ADS INTERACTIVE MEDIA GROUP
SUPPLY SIDE DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement (“DPA”) forms an integral part of the Master Service Agreement, Insertion Order, Supply Agreement, Header Bidding Agreement, Monetization Agreement or any other agreement governing the provision of services by Ads Interactive Media Group and/or its Affiliates (collectively, the “Company”) to the counterparty accepting this DPA (“Customer”) (collectively, the “Parties”).

For purposes of this DPA, “Customer” may include, without limitation, publishers, website operators, mobile application developers, advertising networks, monetization partners, SSP partners, traffic suppliers, media owners, reseller partners or any other business partner utilizing, integrating with or otherwise receiving services from Company.

This DPA applies to the extent that the Parties process Personal Data in connection with the services provided under the Agreement, including but not limited to header bidding, programmatic advertising, monetization, advertising optimization, yield management, fraud prevention, invalid traffic detection, analytics, reporting, identity synchronization, cookie synchronization, audience segmentation, ad serving, ad measurement, ad verification and related advertising technology services.

Except where explicitly agreed otherwise in writing, the Parties acknowledge and agree that each Party acts as an independent controller with respect to Personal Data processed in connection with the Services.

This DPA supplements the Agreement and governs the processing of Personal Data between the Parties.

If you are accepting this DPA on behalf of Customer, you represent and warrant that:

(a) you have full authority to bind Customer to this DPA;
(b) you have read and understood this DPA; and
(c) Customer agrees to comply with this DPA.

1. INTRODUCTION

1.1 This DPA reflects the Parties’ agreement regarding the processing of Personal Data in connection with applicable Data Protection Laws.

1.2 Any ambiguity in this DPA shall be interpreted to permit the Parties to comply with all applicable Data Protection Laws.

1.3 In the event Data Protection Laws impose stricter obligations than those set out in this DPA, the applicable Data Protection Laws shall prevail.

2. DEFINITIONS

2.1“Affiliate” means any entity directly or indirectly controlling, controlled by, or under common control with a Party.

2.2 “Approved Jurisdiction” means:

(a) a member state of the European Economic Area;
(b) the United Kingdom; or
(c) any country or jurisdiction recognized by the European Commission or UK authorities as providing adequate protection for Personal Data.

2.3 “Data Protection Laws” means all applicable laws and regulations relating to privacy, security and protection of Personal Data, including:

2.4“Data Subject” means an identified or identifiable natural person.

2.5 “IVT” means Invalid Traffic, including but not limited to General Invalid Traffic (GIVT), Sophisticated Invalid Traffic (SIVT), fraudulent traffic, automated traffic, non-human traffic, incentivized traffic, bot traffic, emulator-generated traffic, spoofed inventory, manipulated ad requests, click spam, ad stacking, domain spoofing, SDK spoofing, traffic laundering, fraudulent installs and any other traffic determined to violate industry standards, platform policies or applicable laws.

2.6 “Personal Data” means any information relating to an identified or identifiable natural person, including any information defined as personal data or personal information under applicable Data Protection Laws.

2.7 “Security Incident” means any actual or reasonably suspected accidental, unlawful or unauthorized destruction, loss, alteration, disclosure of, access to or use of Personal Data.

2.8 “Special Categories of Data” means any sensitive data under Article 9 GDPR or equivalent provisions under applicable Data Protection Laws.

2.9 “Standard Contractual Clauses” or “SCCs” means:

(a) the European Commission Standard Contractual Clauses issued pursuant to Regulation (EU) 2016/679; and
(b) where applicable, the UK International Data Transfer Addendum.

2.10 “TCF” means the IAB Europe Transparency and Consent Framework version 2.2, including any successor framework.

2.11 “TC String” means the consent string generated under the TCF.

3. APPLICATION OF THIS DPA

3.1 This DPA will only apply to the extent all of the following conditions are met:

3.2 This DPA will only apply to the services for which the Parties agreed to in the Agreement, which incorporates this DPA by reference.

4. ROLES OF THE PARTIES

4.1 Independent Controllers

Except where otherwise expressly agreed in writing, each Party:

(a) acts as an independent controller;
(b) independently determines the purposes and means of its processing;
(c) is individually responsible for complying with its obligations under Data Protection Laws.

4.2 Restrictions on Processing

Each Party shall process Personal Data solely:

(a) for the purposes set forth in the Agreement;
(b) for legitimate advertising technology purposes;
(c) for fraud prevention and security purposes;
(d) as otherwise permitted by applicable law.

Section 4.1 will not affect any restrictions on either Party’s rights to use or otherwise process Personal Data under the Agreement.

4.3 Sharing of Personal Data. In performing its obligations under the Agreement, a Party may provide Personal Data to the other Party. Each Party shall process Personal Data only for (i) the purposes set forth in the Agreement or as (ii) otherwise agreed to in writing by the Parties, provided such processing strictly complies with (a) the Data Protection Laws, and (b) its obligations under this Agreement (the “Permitted Purposes”). Neither Party shall share any Personal Data with the other Party that (i) allows Data Subjects to be directly identified (for example by reference to their name and e-mail address); or (ii) that contains Personal Data relating to children under 16 years.

4.4 Lawful grounds and transparency. Each Party shall maintain a publicly-accessible privacy policy on its mobile apps and websites that is available via a prominent link that satisfies transparency disclosure requirements of the Data Protection Laws. Each Party warrants and represents that it has provided Data Subjects with appropriate transparency regarding data collection and use, as well as all required notices, and obtained any and all consents or permissions necessary under the Data Protection Laws. It is hereby clarified that Customer is the initial Controller of Personal Data. Where Customer relies on consent as its legal basis to process Personal Data, it shall ensure that it obtains a proper affirmative act of consent from Data Subjects in accordance with the Data Protection Laws in order for itself and Company to process such Personal Data as set out herein. Customer acknowledges that Company and its advertisers use cookies and similar tracking technologies in order to provide the services under the Agreement, including for the purpose of cross-site or cross-device advertising. Customer shall ensure that appropriate notice and consent mechanisms are displayed and implemented on all applicable Customer properties with respect to the foregoing. Both Parties will cooperate in good faith in order to identify the information disclosure requirements and each Party hereby permits the other Party to identify it in the other Party’s privacy policy, and to provide a link to the other Party’s privacy policy in its privacy policy.

4.5 Data Subject Rights. It is agreed that where either Party receives a request from a Data Subject in respect of Personal Data controlled by such Party, then such Party shall be responsible to exercise the request, in accordance with Data Protection Laws.

4.6 Mutual Assistance. Each Party shall provide the other Party with such:

4.7 Resolution of Disputes with Data Subjects or Supervisory Authorities. If either Party is the subject of a claim by a Data Subject or a supervisory authority, or receives a notice or complaint from a supervisory authority relating to its respective processing activities (a “DP Claim”), it shall promptly inform the other Party of the DP Claim and provide the other Party with such information as it may reasonably request regarding the DP Claim. Where the DP Claim concerns the respective processing activities of one Party only, then that Party shall assume sole responsibility for disputing or settling the DP Claim. Where the DP Claim concerns the respective processing activities of both Parties, then the Parties shall use all reasonable endeavors to cooperate with a view to disputing or settling the DP Claim in a timely manner; provided always that neither Party shall make any admission or offer of settlement or compromise without using all reasonable endeavors to consult with the other Party in advance.

5. TRANSPARENCY, CONSENT AND TCF COMPLIANCE

5.1 Privacy Policies

Each Party shall maintain publicly accessible privacy policies compliant with applicable Data Protection Laws.

5.2 Customer Consent Obligations

Customer represents and warrants that:

(a) it has implemented a legally compliant Consent Management Platform (CMP);
(b) it obtains all necessary consents and permissions required under applicable Data Protection Laws;
(c) it properly discloses the use of cookies, device identifiers, advertising technologies and cross-site tracking technologies;
(d) it properly discloses the involvement of Company and downstream advertising partners;
(e) all consent signals transmitted to Company are valid, accurate and up-to-date.

5.3 TCF Compliance

Where applicable, Customer shall:

(a) implement and maintain an IAB Europe TCF v2.2 compliant CMP;
(b) ensure valid TC Strings are collected and transmitted;
(c) ensure Company is properly declared within the CMP vendor list;
(d) ensure lawful basis signals are properly communicated;
(e) comply with all applicable IAB policies, technical specifications and framework requirements.

5.4 Consent Liability

Customer acknowledges and agrees that it is solely responsible for:

(a) obtaining legally valid consent;
(b) displaying consent notices;
(c) storing and transmitting TC Strings;
(d) managing user preferences;
(e) ensuring lawful grounds for processing.

5.5 Cookies and Advertising Technologies

Publiser acknowledges that Company and its partners may use:

for purposes including:

6. IVT, FRAUD PREVENTION AND SECURITY PROCESSING

6.1 Fraud Prevention Rights

Company may process Personal Data for the purposes of:

(a) detecting, investigating and preventing IVT;
(b) fraud prevention;
(c) security monitoring;
(d) brand safety;
(e) malware detection;
(f) policy enforcement;
(g) traffic quality analysis;
(h) suspicious activity monitoring;
(i) ad fraud investigations;
(j) enforcement of platform rules;
(k) legal compliance.

6.2 Traffic Quality Monitoring

Company may analyze:

for purposes of detecting IVT and ensuring platform integrity.

6.3 Enforcement Actions

Company reserves the right to:

(a) suspend monetization;
(b) block inventory;
(c) reject bid requests;
(d) withhold payments related to confirmed IVT;
(e) request logs, reports and supporting evidence;
(f) investigate suspicious traffic;
(g) terminate Services;
(h) report suspected fraud to partners, exchanges or authorities.

6.4 Customer Cooperation

Customer shall reasonably cooperate with Company in connection with fraud investigations, IVT reviews, security incidents and traffic quality audits.

7. DATA SUBJECT RIGHTS

Each Party shall independently handle Data Subject requests relating to its own processing activities.

Where reasonably necessary, the Parties shall cooperate in good faith regarding:

8. SECURITY

8.1 Each Party shall implement appropriate technical and organizational measures to protect Personal Data.

8.2 Such measures shall include, where appropriate:

(a) encryption;
(b) pseudonymization;
(c) access controls;
(d) logging and monitoring;
(e) vulnerability management;
(f) disaster recovery;
(g) incident response procedures;
(h) regular security assessments.

8.3 In the event of a confirmed Security Incident, the affected Party shall notify the other Party without undue delay and the Parties shall cooperate in good faith to agree on such measures as may be necessary to mitigate or remedy the effects of the Security Incident.

8.4 The Parties will provide a level of protection for Personal Data that is at least equivalent to that required under the Data Protection Laws. Both Parties shall implement appropriate technical and organizational measures to protect the Personal Data.

9. INTERNATIONAL TRANSFERS

9.1 Transfers of Personal Data Out of the European Economic Area. Either Party may transfer Personal Data outside the European Economic Area or UK, provided it complies with applicable provisions regarding the transfer of Personal Data to third countries under the Data Protection Laws (such as where the transfer of Personal Data is to an Approved Jurisdiction or through the use of Standard Contractual Clauses, or other applicable frameworks).If the Parties processes Personal Data outside the EEA or an Approved Jurisdiction, then the Parties shall be deemed to enter into the Standard Contractual Clauses and the UK Addendum, as applicable, subject to any amendments contained in Annex I, in which event: (i) the Standard Contractual Clauses and the UK Addendum are incorporated herein by reference; and (ii) the Customer shall be considered the data exporter and Company shall be considered the data importer (as these terms are defined therein).

Personal Data may be transferred outside the EEA or UK where:

(a) an adequacy decision exists;
(b) SCCs are implemented;
(c) another lawful transfer mechanism applies.

9.2 Where required, the Parties agree that the SCCs are incorporated into this DPA by reference.

9.3 For SCC purposes:

(a) Customer shall be the data exporter;
(b) Company shall be the data importer.

10. SUBPROCESSORS AND PARTNERS

10.1 Company may engage subprocessors, vendors, cloud providers, fraud prevention vendors, advertising exchanges, SSPs, DSPs and technology partners in connection with the Services.

10.2 Company shall maintain appropriate contractual protections with such subprocessors where required by applicable law.

11. RETENTION

Each Party shall retain Personal Data only:

(a) as necessary for the purposes of the Agreement;
(b) for fraud prevention, security or audit purposes;
(c) as required by law;
(d) pursuant to legitimate retention policies.

12. INDEMNIFICATION

Customer will indemnify and hold Company and its partners harmless from any cost, charge, damages, expenses or losses incurred as a result of Customer’s breach of any of the provisions of this DPA

(a) its breach of this DPA;
(b) its violation of Data Protection Laws;
(c) its failure to obtain required consent;
(d) its fraudulent conduct or intentional misconduct.

13. REGULATORY CLAIMS AND COOPERATION

13.1 Each Party shall promptly notify the other Party of:

(a) regulatory investigations;
(b) complaints;
(c) enforcement actions;
(d) Data Subject claims;
(e) supervisory authority inquiries.

13.2 The Parties shall reasonably cooperate in responding to such matters.

14. CHANGES TO THIS DPA

14.1 Customer acknowledges and agrees that Company may amend this DPA as may be required from time-to-time, by posting the amended DPA to its website and any amendments to the DPA are effective as of the date of posting. Where such change may have a material adverse impact on Customer, as reasonably determined by Company, then Company will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect. Customer’s continued use of the Services after the amended DPA is posted or notice is given, constitutes Customer’s agreement to and acceptance of the amended DPA

14.2.If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and each Party will promptly begin complying with such Data Protection Laws in respect of its respective processing activities.

By signing on an applicable IO, the Parties acknowledge that they have read and understood the terms of this DPA and agree to be legally bound by.

15. PRIORITY

If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement, then the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect

16. GOVERNING LAW

Unless otherwise agreed in the Agreement, this DPA shall be governed by the laws of Hungary.

The courts of Budapest, Hungary shall have exclusive jurisdiction.

ANNEX I – DESCRIPTION OF PROCESSING

Categories of Data Subjects

Categories of Personal Data

Special Categories of Data

None intentionally collected.

Purposes of Processing

Frequency of Transfer

Continuous.

Retention

As necessary for operational, security, fraud prevention, audit and legal compliance purposes.

ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES

Company shall implement appropriate technical and organizational measures including:

  1. encryption and pseudonymization;
  2. access management controls;
  3. monitoring and logging;
  4. backup and disaster recovery procedures;
  5. incident response procedures;
  6. vulnerability testing;
  7. fraud detection systems;
  8. traffic quality monitoring systems;
  9. anti-bot and IVT detection mechanisms;
  10. periodic security reviews.
3x Marketing Diamond Award Winner