content/uploads/2022/07/Fyber-Group-Security-Annex.pdf (the “Data Security Addendum”).
    • To the extent that the technical and organizational measures taken by DT do not meet mandatory requirements, as set forth under Data Protection Laws which are applicable to Carrier, Carrier must notify DT in written or in text form thereof prior to the start of any Processing of Carrier Personal Data. In that case, both parties will negotiate in good faith an adjustment of the technical and organizational measures and the compensation for those required adjustments. The technical and organizational security measures may be adjusted by DT at any time insofar as the security level does not fall below the security level of the technical and organizational security measures set forth in the Data Security Addendum.
  4. COOPERATION
    • DT will use commercially reasonable efforts to provide in a prompt manner such co-operation as is reasonably necessary to enable Carrier to ensure compliance with applicable Data Protection Laws. DT will notify Carrier without undue delay, unless prohibited under applicable laws, of:
      • any official competent supervisory proceedings regarding the Processing of Carrier Personal Data conducted by Supervisory Authorities vis-à-vis DT, as well as support and cooperation which may be required from Carrier in such inspections/proceedings conducted vis-à-vis Carrier upon Carrier’s request;
      • any legal or factual circumstances preventing DT from executing any of Carrier’s instructions under the terms of this Addendum; and
      • any material changes impacting the technical and organizational security measures implemented by DT which cause such measures to fall short of DT’s data security obligations as set forth in the Data Security Addendum.
    • To the extent DT receives complaints and/or inquiries from Data Subjects or third parties requesting information regarding the Processing of Carrier Personal Data, DT will forward such complaints and/or inquiries to Carrier without undue delay. DT will not provide any information to any Data Subjects or third parties, unless (i) DT is statutorily obligated to provide such information or (ii) Carrier has given DT instructions to do so. To the extent that DT will be obliged to provide to third parties information regarding Carrier Personal Data on the basis of statutory provisions, DT will inform Carrier in due time prior to providing the information, of the recipient, the date and time, the content of the information to be issued, and the legal basis thereof, unless such notice is prohibited by applicable laws.
    • DT will support Carrier and assist in handling Data Subjects’ requests to exercise their rights to access, rectify, erase or such other rights afforded to Data Subjects under Data Protection Laws, in relation to their Personal Data, by taking reasonable measures based upon Carrier’s instructions. Should Carrier be obligated to provide information to any Data Subject or third party regarding the Process of Carrier Personal Data by DT, DT will use commercially reasonable efforts to support Carrier in the provision of such information. Carrier acknowledges that as DT does not Process specific unique identifiers such as name, photo ID, government issued ID, email address and telephone number, DT’s ability to identify Personal Data related to a specific Data Subject is limited and Carrier may need to furnish DT, and potentially request the Data Subject who invoked the right to exercise rights, to furnish, additional details, as necessary to enable DT to assist with the request.
    • To the extent necessary, DT will provide Carrier reasonable assistance, at Carrier’s expense, with any data protection impact assessments, and prior consultations with Supervising Authorities, which Carrier reasonably considers to be required by Data Protection Laws, in each case solely in relation to Processing of Carrier Personal Data and considering the nature of the Processing and information available to DT.
    • If pursuant to applicable Data Protection Laws, Carrier decides at its sole discretion and liability, that an opt-in consent from Data Subjects is required for sharing of Carrier Personal Data with DT, DT’s Affiliates and Third Parties for targeted advertising purposes, then subject to a written notification by Carrier to DT in relation thereof, Carrier will set an opt-in flagging mechanism with DT’s technical support, which will transmit Carrier’s users’ choice (an opt-in consent or a refusal to consent) to DT which shall also pass such flag ‘as is’ to its relevant Third Parties. Accordingly, if a refusal signal was transmitted in relation to any specific Data Subject, DT will not Process Carrier Personal Data related to the relevant Data Subject for targeted advertising purposes and will only use and share such Carrier Personal Data for the limited permissible uses under the applicable Data Protection Laws, including for invoicing, attribution and reporting purposes.
    • If pursuant to applicable Data Protection Laws, Carrier decides, at its sole discretion and liability, that its mobile application should provide users with an opt-out option from sharing of Carrier Personal Data with DT, DT’s Affiliates and Third Parties for targeted advertising purposes, including without limitation an option to opt-out or object to further Processing or to the selling of Personal Data, on its mobile application or other online property’s homepage, then subject to a written notification by Carrier to DT in relation thereof, Carrier will set an opt-out flagging mechanism with DT’s technical support, which will transmit Carrier’s users’ opt-out requests to DT, and accordingly, DT will cease Processing Carrier Personal Data related to the opted-out users, device or household (as applicable) and may only use and share such Carrier Personal Data for the limited permissible uses under the applicable Data Protection Laws, including for attribution and reporting purposes.

Carrier hereby acknowledges and agrees that DT is under no obligation or ability to check and confirm the accuracy of the signals and transitions from Carrier regarding its mobile application’s users, and it will therefore assume no responsibility and liability for any false transmission or failure to transmit to DT with accurate opt-in or opt-out signals.

  5. PERSONAL DATA BREACH
    • DT will notify Carrier without undue delay after becoming aware of any Personal Data Breach related to Carrier Personal Data which DT, or any of DT’s Sub-Processors. DT’s notice will at least: (a) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) communicate the name and contact details of the DT’s DPO, which will be available to provide any additional available information about the Personal Data Breach; (c) describe the likely consequences of the Personal Data Breach; (d) describe the measures taken or proposed to be taken by DT to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
    • DT will work diligently, pursuant to its incident management and breach notification policies and procedures to promptly identify and remediate the cause of the Personal Data Breach and will promptly inform Carrier accordingly.
  6. AUDIT
    • DT will allow for and contribute to audits, including inspections, conducted by Carrier or another auditor mandated by Carrier, in relation to DT’s obligations under this Addendum. DT may satisfy the audit obligation under this section by providing Carrier with attestations, certifications and summaries of audit reports conducted by accredited third party auditors.
    • Other audits by Carrier are subject to the following terms: (i) the audit will be pre-scheduled in writing with DT, at least forty-five (45) days in advance and will be performed not more than once a year (unless the audit is required by a Supervisory Authority); (ii) a third-party auditor will execute a non-disclosure and non-competition undertaking directly with DT; (iii) the auditor will not have access to non-Carrier’s data; (iv) Carrier will make sure that the audit will not interfere with or damage DT’s business activities and information and network systems; (v) Carrier will bear all costs and expenses related to the audit and will assume responsibility and liability for the audit and for any failures or damage caused as a result thereof; (vi) the auditor will first deliver a draft report to DT and allow DT reasonable time and no less than ten (10) business days, to review and respond to the auditor’s findings, before submitting the report to Carrier; (vii) Carrier will receive only the auditor’s report, with DT’s comments, without any ‘raw data’ materials of DT, will keep the audit results in strict confidentiality and will use it solely for the specific purposes of the audit under this Addendum; (viii) as soon as the purpose of the audit is completed, Carrier will permanently and completely dispose of all copies of the audit report.
  7. SUB-PROCESSING
    • DT engages Sub-Processors to perform certain Processing of Carrier Personal Data on Carrier’s behalf. Prior to an engagement with a Sub-Processor, DT: (i) carries out reviews and requires or receives adequate assurances that the Sub-Processor complies with obligations substantially similar to the obligations as set out in this Addendum; and (ii) ensures that a Statutory Data Transfer Agreement or such other appropriate methods of Personal Data transfer are at all relevant times incorporated into the agreement executed between DT and the Sub-Processor, if the engagement with the Sub-Processor involves a Personal Data Transfer of Carrier Personal Data.
    • Upon the execution of this Addendum, Carrier hereby gives DT Carrier’s approval to engage the companies detailed at https://www.hubsupport.center/subprocessors/ as Sub-Processors.
    • Where a Sub-Processor fails to fulfill its data protection obligations or statements, DT will remain fully liable to Carrier for the performance of the Sub-Processor’s obligations to the same extent that DT would be liable to Carrier directly under the terms of this Addendum, except as otherwise set forth in the Agreement, if DT would have performed the obligations of the Sub-Processor.
    • DT will inform Carrier of DT’s engagement with a new Sub-Processor. Carrier may object to the use of new or additional Sub-Processor by sending DT a written notice within five (5) business days of receipt of said notice. If Carrier objects to the new Sub-Processor, DT will make commercially reasonable efforts to provide Carrier the same level of Service without the use of such Sub-Processor. Notwithstanding, Carrier’s objection and the results thereof will not amend, alter or reduce Carrier’s obligations under the Agreement. Carrier will not be entitled to any refund and will hold DT harmless from and against any claims, suits and demands associated with or related to Carrier’s termination of the Agreement, in connection with Carrier’s objection to a new Sub-Processor.
    • Notwithstanding the provisions here above (e.g. prior consent by Carrier), Carrier hereby authorizes DT to sub-contract the Processing to Sub-Processors based outside of Carrier’s jurisdiction, to the extent necessary, at DT’s sole discretion, to duly perform the Service on condition that the Sub-Processors provide sufficient guarantees in relation to required level of data protection, e.g. through a sub-contracting agreement which is based on a Statutory Data Protection Agreement, or based on such other applicable Personal Data Transfer mechanisms. Any such Statutory Data Protection Agreement concluded by DT will be treated as if concluded in the name and on behalf of Carrier. Carrier will be responsible to obtain regulatory approvals from the relevant Supervising Authorities and to perform any submissions and registrations, as required by Data Protection Laws.
  8. PERSONAL DATA TRANSFER
    • If DT imports Carrier Personal Data to, or accesses Carrier Personal Data from, as applicable to the lawful transfer of Personal Data under Data Protection Laws, a country that is not subject to an Adequacy Decision, and the Data Protection Laws mandate a Personal Data Transfer measure to facilitate the lawful Personal Data Transfer, Carrier and DT hereby agree that the applicable Statutory Data Transfer Agreement will apply in respect of any such Personal Data Transfer from Carrier to DT.
    • DT participates in the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-US DPF (“UK Extension”), and the Swiss-US Data Privacy Framework (“Swiss-US DPF”), as set forth by the US Department of Commerce.
    • In accordance with the EU-US DPF, DT commits to resolve DPF Principles-related complaints about its collection and use of the Carrier Personal Data.
    • If the EU-US DPF will become invalidated in the future, each Party agrees to execute the applicable Statutory Data Transfer Agreement upon request of the other Party and further agrees that absent of execution, the terms and conditions of the Statutory Data Transfer Agreement, such applicable Statutory Data Transfer Agreement will in any event apply to any Carrier Personal Data.
    • Transfer of Personal Data which is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) to a country outside of the European Economic Area and that is not subject to an Adequacy Decision (“Third Country”), is made in accordance with the EU Standard Contractual Clauses (“EU SCCs”), pursuant to EU Commission Decision C(2021)3972, in the module specified in Exhibit A which is attached and incorporated by reference to this Addendum, or, as required, in accordance with any successor thereof or an alternative lawful data transfer mechanism, and Carrier further authorizes DT to engage demand side partners, under the first module of the EU SCCs, on behalf of the Carrier, including, without limitation, by designating the applicable supervisory authority therein, for the purposes of facilitating the lawful transfer of Personal Data, as part of DT’s Service to Carrier, as set forth in the Agreement.
    • In accordance with Article 46 of the GDPR and the EU SCCs, and without prejudice to any provisions of this Addendum, DT undertakes the following additional safeguards to secure Personal Data transferred by it on the basis of the EU SCCs to Third Countries:
      • DT will implement and maintain the technical and organizational measures, as specified in Annex II of Exhibit A, such as encryption, access controls, or similar technologies, as applicable, with a purpose to protect Carrier Personal Data against any processing for national security or other government purposes that goes beyond what is necessary and proportionate in a democratic society, considering the type of processing activities under the Agreement and relevant circumstances;
      • For the purposes of safeguarding Carrier Personal Data when any government or regulatory authority requests access to such data, and unless required by a valid court order or if otherwise DT may face criminal charges for failing to comply with orders or demands to disclose or otherwise provide access to Carrier Personal Data, or where the access is requested in the event of imminent threat to lives, DT will:
        • not purposefully create back doors or similar programming that could be used to access Carrier Personal Data;
        • not provide the source code or encryption keys to any government agency for the purpose of accessing Carrier Personal Data; and
        • upon Carrier’s written request, provide reasonable available information about the requests of access to Personal Data by government agencies DT has received in the 6 months preceding to Carrier’s request.
      • If DT receives a request by a government agency to access the Carrier Personal Data, DT will notify Carrier of such request to enable the Carrier to take necessary actions, to communicate directly with the relevant authority and to respond to such request. If DT is prohibited by law to notify Carrier of such request, DT will make reasonable efforts to challenge such prohibition through judicial action or other means, at Carrier’s expense, and, to the extent possible, will provide only the minimum amount of information necessary.
  9. DELETION AND RETENTION OF PERSONAL DATA
    • Within a reasonable time after the end of the provision of the Service, DT will return Carrier Personal Data to Carrier or delete such data, including by de-identifying thereof.
    • Notwithstanding, Carrier acknowledges and agrees that DT may retain copies of Carrier Personal Data as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal obligations and its continuing obligations under applicable law, including to retain data pursuant to legal requirements and to use such data to protect DT, DT’s Affiliates, agents, and any person on their behalf in court and administrative proceedings. To the extent that Data Protection Laws prohibit DT from retaining such copies of Carrier Personal Data, then Carrier agrees to defend and hold DT harmless from and against any claims, suits and demands related to, or in connection with the Processing of Carrier Personal Data by DT, its Affiliates, any relevant Demand Partner, and any person on their behalf.
  10. LIMITATION OF LIABILITY

Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under the Agreement.

  11. GENERAL PROVISIONS
    • To the extent that Processing relates to Personal Data originating from a jurisdiction or in a jurisdiction which has any mandatory requirements in addition to those in this Addendum, both Parties may agree to any additional measures required to ensure compliance with applicable Data Protection Laws and any such additional measures agreed to by the parties will be documented in a duly executed written addendum or amendment to this Addendum.
    • All obligations of each Party under this Addendum are made to the extent that Data Protection Laws mandate such obligations.
    • If any variation is required to this Addendum as a result of a change in Data Protection Laws, including any variation which is required to the Statutory Data Transfer Agreement, then either Party may provide written notice to the other Party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this Addendum, including the Statutory Data Transfer Agreement, to address such changes.
    • Carrier instructs DT to create and use De-identified Information for the provision of the Service (as good practice, and in line with data protection by design and by default principles, DT may de-identify the Carrier Personal Data prior to using such information to provide the Service to Carrier). DT may further use such De-identified Information for DT’s legitimate Business Purposes, including for testing, development, controls, and operations of DT’s services.

For the purpose of this section, “De-identified Information” means the Carrier Personal Data that has been de-identified or aggregated by DT, so that it cannot reasonably be associated with, or be used to identify, a particular Individual or Household, and will include anonymized information (as defined under Data Protection Laws); provided that DT: (A) has implemented commercially reasonable measures to ensure that the information cannot be associated with an Individual or Household to which such information may pertain; (B) maintains and uses the information in de-identified form and does not attempt to re-identify such information (other than for the purpose of determining whether DT’s de-identification processes satisfy applicable requirements under Data Protection Laws); and, (C) uses commercially reasonable measures to contractually obligate all third-parties with whom DT shares such information to comply with all of DT’s commitments specified under sub-sections (A)-(C) above.

  • This Addendum will become effective upon its execution by the Parties. It will terminate upon the end of the Processing of Personal Data by DT in accordance with the Agreement unless otherwise provided in this Addendum.
  • Any inquiries related to this Addendum will be sent to the following addresses:

To DT: [email protected].

To Carrier: to the email provided in the Agreement.


EXHIBIT A

STANDARD CONTRACTUAL CLAUSES

 

ANNEX to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council:

 

☐ MODULE ONE: Transfer controller to controller

☑ MODULE TWO: Transfer controller to processor

☐ MODULE THREE: Transfer processor to processor

☐ MODULE FOUR: Transfer processor to controller

[Tick the box next to the relevant transfer module]

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN


ANNEX I

  1. LIST OF PARTIES

Data exporter(s): The Identity and contact details of the data exporter(s) are Carrier’s information as stated on the Agreement.

 

Data importer(s):

 

Entity’s full legal Name: Digital Turbine USA, Inc. (each, the “Service”).

Address: 110 San Antonio St., Austin, Texas 78701, USA

Contact person’s name & title: DT’s legal team, email: [email protected].

Activities relevant to the data transferred under these Clauses: attribution.

Role (controller/processor): Processor

Data Protection Officer name: Michael Panienka, email: [email protected]

 

  1. DESCRIPTION OF TRANSFER

 

Categories of data subjects whose personal data is transferred: Mobile application users

 

Categories of personal data transferred: Location data, mobile app user data

 

Sensitive data is NOT transferred.

 

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):

On frequent and continuous basis whenever a user uses a mobile application.

 

Nature of the processing: All operations such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination (solely with non-personal data of exporter), restriction, erasure, or destruction of data (whether by automated means), anonymization, etc.

 

Purpose(s) of the data transfer and further processing: To enable the measurement and attribution of mobile application installation on Carrier’s mobile device.

 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: up to 30 days.

 

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: The subject matter of the processing is Carrier’s Personal Data, the nature of the Processing is the performance of the Service under the Agreement and as detailed above and the duration of the Processing is the term of the Agreement.

 

  1. COMPETENT SUPERVISORY AUTHORITY
[not applicable to Module Four]

 

The identity of the competent supervisory authority in accordance with Clause 13 of the New SCC is:

 

Where the data exporter is established in an EU Member State – the supervisory authority of such EU Member State shall act as competent supervisory authority.

 

Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) – the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.

 

Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) – the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses, shall act as competent supervisory authority.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE PERSONAL DATA

[not applicable to Module Four]

The Processor has implemented the measures as described in this exhibit insofar as the respective measure contributes or can contribute directly or indirectly to the protection of the Personal Data under the Addendum entered between the Parties.

These measures are commercially reasonable and are aligned with industry-standard technical and organizational measures to protect Personal Data. These measures are consistent with applicable laws and meet the standard of protection appropriate to the risk of processing Personal Data while providing the Processor’s services. The Processor will regularly carry out, test, review and update all such measures.

These measures will be subject to technical progress and future developments of Processor’s services. As such, the Processor will be permitted to implement alternative adequate measures. In such event, the security level may not be lower than the measures memorialized here. Material changes are to be coordinated with the Controller and documented.

Measures for ensuring physical security of locations at which Personal Data are processed

The Processor has implemented the following entry control measures insofar as Personal Data are processed in the Processor’s premises or access to such data from these premises cannot be precluded:

  • Unauthorized persons are to be denied entry to the data processing facilities in which Personal Data are processed or used.
  • Entry authorizations to office buildings, computer centers, and server rooms are restricted to the necessary minimum.
  • Use of effective entry authorization controls through an adequate locking system (e.g., security key with documented key management, electronic locking systems with documented authorizations management).
  • Documented and comprehensible processes for obtaining, changing, and rescinding entry authorizations, including routine and documented review whether the granted entry authorizations are up to date.
  • Reasonable prophylactic and detection measures regarding unauthorized entry and entry attempts (e.g., routine checks of burglary security system for doors, gates, and windows, burglar alarm, video monitoring, guard service, security patrol).
  • Written rules for employees and visitors for dealing with technical entry security measures.

Measures for user identification, authorization and for ensuring event logging

Potential use of data processing systems by unauthorized persons is to be prevented. The Processor has implemented the following access control measures for systems and networks, in which Personal Data are processed or through which access to Personal Data is possible, insofar as the Processor is responsible for the Personal Data access authorizations:

  • Persons authorized to use a data processing system will be able to access only the data underlying their access authorization, and Personal Data will be incapable of being read, copied, changed, or removed without authorization during the processing and use of the data and after the data have been stored.
  • Access authorizations to Personal Data are restricted to the necessary minimum.
  • Access authorizations to Demand Partners’ systems and non-public networks are restricted to the necessary minimum.
  • Use of effective access authorization controls through personalized and unambiguous user identification and a secure authentication process.
  • Recording of access, even by administrators.
  • For password authentications:
    • Specifications are to be made that ensure continuous password quality of at least twelve (12) characters, four (4) degrees of complexity (upper case, lower case, numbers, special characters), and a change cycle of a maximum of ninety (90) days.
    • Technical test procedures are to be used to ensure password quality.
  • If asymmetric key procedures (e.g., certificates, private-public-key-method) are used for authentication, it is to be assured that secret (private) keys are at all times protected by a password (passphrase).
  • Implementation of documented and comprehensible processes for obtaining, changing, and rescinding access authorizations, including routine and documented review whether the granted access authorizations are up to date.
  • Implementation of reasonable measures for securing network infrastructure (e.g., intrusion detection systems, use of 2-factor authentication for remote access, separation of networks, encrypted network protocols, and so forth).
  • Written rules for employees for dealing with the security measures above and the secure use of passwords.
  • Use of input controls – there is a possibility to subsequently review and determine whether and by whom Personal Data was entered, altered in, or removed from data processing systems. The Processor has implemented the following input control measures on its systems, which are used for processing the Personal Data or which enable or convey access to such systems:
    • Creation and audit-proof storage of processing protocols.
    • Securing log files against manipulation.
    • Recording and evaluating unauthorized and failed login attempts.
    • Ensuring that no group accounts (including administrators or root) are used.

Measures for ensuring system configuration, including default configuration and encryption of Personal Data

  • Ensuring that critical or material security updates/patches will be installed according to the Processor’s internal Patch Management Policy: a. in client operating systems; b. in server operating systems reachable via public networks (e.g., webservers); c. in application programs (incl. browser, plugins, PDF-reader, etc.); d. in security infrastructure (virus scanner, firewalls, IDS-systems, content filters, routers, and so forth.); and e. in server operating systems of internal servers.
  • Reasonable measures are used for the protection of end-devices, servers, and other infrastructure elements against unauthorized access (such as multi-level virus protection concept, content filters, application firewall, intrusion detection systems, desktop firewalls, system hardening, content encryption).
  • The Processor has implemented the following sharing control measures insofar as Personal Data will be received, transferred, or transported by the Processor:
    • Reasonable measures for securing network infrastructure (e.g., intrusion detection systems, use of 2-factor authentication for remote access, separation of networks, encrypted network protocols, and so forth).
    • Encryption – Processor implements encryption technology which is commensurate with the state of the art to be prescribed so that Personal Data will be incapable of being read, copied, changed, or removed during electronic transmission or during transport for storage on data carriers, such as RSA 2048.
      • Data carrier encryption with state-of-the-art algorithms and protocols to be classified as secure (e.g., TLS-based protocols) for the protection of mobile devices (notebooks, tablet PCs, smartphones, etc.) and data carriers (external hard drives, USB sticks, memory cards, and so forth).
    • Implementation of technical security measures for export and import interfaces (hardware and application related).

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services and the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

Personal Data will be protected against accidental destruction or loss. The Processor has implemented the following availability control measures insofar as the processing is required for maintaining productive services:

  • Operation and routine maintenance of fire alarms in server rooms, computer centers, and material infrastructure rooms.
  • Creating sufficient backups.
  • Ensuring backup storage in a separate fire compartment.
  • Routine backup integrity reviews.
  • Systems and data restoration processes and documentation.

An incident would receive immediate attention from all relevant personnel. Once identified and validated, incidents will be reported according to the Processor’s security and privacy policies.

Processor’s development processes follow secure software development industry-standard practices, which include formal design reviews, threat modeling, and completion of a risk assessment.

The Processor uses a hash function to de-identify the Personal Data prior to any use.

Measures for ensuring data quality and allowing data portability and processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Personal Data collected for different purposes will be capable of being processed separately. The Processor has implemented the following separation measures insofar as such is within its area of responsibility:

  • Logical and/or physical separation of test, development, and production systems.
  • Separation of Controller’s Personal Data from other data sets including, but not limited to, its own, within the processing systems, and at interfaces.
  • Ensuring that Personal Data are constantly identifiable on account of suitable labels; if such are processed for different purposes, including information specifying the respective purpose.

Measures for ensuring limited Personal Data retention

Personal Data is to be deleted, if it is processed for purposes as soon as the knowledge thereof is no longer necessary for the fulfillment of the purpose of the saving in accordance with DT’s data retention policy.

The Processor has implemented the following measures ensuring data deletion insofar as such is within its area of responsibility:

  • Ensuring that the Personal Data are capable of being deleted at any time upon request of the Controller.
  • Implementation of processes, tools, and documentation for secure deletion in a manner, such that recovery of the data is not possible given today’s state of technology (e.g., through overwriting).
  • Providing the employees with specifications regarding how and when data are to be deleted.

Measures for internal IT and IT security governance and management and for ensuring accountability

The Processor has in place internal policies containing formal instructions for data processing procedures; contractors are carefully vetted regarding data security; and the Processor’s personnel are trained periodically to maintain awareness regarding data protection and security requirements.


ANNEX III

LIST OF SUB-PROCESSORS

[not applicable to Modules One and Four]

 

This Annex must be completed for Modules Two and Three, in case of the specific authorization of sub-processors (Clause 9(a), Option 1).

 

The Controller has authorized the use of the following sub-processors by Processor: https://www.hubsupport.center/subprocessors/