Terms and Conditions

1. Definitions

1.1 The following terms, when used in this Agreement will have the following meanings:
“Affiliate” means an entity that directly or indirectly Controls, is Controlled by, or is under common Control with another entity, so long as such Control exists. For the purposes of this definition, “Control” means beneficial ownership of 50% or more of the voting power or equity in an entity.
“Confidential Information” means any information or data disclosed by either party that is marked or otherwise designated as confidential or proprietary or that should otherwise be reasonably understood to be confidential in light of the nature of the information and the circumstances surrounding disclosure. However, “Confidential Information” will not include any information which (a) is in the public domain through no fault of receiving party; (b) was properly known to receiving party, without restriction, prior to disclosure by the disclosing party; (c) was properly disclosed to receiving party, without restriction, by another person with the legal authority to do so; or (d) is independently developed by the receiving party without use of or reference to the disclosing party’s Confidential Information.
“Documentation” means the printed and digital instructions, on-line help files, technical documentation and user manuals made available by Roqad for the Roqad Data Product.
“Order Form” means an order form, quote or other similar document that sets forth the specific Roqad Data Product or services and their related pricing, and that references this Agreement and is mutually executed by the parties.
“Territory” means the territory as set forth in an applicable Order Form.

2. Roqad Data Product

2.1 Provision of the Roqad Data Product. Subject to the terms and conditions of this Agreement, the applicable Data Protection Agreement (“DPA”), and the specific Order Form referencing this Agreement, Roqad will make the Roqad Data Product available to Customer pursuant to this Agreement, and hereby grants Customer a limited, non-exclusive, non-sublicensable, non-transferable right to access and use the Roqad Data Product for its business purposes solely during the Term and in the Territory. Roqad will provide Customer with reasonable technical support services in accordance with Roqad’s standard practices.

2.2 DPA. The parties will adhere to the DPA attached as Exhibit A.

2.3 Customer Limitations. The rights granted above are subject to the following restrictions (the “License Restrictions”). Customer will not directly or indirectly:

a. reverse engineer, decompile, disassemble, or otherwise create, attempt to create or derive, or permit or assist any third party to create or derive, the source code, matching algorithms, and other formulas, equations, or algorithms underlying the Roqad Data Product;
b. remove notices of any kind, including copyright notices, in or on the Roqad Data Product;
c. use or access the Roqad Data Product to develop a product or service that is competitive with Roqad’s products or the Roqad Data Product, or engage in competitive analysis or benchmarking;
d. transfer, distribute, resell, lease, license, or assign the Roqad Data Product or otherwise offer the Roqad Data Product on a standalone basis;
e. use the Roqad Data Product for any illegal or unauthorized purpose, or otherwise in breach of any laws or regulations;
f. combine the Roqad Data with (i) precise geolocation information or (ii) any information that may be used to personally identify an individual without the individual’s express opt-in consent; or
g. otherwise use the Roqad Data Product outside the scope expressly permitted in these Terms or in the applicable Order Form.

2.4 Customer Responsibilities.
a. Customer acknowledges that Roqad’s provision of the Roqad Data Product is dependent on Customer providing all reasonably required cooperation in a diligent and timely manner.
b. Customer will (i) be responsible for all use of the Roqad Data Product under its account (whether or not authorized), (ii) use commercially reasonable efforts to prevent unauthorized access to or use of the Roqad Data Product and notify Roqad promptly if any unauthorized access or use occurs and (iii) be responsible for obtaining and maintaining any equipment, software and ancillary services needed to connect to, access or otherwise use the Roqad Data Product, including as set forth in the Documentation. Customer will be solely responsible for its failure to maintain such equipment, software and services, and Roqad will have no liability for such failure (including under any service level agreement, if applicable). In addition, Customer will be responsible for ensuring that its systems (e.g., APIs) have sufficient bandwidth to use the Roqad Data Product.
c. Customer will not use the Roqad Data Product to transmit or provide to Roqad any financial or medical information of any nature, or any sensitive personal data (e.g., social security numbers, driver’s license numbers, birth dates, personal bank account numbers, passport or visa numbers and credit card numbers).
d. Customer will disclose to its applicable customers that it engages in cross-device linking. Customer will contractually require its customers that receive or utilize Data to (i) comply with applicable laws and self-regulatory principles, (ii) use precise geolocation information only in accordance with applicable self-regulatory guidelines, including but not limited to the IAB Transparency and Consent Framework (“TCF”) and NAI’s “Guidance for NAI Members: Determining Whether Location is Imprecise”, (iii) not use any information that may be used to personally identify an individual without the individual’s express opt-in consent, (iv) disclose to their end users, as applicable, that they engage in cross-device linking, and (v) pass to Roqad any user consent flags required to maintain consent audit trails in territories that require them. Customer shall be responsible for any failure of its users to comply with such restrictions in connection with the Authorized Offerings.

2.5 Affiliates. Any Affiliate of Customer will have the right to enter into an Order Form executed by such Affiliate and Roqad, and this Agreement will apply to each such Order Form as if such Affiliate were a signatory to this Agreement. With respect to such Order Forms, such Affiliate becomes a party to this Agreement and references to Customer in this Agreement are deemed to be references to such Affiliate. Each Order Form is a separate obligation of the Customer entity that executes such Order Form, and no other Customer entity has any liability or obligation under such Order Form.

3. Fees

3.1 Fees. Customer will pay Roqad the fees set forth in the Order Form. Except as otherwise specified, (a) fees are quoted and payable in United States dollars and (b) payment obligations are non-cancelable and non-pro-ratable for partial months, and fees paid are non-refundable.

3.2 Late Payment. Roqad may suspend access to the Roqad Data Product immediately upon notice if Customer fails to pay any amounts at least five (5) days past the applicable due date.

3.3 Taxes. All amounts payable are exclusive of any sales, use and other taxes or duties, however designated (collectively “Taxes”). Customer will be solely responsible for payment of all Taxes, except for those taxes based on the income of Roqad. Customer will not withhold any taxes from any amounts due to Roqad.

4. Proprietary Rights and Confidentiality

4.1 Proprietary Rights. As between the parties, Roqad exclusively owns all right, title and interest in and to the Roqad Data Product and Roqad’s Confidential Information, and Customer exclusively owns all right, title and interest in and to the Customer Materials and Customer’s Confidential Information.

4.2 Feedback. Customer may from time to time provide Roqad suggestions or comments for enhancements or improvements, new features or functionality or other feedback (“Feedback”) with respect to the Roqad Data Product. Roqad will have full discretion to determine whether or not to proceed with the development of any requested enhancements, new features or functionality. Roqad will have the full, unencumbered right, without any obligation to compensate or reimburse Customer, to use, incorporate and otherwise fully exercise and exploit any such Feedback in connection with its products and services.

4.3 Confidentiality. Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose business, technical or financial information relating to the Disclosing Party’s business (referred to as “Proprietary Information” of the Disclosing Party). Proprietary Information of Roqad includes non-public information regarding features, functionality and performance of the Roqad Data Product. Proprietary Information of Customer includes non-public data provided by Customer to Roqad to enable the provision of the Roqad Data Product. The Receiving Party agrees: (i) to take reasonable precautions to protect such Proprietary Information, and (ii) not to use (except in performance of its obligations under this Agreement or as otherwise permitted in this Agreement) or divulge to any third person any such Proprietary Information. The Disclosing Party agrees that the foregoing shall not apply with respect to any information after two (2) years following the disclosure thereof or any information that the Receiving Party can document (a) is or becomes generally available to the public, or (b) was in its possession or known by it prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party or (e) is required to be disclosed by law.
4.4 Performance Metrics. In the event Customer provides Roqad with access to any data, information, or other materials or technology for purposes of performing the Roqad Data Product (“Customer Materials”), the Customer agrees that Roqad may use the Customer Materials to improve Roqad’s products and service.

5. Term and Termination

5.1 Term. The term of this Agreement will commence on the Effective Date of the initial Order Form and continue for three (3) years. The initial term of each Order Form will begin on the Effective Date of such Order Form and will continue for the Term set forth in the Order Form. Except as otherwise set forth in the Order Form, the term of such Order Form will automatically renew for successive renewal terms equal to one (1) year or as otherwise set forth in such Order Form, unless either party provides the other party with written notice of non-renewal at least thirty (30) days prior to the end of the then-current term.
5.2 Termination. Each party may terminate this Agreement upon written notice to the other party if there are no Order Forms then in effect. Each party may also terminate this Agreement or the applicable Order Form upon written notice in the event (a) the other party commits any material breach of this Agreement or the applicable Order Form and fails to remedy such breach within thirty (30) days after written notice of such breach, (b) subject to applicable law, upon the other party’s liquidation, commencement of dissolution proceedings or assignment of substantially all its assets for the benefit of creditors, or if the other party becomes the subject of a bankruptcy or similar proceeding that is not dismissed within sixty (60) days, or (c) upon a change of control of the other Party.
5.3 Survival. Upon termination of this Agreement all rights and obligations will immediately terminate except that any terms or conditions that by their nature should survive such termination will survive, including the License Restrictions and terms and conditions relating to proprietary rights and confidentiality, disclaimers, indemnification, limitations of liability and termination and the general provisions below.

6. Warranty and Disclaimer

6.1 Roqad. Roqad warrants that it will provide the Roqad Data Product in a professional and workmanlike manner and that the Roqad Data Product will conform in all material respects with the Documentation. For material breach of the foregoing express warranty, Customer’s exclusive remedy shall be the re-performance of the deficient Roqad Data Product or, if Roqad cannot re-perform such deficient Roqad Data Product as warranted, Customer shall be entitled to terminate the applicable Order Form in accordance with Section 5.2 and recover a pro-rata portion of the fees paid to Roqad for such deficient Roqad Data Product. In addition, Roqad warrants that it has all rights necessary to provide any information, data or other materials that it provides under this Agreement, and to permit Customer to use the same as contemplated under this Agreement.

6.2 Customer. Customer warrants that it has all rights necessary to provide the Customer Materials and any information, data or other materials under this Agreement, and to permit Roqad to use the same as contemplated under this Agreement.

6.3 Disclaimer. Customer acknowledges that Roqad’s ability to update the Roqad Data is subject to factors outside of Roqad’s reasonable control, including whether third parties responsible for generating the Roqad Data are updating the Roqad Data or making such updates to the Roqad Data generally available. Roqad cannot ensure that the Roqad Data is complete, accurate or up to date. If Roqad requests that Customer remove any Roqad Data, Customer will remove such Roqad Data from Customer’s systems and cease using such Roqad Data immediately. EXCEPT AS EXPRESSLY SET FORTH IN THE AGREEMENT, EACH PARTY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, TITLE, AND FITNESS FOR A PARTICULAR PURPOSE, AND THE ROQAD DATA IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND.

6.4 BETA PRODUCTS. FROM TIME TO TIME, CUSTOMER MAY HAVE THE OPTION TO PARTICIPATE IN A PROGRAM WITH ROQAD WHERE CUSTOMER GETS TO USE ALPHA OR BETA PRODUCTS, FEATURES OR DOCUMENTATION (COLLECTIVELY, “BETA PRODUCTS”) OFFERED BY ROQAD. THE BETA PRODUCTS ARE NOT GENERALLY AVAILABLE AND ARE PROVIDED “AS IS”. ROQAD DOES NOT PROVIDE ANY INDEMNITIES, SERVICE LEVEL COMMITMENTS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, TITLE, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE, IN RELATION THERETO. CUSTOMER OR ROQAD MAY TERMINATE CUSTOMER’S ACCESS TO THE BETA PRODUCTS AT ANY TIME.

7. Indemnity

7.1 Indemnity by Roqad. Roqad will defend Customer against any claim, demand, suit, or proceeding (“Claim”) made or brought against Customer by a third party alleging that the use of the Roqad Data Product as permitted hereunder infringes or misappropriates a patent, copyright or trade secret, and will indemnify Customer for any damages finally awarded against Customer (or any settlement approved by Roqad) in connection with any such Claim; provided that (a) Customer will promptly notify Roqad of such Claim, (b) Roqad will have the sole and exclusive authority to defend and/or settle any such Claim (provided that Roqad may not settle any Claim without Customer’s prior written consent, which will not be unreasonably withheld, unless it unconditionally releases Customer of all related liability) and (c) Customer reasonably cooperates with Roqad in connection therewith. If the use of the Roqad Data Product by Customer has become, or in Roqad’s opinion is likely to become, the subject of any claim of infringement, Roqad may at its option and expense (i) procure for Customer the right to continue using and receiving the Roqad Data Product as set forth hereunder; (ii) replace or modify the Roqad Data Product to make it non-infringing (with comparable functionality); or (iii) if the options in clauses (i) or (ii) are not reasonably practicable, terminate this Agreement and provide a pro rata refund of any prepaid fees corresponding to the terminated portion of the applicable subscription term. Roqad will have no liability or obligation with respect to any Claim if such Claim is caused in whole or in part by (A) use of the Roqad Data Product by Customer not in accordance with this Agreement; or (B) the combination, operation or use of the Roqad Data Product with Customer Materials, other applications, portions of applications, or other product(s) or services where the Roqad Data Product would not by itself be infringing.
7.2 This Section states Roqad’s sole and exclusive liability and obligation, and Customer’s exclusive remedy, for any claim of any nature related to infringement or misappropriation of intellectual property.
7.3 Indemnification by Customer. Customer will defend Roqad against any Claim made or brought against Roqad by a third party arising from the Customer Materials or a breach of Section 2.3 (License Restrictions), and Customer will indemnify Roqad for any damages finally awarded against Roqad (or any settlement approved by Customer) in connection with any such Claim; provided that (a) Roqad will promptly notify Customer of such Claim, (b) Customer will have the sole and exclusive authority to defend and/or settle any such Claim (provided that Customer may not settle any Claim without Roqad’s prior written consent, which will not be unreasonably withheld, unless it unconditionally releases Roqad of all liability) and (c) Roqad reasonably cooperates with Customer in connection therewith.

8. Limitation of Liability
EXCEPT FOR A PARTY’S INDEMNIFICATION OBLIGATIONS, A BREACH OF CONFIDENTIALITY, OR A BREACH OF THE LICENSE RESTRICTIONS, UNDER NO LEGAL THEORY, WHETHER IN TORT, CONTRACT, OR OTHERWISE, WILL EITHER PARTY BE LIABLE TO THE OTHER UNDER THIS AGREEMENT FOR (A) ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES OF ANY CHARACTER, INCLUDING DAMAGES FOR LOSS OF GOODWILL, LOST PROFITS, LOST SALES OR BUSINESS, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, LOST CONTENT OR DATA, EVEN IF A REPRESENTATIVE OF SUCH PARTY HAS BEEN ADVISED, KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES, OR (B) EXCLUDING CUSTOMER’S PAYMENT OBLIGATIONS, ANY DIRECT DAMAGES, COSTS, OR LIABILITIES IN EXCESS OF THE AMOUNTS PAID BY CUSTOMER UNDER THE APPLICABLE ORDER FORM DURING THE TWELVE (12) MONTHS PRECEDING THE INCIDENT OR CLAIM.

9. Publicity
Customer agrees that Roqad may refer to Customer’s name and trademarks in Roqad’s marketing materials and website; however, Roqad will not use Customer’s name or trademarks in any other publicity (e.g., press releases, customer references and case studies) without Customer’s prior written consent (which may be by email).

10. Audit
During the Term and for two (2) years thereafter, Customer shall maintain complete and adequate records regarding Customer’s compliance with this Agreement. Upon seven (7) days’ notice, Roqad and its agents may inspect and audit Customer’s books and records to confirm Customer’s compliance with its obligations under this Agreement. Any inspection will be conducted during normal business hours and will be at the expense of Roqad, except that if the results of such inspection reveal non-compliance with this Agreement, then such examination costs shall be paid by Customer.

11. Miscellaneous
If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable. This Agreement is not assignable, transferable or sublicensable by either Party without the other Party’s prior written consent, which will not be unreasonably withheld, except that either Party may transfer and assign any of its rights and obligations under this Agreement in a sale of all or substantially all its assets related to this Agreement. This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement, and all waivers and modifications must be in a writing signed by both parties, except as otherwise provided in this Agreement. No agency, partnership, joint venture, or employment is created as a result of this Agreement and Customer does not have any authority of any kind to bind Roqad in any respect whatsoever. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys’ fees. All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested. This Agreement shall be governed by the laws of the State of California without regard to its conflict of laws provisions.
Neither Party will be deemed in breach hereunder for any cessation, interruption or delay in the performance of its obligations due to causes beyond its reasonable control, including earthquake, flood, or other natural disaster, act of God, labor controversy, civil disturbance, terrorism, war (whether or not officially declared), cyber attacks (e.g., denial of service attacks), or the inability to obtain sufficient supplies, transportation, or other essential commodity or service required in the conduct of its business, or any change in or the adoption of any law, regulation, judgment or decree.
________________

Exhibit A: Data Protection Agreement (Controller-to-Controller)
Roq.ad, Inc., as identified in the Agreement (“Company”) and Customer Name (“Recipient”; each a “Party”, together the “Parties”), have entered into a principal agreement (“Agreement”), in the context of which Personal Data is disclosed to or processed by the Recipient, and are agreeing to this Data Protection Addendum (“DPA”). This DPA is entered into by Company and Recipient and supplements the Agreement. This DPA will be effective, and replaces any previously applicable terms relating to its subject matter, from the Terms Effective Date.
If you are accepting this DPA on behalf of Recipient, you warrant that: (a) you have full legal authority to bind Recipient to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Recipient, to this DPA. If you do not have the legal authority to bind Recipient, please do not accept this DPA.

1. INTRODUCTION

1.1 This DPA reflects the Parties’ agreement on the processing of Personal Data in connection with the Data Protection Laws.
1.2 Any ambiguity in this DPA shall be resolved to permit the Parties to comply with all Data Protection Laws.
1.3 In the event and to the extent that the Data Protection Laws impose stricter obligations on the Parties than under this DPA, the Data Protection Laws shall prevail.

2. DEFINITIONS AND INTERPRETATION

2.1 In this DPA:

2.1.1 “Affiliate” means any person or entity directly or indirectly controlling, controlled by, or under common control with a Party. For the purpose of this definition, “control” (including, with correlative meanings, the terms “controlling”, “controlled by” and “under common control with”) means the power to manage or direct the affairs of the person or entity in question, whether by ownership of voting securities, by contract or otherwise.

2.1.2 “Approved Jurisdiction“ means a jurisdiction approved as having adequate legal protections for data by the European Commission, currently found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

2.1.3. “Data Protection Laws” means any and all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or federal or national level, pertaining to data privacy, data security and/or the protection of Personal Data, including the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), including any amendments or replacements to them, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), Data Protection Act 2018 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and including the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) and any amendment or replacements to the foregoing.

2.1.4 “Data Subject” means a natural person to whom Personal Data relates.

2.1.5 “Personal Data” means any information which could be used, either directly or by employing additional means, to identify a natural person, and that is shared with or processed by the Recipient in the context of the performance of the Agreement.

2.1.6 “Security Incident” shall mean any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach will comprise a Security Incident.

2.1.7 “Standard Contractual Clauses” means the applicable module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 4 June 2021, as available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en.

2.1.8. “Terms Effective Date” means the effective date of the Agreement.

2.1.9. The terms “controller”, “processing” and “processor” as used in this DPA have the meanings given to them in Data Protection Laws. Where applicable, controller shall be deemed as a “Business“ and processor shall be deemed to be a “Service Provider“, as these terms are defined in the CCPA.

2.1.10 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

3. APPLICATION OF THIS DPA
3.1 This DPA will only apply to the extent all of the following conditions are met:
3.1.1 either Party processes Personal Data that is made available by the other Party in connection with the Agreement; and
3.1.2 the Data Protection Laws apply to the processing of Personal Data.
3.2 This DPA will only apply to the services agreed to by the Parties in the Agreement, which incorporates this DPA by reference.

4. ROLES AND RESTRICTIONS ON PROCESSING
4.1 Independent Controllers. Each Party:
4.1.1 is an independent controller of Personal Data under the Data Protection Laws;
4.1.2 will, as required under the Data Protection Laws, maintain accurate written records of all the processing activities conducted by that Party in relation to any Personal Data for the purposes of performing its respective obligations under the Agreement;
4.1.3 will individually determine the purposes and means of its processing of Personal Data;
4.1.4 will be responsible for ensuring that any Personal Data collected and processed by such Party is accurate and remains accurate for the duration of its processing;
4.1.5 will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data;
4.1.6 will be responsible for responding to any requests by Data Subjects to exercise their rights under Data Protection Laws, including (but not limited to) Articles 15-22 of the GDPR (“Data Subject Rights”), and shall provide reasonable cooperation and assistance to the other Party in connection with the exercise of Data Subject Rights;
4.1.7 will promptly notify the other Party of any circumstances in which such Party is unable or becomes unable to comply with this DPA or Data Protection Laws, or of any actual or potential changes to Data Protection Laws, if this shall affect the other Party’s ability to comply with its obligations under this DPA or Data Protection Laws.
4.2 Restrictions on Processing. Section 4.1 (Independent Controllers) will not affect any restrictions on either Party’s rights to use or otherwise process Personal Data under the Agreement.
4.3 Sharing of Personal Data. In performing its obligations under the Agreement, each Party shall process Personal Data provided by the other Party (i) only for the purposes set forth in the Agreement or as otherwise agreed to in writing by the Parties, provided such processing strictly complies with (a) Data Protection Laws, and (b) its obligations under the Agreement (the “Permitted Purposes”), provided that it will not do or permit any act or omission which would cause the other Party to incur any liability under Data Protection Laws, and (ii) solely during the term of the Agreement, and shall securely delete or return the copies of the disclosed Personal Data to the Company (by secure file transfer in such format as the other Party reasonably requests) and cease the processing of the disclosed Personal Data, and shall certify to the other Party to that effect, unless and only insofar as the processing of the Personal Data is required for the fulfillment of the Permitted Purposes or is permissible under Data Protection Laws, in which case the receiving Party will inform the disclosing Party of any such requirement and only further process the Personal Data as necessary to comply with the foregoing.
4.4 Lawful grounds and transparency. Each Party shall maintain a publicly-accessible privacy notice that satisfies the transparency disclosure requirements of Data Protection Laws, and warrants and represents that it has provided Data Subjects with appropriate transparency regarding data collection and use and all required notices, in accordance with Data Protection Laws, including Articles 13 and 14 of the GDPR. Where either Party collects Personal Data and discloses such Personal Data to the other Party, the disclosing Party shall ensure it has obtained and recorded all consents or permissions necessary under Data Protection Laws in order for itself and the other Party to process such Personal Data as set out herein. The foregoing shall not derogate from either Party’s responsibilities under the Data Protection Laws (such as the requirement to provide information to the Data Subject in connection with the processing of Personal Data). Both Parties will cooperate in good faith in order to identify the information disclosure requirements, and each Party hereby permits the other Party to identify it in the other Party’s privacy policy, and to provide a link to the other Party’s privacy policy in its privacy policy.
4.5 Subcontracting. Where either Party subcontracts the processing activities of Personal Data contemplated herein to a third party, it shall ensure that such third party enters into written contractual obligations which are (in the case of a third party controller) no less onerous than those imposed by this DPA or (in the case of a third party processor) compliant with Article 28 of the GDPR. Each Party shall be liable for the acts or omissions of its subcontractors to the same extent it is liable for its own acts or omissions under this DPA.

5. PERSONAL DATA TRANSFERS
5.1 Where the GDPR is applicable, either Party may transfer Personal Data outside the European Economic Area or an Approved Jurisdiction, subject to one of the appropriate safeguards in Article 46 of the GDPR.
5.2 Where the GDPR is applicable, to the extent that Recipient processes Personal Data outside the EEA or an Approved Jurisdiction, the Parties shall be deemed to enter into Module 1 of the Standard Contractual Clauses, subject to any amendments contained in Schedule A, in which event: (i) the Standard Contractual Clauses are incorporated herein by reference; and (ii) the Company shall be deemed the data exporter and the Recipient shall be deemed the data importer (as these terms are defined therein).

6. PROTECTION OF PERSONAL DATA
1. The Parties will provide a level of protection for Personal Data that is at least equivalent to that required under Data Protection Laws. Both Parties shall implement appropriate technical and organizational measures to protect the Personal Data.
2. In the event that a Party suffers a confirmed Security Incident with respect to Personal Data disclosed from the other Party, such Party shall notify the other Party without undue delay and the Parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident. In the event that a Party suffers a confirmed Security Incident, then such Party shall be responsible to notify the supervisory authority and/or the Data Subjects with respect to such Security Incident, as required under Data Protection Laws.

7. MUTUAL ASSISTANCE

7.1 Each Party shall:

7.1.1 appoint at least one representative as point of contact and responsible manager for all issues arising out of the Data Protection Laws (a “Designated Representative”); the Designated Representative(s) of both Parties will work together in good faith to reach an agreement with regards to any issues arising from time to time in relation to the processing of Personal Data in connection with the Agreement and this DPA;

7.1.2 use reasonable measures to consult with the other Party about any notices given to Data Subjects in relation to the processing of Personal Data under the Agreement;

7.1.3 inform the other Party (without undue delay) in the event that it receives a Data Subject request related solely and exclusively to the other Party’s respective processing activities and provide all reasonable assistance to ensure Data Subject requests are completed within the timeframe set out in Data Protection Laws;

7.1.4 provide the other Party with reasonable assistance (having regard to the data available to it) to enable the other Party to comply with any Data Subject request received by the other Party and to respond to any other queries or complaints from Data Subjects;

7.1.5 provide the other Party with such assistance as the other Party may reasonably request from time to time to enable the other Party to comply with its obligations under the Data Protection Laws including (without limitation) in respect of security, breach notifications, impact assessments and consultations with supervisory authorities or other regulators;

7.1.6 provide the other Party with such information as it may reasonably request in order to: (a) monitor the technical and organizational measures being taken to ensure compliance with the Data Protection Laws, or (b) satisfy any legal or regulatory requirements, including information reporting, disclosure and other related obligations to any regulatory authority from time to time;

7.1.7 in the event of an actual or potential Security Incident which does or is reasonably likely to affect the respective processing activities of both Parties, liaise with the other Party in good faith to consider what action is required in order to resolve the issue in accordance with the Data Protection Laws, and provide such reasonable assistance as is necessary to the other Party to facilitate the handling of such Security Incident in an expeditious and compliant manner.

8. OBLIGATIONS UNDER THE CCPA

8.1 To the extent that the Parties process Personal Data of California residents for a Business Purpose (as defined under the CCPA), they shall pass a clear indication of consent for that Personal Data to be used by the Parties that meets the Parties’ obligations under the CCPA specific to the purposes outlined in the Agreement.

9. RESOLUTION OF DISPUTES WITH DATA SUBJECTS OR SUPERVISORY AUTHORITIES

9.1 If either Party is the subject of a claim by a Data Subject or a supervisory authority or receives a notice or complaint from a supervisory authority relating to its respective processing activities (a “DP Claim”), it shall promptly inform the other Party of the DP Claim and provide the other Party with such information as it may reasonably request regarding the DP Claim.
9.2 Where the DP Claim concerns the respective processing activities of one Party only, then that Party shall assume sole responsibility for disputing or settling the DP Claim.
9.3 Where the DP Claim concerns the respective processing activities of both Parties, then the Parties shall use all reasonable endeavors to cooperate with a view to disputing or settling the DP Claim in a timely manner; provided always that neither Party shall make any admission or offer of settlement or compromise without using all reasonable endeavors to consult with the other Party in advance.

10. LIABILITY

10.1 Notwithstanding anything else in the Agreement, the total liability of either Party towards the other Party under or in connection with this DPA will be limited to the maximum monetary or payment-based amount at which that Party’s liability is defined under the Agreement.

11. PRIORITY

11.1 If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement, the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect.
11.2 If there is any conflict or inconsistency between the terms of this DPA and the Standard Contractual Clauses, the terms of the Standard Contractual Clauses will govern.

12. CHANGES TO THIS DPA

12.1 No changes, modifications or amendments to this DPA shall be valid or binding, unless made in writing and signed by both Parties.
12.2 If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and each Party will promptly begin complying with such Data Protection Laws in respect of its respective processing activities.

________________

Schedule A – SCC
1. This Schedule A sets out the Parties’ agreed interpretation of their respective obligations under Module One of the Standard Contractual Clauses.

2. The Parties agree that for the purpose of transfer of Personal Data between the Company (Data Exporter) and the Recipient (Data Importer), the following shall apply:

2.1 In Clause 11, data subjects shall not be able to lodge a complaint with an independent dispute resolution body.

2.2 In Clause 13, the supervisory authority shall be the Data Protection Authority of Berlin, Germany.

2.3 In Clause 17, option 1 shall apply. The Parties agree that the clauses shall be governed by the laws of Germany.

2.4 In Clause 18(b) the Parties choose the courts of Berlin, Germany as their choice of forum and jurisdiction.

3. The Parties shall complete Annexes I–II below, which are incorporated in the Standard Contractual Clauses by reference.
________________

Annex I – Description of processing activities

 

A. Identification of Parties

“Data Exporter”: the Company;

“Data Importer”: the Recipient.

 

B. Description of Transfer
Data Subjects
The Personal Data transferred concern the following categories of Data Subjects (please specify):
☐ Company’s end-users
☐ Company’s employees
☐ Company’s customers
☒ Other: ___End Users of third-party websites & mobile applications in the US_____
Categories of Personal Data
The Personal Data transferred concern the following categories of data (please specify):
☐ Contact information (name, age, gender, address, telephone number, email address etc.)
☐ Financial and payment data (e.g. credit card number, bank account, transactions)
☐ Governmental IDs (passport, driver’s license)
☒ Device identifiers and internet or electronic network activity (IP addresses, GAID/IDFA, browsing history, timestamps)
☐ Geo-location information
☐ Other: ________
Special Categories of Data (if appropriate)
The Personal Data transferred concern the following special categories of data (please specify):
☒ None
☐ Genetic or biometric data
☐ Health data
☐ Racial or ethnic origin
☐ Political opinions, religious or philosophical beliefs
☐ Other: ________
The frequency of the transfer
The frequency of the transfer:
☐ One-off
☒ Continuous
☐ Other: ________
Nature of the processing
☒ Collection
☐ Recording
☐ Organization or structuring
☐ Storage
☒ Adaptation or alteration
☐ Retrieval
☐ Consultation
☐ Disclosure, dissemination or otherwise making available
☐ Analysis
☐ Erasure or destruction
☒ Other: Appending with other data to form a cross device graph; linking IDs of different types together to better understand consumers’ online behaviors
Purpose of the transfer and further processing
As defined in the Agreement.
Retention period
Personal Data will be retained for the term of the Agreement.
________________

Annex II – Technical and Organizational Measures including Technical and Organizational Measures to Ensure the Security of the Data

Description of the technical and organizational measures implemented by the data importer (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Security Management
The Parties maintain a written information security management system (ISMS), in accordance with this Annex, that includes policies, processes, enforcement and controls governing all storage, processing and transmission of Personal Data, designed to (a) secure Personal Data against accidental or unlawful loss, access or disclosure; (b) identify reasonably foreseeable external and internal risks to security and unauthorized access to the Party’s Network; and (c) minimize security risks, including through risk assessment and regular testing. The information security program will include the following measures:
* The Parties actively follow information security trends and developments, as well as legal developments, with regard to the services provided and especially with regard to Personal Data, and use such insights to maintain their ISMS, as appropriate.
* To the extent the Parties process cardholder or payment data (such as payment or credit cards), Recipient will maintain its ISMS in accordance with the PCI DSS standard, augmented to cover Personal Data, or such other alternative standards that are substantially equivalent to PCI DSS for the establishment, implementation, and control of its ISMS. Additionally, the Parties will be assessed against PCI DSS annually by an on-site assessment carried out by an independent QSA (Qualified Security Assessor) and upon the other Party’s request, not to exceed once annually, Recipient will provide Company with PCI DSS attestation of compliance.

Maintain an Information Security Policy
The Parties’ ISMS is based on their security policies, which are regularly reviewed (at least yearly), maintained and disseminated to all relevant parties, including all personnel. Security policies and derived procedures clearly define information security responsibilities, including responsibilities for:
* Maintaining security policies and procedures;
* Secure development, operation and maintenance of software and systems;
* Security alert handling;
* Security incident response and escalation procedures;
* User account administration;
* Monitoring and control of all systems as well as access to Personal Data.

Personnel are screened prior to hire and trained (and tested) through a formal security awareness program upon hire and annually. For service providers with whom Personal Data is shared, or that could affect the security of Personal Data, a process has been set up that includes initial due diligence prior to engagement and regular (typically yearly) monitoring.
The Parties have implemented a risk-assessment process that is based on ISO 27005.

Secure Networks and Systems
The Parties have installed and maintain firewall configurations to protect Personal Data that control all traffic allowed between the Recipient’s (internal) network and untrusted (external) networks, as well as traffic into and out of more sensitive areas within its internal network. This includes current documentation, change control and regular reviews.
Recipient does not use vendor-supplied defaults for system passwords and other security parameters on any systems and has developed configuration standards for all system components consistent with industry-accepted system hardening standards.

Protection of Personal Data
The Parties keep Personal Data storage to a minimum and implement data retention and disposal policies to limit data storage to that which is necessary, in accordance with the needs of its customers.
The Parties use strong encryption and hashing for Personal Data anywhere it is stored. The Parties have documented and implemented all necessary procedures to protect the (cryptographic) keys used to secure stored Personal Data against disclosure and misuse. All transmission of Personal Data across open, public networks is encrypted using strong cryptography and security protocols.

Vulnerability Management Program
The Parties protect all systems against malware and regularly update anti-virus software or programs to protect against malware, including viruses, worms and Trojans. Anti-virus software is used on all systems commonly affected by malware to protect such systems from current and evolving malicious software threats.
The Parties develop and maintain secure systems and applications by:
* Establishing and evolving a process to identify and fix (e.g. through patching) security vulnerabilities, which ensures that all system components and software are protected from known vulnerabilities;
* Developing internal and external software applications, including web applications, securely, using a secure software development process based on best practices (e.g. code reviews and OWASP secure coding practices) that incorporates information security throughout the software development lifecycle;
* Implementing a stringent change management process and procedures for all changes to system components that include strict separation of development and test environments from production environments and prevent the use of production data for testing or development.

Implementation of Strong Access Control Measures

“Recipient Network” means the Recipient’s data center facilities, servers, networking equipment, and host software systems (e.g. virtual firewalls) as employed by the Recipient to process or store Personal Data.
The Recipient Network will be accessible to employees, contractors and any other person as necessary to provide the services to the Company. Recipient will maintain access controls and policies to manage what access is allowed to the Recipient Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Recipient will maintain corrective action and incident response plans to respond to potential security threats.
Recipient strictly restricts access to Personal Data on a need to know basis to ensure that critical data can only be accessed by authorized personnel. This is achieved by:
* Limiting access to system components and Personal Data to only those individuals whose job requires such access; and
* Establishing and maintaining an access control system for system components that restricts access based on a user’s need to know, with a default “deny-all” setting.

Recipient identifies and authenticates access to all system components by assigning a unique identifier to each person with access. This ensures that each individual is uniquely accountable for his or her actions and that any action taken on critical data and systems can be traced to known and authorized users and processes. The necessary processes to ensure proper user identification management, including control of addition, deletion, modification, revocation and disabling of IDs and/or credentials, lockout of users after repeated failed access attempts and timely termination of idle sessions, have been implemented.

User authentication uses at least passwords that have to meet complexity rules, which need to be changed on a regular basis and which are cryptographically secured during transmission and storage on all system components. All individual non-console and administrative access and all remote access use multi-factor authentication.
Authentication policies and procedures are communicated to all users, and group, shared or generic IDs/passwords are strictly prohibited.

“Company Network” means the Company’s data center facilities, servers, networking equipment, and host software systems (e.g. virtual firewalls) as employed by the Company to process or store Personal Data.
The Company Network will be accessible to employees, contractors and any other person as necessary to use and build derivative product from the services provided by Recipient. Company will maintain access controls and policies to manage what access is allowed to the Company Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Company will maintain corrective action and incident response plans to respond to potential security threats.
Company strictly restricts access to Personal Data on a need to know basis to ensure that critical data can only be accessed by authorized personnel. This is achieved by:
* Limiting access to system components and Personal Data to only those individuals whose job requires such access; and
* Establishing and maintaining an access control system for system components that restricts access based on a user’s need to know, with a default “deny-all” setting.

Company identifies and authenticates access to all system components by assigning a unique identifier to each person with access. This ensures that each individual is uniquely accountable for his or her actions and that any action taken on critical data and systems can be traced to known and authorized users and processes. The necessary processes to ensure proper user identification management, including control of addition, deletion, modification, revocation and disabling of IDs and/or credentials, lockout of users after repeated failed access attempts and timely termination of idle sessions, have been implemented.

User authentication uses at least passwords that have to meet complexity rules, which need to be changed on a regular basis and which are cryptographically secured during transmission and storage on all system components. All individual non-console and administrative access and all remote access use multi-factor authentication.
Authentication policies and procedures are communicated to all users, and group, shared or generic IDs/passwords are strictly prohibited.

Restriction of Physical Access to Personal Data
Any physical access to data or systems that house Personal Data is appropriately restricted using appropriate entry controls and procedures to distinguish between onsite personnel and visitors. Access to sensitive areas is controlled and includes processes for authorization based on job function and access revocation for personnel and visitors.
Media and backups are secured and (internal and external) distribution is strictly controlled. Media containing Personal Data no longer needed for business or legal reasons is rendered unrecoverable or physically destroyed.

Regular Monitoring and Testing of Networks
All access to network resources and Personal Data is tracked and monitored using centralized logging mechanisms that allow thorough tracking, alerting and analysis on a regular basis (at least daily) as well as when something does go wrong. All systems are provided with correct and consistent time, and audit trails are secured and protected, including file-integrity monitoring to prevent changes to existing log data and/or to generate alerts in case of such changes. Audit trails for critical systems are kept for a year.

Security of systems and processes is regularly tested, at least yearly. This is to ensure that security controls for system components, processes and custom software continue to reflect a changing environment. Security testing includes:
* Processes to test for rogue wireless access points;
* Internal and external network vulnerability tests that are carried out at least quarterly. An external, qualified party carries out the external network vulnerability tests;
* External and internal penetration tests using Recipient’s penetration test methodology, which is based on industry-accepted penetration testing approaches, covers all relevant systems and includes application-layer as well as network-layer tests.

All test results are kept on record and any findings are remediated in a timely manner.
Recipient does not allow penetration tests carried out by or on behalf of its customers.
In daily operations, an IDS (intrusion detection system) is used to detect and alert on intrusions into the network, and file-integrity monitoring has been deployed to alert personnel to unauthorized modification of critical systems.

Incident Management
Recipient has implemented and maintains an incident response plan and is prepared to respond immediately to a system breach. Incident management includes:
* Definition of roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of customers,
* Specific incident response procedures,
* Analysis of legal requirements for reporting compromises,
* Coverage of all critical system components,
* Regular review and testing of the plan,
* Incident management personnel who are available 24/7,
* Training of staff,
* Inclusion of alerts from all security monitoring systems,
* Modification and evolution of the plan according to lessons learned and to incorporate industry developments.
Recipient has also implemented a business continuity process (BCP) and a disaster recovery process (DRP) that is maintained and regularly tested. Data backup processes have been implemented and are tested regularly.

Physical Security
Physical Access Controls

Physical components of the Parties’ respective Networks are housed in nondescript facilities (“Facilities”). Physical barrier controls are used to prevent unauthorized entrance to Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.

Limited Employee and Contractor Access
The Parties provide access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of Recipient or its affiliates.

Physical Security Protections
All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. Recipient also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, etc.) with door contacts, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.

Continued Evaluation
The Parties will conduct periodic reviews of the security of their respective Networks and the adequacy of their information security programs as measured against industry security standards and their policies and procedures. Recipient will continually evaluate the security of the Recipient Network to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.