DATA PROCESSING AGREEMENT

Last modified: October 18, 2022

This Data Processing Agreement (“DPA”) governs the Processing of Personal Data by Apester Ltd. and its Affiliates (“Apester”) of behalf of customer (“Customer”). This DPA forms an integral part of the agreement executed between the parties (“Agreement”) governing the Services provided by Apester to Customer. Capitalized terms used herein but not defined herein shall have the meanings ascribed to them in the Agreement. This DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data during the course of the engagement between the parties and under the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

WHEREAS, Apester provides to Customer an online marketing solution that enables embedding advertisements and interactive units onto Customer’s website(s) or application(s) (“Services”);

WHEREAS, the parties desire to supplement the Agreement to achieve compliance with the UK, EU, Swiss, United States and other data protection laws and agree on the following:

1. DEFINITIONS

1.1. “Adequate Country” is a country that an adequacy decision from the European Commission.

1.2. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. Seq.

1.3. “Controller“, “Processor“, “Data Subject“, “Personal Data“, “Processing” (and “Process“), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “Service Provider”, “Sale” and “Sell” shall have the same meanings as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to a “Consumer”. “Personal Data” shall also mean and refer to “Personal Information,” as such term is defined in the CCPA.

1.4. “Consent” means an End User informed and freely given consent, that meets the requirements stipulated under article 7 of the GDPR or under Purpose 1 of the IAB TCF Policy (as such term is defined below).

1.5. “Customer Data” means any and all Personal Data shared or otherwise collected by Apester’s system while providing its Services, as detailed in ANNEX I.

1.6. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations, including, where applicable, the Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations (“Israeli Law”), the EU Data Protection Law, Swiss Data Protection Laws, the UK Data Protection Law and the CCPA, as all may be amended or superseded from time to time.

1.7. “End User” means a human end user or a visitor of a Customer’s website or any other digital property operated by Customer.

1.8. “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) – (iii); and (iv) any legislation replacing or updating any of the foregoing.

1.9. “IAB Consent Management Framework” means the IAB tech labs’ technical specification for the GDPR transparency & consent framework.

1.10. “IAB TCF Policy” means the IAB Europe Transparency & Consent Framework – Policies Version 2020-11-18.3.2a available at: https://iabeurope.eu/wp-content/uploads/2020/11/TCF_v2-0_Policy_version_2020-11-18-3.2a.docx-1.pdf.

1.11. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other party’s Personal Data will comprise a Security Incident.

1.12. “Signal” as such term is defined under the IAB TCF Policy.

1.13. “Standard Contractual Clauses” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021 which is attached herein by linked reference: https://eur-ex.europa.eu/legalcontent/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.

1.9 “Swiss Data Protection Laws” or “FADP” shall mean the Swiss Federal Act on Data Protection of June 19, 1992, SR 235.1, and any other applicable data protection or privacy laws of the Swiss Confederation as amended, revised, consolidated, re-enacted or replaced from time to time, and to the extent applicable to the processing of Personal Data under the Agreement.

1.10. “Swiss SCC” shall mean the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner

1.11. ”UK Data Protection Laws” shall mean the Data Protection Act 2018 (DPA 2018), as amended, and EU General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as incorporated into UK law as the UK GDPR, as amended, and any other applicable UK data protection laws, or regulatory Codes of Conduct or other guidance that may be issued from time to time..

1.12. “UK GDPR” shall mean the GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time

1.13. “UK SCC” means the UK ‘International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers’, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State.

Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Law. A reference to any term or section of CCPA, UK Data Protection Laws or GDPR means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR and/or UK GDPR depending on the applicable Law.

2. RELATIONSHIP OF THE PARTIES

2.1. The parties acknowledge that in relation to all Customer Data, as between the parties, Customer is the Controller of Customer Data, and that Apester, in the course of providing the Services is acting as a Processor on behalf of the Customer. For the purpose of the CCPA (and to the extent applicable), Customer is the Business and Apester is the Service Provider. Customer further acknowledges that Apester is a Vendor as such term is defined under the IAB TCF Policy.

2.2. The purpose, subject matter and duration of the Processing carried out by Apester on behalf of the Customer, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in ANNEX I attached hereto.

3. REPRESENTATIONS AND WARRANTIES

3.1. The Customer represents and warrants that: (i) its Processing instructions shall comply with applicable Data Protection Law; and (ii) it will comply with Data Protection Law, specifically with regards to the lawful basis principal for Processing Personal Data and all applicable CCPA provisions.

3.2 Customer acknowledges and agrees that Apester’s Services are dependent and based upon End User’s Consent that shall be obtained by Customer and which Apester relies on, amongst others, in its capacity as a Vendor. Customer also acknowledges that it shall be able to demonstrate such Consent at any time and represents that such Consent is existed. In addition, Customer will be able to support transmission of Consent and opt out parameters, as further detailed in Annex VII. Apester shall not be liable with respect to the obtaining of any required consent or with respect to the Signal provided by the Customer and shall transfer the Signal “as is” and as it was provided to Apester by the Customer as further reflected in Annex VII.

3.3. Customer represents and warrants that any ad request will include the applicable Consent parameter and the Signal so that any returned content will be lawfully served. Applicable Consent parameter will be determined by Customer as per the supported consent management Parameters that are detailed in Annex I, as may be updated from time to time by Apester or by its advertising partners. Apester, as the tech provider, has no control over such parameters or over the Signal and shall not be responsible for any parameter or Signal that was unlawfully or misleadingly sent by Customer, nor liable for any damage or damages resulted by it.

3.4. Apester represents and warrants that it: (i) shall process Personal Data, as set forth under Article 28(3) of the GDPR, on behalf of the Customer, solely for the purpose of providing the Service, and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with Customer’s written instructions including the Agreement and this DPA; (ii) in the event Apester is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Personal Data other than as instructed by Customer, it shall inform the Customer of such requirement prior to Processing such Personal Data, unless prohibited under applicable law; and (iii) shall provide reasonable cooperation and assistance to Customer in ensuring compliance with its obligation to carry out data protection impact assessments with respect to the processing of Personal Data and to consult with the supervisory authority (as applicable).

3.5. Apester shall take reasonable steps to ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Personal Data; (ii) that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) that such personnel are aware of their responsibilities under this DPA and any applicable Data Protection Laws.

3.6. If the EU Data Protection Law or the CCPA do not apply to the Customer, then Customer must abide by any other Data Protection Law and data security laws and regulations that are applicable to it, and at a minimum Customer shall: (i) obtain and maintain any and all authorizations, permissions and informed consents, as may be necessary under applicable laws and regulations, in order to allow the Processor to lawfully collect, handle, retain, process and use the processed data within the scope of the Services; (ii) substantiate the legal basis and legitimize, pursuant to applicable law, any and all Personal Data or personally identifiable information transferred through the Services; (iii) have, properly publish and abide by an appropriate privacy policy that complies with all applicable Data Protection Law.

4. RIGHTS OF DATA SUBJECTS AND THE PARTIES’ COOPERATION OBLIGATIONS

4.1. It is agreed that where Apester receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by Apester, where relevant, it will direct the Data Subject or the applicable authority to the Customer in order to allow the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.

4.2. Where applicable, Apester shall assist the Customer in ensuring that Personal Data Processed is accurate and up to date, by informing the Customer without delay if it becomes aware of the fact that the Personal Data it is Processing is inaccurate or has become outdated.

5. DO NOT SELL PERSONAL INFORMATION

It is hereby agreed that any sharing of Personal Information between the parties is made solely in order to fulfill a Business Purpose and Vidazoo does not receive or process any Personal Information as consideration for the Services. Notwithstanding the above, the process of sharing the Personal Information by the Company with advertisers may be considered a Sale under the CCPA. The Customer is therefore solely liable for its compliance with the CCPA with respect to its use of the Services. It is the Customer’s sole responsibility and liability to determine whether the sharing or transferring of Personal Information of Consumers during the course of the Services constitutes a Sale of Personal Information and it is also the Customer’s responsibility to comply with the applicable CCPA requirements in this regard, including providing a “Do Not Sell” signal for end users who have exercised their right to opt out, where applicable.

6. SUB-PROCESSOR

6.1. The Customer acknowledges that Apester may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). The Customer hereby, authorizes Apester to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub Processor on its behalf. Apester may continue to use those Sub-Processors already engaged by it, as listed in ANNEX III, and subject to the provision of a 30-day prior notice to the Customer, Apester may engage an additional or replace an existing Sub-Processor to process Personal Data. In case the Customer has not objected to the adding or replacing of a Sub-Processor in the allotted time period, such Sub Processor shall be considered as approved by the Customer. In the event the Customer objects, it may, under Apester’s sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement.

6.2. Apester shall, where it engages any Sub-Processor, impose, through a legally binding contract between Apester and the Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor (“Contract”). Apester shall ensure that the Contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Law.

6.3. Apester shall remain fully responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with the Agreement. Apester shall notify the Customer of any failure by the Sub-Processor to fulfil its contractual obligations.

7. TECHNICAL AND ORGANIZATIONAL MEASURES

7.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Apester shall implement appropriate physical, technical and organizational measures to protect the Customer Data as required under Data Protection Laws to ensure lawful processing of Customer Data and safeguard Customer Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction. The parties acknowledge that security requirements are constantly changing and that effective security requires the frequent evaluation and regular improvement of outdated security measures.

7.2. For more information on Apester’s security measures please see ANNEX II attached hereto.

8. SECURITY INCIDIENT

8.1. Apester shall notify the Customer upon becoming aware of any confirmed Security Incident involving the Customer’s Data in Apester’s possession or control, as determined by Apester in its sole discretion. Apester shall, in connection with any Security Incident affecting the Customer Data: (i) take such steps as necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the Customer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority; (iv) keep the Customer informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) cooperate with the Customer and assist Customer with the Customer’s obligation to notify affected individuals in the case of a Security Incident.

8.2. Apester’s notification regarding or response to a Security Incident under this Section 8 shall not be construed as an acknowledgment by Apester of any fault or liability with respect to the Security Incident.

9. AUDIT RIGHTS

9.1. Apester shall respond promptly and adequately with respect to any inquiries from the Customer regarding the Processing of Personal Data in accordance with this DPA. Apester shall make available to the Customer all information necessary to demonstrate compliance with the obligations under the EU Data Protection Law.

9.2. Apester shall make available, solely upon prior written notice and no more than once per year (except for in the case of a Security Incident), information necessary to reasonably demonstrate compliance with this DPA to a reputable auditor nominated by the Customer, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Apester may object to an auditor appointed by the Customer in the event Apester reasonably believes that the auditor is not suitably qualified or independent, is a competitor of Apester or otherwise unsuitable (“Objection Notice”). The Customer will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Apester. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Apester’s premises, equipment, personnel and business. Any and all conclusions of such Audit shall be confidential and reported back to Apester immediately.

10. DATA TRANSFER

10.1. Transfers from the EEA, the UK or Switzerland to non-adequate third countries. Where the GDPR, UK GDPR or the Swiss FADP is applicable, if the Processing of Personal Data by Apester (or by a Sub-Processor) includes transfer of Personal Data (either directly or through an onward transfer) to a third country outside the EEA, the UK and Switzerland that is not an Adequate Country, such transfer shall only occur if an appropriate safeguard approved by the applicable Data Protection Law (the GDPR (Article 46), UK GDPR (Article 46) or Swiss FADP (as applicable)) for the lawful transfer of Personal Data under is in place.

10.2. If Apester or its Sub-processor relies on the Standard Contractual Clauses to facilitate a transfer to a third country that is not an Adequate Country, then:

10.2.1. transfer of Personal Data from the EEA the terms set forth in Annex IV shall apply.

10.2.2. transfer of Personal Data from the UK, the terms set forth in Annex V shall apply; and

10.2.3. transfer of Personal Data from Switzerland, the terms set forth in Annex VI shall apply.

11. CONFLICT

In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.

12. TERM & TERMINATION

12.1. This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates. The Customer shall be entitled to suspend the Processing of its Customer’s Data in the event that Apester is in breach of Data Protection Laws, the terms of this DPA all in accordance with a binding decision of a competent court or the competent supervisory authority.

12.2. Apester shall be entitled to terminate this DPA or terminate the Processing of Customer Data in the event that Processing of Personal Data under the Customer’s instructions or this DPA infringe applicable legal requirements. Such termination shall be subject to informing the Customer and the Customer insists on compliance with the instructions.

12.3. Following the termination of this DPA, Apester shall, at the choice of the Customer, delete all Customer’s Personal Data processed on behalf of the Customer and certify to the Customer that it has done so, or otherwise, return all Customer’s Data to the Customer and delete existing copies unless applicable law or regulatory requirements requires that Apester continue to store the Customer’s Personal Data. Until the Personal Data is deleted or returned, Apester shall continue to ensure compliance with this DPA.

ANNEX I
DETAILS OF PROCESSING

This Annex I include certain details of the Processing of the Customer Data as required by Article 28(3) GDPR.

Categories of Data Subjects:

(i) End users / Data Subject that viewed targeted and personalized ads provided in the Platform by third party advertisers which are placed on the Publisher inventory; (ii) End users interacting with the Apester Units; and (ii) Customer’s authorized users

Categories of Personal Data:

Online IDs such as: (i) a unique identifier stored on an end-user’s device, (ii) a unique identifier generated on the basis of device information, or (iii) a resettable advertising ID associated with a mobile device or an application;

And the Contact Information of the Customer’s authorized users.

Special Categories of Personal Data:

Not Applicable

Process Frequency:

The Personal Data is transferred on a continuous basis.

Nature of the processing:

hosting, transferring, testing and optimization.

Purpose(s) of Processing:

Processing carried out in connection with the provision of the services of displaying interactive content through the Customer’s digital assets and placing personalized targeted ads

Retention Period:

as long as it remains necessary for the purposes set forth above, subject to applicable laws, and to the Customer’s request.

ANNEX II
TECHNICAL AND ORGANISATIONSL MEASURES

1. Implement and maintain current and appropriate technical and organizational measures to protect Company Data against accidental, unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, disclosure or access;

2. Provide third-party attestation of static or dynamic application security testing or penetration testing on all software Processing Company Data, remediate any identified high vulnerabilities prior to delivery to Company, provide written remediation plans for medium and low vulnerabilities, and provide evidence of its remediation of any identified security vulnerabilities at Company’ request;

3. Maintain a level of security appropriate to the harm that may result from any unauthorized or unlawful Processing or accidental loss, destruction, damage, denial of service, alteration or disclosure, and appropriate to the nature of Company Data;

4. Oblige its employees, agents or other persons to whom it provides access to Company Data to keep it confidential; take reasonable steps to ensure the integrity of any employees who have access to Company Data; provide annual training to staff and subcontractors on the security requirements contained herein;

5. Maintain measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of Service Provider’s systems and services;

6. Maintain a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing of Company Data, regularly testing such measures to validate their appropriateness and effectiveness, and implementing corrective action where deficiencies are revealed by such testing;

7. Log all individuals’ access to and activities on systems and at facilities containing Company Data. Upon Company’s request, and subject to applicable laws and the Service Providers retention policy, Service Provider will provide a report detailing a list of authorized users, their associated privileges, status of accounts, and history of activities;

8. For passwords applicable to Service Provider’s access, adhere to password policies for standard and privileged accounts consistent with industry best practices; protect both Service Providers and Company user accounts with access to Company Data using multi-factor authentication (e.g., using at least two different factors to authenticate such as a password and a security token or certificate);

9. Store and transmit Company Data using strong cryptography, consistent with industry best practices, and pseudonymize Personal Data where appropriate;

10. If connection is permitted by Company, only connect to Company’s networks via Virtual Private Network (VPN), without split tunneling, and utilizing strong cryptography consistent with industry best practices;

11. Ensure that only those Service Provider’s personnel who need to have access to Company Data are granted access, such access is limited to the least amount required, and only granted for the purposes of performing obligations under this DPA. Service Provider shall conduct access reviews upon each individual’s scope of responsibility change, Service Provider’s staffing change or other change impacting Service Provider’s personnel access to Company Data;

12. Maintain a physical security program that is consistent with industry best practices;

13. Ensure that any storage media (whether magnetic, optical, non-volatile solid state, paper, or otherwise capable of retaining information) that captures Company Data is securely erased or destroyed before repurposing or disposal;

14. Measures and assurances regarding US government surveillance (“Additional Safeguards”):

Apester agrees and hereby represents it maintains, and will continue to maintain, the following additional safeguards in connection with any Personal Data transferred under this Annex:

a) Apester maintains industry standard measures to protect the Personal Data from interception (including in transit from Customer to Apester and between different systems and services). This includes maintaining encryption of Personal Data in transit and at rest.

b) Apester will make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the UK GDPR, including (if applicable) under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”).

c) If Apester becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempt or demand to gain access to or a copy of the Personal Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, Apester shall: inform the relevant Authority that Apester is a Processor of the Personal Data and that Customer, as the Controller has not authorized Apester to disclose the Personal Data to the Authority; inform the relevant Authority that any and all requests or demands for access to the Personal Data should be directed to or served upon Customer in writing; and use reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the Apester’s control.

d) Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the related Authority’s intended access to Personal Data, Apester has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, these subsections shall not apply. In such event, Apester shall notify Customer, as soon as possible, following the access by the Authority, and provide Customer with relevant details, unless and to the extent legally prohibited to do so.

Apester will inform Customer, upon written request (and not more than once a year), of the types of binding legal demands for Personal Data Apester has received and complied with, including demands under national security orders and directives, specifically including any process under Section 702 of FISA.

ANNEX III
List of Sub-Processors

ANNEX IV
EU INTERNATIONAL TRANSFERS AND SCC

2. The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Personal Data from the EEA to other countries that are not deemed as Adequate Countries.

3. Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the transfer is effectuated by Customer as the data controller of the Personal Data and Apester is the data processor of the Personal Data.

4. The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and the Apester (as Data Importer), the following shall apply:

a) Clause 7 of the Standard Contractual Clauses shall not be applicable.

b) In Clause 9, option 2 (general written authorization) shall apply and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in the Sub-Processing Section of the DPA.

c) In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.

d) In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Customer is established (where applicable).

e) In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction.

5. Annex I.A of the Standard Contractual Clauses shall be completed as follows:

5.a.1. “Data Exporter“: Customer

5.a.2. “Data Importer“: Apester

5.a.3. Roles: (A) With respect to Module Two: (i) Data Exporter is a data controller and (ii) the Data Importer is a data processor.

5.a.4. Data Exporter and Data Importer Contact details: As detailed in the Agreement.

5.a.5. Signature and Date: By entering into the Agreement and DPA, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

6. Annex I.B of the Standard Contractual Clauses shall be completed as follows:

a) The purpose of the processing, nature of the processing, categories of data subjects, categories of personal data and the parties’ intention with respect to the transfer of special categories are as described in Annex I (Details of Processing) of this DPA.

b) The frequency of the transfer and the retention period of the personal data is as described in Annex I (Details of Processing) of this DPA.

c) The sub-processor which personal data is transferred are listed in Annex III.

7. Annex I.C of the Standard Contractual Clauses shall be completed as follows: the competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 3 above.

8. Annex II of this DPA (Technical and Organizational Measures) serves as Annex II of the Standard Contractual Clauses.

9. Annex III of this DPA (List of Sub-processors) serves as Annex III of the Standard Contractual Clauses.

ANNEX V
UK INTERNATIONAL TRANSFERS AND SCC

1. The parties agree that the terms of the Standard Contractual Clauses as amended by the UK Standard Contractual Clauses, and as amended in this Annex V, are hereby incorporated by reference and shall apply to transfer of Personal Data from the UK to other countries that are not deemed as Adequate Countries.

2. This Annex V is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country in reliance on Article 46 of the UK GDPR and with respect to data transfers from controllers to processors or from the processor to its sub-processors.

3. Terms used in this Annex V that are defined in the Standard Contractual Clauses, shall have the same meaning as in the Standard Contractual Clauses.

4. This Annex V shall (i) be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.

5. Amendments to the UK Standard Contractual Clauses:

5.1. Part 1: Tables

5.1.1. Table 1 Parties: shall be completed as set forth in Section 4 within Annex IV above.

5.1.2. Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in Section 2 and 3 within Annex IV above.

5.1.3. Table 3 Appendix Information:

Annex 1A: List of Parties: shall be completed as set forth in Section 2 within Annex IV above.

Annex 1B: Description of Transfer: shall be completed as set forth in Annex I above.

Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: shall be completed as set forth in Annex II above.

Annex III: List of Sub processors: shall be completed as set forth in Annex III above.

5.1.4. Table 4 Ending this Addendum when the Approved Addendum Changes: shall be completed as “neither party”.

ANNEX VI
SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY

The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to Swiss Data Protection Law, and specifically the FDPA:

• The term ’Member State’ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.

• The clauses in the DPA protect the Personal Data of legal entities until the entry into force of the Revised Swiss FDPA.

• All references in this DPA to the GDPR should be understood as references to the FDPA insofar as the data transfers are subject to the FDPA.

• References to the “competent supervisory authority”, “competent courts” and “governing law” shall be interpreted as Swiss Data Protection Laws and Swiss Information Commissioner, the competent courts in Switzerland, and the laws of Switzerland (for Restricted Transfers from Switzerland).

• In respect of data transfers governed by Swiss Data Protection Laws and Regulations, the EU SCCs will also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws and Regulations until such laws are amended to no longer apply to a legal entity.

• The competent supervisory authority is the Swiss Federal Data Protection Information Commissioner

Annex VII
Consent Management Parameters

CaseAction
CMP IAB Framework parameters availableCustomer will pass the GDPR and CONSENT parameters to Apester’s player based on the Apester’s technical documentation available at Apester’s Platform and Apester will pass the parameters and Signal accordingly to the advertisers “as is”.
CMP IAB Framework parameters are not availableCustomer will initiate the call to Apester’s player without any special parameters and Apester will make a call to its advertisers without passing any special parameters. In this case some advertisers will treat the ad Request as the consent has been granted and process the request by serving personalized or contextual ads, while others will not process the request.