DATA PROCESSING ADDENDUM
This Data Processing Addendum is entered into as of October 29, 2021 (the “Effective Date”) between International Web Services, LLC d/b/a ShopROI (“Company”) and the individual or entity who signed up through the Company’s online interface or entered into an Insertion Order or other governing agreement for the Company Services (“Advertiser”) and will apply in connection with the advertising and monetization services performed by Company for Advertiser (the “Services”) under the governing agreement(s) between the parties (the “Agreement”) which involve processing of personal data (each as defined below).
Data Protection
- Definitions: In this Data Processing Addendum, the following terms shall have the following meanings:
- "controller", "processor", "data subject", "personal data" and "processing" (and "process") shall have the meanings given in Applicable Data Protection Law;
- "Applicable Data Protection Law" shall mean: Regulation 2016/679 General Data Protection Regulation (“GDPR”) of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and any applicable rules, regulations, directives, or laws adopted under or in furtherance thereof, from time to time. If the Agreement involves the processing of personal data of a data subject in a jurisdiction which has data privacy or data protection laws and regulations which are more protective of the data subject’s rights than the GDPR, then such additional laws and regulations shall be considered as part of the Applicable Data Protection Law under this Data Processing Addendum. For instance, if the Agreement involves the processing of personal data of a California resident, the Applicable Data Protection Law shall be the California Consumer Privacy Act of 2018 (“CCPA”).
- “Advertiser Properties” shall mean any and all of the Advertiser’s websites, software applications, platforms, or other internet properties, as well as those owned or operated by Advertiser’s third-party advertisers, publishers, or affiliates, in connection with which Advertiser utilizes Company’s Services.
- Relationship of the Parties: Advertiser (the controller) has acquired or will acquire certain personal data from data subjects (the “Data”), and hereby appoints Company as a processor of such personal data in order to enable Company to provide Services to Advertiser. Such Data includes all personal data from data subjects collected through Advertiser Properties. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
- Subject Matter, Duration, Purpose, Types of Personal Data, Categories of Data Subjects: The Agreement, any Insertion Orders issued thereunder, any amendments, addendums, and/or exhibits thereto, including this Data Processing Addendum, shall set forth the subject-matter and duration of the processing, the nature and purpose of the processing, the types of personal data processed and the categories of data subjects. Company shall process the Data as a processor solely as Company deems necessary to perform its obligations under the Agreement to provide the Services and this Data Processing Addendum in accordance with the instructions of Advertiser (the "Permitted Purpose"), except where otherwise required by Applicable Data Protection Law. In no event shall Company process the Data for its own purposes or those of any third party, except where otherwise permitted under the Agreement or required by Applicable Data Protection Law. Advertiser shall obtain any necessary consent for Company to access and utilize Advertiser employee personal data as necessary for the provision of Company Services, such as for correspondence related to business operations such as invoicing, payments, and technical issues relating to the Company Services. Company shall process such personal data under the legitimate business interest of maintaining business operations with Advertiser.
- International Transfers: Advertiser shall not transfer the Data (nor permit the Data to be transferred) to any jurisdiction other than those to which transfers are permitted under the Applicable Data Protection Law unless it first establishes such protections as are necessary to ensure that the transfer is in compliance with Applicable Data Protection Law. Such protections may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission, or has certified to the U.S.-E.U. Privacy Shield and such certification has not lapsed or been revoked. Advertiser hereby consents to Company’s transfer of the Data for processing in the United States.
- Advertiser Obligations; Consent or other Legal Bases for Processing: Advertiser shall comply with the Applicable Data Protection Law in connection with its use of the Services. Advertiser also (a) shall process Data in accordance with the requirements of the Applicable Data Protection Law; (b) agrees that its Agreement with Company, and this Data Processing Addendum thereto, constitutes its complete instructions with regard to Company’s processing of Advertiser’s Data, (c) shall have sole responsibility for the accuracy and quality of the Data provided to Company, including establishing and documenting the lawful basis or bases on which Advertiser acquires the Data, as well as the lawful basis or bases for Company’s processing under the Applicable Data Protection Law, and provides documentation evidencing such lawful basis or bases to Company upon Company’s request, and (d) agrees that Company’s TOMs are sufficient to ensure adequate protection of Advertiser’s Data under the Applicable Data Protection Law. Additionally, Advertiser agrees that the Privacy Policy (or equivalent policy) on Advertiser Properties will describe, in sufficient clarity, the use of cookies and unique identifiers by third parties such as Company, for legitimate business purposes such as targeted advertising and analytics, fake and duplicated traffic detection, frequency capping, optimization, reporting, and troubleshooting, which are necessary to provision of the Company Services. Advertiser hereby represents and warrants that it has either (a) obtained all required consents from the data subjects, including individual affirmative consents with respect to Company’s activities in placing or accessing any cookies, web beacons, IP addresses, user agents, HTTP request headers, device IDs, domains, referrer domains or any other unique identifiers on a data subject’s device, and transfer of Data to be processed in the United States, in order to render the Company Services to Advertiser, or (b) established another adequate lawful basis or bases, for Company’s processing activities to comply with Applicable Data Protection Law. Upon Company’s request, Advertiser shall provide documentation to Company evidencing the data subjects’ consent and/or Advertiser’s lawful basis or bases. As between Company and Advertiser, Advertiser agrees that it is solely responsible for providing any information to the data subjects required by Applicable Data Protection Laws regarding Company’s processing of the Data. Advertiser shall immediately notify Company in the event of any changes to, and/or revocation of, the consent of any data subject(s).
- Confidentiality of Processing: Company shall ensure that any person that it authorizes to process the Data (including Company employees, agents, and subcontractors) (an "Authorized Person") shall be subject to a duty of confidentiality (whether a contractual duty or a statutory or other legal duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. Company shall ensure that all Authorized Persons process the Data only as necessary for the Permitted Purpose, or otherwise in accordance with Applicable Data Protection Law.
- Security: Taking into account the state of the art, the costs of implementation, and nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of the data subjects, each party shall implement appropriate technical and organizational measures to protect the Data from accidental or unlawful destruction, and from any loss, alteration, unauthorized disclosure of, or access to the Data (each such event being a "Security Incident"). Such measures shall include, as practicable and appropriate: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- Subcontracting: Company may engage any of its affiliates or third-party partners or vendors as sub-processors, provided that Company or the Company affiliate has entered into a written agreement with each such third-party sub-processor containing data protection obligations not less protective than those in this Data Processing Addendum with respect to the protection of Advertiser’s Data to the extent applicable to the nature of the portion of the Services being provided in whole or in part by such third-party sub-processor. Company may engage third-party subprocessors for purposes including without limitation: to handle the processing of payments, to detect and protect against fraud, to provide data storage and management, to assist in marketing Company’s products or services, to conduct audits, to provide web analytics and business intelligence, to provide customer support, to send email and platform alerts, to provide customer surveys and messaging services, and to provide hosting, design, development and other operations which make our services possible.
- Cooperation and Data Subjects' Rights: Each party shall provide reasonable and timely assistance to the other party to enable the other party to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party for which a duty to respond is triggered under Applicable Data Protection Law in connection with the processing of the Data. Each party shall promptly provide reasonable assistance required to permit the other party to comply with the other party’s obligations under Applicable Data Protection Law to communicate with a data subject regarding a breach with regard to such data subject’s personal data.
- Data Protection Impact Assessment: If either party believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform the other party and provide the other party with all such reasonable and timely assistance as the other party may require under applicable Data Protection Law in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
- Security Incidents: Each party shall inform the other party without undue delay after becoming aware of any Security Incident arising under or relating to the Agreement. The informing party shall provide information and cooperation as the other party may reasonably require in order for the other party to fulfill its data breach reporting obligations under Applicable Data Protection Law. The informing party shall further take reasonable measures and actions to remedy or mitigate the effects of the Security Incident and shall provide the other party with additional information about developments in connection with the Security Incident.
- Destruction or Return of Data: Upon termination or expiration of the Agreement (or a statement of work, service order, or equivalent engagement document under the Agreement), Company shall (at Advertiser’s election) destroy or return to Advertiser all Data (including all copies of the Data) in its possession or control (including by any sub-processor(s)), unless longer retention of the personal data is required by law, regulation or other retention obligation, including, but not limited to, Company’ data retention and back-up/archival requirements, in which case Company will use reasonable efforts to isolate and protect the retained Data from further processing, except to the extent required or permitted by Applicable Data Protection Law.
- Audit: Advertiser shall permit Company (or its appointed third party auditors, or its authorized regulators) to audit Advertiser’s compliance with this Data Processing Addendum or Applicable Data Protection Law, and shall make available to Company information, systems and staff reasonably necessary for Company (or its third party auditors) to conduct such audit. Advertiser acknowledges that Company (or its third party auditors) may enter its premises for the purposes of conducting this audit, provided that Company gives Advertiser a minimum of 30 (thirty) days’ prior written notice of its intention to audit, the auditors conduct the audit during Advertiser’s normal business hours, and the auditors take all reasonable measures to prevent unnecessary disruption to Advertiser’s operations. Company will not exercise its audit rights more than once in any twelve (12) calendar month period. Company agrees to treat all information acquired during the course of any audits as confidential information of Advertiser, and maintain the confidentiality of such information to the same nature and extent that Company maintains its own confidential information.
- Notifications: If Company is no longer able to satisfy any of its obligations under this Data Processing Addendum, then Company shall immediately notify Advertiser and, if necessary, stop processing Advertiser’s Data.
Indemnification
Advertiser shall indemnify and hold harmless Company and its affiliates, employees, and agents, for all costs, damages, or losses incurred in connection with claims, demands, or proceedings by a data subject or any other third party, and/or any associated financial penalties imposed by supervisory or regulatory authorities, arising from (1) any breach by Advertiser of its obligations under this Data Processing Addendum, including but not limited to any misrepresentation or omission as to the legal basis for Advertiser’s acquisition of the Data and/or Company’s processing of the Data, or (2) any breach by Advertiser of Applicable Data Protection Law. Advertiser shall not enter into any settlement without Company’s express prior written consent that (1) assigns, imparts or imputes fault or responsibility to Company or its affiliates, (2) includes a consent to an injunction or similar relief or otherwise imposes any obligation binding upon Company or its affiliates, or (3) provides for relief other than monetary damages that Advertiser solely bears. Any indemnification made under this Section 2 of this Data Processing Addendum shall not be subject to any limitation of liability set forth in the Agreement, any Insertion Orders, amendments, addendums, and/or exhibits thereto.
Priority of Documents; Notices & Updates
In case of any conflict between the Agreement and this Data Processing Addendum, the terms of this Data Processing Addendum shall control with respect to the subject matter in conflict. Any notice to Advertiser shall be effective upon Company’s sending of an email to the address currently on file in Company’s systems, or posting of a notice in Advertiser’s account within Company’s platform website. Company may amend or replace this Data Processing Addendum at any time, and any such amendment or replacement will become effective immediately upon posting to the Company platform website, or as otherwise communicated to Advertiser. Advertiser’s use of the Company Services after that date will constitute acceptance of the updated Data Processing Addendum. Advertiser’s sole and exclusively remedy if it objects to the amended or new Data Processing Addendum is to terminate its use of the Company Services.