AdCellerant Data Privacy Terms

The following data protection terms and conditions (“Data Privacy Terms”), form an integral part of the underlying Master Services Agreement (“Agreement”) between AdCellerant UK Ltd, incorporated and registered in England and Wales with company number 16397522 whose registered office is at 10 John Street, London, United Kingdom, WC1N 2EB (the “Company”), and the client specified in the relevant Agreement (“Client”) (each, a “Party” or together, the “Parties”) with respect to the Processing of Personal Data in the course of performing work and services on behalf of the Client (“Services”).  The Parties agree that these Data Privacy Terms replace or supersede any existing Data Privacy Terms or similar documents that the Parties may have previously entered into with regard to the Processing of Personal Data in connection with the Services.  In the case of conflict or ambiguity between:
  1. any provision contained in the body of these Data Privacy Terms and any provision contained in the Attachments (excluding any executed SCC), the provision in the body of these Data Privacy Terms will prevail;
  2. any of the provisions of these Data Privacy Terms and the provisions of the Agreement or these Data Privacy Terms, the provisions of these Data Privacy Terms will prevail; and
  3. any of the provisions of these Data Privacy Terms or any other provision contained in the Attachments or any of the documents referred to above and any executed SCCs, the provisions of the executed SCC will prevail.

1. DEFINITIONS

Unless otherwise defined herein, all capitalized terms are as defined in the Agreement. The following definitions shall apply to the Data Privacy Terms and the Agreement:
  1. “Applicable Privacy Laws” means all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the Data Protection Act 2018 (as amended or reenacted, and regulations made thereunder) (“DPA 2018”); the UK GDPR (as defined by the DPA 2018, or where applicable, as defined by any reenacted legislation); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; the General Data Protection Regulation ((EU) 2016/679) (“EU GDPR”); all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Commissioner or other relevant regulatory authority and which are applicable to a party.
  2. “Commissioner” means the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
  3. “Consumer” means an identified or identifiable natural person to whom the Personal Data relates.
  4. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Data Breach”, and “Processing”: have the meanings given in the Applicable Privacy Laws. 
  5. “Client Personal Data” means Personal Data Processed by Company on behalf of Client in connection with the Services, including but not limited to Personal Data provided and/or disclosed by Client’s Advertisers to Client in connection with the Services.
  6. “Purpose” means the purposes for Processing the Personal Data, being the Processing required to enable the Client to provide the Services to the Client as described in the Agreement, or as otherwise confirmed and agreed in writing by the Parties (or either of them). 
  7. “Sensitive Personal Data” shall have the same meaning as the analogous term “Special Category Data” as defined under Applicable Privacy Laws, including, but not limited to, Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life and sexual orientation, genetic data or biometric data. Sensitive Personal Data do not include data relating to criminal offences and convictions, which are addressed separately.
  8. “Standard Contractual Clauses” (“SCCs”) means the ICO’s International Data Transfer Agreement for the transfer of Personal Data from the UK and/or the ICO’s International Data Transfer Addendum to EU Commission Standard Contractual Clauses and/or the European Commission’s Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 as set out in the Annex to Commission Implementing Decision (EU) 2021/914 and/or the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to Processors established in third countries (Controller-to-Processor transfers), as set out in the Annex to Commission Decision 2010/87/EU as adapted for the UK.
  9. “Subprocessor” means any Processor engaged by and contracted with Company for purposes of Processing Client Personal Data.
  10. “Regulator” means any governmental authority that regulates Applicable Privacy Laws, and in respect of the UK GDPR and the DPA 2018, shall include the Commissioner.
In this Agreement, a reference to legislation or a legislative provision is a reference to it as amended, extended or re-enacted from time to time, and includes all subordinate legislation made from time to time under that legislation or legislative provision. For the avoidance of doubt, a reference to writing or written includes email.

2. ROLES OF THE PARTIES

The Parties acknowledge that for purposes of Applicable Privacy Laws:

  1. the Client is the “controller,” or any similar term provided under Applicable Privacy Laws;
  2. the Company is the “processor,” “contractor,” or any similar term provided under Applicable Privacy Laws;
  3. the Client retains control of the Personal Data and remains responsible for its compliance obligations under the Applicable Privacy Laws, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Company; and
  4. Attachment 1 describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Company may process the Personal Data to fulfil the Purposes.

3. COMPANY OBLIGATIONS

  1. The Company will only process the Personal Data to the extent, and in such a manner, as is necessary for the Purposes in accordance with the Client’s written instructions. The Company will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Applicable Privacy Laws. The Company must promptly notify the Client if, in its opinion, the Client’s instructions do not comply with the Applicable Privacy Laws.
  2. The Company must comply promptly with any Client written instructions requiring the Company to amend, transfer, delete, or otherwise process the Personal Data, or to stop, mitigate, or remedy any unauthorised processing.
  3. The Company will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Client or this Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires the Company to process or disclose the Personal Data to a third party, the Company must first inform the Client of such legal or regulatory requirement and give the Client an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
  4. The Company will reasonably assist the Client, at the Client’s cost, with meeting the Client’s compliance obligations under the Applicable Privacy Laws, taking into account the nature of the Company’s processing and the information available to the Company, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner, or other relevant Regulator, under the Applicable Privacy Laws.
  5. The Company must promptly notify the Client of any changes to the Applicable Privacy Laws that may reasonably be interpreted as adversely affecting the Company’s performance of the Agreement or these Data Privacy Terms.
  6. At the Client’s request, the Company will give the Client, or a third party nominated in writing by the Client, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Client.
  7. The Company shall ensure that all of its personnel or affiliates:
    1. are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
    2. have undertaken training on the Applicable Privacy Laws relating to handling Personal Data and how it applies to their particular duties; and
    3. are aware of both the Company’s duties and their personal duties and obligations under the Applicable Privacy Laws and these Data Privacy Terms.

4. GENERAL OBLIGATIONS

  1. Client shall:
    1. Comply with its obligations under Applicable Privacy Laws, and all Client Personal Data has been lawfully collected, and shall ensure that any instructions that it issues to Company shall comply with Applicable Privacy Laws. The Parties agree that the Agreement constitutes Client’s instructions regarding the Processing of Personal Data.
    2. Ensure that it and its Advertisers (as defined by the Agreement) have obtained any and all necessary and legally required consents from any individual, provided any and all necessary and legally required notices to consumers in order to collect, process, share or use such consumer data in connection with Services, and implemented any legally required consent withdrawal or opt out mechanisms (whether by applicable publishers, industry initiatives, Client, or otherwise) so as to enable Company to obtain and Process Client Personal Data lawfully in accordance with Applicable Privacy Laws in connection with the Services.
  2. Each Party shall:
    1. Security: Put in place industry-standard technical and organizational measures to ensure a level of security and confidentiality for Personal Data appropriate to the risks of the Processing, including to protect against unauthorized or unlawful Processing and accidental loss, destruction, or damage.
    2. Personal Data Breach: When required by Applicable Privacy Laws, timely notify the other Party after becoming aware of a Data Breach, in which case the Party that has suffered the Data Breach shall provide reasonable assistance in relation to remediating the Data Breach and complying with related obligations under clause 5 below and the Applicable Privacy Laws.
    3. Complaints and Requests: When required by Applicable Privacy Laws, provide reasonable assistance to another Party in the event of any complaint, request, or communication from a Regulator or Consumer alleging non-compliance with Applicable Privacy Laws or these Data Privacy Terms as a result of the Processing carried out under the Agreement.
    4. Impact Assessments: When required by Applicable Privacy Laws, perform all legally required data protection impact assessments and/or privacy impact assessments.
    5. Access Limits: Limit access to those personnel and Subprocessors performing the Services and related business operations.

5. PERSONAL DATA BREACH

  1. The Company shall, without undue delay, notify the Client if it becomes aware of:
    1. the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Company will restore such Personal Data at its own expense as soon as possible.
    2. any accidental, unauthorised or unlawful Processing of the Personal Data; or
    3. any Personal Data Breach. 
  2. Where the Company becomes aware of the above, it shall, without undue delay, also provide the Client with the following information:
    1. description of the nature of the above event, including the categories of in-scope Personal Data and the approximate number of both Data Subjects and the Personal Data records concerned;
    2. the likely consequences; and
    3. a description of the measures taken or proposed to be taken to address such an event, including measures to mitigate its possible adverse effects.
  3. Immediately following any accidental, unauthorised or unlawful Personal Data Processing or Personal Data Breach, the Parties will co-ordinate with each other to investigate the matter. Further, the Company will reasonably co-operate with the Client at the Client’s cost, in the Client’s handling of the matter, including but not limited to:
    1. assisting with any investigation;
    2. providing the Client with physical access to any facilities and operations affected;
    3. facilitating interviews with the Company’s employees, former employees, and others involved in the matter, including, but not limited to, its officers and directors;
    4. making available all relevant records, logs, files, data reporting, and other materials required to comply with all Applicable Privacy Laws or as otherwise reasonably required by the Client; and
    5. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
  4. The Company will not inform any third party of any accidental, unauthorised or unlawful Processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Client’s written consent, except when required to do so by domestic law.
  5. The Company agrees that, as the Controller, the Client has the right to determine:
    1. whether to provide notice of the accidental, unauthorised or unlawful Processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope Regulators, law enforcement agencies or others, as required by law or regulation or in the Client’s discretion, including the contents and delivery method of the notice; and
    2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
  6. The Company will reimburse the Client for actual reasonable expenses that the Client incurs when responding to an incident of accidental, unauthorised or unlawful Processing and/or a Personal Data Breach to the extent that the Company caused such Personal Data Breach.

6. TRANSFERS OF PERSONAL DATA

  1. The Parties acknowledge that the Client has provided its general authorisation to transfer Personal Data where required in order to provide the Services, subject to the Company’s compliance with the IDTA set out at Attachment 2. 
  2. If any Personal Data transfer between the Client and the Company requires execution of additional SCCs in order to comply with the Applicable Privacy Laws (where the Client is the entity exporting Personal Data to the Provider outside the EEA), the Parties will complete all relevant details in, and execute, the relevant SCCs, and take all other actions required to legitimise the transfer.
  3. The Company shall not transfer any Personal Data unless and until it can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR.

7. SUBCONTRACTORS

  1. The subcontractors deemed approved as at the commencement of these Data Privacy Terms are as set out in the list of subcontractors as available at the link provided in Attachment 1.
  2. The Company may only authorise a third party (subcontractor) to process the Personal Data if:
    1. the Client is provided with an opportunity to object to the appointment of each subcontractor within 5 working days after the Company supplies the Client with full details in writing regarding such subcontractor, such notice shall include the Company updating its list of subcontractors as available at the link provided in Attachment 1;
    2. the Company enters into a written contract with the subcontractor that contains terms materially the same as those set out in these Data Privacy Terms, in particular, in relation to requiring appropriate technical and organisational data security measures; 
    3. the Company maintains control over all of the Personal Data it entrusts to the subcontractor; and
    4. the subcontractor’s contract terminates automatically on termination of these Data Privacy Terms for any reason.
  3. Where the subcontractor fails to fulfil its obligations under the written agreement with the Company, which contains terms substantially the same as those set out in these Data Privacy Terms, the Company remains fully liable to the Client for the subcontractor’s performance of its agreement obligations.
  4. The Parties agree that the Company will be deemed to control legally any Personal Data controlled practically by or in the possession of its subcontractors.

8. COMPLAINTS AND REQUESTS

  1. The Company shall, at the Client’s cost, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Client as the Client may reasonably require, to enable the Client to comply with:
    1. the rights of Data Subjects under the Applicable Privacy Laws, including subject access rights, the rights to rectify, port and erase Personal Data, object to the Processing and automated Processing of Personal Data, and restrict the Processing of Personal Data; and
    2. information or assessment notices served on the Client by the Commissioner, or other relevant Regulator, under the Applicable Privacy Laws.
  2. The Company shall notify the Client without undue delay in writing if it receives any request, complaint, notice, or communication that relates directly or indirectly to the Processing of the Personal Data or to either Party’s compliance with the Applicable Privacy Laws.

9. RECORDS AND AUDITS

  1. The Company will keep detailed, accurate and up-to-date written records regarding any Processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved subcontractors, the Processing purposes, categories of Processing, any transfers of Personal Data to a third country and related safeguards, and a general description of the technical and organisational security measures.
  2. The Company will ensure that such records are sufficient to enable the Client to verify the Company’s compliance with its obligations under these Data Privacy Terms, and the Company will provide the Client with copies of such records upon request.
  3. The Company will permit the Client and its third-party representatives to audit the Company’s compliance with the obligations set out in these Data Privacy Terms, on at least 30 days’ notice, during the Term. The Company will give the Client and its third-party representatives all necessary assistance to conduct such audits. The assistance may include: (i) access to the relevant records; (ii) inspection of the relevant records, software, and relevant infrastructure; and (iii) explanation of any records and decisions made in respect of the Agreement. 

10. INDEMNIFICATION

Each Party (the “Indemnifying Party”) agrees to indemnify, keep indemnified and defend at its own expense the other Party (the “Indemnified Party”) against all costs, claims, damages or expenses incurred by the Indemnified Party or for which the Indemnified Party may become liable due to any failure by the Indemnifying Party or its employees, subcontractors or agents to comply with any of its obligations under these Data Privacy Terms or the Applicable Privacy Laws.

11. TERMINATION

  1. These Data Privacy Terms shall remain in full force and effect for so long as the Agreement remains in effect, or otherwise for so long as the Company retains any Personal Data related to the Agreement.
  2. On termination of the Agreement for any reason or expiry of its term, the Company will securely delete or destroy or, if directed in writing by the Client, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control. 
  3. If any law, regulation, or government or regulatory body requires the Company to retain any documents or materials or Personal Data that the Company would otherwise be required to return or destroy, it will notify the Client in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

12. CHANGES TO DATA PRIVACY TERMS

Company may need to update these Data Privacy Terms from time to time, including to accurately reflect or comply with Applicable Privacy Laws and other applicable laws to the Parties. Company may change these Data Privacy Terms if the change:
  1. Is permitted by these Data Privacy Terms;
  2. Reflects a change in the name or form of a legal entity;
  3. Is necessary to comply with Applicable Privacy Laws, or a binding regulatory or court order; or
  4. Does not: (i) result in a degradation of the overall security of the Services; (ii) expand the scope of, or remove any restrictions on, either Party’s right to use or otherwise Process Client Personal Data for the Services; and (iii) otherwise have a material adverse impact on the Parties’ rights under these Data Privacy Terms, as reasonably determined by Company.
Company shall use commercially reasonable efforts to provide notice to Client of any material updates or changes to these Data Privacy Terms, including posting a revised version of these Data Protections Terms available here. By instructing the Processing of Personal Data under the Agreement, Client agrees to review and comply with the latest version of these Data Privacy Terms, and Client waives any objection to the means and manner of Client’s acceptance of these Data Privacy Terms that may be specified in or required by the Agreement.

ATTACHMENT 1 - Personal Data processing purposes and details

Subject matter of processing

The Services as set out in the Agreement.

Duration of Processing

The Processing shall take place for the duration of the Agreement.

Nature and Purpose of Processing

The purpose of the Processing shall be as defined in the main Data Privacy Terms. To include: 

The provision of the Services described in the orders initiated by the Client from time to time under the Agreement, including:

  1. Performing services on behalf of the Business, such as maintaining and servicing Client accounts, processing or fulfilling Client’s orders and other transactions; verifying Client’s information; and  providing analytic services to Client.
  2. Providing advertising and marketing services, such as providing a platform for advertising inventory management; and offering services to optimize advertising performance.
  3. Auditing related to counting, verifying, and quality control of ad impressions.
  4. Debugging to identify and repair errors that impair intended functionality.

Personal Data Categories

First Name, Last Name, Home Address, Email Address, Phone Number

Data Subject Types

Clients: Client provided data, including Business Email, First Name, Last Name, and Phone Number, is used to create individual user accounts that provide access to our services and applications.

Consumer Data: Client provided data may be used for internal analytical purposes to optimize campaign performance. This data may include First Name, Last Name, Home Address, Email Address, Phone Number.

Website Visitors: Tracking technologies may be used to capture user activity when visiting any of the Company websites to help facilitate and personalize the website.

Approved Subcontractors

AdCellerant Subprocessors List

Security Measures

  • Physical access controls

Access to Company office space requires a Company issued and managed electronic badge along with rotating elevator code.  CCTV is monitored and positioned at every entry point.  Data Centre is cloud based with physical locations protected by security guards, electronic badging, CCTV and periodic security reviews.  

  • System access controls

Systems are protected with RBAC aligning to the minimum-need-know standard.  Access rights are reviewed quarterly.  Access is deprovisioned immediately upon termination.

  • Data access controls

Data is protected with RBAC aligning to the minimum-need-know standard.  Access rights are reviewed quarterly. Access is deprovisioned immediately upon termination.

  • Transmission controls

The Transmission of data and the connectivity to any systems, APIs, or other services requires SSL and TLS 1.2, or above, encryption. 

  • Input controls

Technical protections are in place to prevent the input and uploading of inaccurate data and malicious file types. 

  • Data backups

Backups are performed every hour and housed in a separate geo-location than the primary.  Data validation is performed on a continual basis to ensure data integrity.  Data at rest is encrypted to a minimum cipher of AES-256. 

  • Data segregation

Client data is not comingled with that of other clients and production data is not used for development purposes.

  • Activity Monitoring

All user activity and data transmissions are monitored 24/7/365 to alert Security Operations personnel of unauthorized or unusual activity that needs to be investigated.

  • Vulnerability Patching

Vulnerabilities must be resolved or reduced to a LOW rating using severity-based timelines: URGENT/CRITICAL within 5 calendar days, HIGH within 30 calendar days, and MEDIUM within 60 calendar days.



ATTACHMENT 2 – International Data Transfer Agreement

(VERSION A1.0, in force 21 March 2022)

This International Data Transfer Agreement (“IDTA”) has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

This IDTA forms a part of the Data Privacy Terms, and the Agreement, and governs any Restricted Transfers of the Personal Data types and categories listed in Attachment 1 of these Data Privacy Terms.

PART 1: TABLES

TABLE 1: PARTIES AND SIGNATURES

Start date

Shall have the same meaning as the Effective Date in the Agreement.

The Parties

Exporter (who sends the Restricted Transfer)

Importer (who receives the Restricted Transfer)

Parties’ details and Key Contact

The details of the Exporter/Controller, in particular the legal name and information on the contact person for this IDTA, are specified in the Agreement, in which the Controller is referred to as the Client.

Name: AdCellerant UK Ltd


Company Number: 16397522


Address: 10 John Street, London, United Kingdom, WC1N 2EB.


Contact person’s name, position, and contact details: Douglas Ljung – Director of GRC / Data Protection Officer

[email protected] +1 303.656.1355


Data Protection contact details: Douglas Ljung – Director of GRC / Data Protection Officer

[email protected] +1 303.656.1355

Signatures confirming each Party agrees to be bound by this IDTA

This IDTA is an integral part of Exporter’s Agreement with the Importer/Company.

As such, the parties agree that their conclusion of the Agreement shall constitute the conclusion of this IDTA as well.

This IDTA is an integral part of the Importer/Company’s Agreement with the Client.

As such, the parties agree that their conclusion of the Agreement shall constitute the conclusion of this IDTA as well.

TABLE 2: TRANSFER DETAILS 

UK country’s law that governs the IDTA:

☒ England and Wales

☐ Northern Ireland

☐ Scotland

Primary place for legal claims to be made by the Parties

☒ England and Wales

☐ Northern Ireland

☐ Scotland



The status of the Exporter

In relation to the Processing of the Transferred Data:

☒ Exporter is a Controller

☐ Exporter is a Processor or Sub-Processor

The status of the Importer

In relation to the Processing of the Transferred Data:

☐ Importer is a Controller

☒ Importer is the Exporter’s Processor or Sub-Processor

☐ Importer is not the Exporter’s Processor or Sub-Processor (and the Importer has been instructed by a Third Party Controller)

Whether UK GDPR applies to the Importer

☒ UK GDPR applies to the Importer’s Processing of the Transferred Data

☐ UK GDPR does not apply to the Importer’s Processing of the Transferred Data

Linked Agreement

If the Importer is the Exporter’s Processor or Sub-Processor – the agreement(s) between the Parties which sets out the Processor’s or Sub-Processor’s instructions for Processing the Transferred Data: 

The Agreement and any associated Statement of Work, as defined in the main body of the Data Privacy Terms.

Term

The Importer may Process the Transferred Data for the following time period: 

☒ the period for which the Linked Agreement is in force

☐ time period:

☐ (only if the Importer is a Controller or not the Exporter’s Processor or Sub-Processor) no longer than is necessary for the Purpose.

See Part 5, Annex I for the current description of processing for further information.

Ending the IDTA before the end of the Term

☒ the Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing.

☐ the Parties can end the IDTA before the end of the Term by serving: 

      months’ written notice, as set out in Section 29 (How to end this IDTA without there being a breach).

Ending the IDTA when the Approved IDTA changes

Which Parties may end the IDTA as set out in Section 29.2:

☐ Importer

☐ Exporter

☒ neither Party

Can the Importer make further transfers of the Transferred Data?

☒ The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).

☐ The Importer MAY NOT transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).

See Part 5, Annex II for the current list of Sub-processors.

Specific restrictions when the Importer may transfer on the Transferred Data

The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1: 

☐ if the Exporter tells it in writing that it may do so.

☐ to:      

☐ to the authorised receivers (or the categories of authorised receivers) set out in: 

☒ there are no specific restrictions.

Review Dates 

☐ No review is needed as this is a one-off transfer and the Importer does not retain any Transferred Data

First review date:      

The Parties must review the Security Requirements at least once:

☐ each       month(s)

☐ each quarter

☐ each 6 months

☒ each year

☐ each       year(s)

☐ each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment

TABLE 3: TRANSFERRED DATA

Transferred Data

The personal data to be sent to the Importer under this IDTA consists of:

☒ The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to. 

☐ The categories of Transferred Data will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

See Part 5, Annex I for the current description of processing.

Special Categories of Personal Data and criminal convictions and offences

The Transferred Data includes data relating to:

☒ racial or ethnic origin

☒ political opinions

☒ religious or philosophical beliefs

☒ trade union membership

☒ genetic data

☒ biometric data for the purpose of uniquely identifying a natural person

☒ physical or mental health 

☒ sex life or sexual orientation

☐ criminal convictions and offences

☐ none of the above

☐ set out in:

And:

☒ The categories of special category and criminal records data will update automatically if the information is updated in the Linked Agreement referred to. 

☐ The categories of special category and criminal records data will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

See Part 5, Annex I for the current description of processing for further information.

Relevant Data Subjects

The Data Subjects of the Transferred Data are:

☒ The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to. 

☐ The categories of Data Subjects will not update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

See Part 5, Annex I for the current description of processing for further information.

Purpose

☒ The Importer may Process the Transferred Data for the following purposes:

As required for the purposes set out in the Agreement, as noted in the Data Privacy Terms, or as otherwise agreed in writing between the Parties.

In both cases, any other purposes which are compatible with the purposes set out above.

☒ The purposes will update automatically if the information is updated in the Linked Agreement referred to. 

☐ The purposes will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

TABLE 4: SECURITY REQUIREMENTS

Security of Transmission

Data transmissions must be encrypted to a minimum of TLS 1.2. This includes all data transfers, including APIs, email and other similar services.

Security of Storage

Data shall be stored at a minimum of AES-256 with Role Based Access Controls (RBAC) so only those requiring access to the data for their direct job duties have such access.

Security of Processing

Data shall be processed with appropriate controls including:

Physical: Access to the processing area is protected from unauthorized access.

Technical: Users have Role Based Access. Data is not shared, managed, transmitted, or stored by any vendor, sub-processor or person unless they meet the minimum requirements of Table 4.

User: Users that have access to the data are properly vetted and have a direct job responsibility to access or process the data.

Solutions: Solutions used to process data shall meet the requirements as outlined in Table 4.

Organisational security measures

Organizations shall have comprehensive and current policies that are updated annually to govern the management of data and protections as described in Table 4, as well as those for Access management, Employee Security/Compliance training, Alignment to GDPR, and other regulatory requirements as applicable to the services and data included within this agreement.

Technical security minimum requirements

Data must be encrypted at all times to TLS 1.2, AES-256 or equivalent ciphers.  Multi-Factor Authentication of some type, which includes SSO, shall be in place to access data and data processing systems.

Updates to the Security Requirements

☒ The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to. 

☐ The Security Requirements will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

PART 2: EXTRA PROTECTION CLAUSES

Extra Protection Clauses:

Security awareness training shall be performed annually and include a primary person who can be contacted to report active incidents and risks.

(i) Extra technical security protections

Data shall be protected and security standards maintained at all times including when engaged in disaster recovery efforts.

(ii) Extra organisational protections

An owner shall be identified to address all compliance and security requirements so as to ensure that protections are continually in place and vulnerabilities are addressed in a timely manner.  

(iii) Extra contractual protections

Meeting the requirements as outlined in this document can be satisfied with a comprehensive and current third-party audit, such as SOC 2 Type II, that is conducted by a reputable audit firm and updated no less than annually.  



PART 3: COMMERCIAL CLAUSES

Commercial Clauses

Further clauses in respect of the processing of personal data are to be found in the Linked Agreement.

PART 4: MANDATORY CLAUSES

Mandatory Clauses

Mandatory Clauses of the Approved IDTA, being the template IDTA A.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4 of those Mandatory Clauses.

 
