Data Processing Addendum

 

This Data Processing Addendum (including its Exhibits) (“Addendum”) forms part of and is subject to the Agreement agreed to by and between 9TH WONDER GLOBAL, LLC (“Service Provider”) and __________________________ (“Client”).

1. Subject Matter and Duration.

a) Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Privacy Laws concerning the Processing of Client Personal Data in connection with Service Provider’s execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.

b) Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement. Service Provider will Process Client Personal Data until the relationship terminates as specified in the Agreement.

2. Definitions.

For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.

a) “Client Personal Data” means Personal Data Processed by Service Provider on behalf of Client to provide the Services.

b) “Data Privacy Laws” means the applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Client Personal Data are subject. “Data Privacy Laws” may include, but are not limited to, the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; the United Kingdom Data Protection Act 2018; the California Consumer Privacy Act of 2018 (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, Connecticut’s Act Concerning Data Privacy and Online Monitoring, and the Utah Consumer Privacy Act (in each case as supplemented by implementing regulations and as amended, adopted, or superseded from time to time).

c) “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Privacy Laws.

d) “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

e) “Security Incident(s)” means the breach of security leading to the unauthorized acquisition or compromise of Client Personal Data attributable to Service Provider.

f) “Services” means the services that Service Provider performs under the Agreement.

g) “Subprocessor(s)” means Service Provider’s authorized vendors and third-party service providers that Process Client Personal Data.

3. Processing Terms for Client Personal Data.

a) Documented Instructions. Service Provider shall Process Client Personal Data to provide the Services in accordance with the Agreement, this Addendum, any applicable Statement of Work, and any instructions agreed upon by the parties. Service Provider will, unless legally prohibited from doing so, inform Client in writing if it reasonably believes that there is a conflict between Client’s instructions and applicable law or otherwise seeks to Process Client Personal Data in a manner that is inconsistent with Client’s instructions. At Client’s instruction, Service Provider may interact with third-party companies that provide targeted or cross-contextual behavioral advertising services to Client, including through Media Buying Services, Third Party Contracts, and Social Media Services (collectively “Third Party Providers”). Notwithstanding any other provision of this DPA or the Agreement, as between the parties, Client is solely responsible for determining whether the disclosure of Personal Data to, or by, Service Provider to such Third Party Providers is subject to an opt-in right, opt-out right, or similar right under Data Privacy Laws; and Client agrees to provide data subjects with all notice and choices as required by Data Privacy Laws in such instances and provide a mutually agreed upon signal to Service Provider or the applicable Third Party Provider for any data subject who has exercised their Data Protection rights.

b) Authorization to Use Subprocessors. To the extent necessary to fulfill Service Provider’s contractual obligations under the Agreement, Client hereby authorizes Service Provider to engage Subprocessors.

c) Service Provider and Subprocessor Compliance. Service Provider shall (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Client Personal Data that imposes on such Subprocessors data protection requirements for Client Personal Data that are consistent with this Addendum; and (ii) remain responsible to Client for Service Provider’s Subprocessors’ failure to perform their obligations with respect to the Processing of Client Personal Data.

d) Right to Object to Subprocessors. Where required by Data Privacy Laws, Service Provider will notify Client via email prior to engaging any new Subprocessors that Process Client Personal Data and allow Client ten (10) days to object. If Client has legitimate objections to the appointment of any new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection.

e) Confidentiality. Any person authorized to Process Client Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.

f) Personal Data Inquiries and Requests. Where required by Data Privacy Laws, Service Provider agrees to provide reasonable assistance and comply with reasonable instructions from Client related to any requests from individuals exercising their rights in Client Personal Data granted to them under Data Privacy Laws.

g) Prohibited Uses of Personal Data. Service Provider shall not (i) sell or share Client Personal Data as the terms “sell” or “share” are defined by the CCPA or (ii) retain, use, combine, or disclose Client Personal Data for any purpose other than as described in this Addendum or permitted under Data Privacy Laws.

h) Data Protection Impact Assessment and Prior Consultation. Where required by Data Privacy Laws, Service Provider agrees to provide reasonable assistance at Client’s expense to Client where, in Client’s judgement, the type of Processing performed by Service Provider requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities. Client shall reimburse Service Provider for non-negligible costs incurred specifically to provide Client services under this section.

i) Demonstrable Compliance. Upon Client’s reasonable request, Service Provider agrees to provide information reasonably necessary to demonstrate compliance with this Addendum and permit Client to take reasonable steps to stop and remediate unauthorized use of Client Personal Data.

j) Service Optimization. Service Provider may Process Client Personal Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; (iii) to protect against fraudulent or illegal activity; and (iv) as otherwise permitted by Data Privacy Laws.

k) Aggregation and De-Identification. Service Provider may: (i) compile aggregated and/or de-identified information in connection with providing the Services provided that such information cannot reasonably be used to identify Client or any data subject to whom Client Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.

4. Information Security Program.

a) Security Measures. Service Provider shall use commercially reasonable efforts to implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Client Personal Data.

5. Security Incidents.

a) Notice. Upon becoming aware of a Security Incident, Service Provider agrees to provide written notice without undue delay and within the time frame required under Data Privacy Laws to Client. Where possible, such notice will include all available details required under Data Privacy Laws for Client to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.

6. Cross-Border Transfers of Client Personal Data.

a) Cross-Border Transfers of Client Personal Data. Client authorizes Service Provider and its Subprocessors to transfer Client Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.

b) Appropriate Transfer Mechanism. If Client Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Client to Service Provider in a country that has not been found to provide an adequate level of protection under applicable Data Privacy Laws, the parties agree that the transfer shall be governed by an appropriate legal mechanism providing adequate safeguards, which shall be the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce (collectively “the US DPF”). 9th Wonder Global, LLC has certified to the US DPF. If the US DPF is not available as an appropriate safeguard for a transfer, then the parties agree to the Standard Contractual Clauses Module Two’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Standard Contractual Clauses”) as supplemented by Exhibit A attached hereto, the terms of which are incorporated herein by reference. Each party’s signature to the Agreement shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.

7. Audits.

a) Client Audit. Where Data Privacy Laws afford Client an audit right, Client (or its appointed representative) may carry out an audit of Service Provider’s policies, procedures, and records relevant to the Processing of Client Personal Data. Any audit must be: (i) conducted during Service Provider’s regular business hours; (ii) with reasonable advance notice to Service Provider; (iii) carried out in a manner that prevents unnecessary disruption to Service Provider’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of a government authority having proper jurisdiction.

8. Client Personal Data Deletion.

a) Data Deletion. At the expiry or termination of the Agreement, Service Provider will delete all Client Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Service Provider’s data retention schedule), except where Service Provider is required to retain copies under applicable laws, in which case Service Provider will isolate and protect that Client Personal Data from any further Processing except to the extent required by applicable laws.

9. Client’s Obligations. Client represents and warrants that: (i) it has complied and will comply with Data Privacy Laws; (ii) it has provided data subjects whose Client Personal Data will be Processed in connection with the Agreement with a privacy notice or similar document that clearly and accurately describes Client’s practices with respect to the Processing of Client Personal Data; (iii) it has obtained and will obtain and continue to have, during the Term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Client Personal Data as contemplated by the Agreement; and (iv) Service Provider’s Processing of Client Personal Data in accordance with the Agreement will not violate Data Privacy Laws or cause a breach of any agreement or obligations between Client and any third party.

10. Processing Details.

a) Subject Matter and Business Purpose. The subject matter and business purpose of the Processing is the Services pursuant to the Agreement and the applicable Statement of Work entered thereunder.

b) Duration. The Processing will continue until the expiration or termination of the Agreement.

c) Categories of Data Subjects. Data subjects whose Client Personal Data will be Processed pursuant to the Agreement, including customers and potential customers of Client.

d) Nature and Purpose of the Processing. The purpose of the Processing of Client Personal Data by Service Provider is the performance of the Services.

e) Types of Client Personal Data. Client Personal Data that is Processed pursuant to the Agreement to enable the performance of the Services.

EXHIBIT A TO THE DATA PROCESSING ADDENDUM

This Exhibit A forms part of the Addendum and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Exhibit A have the meaning set forth in the Addendum.

The parties agree that the following terms shall supplement the Standard Contractual Clauses:

1. Supplemental Terms. The parties agree that: (i) a new Clause 1(e) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Privacy Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must submit the request for specific authorization in accordance with Section 3(d) of the Addendum; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).

2. Annex I. Annex I to the Standard Contractual Clauses shall read as follows:

A. List of Parties

Data Exporter: Client.

Address: As set forth in the Notices section of the Agreement.

Contact person’s name, position, and contact details: Client’s Account Management Contact under the Agreement.

Activities relevant to the data transferred under these Clauses: The Services.

Role: Controller.

Data Importer: Service Provider.

Address: As set forth in the Notices section of the Agreement.

Contact person’s name, position, and contact details: Service Provider’s Client’s Account Management Contact under the Agreement.

Activities relevant to the data transferred under these Clauses: The Services.

Role: Processor.

B. Description of the Transfer:

Categories of data subjects whose personal data is transferred: The categories of data subjects whose personal data is transferred under the Clauses including, but not limited to, Client’s customers and potential customers.

Categories of personal data transferred: The categories of personal data transferred under the Clauses including, but not limited to, Contact Information such as name, email, account number, address, phone number; online identifiers such as IP address, device ID, advertising ID, etc.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: The parties agree that no sensitive or special categories of personal data will be transferred under the Agreement.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.

Nature of the processing: The Services.

Purpose(s) of the data transfer and further processing: The Services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with the Addendum.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

Data importer will provide its list of subprocessors upon data exporter’s written request.

C. Competent Supervisory Authority: The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.

D. Additional Data Transfer Impact Assessment Questions:

Will data importer process any personal data under the Clauses about a non-United States person that is “foreign intelligence information” as defined by 50 U.S.C. § 1801(e)?

Not to data importer’s knowledge.

Is data importer subject to any laws in a country outside of the European Economic Area, Switzerland, and/or the United Kingdom where personal data is stored or accessed from that would interfere with data importer fulfilling its obligations under the Clauses? For example, FISA Section 702. If yes, please list these laws:

Not to data importer’s knowledge.

Has data importer ever received a request from public authorities for information pursuant to the laws contemplated by the question above? If yes, please explain:

As of the effective date of the Addendum, no court has found data importer to be eligible to receive process issued under the laws contemplated by this question, including FISA Section 702, and no such court action is pending. Further, individuals may seek independent redress through the Data Protection Review Court, which is comprised of members from outside the US government and has powers to investigate and remediate complaints from EU, UK, and Swiss residents.

Has data importer ever received a request from public authorities for personal data of individuals located in the European Economic Area, Switzerland, and/or the United Kingdom? If yes, please explain:

No.

E. Data Transfer Impact Assessment Outcome: Taking into account the information and obligations set forth in the Addendum and, as may be the case for a party, such party’s independent research, to the parties’ knowledge, the personal data originating in the European Economic Area, Switzerland, and/or the United Kingdom that is transferred pursuant to the Clauses to a country that has not been found to provide an adequate level of protection under applicable Data Privacy Laws is afforded a level of protection that is essentially equivalent to that guaranteed by applicable Data Privacy Laws.

F. Clarifying Terms: The parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Clauses will be provided upon data exporter’s written request; (ii) the measures data importer is required to take under Clause 8.6(c) of the Clauses will only cover data importer’s impacted systems; (iii) the audit described in Clause 8.9 of the Clauses shall be carried out in accordance with Section 7 of the Addendum; (iv) where permitted by applicable Data Privacy Laws, data importer may engage existing subprocessors using European Commission Decision C(2010)593 Standard Contractual Clauses for Controllers to Processors and such use of subprocessors shall be deemed to comply with Clause 9 of the Clauses; (v) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Clauses will be limited to the termination of the Clauses; (vi) unless otherwise stated by data importer, data exporter will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Clauses; (vii) the information required under Clause 15.1(c) of the Clauses will be provided upon data exporter’s written request; and (viii) notwithstanding anything to the contrary, data exporter will reimburse data importer for all costs and expenses incurred by data importer in connection with the performance of data importer’s obligations under Clause 15.1(b) and Clause 15.2 of the Clauses without regard for any limitation of liability set forth in the Agreement.

3. Annex II. Annex II of the Standard Contractual Clauses shall read as follows:

Data importer shall use commercially reasonable efforts to implement and maintain appropriate technical and organizational measures designed to protect personal data in accordance with the Addendum.

Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the Addendum.

4. Annex III. A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:

The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.

Table 1: The start date in Table 1 is the effective date of the Addendum. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.

Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the Addendum.

Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.

Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.