DATA PROTECTION ADDENDUM (Controller-Controller)

Yieldmo, Inc., on behalf of itself and its Affiliates (“Yieldmo”) and the counterparty agreeing to this Data Protection Addendum (“Company”) have entered into an agreement, insertion order or other contract for the provision of the Controller Services, as amended from time to time (the “Main Agreement”). This Data Protection Addendum (“DPA”) is intended to comply with the parties’ obligations under Data Privacy Laws with respect to the Processing of Controller Personal Data pursuant to the Main Agreement. Yieldmo and Company are individually referred to as a “Party” or together as “Parties”. In the event of a conflict between this DPA and the Main Agreement, this DPA shall prevail.

1. DEFINITIONS.  

a. “Adequate Country” means a country or territory that is recognized under EU Data Protection Law as  providing adequate protection for Personal Data; 

b. “Affiliate” means, with respect to a Party, an entity that owns or controls, is owned or controlled by or is under common control or ownership with the Party, where “control” is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

c. “Data Privacy Laws” shall mean all applicable laws governing the handling of Personal Data, including without limitation (1) EC Regulation 2016/679 (“GDPR”) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and the EU e-Privacy Directive (Directive 2002/58/EC) (the “e-Privacy Directive”) (collectively, “EU Data Protection Law”); (2) the local law of the place(s) where Processing by a Party and its Personnel takes place; and (3) the California Consumer Privacy Act of 2018 (“CCPA”); in each case, all of the foregoing as amended, replaced or supplemented from time to time, and all subordinate legislation made under them, together with any codes of practice, regulations or other guidance issued by the governments, agencies, data protection regulators, or other authorities in the relevant countries or jurisdictions.

d. “EEA” means the European Economic Area, the United Kingdom or Switzerland.

e. “Controller Personal Data” means any Personal Data that is provided or made available by a Party to the  other Party under the Main Agreement in connection with the providing Party’s provision or use (as applicable)  of the Controller Services. 

f. “Controller Services” means the services as described in the Main Agreement.

g. “Data Subject” means a natural person to whom any Controller Personal Data pertains.

h. “Process, Processing and Processed” means any operation or set of operations which is performed on  Controller Personal Data or on subsets thereof, whether or not by automated means, such as collection,  recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by  transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or  destruction. 

i. “Personal Data” or the equivalent ‘personal information’ means any information relating, directly or  indirectly, to an identified or identifiable natural person or otherwise as defined in applicable Data Privacy Laws.

j. “Personal Data Breach” means confirmed unauthorised, accidental or unlawful Processing, access, loss,  or disclosure of Controller Personal Data. 

k. “Personnel” means all officers, directors and employees, independent contractors or service providers of a  Party or its Affiliates. 

l. “SCC” means either (a) for data subjects located in the EEA, the unchanged version of the standard contractual clauses in Commission Decision 2021/914/EU (MODULE 1: Transfer Controller to Controller) (without optional clauses) as can be found at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN (the “EU SCC”); or (b) for data subjects located in the United Kingdom (“UK”), the unchanged version of the Standard Contractual Clauses for the transfer of Personal Data to Processors established in Third Countries (Controller to Controller Transfers SET II) approved by EC Commission decision of 27 December 2004 (without optional clauses, and with option iii selected in clause II(h)) as can be found at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32004D0915&from=EN (the “UK SCC”).

m. “Sell” shall have the meaning assigned to it in the CCPA. 

n. The terms “controller” and “processor” as used in this Agreement have the meanings given in the GDPR.

2. Role of the Parties. For purposes of EU Data Protection Law, each Party is an independent Controller of  the Controller Personal Data that it collects or Processes pursuant to the Main Agreement. Each Party shall be  individually and separately responsible for complying with the obligations that apply to it as a Controller under  EU Data Protection Law. The Parties agree that they are not joint Controllers of any Controller Personal Data. Each Party will individually determine the purposes and means of its Processing of Controller Personal Data.  For purposes of the CCPA, each Party is considered to be a “third party”. 

3. Obligations of the Parties. 

a. Each Party shall comply with all applicable requirements of Data Privacy Laws.  

Each Party represents and warrants at all times that: (i) it has the necessary right and authority to enter into this DPA and to perform its obligations herein; (ii) its execution and performance under this DPA and the Main Agreement will not violate any agreement to which it is a party; (iii) it has provided all required information to Data Subjects including, where required, that Personal Data may be passed to third parties for the purposes of the Main Agreement; and (iv) in collecting Controller Personal Data, it did not violate any applicable self-regulatory principles promulgated by the Network Advertising Initiative (“NAI”), the Digital Advertising Alliance (“DAA”) or the European Interactive Digital Advertising Alliance (“EDAA”) (such Self-Regulatory Principles, collectively, the “SRPs”). In the event that Company is the owner or operator of the mobile websites, mobile applications or other media from which it collects or makes available the Controller Personal Data, Company represents and warrants that either: (x) it is a participant in the IAB Europe Transparency & Consent Framework (“TCF”) and will adhere to TCF rules and guidelines, or (y) that it has otherwise obtained any legally required consent to the collection, use and disclosure of Controller Personal Data to allow Yieldmo to Process such Controller Personal Data in connection with the Controller Services.

b. Without limiting the foregoing, each Party will maintain a publicly-accessible privacy policy on its website  that is in compliance with Data Privacy Laws. 

c. Each Party will notify the other Party in writing of any action or instruction of the other Party under this DPA  or the Main Agreement which, in its opinion, infringes applicable Data Privacy Laws. 

d. Subject to this DPA, each Party, acting as a Controller, may Process the Controller Personal Data in  accordance with, and for the purposes permitted in, the Main Agreement (the “Permitted Purposes”). 

4. Security and Confidentiality. Each Party shall implement appropriate technical and organisational  measures to protect the Controller Personal Data from unauthorised, accidental or unlawful access, loss,  disclosure or destruction. In the event that a Party suffers a Personal Data Breach, it shall notify the other Party  without undue delay, but in any event within seventy-two (72) hours of it confirming same, and both Parties shall  cooperate in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects  of the Personal Data Breach. Nothing herein prohibits either Party from providing notification of the Personal  Data Breach to regulatory authorities as may be required by Data Protection Laws prior to notification of the  other Party so long as the notifying Party provides notification to the other Party without undue delay. Each  Party shall ensure that all of its Personnel who have access to and/or Process Controller Personal Data are  obliged to keep the Controller Personal Data confidential. 

5. Transfers outside the EEA. Where the Controller Services involve the storage and/or Processing of  Controller Personal Data in a manner which transfers Personal Data out of the EEA or the UK to a jurisdiction  that is not an Adequate Country, and EU Data Protection Law applies to the transfers of such Controller  Personal Data (“Transferred Personal Data”), both Parties agree that such transfers shall be governed by the  applicable SCC which shall be incorporated into this DPA by reference and form an integral part of this DPA.  Annexes I and II to this DPA will take the place of Annexes I and II of the EU SCC and Appendixes 1 and 2 of  the UK SCC respectively. The parties may store and process Transferred Personal Data in the United States of  America, the UK and/or any other country in which either party or any of its Processors maintains facilities so  long as such party and any of its processors: a) transfer such data via a valid legal mechanism such as the  appropriate SCC; b) provide at least the same level of protection to such Transferred Personal Data as is  required by the appropriate SCC and/or as Yieldmo may otherwise reasonably require to ensure an adequate  level of protection for such Transferred Personal Data in accordance with the requirements of EU Data  Protection Law. In the event of inconsistencies between the provisions of the applicable SCC and this DPA or  other agreements between the parties, the applicable SCC shall take precedence. The terms of this DPA shall  not vary the SCC in any way. If the SCC are deemed invalid by a governmental or judicial entity with jurisdiction  over Transferred Personal Data (e.g., the EU Court of Justice) or if such entity imposes additional rules and/or  restrictions regarding such Transferred Personal Data, the Parties agree to work in good faith to find an  alternative and/or modified approach with respect to such Transferred Personal Data which is in compliance with EU Data Protection Law. 
Where the European Commission or other relevant supervisory authority issues  new, updated or replacement SCC, then a Party may notify the other Party in writing thereof and the Parties  shall replace the SCC with such new clauses and make any other necessary amendments to this DPA. 

6. Data Subject Requests. Each Party will process its own requests for Data Subjects to exercise their rights. With respect to objections from, or on behalf of Data Subjects to the Processing of Personal Data that is shared  between the Parties, including requests to opt-out from the Sale of Personal Information pursuant to CCPA, the  parties will collaborate to honor such objections or opt-out requests. 

7. Compliance Cooperation. Both Parties agree to reasonably cooperate and assist each other in relation to  any regulatory inquiry, complaint or investigation concerning the Controller Personal Data shared between the  Parties. 

8. Allocation of Costs. Each Party shall perform its obligations under this DPA at its own cost, except as  otherwise specified herein. 

10. Liability. The liability of the Parties under or in connection with this Agreement will be subject to the  exclusions and limitations of liability in the Main Agreement. 

11. Miscellaneous. If any provision or condition of this DPA is held or declared invalid, unlawful or  unenforceable by a competent authority or court, then the remainder of this DPA shall remain valid. The  provision or condition affected shall be construed to be amended in such a way that ensures its validity,  lawfulness and enforceability while preserving the parties’ intentions, or if that is not possible, as if the invalid,  unlawful or unenforceable part had never been contained in this DPA. This DPA shall be governed by and construed in accordance with the laws governing the Main Agreement, and any disputes shall be resolved by  the courts agreed for resolution of disputes under the Main Agreement.

 

ANNEX I 

A. LIST OF PARTIES 

1. Data Exporter 

2. Data Importer 

B. DESCRIPTION OF TRANSFER / PROCESSING ACTIVITIES 

Categories of data subjects whose Personal Data is transferred 

(a) end users of websites, mobile websites or applications on which the Controller Services are utilized;

(b) the Parties’ employees, contractors and representatives. 

Categories of Personal Data transferred 

(a) pseudonymous data collected through or in relation to the Controller Services (e.g. IP addresses, cookie  identifiers, mobile advertising IDs). The above may be accompanied by other information about the data subjects  whose Personal Data is being transferred, such as browser type and version, time stamp, device operating system  and platform and country associated with the data subject. 

(b) names and contact details. 

Sensitive data transferred (if applicable) 

• None. 

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

• Continuous. 

Nature of the processing 

• As set out in the Agreement.

Purpose(s) of the data transfer and further processing 

• The Parties will process the Controller Personal Data as part of the Controller Services in accordance with  the Agreement.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that  period 

• The later of 13 months from the date of collection, or for the Term of the Agreement. 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

• As above. 

C. COMPETENT SUPERVISORY AUTHORITY  

The Irish Data Protection Commissioner.

 

ANNEX II 

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO  ENSURE THE SECURITY OF THE DATA 

Each party will implement and maintain a comprehensive written information security program designed to protect Personal  Data from unauthorized access, use, modification, disclosure or destruction. Without limiting the generality of the foregoing,  as part of its information security program, each party will: 

• limit access to Personal Data to the minimum number of its personnel who require such access in order to  perform its obligations under the Terms of use and the DPA 

• provide appropriate training to its personnel who process Personal Data 

• use multi-factor authentication for access to any systems storing Personal Data 

• use reputable services and/or tools to continuously monitor for malicious or unauthorized behavior

• encrypt Personal Data at rest and in transit

 

 

Last updated: February 15, 2022