U.S. Data Processing Agreement Addendum

This Dstillery (the “Media Partner”) U. S. Data Processing Addendum (“DPA”) incorporated by reference into any and all services agreements, insertion orders and addendums currently in place between Company and Dstillery (the “Agreement(s)”). This DPA applies to the Processing of Personal Information in connection with the services provided by Media Partner (the “Services”) to the Company and the Company’s Affiliates. 

1. Definitions
   1. “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either Company or Media Partner respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
   2. “Applicable Privacy Laws” means any U.S. state or federal privacy or security law and/or self-regulatory code that are in effect during the Term, and which apply to Personal Information processed pursuant to the Agreement, including but not limited to the Virginia Consumer Data Protection Act, the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Protection Act, the Utah Consumer Privacy Act, each as amended, replaced or supplemented from time to time, and all subordinate legislation made under them, together with any codes of practice, regulations or other guidance issued by the governments, agencies, data protection regulators, or other authorities in the relevant countries, states or other jurisdictions, and (to the extent applicable to the parties) the NAI and DAA self-regulatory codes.
   3. “Approved Sub-processor” means a third-party entity that processes data on behalf of and as specifically directed by Media Partner pursuant to a written contract and is thereby bound by obligations that are substantially similar to the obligations set out in this DPA. A list of Approved Sub-processors is available in Appendix A.
   4. “Company” means Dstillery client and its Affiliate companies worldwide.
   5. “Personal Information” or “Personal Data” shall mean: (1) any information relating to an identified or identifiable natural person or household; and (2) any information defined as “personally identifiable information,” “personal information,” “personal data” or similar terms as such terms are defined under Applicable Privacy Laws.
   6. “Company Personal Information” shall mean the Personal Information of persons provided by Company which Media Partner Processes in connection with Services provided by Media Partner. Such persons may include, but are not limited to, Company’s current or prospective customers and site/app visitors, consumers, employees, contractors or business partners.
   7. “Company Third Party Partner” means any entity, exclusive of Media Partner, engaged by Company for the processing of Personal Information.
   8. “Data Subject” means any person or household as defined by Applicable Privacy Laws.
   9. “Process” or “Processing” means any set of operations performed upon Personal Information, whether or not by automatic means, including the following activities: collect, retain, process, transfer, share or otherwise use.
   10. “Incident” means the known accidental or unlawful destruction, loss, alteration, unauthorized disclosure of Personal Information, or access to, transmission of, storage of, or otherwise processing by Media Partner or a Sub-processor of Media Partner.
   11. “Sensitive Information” means information defined as “sensitive” or “special category” about an individual or household under Applicable Privacy Laws, including but not limited to: financial account numbers, insurance plan numbers, precise information about health or medical conditions, medical records or pharmaceutical prescriptions, government-issued identifiers (such as a Social Security number), race, ethnicity, religion, trade union membership, sexual orientation, genetic or biometric information and precise location information such as GPS coordinates.
   12. “Service Provider” means the Processing of Company Personal Information by Media Partner as directed by Company and for no other purpose as defined under Applicable Privacy Laws whereby Service Provider does not sell or share such information unless directed in writing by Company.
2. Multiple Warranties: Each of the parties represent and warrant that it understands the rules, restrictions, requirements and definitions of the Applicable Privacy Laws and agrees to adhere to the requirements of the Applicable Privacy Laws that applies to each party’s Processing of Personal Information of consumers for the Services stated in the Agreement, including, but not limited to: a) having a privacy policy in compliance with Applicable Privacy Laws; b) providing Data Subjects with a privacy notice and opt-out choice where required by Applicable Privacy Laws; c) providing each other reasonable cooperation with respect to verifiable Data Subject requests as required under Applicable Privacy Laws. Both parties will use reasonable attempts to avoid providing “Sensitive Information” or Personal Information of Non-U.S. Data Subjects to the other party except as otherwise agreed in writing (e.g., to provide each other with bank details to facilitate payments between the parties). Both parties further agree that Media Partner is not responsible for the privacy or security practices of any of Company’s Third Party Partners.
3. The Nature of Data Processed: Company Personal Information shall include email addresses (which will be de-identified and/or rendered as psedudonymous personal information by Media Partner) and/or pseudonymous user IDs (e.g., cookie ID, HEM or MAID) and/or logfile data collected via Company websites, mobile applications or other forms of digital media.
4. The Business Purpose(s); Media Partner shall use Company Personal Information to provide the Services as described in the Agreement only on behalf of Company and only for the following business purpose(s): (a) to target ads and customize content on websites, mobile applications and other forms of digital media via the Services, including using cross-context behavioral advertising, targeted advertising, first-party advertising, and/or profiling; (b) for operational purposes such as contextual advertising, frequency capping, measurement, fraud detection and prevention, and ensuring and measuring viewability, auditing, security and integrity, debugging, short term, transient uses, analytics, internal research, and efforts to improve quality and safety; (c) to verify or maintain the quality of a model created for Company; and (d) to improve, upgrade, or enhance the Service without using Company Personal Information on behalf of other of Media Partner’s customers. Each of the below is deemed a “Permitted Purpose” of Company Personal Information where Media Partner operates as a Service Provider, as indicated with a [X] below:
   [ ] ID-free Custom AI, a cookieless behavioral targeting solution that performs on par with cookies.
   [ ] Custom Patient Targeting, a privacy-safe patient targeting solution which doesn’t rely on user-based targeting
   [ ] Custom and/or Pre-Built targeting audiences which does not use Company Personal Information
   [ ] The use of Company Personal Information for onboarding via LiveRamp and the use of the pseudonymized / de-identified data to create targeted segments solely for Company.
5. Media Partner Warranties: Media Partner agrees that: a) it shall Process all Personal Information using the same standard of commercially reasonable care as Company uses to ensure the protection of such data in compliance with Applicable Privacy Laws; b) except as specifically allowed under Applicable Privacy Laws, it shall not Process Company Personal Information except for the specific business purposes and Permitted Purposes described herein, unless as required by law or a government authority (in which case Media Partner shall use its reasonable efforts to notify Company before such disclosure or as soon thereafter as reasonably possible); and c) except for Approved Sub-processors, it shall only transfer Company Personal Information to a third-party, including a Company Third-Party Partner as specifically directed by Company. Any Approved Sub-processors will be permitted to obtain Company Personal Information only to deliver the Services Media Partner has retained them to provide. Media Partner shall remain fully liable for all acts or omissions of its Approved Sub-processors. Media Partner certifies that it understands the restrictions in this DPA and will comply with them.
6. Company Warranties: Company agrees that it is responsible for providing legally sufficient privacy notices to applicable Data Subjects and (where required by Applicable Privacy Laws) must obtain appropriate consent from Data Subjects for Company’s information collection and use practices relating to the Services including but not limited to the use of cookies and similar technologies for tracking purposes in connection with the Services. Company further represents and warrants that: (i) it shall collect Company Personal Information in compliance with all applicable laws, regulations, and industry standards including but not limited to the Applicable Privacy Laws, (ii) it has secured all necessary rights to provide the Company Personal Information; and (iii) the person signing this Agreement or otherwise indicating acceptance of this Agreement has the requisite power and authority to execute this Agreement and bind the Company and (as applicable) any Company Affiliate(s) to perform the obligations and make the promises set forth herein, including on behalf of any client of yours. Company further represents and warrants that Company Personal Information does not include information: (a) that Company knows or reasonably should know is from or about children under the age of 16; (b) that contains “protected health information” as defined under the Health Insurance Portability and Accountability Act (“HIPPA”); or (c) that is obtained from websites, mobile apps or other forms of media which are “covered entities” under HIPPA or are child-directed as defined under the Children’s Online Privacy Protection Act.
7. Data Retention: Media Partner shall retain Company Personal Information only for as long as necessary to provide Services to Company. Upon termination of the parties Agreement for any reason, Media Partner shall erase, delete, or destroy all or any part of such Company Personal Information in accordance with Media Partner’s policy.
8. Security:
   1. Information Security Standard. Media Partner agrees that it will use commercially reasonable efforts to maintain administrative, technical, and physical safeguards that are no less rigorous than industry standard practices to ensure the security and confidentiality of Personal Information, protect against any anticipated threats or hazards to the confidentiality, availability or integrity of Personal Information, and protect against unauthorized access, use, or alteration of Personal Information.
   2. Written Information Security Program. Media Partner shall maintain, in writing, reasonable security procedures and practices (“Written Information Security Program” or “WISP”) that are necessary to protect Personal Information within its control from unauthorized access, destruction, use, modification, or disclosure.
   3. Incident Procedures:
      1. Media Partner shall notify Company without undue delay (within 48 hours) of any Reportable Incident by sending an email with all available and relevant details to Company’s designated email address(es).
      2. Media Partner shall investigate the Reportable Incident, and provide reasonable and necessary cooperation with Company, including facilitating interviews with relevant personnel, making available all relevant records, logs, files, data reporting and other materials, and providing Company with reasonable physical access to the facilities affected.
      3. Unless required by law, Media Partner shall not inform any third party of any Reportable Incident without first obtaining Company’s prior written consent, other than to inform a complainant that the matter has been forwarded to Company’s legal counsel.
      4. Following a Reportable Incident, Media Partner shall document responsive actions taken in connection with the Incident and shall conduct a post-breach review of events and actions taken, if any, to make changes in security practices and procedures to prevent such Incident from occurring again in the future.
   4. Incident Remediation. Media Partner shall use its commercially reasonable efforts to mitigate and remedy any Incident and prevent any further Incident at its sole expense.
   5. Third party notification. Media Partner agrees that, unless applicable law states otherwise, Company shall have the sole right to determine (i) whether notice of the Reportable Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in Company’s discretion, (ii) the contents of such notice, and (iii) whether any type of remediation may be offered to affected persons, as well as the nature and extent of any such remediation. Media Partner agrees to reimburse Company for reasonable costs described in this section for Reportable Incidents and/or as required by applicable law.
9. Compliance Audits: Once per year, Company (or its appointed representatives) may carry out an inspection of Media Partner’s operations and facilities at Company’s expense and during normal business hours and subject to reasonable prior notice where Company reasonably considers it necessary or appropriate (for example, without limitation, where Company has reasonable concerns about Media Partner’s compliance with Applicable Privacy Laws, following a Reportable Incident or following instruction from a data protection authority).
10. Data Subject Requests:
    1. Media Partner shall, at no additional cost, assist Company to provide reasonably appropriate technical and organizational measures, and any reasonably necessary product features and functionality to allow the Company to effectively fulfill its obligations to respond to Data Subject requests for information, access, correction, rectification, restriction, portability, objection, and deletion requests pertaining to Company Personal Information as required under Applicable Privacy Laws (each, a “Data Subject Request“). At the direction of a Company Affiliate, Media Partner shall promptly, and in any event within thirty (30) days, unless otherwise agreed in writing, use commercially reasonable efforts to completely respond to and fulfill a Company’s request for further Data Subject Request assistance.
    2. Media Partner shall maintain complete and accurate records in connection with each of Company’s Data Subjet Requests.
    3. Media Partner shall notify the Company of any Data Subject Requests that it receives, without responding to the individual except to acknowledge receipt of the Data Subject Request.
11. Legal Compliance: Both parties agree to notify the other party within five (5) business days if it (i) has reason to believe that it is unable to comply with any of its obligations under this DPA and it cannot cure this inability to comply within a reasonable timeframe; or (ii) becomes aware of any circumstances or change in applicable Applicable Privacy Laws that is likely to prevent it from fulfilling its obligations under this DPA. If this DPA, or any actions to be taken or contemplated to be taken in performance of this DPA, does not or would not satisfy either party’s obligations under such Applicable Privacy Laws, the Parties will negotiate in good faith an amendment to this DPA.
12. Term: The term of this Addendum commences as of the Addendum Effective Date and will end upon the latter of: (i) Media Partner’s secure destruction (to be confirmed in writing) of all Company Personal Information Processed by Media Partner under the Agreement, or (ii) such date that Media Partner ceases to provide Services to Company.