Data Sharing Addendum

This Data Sharing Addendum and attached Schedules (together, “Addendum”), to the extent it is expressly incorporated by reference into an agreement between You and Chartboost (each a “Party” and together, the “Parties”), forms part of such agreement and all further agreements executed under it with respect to the subject matter thereof (collectively the “Agreement”) and applies to the extent that Chartboost Processes Personal Data in connection with the Agreement.

In the event of any conflict between the terms of this Addendum, the SCCs and those of the Agreement, the terms shall apply in the following order of precedence: the (i) SCCs, (ii) this Addendum, and (iii) terms of the Agreement. Except as modified herein, all terms and conditions of the Agreement shall remain in full force and effect.

THE PARTIES NOW HEREBY AGREE AS FOLLOWS:

  1. DEFINITIONS

    In this Addendum, the capitalized expressions shall have the following meanings:

    i) “Applicable Data Protection Laws”

    All international, national, federal, state, provincial and local laws, regulations, orders, statutes, administrative orders, treaties, judgments, court orders, and any other requirements of any relevant government or government agency or regulatory authority applicable to a Party with regard to the Processing of Personal Data (which may include without limitation European Data Protection Law, CCPA and LGPD);

    ii) “CCPA”

    The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as may be amended, superseded or replaced from time to time, including without limitation any and all applicable implementing regulations;

    iii) “EEA”

    The European Economic Area;

    iv) “European Data Protection Law”

    (1) the EU General Data Protection Regulation 2016/679 (“GDPR”); (2) the EU e-Privacy Directive (Directive 2002/58/EC); (3) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s (“UK”) European Union (Withdrawal) Act 2018 (the “UK GDPR”); (4) the Swiss Federal Act on Data Protection 1992 (“Swiss DPA”); and (5) any and all applicable national laws made under or pursuant to (1), (2), (3) and (4); in each case as may be amended, superseded or replaced from time to time;

    v) “LGPD”

    The Lei Geral de Proteção de Dados (Law No. 13.709/2018), as may be amended, superseded or replaced from time to time, including without limitation any and all applicable implementing regulations;

    vi) “Personal Data”

    Any personal data (as defined under Applicable Data Protection Laws) which is either supplied by You to Chartboost, or which is collected or generated by Chartboost, in both cases in order for Chartboost to provide its Services under the Agreement. For these purposes, personal data shall be deemed to include any personal information and personally identifiable information (or any analogous concept), as those terms are defined under Applicable Data Protection Laws;

    vii) “Processing”

    Any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. “Process”, “Processes”, “Processing” and “Processed” shall be construed accordingly;

    viii) “Restricted Processing”

    Means: (i) where the GDPR applies, a transfer of Personal Data from the EEA to or a use of Personal Data in a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to or a use of Personal Data in any country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to or a use of Personal Data in any country which is not determined to provide adequate protection for Personal Data by the Federal Data Protection and Information Commission or Federal Council (as applicable); and (iv) where another Applicable Data Protection Law applies, a cross-border transfer of or use of Personal Data from that jurisdiction to any other country which is not based on adequacy regulations pursuant to that Applicable Data Protection Law;

    ix) “SCCs”

    Means: (i) where the GDPR or Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 (“EU SCCs”); (ii) where the UK GDPR applies, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”); and (iii) where another Applicable Data Protection Law applies, the standard contractual clauses or other appropriate cross-border transfer mechanisms approved or adopted by an appropriate data protection authority or similar body under that Applicable Data Protection Law; and

    x) “Services”

    The services provided by one Party to the other as specifically set out in the Agreement.

    Other capitalized expressions that are used but not defined in this Addendum shall have the meanings given to them in the Agreement.

  2. COMPLIANCE WITH APPLICABLE DATA PROTECTION LAWS

    2.1 Pursuant to the Agreement, You may disclose to Chartboost certain Personal Data, as further described in Schedule A of this Addendum. The Parties acknowledge and agree that: (i) both You and Chartboost act as independent controllers in relation to the Processing of Personal Data in the context of the Services; (ii) Chartboost shall Process the Personal Data for the purposes described in Chartboost’s privacy policy as published at https://docs.chartboost.com/en/legal/privacy-policy/ (the “Permitted Purpose”) and (iii) each Party shall be individually and separately responsible for ensuring its Processing of Personal Data complies with Applicable Data Protection Laws.

    2.2 You represent and warrant that: (i) You have or shall obtain all necessary consents and provide all relevant notices as required under Applicable Data Protection Laws relating to the Processing of Personal Data under the Agreement and to enable the transfer and subsequent Processing of Personal Data by Chartboost pursuant to the Agreement (including by providing a link to Chartboost’s privacy policy in each of your Online Services Apps (https://docs.chartboost.com/en/legal/privacy-policy)); and (ii) where consent is the lawful basis for Processing Personal Data or otherwise required for the use of the Services, You shall, at all times, make available, maintain, and make operational on Your properties: (a) a mechanism for obtaining such consent from data subjects in accordance with the requirements of Applicable Data Protection Laws; and (b) a mechanism for data subjects to withdraw such consent (opt-out) in accordance with the Applicable Data Protection Laws. You shall retain evidence of compliance with any such requirements for the duration of the Agreement and provide it promptly to Chartboost upon request.

    2.3 With respect to CCPA, You may take reasonable and appropriate steps to (i) ensure that Chartboost Processes the Personal Data in a manner consistent with Your obligations under CCPA and (ii) upon notice, stop and remediate unauthorized Processing by Chartboost of the Personal Data. Chartboost will notify You if Chartboost can no longer comply with its obligations under CCPA.

    2.4 You may not include in the data that You share with Chartboost any Personal Data about an individual’s racial or ethnic origin, political opinions, religious or philosophical affiliation or beliefs, trade-union membership, health, sex life or sexual orientation, criminal convictions or alleged commission of an offense, genetic data, or biometric data. You may not use any feature or functionality of the Online Services to send, collect, share, track, infer, or identify such categories of data.

    2.5 Chartboost does not knowingly collect personal information from children or serve advertisements to children. You must comply with (and must ensure that your Online Services App(s) and Online Services Ad(s) comply with) the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501, et seq.) and any applicable laws of similar effect in any applicable jurisdiction (collectively “Children Regulations”), in the collection and use of personal information from children. The terms “personal information” and “children”/“child” as used in this Section 2.5 shall be defined in accordance with applicable Children Regulations. In addition, unless otherwise agreed by the Parties via a specific addendum, You shall: (i) not provide Chartboost with personal information of children; (ii) not use the Online Services in connection with any Online Services App or Online Services Ad designed for, or directed to, children or to target or retarget children; and (iii) include and honor all appropriate age-related and other flags.

  3. PROTECTION OF THE PERSONAL DATA

    3.1 Chartboost shall implement appropriate technical, physical and organizational security measures, including those specified in Schedule B and such other security measures as may be required from time to time by Applicable Data Protection Laws, to protect against the accidental, unlawful or unauthorized access to or transfer, destruction, loss, alteration, disclosure or processing of the Personal Data. Notwithstanding the foregoing, Chartboost shall provide the same level of privacy protection to Personal Data as is required of You under CCPA.

    3.2 Each Party shall, where necessary and in close coordination with the other Party, take appropriate additional safeguards to ensure a level of protection of the Personal Data that is essentially equivalent to that guaranteed under Applicable Data Protection Laws. This includes safeguards to prevent any access to the Personal Data by public authorities, including national security authorities, against which no enforceable rights and effective legal remedies are available to the data subjects.

    3.3 Notwithstanding other obligations in the Agreement (including this Addendum) to implement appropriate technical and organizational measures, the Parties are obliged, as far as possible, to encrypt Personal Data Processed under the Agreement immediately upon receipt and to only transmit Personal Data using robust end-to-end encryption. All Processing of Personal Data is subject to each Party’s obligation of confidentiality under the Agreement. A Party will not disclose Personal Data to law enforcement, other governmental authority, or other persons unless such Party receives a civil or criminal subpoena, warrant, or other official and written request which (i) is issued by such competent law enforcement, other governmental authority with the authority and jurisdiction to demand the disclosure, and (ii) is legally binding on such Party and requires such Party to disclose Personal Data in response thereto. Such Party will only provide Personal Data if, and to the extent that, it is necessary and proportionate to comply with such a request for disclosure.

  4. INTERNATIONAL TRANSFERS OF DATA

    4.1 Chartboost is a company based in the US. As such, You acknowledge that in the context of the provision of the Services, Personal Data may be transferred to Chartboost in the US for Chartboost to Process for the Permitted Purpose.

    4.2 Specifically, where the Services involve Restricted Processing of the Personal Data, the appropriate SCCs shall be deemed incorporated into this Addendum by reference and will apply between You (acting as “Data Exporter”) and Chartboost (acting as “Data Importer”) as follows (with module, clause, option, and annex references being references to the modules, clauses, options, and annexes of the SCCs unless otherwise stated):

    4.2.1. In relation to Personal Data that is protected by the GDPR, the EU SCCs will apply as follows:

    (i) Module One will apply;

    (ii) in Clause 7, the optional docking clause will not apply;

    (iv) in Clause 11, the optional language will not apply;

    (v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

    (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;

    (vii) Annex I shall be deemed completed with the information set out in Schedule A to this Addendum; and

    (viii) Annex II shall be deemed completed with the information set out in Schedule B to this Addendum.

    4.2.2. In relation to Personal Data that is protected by the UK GDPR, the UK SCCs will apply as follows:

    (i) as set out above in Section 4.2.1 of this Addendum and the EU SCCs shall be deemed amended as specified by Part 2 of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018 (“UK Addendum”) in respect of the transfer of such Personal Data; and

    (ii) Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above in Section 4.2.1, Schedule A and Schedule B of this Addendum (as applicable), the option “Neither Party” shall be deemed checked in Table 4, and the start date of the UK Addendum (as set out in Table 1 of the UK Addendum) shall be the date of the Agreement.

    4.2.3. In relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply as set out in Section 4.2.1 of this Addendum amended as follows:

    (i) references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA;

    (ii) references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA;

    (iii) references to ‘EU’, ‘Union’ and ‘Member State’ will be deemed replaced with ‘Switzerland’;

    (iv) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘competent Swiss courts’;

    (v) in Clause 17, the EU SCCs are governed by the laws of Switzerland; and

    (vi) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland.

    4.3 In relation to Personal Data that is protected by another Applicable Data Protection Law, the Data Exporter and the Data Importer agree that such SCCs shall automatically apply to the transfer of Personal Data from the Data Exporter to the Data Importer and, where applicable shall, as far as possible, be deemed completed on a mutatis mutandis basis to the completion of the SCCs as described above.

  5. NOTICE AND COOPERATION

    5.1. Each Party shall provide all required mechanisms for, and give effect to, data subject rights pursuant to Applicable Data Protection Laws and respond to inquiries by governmental authorities. Additionally, if a Party receives a complaint, inquiry or communication from a data subject, a government or regulatory authority or other third party which relates to the processing of Personal Data in the context of the Services or the Agreement, it shall, to the extent required by Applicable Data Protection Laws, promptly notify the other Party and cooperate as necessary with the other Party with respect to such complaint, inquiry or communication. If Chartboost receives a request from a government or regulatory authority, Chartboost may share the terms of this Addendum, the Agreement, and other information necessary to demonstrate compliance with Applicable Data Protection Laws.

    5.2. Should a court of competent jurisdiction or a supervisory authority deem (for whatever reason) that the Processing of the Personal Data in the context of the Agreement is unlawful, then You shall fully cooperate with Chartboost and take such action as may be necessary to ensure future compliance with the Applicable Data Protection Laws.

    5.3 In the event that either Party suffers a reportable breach of security affecting Personal Data or any unauthorized, accidental or unlawful access, destruction, loss, alteration or disclosure of the Personal Data Processed pursuant to the Agreement (a “Personal Data Breach”), such Party shall, without undue delay, and in no event longer than 72 hours after discovery, inform the other Party of the Personal Data Breach and take such steps as such Party in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach (to the extent that remediation is within such Party’s reasonable control). Notice to Chartboost shall be sent to: security-notification@take2games.com with read receipt enabled and a copy to Your primary business contact within Chartboost. The other Party shall provide the Party that has suffered the Personal Data Breach with reasonable cooperation and assistance as may be necessary to notify affected data subjects and/or the relevant supervisory authority (as applicable) and to mitigate or remedy the effects of such Personal Data Breach. Without prejudice to the foregoing, each Party shall be responsible for the notification of a Personal Data Breach to the supervisory authority and/or data subjects to the extent such Personal Data Breach is as a result of a breach of its systems.

  6. GENERAL

    6.1 This Addendum is subject to all the other terms set forth in the Agreement, including limitations of liability and indemnity.

    6.2 To the extent required by Applicable Data Protection Laws, this Addendum will be governed by the laws of the applicable jurisdiction. In all other cases, this Addendum shall be governed by the laws of the jurisdiction set forth in the Agreement.

    SCHEDULE A – DATA PROTECTION DESCRIPTION

    LIST OF PARTIES

    Data exporter(s)

    Name: The entity identified as “You” in the Agreement

    Address: As per the Agreement

    Contact person’s name and contact details: As per the Agreement

    Activities relevant to the data transferred under these Clauses: The Services as set out in the Agreement

    Signature and date: This Schedule A shall be deemed executed upon execution of the Agreement.

    Role (controller/processor): Controller

    Data importer(s)

    Name: Chartboost, Inc.

    Address: As per the Agreement

    Contact person’s name and contact details: Privacy Counsel, privacypolicy@take2games.com

    Activities relevant to the data transferred under these Clauses: The Services as set out in the Agreement

    Signature and date: This Schedule A shall be deemed executed upon execution of the Agreement.

    Role (controller/processor): Controller

    DESCRIPTION OF TRANSFER

    Categories of data subjects whose personal data is transferred: End users whose personal data are being processed in the context of the Services as set out in the Agreement and this Addendum.

    Categories of personal data transferred: Personal Data may include identifiers (such as unique personal identifiers, online identifiers, IP addresses), demographic information, online activity (such as interaction with websites, applications or advertisements), device-related data and geolocation data.

    Sensitive data: The Services are not intended to process sensitive data.

    The frequency of the transfer: The Personal Data will be processed on a continuous basis for the duration of the Agreement.

    Nature and purposes of the transfer and processing: Performance of the Services (as defined in the Agreement)

    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The Personal Data will be retained for as long as necessary for the Permitted Purpose and/or in accordance with applicable statutes of limitations and applicable law.

    Identify the competent supervisory authority/ies:

    For Personal Data protected under the GDPR: Agencia Española de Protección de Datos (AEPD) in Spain.

    For Personal Data protected under the Swiss DPA: Federal Data Protection and Information Commissioner (FDPIC)

    For Personal Data protected under the UK GDPR: Information Commissioner’s Office

    SCHEDULE B – TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

    The technical and organizational security measures implemented by Chartboost include:

    1. Access control to premises and facilities (physical):

      Chartboost will maintain commercially reasonable physical security systems at all Chartboost sites which are used to deliver the Services.

    2. Access control to systems (virtual)

      Chartboost will establish and maintain the following safeguards against accidental or unauthorized access to, destruction of, loss of, or alteration of the Personal Data:

      Access will be granted to employees through documented access request procedures. The employees’ managers or other responsible individuals must authorize or validate access before it is given. Access control policy is to enable SSO, Multi-Factor Authentication, and password complexity rules on all third party systems that support these features.

      Password requirements: at least 8 characters long with at least one capital letter, one lowercase, one number, and one special character. Password cannot be repeated from the last 10 used passwords. Administrative access will be restricted to prevent changes to systems or applications. Users will be assigned a single account and prohibited from sharing accounts.

    3. Access control to data:

      Individuals will request access and justify a need to retain access as part of a documented access request process. Their managers or other responsible individuals must authorize or approve access before it is authorized.

      Access will be granted only after verifying identity through an approved “access control form”, i.e. LAN Logon ID, application access ID, or other similar identification. Unique User IDs and passwords will be issued to the users.

      Users, once authenticated, will be authorized for access levels based on their job functions. Chartboost will promptly act to revoke access due to termination, a change in job function, or in observance of user inactivity or extended absence.

    4. Disclosure control:

      Chartboost will deliver technology and processes designed to minimize access for illegitimate processing.

      Printing access and outbound email will be restricted for agents, unless provided by You over Your own services or if access to such applications is specifically required to meet business requirements.

    5. Input control:

      Chartboost will maintain system and database logs for access to user data under Chartboost control. All Chartboost systems must be configured to provide event logging to identify a system compromise, unauthorized access, or any other security violation. Logs must be protected from unauthorized access or modification.

    6. Job control:

      Technical and organizational measures to segregate the responsibilities between You and Chartboost would include:

      Processing activities will be carried out in a secure remote cloud location and not on employee workstations.

      All employee workstations have disk encryption.

    7. Availability control:

      Backups are performed once a day or immediately, depending on the application/system being used on shared/team drives.

      Upon detection of a virus or malware, Chartboost will promptly seek to stop/limit the spread and damage of the virus or malware.

This Addendum was last revised on 30 June 2023.


Version applicable prior to 30 June 2023

Data Sharing Addendum

This Data Sharing Addendum (“Addendum”) applies to the Processing of Personal Data in the context of the Services provided by Chartboost, Inc. to Customer (as set forth below in the signature block below) (Chartboost and Customer are hereinafter jointly referred to as the “Parties” and separately as a “Party”), as agreed in the Chartboost RTB Demand-Side Agreement between Parties dated —————— (the “Agreement”). In the event of any conflict between the Addendum and the Agreement, this Addendum shall prevail to the extent of such conflict. The Schedules to this Addendum form an integral part of it. Both Chartboost and Customer act as a controller in relation to the processing of Personal Data in the context of the Services (as defined below) provided by Chartboost to Customer.

THE PARTIES NOW HEREBY AGREE AS FOLLOWS:

  1. DEFINITIONS

    In this Addendum, the capitalized expressions shall have the following meanings:

    i) “Applicable Data Protection Laws”

    All applicable international, national, federal, state, provincial or local laws, regulations, orders, statutes, administrative orders or treaties, judgments, court orders, and any other requirements of any relevant government or government agency or regulatory authority with regard to the processing of Personal Data (including without limitation and where applicable, European Data Protection Law, CCPA and LGPD);

    ii) “CCPA”

    The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as amended, including without limitation any and all applicable implementing regulations;

    iii) “EEA”

    The European Economic Area;

    iv) “European Data Protection Law”

    (1) the EU General Data Protection Regulation 2016/679 (“GDPR”); (2) the EU e-Privacy Directive (Directive 2002/58/EC); (3) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s (“UK”) European Union (Withdrawal) Act 2018 (the “UK GDPR”); (4) the Swiss Federal Act on Data Protection 1992 (“Swiss DPA”); and (5) any and all applicable national laws made under or pursuant to (1), (2), (3) and (4); in each case as may be amended or superseded from time to time;

    v) “LGPD”

    The Lei Geral de Proteção de Dados (Law No. 13.709/2018), as amended, including without limitation any and all applicable implementing regulations;

    vi) “Personal Data”

    Any personal data (as defined under Applicable Data Protection Laws) which is either supplied by Customer to Chartboost, or which is collected or generated by Chartboost, in both cases in order for Chartboost to provide its Services under the Agreement. For these purposes, personal data shall be deemed to include any personal information and personally identifiable information (or any analogous concept), as those terms are defined under Applicable Data Protection Laws;

    vii) “Processing”

    Any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. “Processes”, “Processing” and “Processed” shall be construed accordingly;

    viii) “Restricted Transfer”

    Means: (i) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not determined to provide adequate protection for Personal Data by the Federal Data Protection and Information Commission or Federal Council (as applicable); and (iv) where another Applicable Data Protection Law applies, a cross-border transfer of personal data from that jurisdiction to any other country which is not based on adequacy regulations pursuant to that Applicable Data Protection Law;

    ix) “SCCs”

    Means: (i) where the GDPR or Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”); and (iii) where another Applicable Data Protection Law applies, the standard contractual clauses or other appropriate cross-border transfer mechanisms approved or adopted by an appropriate data protection authority or similar body under that Applicable Data Protection Law; and

    x) “Services”

    The services provided by Chartboost to Customer under the Agreement (see Agreement for a description of the services).

    Other capitalized expressions that are used but not defined in this Addendum shall have the meanings given to them in the Agreement.

  2. SCOPE AND PURPOSE OF THE ADDENDUM

    2.1. This Addendum relates to the Processing of the Personal Data by Chartboost to provide the Services to Customer under the Agreement. The purpose of this Addendum is to specify the Parties’ responsibilities with respect to Processing of Personal Data pertaining to the Services provided by Chartboost.

    2.2. To provide the Services, Customer acknowledges and agrees that Chartboost shall process the Personal Data for the purposes described in Chartboost’s privacy policy as published at https://docs.chartboost.com/en/legal/privacy-policy/ (the “Permitted Purpose”).

    2.3. The Parties acknowledge and agree that any Processing of Personal Data for the Permitted Purpose must at all times be in strict compliance with Applicable Data Protection Laws. Each party shall be individually and separately responsible for ensuring its Processing of Personal Data complies with Applicable Data Protection Laws.

  3. INTERNATIONAL TRANSFERS OF DATA

    3.1. Chartboost is a company based in the U.S. Customer acknowledges that in the context of the provision of Services under the Agreement, Personal Data may be transferred to Chartboost in the US to Process for the Permitted Purpose, provided that any such transfer will comply with the conditions imposed by Applicable Data Protection Laws on international transfers of data.

    3.2. Specifically, where Customer makes a Restricted Transfer of Personal Data to Chartboost, the SCCs will be incorporated into this Addendum between the Customer (as “Data Exporter”) and Chartboost (as “Data Importer”) by reference and form an integral part of this Addendum, with each Party deemed to have entered into the SCCs in its own name and on its own behalf as follows:

    3.2.1. In relation to Personal Data that is protected by the GDPR, the EU SCCs will apply completed as follows:

    (i) Module One will apply; (ii) in Clause 7, the optional docking clause will not apply; (iv) in Clause 11, the optional language will not apply; (v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law; (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule A to this Addendum; and (viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule B to this Addendum. 3.2.2. In relation to Personal Data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:

    (i) as set out above in clause 3.2.1 of this Addendum and the EU SCCs shall be deemed amended as specified by Part 2 of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018 (“UK Addendum“) in respect of the transfer of such Personal Data; and (ii) tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above at clause 3.2.1 (as applicable), in Schedule A and Schedule B of this Addendum and table 4 in Part 1 shall be deemed completed by selecting “neither party”. 3.2.3. In relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply as set out in Section 3.2.1 of this Addendum amended as follows:

    (i) references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA; (ii) references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA; (iii) references to ‘EU’, ‘Union’ and ‘Member State’ will be deemed replaced with ‘Switzerland’; (iv) references to the ‘competent supervisory authority’ are replaced with the ‘Swiss Federal Data Protection Information Commissioner’; and (v) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland.

    3.2.4. In relation to Personal Data that is protected by another Applicable Data Protection Law, the Data Exporter and the Data Importer agree that such SCCs shall automatically apply to the transfer of Personal Data from the Data Exporter to the Data Importer and, where applicable, shall be deemed completed on a mutatis mutandis basis to the completion of the SCCs as described above.

    3.3. In addition to Section 3.2, prior to, and at regular intervals following, any Restricted Transfer, Chartboost and Customer shall assess whether Applicable Data Protection Laws prevent either Party from fulfilling the applicable obligations under the SCCs, and are likely to have a substantial adverse effect on the guarantees provided by the SCCs. Each Party shall, where necessary and in close coordination with the other Party, take appropriate additional safeguards to ensure a level of protection of the Personal Data that is essentially equivalent to that guaranteed under Applicable Data Protection Laws. This includes safeguards to prevent any access to the Personal Data by public authorities, including national security authorities, against which no enforceable rights and effective legal remedies are available to the data subjects.

    3.4. Notwithstanding other obligations in the Agreement (including this Addendum) to implement appropriate technical and organizational measures, the Parties are obliged, as far as possible, to encrypt Personal Data processed under this Addendum immediately upon receipt and to only transmit Personal Data using robust end-to-end encryption. All processing of Personal Data is subject to each Party’s obligation of confidentiality under the Agreement (including this Addendum). A Party will not disclose Personal Data to law enforcement, other governmental authority, or other persons unless such Party receives a civil or criminal subpoena, warrant, or other official and written request which (a) is issued by such competent law enforcement, other governmental authority with the authority and jurisdiction to demand the disclosure, and (b) is legally binding on such Party and requires such Party to disclose Personal Data in response thereto. Such Party will only provide Personal Data if, and to the extent that, it is necessary and proportionate to comply with such a request for disclosure.

  4. COMPLIANCE WITH APPLICABLE DATA PROTECTION LAWS

    4.1. In performing the Agreement, Parties shall comply with their respective obligations under Applicable Data Protection Laws.

    4.2. Chartboost shall respond promptly and in good faith to reasonable enquiries from Customer relating to its Processing of Personal Data in the context of the Agreement.

    4.3. If a Party receives a complaint, notice or communication from a competent data protection authority which relates to the processing of Personal Data in the context of Chartboost’s Services under the Agreement, it shall, to the extent permitted by law, promptly notify the other party and provide such information as it may reasonably request.

    4.4. Should a competent data protection authority deem the Processing of the Personal Data in the context of the Agreement unlawful, Parties shall take action to ensure future compliance with the Applicable Data Protection Laws, and notify the other Party of these actions.

  5. RIGHTS OF DATA SUBJECTS

    5.1. Chartboost shall implement appropriate technical and organizational measures to fulfill any request from a data subject to exercise its rights under Applicable Data Protection Laws with respect to Personal Data that Chartboost Processes for the Permitted Purpose. Chartboost shall respond to any such requests in the manner, and within any timescale required by, Applicable Data Protection Laws.

    5.2. In the event a Party (the “Receiving Party”) receives a request from a data subject exercising its statutory rights under Applicable Data Protection Laws with respect to the other Party’s Processing of their Personal Data (the “Other Party”), the Receiving Party shall promptly inform the Other Party and the Parties shall co-operate in good faith to the extent necessary to fulfill the data subject’s statutory rights.

  6. CONFIDENTIALITY AND SECURITY

    6.1. Chartboost shall keep the Personal Data confidential and shall not disclose the Personal Data to any third party unless that party acts as a processor to Chartboost, disclosure is required by applicable law, or unless the Personal Data has been aggregated so that identification of individuals is not reasonably possible. Chartboost undertakes that any person within its organization that it authorizes to have access to the Personal Data has committed to act in accordance with its instructions and shall respect and maintain the confidentiality and security of such Personal Data.

    6.2. Chartboost shall implement all technical, physical and organizational security measures, as specified in Schedule B and such other security measures as may be required from time to time by Applicable Data Protection Laws to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other forms of unlawful Processing (including, but not limited to unnecessary collection or further Processing).

  7. GOVERNING LAW AND JURISDICTION

    7.1. This Addendum and the relationship between the Parties and all matters arising out of or in any way relating to this Addendum (whether in contract, tort or otherwise) shall be governed by, and interpreted in accordance with, the laws of California, excluding its conflict of law rules and except as may otherwise be required by Applicable Data Protection Laws. The application of the Vienna Convention 1980 is expressly excluded.

    7.2. Each of the Parties irrevocably agrees that the courts in the Northern District of California shall have exclusive jurisdiction to hear and determine any suit, action or proceeding arising out of or in connection with this Addendum, except as may otherwise be required by Applicable Data Protection Laws.

    Signed by duly authorized representatives of the Parties:

    SCHEDULE A – DATA PROTECTION DESCRIPTION

    LIST OF PARTIES

    Data exporter(s)

    Name: The entity identified as the Customer in the Agreement
    Address: As per the Agreement
    Contact person’s name, position and contact details: As per the Agreement
    Activities relevant to the data transferred under these Clauses: The Services as set out in the Agreement
    Signature and date: This Schedule A shall be deemed executed upon execution of the Agreement. See signature page to the Agreement
    Role (controller/processor): Controller

    Data importer(s)

    Name: Chartboost, Inc.
    Address: As per the Agreement
    Contact person’s name, position and contact details: As per the Agreement
    Activities relevant to the data transferred under these Clauses: The Services as set out in the Agreement
    Signature and date: This Schedule A shall be deemed executed upon execution of the Agreement. See signature page to the Agreement
    Role (controller/processor): Controller

    DESCRIPTION OF TRANSFER

    Categories of data subjects whose personal data is transferred: End users of Online Services Apps (as defined in the Agreement) and Customer personnel

    Categories of personal data transferred: Device-related Personal Data of the data subjects described above, including: bundle ID, language ID, operating system version, device model, software developer kit (SDK) version, unique device identifier, IP address, and similar data related to the provision of Online Services Apps

    Sensitive data: Not Applicable

    The frequency of the transfer: Happening on a continuous basis for the length of the Agreement

    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The Personal Data will be retained for the length of the Agreement. The criteria used to determine that period will be based on the length of time necessary to fulfill the purposes for which personal data is collected and any period of time required to comply with legal and regulatory obligations or to defend Chartboost’s interests (in case of a dispute)

    Identify the competent supervisory authority/ies: For Personal Data protected under the GDPR: Agencia Española de Protección de Datos (AEPD) in Spain. For Personal Data protected under the Swiss DPA: Federal Data Protection and Information Commissioner (FDPIC). For Personal Data protected under the UK GDPR: Information Commissioner’s Office.

    SCHEDULE B – TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

    The technical and organizational security measures implemented by Chartboost include:

    Access control to premises and facilities (physical): Chartboost will maintain commercially reasonable physical security systems at all Chartboost sites which are used to deliver services to the Customer.

    Access control to systems (virtual): Chartboost will establish and maintain safeguards against accidental or unauthorized access to, destruction of, loss of, or alteration of the Personal Data: Access will be granted to employees through documented access request procedures. The employees’ managers or other responsible individuals must authorize or validate access before it is given. Access control policy is to enable SSO, Multi-Factor Authentication, and password complexity rules on all third party systems that support these features. Password requirements: at least 8 characters long with at least one capital letter, one lowercase, one number, and one special character. Password cannot be repeated from the last 10 used passwords. Administrative access will be restricted to prevent changes to systems or applications. Users will be assigned a single account and prohibited from sharing accounts.

    Access control to data: Individuals will request access and justify a need to retain access as part of a documented access request process. Their managers or other responsible individuals must authorize or approve access before it is authorized. Access will be granted only after verifying identity through an approved “access control form”, i.e. LAN Logon ID, application access ID, or other similar identification. Unique User IDs and passwords will be issued to the users. Users, once authenticated, will be authorized for access levels based on their job functions. Chartboost will promptly act to revoke access due to termination, a change in job function, or in observance of user inactivity or extended absence.

    Disclosure control: Chartboost will deliver technology and processes designed to minimize access for illegitimate processing. Printing access and outbound email will be restricted for agents, unless provided by the Customer over Customer-provided services or if access to such applications is specifically required to meet business requirements.

    Input control: Chartboost will maintain system and database logs for access to user data under Chartboost control. All Chartboost systems must be configured to provide event logging to identify a system compromise, unauthorized access, or any other security violation. Logs must be protected from unauthorized access or modification.

    Job control: Technical and organizational measures to segregate the responsibilities between the Customer and Chartboost would include: Data Processing activities will be carried out in a secure remote cloud location and not on employee workstations. All Employee workstations have disk encryption.

    Availability control: Back ups are once a day or immediately depending on the application/system being used on shared/team drives. Upon detection of a virus or malware, Chartboost will take immediate steps to arrest the spread and damage of the virus or malware and to eradicate the virus or malware.