Data Processing Addendum
This Data Processing Addendum consists of the terms and conditions set forth below, and in the Standard Contractual Clauses (as defined below) (the "Addendum") that defines how Monetize360, Inc. and Customer agree to treat personal data (as defined below) that is contained in Customer Data. This Addendum forms part of the agreement between the parties.
1. Definitions.
Unless otherwise defined below, capitalized terms used in this Addendum shall have the meaning set forth in the Agreement.
a. "Agreement" means, as applicable, the Platform Service Terms, or similar commercial agreement by and between Monetize360 and Customer with respect to the Platform Service, exclusive of this Addendum.
b. "Applicable Privacy Laws" means all applicable laws concerning privacy, data protection and the cross border transfer of data, including, where applicable, the California Consumer Privacy Act, the California Privacy Rights Act (together, the “CCPA”), the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), and 2002/58/EC, each as amended, superseded, or replaced. The term “Applicable Privacy Laws” excludes any laws of the Russian Federation or the People’s Republic of China.
c. “controller” has the meaning set forth in the GDPR and other Applicable Privacy Laws using such terminology, and also means “business” as defined in the CCPA or other Applicable Privacy Laws using such terminology.
d. "Customer Personal Data" means the personal data that is contained in Customer Data.
e. “IDTA” means the then-current International Data Transfer Addendum to the EU Commission Standard Contractual Clauses that was issued by the UK ICO, a current version found at https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transferagreement.pdf.
f. "personal data" means (a) any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or (b) is defined as “Personal Information” or “Personal Data” by Applicable Privacy Laws (e.g., CCPA § 1798.140(o) or GDPR Art. 4).
g. "processing" has the meaning given to it in the Applicable Privacy Laws, and "process" will be interpreted accordingly.
h. “processor” and “subprocessor” have the meaning set forth in the GDPR and other Applicable Privacy Laws using such terminology, and also mean “service provider” to the relevant party as defined in the CCPA or other Applicable Privacy Laws using such terminology.
i. "Standard Contractual Clauses" or “SCC” means (a) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs") and (b) where the UK GDPR applies, the EU SCCs as amended by the IDTA (“UK SCCs”), incorporated into this Addendum as described in Attachment 1.
j. “UK ICO” means the United Kingdom Information Commissioner’s Office.
k. “UK GDPR” means the GDPR as implemented by the UK.
2. Scope and Application.
This Addendum shall apply when Customer Personal Data is transferred to Monetize360 from any Customer or Customer affiliates who are subject to the Applicable Privacy Laws. In this context, Customer acts as controller and Monetize360 acts as processor respectively with respect to the Customer Personal Data. Customer shall act as the "data exporter," and Monetize360 shall act as the "data importer" for the purposes of (and as defined in) the Standard Contractual Clauses.
3. Data Processing.
a. No Sale of Personal Information under CCPA. Monetize360 will not “sell” any “personal information” (as those terms are defined in the CCPA) Monetize360 processes on Customer’s behalf.
b. Instructions for Data Processing. Monetize360 will process Customer Personal Data only in accordance with Customer's lawful instructions and in compliance with the Agreement, and will not process Customer Personal Data for any purpose other than as set forth in the Agreement. Processing outside of the scope of the Agreement will require the prior written agreement of the parties on the additional instructions for processing.
c. Customer Responsibility.
(i) Customer’s instructions for the Processing of Personal Data shall comply with Applicable Privacy Laws, and where applicable, any other laws concerning privacy, data protection and the cross border transfer of data to which Customer is subject. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data. Customer represents and warrants that it has obtained and/or will obtain all necessary consents and permissions required for the transfer of Customer Personal Data to, and processing of Customer Personal Data by, Monetize360 by the Agreement.
(ii) Customer shall not use the Platform Service to collect or process any personal data in the “special categories of personal data” under the GDPR except in compliance with the conditions for such processing set forth in the GDPR (e.g., explicit consent by the individual, or the individual has made the relevant personal data manifestly public).
(iii) Customer shall not use the Platform Service to collect or process other personal data that is subject to heightened restrictions relating to the transmission or processing of data for the jurisdictions in which Monetize360 and Customer operate, such as (by way of example only) the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act, any personal data regarding children under 16, and the standards promulgated by the PCI Security Standards Council.
d. Compliance with Laws. Each party will comply with all applicable laws, rules, and regulations (including all Applicable Privacy Laws) in its performance of this Addendum. For the avoidance of doubt, Monetize360 expressly disclaims any compliance with any laws of the Russian Federation or the People’s Republic of China.
4. Monetize360 Security Responsibilities.
a. Security Measures. Monetize360 shall implement and maintain appropriate technical and organizational security measures designed to protect and preserve the security, integrity and confidentiality of the Customer Personal Data described in Attachment 2 to this Addendum.
b. Disclosure. Monetize360 will not disclose the Customer Personal Data to any third party except (a) as directed by Customer, (b) if such disclosure is made by Monetize360 in response to a court order, subpoena or other legal process, and provided that Monetize360 has given Customer reasonable notice of such court order, subpoena or other legal process if permitted by such process, or (c) to subprocessors.
c. Monetize360 Personnel. Monetize360 shall restrict access by Monetize360 personnel to Customer Personal Data (i) to only those personnel who need to access the Customer Personal Data in order to provide the Service and (ii) as set out in Attachment 2 to this Addendum.
d. Records. Monetize360 shall maintain relevant records with respect to Monetize360’s information security practices and shall provide copies of such records as reasonably required by Customer to verify Monetize360's compliance with this Addendum.
e. Audit by Customer. Customer (or its third party independent auditors) may audit Monetize360's compliance with the security measures set out in Attachment 2 to this Addendum. Any such audit: (i) will be subject to Customer giving reasonable prior written notice to Monetize360; (ii) will be performed at Customer's sole expense; and (iii) will be carried out by Customer in such a way as to mitigate any disruption to Monetize360's business.
f. Security Breach Notification. If Monetize360 becomes aware of any unauthorized access to any Customer Personal Data stored on Monetize360's equipment or in Monetize360's facilities, then Monetize360 shall promptly notify Customer of such access and provide to Customer a report that, at a minimum, includes the following information: (1) a description of the Security Incident; (2) the date the Security Incident occurred; (3) the date the Security Incident was discovered; (4) the identity and last known mailing address of affected individuals; (5) the affected categories of Personal Data for each affected individual; (6) a description of the steps taken to mitigate the Security Incident; (7) an identification of any law enforcement agency that has been contacted about the Security Incident and contact information for the relevant official; (8) a description of the steps that have been, or will be, taken to prevent a recurrence; (9) contact information for the person at Monetize360 principally responsible for handling the Security Incident; and (10) any other information reasonably requested by Customer for purposes of responding to the Security Incident. The report shall not be construed as an acknowledgement by Monetize360 of any fault or liability with respect to the unauthorized access.
5. Subprocessors.
a. Authorized Subprocessors. Customer agrees that Monetize360 may use subprocessors to fulfill its obligations under the Agreement. The Monetize360 Security Policy and Privacy Guidelines lists the subprocessors that are currently authorized by Monetize360 to process Customer Personal Data. Customer hereby consents to Monetize360's use of subprocessors as described in this Section 5.
b. New or Different Subprocessors. Monetize360 shall make available to Customer a mechanism to subscribe to notifications of new subprocessors for the Platform Service, to which Customer may subscribe, and if Customer subscribes to such mechanism, Monetize360 shall provide notification of a new subprocessor before authorizing such new subprocessor to process Customer Personal Data in connection with the provision of the applicable Platform Service. If Customer has a reasonable objection to such new subprocessor, Customer may object by notifying Monetize360 in writing within ten (10) days after the date of Monetize360’s notice, explaining the grounds for the objection. Upon receipt of such notice, Monetize360 will use reasonable efforts to make available to Customer a change in the Platform Service or recommend a commercially reasonable change to Customer’s configuration or use of the Platform Service to avoid processing of Customer Personal Data by the rejected new sub-processor. If Monetize360 is unable to make such a change available within a reasonable period of time, which shall not exceed sixty (60) days, either Customer or Monetize360 may by written notice terminate the applicable Agreement with respect only to those elements of the Platform Service which cannot be provided by Monetize360 without the use of the rejected new sub-processor. Upon such termination, Monetize360 will refund any unused prepaid fees covering the remainder of the then-current subscription period.
c. Subprocessor Obligations. Where Monetize360 authorizes a subprocessor to process Customer Personal Data as described in this Section 5, Monetize360 will enter into a written agreement with each such subprocessor consistent with the Applicable Privacy Laws. Except as set forth in this Addendum or as otherwise authorized in writing by Customer, Monetize360 will not permit any subprocessors to process Customer Personal Data. Monetize360 shall be liable for the acts and omissions of its subprocessors to the same extent it would be liable if performing the services of each subprocessor directly under the terms of the Agreement and this Addendum.
6. Cooperation.
a. Individual Data Requests. Monetize360 shall notify Customer of any requests received directly by Monetize360 from individuals regarding the Customer Personal Data and shall provide to Customer such reasonable assistance as is required for Customer to comply with such requests. Monetize360 shall only respond directly to such requests on receiving Customer's written request and consent.
b. Cooperation Specific to GDPR. To the extent required under Article 28(3) GDPR, Monetize360 will assist Customer to comply with Articles 35 & 36 of the GDPR; in particular, Monetize360 will promptly notify Customer if it believes that its processing of Customer Personal Data is likely to result in a high risk to the privacy rights of data subjects, and upon reasonable request, will assist Customer to carry out data protection impact assessments and to consult where necessary with data protection authorities.
c. Return or Destruction. Following Customer’s request, Monetize360 shall destroy or return to Customer all Customer Personal Data in its possession. This requirement shall not apply to the extent that Monetize360 is required by any applicable law to retain some or all of the Customer Personal Data, in which case, Monetize360 shall use reasonable efforts to isolate and protect the Customer Personal Data from any further processing except to the extent required by such law.
7. Standard Contractual Clauses. To the extent any personal data of European Economic Area (“EEA”) or United Kingdom (“UK”), or Swiss data subjects is processed, the Standard Contractual Clauses (“SCC”) as detailed in Attachment 1 of this Addendum apply, provided that for Swiss data subjects the SCC extends protection to the personal data of legal entities and personality profiles. For the avoidance of doubt, with respect to transfers of EEA, UK and Swiss personal data for processing by Monetize360 in a jurisdiction other than an EU member state, Monetize360 agrees to comply with Applicable Privacy Laws in connection with that cross-border transfer of data (e.g., Art. 46 of the GDPR).
8. Limitation of Liability. Each party's liability arising out of or in relation to this Addendum (whether in contract, tort, or under any other theory of liability) is subject to the limitations of liability set forth in the Agreement.
9. General.
a. Compensation. To the extent legally permitted, Customer shall be responsible for any costs arising from Monetize360’s provision of any assistance and cooperation required to be provided by Monetize360 hereunder, including any fees associated with the provision of additional functionality; provided, however, that this paragraph shall not apply to activities undertaken by Monetize360 under Section 4(e) if the relevant security breach was caused by Monetize360.
b. Termination. This Addendum will terminate automatically upon termination of the Agreement; provided however that the provisions of this Addendum shall survive any termination or expiration of the Agreement for so long as Monetize360 or its sub-processors have custody, control or possession of Customer Personal Data.
c. Conflict. In the event of a conflict between the Agreement (other than this Addendum) and this Addendum, the terms of this Addendum will take precedence to the extent of the conflict. In the event of a conflict between the Standard Contractual Clauses and the remaining terms of this Addendum, the Standard Contractual Clauses will take precedence to the extent of the conflict. Nothing in this Addendum modifies the Standard Contractual Clauses or affects any third party's rights under the Standard Contractual Clauses.
Attachment 1 to the Data Processing Addendum
Applicable Standard Contract Clauses and Supplemental Terms
1. The Parties agree that the SCCs are hereby incorporated by reference into this Addendum as follows: Module 2: Transfer controller to processor, as to Customer Personal Data originating in the EEA, UK, or Switzerland.
2. Cross-Border Transfers Mechanisms – EU and Switzerland. If the Agreement requires the transfer of personal data of data subjects who reside in or based out of the EU or Switzerland to countries that are not recognized by the European Commission as providing an adequate level of protection of Personal Data, then such transfers will be made pursuant to the transfer mechanisms outlined in Module Two (Transfer controller to processor) of the EU SCCs. Where the EU SCCs identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:
a. In Clause 7 (Docking Clause) (Module 2) – the Optional provision shall apply;
b. In Clause 9(a) (Use of subprocessors) (Module 2) – Option 2 shall apply with the specified time period being 10 business days;
c. In Clause 11(a) (Redress) (Module 2) – the Optional provision shall NOT apply;
d. In Clause 17 (Governing Law) (Module 2) – Option 1 shall apply and the laws of Ireland shall govern; and
e. In Clause 18 (Choice of forum and jurisdiction) (Module 2) – the courts of Ireland shall have jurisdiction.
3. Cross-Border Transfers Mechanisms – UK.
If the Agreement requires the transfer of personal data of data subjects who reside in the UK to countries that are not recognized by the UK ICO as providing an adequate level of protection of personal data, then such transfers will be made pursuant to the EU SCCs detailed in Sections 1 and 2 of this Attachment and as amended by the IDTA. With respect to Table 1 of the IDTA, the “Exporter” is the Data Exporter and the “Importer” is the Data Importer, as both are identified in Annex I of the SCC (below). By entering and signing the Agreement, Addendum or Order Form, Importer and Exporter are deemed to have signed the IDTA.
a. With respect to Table 2 of the IDTA:
(i) the optional provisions of Clause 7 (Docking Clause) (Module 2) shall apply;
(ii) Option 2 in Clause 9(a) (Use of subprocessors) (Module 2) shall apply with the specified time period being 10 business days; and
(iii) Clause 11(a) (Redress) (Module 2) shall NOT apply.
b. With respect to Table 3 of the IDTA, the information is provided in Section 2 of this Attachment.
c. With respect to Table 4 of the IDTA, only Exporter (aka Subscriber) may end the IDTA as is detailed in Section 19 of the IDTA if the UK ICO issues new changes to IDTA.
4. Annex 1 to the SCCs is appended to this Attachment 1.
5. In Annex 2 to the SCCs, Data Importer will at a minimum institute the technical and organizational measures set forth in Attachment 2 to the Addendum.
6. Supplementary Terms:
a. This Addendum and the Agreement are Customer’s complete and final instructions for the processing of Customer Personal Data as of the date of entry into the current version of the Agreement and the current version of this Addendum. Any different instructions must be consistent with the current version of this Agreement and the current version of this Addendum. For the purposes of clause 8.1(a) of the SCC, the instructions for the processing of personal data include onward transfers to third parties located outside of Europe for the provision of the Platform Service.
b. For the purposes of clause 8.6(a) of the SCC, Customer is solely responsible for determining whether the technical and organizational measures set forth in Attachment 2 to this Addendum and as otherwise described to Customer by Monetize360 meet Customer’s requirements, and agrees that such technical and organisational measures provide an appropriate level of security, taking due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing the Customer Personal Data and the risks to individuals.
c. For the purposes of clause 8.6 of the SCC, Monetize360 shall delete Customer Personal Data in accordance with respective data deletion and certification of deletion provisions set out in the Agreement. For the avoidance of doubt, if no such provisions are set out in the Agreement, Monetize360 shall delete all Customer Personal Data within 30 days of termination of the Agreement. Any certification of deletion of Customer Personal Data from Monetize360 as described in the SCC shall be provided only upon Customer’s written request.
d. For the purposes of clause 8.6(c) of the SCC, personal data breaches will be addressed in accordance with Section 4(e) of this Addendum.
e. The audits permitted to be carried out under clause 8.9 of the SCC shall be conducted in accordance with Section 4(d) of this Addendum.
f. For the purposes of clause 9 of the SCC, Customer grants Monetize360 a general authorization to engage subprocessors, subject to the procedures set forth in Section 5 of this Addendum, and further grants such subprocessors a general authorization to engage further sub-processors, and the authority to add or replace such further sub-processors.
g. For the purposes of clause 11 of the SCC, Monetize360 will without undue delay inform Customer if it received a complaint by or on behalf of an individual concerning Customer Personal Data, and shall not otherwise have any obligation to address such request except as agreed between Monetize360 and Customer.
h. Monetize360’s liability under the SCC under clause 12 shall be limited to any damage caused by its processing of Customer Personal Data only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside of or contrary to Customer’s lawful instructions, and to the extent permitted under the SCC, each party’s liability under the SCC shall be subject to the provisions of the Agreement concerning limitation of liability.
i. For notices required under clause 15.1(a), Monetize360 will provide notice only to Customer, and Customer shall be responsible for notifying any affected individuals.
j. The Parties acknowledge and agree that where Monetize360 is required by the SCCs to notify the competent Supervisory Authority, Monetize360 shall first provide Customer with the details of the notification, permitting Customer to have prior written input into the relevant notification, where Customer so desires and is able to do so without delaying the timing of the notification unduly.
k. Enforcement. The Data Exporter may enforce the terms of the SCCs against the Data Importer (and vice versa).
l. Signatories. Notwithstanding the fact that the SCCs are incorporated herein by reference without the signature page of the SCCs actually being signed by the parties, it is agreed that the execution of the Agreement is deemed to constitute each party’s execution of the SCCs as Data Exporter or Data Importer (as applicable), and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly.
m. The provisions in this Addendum shall be without prejudice to the parties’ ability to rely on any other legally valid international data transfer mechanism for the transfer of data out of the EEA.
ANNEX I to the SCC
A. LIST OF PARTIES
Data exporter(s):
- Name: As set forth in the Order Form between Customer and Monetize360.
- Address: As set forth in the Order Form between Customer and Monetize360.
- Contact person’s name, position and contact details: As set forth in the Order Form between Customer and Monetize360.
- Activities relevant to the data transferred under these Clauses: Provision of the Platform Service pursuant to the Agreement.
- Signature and date: As set forth in the Order Form between Customer and Monetize360.
- Role (controller/processor): Controller
Data importer(s):
- Name: Monetize360, Inc.
- Address: 4793 Ridgewood Drive, Fremont, CA 94555
- Contact person’s name, position and contact details: Murali Saravu, Data Protection Officer, dpo@monetize360.io
- Activities relevant to the data transferred under these Clauses: Provision of the Platform Service pursuant to the Agreement.
- Signature and date: As set forth in the Order Form between Customer and Monetize360.
- Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Customer personnel, individual contractors, individual consultants
Categories of personal data transferred
Any personal data within the Customer Data, as contemplated in the Agreement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Customer has agreed not to provide any sensitive data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis during Customer use of Platform Service.
Nature of the processing
Provision of the Platform Service to Customer
Purpose(s) of the data transfer and further processing
In order to allow Monetize360 to provide the Platform Service to Customer pursuant to the Agreement, and as otherwise instructed by Customer consistent with the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Monetize360 will retain and process personal data for the duration of the Agreement, unless agreed in writing.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Subprocessors will process personal data in order to allow Monetize360 to provide the Platform Service to Customer pursuant to the Agreement, and as otherwise instructed by Customer consistent with the Agreement and will process personal data for the duration of the Agreement, unless agreed in writing.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
- Where the data exporter is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
- Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
- Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
Attachment 2 to the Data Processing Addendum
Monetize360 Security and Privacy Standard
Subprocessors
Monetize360 uses the following subprocessors:
Technical and Organizational Security Measures
Monetize360 will adopt and maintain appropriate security, organizational and technical measures prior to and during processing of any Customer Personal Data in order to protect against (i) unauthorized or accidental access, loss, alteration, disclosure or destruction of such data and (ii) all other unlawful forms of processing.
Monetize360 will implement at least the following security measures:
- Monetize360 will have access management controls commensurate with industry-standard practices to prevent unauthorized use or abuse of Customer Personal Data and systems.
- Monetize360 will have network security controls commensurate with industry-standard practices to ensure Customer Personal Data remains secure, available to authorized entities, and is protected against deliberate or unintentional alteration.
- Monetize360 will ensure that Customer Personal Data remains secure throughout the lifecycle of the engagement.
- Monetize360 will ensure that all devices that access Customer Personal Data are secured.
- Monetize360 will have formal personnel security and organizational security policies commensurate with industry-standard best practices.
- Monetize360 will conduct periodic internal and external security assessments against their physical and logical environment commensurate with industry-standard best practices.
- Monetize360 will use industry-standard and commercially-reasonable organizational and technical safeguards to protect Customer Personal Data.