Master Service Agreement for Supply Partners
This Master Service Agreement for Supply Partners (“MSA”) is incorporated in and forms an integral part of the applicable Service Order entered between either Fyber GmbH or Fyber Monetization Ltd. (“Fyber” or “we”), each d/b/a “Digital Turbine” (as applicable) (“DT”) and the entity that uses such service, all as set forth in the applicable Service Order (“Supply Partner”, “you”) that was entered between the parties (each a “Party” and together the “Parties”).
The following documents with are included this MSA as appendixes and form an integral part hereof, which together with the Service Order, form the agreement between Demand Partner and Fyber with respect to the Service provided by Fyber to Supply Partner under and in accordance with the terms of the applicable Service Order (the “Agreement”):
- The Data Protection Addendum attached hereto as Appendix B (“DPA”).
- The Local Addenda to this MSA attached hereto as Appendix C (“Local Addenda”).
- Any guidelines, policies or other terms, including content policies referenced hereto.
Before using any Service, we ask that you read the Agreement carefully, as by using and/or accessing the Service, you hereby agree and accept the Agreement in full. We recommend that you print out or save a local copy of the Agreement for your records. Capitalized terms used but not defined elsewhere in the Agreement will have the meaning ascribed to them in Appendix A attached hereto.
This MSA contains provisions that apply to all of the Fyber services. However, the provisions in this MSA that apply to you are only those that relate to the Service(s) utilized by you under and in accordance with the terms of your Service Order with Fyber.
By using and/or accessing the service that is described in your Service Order with Fyber (“Service”), you hereby agree and accept the Agreement in full. We recommend that you print out or save a local copy of the Agreement for your records. Capitalized terms used but not defined elsewhere in the Agreement will have the meaning ascribed to them in Appendix A attached hereto.
If you do not accept this Agreement in its entirety, you may not access or use any Service. if you are an individual who consents to this Agreement on behalf of a business, you represent and warrant that you have the authority to bind that business to this Agreement and your consent to this Agreement will be treated as the consent of the business. In that event, “business”, “you” or “your” will refer and apply to that business. You also consent to the use of: (a) electronic means to consent to and complete this agreement and to provide you with any notices given pursuant to this Agreement; and (b) electronic records to store information related to this Agreement and your use of any Service.
From time to time we may change this MSA. Fyber will make reasonable commercial efforts to notify you of any updates to this MSA by making such updates available on the Fyber website and/or the respective Fyber dashboard. notwithstanding the foregoing, your continued use of any Service will be deemed acceptance to any amended or updated MSA.
1.1. Scope. Subject to the terms and conditions of the Agreement, Fyber will provide to Supply Partner the Service(s), as they are described in the applicable Service Order.
1.2. Conflict resolution clause. In the event of a conflict between a provision of this MSA and a provision of the applicable Service Order, the provision of the Service Order shall prevail.
2. Registration & Set Up
2.1. Supply Partner shall establish an Account by completing the registration process on the Fyber website and providing Fyber with accurate and complete information. Supply Partner will keep all Account information up-to-date.
2.2. Login Data. Supply Partner agrees to keep access data, such as user names and other login data, passwords, and other data required to access the Service(s) and the Account, strictly confidential, and will not disclose such data to any Third Party without Fyber’s prior written (email suffices) approval or as otherwise agreed in the Agreement. The Supply Partner must inform Fyber immediately upon becoming aware that any unauthorized Third Party has gained access to any such data or to Supply Partner’s technology, systems, equipment, and/or property. Fyber reserves the right at its sole discretion to either change any access data or to block any Account, at Fyber’s own discretion and without prior notification. In such cases, Fyber will inform the Supply Partner without undue delay, and will provide any such new access data upon request within a reasonable time.
2.3. Information and Filters. Supply Partner is solely responsible for submitting to Fyber its App’s characteristics, including but not limited to the Store ID or the domain and the name of the application, and for keeping such information up-to-date, including activating or deactivating filters available on the applicable Fyber dashboard, and applying various blacklisting and tagging features to screen out certain categories of Ads from being served on Supply Partner’s App.
3. Licenses and proprietary rights
3.1. Fyber’s license to Supply Partner. During the term hereof and subject to Supply Partner’s compliance with the Agreement, Fyber will provide Supply Partner with a limited, non-exclusive, royalty-free, non-transferable, non-assignable, non-sub-licensable, revocable license to: (a) access and use the applicable Service in accordance with the terms of the Agreement and solely for the purposes of: (i) selling Ad Inventory of the App to Demand Partners, and (ii) allowing Ads provided by Demand Partners to be delivered and placed on the App via the SDK, API or Tag (as applicable to Supply Partner’s integration with the Service); (b) download, install and/or use Fyber’s proprietary Software Developer Kits (“SDK”), solely for the purposes of using the Service as provided in this Agreement in which case Supply Partner agrees to be bound by the SDK License, currently available at https://www.fyber.com/legal/sdklicense which may be amended from time to time; (c) use Fyber’s proprietary Application Programming Interface (“API”) solely for the purposes of using the Service as provided in this Agreement in which case Supply Partner agrees to be bound by the API License, currently available at https://www.fyber.com/legal/apilicense which may be amended from time to time; and (d) access and use the Fyber dashboard for the purpose of viewing Supply Partner’s activity and performance via the Service.
3.2. Supply Partner’s License to Fyber.
3.2.1. With respect to the Fyber Marketplace and Fyber FairBid Service: for the duration of the Term and subject to the terms of the Agreement, Supply Partner hereby grants to Fyber and its Affiliates a non-transferable and non-assignable (except pursuant to section 11.4), , non-exclusive, royalty free, worldwide right and license to: (a) use the Ad Request, solely (i) for providing the Service(s), and (ii) in accordance with the Data Processing Addendum; and (b) enable Demand Partners to (i) deliver and place Ads on the App through the Service, and (ii) exchange the Ad Request required for providing the Service with Demand Partners on Supply Partner’s behalf.
3.2.2. With respect to the Offer Wall Service: for the duration of the Term and subject to the terms of the Agreement, Supply Partner hereby grants to Fyber and its Affiliates a non-transferable and non-assignable (except pursuant to Section 11.4), non-exclusive, royalty-free, and worldwide right and license to (a) integrate into the App an opt-in user-initiated scrollable list of offers of individual ads offered by Demand Partners and use any information derived from the provision of the Service for: (i) providing the Service(s), and (ii) solely in accordance with the Data Processing Addendum; and (b) provide technical support to Users of the Offer Wall Service on behalf of Supply Partner.
3.3. No Implied License. Except as expressly provided herein, nothing in this Agreement will be construed to confer any ownership interest, license, sale or other rights upon Supply Partner or Fyber (as applicable) by implication, estoppel or otherwise, as to any Intellectual Property Rights of the other party or any Third Party.
3.4. Open Source Software. The Service may include open source software (“OSS”). To the extent so provided by the license that governs the applicable OSS (“OSS License”), each such OSS is subject to its respective OSS License, not this Agreement. If, and solely to the extent, an OSS License requires that this Agreement effectively impose, or incorporate by reference, certain disclaimers, provisions, prohibitions or restrictions, then such disclaimers, provisions, prohibitions or restrictions shall be deemed to be imposed, or incorporated by reference into this Agreement, as required, and shall supersede any conflicting provision of this Agreement, solely with respect to the corresponding OSS which is governed by such OSS License, available under https://www.fyber.com/legal/opensource. Fyber does not make any representation or warranty with respect to any OSS or free software that may be included in or accompany the Service. Fyber hereby disclaims all liability to you or any third party related to any such software that may be included in or accompany the Service.
4. Representations and Warranties
4.1. Mutual Representations and Warranties. Each party represents and warrants that: (a) it has all requisite power and authority to execute and enter into the Agreement and perform its obligations therein and hereunder, and that the Agreement is a valid and binding agreement by such party; and (b) the execution of the Agreement, and its performance under it, will not constitute a breach or default of, or otherwise violate, any agreement to which it is a party, or violate any right of any third party arising therefrom.
4.2. Supply Partner Representations and Warranties. Supply Partner represents and warrants that:
4.2.1. all Apps and Ad Inventory complies with all applicable laws and regulations, including criminal code, data protection laws, consumer laws, youth protection provisions, and industry self-regulatory guidelines, such as the Digital Advertising Alliance (“DAA”) Self-Regulatory Principles or similar self-regulatory guidelines for mobile advertising in countries in which Users of the App are situated, that such App does not contain or promote any illegal content and/or any Prohibited Content, and that Supply Partner is solely and exclusively responsible for the App and Ad Inventory;
4.2.2. it shall not, and shall not permit, assist, or encourage any Third Party to, violate any Intellectual Property Rights or otherwise violate or breach any duty toward, or rights of, any person or entity, including without limitation rights of privacy and publicity via the App and/or Ad Inventory;
4.2.3. it shall not, and shall not permit, assist, or encourage any Third Party to, engage in Fraud via the App and/or Ad Inventory; and
4.2.4. it will not issue Ad Requests for any Ad Inventory and/or in relation to any App containing Fraud or violating Fyber’s Content Guidelines published on the Fyber website at https://www.fyber.com/legal/supply-content-guidelines/, as may be amended by Fyber from time to time.
4.3. Protection of Children. To the extent Supply Partner’s App audience includes children as defined under applicable laws, Supply Partner represents and warrants that: (i) Supply Partner will comply with all applicable laws and regulations related to providing behavioral advertising to children, including without limitation the Children’s Online Privacy Protection Act and its rules, as amended from time to time (collectively, “COPPA”), General Data Protection Regulation (“GDPR”) and California Consumer Privacy Act (“CCPA”); and (ii) Supply Partner shall not knowingly collect or allow Fyber to collect on its behalf any personal information of children for the purpose of ad targeting.
4.4. Supply Partner is required to flag, via the Fyber dashboard, if its App or a specific Ad Request is not directed at children. Supply Partner hereby acknowledges that Fyber relies on Supply Partner’s indication and will enable behavioral advertising only if Supply Partner has flagged its App or Ad Request as not directed at children.
4.5. App-Ads.txt. Supply Partner will include Fyber as a Direct on its App-ads.txt file in accordance with the IAB Tech Lab App-Ads.txt Public Spec (referenced here: https://iabtechlab.com/wp-content/uploads/2019/03/app-ads.txt-v1.0-final-.pdf). Fyber shall have the right to withhold payments due to Supply Partner under this Agreement, if Fyber’s Demand Partners refuse payment for Ads served via the Service on the App as a result of Supply Partner failure to list Fyber as a Direct in its App-Ads.txt file.
4.6. Pre-screening of Ads. If Supply Partner Seat is in China, then Supply Partner further represent and warrants that it will verify the Ad content and decide on the publishing of an Ad on its App in compliance with the Interim Measures for the Administration of Internet Advertisements.
4.7. Fyber Representation and Warranty. Fyber represents and warrants that: (a) the Service shall, in all material aspects, operate as set out in its respective Service description set forth in the applicable Service Order; and (b) the Service shall be and is in incompliance with applicable laws and does not infringe any third-party Intellectual Property Rights.
5. Fees & Payment / Taxes / Netting clause
5.1. Tracking. Fyber’s tracking and reporting regarding Ad Impressions and other payable events (if applicable) under the Service Order , shall constitute the basis to calculate the Ad Impressions or other payable events (as applicable) for the purpose of this Agreement, if not otherwise agreed between the Parties in the Service Order. Supply Partner shall duly examine the Account data and the amounts due to it when provided by Fyber, and shall notify Fyber, in writing (email suffices) and without undue delay (but in no event later than no later than fourteen (14) days upon receipt of the applicable report from Fyber), of any inaccuracy of the Account data or the amounts due to it that could be reasonably identified in such examination. If Supply Partner fails to notify Fyber of any such identifiable inaccuracy within such time period, the Account data and the amounts due to Supply Partner shall be deemed correct with regard to such identifiable inaccuracy. Supply Partner further agrees and acknowledges that the determinations of Fyber with respect its reporting and invoices are final where the difference between the evidence provided by Supply Partner and the Account data is less than ten percent (10%), which is considered a deviation in tracking customary in trade and therefore reasonably acceptable by both Parties. If the deviation is 10% or more, the Parties will negotiate in good faith to find an amiable solution.
5.2. Payout Threshold. In the case that the balance of amount(s) payable to Supply Partner is less than US$1,000 or the equivalent thereof in the applicable currency, the balance will be carried forward to the following calendar month until (a) the balance of payable amounts exceeds one US$1,000 or the equivalent thereof in the applicable currency, or (b) within sixty (60) days after the end of the month in which the Agreement is terminated.
5.3. Payment Terms. Subject to Section 5.2 above, any amounts due and payable to Supply Partner shall be paid within sixty (60) calendar days after the end of each calendar month, in US$, if not otherwise agreed between the Parties in the Service Order. Fyber may deduct from the payable amounts the costs (if any) of the wireless transfer of the payable amounts to Supply Partner’s bank account or of such other payment method as may be agreed between the Parties.
5.4. Tax and VAT. Each party shall bear its own expenses (including but not limited to any tax obligations) relating to the activities and payments received under the Agreement. All sums payable under the Agreement are exclusive of any applicable tax.
5.5. Fraud. Notwithstanding anything to the contrary stated anywhere else in this Agreement, Fyber reserves the right, where it has reason to believe in good faith that Fraud actually took place, to withhold or suspend payment or any other associated revenues, unless and until Supply Partner provides evidence satisfactorily establishing the validity of the Ad Impressions or other payable Users’ activities (if applicable). In addition, Supply Partner will promptly notify Fyber of any actual or suspected Fraud, and cooperate with Fyber in good faith to investigate, prevent and remedy any Fraud.
5.6. Netting Agreement. Supply Partner hereby acknowledges and agrees that Fyber shall have the right to set-off any and all amounts due by Supplier Partner to Fyber or any of its Affiliates, from any amount payable by Fyber or Affiliates to Supply Partner.
6. Modification of Service
The Service, by its nature, may be updated and developed continuously over time. Fyber may modify the Service without prior notice, but only with effect for the future (i.e., not retroactively) and provided that the modification is reasonable for the Supply Partner considering its interests. A modification is reasonable for the Supply Partner if it is necessary to adapt the Services to changed circumstances regarding technological developments, market requirements, and any changes of applicable law, and in case of any new features, functions, or services added to the Services. Accordingly, Supply Partner’s right to use the Services under this Agreement is limited to the then-current version of the Services. If a modification of a Service is not reasonably acceptable for Supply Partner, Supply Partner has the right to terminate the Agreement with respect to such Service effective immediately upon notice. Supply Partner shall have no other claims against Fyber due to changes in and to the Services.
7. Disclaimers; Limitation of Liability
7.1. Disclaimer. Fyber provides the Service and/or any Fyber dashboard and/or Ads “as is” and “as available”, without representations and warranties of any kind, express or implied, including, without limitation, implied warranties of merchantability, title, fitness for a particular purpose, reasonable care and skill, or any warranties arising out of a course of dealing or course of performance. Without limiting the foregoing, Fyber does not warrant that Supply Partner’s use of the Service and/or any Fyber dashboard will be uninterrupted, error-free, or virus-free, nor does Fyber make any warranty as to any results that may be obtained by use of the Service and/or any Fyber dashboard. Further, Supply Partner acknowledges that Ad(s) are provided by Demand Partners and that Fyber is not responsible for and does not provide any representation or warranty with respect to any Ad content that is connected or related to any Service. Fyber does not have any obligation to monitor the Ad content and is not responsible for the accuracy, completeness, appropriateness, legality, applicability, quality, suitability of the Ad content. While Fyber is under no obligation to do so, without limiting any other terms of this Agreement, Fyber reserves the right to remove any Ad content and permanently suspend provision of its Service to Supply Partner without notice in the event the that any App content is in violation of this Agreement. Partner acknowledges that it has received no assurances from Fyber that it will earn any particular amount of money or that it will recoup any expenditure made in fulfillment of its obligations under this Agreement, or that Fyber shall fill any percentage of available ad space for any App.
7.2. Limitation of Liability. Except for breach of confidentiality, willful misconduct and/or gross negligence, to the maximum extent permitted by applicable law, neither Party will be liable for indirect, special, incidental, punitive or consequential damages arising out of or related to this agreement, however caused, and under whatever cause of action or theory of liability even if a Party has been advised of the possibility of such damages. For all claims related to this Agreement neither Party’s total aggregate liability shall exceed the amount of ten thousand US Dollars (US$10,000). Notwithstanding all the foregoing, nothing in this Agreement shall limit the liability under Sections 8 and 9.
8.1. By Fyber. Fyber (for purposes of this Section 8.1, the “Indemnifying Party”) shall indemnify, defend and hold harmless Supply Partner and its directors, officers, employees and agents (collectively, the “Supply Partner Indemnified Parties”) against any liability, damage, loss or expense, fines, penalties and interests (including reasonable attorneys’ fees and costs) incurred by the Supply Partner Indemnified Parties as a result of any third-party claim, suit or other proceeding (collectively, “Claims”) alleging that the Service, as provided by Fyber to Supply Partner under the Agreement, infringes any Intellectual Property Right of a Third Party, except and to the extent such infringement arises from Supply Partner’s use of the Service in violation of this Agreement, or from any modification of the Service, or any combination of the Service with any other component or material. In the event of any such threatened or actual Claim, in addition to its indemnification obligations herein, Fyber will have the right, in its discretion, to either (a) replace or modify the infringing or allegedly infringing components of the Service, or (b) immediately terminate this Agreement upon written notice to Supply Partner.
8.2. By Supply Partner. Supply Partner (for purposes of this Section 8.2, the “Indemnifying Party”) shall indemnify, defend and hold harmless Fyber and its Affiliates, and its and their directors, officers and employees (collectively, the “Fyber Indemnified Parties”, and together with the Supply Partner Indemnified Parties, each shall be referred to hereunder as an “Indemnified Party”) against any liability, damage, loss or expense, fines, penalties and interests (including reasonable attorneys’ fees and costs) incurred by the Fyber Indemnified Parties as a result of any Claim brought or made against any of the Fyber Indemnified Parties in connection with, arising out of or relating to (a) any alleged or actual breach of Supply Partner’s representations, warranties or covenants under Sections 3, 4 and 9 of this MSA; (b) an allegation that the App’s content breached the Content Guidelines, contains any illegal content or facilitates Fraud; (c) an allegation that the App, or users’ downloads, installations or any use thereof, violates any law including infringes upon or misappropriates any Intellectual Property Right, publicity or privacy right; and/or (d) an allegation that Supply Partner has breached the Data Protection Addendum, attached hereto as Appendix B.
8.3. Indemnification Process. The Indemnified Party shall: (a) give the Indemnifying Party prompt written notice of the relevant Claim; (b) provide the Indemnifying Party, at the Indemnifying Party’s expense, with reasonable information, assistance and cooperation in the defense of such Claim; and (c) give the Indemnifying Party the right to control the defense and settlement of any such Claim, except that the Indemnifying Party will not enter into any settlement that affects the Indemnified Party’s rights or interest without the indemnified Party’s prior written approval, which shall not be unreasonably withheld or delayed, and provided further that the Indemnified Party shall not be required to allow the Indemnifying Party to assume the control of the defense of a Claim to the extent that the Indemnified Party determines (i) any relief other than monetary damages is sought against Indemnifying Party, (ii) there may be a conflict of interest between the Indemnifying Party and Indemnified Party in the conduct of the defense, or (iii) settlement of, or an adverse judgment with respect to, such claim could reasonably be expected to establish a precedential custom or practice materially adverse to the continuing business interests of the Indemnifying Party, and in such events the costs of defense will be considered “Claims” as defined above. The Indemnified Party will have the right to participate in the defense of such Claim with counsel of its choice at its own expense.
9.1. Confidentiality. Except as provided herein, neither Party shall disclose Confidential Information, including, but not limited, to the terms or conditions of the Agreement, to any Third Party, except as permitted by the Agreement. Notwithstanding anything to the contrary stated in the Agreement, Fyber may communicate the general nature of the Agreement and identify or announce Supply Partner as a customer of Fyber to Third Parties by name and logo, including in communications to existing and potential customers.
9.2. Handling Confidential Information. The receiving party of any Confidential Information from the disclosing party will use the same degree of care to protect the disclosing party’s Confidential Information as it uses for its own Confidential Information of similar nature, but in no event less than a reasonable degree of care, and will use such Confidential Information only for the purpose of exercising its rights or fulfilling its obligations under this Agreement. The receiving party will promptly return or destroy the disclosing party’s Confidential Information upon request of the disclosing party or upon termination of this Agreement (whichever occurs earlier), provided that the receiving party shall have the right to retain a copy of the Confidential Information if and to the extent required (i) by applicable mandatory law, for the duration of the required record retention period, or (ii) for the enforcement of any claims against the other party that may arise under this Agreement until such claims become time-barred. In this event, the receiving party shall return, destroy, or delete (as applicable) such copy upon the expiration of the applicable record retention or limitation period. Except as otherwise provided for in the Agreement, the receiving party shall not disclose any Confidential Information to any person or entity other than to its employees, professional advisors and auditors and its Affiliates and their employees, professional advisors and auditors who have a strict business need to access such Confidential Information and who are bound by non-disclosure obligations as restrictive as the confidentiality obligations in this MSA regarding the protection, use, and confidentiality of such Confidential Information.
9.3. Confidentiality Exception. Notwithstanding the obligations set forth in Section 9.1, each party may disclose the other party’s Confidential Information to the extent that such disclosure is required to be disclosed pursuant to a duly authorized subpoena, court order, or government authority order, provided that the receiving party shall (where reasonably practicable and without breaching statutory or regulatory requirements) provide prompt written notice to the disclosing party prior to such disclosure, so that the disclosing party may seek a protective order or other appropriate remedy.
9.4. Injunctive Relief. The Parties acknowledge that any breach of a party’s obligations arising under this Section 9 may give rise to irreparable harm to the other party and that such breach may be inadequately compensable in monetary compensation. Accordingly, either party may seek and obtain injunctive relief or other equitable remedies against such breach or threatened breach, in addition to any other legal remedies that may be available. The Parties acknowledge and agree that the covenants contained herein are necessary for the protection of legitimate business interests of the owners of the Confidential Information and are reasonable in scope and content.
10. Term & Termination
10.1. Term. The Agreement will enter into effect either upon (i) Fyber accepting Supply Partner’s Account registration (whereby such registration includes the acceptance of the Agreement by Supply Partner); or (ii) the signing of a Service Order between the Parties, which shall incorporate this MSA (the “Effective Date”). The Agreement shall continue in force thereafter, until terminated as provided herein (the “Term”).
10.2. Termination for Convenience. Unless otherwise agreed in the applicable Service Order, either party may terminate the Agreement at any time for any reason and without liability upon thirty (30) days prior written notice of termination (email shall suffice) to the other party. Notwithstanding the foregoing, upon mutual written agreement of the Parties (email suffices), such termination may be postponed until the date on which all Ads scheduled to be delivered through the Service have been delivered.
10.3. Termination for Cause. Fyber may suspend Supply Partner’s access to and use of all or any part of the Service immediately, with or without notice, if Fyber believes in good faith that Supply Partner materially breached any part of this Agreement. Fyber may terminate this Agreement for breach if Supply Partner fails to cure such breach within five (5) business days after receiving written (email sufficing) notice of such breach. Either party may terminate the Agreement for cause with immediate effect upon written notice to the other party if the other party is in breach of one of its material obligations under the Agreement, provided that the breaching party has not cured such breach within five (5) business days after receipt of a written (email suffices) notice of the breach from the terminating party
10.4. Effect of Termination. Upon termination of the Term of this Agreement, all rights and licenses granted under the Agreement shall immediately terminate. Supply Partner shall discontinue all access to and use of the Service and shall have no rights in or to any Account data, which shall, as between Supply Partner and Fyber, be the exclusive property of Fyber and must be deleted by Supply Partner after settling any open amounts payable by or to Fyber. Termination of the Agreement will not release the Parties of any obligation accruing prior to such termination, or any amounts due to Supply Partners for Ads delivered up to the termination date in accordance with the terms of any applicable Service Order.
10.5. Surviving Provisions. The rights and duties of the Parties under Sections 7.2, 8, 9, 10.5, 11 and Appendix B of this MSA will survive the termination of the Agreement.
11.1. Entire Agreement; Amendment; Severability. The Agreement supersedes all previous agreements between the Parties relating to the subject matter hereof. No provision of the Agreement will be deemed amended or modified by either party, unless such amendment or modification is made in writing and signed by both parties. If any provision of the Agreement is found by a competent authority to be unenforceable or invalid under the applicable law, the enforceability and validity of the remaining provisions will not be affected. Such provision will be interpreted and enforced so as to best accomplish the objectives of the Parties within the limits of applicable law, including applicable court decisions.
11.2. No Waiver. Fyber’s failure to act with respect to a breach by Supply Partner does not waive Fyber’s right to act with respect to that breach or subsequent or similar breaches. No consent or waiver by Fyber under the Agreement shall be deemed effective unless delivered in writing and signed by a duly appointed representative of Fyber.
11.3. Counterparts. This Agreement may be executed in any number of counterparts, each of which will be deemed an original and all of which taken together will constitute one signed agreement between the Parties. Signatures may be transmitted by facsimile or electronic mail in PDF or another similar format and will be deemed original.
11.4. Assignment. Supply Partner will not assign or otherwise transfer this Agreement or any right or interest thereunder to any Third Party without the prior written consent of Fyber, except if such assignment occurs (a) pursuant to a merger, transfer or a sale of all or substantially all its assets or capital stock; or (b) to any successor or assignee of all or substantially all its business. Fyber may assign or otherwise transfer this Agreement without consent. Subject to the foregoing terms and restriction on assignments, the Agreement will be fully binding upon, inure to the benefit of, and be enforceable by, the Parties and their respective successors and assignees. Except as permitted by the foregoing, any attempted assignment, delegation or other transfer will be null, void and of no effect.
11.5. Force Majeure. Neither party will be liable to the other party for failure or delay in performing its obligations due to causes beyond its reasonable control, including without limitation acts of God, terrorism, war, riots, fire, earthquake, flood or degradation or failure of third-party networks or communications infrastructure.
11.6. Marketing. Supply Partner agrees that Fyber may identify Supply Partner, including by using Supply Partner’s name(s) and logo(s), as a customer of Fyber, including in Fyber’s website(s), newsletters, case studies, emails or promotional posts in social media; in the event that Supply Partner wishes to be excluded from a specific promotion/publication of Fyber, Supply Partner may notify Fyber in writing and Fyber will cease using Supply Partner’s name(s) and logo(s) in such publication, on a going-forward basis, provided that Fyber will not be required to cease such use in any printed material that has already been printed or ordered. Unless otherwise agreed by Parties, you will not be entitled to any compensation as a result of any such publication.
11.7. Arbitration. The Parties agree to arbitrate any dispute arising out of or relating to this Agreement or any Service, except that nothing in this Agreement will prohibit either Party from seeking temporary or preliminary injunctive or other equitable relief in any court of competent jurisdiction with respect to any alleged unlawful use of Intellectual Property Rights. THE PARTIES AGREE THAT THIS ARBITRATION PROVISION PREVENTS SUITS IN COURT OR A JURY TRIAL. Fyber and Supply Partner agree: (a) to notify each other, in writing, of any dispute within thirty (30) days of when it arises; (b) to attempt informal resolution prior to any demand for arbitration; (c) that any arbitration will occur in New York County, New York State, USA; and (d) that arbitration will be conducted confidentially by a single arbitrator in accordance with the Rules of JAMS. The state or federal courts in New York County, New York State, have exclusive jurisdiction over any appeals of an arbitration award. Other than with respect to class procedures and remedies as discussed below, the arbitrator has the authority to grant any remedy that would otherwise be available in court. Any dispute between the Parties will be governed by this Agreement and the laws of the State of New York and applicable United States law, without giving effect to any conflict of laws principles that may provide for the application of the law of another jurisdiction. WHETHER THE DISPUTE IS HEARD IN ARBITRATION OR IN COURT, THE PARTIES WILL NOT COMMENCE AGAINST THE OTHER OR PARTICIPATE IN ANY CLASS ACTION, CLASS ARBITRATION OR OTHER REPRESENTATIVE ACTION OR PROCEEDING.
11.8. Governing Law and Jurisdiction; Local Addenda. Unless otherwise stated in Sections 11.8.1 to 11.8.3 or otherwise agreed to by the parties, this Agreement is governed by the laws of the State of New York, USA, excluding its conflict of laws principles, and the laws of the United States (including the Federal Arbitration Act). To the extent the arbitration provision in Section 11.7 does not apply, Supply Partner and Fyber agree that the courts located in New York County, New York State, USA shall have exclusive jurisdiction over any dispute between the Parties arising out of or relating to this Agreement, and the parties hereby consent to the personal jurisdiction and venue of these courts.
11.8.1. Germany. If Supply Partner has its Seat in the Federal Republic of Germany, the following shall apply:
(a) The Agreement and any non-contractual obligations arising out of or in connection with it shall be governed by, and construed in accordance with, the laws of the Federal Republic of Germany, without regards to their conflict of laws rules. To the extent the arbitration provision in Section 11.7 does not apply, Supply Partner and Fyber agree that the courts located in Berlin, Germany shall have exclusive jurisdiction over any dispute between the parties arising out of or relating to the Agreement, or any non-contractual obligations arising out of or in connection with it, and the parties hereby consent to the personal jurisdiction and venue of these courts.
(b) The terms and conditions of the Local Addendum to the Master Service Agreement for Supply Partners – Germany in Appendix C shall be effective as an integral part of the Agreement and shall replace and supersede any conflicting provisions, except for conflicting terms individually agreed upon between the parties in the applicable Service Order, which shall take precedence over the terms thereof.
11.8.2. Europe. If Supply Partner has its Seat in the European Economic Area (other than the Federal Republic of Germany) or otherwise within Europe (including Armenia, Cyprus, Greenland, and the entire territory of Azerbaijan, Georgia, Kazakhstan, Russia, and Turkey), the following shall apply:
(a) The Agreement and any non-contractual obligations arising out of or in connection with it shall be governed by, and construed in accordance with, the laws of England and Wales, without regards to its conflict of laws rules. To the extent the arbitration provision in Section 11.7 does not apply, Supply Partner and Fyber agree that the courts in England shall have exclusive jurisdiction over any dispute between the parties arising out of or relating to the Agreement, or any non-contractual obligations arising out of or in connection with it, and the parties hereby consent to the personal jurisdiction and venue of these courts.
(b) The terms and conditions of the Local Addendum to the Master Service Agreement for Supply Partners – Europe in Appendix C shall be effective as an integral part of the Agreement and shall replace and supersede any conflicting provisions, except for conflicting terms individually agreed upon between the parties in the applicable Service Order, which shall take precedence over the terms thereof.
11.8.3. Asia. If Supply Partner has its Seat in Mainland China, Hong Kong, Macau, Taiwan, Indonesia or Singapore the following shall apply:
(a) The Agreement and any non-contractual obligations arising out of or in connection with it shall be governed by, and construed in accordance with, Hong Kong law, without regards to its conflict of laws rules.
(b) The terms and conditions of the Local Addendum to the Master Service Agreement for Supply Partners – Asia in Appendix C shall be effective as an integral part of the Agreement and shall replace and supersede any conflicting provisions, except for conflicting terms individually agreed upon between the parties in the applicable Service Order, which shall take precedence over the terms thereof.
11.9. Independent Contractors. The Parties hereto are and shall remain independent contractors, and nothing herein shall be deemed to create any agency, partnership or joint-venture relationship between the parties. Neither party shall be deemed to be an employee or legal representative of the other, nor shall either party have any right or authority to create any obligation on behalf of the other party.
11.10. It is not the intention of this Agreement to create any third-party beneficiary rights in any third-party individual or entity that is not a party to this Agreement, and no such rights will be deemed to have been created.
11.11. Notice. Notices must be in writing and will be deemed given when (a) delivered personally; (b) delivered by recognized overnight courier (established by written verification of personal, certified or registered delivery from a courier or the postal service); (c) sent by fax (established by a transmission report); or (d) sent by email to the recipient at the most up-to-date email address provided by the other party, provided that (i) the sending party can confirm that the email was apparently sent successfully according to its ordinary technical records, and that the party did not receive an error notice, and (ii) the email includes in the subject line “LEGAL NOTICE”. If sent by email from Supply Partner to Fyber, the following address must be copied: [email protected]. Notices to a party shall be sent to the postal and electronic mail addresses set forth in this Agreement, or such different address as a party may designate in writing to the other party from time to time.
Appendix A – Definitions
“Account” means an online, password-protected account provided by Fyber allowing Supply Partner to access and use the Services in accordance with the Agreement.
“Ad” means promotional content and creatives, including text, graphics, video or rich media, provided by Demand Partners to Fyber or to the Service for placement on the Inventory of the App via the Service.
“Ad Impression” means when an Ad is fetched from its source and is countable.
“Ad Inventory” means the Ad space(s) available via the Service for sale by Supply Partner on its App for the placement of Ads.
“Ad Request” means an electronic request for an Ad, and any parameter or information transmitted and/or sent by Supply Partner to Fyber in connection with the App.
“Affiliates” means, with respect to a party, any and all entities which, directly or indirectly, control, are being controlled by, or are under common control with such party.
“API” means application programming interface that specifies patterns of interaction between certain software components.
“App(s)” (previously referred to as “Property”) means any mobile application(s) or mobile website(s), owned, controlled and/or developed by Supply Partner.
“Bid” means the price offered by Demand Partner for a specific Ad Impression on the App and an Ad received by Demand Partners via the Service in response to an Ad Request.
“Confidential Information” means any proprietary, confidential and/or trade secret information of a disclosing party and/or its Affiliates, and/or others possessed by disclosing party, whether furnished before or after the Effective Date of any Service Order entered by and between Fyber and Supply Partner, regardless of the manner in which it is furnished. Such information includes without limitation, the following: (a) any information, artwork, designs, ideas, concepts, know-how, data, products, services, processes, techniques, drawings, programs, code, inventions, computer program, formulae or test data, work in progress, engineering, manufacturing, marketing, financial, sales, suppliers, customers, investors and/or business information, whether in oral, written, graphic, or electronic form; and/or (b) any document, diagram, drawing, computer program and/or code or other communication; and/or (c) the terms and conditions of this Agreement. Any information disclosed by the disclosing party whether it is conspicuously marked “confidential”, is known or should have been reasonably known by the receiving party to be confidential in nature, shall be considered as Confidential Information. For purposes of the Agreement, Confidential Information shall not include any information that: (a) is, or subsequently becomes, publicly available without the receiving party’s breach of any obligation owed to the disclosing party; (b) became known to the receiving party prior to the disclosing party’s disclosure of such information to receiving party; (c) became known to the receiving party from a source other than the disclosing party by means other than by a breach of an obligation of confidentiality owed to the disclosing party; or (d) is independently developed by the receiving party without the use of any of the disclosing party’s Confidential Information. If a particular portion or aspect of the Confidential Information becomes subject to any of the foregoing exceptions, all other portions or aspects of such information shall remain confidential and subject to all of the provisions of the Agreement.
“Costs” means Fyber’s costs and fees related to the operation, maintenance, and data security that are directly associated with providing the Service to Supply Partners, including but not limited to costs and fees related to third-parties for the Ad serving and bidding, Fraud detection vendors (including mitigation and prevention measures), customer support, tracking, attribution and measurement and credit risk assessment management, all up to a maximum 10% of the Revenue.
“Demand Partners” means third parties that have entered into a contract with Fyber to buy Ad Inventory via the Service from Supply Partner, to serve Ads on that App. Such Demand Partners may be advertisers, Ad agencies, Ad networks, Exchanges and demand side platforms (DSPs).
“Fraud” includes, among others and without limitations: (a) any action taken by any person that is intended to inflate, either directly or indirectly, the Supply Partner Revenue Share; and/or (b) the generation of User activities through a mechanism not approved by or acceptable to Fyber, including but not limited to (i) applying automatic redirecting of Users, blind text, or misleading links, forced and/or artificial clicks, bots, or any other automatic process or method that generates a User activity without a conscious and willful action of a User; (ii) creating fake impressions, clicks, views, and installs generated by a person, a robot, an automated program, or any equivalent or similar mechanism having an equivalent or similar effect; (iii) operation of or linking to Ad Inventory on the App that displays no content for the sole purpose of generating User Activities; (vi) implementation of 1×1 pixels to deliver invisible advertisements; (iv) impersonating or misappropriating the identity of a Supply Partner and/or any other Third Party.
“Fyber API” means Fyber’s application programming interface that specifies patterns of interaction between certain software components.
“Intellectual Property Rights” means any patent, copyright, neighboring right to copyright, including database right, right to trademarks, right to trade and business secrets, right to trade dresses, right to domain names, right to mask works, right to moral rights of authors of copyright protected works, right to publicity, right to privacy, and any other personal right, right of attribution, or integrity; or any other intellectual or industrial property right anywhere in the world, whether under statutory law, common law, or otherwise.
“Net Revenue” means the gross revenue received by Fyber from Demand Partners for the delivery of Ads on the App via the Service less any taxes, rebates, charge-backs, make-good, all applicable advertising agency commissions, refunds, Costs, including but not limited to any risk fees , bad debts and any other uncollected amounts.
“Prohibited Content” means any content or other material that (a) violates any applicable law or regulation, including the criminal code, data protection, consumer law and children protection laws, or infringes any Third Party rights, including Intellectual Property Rights; (b) is obscene, sexually explicit or defamatory; (c) encourages violence or is threatening or harassing; (d) contains viruses, spyware, adware, pirated software; digital rights protection circumvention or hacking tools, spamming tools or any other harmful code or activity that could, in an impermissible manner, access or use, impair or injure any data, devices, computer systems; or software; (e) is false, misleading or deceptive; (f) includes references to illegal gambling, alcohol, tobacco, drugs, or firearms, including without limitation ammunitions, fireworks and explosives; (g) endorses or encourages violence, hatred, revenge, racism, sexism, victimization, discrimination of any kind; (h) results in consumer fraud, product liability, or breach of contract to which Customer is a party, or causes injury to any Third Party; or (j) promotes any products and services that fall within any of the foregoing categories (a) to (h).
“Revenue” means all amounts received by Fyber from Demand Partners for Ads delivered and placed on the App via the Service.
“Seat” means the address provided for Supply Partner in the applicable Service Order. If no address is provided in the applicable Service Order then the Seat will be deemed to be in New York City, New York, USA, for the purposes of this agreement.
“Third Party” means any natural person or legal entity other than a party or authorized agent of a party.
“User” means a human end-user accessing an App.
DT GLOBAL DATA PROTECTION ADDENDUM
FOR SUPPLY PARTNERS
This Data Protection Addendum (“Addendum”) supplements and forms part of any existing and currently in effect commercial agreement (the “Agreement“), either previously or concurrently executed by either Fyber GmbH or Fyber Monetization Ltd., each d/b/a “Digital Turbine” (as applicable) (“DT”) and the company or business that has been using the Service (as defined on the applicable Service Order) provided by DT (“Supply Partner”). Each party to this Addendum will also be referred to as a “Party” and together – the “Parties”. This Addendum reflects the Parties’ agreement on the Processing of Personal Data in connection with the Service.
This Addendum takes effect as of the Effective Date of the Agreement entered between Supply Partner and DT. In case of any conflict between a provision of this Addendum and the Agreement, the provisions of this Addendum will prevail. Capitalized terms used herein and not defined herein will have the meaning set forth in the Agreement, or under applicable Data Protection Laws.
- “Adequacy Decision” means, a decision by a competent authority of a country, or statutory provisions, that recognize another country as providing an adequate level of protection to Personal Data, as determined pursuant to the Data Protection Laws of the country that issued the decision or enacted such statutory provisions, and in accordance with such decision or statutory provisions, the transfer of Personal Data to such other recognized country is permitted without additional measures related to the transfer of the Personal Data.
- “Affiliates” means, with respect to a Party, all entities which directly or indirectly control, are being controlled by, or are under common control with such Party.
- “Controller” means the entity which determines the purposes and means of the Processing of Personal Data and including “Business” and similar terms under Data Protection Laws. In the context of this Addendum the term means Supply Partner.
- “Data Protection Laws” means as such term, or any similar term referring to Personal Data Processed by DT on Supply Partner’s behalf, is defined in the DPA or the Agreement, and to the extent that the Agreement or DPA does not include such term – any Personal Data Processed by DT on behalf of Supply Partner as a Service Provider or Processor in connection with the provision of the Service to Supply Partner under the Agreement.
- “Data Subject” means an identified or identifiable natural person, a household consisting of natural persons, or a device associated with a natural person, to whom the Personal Data relates, including “Consumer” and any similar terms under applicable Data Protection Laws.
- “Demand Partners” mean advertisers, DSPs, ad networks and other online advertising entities.
- “Personal Data” means any information where such information is protected under Data Protection Laws and including “Personal Information” and any similar terms under Data Protection Laws.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed and including “Security Breach” and any similar terms under Data Protection Laws.
- “Personal Data Transfer” means: (i) transfer of Personal Data from Supply Partner to DT; or (ii) an onward transfer of Personal Data from DT to a Sub-Processor, in each case, where such transfer outside of the jurisdiction of Supply Partner would be regulated by Data Protection Laws including through (a) an Adequacy Decision, (b) Statutory Data Transfer Agreements, or (c) in accordance with the terms of other applicable lawful data transfer measures or derogations.
- “Personnel” means persons authorized by DT to Process Supply Partner Personal Data.
- “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, and including the terms “using”, “collecting” and any similar terms under Data Protection Laws.
- “Processor” means the entity which Processes Personal Data on behalf of the Controller and including “Service Provider” and similar terms under Data Protection Laws. In the context of this Addendum this term means DT.
- “Statutory Data Transfer Agreement” means statutory provisions enacted pursuant to Data Protection Laws, which establish binding terms for cross-border transfer of Personal Data from one jurisdiction to another, including where applicable under Data Protection Laws, through access to Personal Data from the non-transferring territory, which can be executed between the transferring and the recipient parties to facilitate the lawful cross-border transfer of Personal Data.
- “Supply Partner Personal Data” – Personal Data Processed by DT on the Supply Partner’s behalf, under the Agreement.
- “Sub-Processor” means any third party, including a DT Affiliate, appointed by or on behalf of DT to undertake Processing in connection with the Service.
- “Supervising Authority” means an independent public authority which is established in a jurisdiction under Data Protection Laws with competence in matters pertaining to the protection of Personal Data.
- “Third Party” means an entity which is not a Controller, a Processor or Data Subject, or any person acting under their direct authority. Where applicable Data Protection Laws do not include a Processor position, then service providers and contractors who Process Personal Data on the Controller’s behalf will be regarded as a Third Party. For the purpose of this Addendum, attribution providers, fraud detection and cyber security service providers as well as Demand Partners constitute Third Parties.
- DATA PROCESSING
- Within the scope of the Service, Supply Partner hereby engages DT for the purposes of monetizing Supply Partner’s mobile application(s) with ads provided by third party advertisers t through DT’s programmatic ad monetization platform (the “Purpose”).
- Supply Partner assumes the position of a Controller and hereby agrees to appoint DT as Supply Partner’s Processor, and Supply Partner authorizes and instructs DT to Process Supply Partner Personal Data related to Data Subjects who use Supply Partner app’s users, and to share such data with relevant Demand Partners on Supply Partner’s behalf, as part of the Service. Supply Partner authorizes DT to engage with all relevant Demand Partners under data processing agreements on Supply Partner’s behalf, including, inter alia, engaging such Demand Partners under the EU SCCs on Supply Partner’s behalf to facilitate the lawfulness of Personal Data Transfers between Supply Partner and Demand Partners. In consideration for providing the Service to Supply Partner, DT transfers payments to Supply Partner from relevant Demand Partners that purchased the ad space inventory on Supply Partner’s mobile application or website and retains a share of such payments, pursuant to the terms of the Agreement. DT does not receive from Supply Partner and Supply Partner does not sell (as defined under Data Protection Laws), or otherwise pay DT, any monetary or other valuable consideration for Supply Partner’s sharing of Supply Partner Personal Data with DT or for DT’s Processing of Supply Partner Personal Data on behalf of Supply Partner. DT will not sell or share (as defined under applicable Data Protection Laws) Personal Data received under this Addendum, which is disclosed by Supply Partner to DT only for the limited business purpose defined above as the Purpose.
- Supply Partner acknowledges and agrees that Supply Partner has the sole responsibility for: (a) the lawfulness of the Processing of Personal Data of Supply Partner mobile application’s users, and warrant to DT that Supply Partner is legally allowed to engage DT for the purpose of such Processing on Supply Partner’s behalf; and (b) providing all necessary notices and obtaining all required permissions and consents from the Data Subjects, or otherwise securing the lawful grounds for the Processing described in this Addendum, as required under applicable Data Protection Laws, including, without limitation the sharing of Personal Data with, and the Processing thereof by DT, DT’s Affiliates and relevant Third Parties for the purpose of using DT’s ad monetization services as set forth in the Agreement.
- Neither Party will do, nor cause or permit to be done, anything which may knowingly or intentionally result in a breach of Data Protection Laws. DT undertakes to: (i) comply with its obligations under Data Protection Laws, including providing the same level of privacy protection as required by Supply Partner under Data Protection Law; and, (ii) notify Supply Partner no later than within five (5) business days after determining that DT can no longer meet its obligations under applicable Data Protection Laws with respect to Personal Data disclosed to it under this Addendum.
- DT may not: (i) Sell Personal Data received from Supply Partner under this Addendum; or, (ii) retain, use, or disclose such Personal Data for any purpose other than for the specific purpose of performing the Service, including retaining, using, or disclosing Personal Data received from Supply Partner for a commercial purpose other than providing the Service to Supply Partner or outside of the direct business relationship between DT and Supply Partner.
- Supply Partner may take reasonable and appropriate steps to ensure that DT uses the Personal Data disclosed to it under this Addendum in a manner consistent with Supply Partner’s obligations under Data Protection Laws and, upon notice, take reasonable and appropriate steps to stop and remediate DT’s unauthorized use of Personal Data disclosed to DT hereunder.
- DT will only Process Personal Data on Supply Partner’s behalf in accordance with Supply Partner’s written instructions unless the Processing is required by applicable Data Protection Laws. Supply Partner hereby instructs DT to Process Personal Data, including transfer of Personal Data outside of Supply Partner’s jurisdiction, for the following purposes: (i) Processing in accordance with this Addendum, the Agreement and pursuant to the features and limitations of the applicable Service(s) which DT provides Supply Partner under the terms of the Agreement; and (ii) Processing to comply with other reasonable instructions provided by Supply Partner, where such instructions are consistent with the terms of the Agreement. DT will be under no obligation to comply with instructions that DT deems as violating Data Protection Laws. Processing outside the scope of this Addendum (if any) will require prior written agreement between DT and Supply Partner on additional instructions and terms for Processing. Except as permitted under applicable Data Protection Laws, DT will not Process Supply Partner Personal Data for any other purposes, or outside of the direct business relationship between Supply Partner and DT, and without limitation, will not sell or otherwise receive payment or other valuable monetary consideration from Demand Partners and other Third Parties for sharing Supply Partner Personal Data with such Demand Partners and other Third Parties. DT acknowledges and will comply with the restrictions set forth in this section.
- Supply Partner authorizes DT to collect, via its SDK, the following Personal Data, for the purposes described under this Addendum, and as further defined during Supply Partner’s integration with DT’s applicable SDK:
- Information about an end user’s device such as device type and model, network provider, browser type, language, device IP address, operation system, network connection type, and device GPS location (only if Supply Partner enables such data collection during the SDK integration setup and a user provides permission to the collection thereof).
- Advertising ID (Apple IDFA, if the user has provided permission to use it, or Google AAID).
- Information about Supply Partner’s mobile app such as package name, keywords, and version.
- Additional user information Supply Partner enables DT to collect during the SDK integration setup and only if a user provides permission to the collection thereof, such as users’ age, gender, zip code, and GPS location.
- Further details related to the additional data that DT’s SDK may collect and process for contextual app targeting (as applicable) is available at: https://developer.DT.com/hc/en-us/articles/360010959798-Contextual-App-Targeting-for-the-Post-IDFA-Era.
- Data Subjects affected by the Processing under this Addendum are the end users of Supply Partner’s mobile app. DT uses the Personal Data collected form such users solely for providing the Service to Supply Partner. Processing operations by DT include the Processing of the aforementioned Supply Partner’s Personal Data to (a) serve Supply Partner app’s users with ads (contextual and/or targeted), (b) to produce reports on the performance of the ad campaigns on Supply Partner’s app and to improve and optimize the advertising performance on Supply Partner’s app and Supply Partner’s monetization via the Service. As part of the Service, DT also processes Supply Partner Personal Data for fraud prevention, bot detection, rating, analytics, viewability, security & verification services, problem and fault management.
- DT will ensure that DT’s access to Supply Partner Personal Data is limited to those personnel who require such access to perform the Service under the Agreement. DT imposes appropriate contractual obligations upon its personnel who engage in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection and data security. DT ensures that its applicable personnel were informed of the confidential nature of the Personal Data, have received appropriate training and have executed written confidentiality agreements. DT will further ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.
- DATA SECURITY
- DT will take appropriate technical and organizational measures to ensure a level of security appropriate to the risk involved in Processing Supply Partner Personal Data. These measures are aimed at ensuring that Supply Partner Personal Data is reasonably protected against accidental or unauthorized destruction, accidental loss, as well as against unauthorized alteration of, disclosure of and access to Supply Partner Personal Data – all as specified at DT.com/securitypolicy (the “Data Security Addendum”).
- To the extent that the technical and organizational measures taken by DT do not meet mandatory requirements, as set forth under Data Protection Laws which are applicable to Supply Partner, Supply Partner must notify DT in written or in text form thereof prior to the start of any Processing of Supply Partner Personal Data. In that case, both parties will negotiate in good faith an adjustment of the technical and organizational measures and the compensation for those required adjustments. The technical and organizational security measures may be adjusted by DT at any time insofar as the security level does not fall below the security level of the technical and organizational security measures set forth in the Data Security Addendum.
- DT will use commercially reasonable efforts to provide in a prompt manner such co-operation as is reasonably necessary to enable Supply Partner to ensure compliance with applicable Data Protection Laws. DT will notify Supply Partner without undue delay, unless prohibited under applicable laws, of:
- any official competent supervisory proceedings regarding the Processing of Supply Partner Personal Data conducted by Supervisory Authorities vis-à-vis DT, as well as support and cooperation which may be required from Supply Partner in such inspections/proceedings conducted vis-à-vis Supply Partner upon Supply Partner’s request;
- any legal or factual circumstances preventing DT from executing any of Supply Partner’s instructions under the terms of this Addendum; and
- any material changes impacting the technical and organizational security measures implemented by DT which cause such measures to fall short of DT’s data security obligations as set forth in the Data Security Addendum.
- To the extent DT receives complaints and/or inquiries from Data Subjects or third parties requesting information regarding the Processing of Supply Partner Personal Data, DT will forward such complaints and/or inquiries to Supply Partner without undue delay. DT will not provide any information to any Data Subjects or third parties, unless (i) DT is statutorily obligated to provide such information or (ii) Supply Partner has given DT instructions to do so. To the extent that DT will be obliged to provide to third parties information regarding Supply Partner Personal Data on the basis of statutory provisions, DT will inform Supply Partner in due time prior to providing the information, of the recipient, the date and time, the content of the information to be issued, and the legal basis thereof, unless such notice is prohibited by applicable laws.
- DT will support Supply Partner and assist in handling Data Subjects’ requests to exercise their rights to access, rectify, erase or such other rights afforded to Data Subjects under Data Protection Laws, in relation to their Personal Data, by taking reasonable measures based upon Supply Partner’s instructions. Should Supply Partner be obligated to provide information to any Data Subject or third party regarding the Process of Supply Partner Personal Data by DT, DT will use commercially reasonable efforts to support Supply Partner in the provision of such information. Supply Partner acknowledges that as DT does not Process specific unique identifiers such as name, photo ID, government issued ID, email address and telephone number, DT’s ability to identify Personal Data related to a specific Data Subject is limited and Supply Partner may need to furnish DT, and potentially request the Data Subject who invoked the right to exercise rights, to furnish, additional details, as necessary to enable DT to assist with the request.
- To the extent necessary, DT will provide Supply Partner reasonable assistance, at Supply Partner’s expense, with any data protection impact assessments, and prior consultations with Supervising Authorities, which Supply Partner reasonably considers to be required by Data Protection Laws, in each case solely in relation to Processing of Supply Partner Personal Data and considering the nature of the Processing and information available to DT.
- If pursuant to applicable Data Protection Laws, Supply Partner decides at its sole discretion and liability, that an opt-in consent from Data Subjects is required for sharing of Supply Partner Personal Data with DT, DT’s Affiliates and Third Parties for targeted advertising purposes, then subject to a written notification by Supply Partner to DT in relation thereof, Supply Partner will set an opt-in flagging mechanism with DT’s technical support, which will transmit Supply Partner’s users’ choice (an opt-in consent or a refusal to consent) to DT which shall also pass such flag ‘as is’ to its relevant Third Parties. Accordingly, if a refusal signal was transmitted in relation to any specific Data Subject, DT will not Process Supply Partner Personal Data related to the relevant Data Subject for targeted advertising purposes and will only use and share such Supply Partner Personal Data for the limited permissible uses under the applicable Data Protection Laws, including for invoicing, attribution and reporting purposes.
- If pursuant to applicable Data Protection Laws, Supply Partner decides, at its sole discretion and liability, that its mobile application should provide users with an opt-out option from sharing of Supply Partner Personal Data with DT, DT’s Affiliates and Third Parties for targeted advertising purposes,, including without limitation an option to opt-out or object to further Processing or to the selling of Personal Data, on its mobile application or other online property’s homepage, then subject to a written notification by Supply Partner to DT in relation thereof, Supply Partner will set an opt-out flagging mechanism with DT’s technical support, which will transmit Supply Partner’s users’ opt-out requests to DT, and accordingly, DT will cease Processing Supply Partner Personal Data related to the opted-out users, device or household (as applicable) and may only use and share such Supply Partner Personal Data for the limited permissible uses under the applicable Data Protection Laws, including for attribution and reporting purposes.
- Supply Partner hereby acknowledges and agrees that DT is under no obligation or ability to check and confirm the accuracy of the signals and transitions from Supply Partner regarding its mobile application’s users, and it will therefore assume no responsibility and liability for any false transmission or failure to transmit to DT with accurate opt-in or opt-out signals.
- DT will use commercially reasonable efforts to provide in a prompt manner such co-operation as is reasonably necessary to enable Supply Partner to ensure compliance with applicable Data Protection Laws. DT will notify Supply Partner without undue delay, unless prohibited under applicable laws, of:
- PERSONAL DATA BREACH
- DT will notify Supply Partner without undue delay after becoming aware of any Personal Data Breach related to Supply Partner Personal Data which DT, or any of DT’s Sub-Processors. DT’s notice will at least: (a) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) communicate the name and contact details of the DT’s DPO, which will be available to provide any additional available information about the Personal Data Breach; (c) describe the likely consequences of the Personal Data Breach; (d) describe the measures taken or proposed to be taken by DT to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
- DT will work diligently, pursuant to its incident management and breach notification policies and procedures to promptly identify and remediate the cause of the Personal Data Breach and will promptly inform Supply Partner accordingly.
- DT will allow for and contribute to audits, including inspections, conducted by Supply Partner or another auditor mandated by Supply Partner, in relation to DT’s obligations under this Addendum. DT may satisfy the audit obligation under this section by providing Supply Partner with attestations, certifications and summaries of audit reports conducted by accredited third party auditors.
- Other audits by Supply Partner are subject to the following terms: (i) the audit will be pre-scheduled in writing with DT, at least forty-five (45) days in advance and will be performed not more than once a year (unless the audit is required by a Supervisory Authority); (ii) a third-party auditor will execute a non-disclosure and non-competition undertaking directly with DT; (iii) the auditor will not have access to non-Supply Partner’s data (iv) Supply Partner will make sure that the audit will not interfere with or damage DT’s business activities and information and network systems; (v) Supply Partner will bear all costs and expenses related to the audit and will assume responsibility and liability for the audit and for any failures or damage caused as a result thereof; (vi) the auditor will first deliver a draft report to DT and allow DT reasonable time and no less than ten (10) business days, to review and respond to the auditor’s findings, before submitting the report to Supply Partner; (vii) Supply Partner will receive only the auditor’s report, with DT’s comments, without any ‘raw data’ materials of DT, will keep the audit results in strict confidentiality and will use it solely for the specific purposes of the audit under this Addendum; (viii) as soon as the purpose of the audit is completed, Supply Partner will permanently and completely dispose of all copies of the audit report.
- DT engages Sub-Processors to perform certain Processing of Supply Partner Personal Data on Supply Partner’s behalf. Prior to an engagement with a Sub-Processor, DT: (i) Carries out reviews and requires or receives adequate assurances that the Sub-Processor complies with obligations substantially similar to the obligations as set out in this Addendum; and (ii) ensures that a Statutory Data Transfer Agreement or such other appropriate methods of Personal Data transfer are at all relevant times incorporated into the agreement executed between DT and the Sub-Processor, if the engagement with the Sub-Processor involves a Personal Data Transfer of Supply Partner Personal Data,.
- Upon the execution of this Addendum, Supply Partner hereby gives DT Supply Partner’s approval to engage the companies detailed at https://www.digitalturbine.com/wp-content/uploads/2022/07/The-Fyber-group-sub-processors-1.pdf as Sub-Processors.
- Where a Sub-Processor fails to fulfill its data protection obligations or statements, DT will remain fully liable to Supply Partner for the performance of the Sub-Processor’s obligations to the same extent that DT would be liable to Supply Partner directly under the terms of this Addendum, except as otherwise set forth in the Agreement, if DT would have performed the obligations of the Sub-Processor.
- DT will inform Supply Partner of DT’s engagement with a new Sub-Processor. Supply Partner may object to the use of new or additional Sub-Processor by sending DT a written notice within five (5) business days of receipt of said notice. If Supply Partner objects to the new Sub-Processor, DT will make commercially reasonable efforts to provide Supply Partner the same level of Service without the use of such Sub-Processor. Notwithstanding, Supply Partner’s objection and the results thereof will not amend, alter or reduce Supply Partner’s obligations under the Agreement. Supply Partner will not be entitled to any refund and will hold DT harmless from and against any claims, suits and demands associated with or related to Supply Partner’s termination of the Agreement, in connection with Supply Partner’s objection to a new Sub-Processor.
- Notwithstanding the provisions here above (e.g. prior consent by Supply Partner), Supply Partner hereby authorizes DT to sub-contract the Processing to Sub-Processors based outside of Supply Partner’s jurisdiction, to the extent necessary, at DT sole discretion, to duly perform the Service on condition that the Sub-Processors provide sufficient guarantees in relation to required level of data protection, e.g. through a sub-contracting agreement which is based on a Statutory Data Protection Agreement , or based on such other applicable Personal Data Transfer mechanisms. Any such Statutory Data Protection Agreement concluded by DT will be treated as if concluded in the name and on behalf of Supply Partner. Supply Partner will be responsible to obtain regulatory approvals from the relevant Supervising Authorities and to perform any submissions and registrations, as required by Data Protection Laws.
- PERSONAL DATA TRANSFER
- If DT imports Supply Partner Personal Data to, or accesses Supply Partner Personal Data from, as applicable to the lawful transfer of Personal Data under Data Protection Laws, a country that is not subject to an Adequacy Decision, and the Data Protection Laws mandate a Personal Data Transfer measure to facilitate the lawful Personal Data Transfer, Supply Partner and DT hereby agree that the applicable Statutory Data Transfer Agreement will apply in respect of any such Personal Data Transfer from Supply Partner to DT.
- Each Party agrees to execute the applicable Statutory Data Transfer Agreement upon request of the other Party and further agrees that absent of execution, the terms and conditions of the Statutory Data Transfer Agreement, such applicable Statutory Data Transfer Agreement will in any event apply to any Supply Partner Personal Data.
- Transfer of Personal Data which is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) to a country outside of the European Economic Area and that is not subject to an Adequacy Decision (“Third Country”), is made in accordance with the EU Standard Contractual Clauses (“EU SCCs”), pursuant to EU Commission Decision C(2021)3972, in the module specified in Exhibit A which is attached and incorporated by reference to this Addendum, or, as required, in accordance with any successor thereof or an alternative lawful data transfer mechanism, and Supply Partner further authorizes DT to engage demand side partners, under the first module of the EU SCCs, on behalf of the Supply Partner, including, without limitation, by designating the applicable supervisory authority therein, for the purposes of facilitating the lawful transfer of Personal Data, as part of DT’s ad monetization services to Supply Partner, as set forth in the Agreement.
- In accordance with Article 46 of the GDPR and the EU SCCs, and without prejudice to any provisions of this Addendum, DT undertakes the following additional safeguards to secure Personal Data transferred by it on the basis of the EU SCCs to Third Countries:
- DT will implement and maintain the technical and organizational measures, as specified in Annex II of Exhibit A, such as encryption, access controls, or similar technologies, as applicable, with a purpose to protect Supply Partner Personal Data against any processing for national security or other government purposes that goes beyond what is necessary and proportionate in a democratic society, considering the type of processing activities under the Agreement and relevant circumstances;
- For the purposes of safeguarding Supply Partner Personal Data when any government or regulatory authority requests access to such data, and unless required by a valid court order or if otherwise DT may face criminal charges for failing to comply with orders or demands to disclose or otherwise provide access to Supply Partner Personal Data, or where the access is requested in the event of imminent threat to lives, DT will:
- not purposefully create back doors or similar programming that could be used to access Supply Partner Personal Data;
- not provide the source code or encryption keys to any government agency for the purpose of accessing Supply Partner Personal Data; and
- upon Supply Partner’s written request, provide reasonable available information about the requests of access to Personal Data by government agencies DT has received in the 6 months preceding to Supply Partner’s request.
- If DT receives a request by a government agency to access the Supply Partner Personal Data, DT will notify Supply Partner of such request to enable the Supply Partner to take necessary actions, to communicate directly with the relevant authority and to respond to such request. If DT is prohibited by law to notify Supply Partner of such request, DT will make reasonable efforts to challenge such prohibition through judicial action or other means, at Supply Partner’s expense, and, to the extent possible, will provide only the minimum amount of information necessary.
- DELETION AND RETENTION OF PERSONAL DATA
- Within a reasonable time after the end of the provision of the Service, DT will return Supply Partner Personal Data to Supply Partner or delete such data, including by de-identifying thereof.
- Notwithstanding, Supply Partner acknowledges and agrees that DT may retain copies of Supply Partner Personal Data as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal obligations and its continuing obligations under applicable law, including to retain data pursuant to legal requirements and to use such data to protect DT, DT’s Affiliates, agents, and any person on their behalf in court and administrative proceedings. To the extent that Data Protection Laws prohibit DT from retaining such copies of Supply Partner Personal Data, then Supply Partner agrees to defend and hold DT harmless from and against any claims, suits and demands related to, or in connection with the Processing of Supply Partner Personal Data by DT, its Affiliates, any relevant Demand Partner, and any person on their behalf.
- LIMITATION OF LIABILITY
Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under the Agreement.
- GENERAL PROVISIONS
- To the extent that Processing relates to Personal Data originating from a jurisdiction or in a jurisdiction which has any mandatory requirements in addition to those in this Addendum, both Parties may agree to any additional measures required to ensure compliance with applicable Data Protection Laws and any such additional measures agreed to by the parties will be documented in a duly executed written addendum or amendment to this Addendum.
- All obligations of each Party under this Addendum are made to the extent that Data Protection Laws mandate such obligations.
- If any variation is required to this Addendum as a result of a change in Data Protection Laws, including any variation which is required to the Statutory Data Transfer Agreement, then either Party may provide written notice to the other Party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this Addendum, including the Statutory Data Transfer Agreement, to address such changes.
- Supply Partner instructs DT to create and use De-identified Information for the provision of the Service (as good practice, and in line with data protection by design and by default principles, DT may de-identify the Supply Partner Personal Data prior to using such information to provide the Service to Supply Partner). DT may further use such De-identified Information for DT’s legitimate Business Purposes, including for testing, development, controls, and operations of DT’s services.
For the purpose of this section, “De-identified Information” means the Supply Partner Personal Data that has been de-identified or aggregated by DT, so that it cannot reasonably be associated with, or be used to identify, a particular Individual or Household, and will include anonymized information (as defined under Data Protection Laws); provided that DT: (A) has implemented commercially reasonable measures to ensure that the information cannot be associated with an Individual or Household to which such information may pertain; (B) maintains and uses the information in de-identified form and does not attempt to re-identify such information (other than for the purpose of determining whether DT’s de-identification processes satisfy applicable requirements under Data Protection Laws); and, (C) uses commercially reasonable measures to contractually obligate all third-parties with whom DT shares such information to comply with all of DT’s commitments specified under sub-sections (A)-(C) above.
- This Addendum will become effective upon its execution by the Parties. It will terminate upon the end of the Processing of Personal Data by DT in accordance with the Agreement unless otherwise provided in this Addendum.
- Any inquiries related to this Addendum will be sent to the following addresses:
To DT: [email protected].
To Supply Partner: to the email provided in the Agreement.
STANDARD CONTRACTUAL CLAUSES
ANNEX to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council:
☐ MODULE ONE: Transfer controller to controller
- MODULE TWO: Transfer controller to processor
☐ MODULE THREE: Transfer processor to processor
☐ MODULE FOUR: Transfer processor to controller
[Tick the box next to the relevant transfer module]
A. LIST OF PARTIES
Data exporter(s): The Identity and contact details of the data exporter(s) are Supply Partner’s information as stated on the Agreement.
Entity’s full legal Name: Fyber Monetization Ltd. For the DT Exchange and DT FairBid or Fyber GmbH for Offer Wall (each, the “Service”).
Address: Fyber Monetization Ltd: 4 Hapsagot Street
Petah Tikva 4951447 | Israel, Fyber GmbH: Wallstraße 9-13
10179 Berlin | Germany
Contact person’s name & title: DT’s legal team, email: [email protected].
Activities relevant to the data transferred under these Clauses: ad targeting, ad monetization, optimization, reporting, fraud detection, billing.
Role (controller/processor): Processor
Data Protection Officer name: Michael Panienka, email: [email protected]
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Mobile application users
Categories of personal data transferred: Location data, mobile app user data
Sensitive data is NOT transferred.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):
On frequent and continuous basis whenever a user uses a mobile application.
Nature of the processing: All operations such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination (solely with non-personal data of exporter), restriction, erasure, or destruction of data (whether by automated means), anonymization, etc.
Purpose(s) of the data transfer and further processing: To enable the ad monetization of a mobile application that is being used by the user
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: up to 30 days.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: The subject matter of the processing is Supply Partner’s Personal Data, the nature of the Processing is the performance of the Service under the Agreement and as detailed above and the duration of the Processing is the term of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
[not applicable to Module Four]
The Identity the competent supervisory authority in accordance with Clause 13 of the New SCC is:
Where the data exporter is established in an EU Member State – the supervisory authority of such EU Member State shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) – the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) – the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses, shall act as competent supervisory authority.
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE PERSONAL DATA
[not applicable to Module Four]
The Processor has implemented the measures as described in this exhibit insofar as the respective measure contributes or can contribute directly or indirectly to the protection of the Personal Data under the DPA entered between the Parties.
These measures are commercially reasonable, are aligned with industry standard technical and organizational measures, to protect Personal Data. These measures are consistent with applicable laws and meet the standard of protection appropriate to the risk of processing Personal Data while providing the Processor’s services. The Processor will regularly carry out, test, review and update all such measures.
These measures will be subject to technical progress and future developments of Processor’s services. As such, the Processor will be permitted to implement alternative adequate measures. In such event, the security level may not be lower than the measures memorialized here. Material changes are to be coordinated with the Controller and documented.
Measures for ensuring physical security of locations at which Personal Data are processed
The Processor has implemented the following entry control measures insofar as Personal Data are processed in the Processor’s premises or access to such data from these premises cannot be precluded:
- Unauthorized persons are to be denied entry to the data processing facilities in which Personal Data are processed or used.
- Entry authorizations to office buildings, computer centers, and server rooms are restricted to the necessary minimum.
- Use of effective entry authorization controls through an adequate locking system (e.g., security key with documented key management, electronic locking systems with documented authorizations management).
- Documented and comprehensible processes for obtaining, changing, and rescinding entry authorizations, including routine and documented review whether the granted entry authorizations are up to date.
- Reasonable prophylactic and detection measures regarding unauthorized entry and entry attempts (e.g., routine checks of burglary security system for doors, gates, and windows, burglar alarm, video monitoring, guard service, security patrol).
- Written rules for employees and visitors for dealing with technical entry security measures.
Measure for user identification, authorization and for ensuring events logging
Potential use of data processing systems by unauthorized persons is to be prevented. The Processor has implemented the following access control measures for systems and networks, in which Personal Data are processed or through which access to Personal Data is possible, insofar as the Processor is responsible for the Personal Data access authorizations:
- Persons authorized to use a data processing system will be able to access only the data underlying their access authorization and that Personal Data will be incapable of being read, copied, changed, or removed without authorization during the processing and use of the data and after the data have been stored.
- Access authorizations to Personal Data is restricted to the necessary minimum.
- Access authorizations to Demand Partners systems and non-public networks are restricted to the necessary minimum.
- Use of effective access authorization controls through personalized and unambiguous user identification and a secure authentication process.
- Recording of access, even by administrators.
- For password authentications:
- Specifications are to be made that ensure continuous password quality of at least twelve (12) characters, four (4) degrees of complexity (upper case, lower case, numbers, special characters), and a change cycle of a maximum of ninety (90) days.
- Technical test procedures are to be used to ensure password quality.
- If asymmetric key procedures (e.g., certificates, private-public-key-method) are used for authentication, it is to be assured that secret (private) keys are at all times protected by a password (passphrase).
- Implementation of documented and comprehensible processes for obtaining, changing, and rescinding access authorizations, including routine and documented review whether the granted access authorizations are up to date.
- Implementation of reasonable measures for securing network infrastructure (e.g. intrusion detection systems, use of 2-factor authentication for remote access, separation of networks, encrypted network protocols, and so forth).
- Written rules for employees for dealing with the security measures above and the secure use of passwords.
- Use of input controls – there is a possibility to subsequently review and determine whether and by whom Personal Data was entered, altered in, or removed from data processing systems. The Processor has implemented the following input control measures on its systems, which are used for processing the Personal Data or which enable or convey access to such systems:
- Creation and audit-proof storage of processing protocols.
- Securing log files against manipulation.
- Recording and evaluating unauthorized and failed login attempts.
- Ensuring that no group accounts (including administrators or root) are used.
Measures for ensuring system configuration, including default configuration and encryption of Personal Data
- Ensuring that critical or material security updates/patches will be installed according to the Processor’s internal Patch Management Policy: a. in client operating systems; b. in server operating systems reachable via public networks (e.g., webservers); c. in application programs (incl. browser, plugins, PDF-reader, etc.); d. in security infrastructure (virus scanner, firewalls, IDS-systems, content filters, routers, and so forth.); and e. in server operating systems of internal servers.
- Reasonable measures are used for the protection of end-devices, servers, and other infrastructure elements against unauthorized access (such as multi-level virus protection concept, content filters, application firewall, intrusion detection systems, desktop firewalls, system hardening, content encryption).
- The Processor has implemented the following sharing control measures insofar as Personal Data will be received, transferred, or transported by the Processor:
- Reasonable measures for securing network infrastructure (e.g., intrusion detection systems, use of 2-factor authentication for remote access, separation of networks, encrypted network protocols, and so forth.)
- Encryption – Processor implements encryption technology which commensurate with the state-of-the-art to be prescribed so that Personal Data will be incapable of being read, copied, changed, or removed during electronic transmission or during transport for storage on data carriers, such as RSA 2048.
- Data carrier encryption with – state of the art – algorithms and protocols to be classified as secure (e.g., TLSbased protocols) for the protection of mobile devices (notebooks, tablet PCs, smartphones, etc.) and data carriers (external hard drives, USB sticks, memory cards, and so forth).
- Implementation of technical security measures for export and import interfaces (hardware and application related).
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services and the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
Personal Data will be protected against accidental destruction or loss. The Processor has implemented the following availability control measures insofar as the processing is required for maintaining productive services:
- Operation and routine maintenance of fire alarms in server rooms, computer centers, and material infrastructure rooms.
- Creating sufficient backups
- Ensuring backup storage in a separate fire compartment.
- Routine backup integrity reviews.
- Systems and data restoration processes and documentation.
An incident would receive immediate attention from all relevant personnel. Once identified and validated, incidents will be reported according to the Processor’s security and privacy policies.
Processor’s development processes follow secure software development industry-standard practices, which include formal design reviews, threat modeling, and completion of a risk assessment.
Processor uses hash function to de-identify the Personal Data prior to any use.
Measures for ensuring data quality and allowing data portability and processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Personal Data collected for different purposes will be capable of being processed separately. The Processor has implemented the following separation measures insofar as such is within its area of responsibility:
- Logical and/or physical separation of test, development, and production systems.
- Separation of Controller’s Personal Data from other data sets including, but not limited to, its own, within the processing systems, and at interfaces.
- Ensuring that Personal Data are constantly identifiable on account of suitable labels; if such are processed for different purposes, including information specifying the respective purpose.
Measures for ensuring limited Personal Data retention
Personal Data is to be deleted, if it is processed for purposes as soon as the knowledge thereof is no longer necessary for the fulfillment of the purpose of the saving in accordance with DT’s data retention policy.
The Processor has implemented the following measures ensuring data deletion insofar as such is within its area of responsibility:
- Ensuring that the Personal Data are capable of being deleted at any time upon request of the Controller.
- Implementation of processes, tools, and documentation for secure deletion in a manner, such that recovery of the data is not possible given today’s state of technology (e.g., through overwriting).
- Providing the employees with specifications regarding how and when data are to be deleted.
Measures for internal IT and IT security governance and management and for ensuring accountability
The Processor has in place internal policies containing formal instructions for data processing procedures; Contractors are being carefully vetted regarding data security; The Processor personnel is being trained periodically to maintain awareness regarding data protection and security requirements.
LIST OF SUB-PROCESSORS
[not applicable to Modules One and Four]
This Annex must be completed for Modules Two and Three, in case of the specific authorization of sub-processors (Clause 9(a), Option 1).
The Controller has authorized the use of the following sub-processors by Processor: http://www.DT.com/subprocessors
Local Addenda to the Master Service Agreement for Supply Partners
Local Addendum – Germany
This Local Addendum to the Master Service Agreement for Supply Partners (“Addendum”) shall only become effective as an integral part of the Agreement between Fyber and Supply Partner (i) to the extent the parties explicitly agree upon its applicability in the applicable Service Order or (ii) if Supply Partner has its Seat in the Federal Republic of Germany, as stated in Section 11.8.1of the MSA. In either case the provisions of this Addendum shall replace and supersede any conflicting provisions in the remaining Agreement, except for conflicting terms individually agreed upon between the parties in the applicable Service Order, which shall take precedence over the terms of this Addendum.
Capitalized terms used in this Addendum will have the meaning ascribed to them in the MSA unless otherwise defined herein.
1. Interpretation of “Warranty”
For the avoidance of doubt, the parties agree that the words “to represent/representation”, “to warrant/warranty” shall be understood as referring to an ordinary German law contractual representation (Zusicherung) and not to a German law guarantee with strict liability (Garantie).
2. Tax and VAT
Any legally owed German VAT for services supplied by Supply Partner in Germany shall be added to the due amounts in the respective statutory amount.
3. Disclaimers; Limitation of Liability
3.1. Section 7.1 of the MSA shall be deleted and replaced with the following:
“7.1 Quality; Availability of Service(s).
7.1.1 Fyber provides the Service(s) in accordance with the recognized state of the art and the care of a prudent service provider.
7.1.2 If Fyber cannot supply the Service(s) to Supply Partner for reasons beyond the control of Fyber (“Non-availability of Service”), Fyber will inform Supply Partner without undue delay, at the same time indicating – if possible – when Fyber will be able to continue the supply of the Service(s). If the Non-availability of Service has continued for two (2) weeks, Fyber may terminate the Agreement upon written notice to Supply Partner with immediate effect. It is also deemed a case of Non availability of Service within the meaning of the above sentence in case the timely provision of the Service(s) is prevented through force majeure, i.e., events which cannot be reasonably foreseen and averted by taking reasonable precautions by Fyber, such as war, acts of terrorism, internal unrest, forces of nature, sabotage, and attacks by third parties, strikes in areas for the functioning of which Fyber is not responsible and failure of communications networks or systems of a third party for which Fyber is not responsible (this also applies when such a case of force majeure occurs at one of Fyber’s subcontractors or suppliers). Statutory rights of termination of each party in the case of such Non-availability of Service remain unaffected.
3.2. Section 7.2 of the MSA shall be deleted and replaced with the following:
7.2.1 Subject to Section 7.2.2, Fyber shall be liable for damages and futile expenses caused to or incurred by Supply Partner (collectively the “Damages”) pursuant to applicable statutory law.
7.2.2 Fyber’s liability for Damages of Supply Partner (irrespective of the legal nature of the claim, whether under contract, tort, or otherwise)
(a) caused by (i) a breach of material contractual obligations of Fyber under the Agreement with ordinary negligence (einfache Fahrlässigkeit), or (ii) a breach of non-material obligations by employees or vicarious agents of Fyber who are not legal representatives or executive officers (leitende Angestellte) of Fyber with gross negligence (grobe Fahrlässigkeit), shall be limited to those Damages foreseeable at the time of conclusion of the Agreement that typically arise in transactions of this nature;
(b) caused by a breach of non-material obligations under the Agreement with ordinary negligence shall be excluded; and
(c) caused by a defect of the Service(s) that already existed at the conclusion of the Agreement shall be excluded, provided that such Damages were not caused with negligence or willful intent of Fyber or a person for whose behavior Fyber is vicariously liable.
7.2.3 A material contractual obligation of Fyber according to the meaning of the foregoing Section 7.2.2 is an obligation, the fulfilment of which is a prerequisite for enabling the proper fulfilment of the Agreement in the first place and on which the Supply Partner regularly relies and may rely.
7.2.4 Notwithstanding Section 7.2.2, nothing in the Agreement shall limit Fyber’s liability for Damages arising from death or personal injury, from breach of a contractual guarantee as to the quality of goods or services or, in case of any other liability pursuant to applicable mandatory law, where such liability cannot be excluded or limited by agreement between the parties in advance (e.g., under sec. 1 of the German Product Liability Act).
7.2.5 The above limitations to liability also apply to the liability of employees, executive officers, legal representatives and vicarious agents of Fyber.”
4. Modifications to the MSA
4.1. Fyber reserves the right to change or amend the MSA at any time effective prospectively. Any change or amendment will be notified to Supply Partner in a suitable manner (including but not limited to by email or by display of the notice in the Account) at least four (4) weeks prior to its effective date.
4.2. Supply Partner has the right to object to any change or amendment of the MSA within two (2) weeks after the date of the notification of the intended change or amendment. In case of a timely objection, each party shall be entitled to terminate the Agreement for cause upon notice to the other party, such termination to become effective upon the date that the intended change or amendment was to take effect. If Supply Partner does not object within two (2) weeks after the date of the notification, the change or amendment shall be deemed accepted by Supply Partner and become an integral part of the Agreement.
4.3. In its notification, Fyber will inform Supply Partner of Supply Partner’s right to object within two (2) weeks, both party’s right to terminate the Agreement in case of objection, and the legal consequences of non-objection.
Section 11.7 of the MSA shall be deleted and replaced with the following:
“11.5 Arbitration. All disputes between the parties arising out of or relating to the Agreement, including any non-contractual obligations arising out of or in connection with it, shall be finally settled in accordance with the Arbitration Rules of the German Institution of Arbitration (DIS) without recourse to the ordinary courts of law. The place of arbitration shall be Berlin, Germany. The arbitral proceedings shall be held in the English language.”
6. Governing Law and Dispute Resolution
6.1. Governing Law. The Agreement and any non-contractual obligations arising out of or in connection with it shall be governed by, and construed in accordance with, the laws of the Federal Republic of Germany, without regards to their conflict of laws rules.
6.2. Jurisdiction. To the extent the arbitration provision in Section 11.7 of the MSA (as modified by Section 4 of this Addendum) does not apply, Supply Partner and Fyber agree that the courts in Berlin, Germany shall have exclusive jurisdiction over any dispute between the parties arising out of or relating to this Addendum, the Agreement, or any non-contractual obligations arising out of or in connection with them, and the parties hereby consent to the personal jurisdiction and venue of these courts.
Local Addendum – Europe
This Local Addendum to the Master Service Agreement for Supply Partners (“Addendum”) shall only become effective as an integral part of the Agreement between Fyber and Supply Partner (i) to the extent the parties explicitly agree upon its applicability in the applicable Service Order or (ii) if Supply Partner has its Seat in European Economic Area (other than the Federal Republic of Germany) or otherwise within Europe (including Armenia, Cyprus, Greenland, and the entire territory of Azerbaijan, Georgia, Kazakhstan, Russia, and Turkey), as stated in Section 11.8.2 of the MSA. In either case the provisions of this Addendum shall replace and supersede any conflicting provisions in the remaining Agreement, except for conflicting terms individually agreed upon between the parties in the applicable Service Order, which shall take precedence over the terms of this Addendum.
Capitalized terms used in this Addendum will have the meaning ascribed to them in the MSA unless otherwise defined herein.
1. Disclaimers; Limitation of Liability
1.1. Section 7.1 of the MSA shall be deleted and replaced with the following:
“7.1 Service Disclaimer. Except as otherwise expressly provided in the Agreement and except for any implied warranties or conditions or terms that cannot be excluded as a matter of law, Fyber does not make any representations, covenants, conditions or warranties to the Supply Partner, whether express or implied, including warranties of title or implied warranties of merchantability, satisfactory quality or fitness for a particular purpose, non-infringement, accuracy, availability, or error or malware-free or uninterrupted operation.”
1.2. Section 7.2 of the MSA shall be deleted and replaced with the following:
“7.2 Limitation of Liability.
7.2.1 Neither party excludes or limits its liability to the other party pursuant to the indemnities detailed in Section 8 or in respect of (i) death or personal injury arising as a result of a party’s negligence or that of its employees, agents or sub-contractors (as applicable), (ii) fraudulent misrepresentation by Fyber, or (iii) any other liability that cannot be excluded or limited as a matter of law.
7.2.2 In respect of losses not covered by Section 7.2.1 and subject to Section 7.2.3, to the extent permitted by law, Fyber’s aggregate liability to the Supply Partner, whether arising in contract, tort (including negligence), misrepresentation (other than fraudulent misrepresentation), breach of statutory duty, contribution or otherwise pursuant to this Agreement in respect of all claims, losses, or damages suffered by the Supply Partner, shall not exceed an amount equal to €2,500.
7.2.3 To the extent permitted by law, Fyber shall not be liable to the Supply Partner for the following loss and damage (including costs and expenses relating to or arising out of such loss and damage) whether arising from contract, tort (including negligence), breach of statutory duty, contribution or otherwise:
a. indirect loss, incidental loss, collateral loss or consequential loss;
b. exemplary, punitive or special damages;
c. lost revenue, profits, contracts or business;
d. lost anticipated savings;
e. lost goodwill or reputation;
f. loss of or damages to, and restitution of, records or data; and/or
g. lost management time, even if Supply Partner has been advised of the possibility of such damages or loss. Fyber shall be excused from the performance of, and shall not be held liable for, any failure or delay in performing any of its obligations under the Agreement to the extent that such non-performance or delay is caused by any acts and omissions of Supply Partner or any party acting for or on behalf of Supply Partner.”
2. Rights of Third Parties
Section 11.10 of the MSA shall be deleted and replaced with the following:
“11.8 No Third Party Rights. It is not the intention of this Agreement to create any third-party beneficiary rights in any third-party individual or entity that is not a party to this Agreement, and no such rights will be deemed to have been created.
11.8.1 A person who is not a party to the Agreement has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any part of the Agreement. This shall not affect any right or remedy of a third party which exists or is available apart from that Act.
11.8.2 The right of the parties to terminate, rescind or agree any variation, waiver or settlement relating to the Agreement is not subject to the consent of any person that is not a party to the Agreement.”
3. Governing Law and Dispute Resolution
3.1. Governing Law. This Addendum, the Agreement, and any non-contractual obligations arising out of or in connection with them shall be governed by, and construed in accordance with, the laws of England and Wales, without regards to their conflict of laws rules.
3.2. Jurisdiction. To the extent the arbitration provision in Section 11.7 of the MSA does not apply, Supply Partner and Fyber agree that the courts in England shall have exclusive jurisdiction over any dispute between the parties arising out of or relating to this Addendum, the Agreement, or any non-contractual obligations arising out of or in connection with them, and the parties hereby consent to the personal jurisdiction and venue of these courts.
Local Addendum – Asia
This Local Addendum to the Master Service Agreement for Supply Partners (“Addendum”) shall only become effective as an integral part of the Agreement between Fyber and Supply Partner (i) to the extent the parties explicitly agree upon its applicability in the applicable Service Order or (ii) if Supply Partner has its Seat in Mainland China, Hong Kong, Macau, Taiwan, Indonesia or Singapore as stated in Section 11.8.3 of the MSA. In either case the provisions of this Addendum shall replace and supersede any conflicting provisions in the remaining Agreement, except for conflicting terms individually agreed upon between the parties in the applicable Service Order, which shall take precedence over the terms of this Addendum.
Capitalized terms used in this Addendum will have the meaning ascribed to them the MSA unless otherwise defined herein.
Section 11.7 of the MSA shall be deleted and replaced with the following:
“11.5 Any dispute, controversy or claim arising out of or relating to the Agreement, including the existence, validity, interpretation, performance, breach or termination thereof or any dispute regarding non-contractual obligations arising out of or relating to it shall be referred to and finally resolved by arbitration administered by the Hong Kong International Arbitration Centre (“HKIAC”) under the HKIAC Administered Arbitration rules in force when the a Notice of Arbitration is submitted. The seat of arbitration shall be Hong Kong. The arbitration proceedings shall be conducted in English. The arbitral award made by HKIAC shall be final and binding upon the parties.
The arbitration tribunal shall consist of three (3) arbitrators. The claimant shall select one arbitrator, and the respondent shall select one arbitrator. The third arbitrator, who shall be the presiding arbitrator, shall be jointly appointed by the claimant and the respondent. If either the claimant or the respondent fails to select an arbitrator or the parties fail to agree on the choice of the third arbitrator, HKIAC shall make the appointment on their behalf.
Notwithstanding this Section 11.5, any party may apply for a preservation order or seek other interim relief in any court of competent jurisdiction.”
2. Rights of Third Parties
Section 11.10 of the MSA shall be deleted and replaced with the following:
“11.8 It is not the intention of this Agreement to create any third-party beneficiary rights in any third-party individual or entity that is not a party to this Agreement, and no such rights will be deemed to have been created. The terms of the Agreement shall not be enforceable under the Contracts (Rights of Third Parties) Ordinance (Cap. 632 of the laws of Hong Kong) by any person other than the parties stated in the Agreement. Notwithstanding any term of the Agreement, the consent of any person who is not a party is not required to rescind or vary the Agreement at any time.”
3. Governing Law and Dispute Resolution
3.1. Governing Law. This Addendum, the Agreement, and any non-contractual obligations arising out of or in connection with them shall be governed by, and construed in accordance with, Hong Kong law, without regards to its conflict of laws rules.
3.2. Jurisdiction. The second sentence of Section 11.8 of the MSA shall not apply.
Last Updated January 2023