Data Processing Addendum for Publishers

Last updated: Oct 10, 2023

The terms of this Data Processing Addendum for Publishers (“DPA”) apply where Bidmatic Inc. (“Bidmatic”) and you (“Publisher”) (each a “Party” and together the “Parties”) have entered into a mutual agreement relating to the Terms of Service whereby either one or both of the Parties will be sharing Personal Data (as defined herein) with the other Party in order to provide and/or receive the Bidmatic Services. This DPA shall be incorporated into the Terms of Service and shall be binding on the Parties.

1. CONFLICT

In the event of any conflict between the provisions of the Terms of Service and the provisions of this DPA, the provisions of this DPA shall take precedence.

2. DEFINITIONS AND INTERPRETATION

In this DPA, the following terms shall have the meanings set out below:

2.1. Account has the meaning set out in Bidmatic Terms of Service.

2.2. Agreed Purposes means performing respective actions under the Terms of Service to make available and receive the Bidmatic Services and to process the Shared Personal Data with other data provided by third parties as it considers necessary.

2.3. Applicable Laws means the laws and regulations of any jurisdiction that may be applicable to the Personal Data, including a Member State of the European Union or the laws of the European Union applicable to the Parties and any other applicable law including but not limited to the Data Protection Legislation and the e-Privacy Legislation.

2.4. Bidmatic Services means Bidmatic’s online advertising services, products, and features described in Bidmatic Terms of Service.

2.5. Data Protection Legislation means (i) the EU General Data Protection Regulation ((EU) 2016/679) as amended, replaced, or superseded from time to time and laws implementing or supplementing the GDPR; (ii) to the extent applicable, the data protection laws of any other country, including the United Kingdom; and (iii) the California Consumer Protection Act and other relevant US federal or state laws.

2.6. Data Controller has the meaning set out in the GDPR.

2.7. Data Processor has the meaning set out in the GDPR.

2.8. Data Subject has the meaning set out in the GDPR.

2.9. Demand Partners means Bidmatic’s media buying clients, including but not limited to advertisers, demand side platforms, ad exchanges, agencies, agency trading desks, and ad networks.

2.10. e-Privacy Legislation means (i) the EU Privacy and Electronic Communications Directive (2002/58/EC) as transposed into domestic legislation of each Member State as amended, replaced, or superseded from time to time; and (ii) to the extent applicable, the privacy laws of any other country, including the United Kingdom if and when the United Kingdom ceases to be a Member State.

2.11. GDPR means General Data Protection Regulation ((EU) 2016/679).

2.12. Permitted Recipients means the Party to this DPA, its employees, and any third-party processor engaged by such Party to process Personal Data for the Agreed Purposes.

2.13. Personal Data has the meaning set out in Applicable Laws to the information collected.

2.14. Privacy Shield means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce (as may be amended, superseded, or replaced).

2.15. Publisher Properties means the websites, mobile applications, and/or other digital media properties owned or operated by the Publisher and accessible through the Bidmatic Services or via which Personal Data used in connection with the Bidmatic Services is collected.

2.16. Shared Personal Data means Personal Data relating to any Data Subject to be shared between the Parties, including IP address, device ID, etc.

2.17. Terms of Service means the Terms of Service located on Bidmatic’s website via the link: https://bidmatic.io/tos/ (as updated or amended from time to time).

2.18. Tracking Technologies means technologies used to store or gain access to data stored on a user’s device, including (as applicable), cookies, mobile SDKs, browser cache, unique identifiers, web beacons, pixels, and/or similar tracking technologies.

2.19. US State Privacy Laws means all state laws relating to the protection and processing of Personal Data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.

2.20. Restricted Transfer means (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK Privacy Law applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to section 17A of the United Kingdom Data Protection Act 2018.

2.21. Standard Contractual Clauses means Module 1 (Controller to Controller) of the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 located at https://eur-lex.europa.eu/eli/dec_impl/2021/914.

2.22. UK Addendum means the International Data Transfer Addendum (version B1.0) to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioners Office under S.119(A) of the UK Data Protection Act 2018, as amended, superseded, or replaced from time to time.

3. DATA PROTECTION

3.1. Scope of the processing. Unless otherwise and separately agreed between the Parties, the Parties agree and understand that (i) in connection with the Bidmatic Services, Bidmatic may collect or otherwise receive data (including Personal Data) about or related to end-users of the Publisher Properties as more particularly described in Annex A of this DPA; (ii) Bidmatic and its Demand Partners use Tracking Technologies in order to collect certain data, and (iii) Bidmatic (and its Demand Partners) may process the data for the purposes set forth by the Terms of Service and for any other purposes described in their privacy statements.

3.2. Relationship of the Parties. The Parties acknowledge that to the extent the data is Personal Data, each Party shall process such data as an independent Data Controller and only for the Agreed Purposes.

3.3. Shared Personal Data. A Party shall share (“Data Exporter”) the Shared Personal Data with the other Party (“Data Importer”) for the purpose of performing under provisions of the Terms of Service by the Parties. The Parties are separate and independent Data Controllers and in no event will the Parties process the Shared Personal Data as joint Data Controllers.

3.4. Effect of non-compliance with Data Protection Legislation. Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Legislation, and any material breach of the Data Protection Legislation by one Party shall, if not remedied within 30 (thirty) days of written notice from the other Party, give grounds to the other Party to terminate this DPA with immediate effect.

3.5. The Data Exporter obligations. The Data Exporter shall: (a) ensure that it has all necessary notices and consents, where applicable, to enable the lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes, including but not limited to, any notices and consents required under the e-Privacy Legislation; (b) record, document, store and make available to the Data Importer upon request the legal bases and consents that are being relied on to request Bidmatic Services; (c) when required, list the Data Importer, with a link to its privacy policy, in its list of vendors as a Data Controller with respect to the Services; and (d) give full information to any Data Subject whose Personal Data may be processed under the Terms of Service of the nature of such processing and their rights regarding such processing as required under the Data Protection Legislation.

3.6. The Data Importer obligations. The Data Importer shall: (a) only process the Shared Personal Data for the Agreed Purposes; (b) process the Shared Personal Data in accordance with Applicable Laws; (c) maintain appropriate technical and organizational measures for the protection, security, confidentiality and integrity of the Shared Personal Data; (d) notify the other Party within 72 hours of discovering a data incident involving the Shared Personal Data and fully cooperate with the Data Exporter to remedy the incident; (e) not disclose the Shared Personal Data to any third party unless permitted by the Data Exporter in writing and if such permission is granted, it shall ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this DPA; and (f) not retain the Shared Personal Data for longer than the period during which it has a legitimate need to retain the Shared Personal Data for or in connection with the Agreed Purposes.

3.7. Publisher Privacy Notice Requirements. Publisher agrees that it is responsible for ensuring that all Data Subjects are appropriately notified about the data collection and use practices taking place on the Publisher Properties via Bidmatic Services. Publisher represents and warrants that it shall conspicuously post, maintain and abide by a publicly accessible privacy notice within all Publisher Properties from which the data is collected that satisfies the requirements of the Applicable Laws and the Terms of Service (including this DPA). Without prejudice to the generality of the foregoing, such notice shall at a minimum include the following information: (i) a statement that data may be collected for advertising purposes; (ii) a description of the type of Personal Data collected by Bidmatic and its Demand Partners and the purposes of processing thereof, including for delivering ads across the Publisher Properties over time; (iii) a description of the categories of individuals who will have access to the Personal Data; (iv) the identity of the Controller(s) of the data; (v) a link to or description of how to access a relevant choice mechanism; and/or (vi) any other information required to comply with the information and transparency requirements of Applicable Laws. The privacy notice, its explanation of the data Bidmatic collects and how Bidmatic Services use it, may assist you in complying with your notification obligations under this DPA.

3.8. US State Privacy Laws Compliance. For data of California residents, each Party agrees to comply with California Consumer Protection Act (CCPA) and will employ reasonable efforts to provide a Do Not Sell My Information link on the home page of any Publisher Properties where Shared Personal Data will be provided. For users who exercise the CCPA Do Not Sell right, each Party agrees to limit the uses of Shared Data as restricted by the CCPA. For data of Virginia, Connecticut, and Colorado residents, each Party agrees to comply with Virginia Consumer Data Protection Act (VCDPA), Connecticut Data Privacy Act (CTDPA), and Colorado Privacy Act (CPA) and not to use “dark patterns” to obtain consumer consent. For data of New York residents, each Party agrees to comply with New York Privacy Act (NYPA). For data of Washington residents, each Party agrees to comply with Washington Privacy Act (WPA). For data of Utah residents, each Party agrees to comply with the Utah Consumer Privacy Act (UCPA).

3.9. Industry Standards. Each Party will use reasonable efforts to provide or require partners to provide end users with notice of the use and sharing of Shared Personal Information and to provide end users with the ability to opt-out of the uses of Shared Personal Information for cross-contextual advertising, as defined by industry best practices.

3.10. Mutual assistance. Each Party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each Party shall:

  • 3.10.1. if required, consult with the other Party about any notices given to Data Subjects in relation to the Shared Personal Data;
  • 3.10.2. promptly inform the other Party about the receipt of any Data Subject access or deletion request or any other request permissible under applicable Data Protection Legislation;
  • 3.10.3. provide the other Party with reasonable assistance in complying with any Data Subject access or deletion request;
  • 3.10.4. inform the other Party before or after disclosing or releasing any Shared Personal Data in response to a Data Subject access request;
  • 3.10.5. assist the other Party in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators;
  • 3.10.6. notify the other Party without undue delay on becoming aware of any breach of the Data Protection Legislation;
  • 3.10.7. use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from transfers of such Shared Personal Data;
  • 3.10.8. maintain complete and accurate records and information to demonstrate its compliance with this paragraph; and
  • 3.10.9. provide the other Party with contact details of at least one employee as a point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the Parties’ compliance with the Data Protection Legislation.

3.11. Prohibited Data Sharing. Publisher shall not include or launch on any Publisher Properties any of Bidmatic Services if such Publisher Properties are directed at or likely to be accessed by any Data Subject that is deemed a child under Applicable Laws of the country in which the child resides. Publisher shall inform Bidmatic in writing prior to launching on any of such Publisher Properties any of the Bidmatic Services or pass to Bidmatic or its Demand Partners any Personal Data of any Data Subject that is deemed a child under Applicable Laws.

3.12. International Transfers. The Recipient Party shall not process, nor permit the processing of, any of the Shared Personal Data, in a territory outside the European Economic Area or the United Kingdom or Switzerland (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Data Protection Legislation. Such measures may include, without limitation, transferring the Shared Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, for internal transfers by a recipient that has achieved binding corporate rules authorization in accordance with Applicable Laws, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

3.13. Storage limitation. The Data Importer shall retain the Shared Personal Data for no longer than necessary for the purpose(s) determined according to the Terms of Service for which it is processed. It shall put in place appropriate technical and organizational measures to ensure compliance with this obligation, including the erasure or anonymization of the data and all backups at the end of the retention period.

3.14. Measure to ensure the security of processing. Each Party undertakes to observe the principles of due and proper data processing in accordance with Art. 32 in conjunction with Art. 5 (1) GDPR. Each Party shall take all necessary measures to safeguard the data and the security of the processing, in particular taking into account the state of the art, as well as to reduce possible adverse consequences for the affected Parties. Measures to be taken include, in particular, measures to protect the confidentiality, integrity, availability, and resilience of systems and measures to ensure continuity of processing after incidents. In order to ensure an appropriate level of processing security at all times, each Party shall regularly evaluate the measures implemented and make any necessary adjustments. The Data Importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security. The Data Importer shall ensure that persons authorized to process the Shared Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. In the event of a Personal Data breach concerning Personal Data processed by the Data Importer under this DPA, the Data Importer shall take appropriate measures to address the Personal Data breach, including measures to mitigate its possible adverse effects.

3.15. Noncompliance. If Data Exporter is unable to comply with its consent and notice obligations under the Terms of Service (including this DPA) in respect of the Shared Personal Data, the Data Exporter shall promptly notify Data Importer and cease the transfer until mitigation.

4. DATA TRANSFERS

4.1. Standard Contractual Clauses. The Parties agree that when the transfer of Personal Data from Publisher (as Data Exporter) to Bidmatic (as Data Importer) is a Restricted Transfer and European Data Protection Legislation applies, the transfer shall be subject to the Standard Contractual Clauses, which shall be deemed incorporated into and shall form part of this DPA, as follows:

(a) in relation to transfers of Personal Data protected by the GDPR, the Standard Contractual Clauses shall apply, completed as follows: (i) in Clause 7, the optional docking clause will apply, (ii) in Clause 11, the optional language will not apply; (iii) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by laws of Ireland; (iv) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (v) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex A to this DPA; and (vii) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex B to this DPA;

(b) in relation to transfers of Personal Data protected by UK Privacy Law, the Standard Contractual Clauses shall also apply completed in accordance with paragraph (a) above, but as modified and interpreted by Part 2: Mandatory Clauses of the UK Addendum, which shall be deemed executed by the Parties and incorporated into and form an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annexes A and B of this DPA and Table 4 in Part 1 shall be deemed completed by selecting “neither party”; and

(c) in relation to transfers of Personal Data protected by the Swiss Data Protection Act (Swiss DPA), the Standard Contractual Clauses shall also apply completed in accordance with paragraph (a) above, with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”; (iv) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (v) Clause 13(a) and Part C of Annex A are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner; (vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; (vii) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and (viii) Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.

4.2. Adequacy Mechanisms. The terms of the Standard Contractual Clauses will not apply where and to the extent Bidmatic (as Data Importer) and the applicable transfer of Personal Data are covered by an alternative, suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for Personal Data (provided that it is deemed legally valid in jurisdictions subject to European Data Protection Law), including any U.S. – EU cross-border data transfer program which supersedes the Privacy Shield (an “Adequacy Mechanism”). Where an Adequacy Mechanism applies, Bidmatic shall process the Personal Data in compliance with the Adequacy Mechanism and the Standard Contractual Clauses shall not apply.

4.3. Alternative Transfer Mechanisms. The Parties agree that if European Data Protection Legislation no longer allows the lawful transfer of Personal Data under the Standard Contractual Clauses and/or a relevant regulator or court of competent jurisdiction requires the Parties to adopt additional measures (“Additional Measures”) or an alternative data export solution (“Alternative Transfer Mechanism”) to enable the lawful transfer of data outside of EEA and such requirements are not satisfied by an Adequacy Mechanism in line with clause 4.2 above (if applicable), both Parties agree to cooperate and agree any Additional Measures or Alternative Transfer Mechanism that may be required (but only to the extent such Additional Measures or Alternative Transfer Mechanism extend to the territories to which Data is transferred).

4.4. It is not the intent of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses. Accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Terms of Service, including this DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict.

5. MISCELLANEOUS PROVISIONS

5.1. Contact. Publisher shall notify Bidmatic of a representative within its organization authorized to respond from time to time to inquiries regarding the data and shall deal with such inquiries promptly. The representative within Bidmatic authorized to respond from time to time to inquiries regarding the Shared Data and who shall deal with such inquiries promptly can be contacted here: legal@bidmatic.io.

5.2. Changes in Law. In the event that there is a change in the Applicable Laws that apply to the processing of data, that would, in the reasonable opinion of a Party, require changes to the Bidmatic Services, the means by which the Bidmatic Services are provided or used and/or terms of this DPA, that Party reserves the right (acting reasonably) to request such changes; provided that, to the extent possible, the Party requesting the change will provide at least thirty (30) days prior notice (including by email or via Publisher Account on the Bidmatic platform) of such changes and agrees to discuss such changes in good faith. If the requested changes will cause material harm to any Party (which includes for the avoidance of doubt, causing a Party to be in breach of European Data Protection Legislation) or materially alter any Party’s provision or use (as applicable) of the Bidmatic Services, such Party may terminate the Terms of Service for the affected Bidmatic Services upon written notice without liability for such termination.

5.3. Indemnity. Publisher shall indemnify Bidmatic against all liabilities, costs, expenses, damages, and losses (including but not limited to any direct, indirect, or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by Bidmatic arising out of or in connection with the breach of the Applicable Laws by the Publisher, its employees or agents, provided that Bidmatic gives to the Publisher prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and sole authority to manage, defend and/or settle it.

5.4. Security. Both Parties shall implement appropriate technical and organizational measures to protect the copy of the data in their possession or control (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the data.

5.5. General. With effect from the effective date, this DPA is part of and incorporated into the Terms of Service. To the extent there are any prior agreements with regard to the subject matter of this DPA, this DPA supersedes and replaces such prior agreements. This DPA shall survive termination or expiry of the Terms of Service. Upon termination or expiry of the Terms of Service Bidmatic continue to process the data provided that such processing complies with the requirements of this DPA and the Applicable Laws. This DPA may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. This DPA may be executed by means of accepting the Terms of Service by the Publisher upon registration on Bidmatic’s platforms and may be signed, scanned, and emailed, and any such copies shall be treated as original for all applicable purposes.





ANNEX A

Description of the Transfer

1. List of Parties

Controller/Data Exporter:

Name: See the information in the Publisher Account and/or IO

Address: See the information in the Publisher Account and/or IO

Contact person’s name, position, and contact details: See the information in the Publisher Account and/or IO

Activities relevant to the data transferred under this DPA: See the Description of Data Transfer

Signature and date: See the information in the Publisher Account and/or IO

Role (controller/processor): Controller

Controller/Data Importer:

Name: Bidmatic Inc.

Address: 16192 Coastal Hwy, City of Lewes, County of Sussex, 19958, DE, USA

Contact person’s name, position, and contact details: DPO, contactable at legal@bidmatic.io

Activities relevant to the data transferred under this DPA: See the Description of Data Transfer

Signature and date: See the information in the Publisher Account and/or IO

Role (controller/processor): Controller

2. Description of Data Transfer

Defined terms are as set out in the DPA agreed between the Parties.

Categories of Data Subjects:

End users of the Publisher Properties or end users viewing ads delivered to the Publisher Properties;
Publisher employees and other personnel authorized to use Bidmatic Services.

Categories of Personal Data:  

End Users identifiers: cookie and mobile ad identifiers (such as IDFA, ADID, GPID, etc.); IP address, data that could be used for fingerprinting, latitude, and longitude;
Demographic information: location, age range, gender, and other Publisher-specified demographics (tied to an identifier);
User-agent or such device information;
Behavioral data: frequency of identifiers visiting and viewing Publisher Properties and viewing and taking actions with respect to advertising.

Publisher Personnel: Contact details (name, email, telephone) and professional details (role).

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:  

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

End Users – Continuous
Publisher Personnel – Only where required to facilitate communication between the Parties.

Nature of the processing:  

Receipt, storage, use, and processing for the purpose of the Bidmatic Services provision and business relationships.

Purpose(s) of the data transfer and further processing:  

End Users: For the Agreed Purposes (as defined in this DPA)
Publisher Personnel: For business relationship and account management purposes.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: 

Until necessary for the provision of the Bidmatic Services





ANNEX B

Technical and Organizational Measures

Bidmatic Inc. (“BIDMATIC”) takes appropriate Technical and Organizational Measures to ensure a level of security appropriate to the risk of the processing of Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

The implemented security measures include, but are not limited to:

1. Access security

  • Strong passwords, based on a password policy, are used to provide access security;
  • Information is stored in databases with state-of-the-art corresponding encryption.

2. Data integrity

Data integrity of information is guaranteed by a state-of-the-art database.

3. Organizational security

All applicable workflows, information, and disciplinary consequences are also codified for employees in a comprehensible way.

4. Physical security

Where the physical storage location is not within the premises of BIDMATIC but with a partner and/or another 3rd party, said partner and/or 3rd party is contractually obliged to fulfill the requirements of the applicable legislation.

5. Network and data security

  • Only secure communication channels are being used;
  • Only those network protocols essential for the delivery of the organization’s service to its users are open.

6. Security incident management

  • Both manual and automatic incident monitoring has been implemented by BIDMATIC in its systems;
  • Said incident monitoring is continuously kept up to the state of the art and checked for functionality;
  • Incident response workflows are defined, and incident report training is conducted based on said workflows.

7. Testing and evaluation procedures

  • Risk analysis is part of all new projects;
  • All code is checked into a version-controlled repository. Code changes are subject to peer review;
  • Deployment uses continuous integration testing, including automatic content security policy (cross-site scripting, clickjacking, and other code injection attacks) checks;
  • Projects are carefully tested by a dedicated team before going to production.

8. Data Disposal

Opt-out information is publicly available on BIDMATIC’s website.