Last updated: October 2023
TStack, Inc., hereinafter referred to as TrustedStack (“TrustedStack”) and the counterparty (“Company”) agreeing to this Data Protection Addendum (this “Addendum”) have entered into an agreement for the provision of the Services, as amended from time to time (the “Agreement”). This Addendum establishes the Parties’ relationship and obligations with respect to personal data accessed in accordance with the services provided to Company under the Agreement (the “Services”). TrustedStack and Company are each from time to time referred to herein as a “Party” and collectively as the “Parties”. Capitalized terms used but not defined herein have the meanings given in the Agreement.
- “Applicable Data Law” means all data protection and privacy laws, regulations and self-regulatory codes applicable to the personal data in question, including, where applicable, the CCPA, the CPA, the CTDPA, the UCPA, the VCDPA, European Data Law, the LGPD, and all applicable regulations and binding guidelines, decisions, orders, and interpretations by the U.S. Federal Trade Commission (“FTC”) and any other applicable laws, rules and regulations with respect to data privacy, including but not limited to Industry Regulations.
- The “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as amended, including without limitation any and all applicable implementing regulations.
- The “CPA” means the Colorado Privacy Act, Senate Bill 21-190 (2021), as amended, including without limitation any and all applicable implementing regulations.
- The “CTDPA” means the Connecticut Data Protection Act, Senate Bill 6 (2022), as amended, including without limitation any and all applicable implementing regulations.
- The “UCPA” means the Utah Consumer Privacy Act, Senate Bill 227 (2022), as amended, including without limitation any and all applicable implementing regulations.
- The “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code §§ 59.1-575 et seq., as amended, including without limitation any and all applicable implementing regulations.
- “European Data Law” means (i) the EU General Data Protection Regulation 2016/679 (“EU GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s (“UK”) European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iv) the Swiss Federal Act on Data Protection 1992 (“Swiss DPA”); and (v) any and all applicable national laws made under or pursuant to (i), (ii), (iii) and (iv); in each case as may be amended or superseded from time to time.
- “Industry Regulations” means all applicable, then-current industry self-regulatory rules, regulations, codes and guidelines for online behavioral targeting and privacy compliance, including those issued by the Interactive Advertising Bureau (IAB), IAB Europe’s EU Transparency and Consent Framework, the Network Advertising Initiative (NAI) Code of Conduct, the Digital Advertising Alliance (DAA) Principles, the EASA Best Practice Recommendation on Online Behavioral Advertising, administered by the European Interactive Digital Advertising Alliance, the Australian Digital Advertising Alliance’s (ADAA) Best Practice Guideline for Online Behavioral Advertising, and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework.
- The “LGPD” means the Lei Geral de Proteção de Dados (Law No. 13.709/2018), as amended, including without limitation any and all applicable implementing regulations.
- “Restricted Transfer” means (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; (iii) where the Swiss DPA applies, a transfer of personal data from Switzerland to any other country which is not determined to provide adequate protection for personal data by the Federal Data Protection and Information Commission or Federal Council (as applicable); and (iv) where another Applicable Data Law applies, a cross-border transfer of personal data from that jurisdiction to any other country which is not based on adequacy regulations pursuant to that Applicable Data Law.
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. For the avoidance of doubt, any personal data breach constitutes a Security Incident.
- “SCCs” means the standard contractual clauses (i) where the EU GDPR or Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”); and (iii) where another Applicable Data Law applies, the standard contractual clauses or other appropriate cross-border transfer mechanisms approved by an appropriate data protection authority or similar body that is adopted or permitted under that Applicable Data Law.
- “business”, “consumer”, “controller”, “processor”, “data subject”, “processing” (and “process”), “recipient”, “sale”, “sensitive data”, “service provider”, “sharing” (and “share(s)”), and “third party” shall have the meanings given in Applicable Data Law.
- “personal data” shall mean any information or data that constitutes “personal information,” “personal data,” “personally identifiable information,” or a similar term defined under Applicable Data Law.
- Purpose. Each Party shall disclose or make available personal data to the other Party for the sole purpose provided in Schedule 1 to this Addendum (the “Purpose”). The Parties are acting as separate and independent data controllers and not as joint controllers or as a data controller and data processor.
- Other Measures. Each Party shall be individually and separately responsible for complying with the obligations that apply to it under Applicable Data Law. Without limiting the foregoing, each Party shall (i) conduct and document a data protection assessment that satisfies the requirement of Applicable Data Law; and (ii) implement and maintain appropriate technical and organizational measures for safeguarding the processing of personal data that are appropriate to the risk and designed to be sufficient under Applicable Data Law.
- COPPA. Each Party shall comply with the Children’s Online Privacy Protection Act and other applicable laws related to the collection, use, and other processing of the data of children as defined under the law of the relevant jurisdiction to the extent they are applicable to such Party’s activities. Neither Party shall sell the personal data of a consumer if such Party has actual knowledge the consumer is less than 16, unless the consumer, in the case of consumers at least 13 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of that consumer’s personal data.
- Ownership. Nothing in this Addendum shall be construed to convey any ownership interest or license in personal data that is contrary to the ownership interests and licenses set forth in the Agreement.
- Regulatory Matters. Each Party agrees to (i) promptly notify the other Party in writing of any question, complaint, investigation, inquiry, warrant, subpoena or proceedings from or brought by any public, governmental, and/or judicial agency or authority (each, a “Regulatory Request”) that relates either (A) to such other Party’s processing of personal data in relation to the Services, or (B) to either Party’s potential failure to comply with Applicable Data Law; and (ii) comply with any written litigation hold, document preservation notice, or similar legal hold requested by the other Party in connection with any Regulatory Request, lawsuit, or other claim, except to the extent required by applicable law.
- Security Incidents. If a Party suffers a confirmed Security Incident with respect to personal data disclosed from the other Party, such Party shall notify the other Party without undue delay and the Parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
3. Restricted Transfers.
The Parties agree that when the transfer of personal data under the Agreement is a Restricted Transfer, the SCCs shall be incorporated into this Addendum by this reference and apply to such Restricted Transfer, with each Party being deemed to have entered into the SCCs as follows:
- EU SCCs. In relation to personal data that is protected by the EU GDPR, the EU SCCs shall apply completed as follows: (i) Module One shall apply; (ii) Company shall ensure that the information called for by Section II, Clause 8.2(a) of the EU SCCs, as well as a copy of the EU SCCs, are supplied free of charge to all data subjects; (iii) in Clause 7, the optional docking clause shall not apply; (iv) in Clause 11, the optional language shall not apply; (v) in Clause 17, Option 1 shall apply, and the EU SCCs shall be governed by Irish law; (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this Addendum; and (viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 to this Addendum.
- UK SCCs. In relation to personal data that is protected by the UK GDPR, the UK SCCs will apply completed as follows: (i) as set out above in Section 3.a of this Addendum and the EU SCCs shall be deemed amended as specified by Part 2 of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018 (“UK Addendum”) in respect of the transfer of such personal data; and (ii) tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above at Section 3.a (as applicable), in Schedule 1 and Schedule 2 of this Addendum and table 4 in Part 1 shall be deemed completed by selecting “neither party”.
- Swiss SCCs. In relation to personal data that is protected by the Swiss DPA, the EU SCCs shall apply as set out in Section 3.a of this Addendum amended as follows: (i) references to ‘Regulation (EU) 2016/679’ in the EU SCCs shall be deemed to refer to the Swiss DPA; (ii) references to specific articles of ‘Regulation (EU) 2016/679’ shall be deemed replaced with the equivalent article or section of the Swiss DPA; (iii) references to ‘EU’, ‘Union’ and ‘Member State’ shall be deemed replaced with ‘Switzerland’; (iv) references to the ‘competent supervisory authority’ shall be replaced with the ‘Swiss Federal Data Protection Information Commissioner’; and (v) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland.
- Other jurisdictions. In relation to personal data that is protected by another Applicable Data Law, the Parties agree that such SCCs shall automatically apply to the transfer of personal data from Company to TrustedStack and, where applicable, shall be deemed completed on a mutatis mutandis basis to the completion of the SCCs as described above.
In respect of data subjects whose personal data is processed in the course of providing the Services, Company will be responsible for providing notice in accordance with the LGPD, including but not limited to notice as required under Article 18 of the LGPD. Each Party shall separately be responsible for fulfilling requests they receive from data subjects to exercise their rights under the LGPD.
5. UNITED STATES.
- To the extent either Party collects and shares the personal data of California residents, each Party shall be considered a business or a third party under the CCPA, but in no case a service provider.
- Each Party (i) will only process personal data disclosed to it by the other Party in furtherance of the limited and specified Purpose, unless required by Applicable Data Law; (ii) will comply with all applicable sections of the CCPA and the CCPA implementing regulations (the “CCPA Regulations”), providing the same level of privacy as is required of the other Party; (iii) will grant the other Party the right to ensure that it uses the personal information it receives in a manner consistent with the other Party’s obligations under the CCPA and the CCPA Regulations; (iv) will grant the other Party the right to stop and remediate any unauthorized use of personal information; and (v) will notify the other Party if it makes a determination that it can no longer meet its obligations under the CCPA.
- Each Party (the “Discloser”) may disclose personal data of United States data subjects to a service provider or processor in order to fulfill the Purpose, provided the Discloser (i) prohibits the service provider/processor from selling or sharing such personal data to any third party in violation of Applicable Data Law; (ii) prohibits the service provider/processor from retaining, using, or disclosing such personal data for any reason other than for the Purpose (except as permitted by Applicable Data Law), detecting Security Incidents, and/or protecting against fraudulent or illegal activity; (iii) prohibits the service provider/processor from combining such personal data with other personal data unless permitted by Applicable Data Law; (iv) requires the service provider/processor to honor all legal requests or choices from data subjects; and (v) prohibits the service provider/processor from accessing such personal data unless the disclosing Party can monitor the service provider/processor’s compliance. Without limiting the foregoing, each Party will require that any service provider/processor that may receive such personal data first executes a written contract compatible with Applicable Data Law.
- Each Discloser may disclose personal data of United States data subjects to a third party in order to fulfill the Purpose. If that disclosure includes personal data of consumers, the Discloser must put in place an agreement that (i) identifies the limited purposes for which the third party may use the personal data; (ii) requires the third party to comply with Applicable Data Law; (iii) allows the Discloser to take reasonable steps to ensure the recipient of the personal data uses the personal data in accordance with its obligations; (iv) allows the Discloser to stop and remediate unauthorized use of the personal data by the recipient; and (v) requires the third party to notify the Discloser if it cannot meet its obligations under Applicable Data Law.
- Applicable Law and Jurisdiction. This Addendum is and remains governed by and shall be construed in accordance with the law designated as applicable in the Agreement, except to the extent required otherwise under the SCCs.
- Conflicts. In the event of any inconsistency between the Agreement, this Addendum and/or any SCCs with respect to the subject matter of this Addendum, the order of precedence of the governing terms and conditions is: first, the SCCs for the relevant subject matter and/or jurisdiction; second, this Addendum; and third, the Agreement.
- Entire agreement. This Addendum is the Parties’ entire agreement as it relates to the Parties’ obligations under Applicable Data Law and supersedes all related prior and contemporaneous oral understandings, representations, prior discussions, letters of intent, or agreements (executed or otherwise).
- No further amendment. Except as modified by this Addendum, the Agreement remains unmodified and in full force and effect.
A. LIST OF PARTIES
Exporter Name, Address, Contact Person’s Name and Contact Details: Company, as set out in the Agreement
Activities relevant to the personal data transferred under the Clauses: Facilitate the sale of space to display Ads on any Site; Place Ads on any Site; Measure and optimize the performance of the Parties’ digital marketing activities; As otherwise described in the Agreement or agreed to in writing by the Parties.
Role (controller/processor): Independent Data Controller
Importer Name, Address, Contact Person’s Name and Contact Details: TrustedStack, as set out in the Agreement
Activities relevant to the personal data transferred under the Clauses: Facilitate the sale of space to display Ads on any Site; Place Ads on any Site; Measure and optimize the performance of the Parties’ digital marketing activities; Assess whether to submit bids for Inventory made available by data exporter; As otherwise described in the Agreement or agreed to in writing by the Parties.
Role (controller/processor): Independent Data Controller
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: End users of Sites.
Categories of personal data transferred: Online identifiers provided by devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. Other data: exporter’s general marketing and transactional communications and personal data use may span broad categories of any data relevant to data exporter’s relationship with the data subject, and may vary from time to time.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Daily.
Nature of the processing: For the data importer to provide the Services and the processing of personal data of end users of Sites.
Purpose(s) of the data transfer and further processing: For the data importer to provide the Services, including but not limited to the following: Facilitate the sale of space to display Ads on any Site; Place Ads on any Site; Measure and optimize the performance of the Parties’ digital marketing activities.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The greater of the Term or twelve (12) months.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Not applicable to the extent each party is an Independent Data Controller. Notwithstanding the foregoing, each Party shall, for all personal data exchanged as part of this Agreement, independently enter into an agreement with its respective processors specifying the subject matter, nature and duration of the processing. In the event of the use of processors and/or sub-processors, each Party shall be responsible for complying with the requirements of Article 28 of the EU GDPR. Accordingly, each Party shall, inter alia: use only processors that can provide the necessary guarantees that they implement appropriate technical and organizational measures in such a way as to ensure that processing complies with the requirements of the EU GDPR and safeguards the rights of the data subject; ensure that a valid data processing arrangement is in place between the relevant Party and the processor; and ensure that there is a valid sub-processor arrangement between the processor and any sub-processor.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: The Data Protection Commission of Ireland.
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Each Party shall be responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that processing is in compliance with the EU GDPR; taking into account the nature, scope, context and purposes of the processing involved, as well as the risks of varying degrees of likelihood and severity for the rights and freedoms of natural persons. The measures shall be reviewed and updated as necessary (Article 24 of the EU GDPR) but shall include but not be limited to the following:
- Measures of pseudonymisation and encryption of personal data: Pseudonymization of personal data of data subjects where possible. Application of security controls, e.g., data siloing, restricting and monitoring access, designating confidential status, employing best-practice technologies.
- Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Development and implementation of technologies and systems that accord with industry standards. Evaluation and monitoring of security of each important third-party partner during initiation of and periodically over the life of its relationship with TrustedStack.
- Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Development and implementation of response plans for incidents of concern, which permit investigation, mitigation and notification. Such plans are organized according to security risk and include internal and external messaging protocols.
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: Performance of periodic reviews by privacy, security and engineering teams to ensure all measures align with best industry practices.
- Measures for user identification and authorization: Development and implementation of procedures to authenticate and respond to DSARs and to limit systems access to authorized individuals.
- Measures for the protection of data during storage: Rejection of all sensitive data and/or special categories of personal data potentially sourced by Company; pseudonymization and minimization of personal data of data subjects where possible; storage of data only so long as needed and in accordance with agreed-upon timeframes.
- Measures for ensuring physical security of locations at which personal data are processed: Restriction of access to storage facilities on need-to-know basis; implementation of access and security controls in accordance with industry standards; training of all relevant personnel regarding security and protection of data.
- Measures for ensuring system configuration, including default configuration: Implementation of configuration management tools where appropriate.
- Measures for internal IT and IT security governance and management: Appointment of persons responsible for maintaining security management and data protection.
- Measures for certification/assurance of processes and products: Implementation of relevant controls and processes.
- Measures for ensuring data minimisation: Rejection of all sensitive data and/or special categories of personal data potentially sourced by Company; pseudonymization and minimization of personal data of data subjects where possible; storage of data only so long as needed and in accordance with agreed-upon timeframes; limitation to data necessary to perform the Services.
- Measures for ensuring limited data retention: Implementation and periodic review of data retention and destruction policies and procedures.
- Measures for ensuring accountability: Implementation and periodic review of data mapping and data protection policies and procedures.
- Measures for allowing data portability and ensuring erasure: Development and implementation of procedures to authenticate and respond to DSARs.