Data Protection Addendum

Section 1 - Purpose

This Data Protection Addendum (“Addendum”) is entered into between Company and Dispel, LLC or Dispel Global, Inc as specified on your Order Form (“Dispel”) (each a “Party” and collectively, the “Parties”). This Addendum supplements and forms part of any existing, current, or future agreement between the Parties (any such agreement being individually or together referred to as the “Agreement”). This Addendum will be in effect as of the effective date of the Agreement (“Effective Date”); provided, however, the relevant obligations apply only to the extent that (i) Personal Data is subject to the Applicable Data Privacy Laws; and (ii) an Applicable Data Privacy Law has taken effect.

Section 2 - Relationship with the Agreement

In the event of a conflict between this Addendum and the Agreement, the Addendum will control to the extent necessary to resolve the conflict. In the event the Parties use an International Data Transfer Mechanism and there is a conflict between the obligations in that International Data Transfer Mechanism and this Addendum, the International Data Transfer Mechanism will control.

Section 3 - Definitions

Capitalized terms used but not defined have the meanings given in the Agreement.

  1. Applicable Data Privacy Laws” means all data protection and privacy laws applicable to the Processing of Personal Data under the Agreement, including the California Consumer Privacy Act (“CCPA”); the Colorado Privacy Act, the Connecticut Act of 2022 Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act of 2022, the Virginia Consumer Data Protection Act, and Regulation 2016/679 (General Data Protection Regulation) (“GDPR”), in each case as amended from time to time and including any regulations promulgated thereunder.

  2. Consent” means a Data Subject’s freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

  3. Controller” means the entity that determines the purposes and means of Processing Personal Data. “Controller” includes equivalent terms in other Applicable Data Privacy Laws, such as the CCPA-defined terms “Business” and “Third Party,” as context requires.

  4. Data Breach” means “breach of the security of the system,” “security breach,” “breach of security,” “breach of system security,” and other analogous terms referenced in Applicable Data Privacy Laws.

  5. Data Exporter” means the Party that (1) has a corporate presence or other stable arrangement in a jurisdiction that requires an International Data Transfer Mechanism and (2) transfers Personal Data, or makes Personal Data available to, the Data Importer.

  6. Data Importer” means the Party that (1) is located in a jurisdiction that is not the same as Data Exporter’s jurisdiction and (2) receives Personal Data from the Data Exporter or is able to access Personal Data made available by the Data Exporter.

  7. Data Subject” means an identified or identifiable natural person.

  8. Personal Data” means information that is linked or linkable, directly or indirectly, to an identified or identifiable natural person. “Personal Data” includes equivalent terms in Applicable Data Protection Laws, such as the CCPA-defined term “Personal Information,” as context requires.

  9. Processor” means an entity that Processes Personal Data on behalf of another entity. “Processor” includes equivalent terms in other Applicable Data Privacy Laws, such as the CCPA-defined term “Service Provider,” as context requires.

  10. Sensitive Data” means the following types and categories of data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status; genetic data; biometric data; government identification numbers; payment card information; unencrypted identifier or username in combination with a password or other access code that would allow access to an account; precise geolocation information; and information from a known child.

  11. Standard Contractual Clauses” means the European Union standard contractual clauses for international transfers from the European Economic Area (“EEA”) to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

  12. Subprocessor” means a Processor engaged by a Party who is acting as a Processor.

  13. The following terms have the meanings assigned to them in Applicable Data Privacy Laws: “Business,” “Business Purpose,” “Cross-Context Behavioral Advertising,” “De-identified Data,” “Process” (and its cognates), “Pseudonymous Data,” “Sale” (and its cognates), “Service Provider,” “Share” (and its cognates), and “Third Party.”

Section 4 - Description of the Parties’ Personal Data Processing Activities and Status of the Parties

  1. Schedule 1 describes the purposes of Parties’ Processing, the types or categories of Personal Data involved in the Processing, and the Categories of Data Subjects affected by the Processing.

  2. Schedule 1 lists the Parties’ statuses under Applicable Data Privacy Laws.

Section 5 - International Data Transfer

  1. Some jurisdictions require that an entity transferring Personal Data to a recipient in another jurisdiction take extra measures to ensure that the Personal Data has special protections if the law of the recipient’s jurisdiction does not protect Personal Data in a manner equivalent to the transferring entity’s jurisdiction (an “International Data Transfer Mechanism”). Parties will comply with an International Data Transfer Mechanism, including the Standard Contractual Clauses, that may be required by Applicable Data Privacy Laws.

  2. If the International Data Transfer Mechanism on which Parties rely is invalidated or superseded, Parties will work together in good faith to find a suitable alternative.

  3. With respect to Personal Data of Data Subjects located in the EEA, Switzerland, or the United Kingdom that Data Exporter transfers to Data Importer, or permits Data Importer to access, the Parties acknowledge that Dispel has been certified under the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework.

  4. With respect to Personal Data of Data Subjects located in a jurisdiction that requires an International Data Transfer Mechanism (e.g., the EEA, Switzerland, or the United Kingdom) that Data Exporter transfers to Data Importer, or permits Data Importer to access, the Parties agree that by executing this Addendum they also execute the Standard Contractual Clauses, which will be incorporated by reference and form an integral part of the Agreement. Parties agree that, with respect to the elements of the Standard Contractual Clauses that require Parties’ input, Schedules 1-4 contain information relevant to the Standard Contractual Clauses and their Annexes. Parties agree that, for Personal Data of Data Subjects in the United Kingdom, Switzerland, or another country specified in Schedule 4, they adopt the modifications to the Standard Contractual Clauses listed in Schedule 4 to adapt the Standard Contractual Clauses to local law, as applicable.

Section 6 - General Data Privacy Obligations

  1. Compliance. The parties will comply with their respective obligations under Applicable Data Protection Laws, including by providing the level of privacy protection that is required of Businesses under theCCPA.

  2. Upon request, Dispel will provide reasonably relevant information to Company to enable Company to fulfill its obligations (if any) to conduct data protection assessments or prior consultations with data protection authorities.

  3. Notification. Dispel will notify Company if it determines that it can no longer meet its obligations under Applicable Data Privacy Laws.

Section 7 - Dispel’s Obligations as a Processor or Service Provider

  1. Dispel will have the obligations set forth in this Section 7 if it Processes the Personal Data of Data Subjects in its capacity as Company’s Processor or Service Provider.

  2. Scope of Processing

    1. Dispel will Process Personal Data solely for the Business Purposes specified in Schedule 1, to carry out its obligations under the Agreement, and to carry out Company’s documented instructions.

    2. Processing any Personal Data outside the scope of the Agreement and this Addendum will require prior written agreement between Dispel and Company.

    3. Dispel is prohibited from retaining, using, or disclosing the Personal Data (1) for any purpose other than the Business Purposes specified in Schedule 1, including retaining, using, or disclosing the Personal Data for a commercial purpose other than carrying out Company’s instructions, (2) outside of the Parties’ direct business relationship, unless permitted by Applicable Data Privacy Laws, or (3) by combining Personal Data that Dispel receives from, or on behalf of, Company with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject, provided that Dispel may combine Personal Data to perform any Business Purposes permitted by Applicable Data Privacy Law.

    4. Dispel will not Sell or Share the Personal Data that it collects or obtains pursuant to the Agreement.

  3. Confidentiality. Dispel will ensure that each person who Processes Personal Data is subject to a duty of confidentiality with respect to such Personal Data.

  4. Compliance.

    1. Dispel will assist Company in complying with Data Subjects’ requests to delete and correct Personal Data under Applicable Data Protection Law when Company forwards such requests that it receives to Dispel and will make available to Company any Personal Data in its possession that Company needs to respond to Data Subjects’ requests to access their Personal Data.

    2. Dispel will make available to Company, upon the Company’s reasonable request, all information in its possession necessary to demonstrate Dispel’s compliance with its obligations under Applicable Data Privacy Laws.

  5. Permitted Activities. Notwithstanding the foregoing prohibitions, Parties agree that Dispel may, and Company instructs Dispel to, Process Personal Data for the following activities when necessary to support the Business Purposes specified in Schedule 1; detect data security incidents; protect against fraudulent or illegal activity; effectuate repairs; and maintain and improve the quality of the services provided for the Business Purposes specified in Schedule 1.

  6. Subprocessors.

    1. If Dispel discloses Personal Data to a Subprocessor for a Business Purpose, Dispel and Subprocessor will enter into a written contract that prohibits the Subprocessor from (i) Selling or Sharing Personal Data; or (ii) retaining, using, or disclosing Personal Data for any purpose other than for the specific Business Purpose for which the Personal Data was disclosed.

    2. Dispel will require any Subprocessor to comply with applicable obligations under Applicable Data Privacy Laws, including providing the same level of privacy protection required of Businesses by the CCPA.

    3. Company grants Supplier general authorization to engage Subprocessors if Dispel and those Subprocessors enter into an agreement that requires the subprocessor to meet obligations that are no less protective than this DPA. The Subprocessors currently engaged by Dispel are listed in Schedule 2.

    4. Dispel will notify Company of any additions to or replacements of its Subprocessors and make that list available on Company’s request. Dispel will provide Company with 30 days to object to the addition or replacement of Subprocessors in connection with Dispel’s performance under the Agreement, calculated from the date Dispel provides notice to Company. If Company reasonably objects to the addition or replacement of Dispel’s Subprocessor, the parties will enter into good faith negotiations to resolve the matter. If the parties are unable to resolve the matter within 15 days of Company’s reasonable objection (which deadline the parties may extend by written agreement), Company may terminate any statement of work or purchase order that require the continued use of the Subprocessor subject to objection.

    5. Dispel will be liable for the acts or omissions of its Subprocessors to the same extent as Supplier would be liable if performing the services of the Subprocessor directly under the DPA.

  7. Duration of Processing, Deletion and Return of Personal Data. Dispel shall retain Personal Data for a period coterminous with the term of the Agreement. At the expiration or termination of the Agreement, or upon request by Company, Dispel will, without undue delay: (1) upon request return all Personal Data to Company; or (2) upon request by Company, destroy all Personal Data, in each case unless applicable laws expressly require otherwise or the Parties agree otherwise expressly in writing. After deleting or returning Personal Data to Company, copies of such data may remain in Dispel data backups for limited periods of time until the backups are overwritten. For any Personal Data that Dispel retains after expiration or termination of the Agreement, Dispel will continue to comply with this Addendum.

  8. Assessment and Remediation.

    1. Company may take reasonable and appropriate steps, as provided in Applicable Data Privacy Laws, to ensure Dispel Processes the Personal Data in a manner consistent with Company’s obligations under Applicable Data Privacy Laws, including by conducting reasonable assessments or audits, as provided by Applicable Data Privacy Laws. If Company and Dispel agree to an audit or assessment by a qualified and independent third party, Dispel agrees to provide a report of such audit or assessment to Company upon request.

    2. If Company discovers unauthorized use of Personal Data by Dispel or Dispel’s Subprocessors, Company may, upon notice, take reasonable and appropriate steps to remediate such unauthorized use.

Section 8 - Security

  1. Dispel will implement appropriate technical and organizational measures to protect Personal Data from a Data Breach and to preserve the security and confidentiality of Personal Data.

  2. Upon becoming aware of a Data Breach, Dispel will:

    1. Notify Company without delay of the Data Breach, but in any case, no later than 72 hours after becoming aware of, or reasonably suspecting, the Data Breach;

    2. Promptly investigate or perform required assistance in the investigation of the Data Breach and provide Company with detailed information about the Data Breach, including a description of the Data Breach, the approximate number of Data Subjects affected, the Data Breach’s current and foreseeable impact, and the measures Dispel is taking to address the Data Breach and mitigate its effects; and

    3. Promptly take all commercially reasonable steps to mitigate the effects of the Data Breach or assist Company in doing so.

  3. Dispel will comply with this Section 8 at Dispel’s cost, unless the Data Breach arose from Company’s negligent or willful acts.

  4. Dispel must obtain Company’s written approval before notifying any governmental entity, individual, the press, or other third party of a Data Breach that affected or reasonably could affect Personal Data that Dispel obtained from, or Processed on behalf of, Company. Notwithstanding anything to the contrary in this Addendum, Dispel may notify a third party about a Data Breach affecting Personal Data if it is under a legal obligation to do so, provided that Dispel must: (1) make every effort to give Company prior notification, as soon as possible, if it intends to disclose the Data Breach to a third party; and (2) if it is not possible to give Company such prior notification, notify Company immediately once it becomes possible to give notification. For any disclosure of a Data Breach to a third party, Dispel will, as part of its notification to Company, disclose the identity of the third party and a copy of the notification (if the notification to the third party has not been sent, Dispel will provide the draft to Company and permit Company to offer edits or updates).

Section 9 - Miscellaneous

  1. Entire agreement. This Addendum is the Parties’ entire agreement on this subject and merges and supersedes all related prior and contemporaneous oral understandings, representations, prior discussions, letters of intent, or preliminary agreements.

  2. No further amendment. Except as modified by this Addendum, the Agreement remains unmodified and in full force and effect.


Schedule 1 - Description of Processing

Processing ActivityStatus of the PartiesCategories of Sensitive Data ProcessedCategories of Sensitive Data ProcessedStatus of the Parties as Data Exporter or Importer

Company discloses Personal Data to Dispel in connection with the Business Purpose(s) listed below.

Company is a Controller.

Dispel is a Processor/Service Provider.

Name and email address of end users Company registers with Dispel.

IP addresses of end users Company registers with Dispel.

None

Company is the Data Exporter.

Dispel is the Data Importer.

Module 2

Business Purposes

____ Processing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

X Processing related to ensuring security and integrity, to the extent that the information is reasonably necessary for these purposes.

X Debugging to identify and repair errors that impair existing intended functionality.

____ Short-term, transient use, including but not limited to non-personalized (i.e., contextual) advertising shown as part of a Data Subject’s current interaction with the Business, in the course of which the Data Subject’s Personal Data is not disclosed to a Third Party and is not used to build a profile about the Data Subject or otherwise alter the consumer’s experience outside of the current interaction.

X Performing services on behalf of the Business, such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the Business.

____ Providing advertising and marketing services, not including Cross-Context Behavioral Advertising, to the Data Subject, in the course of which the Service Provider shall not combine the Personal Data of Data Subjects who have opted out of Sales or Sharing of Personal Data that the Service Provider received from or on behalf of the Business with Personal Data that the Service Provider receives from or on behalf of any other person or collects from its own interaction with Data Subjects.

X Undertaking internal research for technological development and demonstration.

X Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured for, or controlled by the Business, and to improve, upgrade, or enhance such a service or device.


Schedule 2 - Dispel Subprocessors

Dispel uses the Subprocessors listed here:

Sub Processor List

Last updated

Logo

© 2015 - 2024 Dispel, LLC & Dispel Global, Inc | Dispel and logos are Reg. U.S. Pat. & Tm. Off