EPSILON DIGITAL MEDIA SOLUTIONS DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) applies to the Processing of Personal Data under a General Services Agreement, Service Order, Data Collection and Use Agreement, or any other agreement that incorporates this DPA (as applicable, the “Agreement”) by and between Epsilon Data Management, LLC, its subsidiaries and/or its affiliate Conversant, LLC (collectively “Epsilon”) and your company (“Marketing Partner”). This DPA also applies to the Processing of Personal Data pursuant to an Insertion Order between Epsilon and an advertising agency acting on Marketing Partner’s behalf (“Agency”), which Insertion Order will also be referred to herein as the Agreement.

Epsilon and Marketing Partner may be referred to herein each as a “party” or collectively as the “parties”.

The parties agree as follows:

  1. Definitions.
    1. “Applicable Data Protection Law” means any and all laws or regulations of the United States or Canada relating to the protection of Personal Data to the extent they apply to the Personal Data Processed by a party as part of a specific Service pursuant to the Agreement.
    2. “Controller” means a party that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data and includes a “Third Party” and “Business” under Applicable Data Protection Law.
    3. “Data Subject” is an identified or identifiable natural person who can be identified, directly or indirectly.
    4. “Device Tracking Technologies” means any technology, tool, or code (including cookies, pixels, SDKs, APIs, local shared objects, and scripts) that enables access to or storage of information on a device, including but not limited to, as embedded on Marketing Partner’s digital properties, servers, adverts or creative materials.
    5. “Disclosing Controller” means a Controller that discloses Personal Data to a Recipient or makes Personal Data available to a Recipient (including through digital collection by the Recipient).
    6. “Personal Data” means any information relating to a Data Subject and includes “personal data,” “personal information,” “personally identifiable information,” and any substantially similar term as defined under Applicable Data Protection Law.
    7. “Processing” means any operation or set of operations performed on Personal Data.
    8. “Recipient” means a party that receives Personal Data from a Controller.
    9. “Regulator” means a data protection regulator, law enforcement, or other government authority.
    10. “Special Data” means Personal Data that is: (a) “Sensitive Information”, or substantially similar categories of Personal Data, as defined under Applicable Data Protection Law; (b) any Personal Data subject to the Payment Card Industry Data Security Standards, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, Fair Credit Reporting Act, or similar federal or state health or financial rule or regulation; (c) any Personal Data obtained from or relating to a Data Subject that is deemed a child or minor under Applicable Data Protection Law; and/or (d) a Data Subject’s biometric or genetic data.
    11. “Services” means the services supplied by Epsilon to Marketing Partner under the Agreement.
  2. Compliance with Applicable Data Protection Law. Each party understands and agrees that it will comply with Applicable Data Protection Law. In the event of a material change to Applicable Data Protection Law, such as any change that results in a different classification of a party in relation to the Services, data localization, or if a transfer mechanism is deemed invalid, the parties will negotiate a suitable resolution in good faith, which may constitute an additional scope of Service to be detailed in an amendment or change order. If the parties fail to reach such a resolution or if either party reasonably deems a change in Applicable Data Protection Law to present a material risk to its business or operations, either party may suspend or terminate the impacted Services. If the change pertains only to a particular jurisdiction or specific Service, the party may terminate the Service only as to that jurisdiction and/or the impacted Service specifically. Any suspension or termination under this Section shall be deemed to be without fault by either party and shall be subject to the terms of the Agreement.
  3. DISCLOSURE OF PERSONAL DATA. Where a Disclosing Controller makes available Personal Data to a Recipient, the following provisions shall apply:
    1. TOMS. The Recipient will provide the same level of privacy protection to the Personal Data as required of Disclosing Controller by Applicable Data Protection Law. The Recipient will implement technical and organizational measures appropriate to the nature of the Personal Data received from the Disclosing Controller that are designed to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Applicable Data Protection Law which are at minimum such measures as identified in Schedule 2 – Technical and Organizational Measures.
    2. Permitted Purposes. The Recipient will process the Personal Data solely in accordance with the Description of Processing set forth on Schedule 1 – Description of Processing, which may be updated by the Parties in writing (email to suffice).
    3. Cooperation. Upon written request, the Recipient shall provide the Disclosing Controller with such information as the Disclosing Controller may reasonably require about the Recipient’s Processing of Personal Data disclosed by the Disclosing Controller under this Agreement (including any use of Device Tracking Technologies) so that Disclosing Controller can ensure that such information is presented to Data Subjects or to assist with data protection assessments.
    4. Data Subject Requests. Marketing Partner and Epsilon shall each be individually responsible for responding to lawful data protection requests that it receives from Data Subjects in respect of the Personal Data that it Processes.
    5. Regulator Requests. If the Recipient receives a lawful request relating directly to the Personal Data disclosed by the Disclosing Controller that is Processed under the Agreement from a Regulator, the Recipient (i) will use commercially reasonable efforts to provide Disclosing Controller notice of the Regulator request if such request references Disclosing Controller, unless Recipient is legally prohibited from doing so, and (ii) if Recipient becomes aware that any Regulator wishes to obtain access to the Personal Data disclosed by Disclosing Controller under this DPA, Recipient will only make available the Personal Data to the extent Recipient is legally required to do so.
  4. Additional Requirements under Applicable Data Protection Law. The Parties shall adhere to the following terms if required under Applicable Data Protection Law:
    1. Certification. Upon Disclosing Controller’s request, Recipient shall provide Disclosing Controller with an accurate description of its use of the Personal Data and certify to the Disclosing Controller its use of the Personal Data complies with the Agreement, this DPA, and Applicable Data Protection Law.
    2. Notice of Inability to Comply. The Recipient will promptly notify Disclosing Controller if Recipient determines it can no longer meet its obligations under Applicable Data Protection Law related to Recipient’s Processing of the Personal Data and the parties will negotiate a suitable resolution in good faith.
    3. Collection from Digital Properties. If the Disclosing Controller authorizes the Recipient to collect Personal Data from a Data Subject through the Disclosing Controller’s digital properties (either on behalf of the Disclosing Controller or for the Recipient’s own purposes), the Recipient will check for and comply with a Data Subject’s opt-out preference signal unless informed by the Disclosing Controller that the Data Subject consented to the Sale or Share of their personal information.
    4. Non-compliance. In the event that Recipient has failed to comply with these requirements, Disclosing Controller may require Recipient to stop Processing the Personal Data immediately until Recipient can confirm its compliance.
  5. Marketing Partner Responsibilities.
    1. Transmission. Marketing Partner, and any third party on Marketing Partner’s behalf, will transmit all Personal Data in a secure manner using methods mutually agreed to by the parties.
    2. Special Data. Marketing Partner shall not (and shall not permit any Data Subject to) disclose to Epsilon any Personal Data that is Special Data, unless and until Epsilon expressly agrees in writing to Process such Special Data.
    3. Notice and Choice. Marketing Partner warrants that for the purposes of the Agreement and the provision of the Services: (i) it has notified Data Subjects through appropriate means that would satisfy the obligations under Applicable Data Protection Law about the Processing of Personal Data by Marketing Partner and Epsilon, including the use of Device Tracking Technologies (as applicable); (ii) it has obtained all required and legally enforceable consents (as applicable) and otherwise has the right under Applicable Data Protection Law to disclose Personal Data to Epsilon, including to the use of Device Tracking Technologies (as applicable); (iii) where required by Applicable Data Protection Law or applicable self-regulatory principles, it has implemented a mechanism to obtain consent or facilitate opt-outs from Data Subjects on any digital properties on which Marketing Partner deploys Device Tracking Technologies to collect Personal Data; and (iv) will not disclose or make available to Epsilon any Personal Data relating to Data Subjects that have not consented, opted-out of, or otherwise exercised other rights that bar the Processing performed under the Agreement (as applicable) unless this is for the purpose of suppressing such Data Subject(s) from marketing. Where requested by Epsilon, required pursuant to Applicable Data Protection Law, or by order, request or other instruction by a Regulator, Marketing Partner agrees to provide documentation evidencing that such consent has in fact been obtained from Data Subjects.
  6. Deidentified Data. To the extent Recipient receives deidentified data (as defined by Applicable Data Protection Law) from Disclosing Controller, Recipient will (i) take reasonable measures to ensure that such data cannot be associated with a Data Subject or household, (ii) will maintain and use the information in deidentified form, and (iii) not attempt to reidentify such data.
  7. INDEMNIFICATION AND LIMITATION OF LIABILITY.
    1. Each party (the “Indemnitor”) shall indemnify and hold the other party (the “Indemnitee”) harmless from any third party claims and resulting losses, costs, damages, and expenses incurred by the Indemnitee that arise from the Indemnitor’s breach of its obligations under the DPA or failure to comply with Applicable Data Protection Law.
    2. To the extent permitted by law, in no event will Epsilon have an indemnification obligation to Marketing Partner, or be liable for any direct, indirect, incidental, or consequential damages to any Marketing Partner, arising out of or relating to the acts or omissions of a third party incidental or necessary to the performance of the Services.
    3. ANY AND ALL LIABILITIES ARISING FROM A PARTY’S BREACH OF THIS DPA OR VIOLATION OF APPLICABLE DATA PROTECTION LAW, INCLUDING BUT NOT LIMITED TO THOSE RESULTING FROM EPSILON’S INDEMNIFICATION OBLIGATION TO MARKETING PARTNER UNDER THIS DPA WILL IN NO EVENT EXCEED THE AGGREGATE AMOUNT OF FEES PAID OR PAYABLE TO EPSILON BY MARKETING PARTNER OR AGENCY, WHERE APPLICABLE, UNDER THE AGREEMENT DURING THE PRECEDING 12-MONTH PERIOD.
  8. SURVIVAL. To the extent that Recipient continues to Process the Personal Data disclosed or made available by Disclosing Controller, the terms of this DPA shall survive termination or expiry of the Agreement, and Recipient may continue to Process the Personal Data for the period identified in the description of processing, provided that such Processing complies with the requirements of this DPA and Applicable Data Protection Law.
  9. Entire Agreement. Except as expressly set forth herein, the terms of the Agreement remain unmodified and in full force and effect. The parties agree that this DPA shall replace any existing data processing agreement the parties may have previously entered in connection with the Agreement, as such data processing agreement and terms relate to Personal Data within the scope of this DPA.



SCHEDULE 1 - DESCRIPTION OF PROCESSING

  1. Disclosing Controller to Recipient Controller
    1. Parties: The Disclosing Controller is Marketing Partner; the Recipient Controller is Epsilon
    2. Data Subjects: The Personal Data to be processed concerns Marketing Partner’s customers; Visitors to Marketing Partner’s digital properties (websites, mobile applications, and digital advertisements).
    3. Purpose(s) of the Processing: The Personal Data may be processed for cross-context behavioral advertising (aka targeted advertising or interest-based advertising) and identity resolution.
    4. Duration of the Processing: The Personal Data will be Processed for as long as is necessary for the purposes for which the personal data is processed, unless otherwise agreed to in the Agreement.
    5. Categories of Personal Data: The Personal Data to be processed concern the following categories of Personal Data.

| Select | Category |
|---|---|
| X | Personal identifiers: e.g., name; alias; postal address; online identifiers; IP address; email address; account name; or hashed identifiers. |
| X | Commercial or transactions information: e.g., records of personal property, goods or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies |
| X | Internet or other electronic network activity information: e.g., browsing history; search history; online interests, such as information about categories of consumer interests derived from online usage; and information on a consumer's interaction with a website, application, or advertisement |

  2. Disclosing Controller to Recipient Controller – Ad Logs
    1. Applicable Service: PMX Lift
    2. Parties: The Disclosing Controller is Client; The Recipient Controller is Epsilon
    3. Data Subjects: The Personal Data to be processed concerns Client’s customers; Visitors to Client’s digital properties (websites, mobile applications, and digital advertisements)
    4. Purpose(s) of the Processing: The Personal Data may be processed for Media Measurement
    5. Categories of Personal Data: The Personal Data to be processed concerns the following categories of Personal Data. As part of the services, Client may disclose commercial or transactions information, but Epsilon will not use this category of personal data as a Controller.

| | Category |
|---|---|
| x | Personal identifiers: e.g., name; alias; postal address; online identifiers; IP address; email address; account name; or hashed identifiers. |
| x | Internet or other electronic network activity information: e.g., browsing history; search history; online interests, such as information about categories of consumer interests derived from online usage; and information on a consumer's interaction with a website, application, or advertisement |

SCHEDULE 2 - TECHNICAL AND ORGANIZATIONAL MEASURES

Recipient must maintain an effective Information Security Program (in line with industry standards such as ISO 27001, NIST, etc.) and security measures while handling Personal Data and confidential information of the Disclosing Controller, including but not limited to the requirements below.

  1. Security policies and procedures: Recipient shall maintain a management-approved, documented Information Security Policy and an established security risk management process to continually assess and evaluate new security risks and manage them through adequate security controls or safeguards.
  2. Confidentiality, Integrity and Availability: Recipient shall maintain confidentiality, integrity and availability of the Personal Data disclosed to it by the Disclosing Controller by identifying assets that store, process or transmit such data and deploying adequate technical and organizational measures such as, but not limited to, data encryption, physical and logical access control, strong password control, malware and content protection, security vulnerability assessment and patching, secure hardening, network/data segregation controls.
  3. Vulnerability management: Wherever applicable, a party must ensure that any software component (such as code or API) provided to the other party is free from any security vulnerability or issues and ensure the security of data processed using such component.
  4. Availability controls: Recipient shall maintain a comprehensive business continuity and disaster recovery plan to prevent any interruption of services and business impact to the Disclosing Controller.
  5. Asset management: Recipient shall maintain an IT asset management program to manage allocation and ownership of assets. Such program shall require, at a minimum, that (a) employees must return Recipient’s assets upon termination of employment; (b) assets shall be disposed of securely when they are no longer required; and (c) retired assets shall be decommissioned in accordance with industry standards regarding secure wiping and physical destruction of software, hardware, and removable media.
  6. Identity and access management: Any employee of Recipient having access to Personal Data shall be assigned a unique login ID that is managed by authorized persons or departments. Access to Personal Data is to be granted on a need-to-know basis and as appropriate to the sensitivity of the Personal Data.
  7. Availability controls: Recipient shall maintain a comprehensive business continuity and disaster recovery plan to prevent any interruption of services and business impact to the Disclosing Controller.
  8. Security risk management program relating to third parties: The Recipient will ensure a similar level of security controls wherever the Personal Data disclosed or authorized to be collected by the Disclosing Controller is exchanged with a third party.
  9. Encryption: To the extent the Parties have agreed in writing that the Disclosing Controller can share sensitive data (as defined by Applicable Data Protection Laws) with the Recipient, Recipient will ensure that any such sensitive data is encrypted at rest and in transit.