ROKT® United States Data Processing Agreement for Advertisers on IAB Terms

This United States Data Processing Agreement (“USDPA”) is effective as of the date Agency and Media Company execute an IO that incorporates the Standard Terms and Conditions for Internet Advertising for Media Buys One Year or Less, Version 3.0 (“Terms”). Agency, on behalf of Advertiser, agrees to be bound by this USDPA. All capitalized terms not defined herein shall have the meaning ascribed to them in the Terms, and the following terms shall have the meaning given to them under United States Privacy Law: “personal data” (which includes “personal information” as defined under United States Privacy Law), “data subject” (which includes “consumer” as defined under United States Privacy Law), and “processing”.

1. Background

In connection with Media Company’s provision of Deliverables under an IO, Media Company will have access to and process certain personal data as a Service Provider on Advertiser’s behalf (“Advertiser Personal Data”). The Advertiser Personal Data is described in Annex A to this USDPA. Each party shall comply with its obligations under this USDPA with respect to the personal data that it processes and according to its responsibilities as a Business or Service Provider (as appropriate) for the relevant personal data. In particular: (i) Media Company shall be a Business with regard to information supplied by Media Company in relation to the Deliverables or a campaign, end customer, or customer, including performance data; (ii) Advertiser shall be a Business with regard to Advertiser Personal Data; and (iii) Media Company shall be a Service Provider with regard to Advertiser Personal Data.

2. Security

Media Company shall implement appropriate technical and organizational measures designed to protect the Advertiser Personal Data from: (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to, the Advertiser Personal Data (a “Security Incident”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

3. Business Obligations

3.1 Whenever a party is acting in a capacity as a Business in relation to personal data, it shall comply in all respects with United States Privacy Law, including by processing such personal data fairly and lawfully, providing any legally required privacy notices and disclosures, obtaining any legally required consents for personal data processing, and implementing appropriate physical, technical, and administrative safeguards designed to protect the security and integrity of personal data under its control.

3.2 A Business shall provide assistance reasonably requested by the other party (and at that other party's cost) in order for that other party to comply with United States Privacy Law, including with respect to data subject access requests and privacy notices.

4. Service Provider Obligations

4.1 Purpose limitation: Media Company shall process the Advertiser Personal Data as necessary to provide the Deliverables under the IO, for such other purposes as may be described in this USDPA (including Annex A) and strictly in accordance with Agency’s documented instructions (the “Permitted Purpose”), except where otherwise required by any applicable law. Media Company shall inform Agency if, in its opinion, an instruction violates United States Privacy Law. In furtherance of the foregoing, and except where otherwise required by United States Privacy Law, Media Company shall not: (i) sell or share for purposes of cross-context behavioral advertising any Advertiser Personal Data for monetary or other consideration; (ii) retain, use, or disclose Advertiser Personal Data for any purpose other than the Permitted Purpose; (iii) retain, use, or disclose Advertiser Personal Data outside of the direct business relationship between the parties; or (iv) combine Advertiser Personal Data with personal data that it receives from other sources or collects from its own interactions with an individual; provided that Media Company may combine, merge, or integrate Advertiser Personal Data as necessary to perform any legitimate business purpose, including those business purposes described in applicable United States Privacy Laws.

4.2 Confidentiality of processing: Media Company shall ensure that any person that it authorizes to process the Advertiser Personal Data (including Media Company’s staff, agents and subcontractors) (an “Authorized Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not authorize any person to process the Advertiser Personal Data who is not under such a duty of confidentiality.

4.3 Subprocessing: Media Company may subcontract its processing of the Advertiser Personal Data to a third party subprocessor without the prior written consent of Agency or Advertiser. Media Company shall, however, inform Agency when it adds to or removes sub-processors (which may be done via a website link notified to Agency) and give Agency a reasonable opportunity to object to the appointment of a new subprocessor. Agency, on behalf of Advertiser, consents to and authorizes Media Company to use the subprocessors listed at https://rokt.com/rokt-subprocessors/ in its provision of the Deliverables and performance under the Terms.

4.4 Cooperation and data subjects’ rights: Media Company shall provide all reasonable and timely assistance (including by appropriate technical and organizational measures) to Advertiser (at the Advertiser’s expense) to enable Advertiser to respond to: (i) any verified and valid request from a data subject to exercise any of its statutory rights granted under United States Privacy Law; and (ii) any written correspondence, inquiry, or complaint received from a regulator in connection with the processing of the Advertiser Personal Data. In the event that any request, correspondence, inquiry, or complaint is made directly to Media Company, Media Company will inform Agency of same.

4.5 Data Protection Impact Assessment: If Media Company determines that its processing of the Advertiser Personal Data is likely to result in a high risk to the privacy rights and freedoms of data subjects, Media Company will provide such reasonable and timely assistance as Advertiser or Agency may request in order to conduct a data protection impact assessment, at Advertiser’s cost.

4.6 Security incidents: Upon becoming aware of a confirmed Security Incident, Media Company shall inform Agency or Advertiser without undue delay and shall provide all such timely information and cooperation as Agency or Advertiser may reasonably require in order for Advertiser to fulfil its data breach reporting obligations under United States Privacy Law.

4.7 Deletion or return of Advertiser Personal Data: Upon termination or expiry of the Terms, Media Company shall (if Agency so requests) destroy or return to Advertiser or Agency all Advertiser Personal Data (including all copies of same) in its possession or control (including any Advertiser Personal Data subcontracted to a third party for processing). This requirement shall not apply to the extent that Media Company is required by any United States Privacy Law to retain some or all of that Advertiser Personal Data, in which case Media Company shall protect the Advertiser Personal Data from any further processing except to the extent required by such law.

4.8 Audit: Upon Agency’s written request, Media Company shall make available to Agency all information, systems, and staff necessary for Agency (or its third party auditors) to assess Media Company’s compliance with the material terms of this USDPA. Agency must give Media Company reasonable prior written notice of its intention to conduct any such assessment, conduct the assessment during normal business hours, and take all reasonable measures to prevent unnecessary disruption to Media Company’s operations. Agency will not exercise its audit rights more than once in any twelve (12) calendar month period.

4.9 Certification: Media Company certifies that it understands and will comply with the foregoing restrictions.

5. Definitions

In this USDPA:

  • (i) “Business” means the entity that, alone or jointly with others, determines the purpose and means of processing of personal data, and includes the term “controller” as used in United States Privacy Law;
  • (ii) “Service Provider” means the entity that processes personal data on behalf of a Business, and includes the term “processor” as used in United States Privacy Law;
  • (iii) “United States Privacy Law” means the California Consumer Privacy Act, California Privacy Rights Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, Virginia Consumer Data Protection Act, and any other state or federal law relating to the protection of the privacy of United States residents, each of the foregoing upon such law’s effective or implementation date.

6. ANNEX A TO USDPA

Data Processing Description

This Annex A forms part of the USDPA and describes the processing that Media Company will perform on behalf of Advertiser with respect to Advertiser Personal Data.

Description: Details
Duration of the processing: For the duration of the Terms and for such longer period of time as Media Company may require in accordance with the Terms to provide the Deliverables.
Nature and purposes of the processing:
  • processing of seed lists and/or custom audiences
  • suppressing and/or targeting content and Ads from or to end customers
  • optimizing campaigns through statistical analysis
  • processing conversion data
  • processing of seed lists and/or Advertiser's historical transaction information for creation of lookalike audiences for Advertiser's Campaigns
Type of personal data:
Sensitive personal data (if any): None.
Categories of Data Subject: End customers (e.g., customers of the Advertiser and visitors to the Network Properties).
Plan for return and destruction of the data once the processing is complete UNLESS there is a requirement under applicable law to preserve that type of data: Media Company will return or destroy the Advertiser Personal Data on request in accordance with paragraph 4.7 of the USDPA.
Contact points for data protection inquiries:
  • Media Company: General Counsel via privacy@rokt.com
  • Agency: As set forth in the applicable IO.