DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) is entered into by and between Rounds AI Ltd (“Advertiser”) and the Media Company named in the corresponding Insertion Order (“Media Company” and “IO”), and enters into force on the date on which the Media Company accepted the corresponding IO (“Effective Date” and “Agreement”).

Capitalized terms used herein but not defined herein shall have the meanings ascribed to them in the Agreement (each of Advertiser and Media Company, a “party” and together the “parties”).

WHEREAS, Media Company and Advertiser have entered into the Agreement pursuant to which Media Company will provide certain services to the Advertiser;

WHEREAS, during the use of the Services, the parties will process and share Personal Data (as such terms are defined below) subject to the terms and conditions of this DPA; and 

WHEREAS, the parties desire to supplement this DPA to achieve compliance with the UK, EU, Swiss, United States, and other data protection laws and agree on the following:

1. DEFINITIONS

1.1. “Adequate Country” is a country that has an adequacy decision from the European Commission.

1.2. The terms “Business”, “Business Purpose”, “Consumer”, “Controller”, “Data Subject”, “Holder”, “Personal Data”, “Personal Information”, “Personal Data Breach”, “Processing” (and “Process”), “Processor”, “Sale” (or “Sell”), “Service Provider”, “Sensitive Data”, “Share”, “Special Categories of Personal Data” and “Supervisory Authority” shall all have the same meanings as ascribed to them in the applicable Data Protection Law. Under this DPA: “Controller” shall also mean and refer to a “Business”; “Processor” shall also mean and refer to a “Service Provider” and a “Holder”; “Data Subject” shall also mean and refer to a “Consumer”; “Personal Data” shall also mean and refer to “Personal Information”; and “Sensitive Data” shall also mean and refer to “Special Categories of Personal Data” or “Highly Sensitive Data”, as applicable.

1.3. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations, including, where applicable, the Israeli Data Protection Privacy Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations (“Israeli Law”), the EU Data Protection Law, Swiss Data Protection Laws, the UK Data Protection Law and the US Data Protection Laws, as all may be amended or superseded from time to time.

1.4. “EEA” means the European Economic Area.

1.5. “End User” means an individual visiting or browsing the Media Company Sites or any other digital property operated by the Media Company. 

1.6. “EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) – (iii); (v) any legislation replacing or updating any of the foregoing; (vi) the Data Protection Act 2018 (DPA 2018), as amended, and the EU GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (vii) the Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) (“FDPA”) as well as the Ordinance on the Federal Act on Data Protection (“FODP”); and (viii) any legislation replacing or updating any of the foregoing; and binding judicial or administrative interpretation of any of the above, or approved certification mechanisms issued by any relevant Supervisory Authority. The EU GDPR, together with the UK GDPR, shall be collectively referred to under this DPA as “GDPR”.

1.7. “Israeli Law” means, collectively: (i) the Israeli Protection of Privacy Law, 5741-1981 (as amended under Amendment 13), the regulations promulgated pursuant thereto, including the Israeli Protection of Privacy (Data Security) Regulations, 5777-2017 and the Israeli Protection of Privacy (Transfer of Data to Databases Abroad) Regulations, 5761-2001; (ii) any amendments or legislation replacing or updating any of the foregoing; and (iii) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or certification mechanisms approved by the Israeli Privacy Protection Authority.

1.8. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other party’s Personal Data will comprise a Security Incident.

1.9. “Standard Contractual Clauses” or “SCC” means, collectively and as applicable: (i) the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, available HERE (“EU SCC”); (ii) the UK “International Data Transfer Addendum to The European Commission Standard Contractual Clauses” available HERE (“UK SCC”); and (iii) the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCC”).

1.10. “US Data Protection Laws” means any and all applicable federal and state privacy laws and regulations applicable to the Processing activities of Personal Data under this DPA, and any implementing regulations and amendment thereto, including without limitation the: (i) California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018 including as modified by the California Privacy Rights Act as well as all regulations promulgated thereunder from time to time (‘CCPA’); (ii) the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq. (SB 21-190) (‘CPA’); (iii) the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022) (‘CTDPA’); (iv) the Florida Digital Bill of Rights S.B 262 (‘FDBR’); (v) the Montana Consumer Data Privacy Act 68th Legislature 2023, S.B. 0384 (‘MTCDPA’); (vi) the Oregon Consumer Data Privacy Act ORS 646A.570-646A.589 (‘OCDPA’); (vii) the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code Ann. § 541.001 et seq (‘TDPSA’); (viii) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq (‘UCPA’); and (ix) the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392). All as amended or superseded from time to time and including any implementing regulations and amendments thereto.

Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Law. A reference to any term or section of US Data Protection Laws, UK Data Protection Laws, or GDPR means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR and/or UK GDPR depending on the applicable Law.

1. RELATIONSHIP OF THE PARTIES

1.1. Except for specifications under the US Privacy Law Addendum (detailed in ANNEX III), each party is an independent Controller with respect to Personal Data Processed under the Agreement. In no event will the parties be referred to as joint Controllers. 

1.2. Each party shall be individually and separately responsible for complying, and shall be able to demonstrate compliance, with applicable Data Protection Laws in connection with the Processing of Personal Data. The purpose, subject matter, and duration of the Processing, the type of Personal Data, and categories of Data Subjects are described in ANNEX I attached hereto.

2. REPRESENTATIONS AND WARRANTIES

2.1. Each party shall notify the other party, in writing without undue delay (unless prohibited by law) upon becoming aware of:

2.1.1. A security incident that may affect the other party or the Processing of Personal Data provided to or made available by the other party (“Security Incident Notice”). A Security Incident Notice shall include, to the extent available: (i) a description of the nature of the Security Incident, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) a description of the likely consequences of the company that has been exposed;  and (iii) a description of the measures taken or proposed to be taken to address the company that has been exposed, including, where appropriate, measures to mitigate its possible adverse effects; and 

2.1.2. A Data Subject request, Consumer user right request (“DSR Notice”) or otherwise and regulatory, authority or a complaint, investigation, inquiry, warrant, subpoena, or proceedings from or brought by any public, governmental, or judicial agency or authority that relates to the Personal Data Processed under this Agreement (“SAR Notice”). 

2.1.3. In the event of a Security Incident Notice, a DSR or SAR Notice, the parties undertake to cooperate in good faith to ensure compliance with applicable laws.

2.2. Each party shall implement and maintain an information security program with appropriate technical and organizational measures. This program is to ensure a level of security that will be appropriate to the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing, which includes at a minimum (i) the security measures set forth in ANNEX II; and (ii) where required by Data Protection Laws, the appointment of a Data Protection Officer to oversee the privacy program.

2.3. Each party shall provide reasonable cooperation and assistance to the other party in ensuring compliance with its obligation to carry out data protection impact assessments. 

2.4. Each party shall ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to Personal Data; (ii) that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

2.5. Each party shall provide all applicable notices, disclosures, and privacy policy to End Users as required under Data Protection Laws for the lawful Processing by it of Personal Data (“Transparency Notices”). Media Company shall disclose its use of the Services, its sharing or otherwise making available of Personal Data with/to Advertiser, and how Advertiser Processes Personal Data in its Transparency Notices.

2.6. Media Company represents and warrants it has provided (and shall maintain) all required notices in compliance with Section 2.5 and obtained all necessary permissions and consents required under the Data Protection Laws from the relevant End Users on behalf of Advertiser to lawfully permit Advertiser to Process Personal Data as contemplated in the Agreement and Applicable Data Protection Laws.  

2.7. Where consent is the lawful basis for Processing Personal Data or otherwise required for the use of the Services, Media Company represents and warrants that it shall, at all times, make available, maintain, and make operational on the Media Company’s properties: (i) a mechanism for obtaining such consent from End User in accordance with the requirements of the Data Protection Laws; and (ii) a mechanism for End Users to withdraw such consent (opt-out) in accordance with the Data Protection Laws. 

3. DATA TRANSFER

3.1. Any transfer of Personal Data Processed in connection with the Agreement outside of the jurisdiction from which it was collected shall be transferred subject to and in compliance with an approved transfer mechanism.

3.2. If the Media Company is required to transfer Personal Data to an entity that is located in a third country outside the EEA or the UK that is not an Adequate Country, such transfer shall only occur if an appropriate safeguard approved by the applicable Data Protection Law (including Article 46 under the EU GDPR or the UK GDPR, as applicable) for the lawful transfer of Personal Data is in place. Such measures may include the following: (i) transferring Service Data to a recipient that is certified by a suitable framework or other legally adequate transfer mechanism recognized by the relevant Supervisory Authorities in the EEA or UK as providing an adequate level of protection for Personal Data, including in compliance with the EU-U.S. Data Privacy Framework or the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced; (ii) transferring Service Data to a recipient that has achieved binding corporate rules authorization in accordance with applicable Data Protection Law; or (iii) transferring Service Data to a recipient that has executed the Standard Contractual Clauses.

3.3. As between the Media Company and the Advertiser, if a party relies on the Standard Contractual Clauses to facilitate a transfer to a third country then:

3.3.1. Transfer of Service Data from the EEA – the EU SCC shall apply and be completed as follows: (1) Module 1 (Controller to Controller) will apply; (2) in Clause 7 the optional docking clause will not apply; (3) in Clause 11, the optional language will not apply, and Data Subjects shall not be able to lodge a complaint with an independent dispute resolution body; (4) in Clause 17, option 1 shall apply, and the EU SCC shall be governed by the laws of England and Wales; (5) in Clause 18(b) the parties choose the competent courts of England and Wales, as their choice of forum and jurisdiction; (6) Annex I(A) of the EU SCC is completed as set out in ANNEX I of this DPA; (7) Annex I(B) of the EU SCC is completed as set out in ANNEX I of this DPA; (8) Annex I(C) of the EU SCC shall identify the competent supervisory authority/ies as the supervisory authority of England and Wales; (9) Annex II of the EU SCC is deemed completed with the information set out in ANNEX II of this DPA.

3.3.2. Transfer of Service Data from the UK – the UK SCC shall apply and be completed as follows: (1) Table 1 shall be completed as set forth in section (3.2.1.)(6) above; (2) Table 2 shall be completed as set forth in Section (3.2.1.)(1) – (3.2.1)(3) above; (3) Table 3 shall be completed as follows: Annex 1A shall be completed with relevant information as set out in Section (3.2.1.)(6) above; Annex 1B shall be completed with relevant information as set out in ANNEX I of this DPA; Annex II shall be completed with relevant information as set out in ANNEX II of this DPA; (4) Table 4 shall be completed with the “neither party” option; and (5) any conflict between the terms of the EU SCC and the UK SCC will be resolved in accordance with Section 10 and Section 11 of the UK SCC.

4. CONFLICT

4.1. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event that the Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA solely with regards to international transfer of Personal Data. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.

5. TERM AND TERMINATION

5.1. This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates.  

ANNEX I

DETAILS OF PROCESSING

This Annex I includes certain details of the Processing of the Media Company Data as required by Article 28(3) GDPR.

Categories of Data Subjects: 

Individuals who are end-users of Media Company Sites. 

Categories of Personal Data:

Mobile device advertising identifiers (e.g., IDFA/Google Ad ID, IP address); 

Device data such as make, model, operating system, device properties and settings, coarse location data; 

Click attribution data and transactional data; 

Special Categories of Personal Data:

Not Applicable

Process Frequency:

The Personal Data is transferred on a continuous basis.

Nature of the processing:

Collection, storage, organization, analysis, modification, retrieval, disclosure, communication, and other uses in the performance of the Services as set out in the Agreement

Retention Period:

For as long as needed to provide the Services and/or comply with applicable laws.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES

Each party shall implement and maintain current and appropriate technical and organizational measures to protect Personal Data against accidental, unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, disclosure or access, as set forth below:

  1. Conduct security testing or penetration testing, remediate any identified high vulnerabilities, provide written remediation plans for medium and low vulnerabilities;

  2. Maintain a level of security appropriate to protect against any unauthorized or unlawful Processing or accidental loss, destruction, damage, denial of service, alteration or disclosure, and appropriate to the nature of Personal Data;

  3. Oblige its employees, agents, or other persons to whom it provides access to Personal Data to keep it confidential; take reasonable steps to ensure the integrity of any employees who have access to Personal Data; provide annual training to staff and subcontractors on the security requirements contained herein;

  4. Adhere to password policies for standard and privileged accounts consistent with industry best practices;

  5. Ensure that only those personnel who need to have access to Personal Data are granted access, such access is limited to the least amount required, and only granted for the purposes of performing the Services and the obligations under this DPA;

  6. Maintain a physical security program that is consistent with the corresponding industry practices;

  7. Ensure that any storage media (whether magnetic, optical, non-volatile solid state, paper, or otherwise capable of retaining information) that captures Personal Data, if applicable, is securely erased or destroyed before repurposing or disposal.

ANNEX III

US PRIVACY LAWS ADDENDUM

  1. This US Privacy Law Addendum (“US Addendum”) adds specifications applicable to US Data Protection Laws and is in addition to the obligations set forth in the DPA. All terms used but not defined in this US Addendum shall have the meaning set forth in the DPA.

  2. ROLES:

    2.1. As set forth in the DPA, the parties shall act as separate independent Controllers, except when the Processing is for a Restricted Purpose, in which case Advertiser may be deemed a Processor.

    2.2. For the purpose of this US Addendum the “Restricted Purposes” means advertising-related processing that qualifies as a Business Purpose, including (i) auditing, security and integrity purposes, debugging, short term, transient uses, and internal research or improvement of the Services; (ii) technical advertising services that are not targeted, cross-contextual or profiling and include frequency capping, measurement, fraud detection and prevention, and ensuring and measuring viewability; and (iii) contextual advertising which includes first-party advertising to the extent such activity does not result in a Sale or Share of Personal Data or constitute processing of Personal Data for Targeted Advertising purposes.

    2.3. The subject matter, duration, nature, and purpose of the Processing, types of Personal Information Processed, and categories of Data Subjects are as described in ANNEX I.

3. CONTROLLER TO CONTROLLER:

In their roles as independent Controllers, each party shall, when Processing End User Personal Data: 

3.1. Be individually and separately responsible for complying with applicable US Data Protection Laws and, to the extent applicable, with the IAB Policies.

3.2. Provide End Users with clear and conspicuous disclosures and notices on how the Personal Information is Processed, the purpose of Processing, the categories of Personal Information shared and the categories of the recipients, as well as the End Users’ rights, including the right to appeal and the ability to opt out of the Sale, Share of Personal Information or from Targeted Advertising, all in compliance with and as required by the US Data Protection Laws. 

3.3. Ensure that it provides an opt-out mechanism and it enables the End User to send a Privacy Signal and transfer the Privacy Signal down the advertising chain. When a Privacy Signal is received, neither party will process such End Users’ Personal Information for Targeted Advertising, or Cross Contextual Advertising purposes. 

3.4. Comply with requirements for processing Deidentified Information, including by not attempting to re-identify it, using reasonable, technical, and organizational measures to prevent re-identifying it, and publicly committing to such actions. 

4. CONTROLLER TO PROCESSOR 

In addition to the requirements and obligations set forth under the DPA and applicable Data Protection Laws, and solely for the Restricted Purpose processing, in its role as a Processor, Media Company shall comply with the following:

4.1. Representation and Undertaking: a party shall process the End User Personal Information only on behalf of and under the instructions of the other party and in accordance with US Data Protection Laws and shall not: (i) Sell or Share the Personal Information; (ii) retain, use or disclose the Personal Information for any purpose other than for a Business Purpose or Restricted Purpose as specified in the Agreement; (iii) combine the End User Personal Information with other Personal Information that it receives from, or on behalf of, another partner, or collects from its own; or (iv) if and to the extent applicable limit the use of its Sensitive Personal Information (“SPI”). 

4.2. Sub-processors or Sub-contractors: The Controller party provides a general authorization to engage sub-processors to the extent the Processor party undertakes it will restrict the onward sub-processor’s access only to what is strictly necessary, and will prohibit the sub-processor from Processing the Personal Information for any other purpose other than for a Business Purpose or Restricted Purpose as specified in the Agreement. The Processor party shall impose contractual obligations as required by US Data Protection Laws on such sub-processors, and shall inform the other party in the event of replacing a sub-processor or engaging a new sub-processor.  

4.3. Audit: A Controller party has the right to ensure the Processor party is in compliance with US Data Protection Laws. For this purpose, the Processor party, upon receiving a reasonable written request from the Controller party, will make available to the Controller party information necessary to demonstrate compliance with this DPA and US Data Protection Laws. To the extent required by applicable US Data Protection Laws, and upon receiving prior written notice, the Processor party will allow audits, including inspections, by the Controller party (or an auditor on its behalf). Any such audit must be tailored to what is reasonably necessary to verify compliance with this DPA, and must occur during normal business hours, and not more than once per calendar year. The results of the audit will be the confidential information of the Processor party. Notwithstanding the above, under US Data Protection Laws and subject to the Media Company’s consent, the Processor party may alternatively, in response to the Controller party's on-premise audit request, initiate an independent audit on its own, to verify its compliance with its obligations under US Data Protection Laws, and provide the Media Company with the results. In any case, the expenses of the audit shall be paid by the Controller party. The Processor party may refuse audit or access to certain information if it determines it may harm other partners or customers, or it may cause a security breach, or it is not related or necessary for the purpose of demonstrating compliance with US Data Protection Laws.

4.4. Certification: The Processor party certifies that it understands the rules, requirements, and definitions of the CCPA and agrees to refrain from Selling or Sharing Personal Information. The Processor party acknowledges and confirms that it does not receive any monetary goods, payments, or discounts in exchange for processing the Personal Information for a Business Purpose or Restricted Purpose as specified in the Agreement.