GLOBAL DATA PROTECTION ADDENDUM FOR ADVERTISERS
This Global Data Protection Addendum (“Addendum”) supplements, supersedes, and forms part of any existing and currently valid Insertion Order (IO) or any other agreement’s type (“Agreement“), either previously or concurrently, entered by andbetween the applicable Media Company entity specified on the Agreement and any applicable Affiliate of Media Company listed in Appendix A attached hereto that is involved in the Processing of Personal Data under the Agreement (“DT”) and the Advertiseror agency that has entered into such Agreement with DT (“Advertiser”). Each party to this Addendum will also be referred to as a “Party” and together – the “Parties”. This Addendum reflects the Parties’ agreement on the Processing of Personal Data in connection with the applicable service(s) described in the Agreement (the “Service”). This Addendum takes effect as of the Effective Date of the Agreement entered between Advertiser and DT. Executing the Agreement that refers to this Addendum constitute execution of this Addendum as well and the acceptance of all its terms in their entirety by both Parties. In case of any conflict between a provision of this Addendum and the Agreement, or any previous data protection agreement entered between the Parties, the provisions of this Addendum will prevail. Capitalized terms used herein and not defined herein will have the meaning set forth in the Agreement, or under applicable Data Protection Laws.
DT’s provision of the Service to Advertiser entails either or both (a) the transmission of data retrieved, sent, and received by and from DT’s Publishers, and (b) depending on the type of Service, by and from Advertisers. Certain transmitted data may constitute Personal Data. A description of the dataflow within each Service is described in Appendix A attached hereto (“Service’s Data Flow”).
1. Definitions
1.1. “Affiliate(s)” means with respect to a party, all entities which, directly or indirectly, control, are being controlled by, or are under common control with such party.
1.2. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data and including “Business” and any similar term under Data Protection Laws. In the context of this Addendum the term means Publishers.
1.3. “Data Protection Laws” mean all laws and regulations worldwide, which apply to the respective Party’s Processing of Personal Data under the Agreement and this Addendum.
1.4. “Data Subject” means an identified or identifiable natural person, a household consisting of natural persons, or a device associated with a natural person, to whom the Personal Data relates, including “Consumer” and any similar terms under applicable Data Protection Laws.
1.5. “Advertiser’s Data Subjects” – mean Data Subjects who engage directly with Advertiser as Controller.
1.6. “Advertiser’s Personal Data” – mean Personal Data related to Advertiser’s Data Subjects.
1.7. “Personal Data” means any information where such information is protected under Data Protection Laws and including “Personal Information” and any similar terms under Data Protection Laws.
1.8. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed and including “Security Breach” and any similar terms under Data Protection Laws.
1.9. “Personal Data Transfer” means: (i) transfer of Personal Data from Advertiser to DT, and from DT to Advertiser; or (ii) an onward transfer of Personal Data by a Party to a Sub-Processor, in each case, where such transfer outside of the jurisdiction of a transferring Party would be regulated by Data Protection Laws including through (a) an Adequacy Decision, (b) Statutory Data Transfer Agreements, or (c) in accordance with the terms of other applicable lawful data transfer measures or derogations.
1.10. “Personnel” means persons authorized by a Party to Process Personal Data.
1.11. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, and including the terms “using”, “collecting” and any similar terms under Data Protection Laws.
1.12. “Processor” means the entity which Processes Personal Data on behalf of the Controller and including “Service Provider” and similar terms under Data Protection Laws. DT is the Processor of the Publishers who are responsible for the accuracy, quality, and legality of the Personal Data, and for the means by which they acquired such Personal Data.
1.13. “Publishers” mean DT’s supply-side customers (e.g., mobile application developers, owners, distributors).
1.14. “Publishers’ Data Subjects” – mean Data Subjects who interact with Publishers’ mobile application(s).
1.15. “Publishers’ Personal Data” – mean Personal Data related to Publishers’ Data Subjects.
1.16. “Statutory Data Transfer Agreement” means statutory provisions enacted pursuant to Data Protection Laws, which establish binding terms for cross-border transfer of Personal Data from one jurisdiction to another, including where applicable under Data Protection Laws, through access to Personal Data from the non-transferring territory, which can be executed between the transferring and the recipient parties to facilitate the lawful cross-border transfer of Personal Data.
1.17. “Sub-Processor” means any third party, including an Affiliate of a Party, appointed by or on behalf of a Party to undertake Processing in connection with the Agreement.
1.18. “Supervising Authority” means an independent public authority which is established in a jurisdiction under Data Protection Laws with competence in matters pertaining to the protection of Personal Data.
- Processing of Advertiser’s Personal Data by DT
2.1. As described in the Service’s Data Flow, where DT provides Advertiser with the Service, DT Processes Advertiser’s Personal Data as a Processor.
2.2. Whenever DT Processes Advertiser’s Personal Data provided to it by Advertiser through the Service, DT will: (i) ensure that its third-party service providers acting as its Processors that DT shares Advertiser’s Personal Data with, will Process such data in accordance with DT’s obligations under this Addendum; (ii) be fully liable for performance of DT’s third-party service providers in connection with their Processing of Advertiser’s Personal Data that was shared or transmitted to DT by Advertiser as part of Advertiser’s use of the Service.
2.3. If DT receives from Advertiser any inquiries, correspondence, exercise of rights requests or complaints (“Advertiser’s Correspondence”) originated from Advertiser’s customers, Data Subjects or from any SupervisingAuthority or regulator, in relation to the Processing of Advertiser’s Personal Data by DT, DT will promptly cooperate in good faith as necessary and reasonable to respond to such Advertiser’s Correspondence.
2.4. To the extent that Advertiser operates as a Processor on behalf of its customers, the Parties acknowledge that: Advertiser is not selling Personal Data to DT and that Personal Data is disclosed by Advertiser to DT only for the limited business purpose of DT providing Advertiser with the Services, described in Appendix A attached hereto. DT further acknowledges that Advertiser is prohibited from: (i) Selling Advertiser’s Personal Data; and (ii) retaining, using, or disclosing Advertiser’s Personal Data for any commercial purpose other than for the specific purpose of performing its services to its customers or outside of the direct business relationship between Advertiser and its customers, unless permitted under applicable laws.
2.5. DT undertakes to: (i) comply with its respective obligations under Data Protection Laws and, (ii) notify the Advertiser no later than within five (5) business days after determining that it can no longer meet its obligations under applicable Data Protection Laws with respect to Personal Data disclosed to it by Advertiser under this DPA.
2.6. Advertiser will take reasonable and appropriate steps to ensure that DT uses the Personal Data disclosed to it under this DPA in a manner consistent with Advertiser’s obligations under Data Protection Laws; and, upon notice, take reasonable and appropriate steps to stop and remediate DT’s unauthorized use of Advertiser’s Personal Data.
- Processing of Publishers’ Personal Data by Advertiser
3.1. For the purposes of this Addendum and the Agreement, the Parties agree and acknowledge that Advertiser uses the Service on behalf of its advertisers-customers or on Advertiser’s own behalf.
3.2. Nothing in this Addendum will limit Advertiser from Processing Personal Data that was shared or transmitted to it by DT subject to Advertiser’s independent lawful ground to Process such data as a Controller. Otherwise, Advertiser may Process Personal Data shared or transmitted to it by DT, including without limitation Publishers’ click data, as a Processor, only as necessary to purchase Inventory on mobile applications and deliver Ads to such mobile application’s users via the Service (together, the “Permitted Purpose”).
3.3. Except as part of Advertiser’s independent lawful ground to Process Personal Data transmitted to it by DT as part of the Service, or as necessary for the Permitted Purpose, any Processing of Personal Data by Advertiser, its Affiliates, agents, vendors, customers, partners and/or other third party, is strictly prohibited.
3.4. Advertiser acknowledges that:
3.4.1. Publishers share Publishers’ Personal Data with DT; DT collects and shares Publishers’ Personal Data with Advertisers on behalf of Publishers in its capacity as a Processor of the Publishers.
3.4.2. Advertiser shares Advertiser’s Personal Data with DT, strictly and as necessary to facilitate DT’s provision of the Service to Advertiser, or to the extent applicable, to strictly and as necessary to facilitate Advertiser’s provisions of Advertiser’s services to Advertiser’s advertisers’ customers and on their behalf.
3.5. Whenever Advertiser Process Publishers’ Personal Data, it will Process such data in accordance with Advertiser’s obligations under this Addendum; (ii) not make any attempts and ensure that such third-party advertisers-customers and/or partners will not make any attempt to re-identify any data that was shared or transmitted by DT when provided with a signal by DT that indicates that the Publishers’ Data Subject declined consent under Data Protection Laws; (iii) be fully liable for the performance of its third-party advertisers-customers and/or partners in connection with their Processing such data that was shared or transmitted to Advertiser by DT as part of Advertiser’s use of the Service.
3.6. If Advertiser receives from DT any inquiries, correspondence, exercise of rights requests or complaints (“DT Correspondence”) originated from Publishers or from any competent authority or regulator, in relation to the Processing of Publishers’ Personal Data conducted by Advertiser or any of its advertisers-customers or partners, Advertiser will promptly cooperate in good faith as necessary and reasonable to respond to such DT Correspondence.
3.7. Advertiser acknowledges that DT, as a Processor on behalf of its Publishers, is prohibited from: (i) selling Publishers’ Personal Data; and (ii) retaining, using, or disclosing Publishers’ Personal Data for any commercial purpose other than for the specific purpose of performing the ad monetization services it provides to its Publishers or outside of the direct business relationship between DT and Publishers, unless permitted under applicable laws.
3.8. Advertiser undertakes to: (i) comply with its respective obligations under Data Protection Laws; and (ii) notify DT no later than within five (5) business days after determining that it can no longer meet its obligations under applicable Data Protection Laws with respect to Personal Data disclosed to it by DT under this DPA.
3.9. DT will take reasonable and appropriate steps to ensure that Advertiser uses the Personal Data disclosed to it under this DPA in a manner consistent with DTs obligations under Data Protection Laws; and, upon notice, take reasonable and appropriate steps to stop and remediate Advertiser’s unauthorized use of Publisher’s Personal Data.
- Processing Personal Data
4.1. Each Party will ensure that its access to Personal Data transmitted to it by the other Party is being Processed only by those Personnel who require such access to fulfill each Party’s obligations under the Agreement and this Addendum. Each Party will impose appropriate contractual obligations upon its Personnel engaged in the Processing of such data including relevant obligations regarding confidentiality, data protection and appropriate data security. Each Party will ensure that its Personnel engaged in the Processing of such data are informed of the confidential nature of such data, have received appropriate training of their responsibilities, and have executed written confidentiality agreements.
4.2. The Parties acknowledge that Advertiser pays DT, in accordance with the terms of the Agreement, for the Service.Neither Party receives from the other Party any monetary or other valuable consideration for Processing Personal Data and/or for sharing Personal Data with the other Party.
4.3. The nature of Processing by the Parties, categories of Data Subjects, types of Personal Data are indicated in Annex I to Exhibits A and B respectively, and serves as an integral part of this Addendum, whether Exhibits A and B apply in their entirety, or not.
4.4. The Parties will respect Data Subjects’ choice not to be tracked for the purpose of targeted advertising and will not attempt to circumvent the Data Subject’s choice as presented through the operating system of the Data Subject’s device.
4.5. Each Party engages and authorizes the other Party to engage Sub-Processors to perform certain Processing in connection with the Agreement. The lists of Sub-Processors of each Party are referred to from Annex III of Exhibits A and B respectively, and serve as an integral part of this Addendum, whether Exhibits A and B apply in their entirety, or not. Prior to an engagement with a Sub-Processor, each Party: (i) carries out reviews and requires or receives adequate assurances that the Sub-Processor complies with obligations substantially similar to the obligations as set out in this Addendum; and (ii) ensures that a Statutory Data Transfer Agreement or such other appropriate methods of Personal Data transfer are at all relevant times incorporated into the agreement executed between the Party and its Sub-Processor, if the engagement with the Sub-Processor involves a Personal Data Transfer. Each Party may object to the Processing of such Party’s Personal Data by a new Sub-Processor of the other Party, for reasonable and explained grounds, within five (5) business days following the other Party’s written notice to the objecting Party of the intended Processing of Personal Data by the new Sub-Processor. If the objecting Party timely sends the other Party a written objection notice, the Parties will make a good-faith effort to resolve the objection. In the absence of a resolution, the other Party will make commercially reasonable efforts to provide the objecting Party with the same level of service, without using the new Sub-Processor to Process the objecting Party’s Personal Data.
4.6. Advertiser instructs DT to create and use De-identified Information for the provision of the Services (as good practice, and in line with data protection by design and by default principles, DT may de-identify the Advertiser’s Personal Data prior to using such information to provide the Service to the Advertiser). DT may further use such De-identified Information for DT’s legitimate Business Purposes, including for testing, development, controls, and operations of DT’s services.
For the purpose of this section, “De-identified Information” means the Advertiser Personal Data that has been de-identified or aggregated by DT, so that it cannot reasonably be associated with, or be used to identify, a particular Individual or Household, and will include anonymized information (as defined under Data Protection Laws); provided that DT: (A) has implemented commercially reasonable measures to ensure that the information cannot be associated with an Individual or Household to which such information may pertain; (B) maintains and uses the information in de-identified form and does not attempt to re-identify such information (other than for the purpose of determining whether DT’s de-identification processes satisfy applicable requirements under Data Protection Laws); and, (C) uses commercially reasonable measures to contractually obligate all third-parties with whom DT shares such information to comply with all of DT’s commitments specified under sub-sections (A)-(C) above.
- Personal Data Transfer
5.1. This Section 5 applies to Personal Data Transfers, as required by the Parties to perform their obligations under the Agreement, including the export of Personal Data by Advertiser to DT and the export of Publishers’ Personal Data by DT to Advertiser.
5.2. As applicable under Data Protection Laws for the lawful transfer of Personal Data, if a Party imports Personal Data to, or accesses Personal Data from, a country that is not subject to an Adequacy Decision, and the Data Protection Laws mandate a Personal Data Transfer measure to facilitate the lawful Personal Data Transfer, Advertiser and DT hereby agree that the applicable Statutory Data Transfer Agreement will apply in respect of any such Personal Data Transfer from one Party to another.
5.3. Each Party agrees to execute the applicable Statutory Data Transfer Agreement upon request of the other Party and further agrees that absent of execution, the terms, and conditions of the Statutory Data Transfer Agreement, will in any event apply to any relevant Personal Data.
5.4. Transfer of Personal Data which is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) to a country outside of the European Economic Area and that is not subject to an Adequacy Decision (“Third Country”), is made in accordance with the EU Standard Contractual Clauses (“EU SCCs”), pursuant to EU Commission Decision C(2021)3972, in the module specified in Exhibit A, for Personal Data Transfer by Advertiser to DT, and in Exhibit B, for Personal Data Transfer from DT to Advertiser, which are attached and incorporated by reference to this Addendum, or, as required, in accordance with any successor thereof or an alternative lawful data transfer mechanism, and each Advertiser further acknowledges that DT engages Advertiser, under the first module of the EU SCCs, on behalf of its Publishers, including, without limitation, by designating the applicable Supervisory Authority therein on their behalf, for the purposes of facilitating the lawful transfer of Personal Data, as part of DT’s ad monetization services to its Publishers.
5.5. In accordance with Article 46 of the GDPR and the EU SCCs, and without prejudice to any provisions of this Addendum, each Party undertakes the following additional safeguards to secure Personal Data transferred by it based on the EU SCCs to Third Countries:
5.5.1. Each Party will implement and maintain technical and organizational measures, such as encryption, access controls, or similar technologies, as applicable, with a purpose to protect the transferred Personal Data against any processing for national security or other government purposes that goes beyond what is necessary and proportionate in a democratic society, considering the type of processing activities under the Agreement and relevant circumstances;
5.5.2. For the purposes of safeguarding the transferred Personal Data when any government or regulatory authority requests access to such data, and unless required by a valid court order or if otherwise the Party that receives the request (“Requested Party”) may face criminal charges for failing to comply with orders or demands to disclose or otherwise provide access to the transferred Personal Data, or where the access is requested in the event of imminent threat to lives, the Requested Party will:
5.5.2.1. not purposefully create back doors or similar programming that could be used to access the transferred Personal Data;
5.5.2.2. not provide the source code or encryption keys to any government agency for the purpose of accessing the transferred Personal Data; and,
5.5.2.3. upon the other Party’s written request, provide reasonable available information about the requests of access to Personal Data by government agencies that the Requested Party has received in the 6 months preceding to the other Party’s request.
5.5.3. When a Requested Party receives a request by a government agency to access the transferred Personal Data, the Requested Party will notify the other Party of such request to enable the other Party to take necessary actions, to communicate directly with the relevant authority and to respond to such request. If the Requested Party is prohibited by law to notify the other Party of such request, the Requested Party will make reasonable efforts to challenge such prohibition through judicial action or other means, at the other Party’s expense, and, to the extent possible, will provide only the minimum amount of information necessary.
6. Data Security
6.1. Each Party Processing Personal Data transmitted to it by the other Party will maintain appropriate administrative, physical, organizational and technical safeguards aimed at maintaining an appropriate level of security, confidentiality and integrity of the Personal Data in accordance with official guidelines as provided by Supervising Authorities, good industry practice and Annex II of Exhibits A and B to this Addendum, as applicable to the Parties, which serves as an integral part of this Addendum, whether Exhibits A and B apply in their entirety, or not.
6.2. Each Party undertakes to regularly monitor compliance with these safeguards and will not materially decrease the overall security controls during the term of this Addendum.
6.3. Each Party will not transfer Personal Data to third parties except under written contracts that guarantee at least a level of data protection and information security as provided herein and will assume responsibility for the acts and omissions of said third parties, in relation to the Processing of Personal Data.
7. Personal Data Breach
Each Party Processing Personal Data transmitted to it by the other Party will maintain security incident management policies and procedures and will, notify the other Party of any actual or reasonably suspected Personal Data Breach without undue delay after becoming aware of such breach. To the extent that the Personal Data Breach occurred on the information systems of a Party, or on the information systems of any third party acting on such Party’s behalf, such Party will make all reasonable efforts to promptly identify and remediate the cause of the breach and will inform the other Party accordingly.
8. Assistance
8.1. Each Party when Processing Personal Data transmitted to it by the other Party will provide the other Party with all reasonably necessary assistance, in connection with any inquiries received from, or prior consultation with any Supervising Authority, exercise of such Party’s Data Subjects rights, and conducting impact assessments, as required under applicable Data Protection Laws.
8.2. Advertiser acknowledges and agrees that, except for the permitted purposes under the Data Protection Laws it will cease Processing Publisher’s Personal Data transmitted to it by DT via the Service and is related to an opted-out Publishers’ Data Subjects, whenever Advertiser is aware of such opt-out signal.
8.3. DT acknowledges and agrees that, except for the permitted purposes under the Data Protection Laws, upon Advertiser’s transmission of an opt-out signal to DT, DT will cease any Processing of Advertiser’s Personal Data related to the opted-out Advertiser Data Subjects.
8.4. For the purpose of establishing the opt-out flagging mechanism, the Parties will cooperate in good faith with each other to be able to receive such flags from each other.
8.5. For the purpose of this Addendum, it is the sole responsibility and liability of the Party who is transmitting Personal Data to the other Party under this Addendum to decide if the out-out option in relation to such Personal Data is required, pursuant to applicable Data Protection Laws and to instruct the other Party accordingly.
9. Audit
The Party Processing Personal Data that was transmitted to it by the other Party in connection with the Service will make available to the other Party all information reasonably necessary to demonstrate its compliance with this Addendum and will permit and contribute to any data audits reasonably required by the other party upon the other party’s prior written request and advanced notice, subject to appropriate confidentiality, operational and financial arrangements in relation to such audits.
10. Retention and Destruction
10.1. Except as part of Advertiser’s independent lawful ground to Process Publishers’ Personal Data transmitted to it by DT as part of the Service, Advertiser may retain such data for not more than 30 days and may save such data for a longer period for invoicing, reporting, discrepancy reasons and to prevent fraud, but in any case, for no longer than 90 days from receiving such data from DT. Notwithstanding the foregoing, upon DT’s written request, Advertiser will return all such Personal Data and copies thereof to DT or will destroy all such Personal Data and certify in writing to the DT that it has done so.
10.2. As required under applicable Data Protection Laws and without limiting the aforesaid, at the choice of a Party (the “Requesting Party”), the other Party (the “Responding Party”) will delete or return all Requesting Party’s Personal Data to the Requesting Party after the end of the provision of Services relating to Processing of the Requesting Party’s Personal Data and delete existing copies unless otherwise required or permitted under applicable Data Protection Laws.
10.3. To preserve the right to privacy of Data Subject, including minimizing risks associated with Personal Data Breaches, limit Personal Data retention periods, and follow the data minimization principle, DT will process data based on extracts of Personal Data on an aggregated, anonymize and non-identifiable form. Nothing will prevent DT from using data that is not subject to Data Protection Laws for its lawful purposes.
11. Term
This Addendum will commence upon the execution hereof and will continue until the later of: (i) the expiration or termination of the Agreement, pursuant to the terms therein, or (ii) as long as either Party has possession of Personal Data received by, from or through the Service. Either Party may terminate this Addendum, by a written notice to the other Party with immediate effect, if a Party breach any of the provisions under this Addendum. Such termination will not limit the terminating Party’s rights and remedies under the Agreement and the applicable law.
12. Limitation of Liability
Each Party’s and all its Affiliates’ liability, taken together in the aggregate, arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, except that each Party’s limit on liability for breaching the Party’s obligations under this Addendum will be the amount charged by DT from the Advertiser in the twelve (12) months preceding the occurrence of the breach. Any reference in such liability section under the Agreement to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under the Agreement.
13. Miscellaneous.
13.1. To the extent that Processing relates to Personal Data originating from a jurisdiction or in a jurisdiction which has any mandatory requirements in addition to those in this Addendum, both Parties may agree to any additional measures required to ensure compliance with applicable Data Protection Laws and any such additional measures agreed to by the parties will be documented in a duly executed written addendum or amendment to this Addendum.
13.2. Any alteration or modification of this Addendum is not valid unless made in writing and executed by duly authorized Personnel of both Parties.
13.3. Invalidation of one or more of the provisions under Addendum will not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same objectives.
13.4. Each Party acknowledges that the other party and/or its Affiliates may disclose this Addendum and any relevant privacy provisions in the Agreement to any Supervising Authority to the extent required under the applicable law. Such disclosure will not constitute a breach of such Party’s confidentiality obligation under the Agreement.
13.5. This Agreement may be executed electronically, as part of the Agreement. Each Party consent to the use of: (a) electronic means to consent to and complete this Addendum and to provide you with any notices given pursuant to this Addendum; and (b) electronic records to store information related to this Addendum and each Party’s use of any Service in compliance with this Addendum.
Appendix A
Service | DT’s Entity providing the Service | Address | GDPR/LGPD Position | CCPA Position |
DSP | AdColony Inc. (USA) | 1888 Century Park East, Suite 1450, Century City, CA 90067, USA
|
Processor | Service Provider |
Offer Wall | Fyber Media GmbH (Germany) | Wallstraße 9-13 10179 Berlin, Germany | Processor | Service Provider |
DT Direct | Fyber Media GmbH (Germany) | Wallstraße 9-13 10179 Berlin, Germany | Processor | Service Provider |
DSP | Triapodi Ltd. d/b/a “Appreciate” | 4 Hapsagot St. Petach-Tikva, Israel 4951447 | Processor | Service Provider |
Dynamic Installs (formerly, Preload) | Digital Turbine Media, Inc. | 406 Blackwell St., Durham, North Carolina 27701, USA | Processor | Service Provider |
Apps Select (formerly, Wizard) | Digital Turbine Media, Inc. | 406 Blackwell St., Durham, North Carolina 27701, USA | Processor | Service Provider |
DT Games Hub (formerly, Apps Hub, Games Folder) | Digital Turbine Media, Inc. | 406 Blackwell St., Durham, North Carolina 27701, USA | Processor | Service Provider |
Ignite Notifications/Post Install Notifications | Digital Turbine Media, Inc. | 406 Blackwell St., Durham, North Carolina 27701, USA | Processor | Service Provider |
Single Tap Monetization (formerly, SingleTap) | Digital Turbine Media, Inc. | 406 Blackwell St., Durham, North Carolina 27701, USA | Processor | Service Provider |
- Processing of Advertiser’s Personal Data by DT:
- Advertiser may share Personal Data with DT in the form of a suppression list (i.e., a list of Advertising IDs that Advertiser wishes DT to exclude form receiving its Ad). DT process such data solely to run the Ad campaign on Advertiser’s behalf as its Processor/Service Provider.
- Advertiser will share with DT, whether directly or via Advertiser’s attribution provider / MMP, postbacks (i.e., feedback that a specific Advertising ID had install the Advertiser’s app on its device because of the clicked Ad run by DT or that the Advertiser’s app that was preloaded to the device was opened for the first time by the user). DT Processes the postbacks to accurately execute CPI based billing to Advertiser. DT process such data solely to invoice the Advertiser for services rendered as Advertiser’s Data Processor/Service Provider.
- Processing of Publisher’s Personal Data by Advertiser:
- DT either (a) runs Advertiser’s Ad campaign and choses on which mobile apps of DT’s publishers such Ad will be delivered, or (b) DT decides to preload Advertiser’s app to certain Android mobile devices that DT’s IP is embedded in. When the app or device user clicks on the Ad or when the Advertiser’s app has been preloaded to the device, DT transmits Publisher’s Personal Data (i.e., Advertising ID and IP Address) to the Advertiser, whether directly or via Advertiser’s attribution provider / MMP. When DT shares such data with Advertiser it is doing so as the Publisher’s Processor/Service Provider.
- After the click, the user is, except in Preloads/Dynamic Installs where the app has been preloaded to the device without any action taken by the user, redirected to the mobile applications store to download Advertiser’s app. Once the user downloads the app or opens it for the first time on the device, Advertiser establishes a (contractual) relationship with the user as an independent Controller/Business.
- However, if the user changed his/her mind after redirected to the mobile applications store and decided not to download Advertiser’s app, or the user never opens the app that was preloaded to the device, the Advertiser is restricted from using Publisher’s Personal Data that DT previously shared together with the click event for any other purpose other than to use the DT service (no contractual relationship was created between the user and the Advertiser and therefore the user remained publisher’s user). DT, in this scenario, must ensure that restrictions and obligations on the use of Personal Data processing are part of the Addendum between DT and Advertiser.
EXHIBIT A
STANDARD CONTRACTUAL CLAUSES
FOR PERSONAL DATA TRANSFERS FROM ADVERTISER TO DT
ANNEX to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council:
☐ MODULE ONE: Transfer controller to controller
- MODULE TWO: Transfer controller to processor
☐ MODULE THREE: Transfer processor to processor
☐ MODULE FOUR: Transfer processor to controller
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN
ANNEX I
PROCESSING OF ADVERTISER’S PERSONAL DATA BY DT
A. LIST OF PARTIES
Data exporter(s): Advertiser’s information as stated in the Agreement.
Data importer(s):
Entity’s full legal Name: As set forth in the Agreement and in Appendix A above.
Address: As set forth in the Agreement and in Appendix A above.
Contact person’s name & title: DT’s legal team, email: [email protected].
Activities relevant to the data transferred under these Clauses: ad targeting, ad monetization, optimization, reporting, fraud detection, billing.
Role (controller/processor): Processor
Data Protection Officer name: Michael Panienka, email: [email protected]
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Mobile application users
Categories of personal data transferred by Advertiser: IP Address and advertising ID.
Sensitive data is NOT transferred.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): On frequent andcontinuous basis whenever a user uses a mobile application.
Nature of the processing: All operations such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination (solely with non-personal data of exporter), restriction, erasure, or destruction of data (whether by automated means), anonymization, etc.
Purpose(s) of the data transfer and further processing: suppression list and invoicing.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: up to 13 months for fraud related issues only or for longer if an to the extent required under applicable law.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: The subject matter of the processing is Advertiser’s Personal Data, the nature of the Processing is the performance of the Service under the Agreement and as detailed above and the duration of the Processing is the term of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
The Identity the competent supervisory authority in accordance with Clause 13 of the New SCC is:
Where the data exporter is established in an EU Member State – the supervisory authority of such EU Member State shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) – the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) – the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses, shall act as competent supervisory authority.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE PERSONAL DATA
The Processor has implemented the measures as described in this exhibit insofar as the respective measure contributes or can contribute directly or indirectly to the protection of the Personal Data under the Addendum entered between the Parties.
These measures are commercially reasonable, are aligned with industry standard technical and organizational measures, to protect Personal Data. These measures are consistent with applicable laws and meet the standard of protection appropriate to the risk of processing Personal Data while providing the Processor’s services. The Processor will regularly carry out, test, review and update all such measures.
These measures will be subject to technical progress and future developments of Processor’s services. As such, the Processor will be permitted to implement alternative adequate measures. In such event, the security level may not be lower than the measures memorialized here. Material changes are to be coordinated with the Controller and documented.
Measures for ensuring physical security of locations at which Personal Data are processed
The Processor has implemented the following entry control measures insofar as Personal Data are processed in the Processor’s premises or access to such data from these premises cannot be precluded:
- Unauthorized persons are to be denied entry to the data processing facilities in which Personal Data are processed or used.
- Entry authorizations to office buildings, computer centers, and server rooms are restricted to the necessary minimum.
- Use of effective entry authorization controls through an adequate locking system (e.g., security key with documented key management, electronic locking systems with documented authorizations management).
- Documented and comprehensible processes for obtaining, changing, and rescinding entry authorizations, including routine and documented review whether the granted entry authorizations are up to date.
- Reasonable prophylactic and detection measures regarding unauthorized entry and entry attempts (e.g., routine checks of burglary security system for doors, gates, and windows, burglar alarm, video monitoring, guard service, security patrol).
- Written rules for employees and visitors for dealing with technical entry security measures.
Measure for user identification, authorization and for ensuring events logging
Potential use of data processing systems by unauthorized persons is to be prevented. The Processor has implemented the following access control measures for systems and networks, in which Personal Data are processed or through which access to Personal Data is possible, insofar as the Processor is responsible for the Personal Data access authorizations:
- Persons authorized to use a data processing system will be able to access only the data underlying their access authorization and that Personal Data will be incapable of being read, copied, changed, or removed without authorization during the processing and use of the data and after the data have been stored.
- Access authorizations to Personal Data is restricted to the necessary minimum.
- Access authorizations to Advertisers systems and non-public networks are restricted to the necessary minimum.
- Use of effective access authorization controls through personalized and unambiguous user identification and a secure authentication process.
- Recording of access, even by administrators.
- For password authentications:
- Specifications are to be made that ensure continuous password quality of at least twelve (12) characters, four (4) degrees of complexity (upper case, lower case, numbers, special characters), and a change cycle of a maximum of ninety (90) days.
- Technical test procedures are to be used to ensure password quality.
- If asymmetric key procedures (e.g., certificates, private-public-key-method) are used for authentication, it is to be assured that secret (private) keys are at all times protected by a password (passphrase).
- Implementation of documented and comprehensible processes for obtaining, changing, and rescinding access authorizations, including routine and documented review whether the granted access authorizations are up to date.
- Implementation of reasonable measures for securing network infrastructure (e.g., intrusion detection systems, use of 2-factor authentication for remote access, separation of networks, encrypted network protocols, and so forth).
- Written rules for employees for dealing with the security measures above and the secure use of passwords.
- Use of input controls – there is a possibility to subsequently review and determine whether and by whom Personal Data was entered, altered in, or removed from data processing systems. The Processor has implemented the following input control measures on its systems, which are used for processing the Personal Data or which enable or convey access to such systems:
- Creation and audit-proof storage of processing protocols.
- Securing log files against manipulation.
- Recording and evaluating unauthorized and failed login attempts.
- Ensuring that no group accounts (including administrators or root) are used.
Measures for ensuring system configuration, including default configuration and encryption of Personal Data
- Ensuring that critical or material security updates/patches will be installed according to the Processor’s internal Patch Management Policy: a. in client operating systems; b. in server operating systems reachable via public networks (e.g., webservers); c. in application programs (incl. browser, plugins, PDF-reader, etc.); d. in security infrastructure (virus scanner, firewalls, IDS-systems, content filters, routers, and so forth.); and e. in server operating systems of internal servers.
- Reasonable measures are used for the protection of end-devices, servers, and other infrastructure elements against unauthorized access (such as multi-level virus protection concept, content filters, application firewall, intrusion detection systems, desktop firewalls, system hardening, content encryption).
- The Processor has implemented the following sharing control measures insofar as Personal Data will be received, transferred, or transported by the Processor:
- Reasonable measures for securing network infrastructure (e.g., intrusion detection systems, use of 2-factor authentication for remote access, separation of networks, encrypted network protocols, and so forth.)
- Encryption – Processor implements encryption technology which commensurate with the state-of-the-art to be prescribed so that Personal Data will be incapable of being read, copied, changed, or removed during electronic transmission or during transport for storage on data carriers, such as RSA 2048.
- Data carrier encryption with – state of the art – algorithms and protocols to be classified as secure (e.g., TLSbased protocols) for the protection of mobile devices (notebooks, tablet PCs, smartphones, etc.) and data carriers (external hard drives, USB sticks, memory cards, and so forth).
- Implementation of technical security measures for export and import interfaces (hardware and application related).
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services and the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
Personal Data will be protected against accidental destruction or loss. The Processor has implemented the following availability control measures insofar as the processing is required for maintaining productive services:
- Operation and routine maintenance of fire alarms in server rooms, computer centers, and material infrastructure rooms.
- Creating sufficient backups
- Ensuring backup storage in a separate fire compartment.
- Routine backup integrity reviews.
- Systems and data restoration processes and documentation.
An incident would receive immediate attention from all relevant personnel. Once identified and validated, incidents will be reported according to the Processor’s security and privacy policies.
Processor’s development processes follow secure software development industry-standard practices, which include formal design reviews, threat modeling, and completion of a risk assessment.
Processor uses hash function to de-identify the Personal Data prior to any use.
Measures for ensuring data quality and allowing data portability and processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Personal Data collected for different purposes will be capable of being processed separately. The Processor has implemented the following separation measures insofar as such is within its area of responsibility:
- Logical and/or physical separation of test, development, and production systems.
- Separation of Controller’s Personal Data from other data sets including, but not limited to, its own, within the processing systems, and at interfaces.
- Ensuring that Personal Data are constantly identifiable on account of suitable labels; if such are processed for different purposes, including information specifying the respective purpose.
Measures for ensuring limited Personal Data retention
Personal Data is to be deleted, if it is processed for purposes as soon as the knowledge thereof is no longer necessary for the fulfillment of the purpose of the saving in accordance with DT’s data retention policy.
The Processor has implemented the following measures ensuring data deletion insofar as such is within its area of responsibility:
- Ensuring that the Personal Data are capable of being deleted at any time upon request of the Controller.
- Implementation of processes, tools, and documentation for secure deletion in a manner, such that recovery of the data is not possible given today’s state of technology (e.g., through overwriting).
- Providing the employees with specifications regarding how and when data are to be deleted.
Measures for internal IT and IT security governance and management and for ensuring accountability
The Processor has in place internal policies containing formal instructions for data processing procedures; Contractors are being carefully vetted regarding data security; The Processor personnel is being trained periodically to maintain awareness regarding data protection and security requirements.
ANNEX III
LIST OF SUB-PROCESSORS
[not applicable to Modules One and Four]
This Annex must be completed for Modules Two and Three, in case of the specific authorization of sub-processors (Clause 9(a), Option 1).
The Controller has authorized the use of the following sub-processors by Processor:
Digital Turbine | Amazon Web Services, Inc. | Cloud-based computing services (AWS)- US |
Digital Turbine | Google LLC | Cloud-based computing services (GCP)- US |
Digital Turbine | Databricks, Inc. | Cloud-based computing services- US |
Fyber | http://www.fyber.com/subprocessors. | |
Appreciate | https://appreciate.mobi/subprocessors | |
AdColony | Amazon Web Services, Inc. | Cloud-based computing services (AWS)- US |
AdColony | Google LLC | Cloud-based computing services (GCP)- Google Big Query US |
EXHIBIT B
STANDARD CONTRACTUAL CLAUSES
FOR PERSONAL DATA TRANSFERS FROM DT (ON BEHALF OF PUBLISHERS) TO ADVERTISER
ANNEX to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council:
- MODULE ONE: Transfer controller to controller
☐ MODULE TWO: Transfer controller to processor
☐ MODULE THREE: Transfer processor to processor
☐ MODULE FOUR: Transfer processor to controller
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN
ANNEX I
PROCESSING OF PUBLISHERS’ PERSONAL DATA BY ADVERTISER
A. LIST OF PARTIES
Data exporter(s): As set forth in the Agreement and in Appendix A above.
Address: As set forth in the Agreement and in Appendix A above.
Contact person’s name & title: DT’s legal team, email: [email protected]
Data Protection Officer name: Michael Panienka, email: [email protected]
Data importer(s): Advertiser’s name and contact details, as stated in the Agreement.
Activities relevant to the data transferred under these Clauses: ad targeting and delivery of ads to mobile application’s users, optimization, reporting, fraud detection, billing.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Mobile application users
Categories of personal data transferred: IP Address and Advertising ID.
Sensitive data is NOT transferred.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):
On frequent and continuous basis whenever a user chooses to click on an Ad.
Nature of the processing: All operations such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination (solely with non-personal data of exporter), restriction, erasure, or destruction of data (whether by automated means), anonymization, etc.
Purpose(s) of the data transfer and further processing: to monitor the installation of a mobile app on the user’s device or any other action that the Parties agreed, in writing, will be measured as payable event, for billing and invoicing purposes, for dealing with fraud claims and to provide reporting.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: up to 30 days from the personal data transfer.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: The subject matter of the processing is publishers’ Personal Data, the nature of the Processing is the performance of the Service under the Agreement and as detailed above and the duration of the Processing is the term of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
The Identity the competent supervisory authority in accordance with Clause 13 of the New SCC is:
Where the data exporter is established in an EU Member State – the supervisory authority of such EU Member State shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) – the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) – the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses, shall act as competent supervisory authority.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE PERSONAL DATA
Advertiser hereby represents and warrants that it has implemented the technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security, considering the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons as described in its internal Technical and Organizational Measures Policy, a copy of which will be provided to Data Exporter upon written request.
ANNEX III
LIST OF SUB-PROCESSORS
[not applicable to Modules One and Four]
This Annex must be completed for Modules Two and Three, in case of the specific authorization of sub-processors (Clause 9(a), Option 1).
The Controller has authorized the use of the following sub-processors by Processor: none