Data Sharing Addendum

This Data Sharing Addendum (“Addendum”) applies to the Processing of Personal Data in the context of the services provided by Chartboost to Customer (Chartboost and Customer are hereinafter jointly referred to as the “Parties” and separately as a “Party”), as agreed in the Chartboost Terms and Conditions (the “Agreement”) which are currently located at https://answers.chartboost.com/en-us/articles/200780239. In the event of any conflict between the Addendum and the Agreement, this Addendum shall prevail to the extent of such conflict. Schedule A (Security measures) forms an integral part of this Addendum. Both Chartboost and Customer act as a controller in respect to the processing of Personal Data in the context of the services provided by Chartboost to Customer.
 
THE PARTIES NOW HEREBY AGREE AS FOLLOWS:
 

1. DEFINITIONS

In this Addendum, the capitalized expressions shall have the following meaning:
i) “Applicable Data Protection Laws” All international, European Union, national, provincial or local law, regulation, order, statute, administrative order or treaty, judgment, court order, or any other requirement of any relevant government or government agency or regulatory authority with regard to the processing of personal data;
ii) “Model Clauses” (d) The standard contractual clauses for Controllers as approved by the European Commission (Decision C(2004)5271) and available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32004D0915&from=EN (as amended or updated from time to time) (with “subclause (iii)” inserted in Article II, subclause h(iii));
iii) “Personal Data” Information, relating to an identified or identifiable natural person, which is either supplied by Customer to Chartboost, or which is collected or generated by Chartboost, in both cases in order for Chartboost to provide its services under the Agreement;
iv) “Processing” An operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. “Processes”, “Processing” and “Processed” shall be construed accordingly.
Capitalized expressions used but not defined in this Addendum shall have the meaning set forth in the Agreement.
 

2. SCOPE AND PURPOSE OF THE ADDENDUM

2.1. This Addendum relates to the Processing of the Personal Data by Chartboost in the context of providing the services under the Agreement, as further described in Chartboost’s privacy policy as published on its website at https://answers.chartboost.com/en-us/articles/115001489623. Customer declares that it is fully aware of the contents of Chartboost’s privacy policy.
 
2.2. The Parties acknowledge the importance that any Processing of Personal Data in the context of the Agreement must at all times be in strict compliance with Applicable Data Protection Laws. The purpose of this Addendum is to further specify the Parties’ mutual responsibilities with respect to Processing of Personal Data pertaining to the services provided by Chartboost.
 
2.3. Chartboost is a company based in the U.S. Customer acknowledges that in the context of the provision of services under the Agreement, Personal Data may be transferred from the European Economic Area to Chartboost in the US, provided that this transfer will take place with due observance of the conditions imposed by Applicable Data Protection Laws to such international transfers of data. Specifically, where Customer Processes Personal Data under this Addendum that originates from the EEA, Switzerland and/or the United Kingdom, any such processing shall be conditional on the Parties complying with (and procuring any of its sub-processors comply with) the Model Clauses, which are incorporated by reference and form an integral part of this Addendum. Purely for the purposes of the descriptions in the Model Clauses and only as between Customer and Chartboost, Chartboost agrees that it is a “data importer” and Customer is the “data exporter” under the Model Clauses (notwithstanding that Customer may be located outside the EEA and may itself be a processor acting on behalf of third party controllers). Further, Schedule B of this Addendum will take the place of Annex B of the Model Clauses. In any case, the Model Clauses shall prevail over this Addendum to the extent of any conflict.
 
2.4. In addition to Section 2.3, prior to, and at regular intervals following, any transfer, Chartboost and Customer shall jointly assess whether Applicable Data Protection Laws prevent either party from fulfilling the applicable obligations under the Model Clauses, and are likely to have a substantial adverse effect on the guarantees provided by the Model Clauses. Each Party shall, where necessary and in close coordination with the other Party, take appropriate additional safeguards to ensure a level of protection of the personal data that is essentially equivalent to that guaranteed under European Data Protection Law. This includes safeguards to prevent any access to the Personal Data by public authorities, including national security authorities, against which no enforceable rights and effective legal remedies are available to the data subjects.
 
2.5. Notwithstanding other obligations in the Agreement (including this Addendum) to implement appropriate technical and organizational measures, the Parties are obliged, as far as possible, to encrypt Personal Data processed under this Addendum immediately upon receipt and to only transmit Personal Data using robust end-to-end encryption. All processing of Personal Data is subject to each Party’s obligation of confidentiality under the Agreement (including this Addendum).  A Party will not disclose Personal Data to law enforcement, other governmental authority, or other persons unless such Party receives a civil or criminal subpoena, warrant, or other official and written request which (a) is issued by such competent law enforcement, other governmental authority with the authority and jurisdiction to demand the disclosure, and (b) is legally binding on such Party and requires such Party to disclose Personal Data in response thereto.  Such Party will only provide Personal Data if, and to the extent that, it is necessary and proportionate to comply with such a request for disclosure.
 

3. COMPLIANCE WITH APPLICABLE DATA PROTECTION LAWS

3.1. In performing the Agreement, Parties shall comply with their respective obligations under Applicable Data Protection Laws.
 
3.2. Chartboost shall endeavour to deal promptly and in good faith with reasonable enquiries from Customer relating to its Processing of Personal Data in the context of the Agreement.
 
3.3. If a Party receives a complaint, notice or communication from a competent data protection authority which relates to the processing of Personal Data in the context of Chartboost’s services under the Agreement, it shall, to the extent permitted by law, promptly notify the other party and provide such information as it may reasonably request.
 
3.4. Should a competent data protection authority deem the Processing of the Personal Data in the context of the Agreement unlawful, Parties shall take action to ensure future compliance with the Applicable Data Protection Laws, and notify the other Party of these actions.
 

4. RIGHTS OF DATA SUBJECTS

4.1. Chartboost shall implement appropriate technical and organizational measures for the fulfilment of its obligation to comply with rights afforded to data subjects under Applicable Data Protection Laws.
 
4.2. In the event a data subject exercises their statutory rights under Applicable Data Protection Laws with respect to the Parties’ respective Processing of their Personal Data, the Parties shall co-operate in an expedited manner to the extent this is necessary to fulfil the statutory obligations towards the data subject.
 

5. CONFIDENTIALITY AND SECURITY

5.1. Chartboost shall keep the Personal Data confidential and shall not disclose the Personal Data to any third party unless that party acts as a processor to Chartboost or unless the Personal Data has been aggregated so that identification of individuals is not reasonably possible. Chartboost undertakes that any person within its organization that it authorizes to have access to the Personal Data has committed to act in accordance with its instructions and shall respect and maintain the confidentiality and security of such Personal Data.
 
5.2. Chartboost shall implement all technical, physical and organizational security measures, as specified in Schedule A and such other security measures as may be required from time to time by Applicable Data Protection Laws to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other forms of unlawful Processing (including, but not limited to unnecessary collection or further Processing).
 

6. GOVERNING LAW AND JURISDICTION

6.1. This Addendum and the relationship between the Parties and all matters arising out of or in any way relating to this Addendum (whether in contract, tort or otherwise) shall be governed by, and interpreted in accordance with, the laws of California, excluding its conflict of law rules. The application of the Vienna Convention 1980 is expressly excluded.
 
6.2. Each of the Parties irrevocably agrees that the courts in the Northern District of California shall have exclusive jurisdiction to hear and determine any suit, action or proceeding arising out of or in connection with this Addendum.
 

SCHEDULE A – SECURITY MEASURES

The technical and organizational security measures implemented by Chartboost include:
  1. Access control to premises and facilities (physical)
    • Chartboost will maintain commercially reasonable physical security systems at all Chartboost sites which are used to deliver services to the Customer.
 
  2. Access control to systems (virtual)
Chartboost will establish and maintain safeguards against accidental or unauthorized access to, destruction of, loss of, or alteration of the Personal Data:
 
  • Access will be granted to employees through documented access request procedures. The employees’ managers or other responsible individuals must authorize or validate access before it is given.
  • Access control policy is to enable SSO, Multi-factor Authorisation, and password complexity rules on all third party systems that support these features.
  • Password requirements: at least 8 characters long with at least one capital letter, one lowercase, one number, and one special character. Password cannot be repeated from the last 10 used passwords.
  • Administrative access will be restricted to prevent changes to systems or applications.
  • Users will be assigned a single account and prohibited from sharing accounts.
 
  3. Access control to data:
Individuals will request access and justify a need to retain access as part of a documented access request process. Their managers or other responsible individuals must authorize or approve access before it is authorized.
  • Access will be granted only after verifying identity through an approved “access control form”, i.e. LAN Logon ID, application access ID, or other similar identification.
  • Unique User IDs and passwords will be issued to the users.
  • Users, once authenticated, will be authorized for access levels based on their job functions.
  • Chartboost will promptly act to revoke access due to termination, a change in job function, or in observance of user inactivity or extended absence.
 
  4. Disclosure control:
Chartboost will deliver technology and processes designed to minimize access for illegitimate processing.
  • Printing access, and outbound email will be restricted for agents, unless provided by the Customer over Customer-provided services or if access to such applications is specifically required to meet business requirements.
 
  5. Input control:
  • Chartboost will maintain system and database logs for access to user data under Chartboost control.
  • All Chartboost systems must be configured to provide event logging to identify a system compromise, unauthorized access, or any other security violation. Logs must be protected from unauthorized access or modification.
 
  6. Job control:
Technical and organizational measures to segregate the responsibilities between the Customer and Chartboost would include:
  • Data Processing activities will be carried out in a secure remote cloud location and not on employee workstations.
  • All Employee workstations have disk encryption.
 
  7. Availability control:
  • Backups are once a day or immediately depending on the application/system being used on shared/team drives.
  • Upon detection of a virus or malware, Chartboost will take immediate steps to arrest the spread and damage of the virus or malware and to eradicate the virus or malware.
 

SCHEDULE B – DETAILS OF PROCESSING

 
Data Subjects: End users of Online Services Apps and Customer personnel.
 
Purposes of the transfer(s): Provision and optimization of the Online Services
 
Categories of data: Personal data of Data Subjects, amongst which are:  bundle ID, language ID, operating system version, device model, software developer kit (SDK) version, unique device identifier, IP address, and similar data related to the provision of Online Services.
 
Recipients: Chartboost personnel and third parties including Chartboost’s approved business partners: DSPs, advertisers, measurement/attribution companies, and advertising services companies.
 
Sensitive data: N/A
 
Data protection registration information of the exporter (where applicable): N/A
 
Additional useful information: N/A
 
Contact points for data protection inquiries: privacy@chartboost.com