Data Processing Addendum for Advertisers
The terms of this Data Processing Addendum for Advertisers (“DPA”) apply where Bidmatic Inc. (“Bidmatic”) and You (“Advertiser”) (each a “Party” and together the “Parties”) entered into a mutual agreement relating to the Terms of Services whereby either one or both of the Parties will be sharing Personal Data (as defined herein) with the other Party in order to provide and/or receive the Bidmatic Services (“Services”). This DPA shall be incorporated into the Terms of Services and shall be binding on the Parties.
1. CONFLICT
In the event of any conflict between the provisions of the Terms of Services and the provisions of this DPA, the provisions of this DPA shall take precedence.
2. DEFINITIONS AND INTERPRETATION
In this DPA, the following terms shall have the meanings set out below:
2.1. “Account” has the meaning set out in the Terms of Services.
2.2. “Agreed Purposes” means performing their respective actions under the Terms of Service to make available and receive the Services and to process the Shared Personal Data with other data provided by third parties as it considers necessary;
2.3. “Advertiser Property” means any advertising materials such as trademarks, logos, slogans, creative assets such as images or videos, and any other proprietary materials used in advertising, created by or for the Advertiser and accessible through the Bidmatic Services;
2.4. “Terms of Services” means the Terms of Services located on Bidmatic’s website via the link: https://bidmatic.io/tos;
2.5. “Applicable Laws” means the laws and regulations of any jurisdiction that may be applicable to the Personal Data, including a Member State of the European Union or the laws of the European Union applicable to the Parties and any other applicable law including but not limited to the Data Protection Legislation and the e-Privacy Legislation;
2.6. “Data Protection Legislation” means (i) the EU General Data Protection Regulation ((EU) 2016/679) as amended, replaced, or superseded from time to time and laws implementing or supplementing the GDPR; (ii) to the extent applicable, the data protection laws of any other country, including the United Kingdom; and (iii) the California Consumer Protection Act and other relevant US federal or state laws;
2.7. “Data Controller” has the meaning set out in the GDPR;
2.8. “Data Processor” has the meaning set out in the GDPR;
2.9. “Data Subject” has the meaning set out in the GDPR;
2.10. “e-Privacy Legislation” means (i) the EU Privacy and Electronic Communications Directive (2002/58/EC) as transposed into domestic legislation of each Member State as amended, replaced, or superseded from time to time; and (ii) to the extent applicable, the privacy laws of any other country, including the United Kingdom if and when the United Kingdom ceases to be a Member State;
2.11. “GDPR” means General Data Protection Regulation ((EU) 2016/679);
2.12. “Permitted Recipients” means the Party to this DPA, its employees, and any third-party processor engaged by such Party to process Personal Data for the Agreed Purpose;
2.13. “Personal Data” has the meaning set out in applicable law to the information collected, for example the GDPR when it is applicable to the data and the CCPA when subject to California law;
2.14. “Property” means a website, app, toolbar, plug-in, service, or other Internet-accessible destination within the remit of the Services provided under the Terms of Services;
2.15. “Shared Personal Data” means Personal Data relating to any Data Subject to be shared between the Parties, including IP address, device ID, etc.;
2.16. “Standard Contractual Clauses” means Module 1 (Controller to Controller) of the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 located at https://eur-lex.europa.eu/eli/dec_impl/2021/914.
2.17. “Tracking Technologies” means technologies used to store or gain access to data stored on a user’s device, including (as applicable), cookies, mobile SDKs, browser cache, unique identifiers, web beacons, pixels, and/or similar tracking technologies;
2.18. “US State Privacy Laws” means all state laws relating to the protection and processing of personal data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.
3. DATA PROTECTION
3.1. Scope of processing. Unless otherwise and separately agreed between the Parties, the Parties agree and understand that: (i) in connection with the Bidmatic Services, Bidmatic may collect data and transfer to Advertiser Data (including Personal Data) about or related to Data Subjects, as more particularly described in Annex A of this DPA; (ii) Bidmatic and its Publishers use Tracking Technologies in order to collect certain Data; and (iii) Bidmatic and Advertiser may process the Data for the purposes set forth by the Terms of Services and for any other purposes described in their Privacy Statements (“Permitted Purposes”).
3.2. Relationship of the parties. The Parties acknowledge that to the extent the Data is Personal Data, each party shall process such Data as an independent Controller only for the Permitted Purposes.
3.3. Shared Personal Data. A Party shall share (“Data Exporter”) the Shared Personal Data with the other Party (“Data Importer”) for the purpose of performing under provisions of the Terms of Services by the Parties. The Parties are separate and independent Data Controllers and in no event will the Parties process the Shared Personal Data as joint controllers.
3.4. Effect of non-compliance with Data Protection Legislation. Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Legislation, and any material breach of the Data Protection Legislation by one Party shall, if not remedied within 30 (thirty) days of written notice from the other Party, give grounds to the other Party to terminate this DPA with immediate effect.
3.5. The Data Exporter obligations. The Data Exporter shall: (a) ensure that it has all necessary notices and consents, where applicable, to enable the lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes, including but not limited to, any notices and consents required under the e-Privacy Legislation; (b) record, document, store and make available to the Data Importer upon request the legal bases and consents that are being relied on to request the Services; (c) when required, list the Data Importer, with a link to its privacy policy, in its list of vendors as a Data Controller with respect to the Services; and (d) give full information to any Data Subject whose Personal Data may be processed under the Terms of Services of the nature of such processing and their rights regarding such processing as required under the Data Protection Legislation.
3.6. The Data Importer obligations. The Data Importer shall: (a) only process the Shared Personal Data for the Agreed Purposes; (b) process the Shared Personal Data in accordance with Applicable Laws; (c) maintain appropriate technical and organizational measures for the protection, security, confidentiality and integrity of the Shared Personal Data; (d) notify the other Party within 72 hours of discovering a data incident involving the Shared Personal Data and fully cooperate with the Data Exporter to remedy the incident; (e) not disclose the Shared Personal Data to any third party unless permitted by the Data Exporter in writing and if such permission is granted, it shall ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this Data Processing Addendum; and (f) not retain the Shared Personal Data for longer than the period during which it has a legitimate need to retain the Shared Personal Data for or in connection with the Agreed Purposes.
3.7. US State Privacy Laws Compliance. For data of California residents, each party agrees to comply with California Consumer Protection Act (CCPA) and will employ reasonable efforts to provide a Do Not Sell My Information link on the home page of any Property where Shared Personal Data will be provided. For users who exercise the CCPA Do Not Sell right, each Party agrees to limit the uses of Shared Data as restricted by the CCPA. For data of Virginia residents, each party agrees to comply with Virginia Consumer Data Protection Act (VCDPA) and not to use “dark patterns” to obtain consumer consent. For data of New York residents, each party agrees to comply with New York Privacy Act (NYPA). For data of Washington residents, each party agrees to comply with Washington Privacy Act (WPA). For data of Colorado residents, each party agrees to comply with Colorado Privacy Act (CPA). The Parties are also obligated to comply with the Connecticut Data Privacy Act (CDPA) and the Utah Consumer Privacy Act (UCPA).
3.8. Industry Standards. Each Party will use reasonable efforts to provide or require partners to provide end users with notice of the use and sharing of Shared Personal Information and to provide end users with the ability to opt-out of the uses of Shared Personal Information for cross-contextual advertising, as defined by industry best practices.
3.9. Mutual assistance. Each Party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each Party shall:
3.9.1. if required, consult with the other Party about any notices given to Data Subjects in relation to the Shared Personal Data;
3.9.2. promptly inform the other Party about the receipt of any Data Subject access or deletion request or any other request permissible under applicable Data Protection Legislation;
3.9.3. provide the other Party with reasonable assistance in complying with any Data Subject access or deletion request;
3.9.4. inform the other Party before or after disclosing or releasing any Shared Personal Data in response to a Data Subject access request;
3.9.5. assist the other Party in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators;
3.9.6. notify the other Party without undue delay on becoming aware of any breach of the Data Protection Legislation;
3.9.7. use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from transfers of such Shared Personal Data;
3.9.8. maintain complete and accurate records and information to demonstrate its compliance with this paragraph; and
3.9.9. provide the other Party with contact details of at least one employee as a point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the Parties’ compliance with the Data Protection Legislation.
3.10. International Transfers. The Recipient Party shall not process, nor permit the processing of, any of the Shared Personal Data, in a territory outside the European Economic Area or the United Kingdom or Switzerland (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Data Protection Legislation. Such measures may include, without limitation, transferring the Shared Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, for internal transfers by a recipient that has achieved binding corporate rules authorization in accordance with Applicable Laws, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
3.11. Storage limitation. The Data Importer shall retain the Shared Personal Data for no longer than necessary for the purpose(s) determined according to the Terms of Services for which it is processed. It shall put in place appropriate technical and organizational measures to ensure compliance with this obligation, including the erasure or anonymization of the data and all backups at the end of the retention period.
3.12. Measures to ensure the security of processing. Each Party undertakes to observe the principles of due and proper data processing in accordance with Art. 32 in conjunction with Art. 5 (1) GDPR. Each Party shall take all necessary measures to safeguard the data and the security of the processing, in particular taking into account the state of the art, as well as to reduce possible adverse consequences for the affected parties. Measures to be taken include, in particular, measures to protect the confidentiality, integrity, availability, and resilience of systems and measures to ensure continuity of processing after incidents. In order to ensure an appropriate level of processing security at all times, each Party shall regularly evaluate the measures implemented and make any necessary adjustments. The Data Importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security. The Data Importer shall ensure that persons authorized to process the Shared Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. In the event of a personal data breach concerning personal data processed by the Data Importer under this DPA, the Data Importer shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects.
3.13. Noncompliance. If Data Exporter is unable to comply with its consent and notice obligations under the Terms of Services (including this DPA) in respect of the Shared Personal Data, the Data Exporter shall promptly notify Data Importer and cease the transfer until mitigation.
4. DATA TRANSFERS
4.1. Standard Contractual Clauses. The parties agree that when the transfer of Personal Data from Bidmatic (as Data Exporter) to Advertiser (as Data Importer) is a Restricted Transfer and European Data Protection Law applies, the transfer shall be subject to the Standard Contractual Clauses, which shall be deemed incorporated into and shall form part of this DPA, as follows:
(a) in relation to transfers of Personal Data protected by the GDPR, the Standard Contractual Clauses shall apply, completed as follows: (i) in Clause 7, the optional docking clause will apply; (ii) in Clause 11, the optional language will not apply; (iii) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by laws of Ireland; (iv) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (v) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex A to this DPA; and (vi) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex B to this DPA;
(b) in relation to transfers of Personal Data protected by UK Privacy Law, the Standard Contractual Clauses shall also apply completed in accordance with paragraph (a) above, but as modified and interpreted by Part 2: Mandatory Clauses of the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annexes A and B of this DPA and Table 4 in Part 1 shall be deemed completed by selecting “neither party”; and
(c) in relation to transfers of Personal Data protected by the Swiss DPA, the Standard Contractual Clauses shall also apply completed in accordance with paragraph (a) above, with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”; (iv) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (v) Clause 13(a) and Part C of Annex A are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner; (vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; (vii) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and (viii) Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
4.2. Adequacy Mechanisms. The terms of the Standard Contractual Clauses will not apply where and to the extent Bidmatic (as Data Exporter) and the applicable transfer of Personal Data are covered by an alternative, suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for Personal Data (provided that it is deemed legally valid in jurisdictions subject to European Data Protection Law), including any U.S. – EU cross-border data transfer program which supersedes the Privacy Shield (an “Adequacy Mechanism”). Where an Adequacy Mechanism applies, Bidmatic shall process the Personal Data in compliance with the Adequacy Mechanism and the Standard Contractual Clauses shall not apply.
4.3. Alternative Transfer Mechanisms. The Parties agree that if European Data Protection Law no longer allows the lawful transfer of Personal Data under the Standard Contractual Clauses and/or a relevant regulator or court of competent jurisdiction requires the parties to adopt additional measures (“Additional Measures”) or an alternative data export solution (“Alternative Transfer Mechanism”) to enable the lawful transfer of data outside of Europe and such requirements are not satisfied by an Adequacy Mechanism in line with the paragraph above (if applicable), both Parties agree to cooperate and agree any Additional Measures or Alternative Transfer Mechanism that may be required (but only to the extent such Additional Measures or Alternative Transfer Mechanism extend to the territories to which data is transferred).
4.4. It is not the intent of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses. Accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Terms of Services, including this DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict.
5. MISCELLANEOUS PROVISIONS
5.1. Contact. Advertiser shall notify Bidmatic of a representative within its organization authorized to respond from time to time to inquiries regarding the data and shall deal with such inquiries promptly. The representative within Bidmatic authorized to respond from time to time to inquiries regarding the data and who shall deal with such inquiries promptly can be contacted here: legal@Bidmatic.com.
5.2. Changes in Law. In the event that there is a change in the privacy requirements that apply to the processing of data, that would, in the reasonable opinion of a Party, require changes to the Bidmatic Services, the means by which the Bidmatic Services are provided or used and/or terms and conditions of this DPA, that Party reserves the right (acting reasonably) to request such changes; provided that, to the extent possible, the Party requesting the change will provide at least thirty (30) days prior notice (including by email or via Advertiser account on the Bidmatic Platform) of such changes and agrees to discuss such changes in good faith. If the requested changes will cause material harm to any Party (which includes for the avoidance of doubt, causing a Party to be in breach of European Data Protection Law) or materially alter any Party’s provision or use (as applicable) of the Bidmatic Services, such Party may terminate the effect of the Terms of Services for the affected Bidmatic Services upon written notice without liability for such termination.
5.3. Indemnity. Advertiser shall indemnify Bidmatic against all liabilities, costs, expenses, damages, and losses (including but not limited to any direct, indirect, or consequential losses, loss of profit, loss of reputation, and all interest, penalties, and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by Bidmatic arising out of or in connection with the breach of the Applicable Laws by the Advertiser, its employees or agents, provided that Bidmatic gives to the Advertiser prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and sole authority to manage, defend and/or settle it.
5.4. Security. Both Parties shall implement appropriate technical and organizational measures to protect the copy of the data in their possession or control (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the data.
5.5. General. With effect from the effective date, this DPA is part of and incorporated into the Terms of Services. To the extent there are any prior agreements with regard to the subject matter of this DPA, this DPA supersedes and replaces such prior agreements. This shall survive termination or expiry of the Terms of Services. Upon termination or expiry of the Terms of Services, the Parties may continue to process the data provided that such processing complies with the requirements of this DPA and the Applicable Laws. This DPA may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. This DPA may be executed by means of accepting the Terms of Services by the Advertiser upon registration on Bidmatic’s platforms and may be signed, scanned, and emailed, and any such copies shall be treated as original for all applicable purposes.
ANNEX A
Description of the Transfer
- List of Parties
Controller/ Data importer:
Name: | See the information in the Advertiser Account |
Address: | See the information in the Advertiser Account |
Contact person’s name, position and contact details: | See the information in the Advertiser Account |
Activities relevant to the data transferred under these Clauses: | See the Description of Data Transfer |
Signature and date: | See the information in the Advertiser Account |
Role (controller/processor): | Controller |
Controller / Data exporter:
Name: | Bidmatic, Inc. |
Address: | 16192 Coastal Hwy, City of Lewes, County of Sussex, 19958, DE, USA |
Contact person’s name, position, and contact details: | DPO, accessible at legal@bidmatic.io |
Activities relevant to the data transferred under these Clauses: | See the Description of Data Transfer |
Signature and date: | See the information in the Advertiser Account |
Role (controller/processor): | Controller |
- Description of Data Transfer
Defined terms are as set out in the Data Processing Addendum agreed between the parties.
Categories of data subjects | End users viewing ads in log files format with information; Advertiser’s employees and other personnel authorized to use Bidmatic Services. |
Categories of personal data | End Users data such as: location, age range, gender, User-agent or such device information (Demographic information); frequency of identifiers visiting and viewing with respect to advertising (Behavioral data); Bidmatic Personnel data: Contact details (name, email, telephone) and professional details (role). |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | End Users – Continuous. Bidmatic Personnel – Only where required to facilitate communication between the parties. |
Nature of the processing | Receipt, storage, use, and processing for the purpose of the Bidmatic Services provision and business relationships. |
Purpose(s) of the data transfer and further processing | End Users: For the Permitted Purposes (as defined in this DPA). Bidmatic Personnel: For business relationship and account management purposes. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | Until necessary for the provision of the Bidmatic Services. |
ANNEX B
Technical-organizational Measures
Version 1.5 as of June 24, 2022
Bidmatic Inc. (“BIDMATIC”) takes appropriate Technical and Organizational Measures to ensure a level of security appropriate to the risk of the processing of Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The implemented security measures include, but are not limited to:
1. Access security
- Strong passwords, based on a password policy, are used to provide access security;
- Information is stored in databases with state-of-the-art corresponding encryption.
2. Data integrity
Data integrity of information is guaranteed by a state-of-the-art database.
3. Organizational security
All applying workflows, information, and disciplinary consequences are also codified for employees in a comprehensible way.
4. Physical security
Where the physical storage location is not within the space of BIDMATIC but with a partner and/or another 3rd party, said partner and/or 3rd party is contractually obliged to fulfill the requirements according to the legislation applicable.
5. Network and data security
- Only secure communication channels are being used;
- Only those network protocols essential for the delivery of the organization’s service to its users are open.
6. Security incident management
- Both manual and automatic incident monitoring have been implemented by BIDMATIC in its systems;
- Said incident monitoring is continuously kept up to the state of the art and checked for functionality;
- Incident response workflows are defined, and incident report training is conducted based on said workflows.
7. Testing and evaluation procedures
- Risk analysis is part of all new projects;
- All code is checked into a version-controlled repository. Code changes are subject to peer review;
- Deployment uses continuous integration testing, including automatic content security policy (cross-site scripting, clickjacking, and other code injection attacks) checks;
- Projects are carefully tested by a dedicated team before going to production.
8. Data Disposal
Opt-out information is publicly available on BIDMATIC’s website.