Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Ad Exchange Supply Agreement between Customer and (the “Agreement”) pursuant to which will provide the Services (as defined in the Agreement) to Customer. agrees to comply with the following provisions with respect to any Personal Data Processed for Customer in connection with the provision of the Services. References to the Agreement will be construed as including this DPA. For the purpose of this DPA, Customer is the Data Controller and is the Data Processor. Any capitalized terms not defined herein shall have the respective meanings given to them in the Agreement.


“Affiliates” means any entity which is controlled by, controls or is in common control with

“Customer” means the Customer that has executed the Agreement for Services.

“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.

“Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, applicable to the Processing of Personal Data under the Agreement.

“Data Subject” means the individual to whom Personal Data relates.

“” means the entity that is a party to the Agreement.

“Personal Data” means any information relating to an identified or identifiable person. The types of Personal Data and categories of Data Subjects Processed under this DPA include but are not limited to the following: IP addresses, location data, interest segments, device data, retargeting data, advertising data, browser generated data, and online identifiers of the end users of digital properties.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).

“Security Breach” has the meaning set forth in Section 7 of this DPA.

“Sub-processor” means any Data Processor engaged by


2.1 The parties agree that with regard to the Processing of Personal Data, Customer is the Data Controller and is the Data Processor.

2.2 Customer shall, in its use or receipt of the Services, Process Personal Data in accordance with the requirements of the Data Protection Laws and Customer will ensure that its instructions for the Processing of Personal Data shall comply with the Data Protection Laws. If believes or becomes aware that any of Customer’s instructions conflicts with any Data Protection Laws, shall inform Customer. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer obtained the Personal Data.

2.3 During the Term of the Agreement, shall only Process Personal Data on behalf of and in accordance with the Supply Agreement and Customer’s instructions and shall treat Personal Data as confidential information. Customer instructs to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and any applicable orders; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement. may Process Personal Data other than on the instructions of the Customer if it is required under applicable law to which is subject.  In this situation shall inform the Customer of such a requirement unless the law prohibits this on important grounds of public interest. The objective of Processing of Personal Data by is the performance of the Services pursuant to the Agreement.


3.1 To the extent Customer, in its use or receipt of the Services, does not have the ability to correct, amend, restrict, block or delete Personal Data, as required by Data Protection Laws, may use commercially reasonable efforts to comply with reasonable requests by Customer to facilitate such actions to the extent is legally permitted to do so.

3.2 shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the Processing of that person’s Personal Data. shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer. shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use or receipt of the Services.


4.1 shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, and are subject to obligations of confidentiality and such obligations survive the termination of that individual’s engagement with

4.2 shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Services.


5.1 Customer acknowledges and agrees that (i) Affiliates may be retained as Sub-processors; and (ii) may engage third-party Sub-processors in connection with the provision of the Services. Any such Sub-processors will be permitted to obtain Personal Data only to deliver the services has retained them to provide, and are prohibited from using Personal Data for any other purpose. agrees that any agreement with a Sub-processor will include substantially the same data protection obligations as set out in this DPA.

5.2 may change the list of Sub-processors by no less than 5 business days’ notice via email. If Customer objects to’s change in such other Sub-processors, Customer may, as its sole and exclusive remedy, terminate the portion of any Agreement relating to the Services that cannot be reasonably provided without the objected-to new Sub-processor by providing 30 days’ written notice to

5.3 shall be liable for the acts and omissions of its Sub-processors to the same extent would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.


6.1 shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data.

6.2 No more than once per year, Customer may engage a mutually agreed upon third party to audit solely for the purposes of meeting its audit requirements pursuant to Article 28, Section 3(h) of the General Data Protection Regulation (“GDPR”).  To request an audit, Customer must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to [email protected]. The auditor must execute a written confidentiality agreement acceptable to before conducting the audit. The audit must be conducted during regular business hours, subject to’s policies, and may not unreasonably interfere with’s business activities.  Any audits are at Customer’s expense.

6.3 Any request for to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law.  Customer shall reimburse for any time spent for any such audit at the rates agreed to by the parties. Before the commencement of any such audit, Customer and shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Customer shall promptly notify with information regarding any non-compliance discovered during the course of an audit.

6.4 will reasonably cooperate with Customer, at Customer’s expense, to assist Customer in ensuring compliance with Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to


7.1 If becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Customer Personal Data transmitted, stored or otherwise Processed on’s equipment or in’s facilities (“Security Breach”), will promptly notify Customer of the Security Breach.

7.2 Customer agrees that an unsuccessful Security Breach attempt will not be subject to this Section. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Customer Personal Data or to any of’s equipment or facilities storing Customer Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.

7.3 Notification(s) of Security Breaches, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means selects, including via email. It is Customer’s sole responsibility to ensure it maintains accurate contact information on’s support systems at all times.

8) RETURN AND DELETION OF CUSTOMER DATA

shall delete or return Customer Data to Customer after the end of the provision of Services under the Agreement and shall delete existing copies unless applicable law requires storage of such data.


Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.