Data Sharing Addendum

This Data Sharing Addendum ( “Addendum”) applies to the Processing of Personal Data in the context of the Services provided by Chartboost, Inc.  to Customer (as set forth below in the signature block below) (Chartboost and Customer are hereinafter jointly referred to as the “Parties” and separately as a “Party”), as agreed in the Chartboost RTB Demand-Side Agreement between Parties dated —————— (the “ Agreement”). In the event of any conflict between the Addendum and the Agreement, this Addendum shall prevail to the extent of such conflict. The Schedules to this Addendum form an integral part of it. Both Chartboost and Customer act as a controller in relation to the processing of Personal Data in the context of the Services (as defined below) provided by Chartboost to Customer.

THE PARTIES NOW HEREBY AGREE AS FOLLOWS:

1. DEFINITIONS

In this Addendum, the capitalized expressions shall have the following meanings:
i)       “Applicable Data Protection Laws” All applicable international national, federal, state, provincial or local laws, regulations, orders, statutes, administrative orders or treaties, judgments, court orders, and any other requirements of any relevant government or government agency or regulatory authority with regard to the processing of Personal Data (including without limitation and where applicable, European Data Protection Law, CCPA and LGPD);  
ii)      “CCPA” The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as amended, including without limitation any and all applicable implementing regulations;  
iii)     “EEA” The European Economic Area;  
iv)     “European Data Protection Law” (1) the EU General Data Protection Regulation 2016/679 (“GDPR”); (2) the EU e-Privacy Directive (Directive 2002/58/EC); (3) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s (“UK”) European Union (Withdrawal) Act 2018 (the “UK GDPR”); (4) the Swiss Federal Act on Data Protection 1992 (“Swiss DPA”); and (5) any and all applicable national laws made under or pursuant to (1), (2), (3) and (4); in each case as may be amended or superseded from time to time;  
v)      “LGPD” The Lei Geral de Proteção de Dados (Law No. 13.709/2018), as amended, including without limitation any and all applicable implementing regulations;  
vi)     “Personal Data” Any personal data (as defined under Applicable Data Protection Laws) which is either supplied by Customer to Chartboost, or which is collected or generated by Chartboost, in both cases in order for Chartboost to provide its Services under the Agreement.  For these purposes, personal data shall be deemed to include any personal information and personally identifiable information (or any analogous concept), as those terms are defined under Applicable Data Protection Laws;  
vii)    “Processing” Any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. “Processes”, “Processing” and “Processed” shall be construed accordingly;  
viii)   “Restricted Transfer” Means: (i) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission;  (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not determined to provide adequate protection for Personal Data by the Federal Data Protection and Information Commission or Federal Council (as applicable); and (iv) where another Applicable Data Protection Law applies, a cross-border transfer of personal data from that jurisdiction to any other country which is not based on adequacy regulations pursuant to that Applicable Data Protection Law;  
ix)     “SCCs” Means: (i) where the GDPR or Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”); and (iii) where another Applicable Data Protection Law applies, the standard contractual clauses or other appropriate cross-border transfer mechanisms approved or adopted by an appropriate data protection authority or similar body under that Applicable Data Protection Law; and  
x)      “Services” The services provided by Chartboost to Customer under the Agreement (see Agreement for a description of the services).

Other capitalized expressions that are used but not defined in this Addendum shall have the meanings given to them in the Agreement.  

2. SCOPE AND PURPOSE OF THE ADDENDUM

  • 2.1.   This Addendum relates to the Processing of the Personal Data by Chartboost to provide the Services to Customer under the Agreement.  The purpose of this Addendum is to specify the Parties’ responsibilities with respect to Processing of Personal Data pertaining to the Services provided by Chartboost.
  • 2.2.   To provide the Services, Customer acknowledges and agrees that Chartboost shall process the Personal Data for the purposes described in Chartboost’s privacy policy as published   at https://answers.chartboost.com/en-us/articles/200780269 (the “Permitted Purpose”).
  • 2.3.   The Parties acknowledge and agree that any Processing of Personal Data for the Permitted Purpose must at all times be in strict compliance with Applicable Data Protection Laws. Each party shall be individually and separately responsible for ensuring its Processing of Personal Data complies with Applicable Data Protection Laws.
 

3. INTERNATIONAL TRANSFERS OF DATA

  • 3.1.   Chartboost is a company based in the U.S. Customer acknowledges that in the context of the provision of Services under the Agreement, Personal Data may be transferred to Chartboost in the US to Process for the Permitted Purpose, provided that any such transfer will comply with the conditions imposed by Applicable Data Protection Laws on international transfers of data.
  • 3.2.   Specifically, where Customer makes a Restricted Transfer of Personal Data to Chartboost, the SCCs will be incorporated into this Addendum between the Customer (as “Data Exporter“) and Chartboost (as “Data Importer“) by reference and form an integral part of this Addendum, with each Party deemed to have entered into the SCCs in its own name and on its own behalf as follows:
    • 3.2.1.   In relation to Personal Data that is protected by the GDPR, the EU SCCs will apply completed as follows:
      • (i) Module One will apply;
      • (ii) in Clause 7, the optional docking clause will not apply;
      • (iv) in Clause 11, the optional language will not apply;
      • (v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
      • (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
      • (vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule A to this Addendum; and
      • (viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule B to this Addendum.
 
    • 3.2.2.   In relation to Personal Data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:
      • (i) For so long as it is lawfully permitted to rely on the standard contractual clauses for the transfer of personal data to controllers set out in the European Commission’s Decision 2004/915/EC of 27 December 2004  (“Prior C2C SCCs”) for transfers of personal data from the United Kingdom, the Prior C2C SCCs shall apply between the transferring Data Exporter and the Data Importer on the following basis:
        • (A) in Clause II (h): the Data Importer and Data Exporter choose option (iii);
        • (B) in Annex B: with the information set out in the relevant part of Schedule B to this Agreement; and
        • (C) the “Illustrative Commercial Clauses (Optional)” shall be deemed deleted.
 
      • (ii) Where sub-section 3.2.2(i)  above does not apply, but the Data Exporter and Data Importer are lawfully permitted to rely on the EU SCCs for transfers of UK Personal Data subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then:
        • (A) the EU SCCs, completed as set out above in section 3.2.1, shall also apply to transfers of such Personal Data, subject to sub-section 3.2.2(ii)(B) below;
        • (B) the UK Addendum shall be deemed executed between the transferring Data Exporter and the Data Importer, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Personal Data.
 
      • (iii) If neither sub-section 3.2.2(i) or sub-section 3.2.2(ii) applies, then the transferring Data Exporter and the Data Importer shall cooperate in good faith to implement appropriate safeguards for transfers of such Personal Data as required or permitted by the UK GDPR without undue delay.
 
    • 3.2.3.   In relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply as set out in Section 3.2.1 of this Addendum amended as follows:
      • (i) references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA;
      • (ii) references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA;
      • (iii) references to ‘EU’, ‘Union’ and ‘Member State’ will be deemed replaced with ‘Switzerland’;
      • (iv) references to the ‘competent supervisory authority’ are replaced with the ‘Swiss Federal Data Protection Information Commissioner’; and
      • (v) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland;
 
    • 3.2.4.   In relation to Personal Data that is protected by another Applicable Data Protection Law, the Data Exporter and the Data Importer agree that such SCCs shall automatically apply to the transfer of Personal Data from the Data Exporter to the Data Importer and, where applicable shall be deemed completed on a mutatis mutandis basis to the completion of the SCCs as described above.
  • 3.3.   In addition to Section 3.2. prior to, and in regular intervals following any Restricted Transfer, Chartboost and Customer shall assess whether Applicable Data Protection Laws prevent either party from fulfilling the applicable obligations under the SCCs, and is likely to have a substantial adverse effect on the guarantees provided by the SCCs. Each Party shall, where necessary and in close coordination with the other Party, take appropriate additional safeguards to ensure a level of protection of the Personal Data that is essentially equivalent to that guaranteed under Applicable Data Protection Laws.  This includes safeguards to prevent any access to the Personal Data by public authorities, including national security authorities, against which no enforceable rights and effective legal remedies are available to the data subjects.
  • 3.4.   Notwithstanding other obligations in the Agreement (including this Addendum) to implement appropriate technical and organizational measures, the Parties are obliged, as far as possible, to encrypt Personal Data processed under this Addendum immediately upon receipt and to only transmit Personal Data using robust end-to-end encryption. All processing of Personal Data is subject to each Party’s obligation of confidentiality under the Agreement (including this Addendum).  A Party will not disclose Personal Data to law enforcement, other governmental authority, or other persons unless such Party receives a civil or criminal subpoena, warrant, or other official and written request which (a) is issued by such competent law enforcement, other governmental authority with the authority and jurisdiction to demand the disclosure, and (b) is legally binding on such Party and requires such Party to disclose Personal Data in response thereto.  Such Party will only provide Personal Data if, and to the extent that, it is necessary and proportionate to comply with such a request for disclosure.
 

4. COMPLIANCE WITH APPLICABLE DATA PROTECTION LAWS

  • 4.1.   In performing the Agreement, Parties shall comply with their respective obligations under Applicable Data Protection Laws.
  • 4.2.   Chartboost shall respond promptly and in good faith with reasonable enquiries from Customer relating to its Processing of Personal Data in the context of the Agreement.
  • 4.3.   If a Party receives a complaint, notice or communication from a competent data protection authority which relates to the processing of Personal Data in the context of Chartboost’s Services under the Agreement, it shall, to the extent permitted by law, promptly notify the other party and provide such information as it may reasonably request.
  • 4.4.   Should a competent data protection authority deem the Processing of the Personal Data in the context of the Agreement unlawful, Parties shall take action to ensure future compliance with the Applicable Data Protection Laws, and notify the other Party of these actions.

5. RIGHTS OF DATA SUBJECTS

  • 5.1.   Chartboost shall implement appropriate technical and organizational measures to fulfill any request from a data subject to exercise its rights under Applicable Data Protection Laws with respect to Personal Data that Chartboost Processes for the Permitted Purpose.  Chartboost shall respond to any such requests in the manner, and within any timescale required by, Applicable Data Protection Laws.
  • 5.2.   In the event a Party (the “Receiving Party”) receives a request from a data subject exercising its statutory rights under Applicable Data Protection Laws with respect to the other Party’s Processing of their Personal Data (the “Other Party”), the Receiving Party shall promptly inform the Other Party and the Parties shall co-operate in good faith to the extent necessary to fulfill the data subject’s statutory rights.

6. CONFIDENTIALITY AND SECURITY

  • 6.1.   Chartboost shall keep the Personal Data confidential and shall not disclose the Personal Data to any third party unless that party acts as a processor to Chartboost, disclosure is required by applicable law, or unless the Personal Data has been aggregated so that identification of individuals is not reasonably possible. Chartboost undertakes that any person within its organization that it authorizes to have access to the Personal Data has committed to act in accordance with its instructions and shall respect and maintain the confidentiality and security of such Personal Data.
  • 6.2.   Chartboost shall implement all technical, physical and organizational security measures, as specified in Schedule B and such other security measures as may be required from time to time by Applicable Data Protection Laws to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other forms of unlawful Processing (including, but not limited to unnecessary collection or further Processing).

7. GOVERNING LAW AND JURISDICTION

  • 7.1.   This Addendum and the relationship between the Parties and all matters arising out of or in any way relating to this Addendum (whether in contract, tort or otherwise) shall be governed by, and interpreted in accordance with, the laws of California, excluding its conflict of law rules and except as may otherwise be required by Applicable Data Protection Laws. The application of the Vienna Convention 1980 is expressly excluded.
  • 7.2.   Each of the Parties irrevocably agrees that the courts in the Northern District of California, shall have exclusive jurisdiction to hear and determine any suit, action or proceeding arising out of or in connection with this Addendum, except as may otherwise by required by Applicable Data Protection Laws.
 

SCHEDULE A – DATA PROTECTION DESCRIPTION

DESCRIPTION OF TRANSFER  
Categories of data subjects whose personal data is transferred: End users of Online Services Apps (as defined in the Agreement) and Customer personnel
Categories of personal data transferred: Device-related Personal Data of the data subjects described above, including:  bundle ID, language ID, operating system version, device model, software developer kit (SDK) version, unique device identifier, IP address, and similar data related to the provision of Online Services Apps  
Sensitive data: Not Applicable
The frequency of the transfer: Happening on a continuous basis for the length of the Agreement
Nature and purposes of the transfer and processing: Performance of the Services (as defined in the Agreement)  
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The Personal Data will be retained for the length of the Agreement. The criteria used to determine that period will be based on the length of time necessary to fulfill the purposes for which personal data is collected and any period of time required to comply with legal and regulatory obligations or to defend Chartboost’s interests (in case of a dispute)  
Identify the competent supervisory authority/ies:
 

SCHEDULE B – TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

  The technical and organizational security measures implemented by Chartboost include:
  1. Access control to premises and facilities (physical): Chartboost will maintain commercially reasonable physical security systems at all Chartboost sites which are used to deliver services to the Customer.
 
  1. Access control to systems (virtual)

Chartboost will establish and maintain safeguards against accidental or unauthorized access to, destruction of, loss of, or alteration of the Personal Data:

  • Access will be granted to employees through documented access request procedures. The employees’ managers or other responsible individuals must authorize or validate access before it is given.
  • Access control policy is to enable SSO, Multi-Factor Authentication, and password complexity rules on all third party systems that support these feature.
  • Password requirements: at least 8 characters long with at least one capital letter, one lowercase, one number, and one special character. Password cannot be repeated from the last 10 used passwords
  • Administrative access will be restricted to prevent changes to systems or applications.
  • Users will be assigned a single account and prohibited from sharing accounts.
 
  1. Access control to data:
  • Individuals will request access and justify a need to retain access as part of a documented access request process. Their managers or other responsible individuals must authorize or approve access before it is authorized.
  • Access will be granted only after verifying identity through an approved “access control form”, i.e. LAN Logon ID, application access ID, or other similar identification
  • Unique User IDs and passwords will be issued to the users.
  • Users, once authenticated, will be authorized for access levels based on their job functions.
  • Chartboost will promptly act to revoke access due to termination, a change in job function, or in observance of user inactivity or extended absence.
 
  1. Disclosure control:
  • Chartboost will deliver technology and processes designed to minimize access for illegitimate processing.
  • Printing access, and outbound email will be restricted for agents, unless provided by the Customer over Customer-provided services or if access to such applications is specifically required to meet business requirements.
 
  1. Input control:
  • Chartboost will maintain system and database logs for access to user data under Chartboost control.
  • All Chartboost systems must be configured to provide event logging to identify a system compromise, unauthorized access, or any other security violation. Logs must be protected from unauthorized access or modification.
 
  1. Job control:

Technical and organizational measures to segregate the responsibilities between the Customer and Chartboost would include:

  • Data Processing activities will be carried out in a secure remote cloud location and not on employee workstations.
  • All Employee workstations have disk encryption.
 
  1. Availability control:
  • Back ups are once a day or immediately depending on the application/system being used on shared/team drives
  • Upon detection of a virus or malware, Chartboost will take immediate steps to arrest the spread and damage of the virus or malware and to eradicate the virus or malware.