Hubvisor DPA

Last Updated: January 1st, 2025

This Hubvisor Data Protection Addendum (this “DPA”) sets forth the terms pursuant to which (i) a Party (the “Disclosing Party”) may transmit, disclose, or otherwise make available Personal Data to the other Party (the “Receiving Party”) for the Processing Purposes further defined in Annex A and (ii) Receiving Party may Process such Personal Data received from the Receiving Party for the Processing Purposes (as defined below). This DPA is supplemented by the terms of the EEA/UK Data Protection Addendum (the “EEA/UK Schedule”). In the event of any dispute or conflict between this DPA and the EEA/UK Schedule, the EEA/UK Schedule shall prevail. This DPA is effective as of the effective date of the Master Terms (“Effective Date”) and shall remain in effect and shall survive the termination of the Master Terms and/or any Order Form entered into pursuant to the Master Terms.

Section 1.  Definitions.  For purposes of this DPA, the following terms will have the meaning ascribed below:

“Applicable Laws” means applicable laws, or governmental rules, regulations, or orders.

“CCPA” means the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.

“Children’s Data” means any data related to individuals under eighteen (18) years of age subject to regulation under Applicable Laws, including but not limited to the Children’s Online Privacy Protection Act of 1998 (“COPPA”), the UK Age-Appropriate Design Code, the California Age-Appropriate Design Code Act, or similar legislation.

“Consumer” means a “consumer,” “data subject,” or equivalents as defined under Applicable Laws.

“Data Breach” means any unauthorized access to, or use, loss, disclosure or other processing of data, including but not limited to, Personal Data, or as may be otherwise defined under Data Protection Laws, including, in the case of State Privacy Laws, a “breach of the security of the system,” “security breach,” “breach of security,” “breach of system security,” and other analogous terms.

“Data Protection Laws” means all applicable international, federal, state, and local data protection and privacy laws, rules, directives, regulations, orders, decrees, judgments, and governmental requirements currently in effect, or as they become effective, to the extent they apply to Personal Data processed by a Party under the Master Terms, including, as applicable, the State Privacy Laws and GDPR.

“EEA” means the European Economic Area.

“Personal Health Information” or “PHI” has the meaning ascribed to it under the Health Insurance Portability and Accountability Act, as amended, and implementing regulations and guidance related thereto.

“Precise Location Data” has the meaning set forth in Applicable Laws and where not defined under Applicable Laws, as defined by the NAI Guidance on Determining Whether Location is Imprecise, as updated from time to time and currently available at: https://thenai.org/wp-content/uploads/2021/07/nai_impreciselocation2.pdf.

“Processing Purposes” has the meaning set forth in Annex A attached hereto, as may be supplemented in an applicable Order Form.

“Security Incident” includes a real or suspected adverse event in relation to cybersecurity that results in unauthorized access, denial of service, disruption, unauthorized use of a computer resource for processing or storage of information or unauthorized changes to data or information.

“Sensitive Personal Data” means any data or information related to a Consumer defined as “sensitive personal data,” “sensitive personal information,” “special categories of data” or equivalents under Applicable Laws. For purposes of this Schedule, “Sensitive Personal Data” also means Children’s Data, PHI, and Precise Location Data.

“Specific Consent” means the Consumer permissions required under Applicable Laws for processing Sensitive Personal Data for the Processing Purposes and purposes specified in the Master Terms, including without limitation a clear, affirmative act signifying Consumer’s freely given, specific, informed, and unambiguous agreement to the processing of Sensitive Personal Data for such Processing Purposes.

“State Privacy Laws” means state privacy laws as applicable from time to time, including without limitation the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring of 2022, the Utah Consumer Privacy Act of 2022, and the Virginia Consumer Data Protection Act, in each case as amended and including any regulations promulgated thereunder.

“Supervisory Authority” means the relevant regulatory authority under applicable Data Protection Laws.

“Third Country” means any jurisdiction other than the jurisdiction in which the Disclosing Party is established, or if the Disclosing Party is established in the EEA, any jurisdiction outside the EEA.

“UK” means the United Kingdom.

“Controller”, “Processor”, “Personal Data” and “Process(-ing)” (or their analogous terms) shall have the meanings ascribed to them in the applicable Data Protection Laws.

Section 2.  Scope and Interpretation.

2.1 Unless otherwise defined in applicable Data Protection Laws or this DPA, all capitalized terms used in the DPA will have the meanings ascribed to them in the Master Terms.

2.2 This DPA will be interpreted and construed consistently with applicable Data Protection Laws. Where this DPA uses terms that are defined in applicable Data Protection Laws, those terms shall have the same meaning and shall be read and interpreted in light of the provisions of Data Protection Laws as applied to Personal Data in the relevant territory in which the Processing of Personal Data occurs and/or from which the Personal Data is sourced (as applicable). This DPA shall not be interpreted in a way that conflicts with rights and obligations provided for in applicable Data Protection Laws.

2.3 This DPA does not prevent the Parties from agreeing on additional clauses or safeguards, provided they do not contradict, directly or indirectly, this DPA or prejudice the rights or freedoms of data subjects.

2.4 Publisher shall not provide any Publisher Data to Hubvisor to the extent Publisher (i) has not received a Consumer’s Specific Consent, or (ii) has received a Consumer’s opt-out or other revocation of rights to use the Consumer’s Personal Information, each to the extent required pursuant to applicable Data Protection Laws.

2.5 In the event of a conflict between this DPA and any provision of the Master Terms or any Order Form, this DPA shall prevail, unless the Parties expressly agree to modify or deviate from the DPA in a writing signed by the authorized representatives of each Party that makes specific reference to the clause or provision of this DPA to be modified.

2.6 If any variation is required to this DPA as a result of a change in Data Protection Law, then either Party may provide written notice to the other Party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this DPA to address such changes, subject at all times to Hubvisor’s rights in accordance with Section 11.9 of the Master Terms.

2.7 Except as otherwise required by applicable Data Protection Laws or as set forth in this Section, the governing law and jurisdiction shall be the same as set out in the Master Terms, without regard to conflict of laws principles. Disputes or claims arising out of or relating to the processing of Personal Data subject to:

2.7.1 any matter concerning State Privacy Law shall be governed by the laws of the applicable state, provided that the exclusive place of jurisdiction for all disputes arising out of or in connection with a State Privacy Law shall be the state and federal courts of New York County, New York unless required by Applicable Laws;

2.7.2 any matter concerning EEA, UK, or APAC law shall be governed by the governing law, and disputes in connection therewith shall be subject to the exclusive jurisdiction of the courts, of (i) France should Publisher be based in the European Union (EU) or European Economic Area (EEA) or the Asia-Pacific area (APAC); (ii) the United Kingdom (London) should Publisher be based in the United Kingdom.

Section 3.  Roles.

3.1 Under this DPA, each Party acts as a separate and distinct independent Controller (or similarly applicable term under applicable Data Protection Laws (e.g., a Business under CCPA)).

3.2 In the event that any Disclosing Party, as a Processor on behalf of a Controller, provides Personal Data to Receiving Party, the Disclosing Party will ensure that the Controller on whose behalf it is providing Personal Data has agreed to the obligations set forth in Sections 4 and 6 of this DPA.

3.3 In the event that any Receiving Party, as a Processor on behalf of a Controller, receives Personal Data from Disclosing Party, the Receiving Party will ensure that the Controller on whose behalf it is receiving Personal Data has agreed to the obligations set forth in Sections 5 and 6 of this DPA.

3.4 Each Party may engage or use Processors, provided that the arrangement with their Processor (if any), is governed by a written contract which includes terms that provide the same level of protection for Personal Data as those set out in this DPA.

Section 4.  Disclosing Party's Obligations.

Disclosing Party will:

4.1.  Take all reasonable steps appropriate to ensure that the Personal Data it shares with the Receiving Party is accurate, complete, relevant and up to date and correct any errors in the relevant Personal Data as soon as practicable and communicate the rectifications to third parties, if applicable.

4.2.  Implement appropriate technical and organizational measures to ensure the security of the Personal Data while in transit to the Receiving Party.

4.3.  Provide all notices and obtain any consents, including Specific Consents (to the extent applicable), required by relevant Data Protection Laws necessary to permit each Party to Process Personal Data for the Processing Purposes.

4.4.  To the extent providing Personal Data originally collected by another Controller, (i) contractually obligate such Controller to provide all notices and obtain any consents, including Specific Consents (to the extent applicable), required by relevant Data Protection Laws necessary to permit each Party to Process Personal Data for the Processing Purposes, and (ii) take reasonable steps to ensure compliance with such contractual obligations.

4.5.  Notify the Receiving Party if it, or any applicable Processor, is, or believes it will be, unable to comply with the terms of this DPA and/or any relevant Data Protection Laws.

4.6.  Not transfer any Sensitive Personal Data to Receiving Party under any circumstances.

Section 5.  Receiving Party's Obligations.

Receiving Party will:

5.1.  Only Process the Personal Data in order to perform its obligations under the Master Terms and for the Processing Purposes.

5.2.  Ensure that any person acting under its authority in relation to the Personal Data, including a Processor, Processes the Personal Data only on the Receiving Party’s instructions and ensure such persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3.  Notify Disclosing Party as soon as reasonably practicable upon becoming aware of a Data Breach affecting Personal Data Processed in connection with the Master Terms.

5.4.  Not refer to Disclosing Party in any notification of a Data Breach to a Supervisory Authority or third party unless required to do so by law.

5.5.  Appoint an individual within Receiving Party's organization who will be responsible for ensuring that Receiving Party complies with its obligations regarding data protection as set out in the Master Terms and this DPA. The Receiving Party will make available this individual's contact details to Disclosing Party on Receiving Party's written request.

5.6.  Ensure that, in case Receiving Party engages a Processor for the Processing of Personal Data received from Disclosing Party, all necessary steps to facilitate compliance with requirements regarding the engagement of Processors under applicable Data Protection Laws are taken.

5.7.  Except as expressly permitted by the Master Terms, not retain, use or disclose Personal Data of the Disclosing Party for longer than necessary to serve the purposes set out in the Master Terms and in this DPA.

5.8.  Take reasonable steps to ensure that access to Personal Data is strictly limited to those individuals who need to know and access the relevant Personal Data of the Receiving Party, for the purposes of the Master Terms and this DPA, and to comply with Data Protection Laws.

Section 6.  Parties' Obligations

The Parties:

6.1.  Shall ensure the Personal Data is adequate, relevant and limited to what is necessary in relation to the Master Terms and the Processing Purposes.

6.2.  Shall cooperate with each other and provide assistance, to the extent reasonably requested, in relation to requests or complaints by Data Subjects, any inquiries or investigations conducted by any Supervisory Authority with respect to Personal Data.

6.3.  Shall comply with its respective obligations under the relevant Data Protection Laws with respect to the Processing of Personal Data, including having in place appropriate physical, technical and organizational measures which ensure a level of security as required under applicable Data Protection Laws.

6.4.  Shall, in case the Receiving Entity is established in a Third Country, take all necessary steps to facilitate compliance with requirements regarding transfers of Personal Data to such Third Country under applicable Data Protection Laws.

6.5.  Shall be responsible for their own reporting and information obligations related to Data Breaches as required by applicable Data Protection Laws.

6.6.  For the avoidance of doubt, each Party shall remain liable to the other Party for any and all acts or omissions by each Processor in relation to the Processing of Personal Data.

Section 7.  Security Incidents or Data Breach.

7.1.  Each Party (“First Party”) shall as soon as practicable after becoming aware of, or suspecting:

7.1.1. a Security Incident or Data Breach relating to the other Party’s (“Second Party”) Personal Data and to the extent that such data can be reasonably identified by the First Party as having been affected by the Security Incident or Data Breach; or

7.1.2. any violation of the Data Protection Laws caused by First Party, its employees, or third party contracted by it relating to the Second Party’s Personal Data and to the extent that such data can be reasonably identified by the First Party as having been affected by such violation,

but in any event within 24 hours of becoming aware or beginning to suspect, provide the Second Party with notice, including the nature, cause and consequences of such event, the remedial measures taken and to be taken, and further information and assistance as may be requested by the First Party in connection with the Security Incident or Data Breach.

7.2.  First Party shall co-operate with the Second Party and take steps as are directed by the Second Party to assist in the investigation, mitigation, and remediation of each such Security Incident or Data Breach.

7.3.  Each Party shall be responsible for their own reporting requirements of Security Incidents or Data Breaches to relevant Supervisory Authorities and individuals as required by applicable Data Protection Laws.

Section 8.  APAC Specific Undertakings

To the extent a Disclosing Party transmits, discloses, or otherwise makes available Personal Data to the Receiving Party for the Processing Purposes with respect to a Consumer located within the Asia Pacific region, this Section 8 shall control in the event of a conflict with other provisions of this DPA. The Parties shall only transfer or disclose Personal Data of the other Party to a Third Country (or, where the Disclosing Party is subject to the New Zealand Privacy Act 2020, to a Foreign Person or Entity (as defined in the Privacy Act 2020)) with the other Party’s prior written consent and in accordance with Data Protection Laws. Each Party shall provide prompt reasonable assistance to the other Party in connection with any and all personal data impact assessments and/or security assessments as required under applicable Data Protection Laws to transfer Personal Data to Third Countries and/or to third parties.

Section 9.  State Privacy Law Specific Undertakings

To the extent a Disclosing Party transmits, discloses, or otherwise makes available Personal Data to the Receiving Party for the Processing Purposes with respect to a Consumer subject to State Privacy Law, this Section 9 shall control in the event of a conflict with other provisions of this DPA.

9.1.  State Privacy Law Specific Terms.  For purposes of this Section 9, the following terms will have the meaning ascribed below:

9.1.1.  “Advertising Purposes” means all Restricted Purposes in addition to (i) activities that constitute Targeted Advertising or Cross-Context Behavioral Advertising under State Privacy Laws, including any processing that involves displaying ads to a Consumer that are selected based on the Consumer’s cross-context behaviors, (ii) creating or supplementing user profiles for such purposes, and (iii) the Processing Purposes.

9.1.2.  “Global Privacy Platform” or “GPP” means the IAB’s industry framework for the sharing of consent, opt-out or other Consumer flags or signals, including as made available by the IAB in Europe (“TCF”), the United States, Canada, and any other applicable territory, with technical specifications currently available at https://github.com/InteractiveAdvertisingBureau/Global-Privacy-Platform.

9.1.3.  “Restricted Processing” means Processing only for Restricted Purposes.

9.1.4.  “Restricted Processing Signal” means any flag or signal indicating that a Consumer has opted out of the Sale, Sharing, or Processing for purposes of Targeted Advertising of their Personal Data, including without limitation those flags or signals sent through the IAB CCPA Compliance Framework, Global Privacy Platform, or other signaling system agreed to by the Parties.

9.1.5.  “Restricted Purposes” means advertising-related Processing for the Processing Purposes and that qualifies as a Business Purpose under the State Privacy Laws, including Processing for purposes of auditing; security and integrity; debugging; short term, transient uses; analytics; providing advertising or marketing services that do not include Cross-Contextual Behavioral Advertising, Targeted Advertising, or profiling; internal research; and efforts to improve quality and safety. Restricted Purposes include the Processing Purposes and fraud detection and prevention, each only to the extent such activity (i) is permissible for a Processor to perform under the applicable State Privacy Laws; and (ii) does not result in a Sale or Sharing of Personal Data or constitute Processing of Personal Data for Targeted Advertising purposes.

9.1.6.  References in this Section 9 to “Business,” “Business Purpose,” “Commercial Purpose,” “Consumer,” “Controller,” “Cross-Context Behavioral Advertising,” “Deidentified,” “De-identified Data,” “Personal Data,” “Personal Information,” “Process(-ing)” “Processor,” “Sale,” “Sell,” “Service Provider,” “Share,” “Targeted Advertising” and “Third Party” shall have the meanings ascribed to them in applicable State Privacy Laws, respectively.

9.2.  Notwithstanding Section 3.1 above, if a Restricted Processing Signal is present or the purpose of the Processing is Restricted Processing, the Receiving Party shall act as a Processor and Process the Personal Data on behalf of Disclosing Party (which may operate as either the Controller or a Processor to another Controller).

9.3.  Each Party shall provide Consumers with a clear and conspicuous ability to opt out of (a) the Sale or Sharing of their Personal Data, or (b) the Processing of their Personal Data for purposes of Targeted Advertising, each of (a) and (b) in compliance with State Privacy Laws. If a Consumer opts out, Disclosing Party will (i) not Process such Consumer’s Personal Data for the Processing Purposes, including Targeted Advertising purposes, and (ii) will not disclose such Consumer’s Personal Data to any Third Party.

9.4.  Neither Receiving Party shall modify any Restricted Processing Signal received from a Disclosing Party.

9.5.  Each Party shall transmit all Restricted Processing Signals received in conjunction with Personal Data to any recipients of such Personal Data.

9.7.  CCPA Third Party Terms.

9.7.1.  This Section 9.7 applies only when the Receiving Party Processes Personal Data from the Disclosing Party (i) that is subject to the CCPA; and (ii) no Restricted Processing Signal is present.  To the extent a Restricted Processing Signal is present, the Disclosing Party shall not disclose or transfer any Personal Data related to such Consumer to the Receiving Party for any purposes whatsoever.

9.7.2.  Disclosing Party makes Personal Data available to Receiving Party only for Advertising Purposes. Receiving Party will Process Personal Data only for such Advertising Purposes, and in accordance with its obligations and any restrictions in the Master Terms.

9.7.3.  Receiving Party will comply with applicable obligations under the CCPA, including by providing an appropriate level of privacy protection as required by the CCPA, and will notify Disclosing Party without undue delay if Receiving Party determines it can no longer meet its obligations under the CCPA.

9.7.4.  Upon Disclosing Party’s reasonable request, Receiving Party will provide the following to Disclosing Party to demonstrate Receiving Party’s Processing of Personal Data consistent with Disclosing Party’s obligations under the CCPA:

9.7.4.1.  A copy of a certificate issued for security verification reflecting the outcome of an audit conducted by an independent third-party auditor; or

9.7.4.2.  Any other information the Parties agree is reasonably necessary for Disclosing Party to verify Receiving Party’s Processing is consistent with Disclosing Party’s obligations under the CCPA, such as an attestation.

9.7.5.  If Disclosing Party reasonably believes that Receiving Party is engaged in the unauthorized use of Personal Data provided by Disclosing Party, Disclosing Party may notify Receiving Party of such belief using the contact information provided in the Master Terms, and the Parties will work together in good faith to stop or remediate the allegedly unauthorized use of such Personal Data, as necessary.

9.8. If there is any inconsistency or conflict between this Section 9 and the Master Terms with respect to Processing of Consumers whose Personal Data is subject to a State Privacy Law, then this Section 9 will govern, regardless of

Schedule A: EEA/UK Data Protection Addendum

This EEA Data Protection Addendum (“EEA/UK Schedule”) sets forth additional terms governing the transfer of Personal Data by the Disclosing Party to the Receiving Party for the Processing Purposes further defined in Annex A and is applicable where the Disclosing Party is located within the EEA or where the transferred Personal Data is subject to the GDPR / due to its exterritorial effect under Art. 3 (2) GDPR / UK GDPR. This EEA/UK Addendum supplements and forms part of the DPA.

Section 1.  Definitions

“EU Restricted Transfer” means a transfer of Personal Data by Disclosing Party to the Receiving Party, in each case, where such transfer would be prohibited by GDPR and/or laws implementing or supplementing the GDPR in the absence of the protection for the transferred Personal Data provided by the EU Standard Contractual Clauses.

“EU Standard Contractual Clauses” means the standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority.

“GDPR” means the EU General Data Protection Regulation 2016/679 of the European Parliament of the Council.

“UK GDPR” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

“UK IDTA” means the International Data Transfer Agreement issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018, as amended or replaced from time to time by a competent authority.

“UK Restricted Transfer” means a transfer of Publisher Data that constitutes Consumer Personal Data by the Disclosing Party or any Disclosing Party Affiliate to the Receiving Party or any Receiving Party Affiliate (or any onward transfer), in each case, where such transfer would be prohibited by UK Data Protection Laws in the absence of the protection for the transferred Consumer Personal Data provided by the UK Standard Contractual Clauses.

“UK Standard Contractual Clauses” means, as applicable, (i) the EU Standard Contractual Clauses as amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner (“UK Addendum”), as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR; or (ii) the UK IDTA as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR.

Section 2.  Disclosing Party's Obligations.

Disclosing Party shall:

2.1.  Communicate to Receiving Party any rectification or erasure of personal data or restriction of Processing carried out in accordance with Art. 16, Art. 17 (1) and Art. 18 GDPR / UK GDPR unless this proves impossible or involves disproportionate effort.

2.2.  Communicate to Receiving Party any withdrawal of consent (Art. 7 (3) GDPR / UK GDPR) in relation to Personal Data which has been disclosed to Receiving Party.

2.3.  Not transfer any Sensitive Personal Data to Receiving Party under any circumstances.

Section 3.  Restricted Transfers.

Disclosing Party will:

3.1.  In respect of any EU Restricted Transfer, Disclosing Party (as “data exporter”) and Receiving Party (as “data importer”), with effect from the commencement of any relevant transfer, hereby enter into Module 1 of the EU Standard Contractual Clauses in respect of any transfer of Personal Data from Disclosing Party to Receiving Party and:

3.1.1.  Clause 7 – Docking clause of the EU Standard Contractual Clauses shall apply;

3.1.2.  Clause 11(a) – Redress of the EU Standard Contractual Clauses, the optional language shall not apply;

3.1.3.  Clause 13(a) – Supervision of EU Standard Contractual Clauses, the following shall be inserted:

Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

3.1.4.  Clause 17 – Governing law of the EU Standard Contractual Clauses “Option 1” shall apply, and the “Member State” shall be France;

3.1.5.  Clause 18 – Choice of forum and jurisdiction of the EU Standard Contractual Clauses the Member State shall be France (Paris);

3.1.6.  Annex 1 of the EU Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections of Appendix 1 to this EEA/UK Addendum and the processing operations are deemed to be those described in Annex A of the DPA;

3.1.7.  Annex 2 of the EU Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections of Appendix 2 to this DPA.

3.2.  In respect of any UK Restricted Transfer, Disclosing Party (as “data exporter”) and Receiving Party (as “data importer”), hereby enter into the UK Standard Contractual Clauses in respect of any transfer from Disclosing Party to the Receiving Party with Module 1 of the EU Standard Contractual Clauses applying between Disclosing Party and Receiving Party. The provisions of Sections 3.1 (a), (b) and (f) of this EEA/UK Addendum shall apply to the UK Addendum.

3.3.  The EU Standard Contractual Clauses made under Section 3.1 and the UK Standard Contractual Clauses made under Section 3.2 of this EEA/UK Addendum, shall come into effect on the commencement of the EU Restricted Transfer / UK Restricted Transfer to which the EU Standard Contractual Clauses / UK Standard Contractual Clauses relate.

Appendix 1: Description of the Processing

Part 1. List of Parties

Data exporter(s)

The Publisher identified in the Order Form. Publisher’s data protection officer and/or representative in the European Union/United Kingdom is as identified in the Order Form.

Data importer(s)

Hubvisor, a SAS incorporated in France (RCS n° 833 231 681). Hubvisor’s data protection officer and/or representative in the European Union/United Kingdom is:

DPO, dpo@hubvisor.io

Part 2. Description of Transfer

Categories of data subjects whose personal data is transferred: Consumers utilizing the Media owned, operated, or contractually controlled by Publisher.

Categories of personal data transferred: IP address, Device ID and Unique ID (either generated by Hubvisor or by a Bidder).

Sensitive data transferred (if applicable): N/A

Frequency of the transfer: On a continuous basis.

Nature of the processing: Collection, recording, organization, structuring, alteration, retrieval, consultation, disclosure by transmission, erasure or destruction

Purpose(s) of the data transfer and further processing: See Annex A of the DPA and the applicable Order Form.

Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The data will be retained for as long as required for the Processing Purposes and will be deleted immediately after.

Part 3.  Competent Supervisory Authority/ies.

Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of GDPR in accordance with its Art 3 (2) and has appointed a representative pursuant to Art. 27 (1) GDPR: The supervisory authority of the Member State in which the representative within the meaning of Art. 27 (1) GDPR is established shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of GDPR in accordance with its Art. 3 (2) without however having to appoint a representative pursuant to Art. 27 (2) GDPR: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored shall act as competent supervisory authority.

Appendix 2.  Technical and organizational measures.

Description of the technical and organizational measures implemented by the parties (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Hubvisor: www.hubvisor.io/legal/tom

Publisher: as mentioned in the Order Form

Annex A.  Processing Purposes.

Section 1.  This Annex A forms a part of the Master Terms and shall be binding on the Parties as supplemental terms in connection with the performance of any Order Form for the Services specified in this Annex A. Capitalized terms not defined herein shall have the meanings set forth in the Master Terms or the DPA.

Section 2.  The “Processing Purposes” means the following specific and limited purposes:

2.1.  The performance of all actions, processes, transfers, and other actions necessary to enable the Publisher’s full use of the Hubvisor Service, whether the Hubvisor Relay or the Hubvisor Prebid Server, or both, as well as any actions or services, including consulting services contemplated by the Master Terms and any Order Form entered into thereunder, including the onward transfer of all Publisher Data to Hubvisor’s Bidders, as necessary for Hubvisor to fulfil its contractual commitments to such Bidders, as a separate Controller under Applicable Law, including specifically the following:

2.1.1. Retrieval of end-user IP address and end-user specific user IDs (created by either Hubvisor, Publisher, Publisher’s Suppliers and/or Hubvisor’s Suppliers) from end-user device and/or Publisher

2.1.2. Transfer of said personal data to Consumer device and/or Hubvisor’s Suppliers (for consumers in EEA/UK, only if consent has been provided through Publisher)

2.1.3. Creation of fully anonymised aggregates for reporting and optimization purposes

2.1.4. No personal data is stored by Hubvisor beyond the time required to execute the tasks described above

and

2.2.  Any additional controller purposes specifically identified in an Order Form.
