DATA PROCESSING ADDENDUM
This Data Processing Addendum (DPA) applies to the Processing of Personal Data under a Master Services Agreement, Statement of Work, Insertion Order, or any other agreement that incorporates this DPA (as applicable, the Agreement) by and between Epsilon Data Management, LLC (Epsilon) and your company (Client). Any breach of this DPA shall be deemed a breach of the Agreement. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will control. Unless otherwise defined in this DPA, all capitalized terms used in this DPA shall have the meanings ascribed to them in the Agreement. Epsilon and Client may be referred to herein each as a party or collectively as the parties. In exchange for the mutual consideration described in the Agreement, the parties agree as follows:
1. Definitions.
1.1. Applicable Data Protection Law means any and all laws or regulations of the United States relating to the protection of Personal Data to the extent such law or regulation is applicable to the party and to the Personal Data Processed by the party pursuant to the Agreement.
1.2. Data Subject is a natural person or household that can be identified, directly or indirectly.
1.3. Disclosing Controller means a party that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, and that discloses or makes available (including through digital collection) Personal Data to a Recipient.
1.4. Permitted Purpose(s) means the purpose(s) for which Recipient is authorized to Process the Personal Data disclosed or made available by the Disclosing Controller.
1.5. Personal Data means any information relating to a Data Subject and includes personal data, personal information, personally identifiable information, and any substantially similar term as defined under Applicable Data Protection Law.
1.6. Personal Data Breach shall include personal data breach, data breach, breach of security safeguards, data security breach, or any substantially similar term as defined under Applicable Data Protection Law.
1.7. Process(ing) means any operation or set of operations performed on Personal Data.
1.8. Recipient means a party that receives Personal Data from a Disclosing Controller.
1.9. Regulator means a data protection regulator, law enforcement, or other government authority.
1.10. Services means the services supplied by Agency to Client under the Agreement.
1.11. Sub-Processor means a person or entity contracted by the Recipient that will Process Personal Data disclosed or made available by Disclosing Controller to Recipient solely (a) in accordance with Disclosing Controller's instructions (as provided by Recipient to Sub-Processor) and (b) for Disclosing Controller's purpose.
2. Compliance with Applicable Data Protection Law. Each party understands and agrees that it will comply with Applicable Data Protection Law. In the event of a material change to Applicable Data Protection Law, such as any change that results in a different classification of a party in relation to the Services, data localization, or if a transfer mechanism is deemed invalid, the parties will negotiate a suitable resolution in good faith, which may constitute an additional scope of Service to be detailed in a statement of work or change order. If the parties fail to reach such a resolution or if either party reasonably deems a change in Applicable Data Protection Law to present a material risk to its business or operations, either party may suspend or terminate the impacted Services. If the change pertains only to a particular jurisdiction or specific Service, the party may terminate the Service only as to that jurisdiction and/or the impacted Service specifically. Any suspension or termination under this Section shall be deemed to be without fault by either party and shall be subject to the terms of the Agreement.
3. Processing of Personal Data. Where Disclosing Controller makes available Personal Data to Recipient (or Recipient's Sub-Processor), the following provisions will apply to the Processing of such Personal Data:
3.1. Permitted Purposes. The Recipient will process the Personal Data solely in accordance with the Permitted Purposes identified within the specific description(s) of Processing included in the Agreement, which may be updated by the parties in writing (email to suffice). If the Agreement does not contain a description of Processing and the services include the serving of digital advertisements by Epsilon or the provision of the Epsilon Clean Room (also known as PeopleCloud Prospect/Discovery), the description of Processing for these Services can be found at https://legal.epsilon.com/us/description-of-processing.
3.2. TOMS. The Recipient will provide the same level of privacy protection to the Personal Data as required of Disclosing Controller by Applicable Data Protection Law. The Recipient will implement technical and organizational measures appropriate to the nature of the Personal Data received from the Disclosing Controller that are designed to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Applicable Data Protection Law, which are at minimum such measures as identified in Schedule 1 Technical and Organizational Measures.
3.3. Data Subject Requests. In the event a Data Subject makes a lawful request directly to Recipient seeking to exercise any right available to it under Applicable Data Protection Law that references Disclosing Controller, Recipient shall not respond to such communication directly without Disclosing Controller's prior authorization, unless required by applicable law.
3.4. Cooperation. To the extent Disclosing Controller has a legal obligation to fulfill a request from a Data Subject, an inquiry from a Regulator, or record keeping responsibilities under Applicable Data Protection Law related to Recipient's Processing of the Personal Data made available by Disclosing Controller, and Disclosing Controller is unable to fulfill its obligation without assistance from Recipient, Recipient shall:
(a) upon Disclosing Controller's request, provide commercially reasonable cooperation to assist Disclosing Controller in its response or to provide information about Recipient's Processing of the Personal Data disclosed by Disclosing Controller;
(b) upon Disclosing Controller's request and where Recipient is Processing Personal Data disclosed by Disclosing Controller in accordance with Disclosing Controller's explicit instructions, supply a copy of Recipient's available third-party data protection audit report(s), which reports shall be subject to the confidentiality provisions of the Agreement; and
(c) respond to any written audit questions submitted to it by Disclosing Controller related directly to the Processing of Personal Data disclosed by Disclosing Controller each time there is a new or modified Processing of such Personal Data by Recipient.
Any audit related to data protection shall be governed solely and exclusively by this Section 3.4.
3.5. Deletion of Personal Data. Upon termination or expiration of the Agreement and this DPA and upon request by Disclosing Controller, Recipient shall delete all Personal Data received from Disclosing Controller that is in Recipient's possession or control. This requirement shall not apply to the extent Recipient is permitted by the Agreement or required by law to retain some or all of such Personal Data, and shall not apply to Personal Data that Recipient has archived on back-up systems that are isolated and encrypted.
3.6. Confidentiality. Recipient's personnel shall be subject to confidentiality obligations related to Personal Data received from Disclosing Controller.
3.7. Personal Data Breach. Where Recipient does not have its own obligation(s) under Applicable Data Protection Law for Personal Data Breach and upon becoming aware of a Personal Data Breach affecting Personal Data disclosed by Disclosing Controller that is in the possession or control of Recipient, the parties agree:
(a) Recipient shall without undue delay and within the timeframes required by Applicable Data Protection Law, notify Disclosing Controller of such Personal Data Breach, in accordance with the notice provision in the Agreement, and provide reasonable information relating to the Personal Data Breach to the extent known to Recipient;
(b) Recipient shall take commercially reasonable steps to mitigate or remediate such Personal Data Breach where possible and as required of Recipient under Applicable Data Protection Law, to the extent such Personal Data Breach arose from the acts or omissions of Recipient or any of its Sub-Processors;
(c) Disclosing Controller shall also take commercially reasonable steps to mitigate or remediate such Personal Data Breach to minimize any costs related to mitigation and remedy;
(d) Disclosing Controller shall be solely responsible for breach notification obligations to applicable Regulators and/or Data Subjects; and
(e) Prior to sending any such notification, the parties will consult in good faith as to the content of such notification; without limiting the generality of the foregoing, Disclosing Controller agrees that it will not refer to Recipient by name in any such notice except with Recipient's prior written consent.
3.8. Engagement of Sub-Processors. Disclosing Controller authorizes Recipient to use Sub-Processors to assist in Processing the Personal Data for the Permitted Purpose(s). If required by Applicable Data Protection Law, Recipient will: (i) provide an up-to-date list of the Sub-Processors it has appointed upon written request from Disclosing Controller; and (ii) notify Disclosing Controller (email to suffice) of any intended changes concerning the addition or replacement of Sub-Processors and give Disclosing Controller the opportunity to object to such changes within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. Recipient will: (i) enter into a written agreement with each Sub-Processor imposing data protection terms that require the Sub-Processor to protect the Personal Data made available by Disclosing Controller in accordance with Applicable Data Protection Law, to the extent applicable to the nature of the services provided by the Sub-Processor; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor consistent with this DPA.
3.9. Additional Requirements under Applicable Data Protection Law. The parties shall adhere to the following terms if required under Applicable Data Protection Law:
(a) Notice of Inability to Comply. The Recipient will notify Disclosing Controller if Recipient determines it can no longer meet its obligations under Applicable Data Protection Law related to Recipient's Processing of the Personal Data, and the parties will negotiate a suitable resolution in good faith.
(b) Non-compliance. In the event that Recipient has failed to comply with the requirements within this DPA, Disclosing Controller may require Recipient to stop Processing the Personal Data immediately until Recipient can confirm its compliance.
(c) Deidentified Data. To the extent Recipient receives deidentified data (as defined by Applicable Data Protection Law) from Disclosing Controller, Recipient will (i) take reasonable measures to ensure that such data cannot be associated with a Data Subject or household, (ii) maintain and use the information in deidentified form, and (iii) not attempt to reidentify such data.
(d) Additional Processing Prohibitions. Where Recipient is Processing Personal Data solely under the explicit instructions of Disclosing Controller for the Disclosing Controller's purpose and as required under Applicable Data Protection Law, Recipient will not: (i) sell or share (as defined by Applicable Data Protection Law) the Personal Data; (ii) retain, use, or disclose the Personal Data (a) except as necessary to perform the Disclosing Controller's business purpose, or (b) outside the direct business relationship between the parties; or (iii) combine the Personal Data with other Personal Data that Recipient receives from or on behalf of a third party, or collects from its own interaction with a Data Subject, provided that Recipient may combine such information to perform any business purpose as defined under Applicable Data Protection Law. If Disclosing Controller instructs Recipient to combine or match the Personal Data with Personal Data provided by a third party, Disclosing Controller represents and warrants that it maintains a data sharing agreement with such third party.
4. Survival. To the extent that Recipient continues to Process the Personal Data disclosed or made available by Disclosing Controller after the termination or expiration of the Agreement, the terms of this DPA shall survive such termination or expiration, and Recipient may continue to Process the Personal Data for the period identified in the description of Processing or the Agreement, provided that such Processing complies with the requirements of this DPA and Applicable Data Protection Law.
5. Entire Agreement. Except as expressly set forth herein, the terms of the Agreement remain unmodified and in full force and effect. The parties agree that this DPA shall replace any existing data processing agreement the parties may have previously entered in connection with the Services, as such data processing agreement and terms relate to Personal Data within the scope of this DPA.
SCHEDULE 1 - TECHNICAL AND ORGANIZATIONAL MEASURES
Recipient must maintain an effective Information Security Program (in line with industry standards such as ISO 27001, NIST, etc.) and meet the security measures requirements below, including but not limited to the following, while handling Personal Data and confidential information of the Disclosing Controller.
1. Security policies and procedures: Recipient shall maintain a management-approved, documented Information Security Policy and an established security risk management process to continually assess and evaluate new security risks and manage them through adequate security controls or safeguards.
2. Confidentiality, integrity, and availability: Recipient shall maintain the confidentiality, integrity, and availability of the Personal Data disclosed to it by the Disclosing Controller by identifying assets that store, process, or transmit such data and deploying adequate technical and organizational measures such as, but not limited to, data encryption, physical and logical access control, strong password controls, malware and content protection, security vulnerability assessment and patching, secure hardening, and network/data segregation controls.
3. Vulnerability management: Wherever applicable, a party must ensure that any software component (such as code or an API) provided to the other party is free from security vulnerabilities or issues, and must ensure the security of data processed using such component.
4. Asset management: Recipient shall maintain an IT asset management program to manage the allocation and ownership of assets. Such program shall require, at a minimum, that (a) employees return Recipient's assets upon termination of employment; (b) assets are disposed of securely when they are no longer required; and (c) retired assets are decommissioned in accordance with industry standards regarding secure wiping and physical destruction of software, hardware, and removable media.
5. Identity and access management: Any employee of Recipient having access to Personal Data shall be assigned a unique login ID that is managed by authorized persons or departments. Access to Personal Data is to be granted on a need-to-know basis and as appropriate to the sensitivity of the Personal Data.
6. Availability controls: Recipient shall maintain a comprehensive business continuity and disaster recovery plan to prevent any interruption of services and business impact to the Disclosing Controller.
7. Security risk management program relating to third parties: The Recipient will ensure a similar level of security controls wherever the Personal Data disclosed or authorized to be collected by the Disclosing Controller is exchanged with a third party.
8. Encryption: To the extent the parties have agreed in writing that the Disclosing Controller can share sensitive data (as defined by Applicable Data Protection Law) with the Recipient, Recipient will ensure that any such sensitive data is encrypted at rest and in transit.