DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) is effective by and between Client and Epsilon with respect to any Personal Data processed under the Master Services Agreement between the parties, including any statements of work, as amended from time to time (collectively, the “Agreement”). This DPA constitutes a part of the Agreement, and any breach of this DPA shall be deemed a breach of the Agreement. In the event of any conflict between the provisions of this DPA and the other provisions of the Agreement, the provisions of this DPA will control. Unless otherwise defined in this DPA, all capitalized terms used in this DPA shall have the meanings ascribed to them in the Agreement.

All references to “Epsilon” shall be deemed references to an Epsilon Affiliate that is a party to the Agreement, has adopted the Agreement through an affiliated adopting agreement, or fulfills orders under the Agreement. All references to “Client” shall be deemed references to a Client Affiliate that is a party to the Agreement, has adopted the Agreement through an affiliated adoption agreement or local market agreement, or places orders under the Agreement. Epsilon and Client may be referred to herein each as a “party” or collectively as the “parties”.

The parties agree as follows:

  1. Definitions.
    1. “Affiliate” means any entity directly or indirectly Controlling, Controlled by, or under common Control with a party. “Control” means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of another entity (whether through the ownership of voting shares, by contract, or otherwise), the terms “Controls” and “Controlled” being construed accordingly.
    2. “Applicable Data Protection Law” means any and all laws or regulations of the Permitted Territories relating to the protection of Personal Data to the extent they apply to the Personal Data Processed by a party as part of a specific Service pursuant to the Agreement.
    3. “Client Data” means Personal Data Processed in connection with the Services that is: (a) made available or provided by Client (or a third party, including a Sub-Processor, on Client’s behalf) to Epsilon, or (b) collected by Epsilon or a Sub-Processor solely on Client’s behalf.
    4. “Controller” means a party that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
    5. “Data Subject” is an identified or identifiable natural person who can be identified, directly or indirectly.
    6. “Deidentified Data” means data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person.
    7. “Device Tracking Technologies” means any technology, tool, or code (including cookies, pixels, SDKs, APIs, local shared objects, and scripts) that enables access to or storage of information on a device, including but not limited to, as embedded on Client’s digital properties, servers, adverts or creative materials.
    8. “License” shall mean license, provide, or otherwise give a right to use Personal Data.
    9. “Licensed Data” means Personal Data that Epsilon Licenses to Client.
    10. “Permitted Territories” means the United States of America and Canada.
    11. “Personal Data” means any information relating to a Data Subject and includes “personal data,” “personal information,” “personally identifiable information,” and any substantially similar term as defined under Applicable Data Protection Law.
    12. “Personal Data Breach” shall include “personal data breach”, “data breach,” “breach of security safeguards,” “data security breach,” or any substantially similar term as defined under Applicable Data Protection Law.
    13. “Processing” means any operation or set of operations performed on Personal Data.
    14. “Processor” means a party that Processes Personal Data on behalf of a Controller and in accordance with the Controller’s instructions.
    15. “Regulator” means a data protection regulator, law enforcement, or other government authority.
    16. “Sale” or “Sell” has the meaning set forth in Applicable Data Protection Law.
    17. “Services” means the services supplied by Epsilon to Client under the Agreement.
    18. “Share” has the meaning set forth in Applicable Data Protection Law.
    19. “Special Data” means Personal Data that is: (a) “Sensitive Information”, or substantially similar categories of Personal Data, as defined under Applicable Data Protection Law; (b) any Personal Data subject to the Payment Card Industry Data Security Standards, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, Fair Credit Reporting Act, or similar federal or state health or financial rule or regulation; (c) any Personal Data obtained from or relating to a Data Subject that is deemed a child or minor under Applicable Data Protection Law; (d) a Data Subject’s biometric or genetic data; and/or (e) any Personal Data that is accorded a higher level of protection under Applicable Data Protection Laws.
    20. “Sub-Processor” means a Processor contracted by Epsilon to Process Client Data in relation to the Services provided directly by Epsilon.
    21. Vendor” means a third-party contracted by Epsilon, on behalf of or for the benefit of Client, which Processes Personal Data. A Vendor may be a Processor or Controller, depending on Applicable Data Protection Law and the Vendor’s interpretation thereof, which interpretation Epsilon does not control.
  2. Schedules. The following schedules (the “Schedules” and each a “Schedule”) are attached and incorporated herein. To the extent a provision in a Schedule conflicts with the body of this DPA, the provision in the Schedule shall control.
    1. Schedule 1. Technical and Organizational Measures. This Schedule addresses the technical and organizational measures a Recipient (as defined in Section 5 below) of Personal Data will adhere to while Processing Personal Data related to the Services.
    2. Schedule 2. Epsilon Services that Process Personal Data as a Processor. This Schedule addresses the terms applicable to the Services provided by Epsilon that involve the Processing of Client Data by Epsilon as a Processor. The body of this DPA addresses the general obligations of the parties.
    3. Schedule 3. Epsilon Services that Process Personal Data as a Controller. This Schedule addresses the terms applicable to the Services provided by Epsilon that involve the Processing of Personal Data by Epsilon as a Controller. The body of this DPA addresses the general obligations of the parties.
    4. Schedule 4. Description of Processing. Schedule 4 shall detail the Processing activities of each Recipient.
  3. SUPPLEMENTAL JURISDICTIONAL TERMS. To the extent the Services require Epsilon to Process Personal Data originating from and protected by laws in a jurisdiction other than the Permitted Territories, Client shall notify Epsilon so the parties can include appropriate supplemental jurisdictional terms. Client agrees not to provide Client Data originating from and protected by laws in a jurisdiction other than the Permitted Territories to Epsilon until such supplemental jurisdictional terms and/or appropriate data export mechanism are in place.
  4. Compliance with Applicable Data Protection Law. Each party understands and agrees that it will comply with Applicable Data Protection Law. In the event of a material change to Applicable Data Protection Law, such as any change that results in a different classification of a party in relation to the Services, data localization, or if a transfer mechanism is deemed invalid, the parties will negotiate a suitable resolution in good faith, which may constitute an additional scope of Service to be detailed in a statement of work or change order. If the parties fail to reach such a resolution or if either party reasonably deems a change in Applicable Data Protection Law to present a material risk to its business or operations, either party may suspend or terminate the impacted Services. If the change pertains only to a particular jurisdiction or specific Service, the party may terminate the Service only as to that jurisdiction and/or the impacted Service specifically. Any suspension or termination under this Section shall be deemed to be without fault by either party and shall be subject to the terms of the Agreement.
  5. DISCLOSURE OF PERSONAL DATA. Where a party that is a Controller of Personal Data (“Disclosing Controller”) either (1) discloses such Personal Data to or (2) allows the collection of such Personal Data from its digital properties (e.g., websites, mobile applications, online advertisements) by the other party (“Recipient”), the following provisions shall apply:
    1. TOMS. The Recipient will provide the same level of privacy protection to the Personal Data as required of Disclosing Controller by Applicable Data Protection Law. The Recipient will implement technical and organizational measures appropriate to the nature of the Personal Data received from the Disclosing Controller that are designed to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Applicable Data Protection Law which are at minimum such measures as identified in Schedule 1 – Technical and Organizational Measures.
    2. Cooperation. Upon written request, the Recipient shall provide the Disclosing Controller with such information as the Disclosing Controller may reasonably require about the Recipient’s Processing of Personal Data disclosed by the Disclosing Controller under this Agreement (including any use of Device Tracking Technologies) so that Disclosing Controller can ensure that such information is presented to Data Subjects or to assist with data protection assessments.
    3. Regulator Requests. If the Recipient receives a lawful request relating directly to the Personal Data disclosed by the Disclosing Controller that is Processed under the Agreement from a Regulator, the Recipient (i) shall, to the extent the Recipient is Processing the Personal Data as a Processor, not respond to such request unless required by applicable law, (ii) will use commercially reasonable efforts to provide Disclosing Controller notice of the Regulator request if such request references Disclosing Controller, unless Recipient is legally prohibited from doing so, and (iii) if Recipient becomes aware that any Regulator wishes to obtain access to the Personal Data disclosed by Disclosing Controller under this DPA, Recipient will only make available the Personal Data to the extent Recipient is legally required to do so.
    4. Notice and Collection. The Disclosing Controller warrants that for the purposes of the Agreement, it maintains and has provided to Data Subjects (i) a privacy notice(s) compliant with Applicable Data Protection Law and industry self-regulatory standards to which the Disclosing Controller is a member or subject (such as the Digital Advertising Alliance) about the Processing of the Personal Data under this Agreement and (ii) any other necessary disclosures under applicable law. Disclosing Controller shall ensure that any Personal Data it discloses to Recipient was collected fairly and in compliance with Applicable Data Protection Law.
    5. US Specific Provisions. For any Personal Data that relates to Data Subjects in the United States, the following shall apply:
      1. Permitted Purposes. The Recipient will process the Personal Data solely in accordance with the description of Processing, including the specifics required by Schedule 4 – Description of Processing, which may be updated by the parties in writing, for which email is sufficient.
      2. Attestation. The Recipient will upon the request of Disclosing Controller, provide an attestation confirming Recipient’s Processing of the Personal Data is consistent with Disclosing Controller’s obligations under Applicable Data Protection Law.
      3. Notice of Inability to Comply. The Recipient will within five (5) business days of making such a determination, notify Disclosing Controller if Recipient determines it can no longer meet its obligations under Applicable Data Protection Law related to Recipient’s Processing of the Personal Data and the parties will negotiate a suitable resolution in good faith.
      4. Collection from Digital Properties. If the Disclosing Controller authorizes the Recipient to collect Personal Data from a Data Subject through the Disclosing Controller’s digital properties (either on behalf of the Disclosing Controller or for the Recipient’s own purposes), the Recipient will check for and comply with a Data Subject’s opt-out preference signal unless informed by the Disclosing Controller that the Data Subject consented to the sale or sharing of their personal information.
      5. Non-compliance. In the event that Recipient has failed to comply with these requirements, Disclosing Controller may require Recipient to stop Processing the Personal Data immediately until Recipient can confirm its compliance.
      6. Sale or Share. Client is responsible for determining whether the disclosure of Client Data to Epsilon or Vendors is a Sale or Share or otherwise impacts Client’s legal obligations. If such sharing of Client Data constitutes a Sale or Share, Client (not Epsilon) shall be deemed to have Sold or Shared the Client Data and shall be responsible for any resulting regulatory or contractual obligations in relation to such Sale or Sharing which includes but is not limited to providing notice and choice to Data Subjects as described in Applicable Data Protection Law.
  6. Supplemental, Custom, or Additional Requirements or Functionality. In the event Client requests supplemental, custom, or additional requirements or functionality beyond those required of Epsilon under Applicable Data Protection Law, the parties will discuss the request and if mutually accepted will agree in writing to additional terms which may be detailed in a statement of work or change order. Client shall be responsible for any reasonable costs arising from Epsilon's provision of any supplemental, custom, or additional functionality and related cooperation.
  7. Client Responsibilities.
    1. Transmission. Client will transmit all Personal Data in a secure manner using methods mutually agreed to by the parties.
    2. Special Data. Client shall not (and shall not permit any Data Subject to) disclose to Epsilon any Personal Data that is Special Data, unless and until Epsilon expressly agrees in writing to Process such Special Data.
  8. International Transfers. The parties may Process Personal Data throughout the world provided that such transfer is subject to an appropriate data export mechanism as required by Applicable Data Protection Law.
  9. Deidentified Data. Each party agrees that to the extent it is a recipient of Deidentified Data from the other party, it will (i) take reasonable measures to ensure that such data cannot be associated with a Data Subject or household, (ii) will maintain and use the information in deidentified form, and (iii) not attempt to reidentify such data, unless otherwise mutually agreed by the parties in writing and approved by each party’s privacy counsel.
  10. Limitation of Liability.
    1. To the extent permitted by laws, in no event will Epsilon have an indemnification obligation to Client, or be liable for any direct, indirect, incidental, or consequential damages to any Client, arising out of or relating to: (a) Epsilon’s acts or omissions that follow the instructions of Client, including but not limited to the terms of the Agreement; (b) where Epsilon has acted in accordance with laws; or (c) the acts or omissions of a third party incidental or necessary to the performance of the Services (not including Sub-Processors).
    2. ANY AND ALL LIABILITIES ARISING FROM A PARTY’S BREACH OF THIS DPA OR VIOLATION OF APPLICABLE DATA PROTECTION LAW, INCLUDING BUT NOT LIMITED TO THOSE RESULTING FROM EPSILON’S INDEMNIFICATION OBLIGATION TO CLIENT UNDER THIS DPA, WILL IN NO EVENT EXCEED THE AGGREGATE AMOUNT OF FEES PAID OR PAYABLE TO EPSILON UNDER THE AGREEMENT, WHERE APPLICABLE, DURING THE PRECEDING 12-MONTH PERIOD.
  11. Governing Law. Except as otherwise required under Applicable Data Protection Law, the governing law and forum under this DPA shall be the same as set out in the Agreement, without regard to conflict of law principles.
  12. Dispute Resolution. Each party irrevocably agrees that any disputes shall be determined in accordance with the manner specified in the Agreement, except to the extent that Applicable Data Protection Law requires otherwise or as specifically provided in this DPA, in which case disputes will be governed in accordance with Applicable Data Protection Law or as specifically provided in this DPA.
  13. Term; Termination. This DPA shall be effective as of the Effective Date and will terminate simultaneously and automatically with the termination or expiry of the Agreement or for as long as Epsilon Licenses Licensed Data to Client and/or Epsilon Processes Client Data (whichever is longer). The termination or expiration of the DPA or Agreement for any reason shall not release either party from any liabilities or obligations set forth in this DPA that (i) the parties have expressly agreed shall survive any such termination or expiration, or (ii) remain to be performed or by their nature would be intended to be applicable following any such termination or expiration.
  14. Entire Agreement. Except as expressly set forth herein, the terms of the Agreement remain unmodified and in full force and effect. The parties agree that this DPA shall replace any existing data processing agreement the parties may have previously entered in connection with the Services, as such data processing agreement and terms relate to Personal Data within the scope of this DPA.
  15. Choice of Language. It is the express wish of the parties that this DPA and any related documents be drawn up and executed in English. The parties agree that this DPA and all documents relating to it shall be drawn up and signed in English.

SCHEDULE 1 - TECHNICAL AND ORGANIZATIONAL MEASURES

Recipient must maintain an effective Information Security Program (in line with industry standards such as ISO 27001, NIST, etc.) and security measures requirements while handling Personal Data and confidential information of the Disclosing Controller including but not limited to the below requirements.

  1. Security policies and procedures: Recipient shall maintain a management approved documented Information Security Policy and an established security risk management process to continually assess and evaluate new security risk and manage them through adequate security controls or safeguards.
  2. Confidentiality, Integrity and Availability: Recipient shall maintain the confidentiality, integrity and availability of the Personal Data disclosed to it by the Disclosing Controller by identifying assets that store, process or transmit such data and deploying adequate technical and organizational measures such as, but not limited to, data encryption, physical and logical access control, strong password control, malware and content protection, security vulnerability assessment and patching, secure hardening, and network/data segregation controls.
  3. Vulnerability management: Wherever applicable, Recipient must ensure that any software component (such as code or an API) provided to Recipient is free from any security vulnerability or issue and ensure the security of data processed using such component.
  4. Availability controls: Recipient shall maintain a comprehensive business continuity and disaster recovery plan to prevent any interruption of services and business impact to the Disclosing Controller.
  5. Incident Handling: In the event of a confirmed personal data breach (as defined by Applicable Data Protection Law), Recipient must inform the Disclosing Controller about any impact to its Personal Data within 72 hours and designate a security point of contact (POC) to interact and notify the Disclosing Controller on security matters.
  6. Notification obligation: Any operational change that impacts the security of the Disclosing Controller’s Personal Data and confidential information, or of systems that handle such data, must be notified to the Disclosing Controller without undue delay.
  7. Secure destruction of data: At the end of the Agreement or as otherwise in accordance with Schedule 4 – Description of Processing, on Disclosing Controller’s request, the Recipient must destroy all Personal Data disclosed or authorized to be collected by the Disclosing Controller in a secure manner rendering the Personal Data unreadable and unrecoverable. If the Personal Data cannot be deleted, the Personal Data must be archived and protected from unauthorized access, modification, and disclosure until securely deleted. The Disclosing Controller at its discretion may request a data destruction certification that includes the method of data destruction used.
  8. Security risk management program relating to Third Parties: The Recipient will ensure a similar level of security controls wherever the Personal Data disclosed or authorized to be collected by the Disclosing Controller is exchanged with a third party.
  9. Encryption: To the extent the Personal Data disclosed by the Disclosing Controller includes sensitive data (as defined by Applicable Data Protection Laws), Recipient will ensure that such Personal Data is encrypted at rest and in transit.

SCHEDULE 2 - EPSILON SERVICES FOR WHICH EPSILON IS PROCESSING PERSONAL DATA AS A PROCESSOR

  1. Applicability. This Schedule shall apply in addition to the obligations set out in the body of the DPA, but only where Epsilon is providing Services to Client that involve the Processing of Client Data by Epsilon as a Processor.
  2. Client Instructions; Details of Processing. Epsilon will Process Client Data only for the purposes of providing the Services in accordance with Client’s written instructions in the Agreement and this DPA, including Schedule 4 – Description of Processing, which will comply with applicable laws, including Applicable Data Protection Law.
  3. Data Subject Requests. In the event that a lawful request referencing Client from a Data Subject seeking to exercise any right available to it under Applicable Data Protection Law is made directly to Epsilon, Epsilon shall not respond to such communication directly without Client's prior authorization, unless required by applicable law. To the extent Client does not have direct access to Client Data through its use of the Services, and therefore does not have the ability to address such Data Subject request itself, Epsilon shall, upon Client's request, provide commercially reasonable cooperation to assist Client to respond, to the extent required under Applicable Data Protection Law, and in accordance with any Data Subject request handling plan(s) mutually agreed upon by the parties (which may differ depending on the specific Services relevant to the Data Subject request(s) at issue).
  4. Deletion of Personal Data. Upon termination or expiration of the Agreement and this DPA, Epsilon shall delete all Client Data in its possession or control. This requirement shall not apply to the extent Epsilon is required by applicable laws to retain some or all Client Data, and shall not apply to Client Data Epsilon has archived on back-up systems, which Client Data Epsilon shall securely isolate and protect from any further Processing.
  5. Engagement of Sub-Processors. Client authorizes Epsilon to use Sub-Processors to assist in providing the Services. If required by Applicable Data Protection Law, Epsilon will: (i) provide an up-to-date list of the Sub-Processors it has appointed upon written request from Client; and (ii) notify Client (for which email will suffice) of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Client the opportunity to object to such changes within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. Client acknowledges that the inability to use a Sub-Processor may result in delay in or inability to perform the Services, and/or increased fees, and Epsilon shall not be responsible or liable for such delay or inability. Epsilon will: (i) enter into a written agreement with each Sub-Processor imposing data protection terms that require the Sub-Processor to protect Client Data to the same standards provided for by this DPA, to the extent applicable to the nature of the services provided by the Sub-Processor; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor consistent with this DPA.
  6. Confidentiality. Epsilon’s personnel and Sub-Processors shall be subject to confidentiality obligations related to Client Data that Epsilon and such Sub-Processors Process as a Processor.
  7. Records and Audit. Client acknowledges that Epsilon is regularly audited against appropriate security standards. Upon request, Epsilon shall supply a summary copy of its available audit report(s) to Client, which reports shall be subject to the confidentiality provisions of the Agreement. Epsilon shall also respond to any written audit questions submitted to it by Client, provided that Client shall not exercise this right more than once per year. In responding to such written audit questions, Epsilon is not required to provide access to information or data not directly related to the Services provided by Epsilon to Client or to Epsilon’s confidential information as it relates to its information security or data privacy program, as determined in Epsilon’s sole discretion. Client shall not have access to information about: (i) Epsilon’s other clients; (ii) Epsilon’s affiliates; or (iii) accounting or financial information. Client may discuss its findings with Epsilon and, if appropriate, the parties will agree on a plan to address concerns identified in the audit. Notwithstanding anything to the contrary in the Agreement and except as otherwise mutually agreed in a writing signed by the authorized representatives of the parties that specifically references this Section, any audit related to data protection shall be governed solely and exclusively by this Section.
  8. Personal Data Breach. Epsilon shall, upon becoming aware of a Personal Data Breach affecting Client Data in the possession, and resulting from the acts or omissions, of Epsilon or any of its Sub-Processors, without undue delay and within the timeframes required by Applicable Data Protection Law, notify Client and provide reasonable information relating to the Personal Data Breach to the extent known to Epsilon. Epsilon and Client will, in good faith, discuss mitigation or remediation efforts, where possible and as required of Epsilon under Applicable Data Protection Law, in relation to any such Personal Data Breach arising solely from the acts or omissions of Epsilon or any of its Sub-Processors. Client agrees that it will also take reasonable steps designed to minimize any costs related to mitigation and remedy. Client shall be solely responsible for breach notification obligations to applicable Regulators (as defined below) and/or Data Subjects. Prior to sending any such notification, the parties will consult in good faith as to the content of such notification; without limiting the generality of the foregoing, Client agrees that it will not refer to Epsilon by name in any such notice except with Epsilon’s prior written consent, which shall not be unreasonably withheld or delayed.
  9. US Specific Provisions. For any Personal Data that relates to Data Subjects in the United States, the following shall apply:
    1. Processing Prohibitions. Epsilon will not: (i) retain, use or disclose Client Data other than for the specific purpose of performing the Services, as set out in the Agreement (including this DPA), or as otherwise permitted by law or authorized by Client; (ii) further collect, Sell (or, effective January 1, 2023, Share), or use the Client Data except as necessary to perform the business purpose or outside the direct business relationship between Epsilon and Client; (iii) effective January 1, 2023, combine Client Data that Epsilon receives with Personal Data that Epsilon receives from or on behalf of another person or persons, or collects from its own interaction with a Data Subject, provided that Epsilon may combine such information to perform any business purpose as defined under Applicable Data Protection Law; or (iv) effective January 1, 2023, Process Client Data for cross-contextual behavioral advertising. Where Epsilon engages a Vendor to provide cross-contextual behavioral advertising services for Client’s benefit, Epsilon does so as Client’s agent, and the Vendor’s processing of Client Data for cross-contextual advertising purposes is subject to the Vendor’s contract, not the Agreement or this DPA. Epsilon certifies that it understands the restrictions in this Section and will comply with them.
    2. Opt-Outs of Sale or Share: Client will regularly provide to Epsilon accurate lists of those Data Subjects who have opted-out of having their information Processed by Client in order for Epsilon to legally combine Client Data with (1) Personal Data provided by a third party or (2) Epsilon data where Epsilon is acting as a Processor, as may be required for the Services.
    3. Processing of Third Party Data or Processing of Client Data for Third Party’s Purpose. Client may instruct Epsilon to Process a third party’s Personal Data for Client’s benefit/purpose, or for Epsilon to Process the Client Data for a third party’s benefit/purpose. Unless Epsilon has agreed in writing that it is Processing the Client Data or the third party Personal Data as a Processor to joint Controllers, then the following terms apply:
      1. where Epsilon is Processing the third party’s Personal Data for the benefit of Client, Epsilon will process the third party’s Personal Data as a Processor only to Client;
      2. where Epsilon is Processing the Client Data for the benefit of the third party, Epsilon will process the Client Data as a Processor only to the third party; and
      3. Client represents and warrants that it has a data sharing agreement with the third party for such Processing.

SCHEDULE 3 – EPSILON SERVICES FOR WHICH EPSILON IS PROCESSING PERSONAL DATA AS A CONTROLLER

  1. Applicability. This Schedule shall apply in addition to the obligations set out in the body of the DPA, but only where Epsilon is providing Services to Client that involve the Processing of Personal Data, which may include Client Data, by Epsilon as a Controller.
  2. Controller Services. Epsilon acts as a Controller when Processing Personal Data for each of the following Services (collectively, the “Controller Services”). Epsilon may modify this list from time to time, in its sole discretion, and will provide notice of such modification to Client in writing (email sufficient).
    1. Epsilon Services that utilize the CORE ID (“CORE ID Services”), including but not limited to:
      1. PeopleCloud Discovery
      2. PeopleCloud Prospect
      3. PeopleCloud Digital Media Solutions (aka PeopleCloud Loyalty Digital Media Member Engagement Loyalty Module)
      4. Bridge
      5. Signals
      6. Real Time Interactions (aka PeopleCloud Messaging Content Personalization Module or Agility IQ)
      7. Agility Events (aka PeopleCloud Messaging Site Behavior and Intent Messaging, or PeopleCloud Loyalty Digital Messaging Triggers Modules)
      8. Real Time Recognition and Data (aka Site Decisions)
      9. Multichannel Measurement
      10. Retail Media Network (CitrusAd)
    2. Digital CDP or CDP Identity Essentials (“Identity Services”)
    3. Abacus Cooperative (US/Canada) (“Abacus US/Canada”)
    4. The provision of Licensed Data (“Licensed Data Services”), including but not limited to:
      1. Abacus US/Canada
      2. Total Source Plus
      3. TX Spend
      4. Shopper’s View
      5. Shoppers Voice
      6. New Movers
      7. Contact Complete
      8. PMX Lift
      9. Attribute licensing
      10. Optimized audiences produced by PVE
      11. Custom data set list, such as linkage data
  3. Definitions
    1. “CORE ID” means Epsilon’s proprietary identity graph.
    2. “Metrics Data” means Personal Data about visitors to third party digital properties on which advertising has been delivered.
  4. Disclosure of Personal Data. In relation to the CORE ID Services, Identity Services, and Abacus US/Canada, Client may disclose Personal Data, which may include Client Data, or otherwise permit Epsilon to collect certain Personal Data about visitors to Client’s digital properties and/or about Client’s customers and prospective customers (“Data”). Client acknowledges that it is a Controller of the Data that it discloses or otherwise permits Epsilon to collect, and that Epsilon will also Process such Data as a Controller. Epsilon may share the Data back with Client for Client to use solely in connection with the Services and always in accordance with Applicable Data Protection Law.
  5. Data Subject Requests. Client and Epsilon shall each be individually responsible for responding to lawful data protection requests that it receives from Data Subjects in respect of the Personal Data that it Processes. To the extent that either Client or Epsilon (the “Receiving Party”) receives a lawful data protection request relating to Processing performed by the other party (the “Other Party”), the Other Party shall provide such information and assistance as is reasonably necessary to enable the Receiving Party to respond to such request in accordance with Applicable Data Protection Law.
  27. Notice and Choice. Client warrants that for the purposes of the Agreement and the provision of the Services: (i) it has notified Data Subjects through appropriate means that would satisfy the obligations under Applicable Data Protection Law about the Processing of Personal Data by Client, Epsilon, Vendors, and other third parties providing services related to the Agreement, including the use of Device Tracking Technologies; (ii) it has obtained all required and legally enforceable consents (as applicable) and otherwise has the right under Applicable Data Protection Law to disclose Personal Data to Epsilon, Vendors, and/or and other third party providing services related to the Agreement, including to the use of Device Tracking Technologies; (iii) where required by Applicable Data Protection Law or applicable self-regulatory principles, it has implemented a mechanism to obtain consent or facilitate opt-outs from Data Subjects on any digital properties on which Client deploys Device Tracking Technologies to collect Personal Data; and (iv) will not disclose or make available to Epsilon any Personal Data relating to Data Subjects that have not consented, opted-out of, or otherwise exercised other rights that bar the Processing performed under the Agreement (as applicable) unless this is for the purpose of suppressing such Data Subject(s) from marketing. Where requested by Epsilon, required pursuant to Applicable Data Protection Law, or by order, request or other instruction by a Regulator, Client agrees to provide documentation evidencing that such consent has in fact been obtained from Data Subjects.
  28. CORE ID SERVICES. The following obligations apply only to the CORE ID Services.
    1. Metrics Data. Epsilon may make available to Client certain Metrics Data. Client may solely process Metrics Data for the purpose of measuring advertising performance, unless specified otherwise in a statement of work and/or order. The categories of Metrics Data that Client may process, and the nature of processing activities that Client may perform, are set out in more detail in the Agreement.
    2. Attribution Data. If Epsilon agrees, at Client’s request, to place Client’s or a third party's (each such third party an "Attribution Partner") Device Tracking Technologies in advertising disseminated under the Agreement, Client acknowledges and agrees that: (1) it shall be solely responsible for the Attribution Partner; (2) it shall be solely responsible for ensuring the Attribution Partner has the rights to Process any data (including Personal Data) collected by the Attribution Partner’s Device Tracking Technologies (the "Attribution Data") for the permitted uses listed below; and (3) it shall use the Attribution Data and shall contractually require any Attribution Partner to use the Attribution Data solely for one or more of the following applicable permitted uses: (a) attribution analysis; (b) click and impression tracking; (c) campaign measurement; (d) customization of creatives; and/or (e) any other purpose approved in writing by Epsilon. For the avoidance of doubt, Attribution Data cannot be used by Client and/or any party for any other purposes including but not limited to retargeting or audience creation. Client will be responsible, and will indemnify and hold harmless Epsilon, for any breach of the aforementioned obligation by Client or by such Attribution Partner.
    3. Industry Tools. Client acknowledges that it may need to integrate its digital properties with certain industry tools or mechanisms that provide Data Subjects with notice and choice regarding the Processing of their Personal Data (“Industry Tools”), including by way of example only the IAB Transparency and Consent Framework and/or the IAB Global Privacy Framework, or opt-out signals like the Global Privacy Control, in order to receive certain Services or the full functionality of certain Services, such as digital interest-based advertising.
  29. Survival. This Schedule shall survive termination or expiry of the Agreement. Upon termination or expiry of the Agreement, each party may continue to Process the Data or Metrics Data under its control provided that such Processing complies with the requirements of this DPA and Applicable Data Protection Laws.

SCHEDULE 4 – DESCRIPTION OF PROCESSING

  1. Controller to Processor
    1. Applicable Services

The following Description of Processing applies to any Epsilon service that is not classified as a “Controller Service”.

    2. Parties

Controller is Client

Processor is Epsilon

    3. Instructions for Processing

Client’s instructions are contained in the Agreement which may include the Master Services Agreement and any statements of work or order forms.

    4. Data Subjects

The data to be processed concerns the following categories of Data Subjects (please specify):

  • Client’s customers and any other consumer personal data that Client discloses to Epsilon
    5. Purpose(s) of the Processing

The data may be processed for the following purposes:

Select (x) | Business Purposes that are “Permitted Purpose”

[ ] Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards

[ ] Helping to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for these purposes.

[ ] Debugging to identify and repair errors that impair existing intended functionality

[ ] Short-term, transient use, including but not limited to non-personalized advertising shown as part of a consumer's current interaction with the business, provided that the consumer's personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business.

[x] Performing services on behalf of the Controller, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the Controller.

[x] Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer, provided that for the purpose of advertising and marketing, the Processor shall not combine the personal information of opted-out consumers which the Processor receives from or on behalf of the Controller with personal information which the Processor receives from or on behalf of another person or persons, or collects from its own interaction with consumers

[ ] Undertaking internal research for technological development and demonstration

[ ] Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the Controller, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the Controller

[ ] Other: [Please specify]

    6. Categories of Personal Data

The data to be processed may concern the following categories of Personal Data:

Select (x) | Category

[x] Personal identifiers: e.g., name; alias; postal address; online identifiers; IP address; email address; account name; or hashed identifiers.

[x] Commercial or transactions information: e.g., records of personal property, goods or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies

[ ] Demographical and statistical information: e.g., information regarding membership in protected classes or classification, such as information about a consumer’s race, color, age, medical condition (where self-reported), ancestry, national origin, religion, ethnicity, marital status, or gender.

[ ] Inferences: e.g., inferences drawn from any of the information identified in this section to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

[ ] Internet or other electronic network activity information: e.g., browsing history; search history; online interests, such as information about categories of consumer interests derived from online usage; and information on a consumer's interaction with a website, application, or advertisement

[ ] Geolocation information: e.g., non-precise location information inferred from your device or IP address, or precise location of your device if you have provided permission for such location to be collected

[ ] Professional or employment-related information: e.g., business name, job title, or job history

[ ] Audio, electronic, visual, thermal, olfactory, or similar information: e.g., phone recording, retinal scan

[ ] Education information: e.g., school records, degree

[ ] Government identification (sensitive data): e.g., SSN, driver’s license, passport number

[ ] Account log-in or other credentials for access (sensitive data)

[ ] Precise geolocation (sensitive data): data derived from a device which locates Data Subject within area of 1,850 feet

[ ] Race or ethnic origin (sensitive data)

[ ] Religious or philosophical beliefs (sensitive data)

[ ] Union membership (sensitive data)

[ ] Contents of Data Subject’s communication (sensitive data): e.g., email, text message, or mail sent by the Data Subject of which the Controller is not the intended recipient

[ ] Biometric or genetic information (sensitive data)

[ ] Health information (sensitive data)

[ ] Sex life or sexual orientation (sensitive data)

[ ] Citizenship or immigration status (sensitive data)

[ ] Data collected from a child (sensitive data)

[ ] Other: [Please specify]

    7. Duration of the Processing

The data will be processed solely during the term of the Agreement

    8. Approved Sub-Processors

Amazon Web Services

  2. Disclosing Controller to Recipient Controller
    1. Applicable Services

This description of processing applies to Core ID Services.

    2. Parties

Disclosing Controller is Client

Recipient Controller is Epsilon

    3. Data Subjects

The data to be processed concerns the following categories of Data Subjects (please specify):

  • Client’s customers
  • Visitors to Client’s digital properties (websites, mobile applications, and digital advertisements)
    4. Purpose(s) of the Processing

The data may be processed for the following purposes:

  • Cross-context behavioral advertising (aka targeted advertising or interest based advertising) and identity resolution. The personal data disclosed by Client or collected from Client’s digital properties via the Epsilon pixel will be used by Epsilon to inform its Core ID graph which is used for interest-based advertising activation and identity resolution.
    5. Categories of Personal Data

The data to be processed concerns the following categories of Personal Data:

Select (x) | Category

[x] Personal identifiers: e.g., name; alias; postal address; online identifiers; IP address; email address; account name; or hashed identifiers.

[x] Commercial or Transactional information: e.g., SKUs purchased

[x] Internet or other electronic network activity information: e.g., browsing history; search history; online interests, such as information about categories of consumer interests derived from online usage; and information on a consumer's interaction with a website, application, or advertisement

    6. Duration of the Processing

The Personal Data will be Processed for as long as is necessary for the purposes for which the personal data is processed, unless otherwise agreed in the Agreement.

  3. Disclosing Controller to Recipient Controller – Identity Services
    1. Applicable Services

This description of processing applies to Identity Services.

    2. Parties

Disclosing Controller is Client

Recipient Controller is Epsilon

    3. Data Subjects

The data to be processed concerns the following categories of Data Subjects (please specify):

  • Client’s customers
  • Applicable to Digital Identity only: Visitors to Client’s digital properties (websites, mobile applications, and digital advertisements)
    4. Purpose(s) of the Processing

The data may be processed for the following purposes:

  • Identity resolution.
    5. Categories of Personal Data

The data to be processed concerns the following categories of Personal Data. As part of the Services, Client will disclose commercial or transactions information, but Epsilon will not use this category of Personal Data as a Controller.

Select (x) | Category

[x] Personal identifiers: e.g., name; alias; postal address; online identifiers; IP address; email address; account name; or hashed identifiers.

[x] Internet or other electronic network activity information: e.g., browsing history; search history; online interests, such as information about categories of consumer interests derived from online usage; and information on a consumer's interaction with a website, application, or advertisement

    6. Duration of the Processing

The Personal Data will be Processed for as long as is necessary for the purposes for which the Personal Data is processed, unless otherwise agreed in the Agreement.

  4. Disclosing Controller to Recipient Controller – EPSILON DATA
    1. Applicable Services

This description of processing applies to the Licensed Data Services.

    2. Parties

Disclosing Controller is Epsilon

Recipient Controller is Client

    3. Data Subjects

The data to be processed concerns the following categories of Data Subjects:

  • Consumers
    4. Purpose(s) of the Processing

The data may be processed for the following purposes:

  • Advertising and Marketing
  • Cross-context behavioral advertising (aka Targeted Advertising or Interest Based Advertising)
    5. Categories of Personal Data

The data to be processed concerns the following categories of Personal Data and depends on the data set provided by Epsilon (e.g., (i) TX Spend includes offline commercial or transaction information; (ii) precise geolocation is only available in Prospect & Discovery; (iii) contextual online labels are only available in Prospect & Discovery; (iv) Total Source Plus includes only offline data, not online data).

Select (x) | Category

[x] Personal identifiers: e.g., name; alias; postal address; online identifiers; IP address; email address; account name; or hashed identifiers.

[x] Commercial or transactions information: e.g., records of personal property, goods or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies

[x] Demographical and statistical information: e.g., information regarding membership in protected classes or classification, such as information about a consumer’s race, color, age, medical condition (where self-reported), ancestry, national origin, religion, ethnicity, marital status, or gender.

[x] Inferences: e.g., inferences drawn from any of the information identified in this section to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

[x] Internet or other electronic network activity information: e.g., browsing history; search history; online interests, such as information about categories of consumer interests derived from online usage; and information on a consumer's interaction with a website, application, or advertisement

[x] Geolocation information: e.g., non-precise location information inferred from the Client device or IP address, or precise location of the Client device if Client has provided permission for such location to be collected

[x] Professional or employment-related information: e.g., business name, job title, or job history

[x] Education information: e.g., school records, degree

[x] Precise geolocation (sensitive data): data derived from a device which locates Data Subject within area of 1,850 feet

[x] Race or ethnic origin (sensitive data)

[x] Religious or philosophical beliefs (sensitive data)

[x] Union membership (sensitive data)

[x] Health information (sensitive data)

[x] Sex life or sexual orientation (sensitive data)

    6. Duration of the Processing

The Personal Data will be Processed only for the term of the Agreement.

  5. Disclosing Controller to Recipient Controller – ABACUS COOPERATIVE (US/CANADA)
    1. Applicable Services

This description of processing applies to the Abacus US/Canada.

    2. Parties

Disclosing Controller is Client

Recipient Controller is Epsilon

Client will disclose its customers’ personal data as a contributor to the cooperative.

    3. Data Subjects

The data to be processed concerns the following categories of Data Subjects (please specify):

  • Client’s customers
  • Other cooperative members’ customers
    4. Purpose(s) of the Processing

The data may be processed for the following purposes:

  • Advertising and marketing (does not include cross-context behavioral advertising)
    5. Categories of Personal Data

The data to be processed concerns the following categories of Personal Data:

Select (x) | Category

[x] Personal identifiers: e.g., name; alias; postal address; online identifiers; IP address; email address; account name; or hashed identifiers.

[x] Commercial or transactions information: e.g., records of personal property, goods or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies

    6. Duration of the Processing

The Personal Data will be Processed for as long as is necessary for the purposes for which the personal data is processed, unless otherwise agreed in the Agreement.