DATA PROCESSING AGREEMENT

DATA PROCESSING AGREEMENT (Advertiser scroll down)

This Data Processing Agreement (“DPA”) is hereby entered by and between Vexigo Inc. (“Company”) and you, a publisher using the Company’s services (“Publisher”). Each a “party” and collectively, the “parties”.

This DPA forms an integral part of all agreements between the parties (“Publisher Agreement” or “Agreement”) entered, accepted or signed by the Publisher as of May 25, 2018 (“Effective Date”) and to the extent that EU Data Protection Law applies to the Processing of Personal Data under the Agreement, including if:

  1. The Processing is in the context of the activities of an establishment of either party in the European Economic Area (“EEA”); or
  2. the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a party.

Notwithstanding the above, this DPA and the obligations hereunder do not apply to aggregated reporting or statistics information a party may collect from end users or provide to the other party.

 

  1. DEFINITIONS

1.1. “Publisher Data” means any and all data shared between the parties that may include, inter alia, device information, IDs, events, and country level geo location data. The Publisher Data includes, without limitation, data deemed as Personal Data and IDs all as detailed in Schedule 1 attached herein.

1.2. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time.

1.3. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach”, “Special Categories of Personal Data” and “Supervisory Authority” shall have the meanings given in EU Data Protection Law.

1.4. “EU Data Protection Law” means the (i) General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (iv) any legislation replacing or updating any of the foregoing; and (v) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.

1.5. “ID” means online identifiers such as IPs, advertising IDs, cookies and agents.

1.6. “Security Incident” means any security breach relating to any Personal Data elements leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data within, Personal Data transmitted, stored or otherwise processed; including without limitation the meaning assigned to it under section 12 of Article 4 of the GDPR.

  1. RELATIONSHIP OF THE PARTIES

In relation to all Publisher Data, the Company acknowledges that, as between the parties, Publisher is the Controller of Company Data, and that the Company, in providing the services is acting as a Processor on behalf of the Controller. The subject-matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Schedule 1.

  1. REPRESENTATIONS AND WARRANTIES

The Publisher represents and warrants that: (a) its Processing instructions comply with all applicable Data Protection Laws, the Publisher acknowledges that, taking into account the nature of the Processing, the Company is not in a position to determine whether the Publisher’s instructions infringe applicable Data Protection Laws; and (b) the Publisher hereby warrants and represents that as of the Effective Date it will comply with EU Data Protection Law, specifically with the lawful basis for Processing Personal Data. The Company represents and warrants it shall process Personal Data, as set forth under Article 28(3) of the GDPR and Schedule 1 attached herein, on behalf of the Publisher, solely for the purpose of providing the service. Notwithstanding the above, in the event required under applicable laws, the Company may Process Personal Data other than as instructed by the Publisher, in such event the Company shall make best efforts to inform the Publisher of such requirement unless prohibited under applicable law.

  1. RIGHTS OF THE DATA SUBJECT

It is agreed that where either party receives a request from a Data Subject or an applicable authority in respect of Personal Data Controlled or Processed by the other party, where relevant, the party receiving such request will direct the Data Subject or the authority to the other party, as applicable, in order to enable the other party to respond directly to the Data Subject’s request. Each party shall reasonably cooperate and assist the other party in handling of a Data Subject’s or an authority’s request, to the extent permitted under Data Protection Law.

  1. SUB-PROCESSOR

The Publisher acknowledges that the Company may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). Publisher hereby authorizes the Company to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. The Company may continue to use those Sub-Processors already engaged by the Company (as detailed in Schedule 2) and the Company may engage an additional or replace an existing Sub-Processor to process Personal Data provided that it notifies the Publisher. The Company shall, where it engages any Sub-Processor, impose, through a legally binding contract between the Company and Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.

  1. TECHNICAL AND SECURITY MEASURES

Each party shall implement appropriate technical and organizational measures to protect the Personal Data and its security, confidentiality and integrity and the Data Subject’s rights.

  1. SECURITY INCIDENT

The Company will notify Publisher without undue delay upon becoming aware that an actual Security Incident involving the Publisher Data in Company’s possession or control has occurred, as Company determines in its sole discretion. Company’s notification of or response to a Security Incident under this section 3 shall not be construed as an acknowledgment by the Company of any fault or liability with respect to the Security Incident. The Company will, in connection with any Security Incident affecting Publisher Data: (i) quickly and without delay, take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with Publisher and provide Publisher with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; and (iii) immediately notify Publisher in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.

  1. AUDIT RIGHTS

The Company shall make available, solely upon prior written notice and no more than once per year, to a reputable auditor nominated by the Publisher, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Publisher Data (“Audit”).

The Audit shall be subject to the terms of this DPA and confidentiality obligations (including towards third parties). The Company may object in writing to an auditor appointed by the Publisher in the event the Company reasonably believes the auditor is not suitably qualified or independent, a competitor of the Company or otherwise manifestly unsuitable (“Objection Notice”). In the event of an Objection Notice, the Publisher will appoint a different auditor or conduct the Audit itself.

The Publisher shall bear all expenses related to the Audit and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Company’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to the Company immediately.

  1. DATA TRANSFER

Where EU Data Protection Law applies, neither party shall transfer to a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is following EU Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data.

  1. LIABILITY

Each party shall take out and maintain insurance policies to the value sufficient to meet their respective liabilities under or in connection with this DPA.

  1. GENERAL

In the event of any conflict or inconsistency between this DPA and the Company’s privacy policy, the Company’s privacy policy shall prevail, provided only that the procedure prevailing through the privacy policy shall not constitute a breach or infringement of any Data Protection Laws. In the event of inconsistencies between the provisions of this DPA and any other agreements signed between the parties, including the Publisher Agreement, the terms of this DPA shall prevail. Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.

SCHEDULE 1

Details of Processing of Controller Personal Data

This Schedule 1 includes certain details of the Processing Personal Data as required by Article 28(3) GDPR.

Subject matter and duration of the Processing of Personal Data

Processing carried out in connection with the provision of the services. The duration shall be for the terms of the partnership with an additional period from the expiration of the partnership until deletion of Publisher Data by the Company in accordance with the terms of this DPA.

The nature and purpose of the Processing of Personal Data

To provide the services and display advertisement on Publisher’s assets.

The types of Personal Data Processed

IDs

The categories of Data Subject to whom the Personal Data relates

Users/Data Subject in the EEA.

 

 

SCHEDULE 2

Sub Processors

Company’s servers

Company’s advertisers

 

DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) is hereby entered by and between Vexigo Inc. (“Company”) and you, an advertiser using the Company’s services (“Advertiser”). Each a “party” and collectively, the “parties”.

This DPA forms an integral part of all agreements between the parties (“Advertiser Agreement” or “Agreement”) entered, accepted or signed by the Advertiser as of May 25, 2018 (“Effective Date”) and to the extent that EU Data Protection Law applies to the Processing of Personal Data under the Agreement, including if:

  • the Processing is in the context of the activities of an establishment of either party in the European Economic Area (“EEA”); or
  • the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a party.

 

Notwithstanding the above, this DPA and the obligations hereunder do not apply to aggregated reporting or statistics information a party may collect from end users or provide to the other party.

 

  1. DEFINITIONS
    • “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time.
    • “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall have the meanings given in EU Data Protection Law.
    • “Company Data” means data collected on behalf of Company’s Publishers and shared with the Advertiser subject to the Advertiser Agreement and for the purpose of providing the service, including without limitations, IDs.
    • “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iv) any legislation replacing or updating any of the foregoing.
    • “IDs” means: (i) a unique identifier stored on an end-user’s device, (ii) a unique identifier generated on the basis of device information, (iii) a resettable advertising ID associated with a mobile device or an application; or (iv) IP Address.
    • “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other Party’s Personal Data will comprise a Security Incident.

  1. RELATIONSHIP OF THE PARTIES

The parties agree and acknowledge that under the performance of their obligations set forth in the Advertiser Agreement, and with respect to the Processing of Company Data, the Company is the Data Controller and the Advertiser is the Data Processor. Each party shall be individually and separately responsible for complying with the obligations that apply to it subject to the Data Protection Law. The subject-matter and duration of the Processing carried out by the Processor in connection with the Advertiser Agreement, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex A.

  1. PROCESSING AND PROTECTION OF PERSONAL DATA
  • Each party shall Process Personal Data in compliance with applicable Data Protection Law, industry standards and its obligations herein. Without derogating from the general or specific terms herein, the Advertiser hereby warrants and confirms that as of May 25, 2018 it will be compliant with EU Data Protection Law.
  • In respect of the Processing of Personal Data by Advertiser in connection with the Advertiser Agreement where EU Data Protection Law applies, the Advertiser is responsible for and shall comply with applicable Data Protection Law and agrees that it shall: (a) treat all Company Data processed by it on behalf of the Company as confidential and ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (b) cooperate as requested by the Company and implement appropriate technical and organizational measures to enable Company to comply with any exercise of rights by a Data Subject under applicable Data Protection Law in respect of Personal Data processed by Company under the Advertiser Agreement (including, without limitation, deletion of a Data Subject’s Personal Data); (c) not access or transfer outside the EEA any Personal Data without the prior written consent of the Company; (d) provide the Company with reasonable resources and assistance as are required by the Company pursuant to Articles 32 to 36 of the GDPR; (e) by Company’s sole disclosure, delete all the Company Data following the completion of the Processing, and delete existing copies unless European Union or Member State law requires storage of such; (f) make available to the Company at its request all information necessary to demonstrate compliance with the obligations herein and under Article 28 of the GDPR, including without limitation, provide the Company with a written description of the technical and organizational methods employed by Advertiser and its Sub-Processors (if any) for the Processing of Personal Data; and (g) immediately inform the Company if, in its opinion, an instruction from the Company infringes applicable Data Protection Law.
  2. NOTIFICATION OF SECURITY INCIDENT

The Advertiser will notify the Company without undue delay, and, in any event within forty-eight (48) hours, upon becoming aware that an actual Security Incident has occurred. The Advertiser will, as soon as possible, provide the Company with at least the following information with respect to the Security Incident: (a) a description of the cause and nature of the Security Incident including the categories and approximate numbers of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) the measures being taken to contain, investigate and remediate the Security Incident; (c) the likely consequences and risks for the Company and its Data Subjects as a result of the Security Incident; and (d) any mitigating actions taken and a proposed plan to mitigate any risks for Data Subjects as a result of the Security Incident. Further, the Advertiser shall (i) immediately and without delay, take necessary steps to contain, remediate, minimize any effects of the Security Incident and to identify its cause; (ii) co-operate with the Company and provide the Company with applicable assistance and information as it may reasonably require in connection with the mitigation of the Security Incident; and (iii) immediately notify the Company in writing of any request, inspection, audit or investigation by a Supervisory Authority.

  1. TECHNICAL AND ORGANIZATIONAL MEASURES

The Advertiser shall implement and maintain the technical and organizational measures and take all other measures required pursuant to Article 32 of the GDPR including all organizational and technical security measures necessary to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Company Data, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.

 

  1. SUB-PROCESSORS

The Advertiser may engage with Sub-Processors and notified in writing to Company prior to this DPA. In the event the Advertiser requires to engage with additional or replace an existing Sub-Processor to process Personal Data, it shall notify the Company in writing of any intended use or replacement of a Sub-Processor (email notification to the DPO at: dpo@vidstart.com shall be sufficient) within thirty (30) days of the engagement or replacement of the Sub-Processor concerned, unless the Company objects in writing to the proposed use or replacement of the relevant Sub-Processor within thirty (30) days of receipt of the email notification (in which case Advertiser shall not use or replace the Sub-Processor concerned in relation with the Company Data). The Advertiser shall (i) only use a Sub-Processor that has provided sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR and this DPA and ensure the protection of the rights of Data Subjects; and (ii) impose, through a legally binding contract between Advertiser and Sub-Processor, the same data protection obligations as set out in this DPA. The Advertiser acknowledges and agrees that if any Sub-Processor fails to fulfil its obligations in the contract between the Advertiser and Sub-Processor, Advertiser shall remain fully liable to the Company for the performance of the Sub-Processor’s obligations.

 

  1. AUDIT

Upon reasonable request of the Company, the Advertiser will submit its data processing facilities, data files and documentation as reasonably needed by the Company for the purpose of auditing or inspecting the Advertiser to ensure compliance with the warranties and undertakings under this DPA (“Audit”). The Audit will be conducted (i) by the Company or any independent or impartial inspection agents or auditors agreed between the parties; and (ii) by providing reasonable notice and during regular business hours. The request will be subject to the extent permitted under applicable law.

  1. CONFLICT

In the event of a conflict between the terms and conditions of this DPA and the terms and conditions of the Company Privacy Policy, the Company Privacy Policy shall prevail. In the event of a conflict between the terms and conditions of this DPA and the Advertiser Agreement, this DPA shall prevail. Except as set forth herein all of the terms and conditions of the Advertiser Agreement shall remain in full force and effect.

 

 

ANNEX A

DETAILS OF PROCESSING ACTIVITIES

Subject Matter

Processing carried out for the purpose of providing the services as detailed in the Advertiser Agreement and specifically for the purpose of placing advertisement within the digital assets of Company’s partners (i.e., publishers, suppliers, etc.)

Categories of data and Types of Personal Data

IDs

Special categories of data

NONE

Duration

Solely for the purpose of providing the services (i.e., bidding on ad placement or placing an ad) and shall be promptly deleted thereafter.