Data Sharing Addendum

This Data Sharing Addendum and attached Schedules (together, “Addendum”), to the extent it is expressly incorporated by reference into an agreement between You and Chartboost (each a “Party” and together, the “Parties”), forms part of such agreement and all further agreements executed under it with respect to the subject matter thereof (collectively the “Agreement”) and applies to the extent that Chartboost Processes Personal Data (as defined below) in connection with the Agreement.

In the event of any conflict between the terms of this Addendum, the SCCs and those of the Agreement, the terms shall apply in the following order of precedence: the (i) SCCs, (ii) this Addendum, and (iii) terms of the Agreement. Except as modified herein, all terms and conditions of the Agreement shall remain in full force and effect.

THE PARTIES NOW HEREBY AGREE AS FOLLOWS:

1.  DEFINITIONS
In this Addendum, the capitalized expressions shall have the following meanings:

i) "Applicable Data Protection Laws" Any (a) law or regulations, mandatory guidance, or statutory code of practice in force from time to time in any applicable jurisdiction; or (b) judgment or any other requirement of any competent court or regulatory authority applicable to a Party relating to the Processing, protection and privacy of Personal Data and the privacy of electronic communications as amended and/or superseded from time to time, including as applicable European Data Protection Law, CCPA and LGPD;
ii) “CCPA” The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as may be amended, superseded or replaced from time to time, including without limitation any and all applicable implementing regulations;
iii) “EEA” The European Economic Area;
iv) “European Data Protection Law” (1) the EU General Data Protection Regulation 2016/679 (“GDPR”); (2) the EU e-Privacy Directive (Directive 2002/58/EC); (3) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's (“UK”) European Union (Withdrawal) Act 2018 (the "UK GDPR"); (4) the Swiss Federal Act on Data Protection 1992 and (from 1 September 2023) revised Federal Data Protection Act (“Swiss DPA”); and (5) any and all applicable national laws made under or pursuant to (1), (2), (3) and (4); in each case as may be amended, superseded or replaced from time to time;
v) “LGPD” The Lei Geral de Proteção de Dados (Law No. 13.709/2018), as may be amended, superseded or replaced from time to time, including without limitation any and all applicable implementing regulations;
vi) “Personal Data” Any and all data (regardless of format) that (i) is defined as “personal data”, “personal information”, “personally identifiable information” or any analogous concept under Data Protection Law, (ii) identifies or can be used to identify, contact or locate a natural person, or (iii) otherwise pertains in any way to or could be reasonably associated with an identified natural person or their device (whether computer, mobile, connected TV or otherwise), including (for example) IP address, MAC address, unique device identifiers, unique identifiers set in cookies, and any information passively captured about a person’s online activities, browsing, application or hotspot usage or device location;
vii) “Processing” Any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. “Process”, “Processes”, “Processing” and “Processed” shall be construed accordingly;
viii) "Restricted Processing" Means: (i) where the GDPR applies, a transfer of Personal Data to, or Processing of Personal Data in, a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data to, or Processing of Personal Data in, any country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; (iii) where the Swiss DPA applies, a transfer of Personal Data to, or Processing of Personal Data in, any country which is not determined to provide adequate protection for Personal Data by the Federal Data Protection and Information Commission or Federal Council (as applicable); and (iv) where another Applicable Data Protection Law applies, a cross-border transfer of Personal Data to, or Processing of Personal Data in, any other country which is contrary to any data transfer restrictions that apply under that Applicable Data Protection Law;
ix) “SCCs” Means: (i) where the GDPR or Swiss DPA applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 ("EU SCCs"); (ii) where the UK GDPR applies, the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner under s.119A(1) of the DPA 2018 (“UK Addendum”); and (iii) where another Applicable Data Protection Law applies, the standard contractual clauses or other appropriate cross-border transfer mechanisms approved or adopted by an appropriate data protection authority or similar body under that Applicable Data Protection Law; and
x) "Services" The services provided by one Party to the other as specifically set out in the Agreement.

Other capitalized expressions that are used but not defined in this Addendum shall have the meanings given to them in the Agreement.

2.  COMPLIANCE WITH APPLICABLE DATA PROTECTION LAWS

2.1  The terms of this Section 2.1 are applicable to the extent that you are a publisher pursuant to the Agreement.

  • 2.1.1  Pursuant to the Agreement, Chartboost will Process Personal Data, as further described in Schedule A of this Addendum. The Parties acknowledge and agree that: (i) You and Chartboost are both controllers of the Personal Data that is Processed pursuant to the Agreement; (ii) Chartboost shall Process the Personal Data for the purposes described in Chartboost’s privacy policy as published at https://docs.chartboost.com/en/legal/privacy-policy/ (the "Permitted Purpose") and (iii) each Party shall comply with the obligations that apply to that Party under this Addendum and under Applicable Data Protection Laws in its Processing of Personal Data.

  • 2.1.2  Without limitation, each Party agrees that it shall:

    • (a)  provide reasonable cooperation and assistance to the other Party as necessary for the other Party’s compliance with Applicable Data Protection Laws (at the other Party’s reasonable expense);

    • (b)  not perform its obligations under this Addendum and/or ask the other Party to perform its obligations in such a way as to cause the other Party to breach any of its obligations under Applicable Data Protection Laws;

    • (c)  take into account all the data protection principles provided for in Applicable Data Protection Laws, including but not limited to the principles of purpose limitation, data minimization, accuracy, storage limitation, security, integrity and confidentiality, transparency and protection of Personal Data by design and by default;

    • (d)  maintain a record of the Processing of the Personal Data under its responsibility;

    • (e)  cooperate in the preparation of the required data protection impact assessments;

    • (f)  carry out any assessment, consultation and/or notification to competent data protection authorities or data subjects, in relation to the Processing it carries out;

    • (g)  publish appropriate contact details that data subjects may contact to exercise their rights under Applicable Data Protection Laws, including the rights of access, rectification, erasure and objection and the right to withdraw consent; and

    • (h)  provide and maintain all necessary transparency information (including privacy notices) required by Applicable Data Protection Laws to data subjects whose Personal Data it Processes pursuant to this Addendum and the Agreement.

2.2  The terms of this Section 2.2 are applicable to the extent that you are an advertiser pursuant to the Agreement.

  • 2.2.1  Pursuant to the Agreement, Chartboost will Process Personal Data, as further described in Schedule A of this Addendum. The Parties acknowledge and agree that: (i) You and Chartboost are both controllers in relation to the Processing of Personal Data in the context of the Services; (ii) Chartboost shall Process the Personal Data for the purposes described in Chartboost’s privacy policy as published at https://docs.chartboost.com/en/legal/privacy-policy/ (the "Permitted Purpose") and (iii) each Party shall be responsible for ensuring its Processing of Personal Data complies with Applicable Data Protection Laws.

  • 2.2.2  Without limitation, each Party shall individually and separately: (a) provide all necessary transparency information (including privacy notices) required by Applicable Data Protection Laws to data subjects whose Personal Data it Processes pursuant to this Addendum and the Agreement, and (b) publish appropriate contact details that data subjects may contact to exercise their data subject rights under Applicable Data Protection Laws against that Party.

2.3  You represent and warrant that: (i) You have or shall obtain all necessary consents and provide all relevant notices as required under Applicable Data Protection Laws relating to the Processing of Personal Data under the Agreement and to enable the transfer and subsequent Processing of Personal Data by Chartboost pursuant to the Agreement (including by providing a link to Chartboost’s privacy policy in each of your Online Services Apps (https://docs.chartboost.com/en/legal/privacy-policy)); and (ii) where consent is the lawful basis for Processing Personal Data or otherwise required for the use of the Services, You shall, at all times, make available, maintain, and make operational on Your properties: (a) a mechanism for obtaining such consent from data subjects in accordance with the requirements of Applicable Data Protection Laws; and (b) a mechanism for data subjects to withdraw such consent (opt-out) in accordance with the Applicable Data Protection Laws. You shall retain evidence of compliance with any such requirements for the duration of the Agreement and provide it promptly to Chartboost upon request.

2.4  With respect to CCPA, You may take reasonable and appropriate steps to (i) ensure that Chartboost Processes the Personal Data in a manner consistent with Your obligations under CCPA and (ii) upon notice to Chartboost, require Chartboost to stop and remediate unauthorized or unlawful Processing by Chartboost of the Personal Data. Chartboost will notify You if Chartboost can no longer comply with its obligations under CCPA.

2.5  You may not include in the data that You share with Chartboost any Personal Data about an individual’s racial or ethnic origin, political opinions, religious or philosophical affiliation or beliefs, trade-union membership, health, sex life or sexual orientation, criminal convictions or alleged commission of an offense, genetic data, or biometric data. You may not use any feature or functionality of the Online Services to send, collect, share, track, infer, or identify such categories of data.

2.6  Chartboost does not knowingly collect personal information from children or serve advertisements to children. You must comply with (and must ensure that your Online Services App(s) and Online Services Ad(s) comply with) the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501, et seq.) and any applicable laws of similar effect in any applicable jurisdiction (collectively “Children Regulations”), in the collection and use of personal information from children. The terms “personal information” and “children”/“child” as used in this Section 2.5 shall be defined in accordance with applicable Children Regulations. In addition, unless otherwise agreed by the Parties via a specific addendum, You shall: (i) not provide Chartboost with personal information of children; (ii) not use the Online Services in connection with any Online Services App or Online Services Ad designed for, or directed to, children or to target or retarget children; and (iii) include and honor all appropriate age-related and other flags.

2.7.  Each Party shall be responsible to the extent legally permitted for any costs and expenses arising from compliance with this Section 2.

3.  PROTECTION OF THE PERSONAL DATA

3.1  Both Parties shall implement appropriate technical, physical and organizational security measures, including for Chartboost those specified in Schedule B and such other security measures as may be required from time to time by Applicable Data Protection Laws, to protect against the accidental, unlawful or unauthorized access to or transfer, destruction, loss, alteration, disclosure or processing of the Personal Data. Notwithstanding the foregoing, Chartboost shall provide the same level of privacy protection to Personal Data as is required of You under CCPA.

3.2  Each Party shall, where necessary and in close coordination with the other Party, take appropriate additional safeguards to ensure a level of protection of the Personal Data that is essentially equivalent to that guaranteed under Applicable Data Protection Laws. This includes safeguards to prevent any access to the Personal Data by public authorities, including national security authorities, against which no enforceable rights and effective legal remedies are available to the data subjects.

4.  INTERNATIONAL TRANSFERS OF DATA

4.1  Chartboost is a company based in the US. As such, You acknowledge that in the context of the provision of the Services, Personal Data may be transferred to Chartboost in the US for Chartboost to Process for the Permitted Purpose.

4.2  Specifically, where the Services involve Restricted Processing of the Personal Data, the appropriate SCCs described below shall be deemed incorporated into this Addendum by reference and will apply between You (acting as “Data Exporter”) and Chartboost (acting as “Data Importer”) as follows (with module, clause, option, and annex references being references to the modules, clauses, options, and annexes of the SCCs unless otherwise stated):

  • 4.2.1.  In relation to Personal Data that is protected by the GDPR, the EU SCCs will apply as follows:
    • (i) Module One will apply;
    • (ii) in Clause 7, the optional docking clause will not apply;
    • (iii) in Clause 11, the optional language will not apply;
    • (iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
    • (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
    • (vi) Annex I shall be deemed completed with the information set out in Schedule A to this Addendum; and
    • (vii) Annex II shall be deemed completed with the information set out in Schedule B to this Addendum.

  • 4.2.2.  In relation to Personal Data that is protected by the UK GDPR, the EU SCCs as modified by the UK Addendum will apply as follows:
    • (i) the EU SCCs shall be deemed completed as set out above in Section 4.2.1 of this Addendum and shall be deemed modified by the UK Addendum as set out in sub-clause (ii) below;
    • (ii) Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above in Section 4.2.1, Schedule A and Schedule B of this Addendum (as applicable), the options “Exporter” and “Importer” shall be deemed checked in Table 4, and the start date of the UK Addendum (as set out in Table 1 of the UK Addendum) shall be the date of the Agreement.

  • 4.2.3.  In relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply as set out in Section 4.2.1 of this Addendum amended as follows:
    • (i) references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA;
    • (ii) references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA;
    • (iii) references to ‘EU’, ‘Union’ and ‘Member State’ will be deemed replaced with ‘Switzerland’;
    • (iv) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘competent Swiss courts’;
    • (v) in Clause 17, the EU SCCs are governed by the laws of Switzerland; and
    • (vi) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland.

4.3  In relation to Personal Data that is protected by another Applicable Data Protection Law, the Data Exporter and the Data Importer agree that such SCCs shall automatically apply to the transfer of Personal Data from the Data Exporter to the Data Importer and, where applicable shall, as far as possible, be deemed completed on a mutatis mutandis basis to the completion of the SCCs as described above.

5.  NOTICE AND COOPERATION

5.1.  Each Party shall provide all required mechanisms for, and give effect to, data subject rights pursuant to Applicable Data Protection Laws and respond to inquiries by governmental authorities. Additionally, if a Party receives a complaint, inquiry or communication from a data subject, a government or regulatory authority or other third party which relates to the processing of Personal Data in the context of the Services or the Agreement (“Correspondence”), it shall, to the extent required by Applicable Data Protection Laws, promptly inform the other Party giving full details of the same, and the Parties shall cooperate reasonably and in good faith in order to respond to the Correspondence in accordance with any requirements under Applicable Data Protection Laws. If Chartboost receives a Correspondence from a government or regulatory authority, Chartboost may share the terms of this Addendum, the Agreement, and other information necessary to demonstrate compliance with Applicable Data Protection Laws.

5.2.  Should a court of competent jurisdiction or a supervisory authority deem (for whatever reason) that the Processing of the Personal Data in the context of the Agreement is unlawful, then You shall fully cooperate with Chartboost and take such action as may be necessary to ensure future compliance with the Applicable Data Protection Laws.

5.3.  In the event that either Party suffers a reportable breach of security affecting Personal Data or any unauthorized, accidental or unlawful access, destruction, loss, alteration or disclosure of the Personal Data Processed pursuant to the Agreement (a “Personal Data Breach”), such Party shall, without undue delay, and in no event longer than 72 hours after discovery, inform the other Party of the Personal Data Breach and take such steps as such Party in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach (to the extent that remediation is within such Party’s reasonable control). Notice to Chartboost shall be sent to: security-notification@take2games.com with read receipt enabled and a copy to Your primary business contact within Chartboost. The other Party shall provide the Party that has suffered the Personal Data Breach with reasonable cooperation and assistance as may be necessary to notify affected data subjects and/or the relevant supervisory authority (as applicable) and to mitigate or remedy the effects of such Personal Data Breach. Without prejudice to the foregoing, each Party shall be responsible for the notification of a Personal Data Breach to the supervisory authority and/or data subjects to the extent such Personal Data Breach is as a result of a breach of its systems.

6.  GENERAL

6.1  This Addendum is subject to all the other terms set forth in the Agreement, including limitations of liability and indemnity.

6.2  To the extent required by Applicable Data Protection Laws, this Addendum will be governed by the laws of the applicable jurisdiction. In all other cases, this Addendum shall be governed by the laws of the jurisdiction set forth in the Agreement.



SCHEDULE A – DATA PROTECTION DESCRIPTION


LIST OF PARTIES

Data exporter(s)

Name: The entity identified as “You” in the Agreement
Address: As per the Agreement
Contact person’s name and contact details: As per the Agreement
Activities relevant to the data transferred under these Clauses: The Services as set out in the Agreement
Signature and date: This Schedule A shall be deemed executed upon execution of the Agreement.
Role (controller/processor): Controller

Data importer(s)

Name: Chartboost, Inc.
Address: As per the Agreement
Contact person’s name and contact details: Privacy Counsel, privacypolicy@take2games.com
Activities relevant to the data transferred under these Clauses: The Services as set out in the Agreement
Signature and date: This Schedule A shall be deemed executed upon execution of the Agreement.
Role (controller/processor): Controller

DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: End users whose personal data are being processed in the context of the Services as set out in the Agreement and this Addendum.
Categories of personal data transferred: Personal Data may include identifiers (such as unique personal identifiers, online identifiers, IP addresses), demographic information, online activity (such as interaction with websites, applications or advertisements), device-related data and geolocation data.
Sensitive data: The Services are not intended to process sensitive data.
The frequency of the transfer: The Personal Data will be processed on a continuous basis for the duration of the Agreement.
Nature and purposes of the transfer and processing: Performance of the Services (as defined in the Agreement)
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The Personal Data will be retained for as long as necessary for the Permitted Purpose and/or in accordance with applicable statutes of limitations and applicable law.
Identify the competent supervisory authority/ies:
  • For Personal Data protected under the GDPR: Agencia Española de Protección de Datos (AEPD) in Spain.
  • For Personal Data protected under the Swiss DPA: Federal Data Protection and Information Commissioner (FDPIC)
  • For Personal Data protected under the UK GDPR: Information Commissioner’s Office



SCHEDULE B – TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

The technical and organizational security measures implemented by Chartboost include:

1. Access control to premises and facilities (physical): Chartboost will maintain commercially reasonable physical security systems at all Chartboost sites which are used to deliver the Services.

2. Access control to systems (virtual): Chartboost will establish and maintain the following safeguards against accidental or unauthorized access to, destruction of, loss of, or alteration of the Personal Data:
  • Access will be granted to employees through documented access request procedures. The employees’ managers or other responsible individuals must authorize or validate access before it is given.
  • Access control policy is to enable SSO, Multi-Factor Authentication, and password complexity rules on all third party systems that support these features.
  • Password requirements: at least 8 characters long with at least one capital letter, one lowercase, one number, and one special character. Password cannot be repeated from the last 10 used passwords.
  • Administrative access will be restricted to prevent changes to systems or applications.
  • Users will be assigned a single account and prohibited from sharing accounts.

3. Access control to data:
  • Individuals will request access and justify a need to retain access as part of a documented access request process. Their managers or other responsible individuals must authorize or approve access before it is authorized.
  • Access will be granted only after verifying identity through an approved “access control form”, i.e. LAN Logon ID, application access ID, or other similar identification.
  • Unique User IDs and passwords will be issued to the users.
  • Users, once authenticated, will be authorized for access levels based on their job functions.
  • Chartboost will promptly act to revoke access due to termination, a change in job function, or in observance of user inactivity or extended absence.

4. Disclosure control:
  • Chartboost will deliver technology and processes designed to minimize access for illegitimate processing.
  • Printing access and outbound email will be restricted for agents, unless provided by You over Your own services or if access to such applications is specifically required to meet business requirements.

5. Input control:
  • Chartboost will maintain system and database logs for access to user data under Chartboost control.
  • All Chartboost systems must be configured to provide event logging to identify a system compromise, unauthorized access, or any other security violation. Logs must be protected from unauthorized access or modification.

6. Job control: Technical and organizational measures to segregate the responsibilities between You and Chartboost would include:
  • Processing activities will be carried out in a secure remote cloud location and not on employee workstations.
  • All employee workstations have disk encryption.

7. Availability control: Backups are once a day or immediately depending on the application/system being used on shared/team drives.

Upon detection of a virus or malware, Chartboost will promptly seek to stop/limit the spread and damage of the virus or malware.

This Addendum was last updated on February 28, 2024.