Data Processing Agreement

Last Updated: May 30, 2024

This Data Processing Agreement (“DPA”) is entered by and between Overwolf Ltd. and its Affiliates (“Company” or “Vendor”) and the Developer signed the Overwolf Developer Terms and Conditions executed between the parties (“Developer” and “Agreement”), and is entered into force on the date on which the Developer accepted the Agreement (“Effective Date”).

Capitalized terms used herein but not defined herein shall have the meanings ascribed to them in the Agreement (each of Vendor and Developer, a “party” and together the “parties”).

WHEREAS, Vendor is the developer, owner, and operator of the platform/s, APIs, SDKs, tools, plugins, codes, technology, content, and other services that are provided to third party Developers (as such terms may be defined in the Agreement and for the purpose of this DPA shall be referred to as the “Services”);

WHEREAS, during the use of the Services by the Developer, the parties will process and share Personal Data (as such terms are defined below) subject to the terms and conditions of this DPA; and

WHEREAS, the parties desire to supplement this DPA to achieve compliance with the UK, EU, Swiss, United States, and other data protection laws and agree on the following:

DEFINITIONS
1. “Adequate Country” is a country that has an adequacy decision from the European Commission.
2. “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 - 1798.199) of 2018, including as modified by the California Privacy Rights Act (“CPRA”) as well as all regulations promulgated thereunder from time to time.
3. “CPA” means the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq. (SB 21-190), including any implementing regulations and amendments.
4. “CTDPA” means the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022), including any implementing regulations and amendments thereto.
5. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law, CPA, VCDPA and CTDPA. The terms “Business”, “Business Purpose”, “Consumer”, “Cross Context Behavioral Advertising” (also known as "CCBA"), “Contractor”, “First-Party Business”, “Service Provider”, “De-identified Data” or “Deidentified Data”, “Share”, “Sale”, “Sell”, “Third-Party Business” and “Targeted Advertising”, shall have the same meanings as ascribed to them in the US Data Protection Laws. “Data Subject” shall also mean and refer to a “Consumer”. “Personal Data” shall also mean and refer to “Personal Information”.
6. “Consent” means an End User informed and freely given consent, that meets the requirements stipulated under Article 7 of the GDPR or the IAB Policies.
7. “Data Protection Law” means applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection Laws, Israeli Law, US Data Protection Laws, and the Brazilian General Data Protection Law (“LGPD”) as may be amended or superseded from time to time.
8. “EEA” means the European Economic Area.
9. “End User” means an individual using, visiting or browsing the Application (as such term defined in the Agreement), or any other digital property operated by the Developer.
10. “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any laws relating to data protection, the Processing of Personal Data, privacy or electronic communications in force from time to time in the United Kingdom, including the UK General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018, UK Data Protection and Digital Information Bill (collectively, “UK Data Protection Laws”), (v) the Swiss Federal Act on Data Protection (“Swiss FDPA”); (vi) any national data protection laws made under, pursuant to, replacing or succeeding (i) – (iii); and (vii) any legislation replacing or updating any of the foregoing.
11. “IAB Framework” means the IAB Tech Labs’ technical specification for the GDPR transparency & consent framework (“TCF”) and the Global Privacy Platform (“GPP”).
12. “IAB Policies” means the (i) IAB Europe TCF available at: 230509-TCF-Policies-TransparencyConsentFramework_Policies_version_TCF-v2.2.pdf; (ii) IAB Global Privacy platform including the Multi State Privacy Framework (“MSPA”) available at: IAB First Amended and Restated Multi-State Privacy Agreement (MSPA).pdf
13. “ID” means (i) a unique identifier stored on an End-User’s device; (ii) a unique identifier generated for a specific End User; (iii) an online identifier associated with a particular device; or (iii) a cookie ID, agent ID, IP address, URL or RTB tag, or any online identifier identifying an End User or a specific device.
14. “Israeli Law” means Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017, and other related privacy regulations.
15. “Privacy Signals” means the End Users’ preference signals, indicating the End Users’ preference for Processing Personal Data, such as: requesting to opt-out from selling or sharing Personal Data, opt-out from Processing Personal Data for Targeted Advertising, including without limitations flags or signals sent through a cookie banner, cookie manager, consent management platform or other technology (“CMP”) such as IAB Global Privacy Platform (“GPP”) or otherwise the CCPA “Do Not Sell Or Share My Personal Information” signals, Google restricted data Processing (“RDP”) signals, Global Consent Platform (“GCP”) signals, and any other opt-out from interest-based advertising signals such as the Digital Advertising Alliance (DAA) and the Network Advertising Initiative (NAI), as applicable.
16. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other party’s Personal Data will comprise a Security Incident.
17. “Standard Contractual Clauses” or “SSC” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021 which is attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.
18. “Swiss Data Protection Laws” or “FADP” shall mean the Swiss Federal Act on Data Protection of June 19, 1992, SR 235.1, and any other applicable data protection or privacy laws of the Swiss Confederation as amended, revised, consolidated, re-enacted or replaced from time to time, and to the extent applicable to the Processing of Personal Data under the Agreement.
19. “Swiss SCC” shall mean the applicable standard data protection clauses issued, approved, or recognized by the Swiss Federal Data Protection and Information Commissioner.
20. “UK SCC” means the UK's International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers, available at: international-data-transfer-addendum.pdf, as adopted, amended or updated by the UK's Information Commissioner's Office, Parliament or Secretary of State.
1.1 “UCPA” means the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.
1.2 "US Data Protection Laws" means any U.S. federal and state privacy laws effective and apply to the Processing of Personal Data, and any implementing regulations and amendment thereto, including without limitation, the CCPA, the CPA, the CTDPA, the VCDPA, and the UCPA.
1.3 “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392), including any implementing regulations and amendments thereto.
Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Law. A reference to any term or section of US Data Protection Laws, UK Data Protection Laws, or GDPR means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR and/or UK GDPR depending on the applicable Law.
RELATIONSHIP OF THE PARTIES
1. Pursuant to this DPA and in the course of the engagement set for the therein, Company and Developer will Process the Personal Data described in Annex I.
2. The Parties acknowledge that for the Processing the Personal Data by the Company for (i) the Restricted Purpose in the course of providing services to Developer as specified under the US Privacy Law Addendum (detailed in ANNEX VIII); (ii) providing CMP services for the Developer; the Company shall be considered as a Processor / Service Provider, as applicable.
3. Except as otherwise agreed in by the Parties under Section 2.2 above, each party is an independent Controller with respect to Personal Data Processed under the Agreement. Each party shall be individually and separately responsible for complying, and shall be able to demonstrate compliance, with applicable Data Protection Laws in connection with the Processing of Personal Data. The purpose, subject matter, and duration of the Processing, the type of Personal Data, and categories of Data Subjects are described in ANNEX I attached hereto.
REPRESENTATIONS AND WARRANTIES
1. Each party shall notify the other party, in writing without undue delay (unless prohibited by law) upon becoming aware of:
  1. A security incident that may affect the other party or the Processing of Personal Data provided to or made available by the other party (“Security Incident Notice”). A Security Incident Notice shall include, to the extent available: (i) a description of the nature of the Security Incident, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) a description of the likely consequences of the company that has been exposed; and (iii) a description of the measures taken or proposed to be taken to address the company that has been exposed, including, where appropriate, measures to mitigate its possible adverse effects; and
  2. A Data Subject request, Consumer user right request (“DSR Notice”) or otherwise and regulatory, authority or a complaint, investigation, inquiry, warrant, subpoena, or proceedings from or brought by any public, governmental, or judicial agency or authority that relates to the Personal Data Processed under this Agreement (“SAR Notice”).
  3. In the event of a Security Incident Notice, a DSR or SAR Notice, the parties undertake to cooperate in good faith to ensure compliance with applicable laws.
2. Each party shall implement and maintain an information security program with appropriate technical and organizational measures. This program is to ensure a level of security that will be appropriate to the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing, which includes at a minimum (i) the security measures set forth in ANNEX II; and (ii) where required by Data Protection Laws, the appointment of a Data Protection Officer to oversee the privacy program.
3. Each party shall provide reasonable cooperation and assistance to the other party in ensuring compliance with its obligation to carry out data protection impact assessments.
4. Each party shall ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to Personal Data; (ii) that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5. In addition, and if applicable based on the applicable jurisdiction, each party shall Process the Personal Data solely as provided through the Privacy Signals, including the IAB Policies and the IAB Framework, and similar industry frameworks or guidelines applicable to the Agreement.
6. Where the Company process the Personal Data as a Processor for the purpose of providing the CMP services in addition to the requirements and obligation section 3 of this DPA and Company shall comply with the following:
  1. Upon Developer’s reasonable request, Company shall provide Developer with commercially reasonable cooperation and assistance needed to fulfill Developer’s obligation under the GDPR to carry out a data protection impact assessment related to Developer’s use of the services, to the extent Developer does not otherwise have access to the relevant information, and to the extent such information is available to Company. Company shall provide commercially reasonable assistance to the Developer in the cooperation or prior consultation with the Supervisory Authority to the extent required under the GDPR or other applicable data protection laws.
  2. Following the termination of this DPA, Company shall, at the choice of the Developer, delete all Personal Data processed on behalf of the Developer and certify to the Developer that it has done so, or otherwise, return all Personal Data to the Developer and delete existing copies unless applicable law or regulatory requirements requires that Overwolf continue to store the Personal Data. Until the Personal Data is deleted or returned, Company shall continue to ensure compliance with this DPA.
  3. The Developer acknowledges that Company may transfer Developer Data to and otherwise interact with third party data processors (“Sub-Processor”). The Developer hereby, authorizes Company to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub Processor on its behalf. Company may replace its existing Sub-Processors or add additional Sub-Processors provided it notifies the Developer before authorizing such Sub-Processor(s) to Process Personal Data in connection with the provision of the Services (email will suffice). Developer may reasonably object to the use of a new Sub-Processor by notifying Company promptly in writing within 10 days after receipt of Company’s notice. Developer shall explain its reasonable grounds for objection. In the event Developer objects to a new Sub-processor, Company will use commercially reasonable efforts to make available to Developer a change in the Services or recommend a commercially reasonable change to Developer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Developer. If Company is unable to make available such change within a reasonable period of time, either party may terminate without penalty with respect only to those Services which cannot be provided by Company without the use of the objected-to new Sub-processor by providing written notice to the other party. Where Company engages a Sub-Processor, it shall impose on the Sub-Processor data protection obligations no less onerous than those set out in this DPA, through a legally binding contract between Company and the Sub-Processor (“Contract”). Company shall ensure that the Contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Law. 5.3. Company shall remain fully responsible to the Developer for the performance of the Sub-Processor’s obligations in accordance with the DPA. Company shall notify the Developer of any known failure by the Sub-Processor to fulfill its contractual obligations.
DATA TRANSFER
1. Any transfer of Personal Data Processed in connection with the Agreement outside of the jurisdiction from which it was collected shall be transferred subject to and in compliance with an approved transfer mechanism.
2. Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland), and the United Kingdom (collectively, “EEA”) to Adequate Country, without any further safeguard being necessary.
3. If the transfers of Personal Data include transfers from the EEA to countries that are not Adequate Country, then parties agree to rely on the Standard Contractual Clauses to facilitate such transfer:
  1. Transfer of Personal Data from the EEA The terms set forth in ANNEX III shall apply.
  2. Transfer of Personal Data from the UK, the terms set forth in ANNEX IV shall apply; and
  3. Transfer of Personal Data from Switzerland, the terms set forth in ANNEX V shall apply.
CONFLICT
1. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event that the Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA solely with regards to international transfer of Personal Data. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
TERM AND TERMINATION
1. This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates.

ANNEX I: DETAILS OF PROCESSING

This Annex I include certain details of the Processing of the Developer Data as required by Article 28(3) GDPR.

Categories of Data Subjects:

Developer’s End Users / Data Subjects that viewed ads or content which are placed on the Developer’s Application or the Company Platform/s (as such term defined in the Agreement) or any ads displayed through the Company Services to the Developer.

Categories of Personal Data:

Independent Controllers: IDs, Privacy String, tracking data, usage data, approximate location data, referred URL, aggregated insights such as ads viewed, impression data, optimization data, ad delivery data, ad effectiveness data, ad viewability data.

Controller – Processor: IDs, Privacy String.

Purpose of processing:

Independent Controllers: To display ad campaigns within the Customer properties; Analytics and attribution of such advertising campaigns; Frequency capping, audience verification, system maintenance, fraud detection, tracking and measurement of such advertising campaigns;

Controller – Processor: providing consent management platform (CMP) services.

Special Categories of Personal Data:

Not Applicable

Process Frequency:

The Personal Data is transferred on a continuous basis.

Nature of the processing:

Collection, storage, organization, analysis, modification, retrieval, disclosure, communication, and other uses in the performance of the Services as set out in the Agreement

Retention Period:

For as long as needed to provide the Services.

ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES

Each party shall implement and maintain current and appropriate technical and organizational measures to protect Personal Data against accidental, unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, disclosure or access, as set forth below:

Conduct security testing or penetration testing, remediate any identified high vulnerabilities, provide written remediation plans for medium and low vulnerabilities;
Maintain a level of security appropriate to protect against any unauthorized or unlawful Processing or accidental loss, destruction, damage, denial of service, alteration or disclosure, and appropriate to the nature of Personal Data;
Oblige its employees, agents, or other persons to whom it provides access to Personal Data to keep it confidential; take reasonable steps to ensure the integrity of any employees who have access to Personal Data; provide annual training to staff and subcontractors on the security requirements contained herein;
Adhere password policies for standard and privileged accounts consistent with industry best practices;
Ensure that only those personnel who need to have access to Personal Data are granted access, such access is limited to the least amount required, and only granted for the purposes of performing the Services and the obligations under this DPA;
Maintain a physical security program that is consistent with the corresponding industry practices;
Ensure that any storage media (whether magnetic, optical, non-volatile solid state, paper, or otherwise capable of retaining information) that captures Personal Data, if applicable, is securely erased or destroyed before repurposing or disposal;
Measures and assurances regarding US government surveillance (“Additional Safeguards”) see Annex III.

ANNEX III: EU INTERNATIONAL TRANSFERS AND SCC

The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Personal Data from the EEA to other countries that are not deemed as Adequate Countries.
Module One (Controller to Controller) of the Standard Contractual Clauses shall apply where the transfer is effectuated by the Developer as the Data Controller of the Personal Data and Vendor as the Data Controller of the Personal Data.
The parties agree that for the purpose of transfer of Personal Data between the Developer (as Data Exporter) and the Vendor (as Data Importer), the following shall apply:
1. a. Clause 7 of the Standard Contractual Clauses shall not be applicable.
2. b. In Clause 9, shall not be applicable.
3. c. In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
4. d. In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Developer is established (where applicable).
5. e. In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction.
Annex I.A of the Standard Contractual Clauses shall be completed as follows:
1. 1.a.1 “Data Exporter”: Developer
2. 1.a.2 “Data Importer”: Vendor
3. 1.a.3 Roles: (A) With respect to Module One: (i) Data Exporter is a Data Controller and (ii) the Data Importer is a Data Controller.
4. 1.a.4 Data Exporter Contact Details: As detailed in the Agreement;
5. 1.a.5 Signature and Date: By entering into the Agreement and DPA, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Annex I.B of the Standard Contractual Clauses shall be completed as follows:
1. a. The purpose of the processing, nature of the processing, categories of data subjects, categories of personal data and the parties’ intention with respect to the transfer of special categories are as described in ANNEX I (Details of Processing) of this DPA.
2. b. he frequency of the transfer and the retention period of the personal data is as described in ANNEX I (Details of Processing) of this DPA.
Annex I.C of the Standard Contractual Clauses shall be completed as follows: the competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 3 above.
Annex II of this DPA (Technical and Organizational Measures) serves as ANNEX II of the Standard Contractual Clauses.
Transfers to the US: Measures and assurances regarding US government surveillance (“Additional Safeguards”) are further detailed below:
1. a. Maintain industry standard measures to protect the Personal Data from interception (including in transit from Developer to Vendor and between different systems and services). This includes maintaining encryption of Personal Data in transit and at rest.
2. b. Make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the UK GDPR, including (if applicable) under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”).
3. c. If either party becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempt or demand to gain access to or a copy of the Personal Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, each party shall: inform the other party, in writing without undue delay, of such Authority demand for access to the Personal Data; and provide reasonable cooperation and assistance to the other party by using reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the it’s control.
4. d. Each party shall inform the other party, upon written request (and not more than once a year), of the types of binding legal demands for Personal Data each party has received and complied with, including demands under national security orders and directives, specifically including any process under Section 702 of FISA.

ANNEX IV: UK INTERNATIONAL TRANSFERS AND SCC

The parties agree that the terms of the Standard Contractual Clauses as amended by the UK Standard Contractual Clauses, and as amended in this ANNEX IV, are hereby incorporated by reference and shall apply to transfer of Personal Data from the UK to other countries that are not deemed as Adequate Countries.
This ANNEX V is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country in reliance on Article 46 of the UK GDPR and with respect to data transfers from Controllers to Controllers.
Terms used in this ANNEX V that are defined in the Standard Contractual Clauses, shall have the same meaning as in the Standard Contractual Clauses.
This ANNEX V shall (i) be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that if fulfills the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
Amendments to the UK Standard Contractual Clauses:
1. Part 1: Tables
2. Table 1 Parties: shall be completed as set forth ANNEX III above.
3. Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in ANNEX III above.
4. Table 3 Appendix Information:
  Annex 1A: List of Parties: shall be completed as set forth in ANNEX III above. Annex 1B: Description of Transfer: shall be completed as set forth in ANNEX I above. Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: shall be completed as set forth in ANNEX II above.
5. Table 4 Ending this Addendum when the Approved Addendum Changes: shall be completed as “neither party”.

ANNEX V: SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY

The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to Swiss Data Protection Law, and specifically the FDPA:

The term ’Member State’ will be interpreted in such a way as to allow Data Subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.
The clauses in the DPA protect the Personal Data of legal entities until the entry into force of the Revised Swiss FDPA.
All references in this DPA to the GDPR should be understood as references to the FDPA insofar as the data transfers are subject to the FDPA.
References to the “competent supervisory authority”, “competent courts” and “governing law” shall be interpreted as Swiss Data Protection Laws and Swiss Information Commissioner, the competent courts in Switzerland, and the laws of Switzerland (for Restricted Transfers from Switzerland).
In respect of data transfers governed by Swiss Data Protection Laws and Regulations, the EU SCCs will also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly to Personal Data under Swiss Data Protection Laws and Regulations until such laws are amended to no longer apply to a legal entity.
The competent supervisory authority is the Swiss Federal Data Protection Information Commissioner.

ANNEX VI: US PRIVACY LAWS ADDENDUM

This US Privacy Law Addendum (“US Addendum”) adds specifications applicable to US Data Protection Laws and is in addition to the obligations set forth in the DPA. All terms used but not defined in this US Addendum shall have the meaning set forth in the DPA.
ROLES:
1. As set forth in the DPA, parties shall act as a separate independent Controllers, except when the Processing is for a Restricted Purpose, in which Vendor may be deemed a Processor.
2. For the purpose of this US Addendum the “Restricted Purposes” means advertising-related processing that qualifies as a Business Purpose, including (i) auditing, security and integrity purposes, debugging, short term, transient uses, and internal research or improvement of the Services; (ii) technical advertising services that are not targeted, cross-contextual or profiling and include frequency capping, measurement, fraud detection and prevention, and ensuring and measuring viewability; and (iii) contextual advertising which includes first-party advertising to the extent such activity does not result in a Sale or Share of Personal Data or constitute processing of Personal Data for Targeted Advertising purposes.
3. The subject matter, duration, nature, and purpose of the Processing, types of Personal Information Processed, and categories of Data Subjects are as described in ANNEX I.
CONTROLLER TO CONTROLLER:
In their roles as independent Controllers, each party shall, when Processing End User Personal Data:
1. Be individually and separately responsible for complying with applicable US Data Protection Laws, and to the extent applicable to the IAB Policies.
2. Provide End Users with clear and conspicuous disclosures and notices on how the Personal Information is Processed, the purpose of Processing, the categories of Personal Information shared and the categories of the recipients, as well as the End Users’ rights, including the right to appeal and the ability to opt out of the Sale, Share of Personal Information or from Targeted Advertising, all in compliance with and as required by the US Data Protection Laws.
3. Ensure that it provides an opt-out mechanism and it enables the End User to send a Privacy Signal and transfer the Privacy Signal down the advertising chain. When a Privacy Signal is received, neither party will process such End Users’ Personal Information for Targeted Advertising, or Cross Contextual Advertising purposes.
4. Comply with requirements for processing Deidentified Information, including by not attempting to re-identify it, using reasonable, technical, and organizational measures to prevent re-identifying it, and publicly committing to such actions.
CONTROLLER TO PROCESSOR
In addition to the requirements and obligation set forth under the DPA and applicable Data Protection Laws, and solely for the Restricted Purpose processing, in its role as a Processor, Vendor shall comply with the following:
1. Representation and Undertaking: a party shall process the End User Personal Information only on behalf of and under the instructions of the other party and in accordance with US Data Protection Laws and shall not: (i) Sell or Share the Personal Information; (ii) retain, use or disclose the Personal Information for any purpose other than for a Business Purpose or Restricted Purpose as specified in the Agreement; (iii) combine the End User Personal Information with other Personal Information that it receives from, or on behalf of, another partner, or collects from its own; or (iv) if and to the extent applicable limit the use of its Sensitive Personal Information (“SPI”).
2. Sub-processors or Sub-contractors: The Controller party provides a general authorization to engage sub-processors to the extent the Processor party undertakes it will restrict the onward sub-processor’s access only to what is strictly necessary, and will prohibit the sub-processor from Processing the Personal Information for any other purpose other than for a Business Purpose or Restricted Purpose as specified in the Agreement. The Processor party shall impose contractual obligations as required by US Data Protection Laws on such sub-processors, and shall inform the other party in the event of replacing a sub-processor or engaging a new sub-processor.
3. Audit: A Controller party has the right to ensure the Processor party is in compliance with US Data Protection Laws. For this purpose, the Processor party, upon receiving a reasonable written request from the Controller party, will make available to the Controller party information necessary to demonstrate compliance with this DPA and US Data Protection Laws. To the extent required by applicable US Data Protection Laws, and upon receiving prior written notice, the Processor party will allow audits, including inspections, by the Controller party (or an auditor on its behalf). Any such audit must be tailored to what is reasonably necessary to verify compliance with this DPA, and must occur during normal business hours, and not more than once per calendar year. The results of the audit will be the confidential information of the Processor party. Notwithstanding the above, under US Data Protection Laws and subject to the Developer’s consent, the Processor party may alternately, in response to the Controller party's on-premise audit request to initiate an independent auditing on its own, to verify its compliance with its obligations under US Data Protection Laws and provide the Developer with the results. In any case, the expenses of the audit shall be paid by the Controller party. The Processor party may refuse audit or access to certain information if it determines it may harm other partners or customers, or it may cause a security breach, or it is not related or necessary for the purpose of demonstrating compliance with US Data Protection Laws.
4. Certification: The Processor party certifies that it understands the rules, requirements, and definitions of the CCPA and agrees to refrain from Selling or Sharing Personal Information. The Processor party acknowledges and confirms that it does not receive any monetary goods, payments, or discounts in exchange for processing the Personal Information for a Business Purpose or Restricted Purpose as specified in the Agreement.

ANNEX I: DETAILS OF PROCESSING​

Categories of Data Subjects:​

Categories of Personal Data:​

Purpose of processing:​

Special Categories of Personal Data:​

Process Frequency:​

Nature of the processing:​

Retention Period:​

ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES​

ANNEX III: EU INTERNATIONAL TRANSFERS AND SCC​

ANNEX IV: UK INTERNATIONAL TRANSFERS AND SCC​

ANNEX V: SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY​

ANNEX VI: US PRIVACY LAWS ADDENDUM​