DATA PROCESSING AGREEMENT
Last modified: October 31st 2021
This Data Processing Agreement (“DPA”) is an integral part of the Service Agreement executed between Apester and the Customer (as defined in the applicable master services agreement “MSA” or “Agreement” signed between the parties). Capitalized terms not defined herein shall have the respective meanings given to them in the Agreement. This DPA sets forth the Parties’ responsibilities and obligations regarding the Processing of Personal Data or Personal Information during the course of the engagement between the Parties.
1.1. “Adequate Country” is a country that has received an adequacy decision from the European Commission.
1.2. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
1.3. “Controller”, “Processor”, “Personal Data”, “Data Subject”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law. The terms “Personal Information”, “Business”, “Business Purpose”, “Consumer”, “California Consumer”, “Service Provider” and “Sell” shall have the meaning ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer” as such term is defined in the CCPA. “Personal Data” shall also mean “Personal Information” for the purpose of this DPA.
1.4. “IAB TCF Policy” means the IAB Europe Transparency & Consent Framework – Policies Version 2020-11-18.3.2a available at: https://iabeurope.eu/wp-content/uploads/2020/11/TCF_v2-0_Policy_version_2020-11-18-3.2a.docx-1.pdf.
1.5. “ID” means (i) a unique identifier stored on an end-user’s device, (ii) a unique identifier generated on the basis of a device’s information, or (iii) an online identifier associated with a particular device.
1.6. “Customer Data” means Personal Information or Personal Data which is processed by Apester solely on behalf of Customer, as detailed in ANNEX I.
1.7. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations, including, where applicable, EU Data Protection Law and the CCPA, and including, where applicable, the Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017, and other related privacy regulations (“Israeli Law”), all as may be amended or superseded from time to time.
1.8. “EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (v) any legislation replacing or updating any of the foregoing.
1.9. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach will comprise a Security Incident.
1.10. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021, which is attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.
1.11. “UK GDPR” means the Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
1.12. “UK SCC” means where the UK GDPR applies, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or UK.
2. RELATIONSHIP OF THE PARTIES
2.1. The parties acknowledge that the Customer is the Controller of the Customer Data and Apester, in providing the Service is acting as a Processor on behalf of Customer. For the purpose of the CCPA (and to the extent applicable), the Customer is the Business, and Apester is the Service Provider. Personal Data may be collected and stored by Apester’s advertisers as part of the Services, however, such advertisers shall not be considered to be Company’s Sub-Processors.
2.2. The purpose, subject matter, and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data, and categories of Data Subjects are described in ANNEX I attached hereto.
3.2. Apester represents and warrants that (i) it shall process the Personal Data on behalf of Customer, solely for the purpose of providing the Services and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with Customer’s written instructions, including as set forth in the Agreement and this DPA; and (ii) in the event Apester is required under applicable laws to Process Customer Data other than as instructed by Customer, Apester shall make its best efforts to inform Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law.
3.3. Apester shall take reasonable steps to ensure (i) the reliability of its staff and any other person acting under its supervision who may come into contact with or otherwise have access to and Process the Customer Data; (ii) that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) that such personnel are aware of their responsibilities under this DPA and any Data Protection Laws.
3.4. The Customer acknowledges that Apester is a Vendor as defined under the IAB TCF Policy. As between the parties, the Customer undertakes, accepts and agrees that the Data Subjects do not have a direct relationship with Apester and that Apester relies on Customer’s lawful basis (as required under applicable Data Protection Law), including in Apester’s capacity as a Vendor. In the event consent is needed in accordance with the Data Protection Law or under Purpose 1 of the IAB TCF Policy, the Customer shall ensure that it obtains a proper act of consent from Data Subjects, unless it has a legal exemption to not obtain such consent in accordance with Purpose 1 of the IAB TCF Policy. Furthermore, the Customer will maintain and display all necessary and appropriate notices in accordance with applicable Data Protection Law and other relevant privacy requirements in order to allow it to Process Personal Data and enable the lawful transferring and Processing of Personal Data to and by advertisers. Customer shall also, where applicable, provide the Data Subjects with the ability to opt out of the abovementioned Processing. In the event a Data Subject’s consent is required under Data Protection Law or pursuant to the IAB TCF Policy, Customer shall be fully responsible to support and transmit to Apester, through the Services, the Signal (as such term is defined under the IAB TCF Policy), the parameters of the Data Subject’s consent, or the opt-out settings, as applicable. The Customer shall maintain a record of all consents obtained from Data Subjects, which shall include: (i) the time and date that the consent was obtained; (ii) the information presented to the Data Subject in connection with their consent; (iii) details of the mechanism used to obtain consent; and (iv) a record of the same information included in (i)-(iii) above in relation to all withdrawals of consent by each Data Subject.
Customer shall make these records available to Apester promptly upon request. Apester shall not be liable with respect to the obtaining of any required consent or with respect to the Signal provided by the Customer, and shall transfer the Signal “as is” and as it was provided to Apester by the Customer.
4. DATA SUBJECT RIGHTS
4.1. When Apester receives a request from a Data Subject (“DSR”) or a request from an authority, with respect to Customer Data, Apester will, unless otherwise required under applicable laws, direct the Data Subject or the authority to the Customer in order to enable the Customer to respond directly. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a DSR.
4.2. Where applicable, Apester shall assist the Customer to ensure that Customer Data Processed is accurate and up to date by informing the Customer without delay if Apester becomes aware that the Customer Data it is processing is inaccurate or has become outdated.
5. DO NOT SELL PERSONAL INFORMATION
6.1. Customer acknowledges that Apester may transfer Personal Data to and otherwise interact with third-party data Processors (“Sub-Processors”). The Customer hereby authorizes Apester to engage and appoint such Sub-Processors to Process Personal Data, and permits each Sub-Processor to appoint a Sub-Processor on its behalf. Apester may continue to use those Sub-Processors already engaged by Apester, as listed in ANNEX III, and Apester may engage an additional or replace an existing Sub-Processor to process Personal Data subject to providing 30 days’ prior notice to the Customer. In case the Customer has not objected to the addition or replacement of a Sub-Processor, such Sub-Processor shall be considered as approved by the Customer. In the event the Customer objects, in good faith, its sole remedy is to terminate the Agreement.
6.2. Apester shall, where it engages any Sub-Processor, impose on the Sub-Processor, through a legally binding contract between Apester and the Sub-Processor, data protection obligations no less onerous than those set out in this DPA. Apester shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Protection Law.
6.3. Apester shall remain fully responsible for the performance of the Sub-Processors’ obligations, and shall notify the Customer of any failure by a Sub-Processor to fulfill its contractual obligations.
7. TECHNICAL AND ORGANIZATION MEASURES
7.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Apester shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and in accordance with best industry practices to protect data from a Security Incident. The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvement of outdated security measures. Technical and organizational measures implemented by Apester to ensure an appropriate level of security.
7.2. The security measures are further detailed in ANNEX II.
8. SECURITY INCIDENT
8.1. Apester will notify Customer upon becoming aware of any confirmed Security Incident involving Customer Data, as determined by Apester in its sole discretion. Apester will, in connection with any Security Incident affecting Customer Data: (i) take needed steps to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) cooperate with the Customer and provide Customer with needed assistance and information as it may reasonably require in connection with the Security Incident; (iii) notify Customer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority; (iv) keep the Customer informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) cooperate with the Customer and assist Customer, at the Customer’s expense, with the Customer’s obligation to notify affected individuals if required.
8.2. Apester’s notification regarding or response to a Security Incident under this Section 8 shall not be construed as an acknowledgment by Apester of any fault or liability with respect to the Security Incident.
9. AUDIT RIGHTS
9.1. Apester shall respond to inquiries from the Customer regarding the Processing of Personal Data in accordance with this DPA and, further, shall make available to the Customer all information necessary to demonstrate compliance with the obligations under the EU Data Protection Laws.
9.2. Apester shall make available, solely upon prior written notice and no more than once per year, unless in the event of a Security Incident, to a reputable auditor nominated by Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Apester may object to an auditor appointed by Customer in the event Apester reasonably believes the auditor is not suitably qualified or independent, is a competitor of Apester, or otherwise unsuitable (“Objection Notice”). The Customer will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Apester. The Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall), over the course of such Audit, avoid causing any damage, injury, or disruption to Apester’s premises, equipment, personnel, and business. Any and all conclusions of such an Audit shall be confidential and reported back to Apester immediately.
9.3. Any information obtained under this Section 9 shall be deemed Confidential Information and is subject to the confidentiality obligations set forth in the Agreement.
10. DATA TRANSFER
10.1. The Customer acknowledges and agrees that, in order to provide the Services, Apester might transfer (or access) Customer Data from countries outside the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), Switzerland and the United Kingdom (“UK”), as detailed herein.
10.2. The parties acknowledge that EU Data Protection Law does not require Standard Contractual Clauses or an alternative transfer solution in order for Customer Data to be processed in or transferred to an Adequate Country (“Permitted Transfers”).
10.3. In the event the Processing includes transferring of Personal Data from the EEA, Switzerland or the UK to other countries, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Apester for the lawful transfer or processing of Personal Data outside the EEA, Switzerland or the UK, as applicable, or are not exempt under Article 49 of the GDPR (collectively, “Restricted Transfer”), the following shall apply:
10.3.1. In order to maintain the integrity, security and confidentiality of the Personal Data, a Restricted Transfer shall be subject, in addition to the terms of this DPA, to the terms and obligations of the Module II of the Standard Contractual Clauses in which Apester shall be deemed as the Data Importer and the Customer shall be deemed as the Data Exporter.
10.3.2. The purpose and description of the transfer shall be detailed in ANNEX I.
10.3.3. The UK SCC shall incorporate ANNEX I, II and III herein.
10.4. The Customer further agrees that where Apester engages a Sub-Processor, and those processing activities include a Restricted Transfer, Apester and the Sub-Processor shall be bound by the Standard Contractual Clauses in which Apester shall be deemed as the Data Exporter and the Sub-Processor shall be deemed as the Data Importer. For the purposes of such engagement, Apester and the Sub-Processor will enter into Module III of the Standard Contractual Clauses.
10.5. Subject to Clause 13 of Standard Contractual Clauses, Apester agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Standard Contractual Clauses. Notwithstanding the above the UK SCCs shall be governed by the laws of England and Wales.
10.6. Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) are further detailed in ANNEX II.
11.1. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
12. TERM & TERMINATION
12.1. This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates. The Customer shall be entitled to suspend the Processing of Customer Data in the event Apester is in breach of Data Protection Laws, this DPA or a binding decision of a competent court or the competent supervisory authority.
12.2. Apester shall be entitled to terminate this DPA or terminate the Processing of Customer Data in the event the Processing of Personal Data under the Customer’s instructions or this DPA infringes applicable legal requirements. Such termination shall be subject to Apester having informed the Customer and the Customer insisting on compliance with the instructions.
12.3. Following termination of this DPA, Apester shall, at the choice of the Customer, delete the Customer Data processed on behalf of the Customer and certify to the Customer that it has done so, or return all the Customer Data to the Customer and delete existing copies, unless applicable law or regulation requires the storage of the Customer Data. Until the data is deleted or returned, Apester shall continue to ensure compliance with this DPA.
DETAILS OF PROCESSING AND TRANSFERRING OF CUSTOMER PERSONAL DATA
This ANNEX I includes certain details of the Processing of Customer Data as required by Article 28(3) GDPR and details of transferring Personal Data subject to the Standard Contractual Clauses and the UK SCC.
Categories of data subjects whose personal data is processed or transferred:
End users of Customer’s Digital Assets, interacting with the Platform.
Categories of personal data processed and transferred:
Depending on the Services obtained by the Customer (i.e., IBP, CHP, SEM etc.) the following categories may be applicable:
- IDs – such as the end-user’s IP address, UDID, Cookie ID and Session ID.
- Information provided voluntarily by the end users of Customer’s Digital Assets while interacting with the Content Unit.
Sensitive data processed or transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Nature of Purpose(s) for the processing and transferring:
Analytics and optimization
Purpose(s) for which the Personal Data is processed or transferred on behalf of the controller:
The Customer Data is processed by Apester on behalf of the Customer to provide the Services under the MSA and for internal operations.
Duration of the processing:
Processing shall be carried out in connection with the provision of the Services. The duration shall be for the duration of the Term.
For transfers to (sub-) Processors, also specify subject matter, nature and duration of the processing.
Sub-Processors are used to provide hosting services and enable the provision of the Services by the Company.
TECHNICAL AND ORGANISATIONAL MEASURES
(I) GENERAL BACKGROUND:
This Technical and Organizational Measures Annex sets out the measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services, the measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, the measures taken for user identification and authorization as well as the measures taken for the protection of data during storage and during transmission.
The following policies are maintained by the Company in order to ensure the measures set forth above; the policies are updated on an ongoing basis and reviewed annually for gaps:
- Information Security
- Security Incident Response
- Vulnerability Management
- Policy Management and Maintenance
- Data Request
- System Access
- Business continuance and disaster recovery
SYSTEM ACCESS CONTROL
Company’s database is accessible only by a minimal number of Company employees and personnel, all accessible only from within the Company office. The personal data processed and stored by Company is based on cloud services, and access is granted through personal user authentication. Access to systems is restricted and is based on procedures to ensure appropriate approvals are provided solely to the extent required. In addition, remote access and wireless computing capabilities are restricted and require both user and system safeguards. The systems are also protected, and solely authorized employees may access the systems by using a designated password. In addition to password login, two-factor authentication (“2FA”) provides an added layer of security to Apester’s database.
PHYSICAL ACCESS CONTROL
The measures for ensuring physical security of locations at which Personal Data are processed include security measures implemented in Company’s office (alarm system, security cards, CCTV, etc.) and the physical security measures taken by Company’s hosting providers. The Company secures access to its offices and ensures that solely authorized persons, such as employees, have access. All visitors to the Company facilities are accompanied by Apester employees at all times. Company works with Google Cloud Platform and MongoDB as its main storage and hosting processors; Google’s security policy is available here. MongoDB’s security policy is available here. When the Personal Data is transferred to the applicable servers it is always done in a secure and encrypted manner, with encryption by default, at rest and in transit. AWS undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SSAE 16-compliant SOC 2 certification and ISO 27001 certification.
DATA ACCESS CONTROL
All access to a database, system or storage is solely through an authorization hierarchy and password protection with two-factor authentication. Further, access to the Personal Data is restricted to solely the employees that “need to know” and is protected by passwords and user names. Access to the Personal Data is secured and is tightly managed by access control policies. The Company uses high-level security measures to ensure that the Personal Data will not be accessed, modified, copied, used, transferred or deleted without specific authorization. The Company audits any and all access to the database, and any unauthorized access is immediately reported and handled. Each employee is able to perform actions solely according to the permissions determined by the Company. Each access is logged and monitored, and any unauthorized access is automatically reported. Further, Company has an ongoing review of which employees have authorizations, to assess whether access is still required. Company revokes access immediately upon termination of employment. Authorized individuals can solely access Personal Data that is established in their individual profiles.
ORGANIZATIONAL AND OPERATIONAL SECURITY
The Company educates its employees, service providers, consultants and contractors and raises awareness of risk and assessment with regard to any processing of Personal Data. Internal security testing is done on a regular basis. Further measures for internal IT and IT security governance and management have been taken, and the Company’s IT team ensures the security of all hardware and software by installing all updates needed, installing anti-malware software on computers to protect against malicious use and malicious software, as well as virus detection on endpoints, email attachment scanning, system compliance scans, information handling options for the data exporter based on data type, network security, system and application vulnerability scanning, use of secured email transfer, etc. It is the responsibility of the individuals across the Company to comply with these practices and standards.
Apester conducted a transfer impact assessment (“TIA”) identifying all transfers of Personal Data and is able to share the TIA upon Customer’s request. The purpose of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of these data or during their transport or storage in the applicable data center. Further, any and all transfers of the data (either between the servers, from Customer side to server side, or between Company’s designated partners) are secured (HTTPS) and encrypted. Default encryption is implemented in transit and at rest.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident were implemented by the Company and include an automated backup procedure. The Company has a backup concept which includes automated daily backups. Periodic checks are performed to determine that the backups have occurred. The Company has also implemented Business Continuity plans and Disaster Recovery policies so that in the event of a disaster Apester will be able to continue to provide the services.
Customer Personal Data and raw data are all deleted as soon as possible or as legally applicable. Usually, the data is provided by the Customer for the purpose of providing the services by Apester and is deleted upon termination of the contractual obligations. However, certain data, such as financial data, is required to be retained for a longer period of time.
Employees, Customers, vendors and applicable processors are all signed on to binding agreements, all of which include applicable data provisions and data security obligations. As part of the employment process, employees undergo a screening and are provided with access to the database solely upon training, to ensure they are well educated and responsible enough to handle the Personal Data. Employees are bound to comply with this Security Policy in addition to internal security policies and procedures, and breaking or not complying with such shall result in disciplinary actions. To ensure the employees stay educated and up to date with applicable policies and legislation, the Company holds annual compliance training which includes data security education.
DATA SUBJECT REQUEST
The Company has an online mechanism to enable individuals to submit a data subject request (“DSR”) and, further, the Company has implemented internal policies to handle DSRs subject to applicable data protection laws and contractual obligations.
Company has ensured all documents, including without limitation agreements, privacy policies, online terms, etc., are compliant with the Data Protection Regulations, including by implementing Data Processing Agreements and, where needed, Standard Contractual Clauses (either pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021, which is attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN, or pursuant to the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or UK).
Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) have been implemented due to the EU Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems decision (“Schrems II”); these measures include the following:
- Encryption both in transit and at rest;
- As of the date of this DPA, Sentry has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II decision.
- No court has found Apester to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
- Apester shall not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance).
- Apester shall use all available legal mechanisms to challenge any demands for data access through national security process that Sentry receives, as well as any non-disclosure provisions attached thereto.
- Apester will notify Customer if Apester can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.
Google Cloud Platform
MongoDB Atlas