Data Processing Agreement

This Data Processing Agreement (“DPA”) is hereby entered into by and between M.D. Primis Technologies (previously known as McCann Disciplines Ltd.) and its Affiliates (“Primis” or “Company”) and the Publisher identified in the Insertion Order (“IO”) executed between the parties (“Publisher” or “you”), for the purpose of using the Services, as defined under the Publisher Terms and Conditions to which this DPA is attached (“Terms”).

This DPA forms an integral part of the Terms. Capitalized terms not defined herein shall have the respective meanings given to them in the Terms.

This DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data during the course of the engagement between the parties.

  • APPLICATION OF THE DPA
    1. This DPA reflects the parties’ agreement on the processing of Personal Data in connection with the Services and the Agreement and in accordance with Data Protection Laws. This DPA will only apply to the extent: (i) Primis processes Personal Data that is made available, directly or indirectly, by Publisher (or on its behalf) in connection with the Services and the Agreement; and (ii) Data Protection Laws apply to the processing of Personal Data.
    2. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. 

  • DEFINITIONS
    1. “Adequate Country” is a country that has received an adequacy decision from the European Commission.
    2. “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018, including as modified by the California Privacy Rights Act (“CPRA”) once the CPRA takes effect as well as all regulations promulgated thereunder from time to time.
    3. “Consent” means an End User’s informed and freely given consent that meets the requirements stipulated under Article 7 of the GDPR or under Purpose 1 of the IAB TCF Policy (as such term is defined below).
    4. “CPA” means the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq. (SB 21-190), including any implementing regulations and amendments.
    5. “CTDPA” means the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022), including any implementing regulations and amendments thereto.
    6. “Publisher Data” means any and all Personal Data provided by the Publisher to Primis during its use of the Service, as detailed in Annex I attached herein.
    7. The terms “Controller”, “Personal Data”, “Processor”, “Data Subject”, “Processing” (and “Process”), “Personal Data Breach”, “Special Categories of Personal Data” and “Supervisory Authority”, shall all have the same meanings as ascribed to them in the EU Data Protection Law. The terms “Business Purpose”, “Consumer”, “Cross Context Advertising”, “Contractor”, “First-Party Business”, “Service Provider”, “Sell”, “Share”, “Sale”, “Targeted Advertising”, “Third-Party Business” shall have the same meaning as ascribed to them in the US Data Protection Laws. “Data Subject” shall also mean and refer to (under this DPA) a “Consumer”, as such term is defined in the US Data Protection Laws, and “Personal Data” shall include “Personal Information” under this DPA.
    8. “Data Protection Law” means applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection Laws, Israeli Law and the US Data Protection Laws) as may be amended or superseded from time to time.
    9. “EEA” means the European Economic Area.
    10. “End User” means an individual visiting or browsing the Publisher’s digital assets.
    11. “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (v) any legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
    12. “IAB Consent Management Framework” means the IAB Tech Lab’s technical specification for the GDPR transparency & consent framework.
    13. “IAB TCF Policies” means the (i) IAB Europe Transparency & Consent Framework – Policies Version 2023-05-15.4.0 available at: https://iabeurope.eu/wp-content/uploads/2023/05/230509-TCF-Policies-TransparencyConsentFramework_Policies_version_TCF-v2.2.pdf; (ii) IAB Global Privacy Platform including the Multi State Privacy Framework available at https://www.iabprivacy.com/IAB%20First%20Amended%20and%20Restated%20Multi-State%20Privacy%20Agreement%20(MSPA).pdf.
    14. “ID” means (i) a unique identifier stored on an End-User’s device; (ii) a unique identifier generated for a specific End User; (iii) an online identifier associated with a particular device; or (iv) a cookie ID, agent ID, IP address, URL or RTB tag, or any online identifier identifying an End User or a specific device.
    15. “Israeli Law” means Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations.
    16. “LGPD” means the Brazilian General Data Protection Law (as amended by Law No. 13,853/2019), as may be amended from time to time.
    17. “Security Incident” means any significant accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Publisher Data.
    18. “Signal” as such term is defined under the IAB TCF Policy.
    19. “Standard Contractual Clauses” or “SCC” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, which may be found here: Standard Contractual Clauses
    20. “Swiss Data Protection Laws” or “FADP” shall mean (i) the Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) (“FDPA”); (ii) the Ordinance on the Federal Act on Data Protection (“FODP”); (iii) any national data protection laws made under, pursuant to, replacing or succeeding and any legislation replacing or updating any of the foregoing.
    21. “Swiss SCC” shall mean the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner.
    22. “UK Data Protection Laws” shall mean the Data Protection Act 2018 (DPA 2018), as amended, and EU General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as incorporated into UK law as the UK GDPR, as amended, and any other applicable UK data protection laws, or regulatory Codes of Conduct or other guidance that may be issued from time to time.
    23. “UK GDPR” shall mean the GDPR as it forms part of domestic law in the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time).
    24. “UK Standard Contractual Clauses” or “UK SCC” means the UK “International Data Transfer Addendum to The European Commission Standard Contractual Clauses” available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf as adopted, amended or updated by the UK Information Commissioner Office (“ICO”), Parliament or Secretary of State.
    25. “US Data Protection Laws” means any U.S. federal and state privacy laws effective as of the Effective Date of this DPA and applicable to Primis’ Processing of Publisher Data, and any implementing regulations and amendments thereto, including without limitation, the CCPA, the CPA, the CTDPA, and the VCDPA.
    26. “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392), including any implementing regulations and amendments thereto.

 

Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable law. A reference to any term or section of US Data Protection Laws, UK Data Protection Laws or GDPR means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR or UK GDPR depending on the applicable Law.

  • ROLES AND DETAILS OF PROCESSING
    1. The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Publisher Data, Primis is acting as a Data Processor and Publisher is acting as a Data Controller. 
    2. The subject matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex I attached hereto. 
    3. For certain data sets and under certain circumstances, Primis and Publisher may be considered as independent co-controllers (“ICC”) as further detailed in Section 10.
    4. US Data Protection Laws specifications are further detailed in Annex VII.

  • PROCESSING OF PERSONAL DATA
    1. The Publisher represents and warrants that: (i) its Processing instructions shall comply with applicable Data Protection Law, and the Publisher acknowledges that, taking into account the nature of the Processing, Primis is not in a position to determine whether the Publisher’s instructions infringe applicable Data Protection Law; and (ii) as between the parties, the Publisher undertakes, accepts and agrees that the Data Subjects do not have a direct relationship with Primis and that Primis relies on Publisher’s lawful basis (as required under Data Protection Law). The Publisher represents and warrants that it has a lawful legal basis for the Processing of Publisher’s Data. 
    2. The Publisher represents and warrants that Special Categories of data shall not be Processed or shared in connection with the performance of the Services, unless agreed in writing by Primis. 
    3. IAB TCF Specifications where applicable: The Publisher acknowledges that Primis is a Vendor as defined under the IAB TCF Policy. Publisher acknowledges and agrees that the End User does not have a direct relationship with Primis; however, certain features of the Primis Services are dependent and based upon End User’s Consent or any other demonstrated lawful basis, that shall be obtained by Publisher and which Primis relies on, amongst others, in its capacity as a Vendor under the IAB TCF Policy. Publisher also acknowledges that it shall be able to demonstrate such Consent at any time and represents that such Consent exists. Where the Publisher collects and obtains such Consent through a cookie management platform provider (CMP), the Publisher shall ensure such CMP is registered as an authorized CMP under (i) the IAB TCF (ii) Google. Primis shall not be liable for obtaining Consent or with respect to the Signals, if applicable, provided by the Publisher or the Publisher’s consent management, and shall transfer the Signal “as is” and as it was provided to the Advertiser partner. Publisher acknowledges and agrees that such requests are directly transmitted to the Advertiser, and such Advertiser will respond as per Publisher’s request. Therefore, Primis, as the technical provider, has no control over such parameters or over the Signal and shall not be responsible for any parameter or Signal that was unlawfully or misleadingly sent by Publisher, nor liable for any damage or damages resulting from it. Notwithstanding the above, and solely in the EEA, Primis requires Consent for Purpose 1, 3 and 4 of the IAB TCF Policy, and the Publisher shall ensure that it calls Primis solely upon receiving Consent for Purpose 1, 3 and 4.
    4. The Publisher shall, or shall obligate its CMP to, (i) provide users with link(s) to Primis’ privacy documentation; (ii) disclose in the initial layer of the user interface the number of third party vendors that are seeking consent or pursuing data processing purposes on the basis of their legitimate interest(s); (iii) ensure that users can re-access the CMP user interface easily to manage their privacy choices. If requested by Primis, the Publisher shall provide Primis with applicable evidence of the CMP compliance with the IAB requirements and this section.
    5. In the event Primis is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Publisher Data other than as instructed by Publisher, Primis shall make its best efforts to inform the Publisher of such requirement prior to Processing such Publisher Data, unless prohibited under applicable law.
    6. Primis shall provide reasonable cooperation and assistance to the Publisher in ensuring compliance with its obligation to carry out data protection impact assessments.
    7. Where applicable, Primis shall assist the Publisher in ensuring that Personal Data Processed is accurate and up to date, by informing the Publisher without delay if it becomes aware of the fact that the Personal Data it is Processing is inaccurate or has become outdated.
    8. Primis shall ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Publisher Data; and (ii) that persons authorized to process the Publisher Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    9. Notwithstanding the above, in any event that the Israeli Law shall apply, the parties hereby undertake that they comply with the aforesaid regulations as well as comply with the DPA.

  • DATA SUBJECTS REQUESTS 
    1. It is agreed that where Primis receives a request from a Data Subject or an applicable authority in respect of Publisher Data Processed by Primis, Primis will notify the Publisher of such request promptly and direct the Data Subject or the applicable authority to the Publisher in order to enable the Publisher to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.

 

  • SUB-PROCESSING 
    1. The Publisher acknowledges that Primis may transfer Publisher Data to and otherwise interact with third party data processors (“Sub-Processor”). The Publisher hereby authorizes Primis to engage and appoint such Sub-Processors to Process Publisher Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Primis may continue to use those Sub-Processors already engaged by Primis, as listed in Annex III, or to engage an additional or replace an existing Sub-Processor to process Publisher Data, subject to the provision of a thirty (30) day prior notice of its intention to do so to the Publisher. In case the Publisher has not objected to the adding or replacing of a Sub-Processor within thirty (30) days of Primis’s notice, such Sub-Processor shall be considered approved by the Publisher. In the event the Publisher objects to the adding or replacing of a Sub-Processor, Primis may, under Primis’s sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement. 
    2. Primis shall, where it engages any Sub-Processor, impose, through a legally binding contract between Primis and the Sub-Processor, data protection obligations similar to those set out in this DPA. Primis shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Law. 
    3. Primis shall remain responsible to the Publisher for the performance of the Sub-Processor’s obligations in accordance with this DPA. Primis shall notify the Publisher of any failure by the Sub-Processor to fulfill its contractual obligations.

  • TECHNICAL AND ORGANIZATIONAL MEASURES
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Primis hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the Publisher Data as required under Data Protection Laws to ensure lawful processing of Publisher Data and safeguard Publisher Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction. The parties acknowledge that security requirements are constantly changing and that effective security requires the frequent evaluation and regular improvement of outdated security measures.
    2. The security measures implemented and maintained by Primis are further detailed in Annex II.

  • PERSONAL DATA SECURITY INCIDENT
    1. Primis will notify the Publisher upon becoming aware of any Security Incident affecting the Publisher Data. Primis’s notification regarding or response to a Security Incident under this Section 8 shall not be construed as an acknowledgment by Primis of any fault or liability with respect to the Security Incident. 
    2. Primis will: (i) take necessary steps to remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Publisher and provide the Publisher with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident;  (iii) notify the Publisher in writing of any request, inspection, audit or investigation by a supervisory authority or other authority; (iv) keep the Publisher informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) co-operate with the Publisher and assist Publisher with its obligation to notify the affected individuals in the case of a Security Incident.

  • AUDIT RIGHTS 
    1. Primis shall maintain accurate written records of any and all the processing activities of any Personal Data carried out under this DPA and shall make such records available to the Publisher and applicable supervisory authorities upon written request. Such records provided shall be considered Primis’s Confidential Information and shall be subject to confidentiality obligations.
    2. Publisher may audit Primis’ compliance with this DPA and Data Protection Laws by requesting a certificate issued for security verification reflecting the outcome of an audit conducted by a third party auditor (e.g., ISO27001/ISO27701 certification, SOC2 certificate) or a comparable certification or other security certification of an audit conducted by a third-party auditor, within 12 months as of the date of Publisher’s request.
    3. Alternatively, in the event the records and documentation provided subject to Section 7.1 and 7.2 above are not sufficient for the purpose of demonstrating compliance, Primis shall make available, solely upon prior reasonable written notice and no more than once per calendar year, to a reputable auditor nominated by the Publisher, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Publisher Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to the terms of standard confidentiality obligations (including towards third parties). Primis may object to an auditor appointed by the Publisher in the event Primis reasonably believes the auditor is not suitably qualified or is a competitor of Primis. Publisher shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Primis’ premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit.
    4. Nothing in this DPA will require Primis either to disclose to Publisher or its third-party auditor, or to allow Publisher or its third-party auditor to access: any data of any other customer; Primis’ internal accounting or financial information; any trade secret of Primis or its Affiliates; any information that, in Primis’ reasonable opinion, could compromise the security of any of Primis’ systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or any information that Publisher or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Publisher’s obligations under the Data Protection Laws.

  • CROSS BORDER PERSONAL DATA TRANSFERS
    1. If the processing of Publisher Data includes a transfer (either directly or through an onward transfer) to a third country outside the EEA, the UK and Switzerland, that is not an Adequate Country, such transfer shall be subject to an appropriate safeguard approved by Data Protection Law: the GDPR (Article 46), UK GDPR (Article 46) or Swiss FADP (as applicable).
    2. If the Parties, or Primis or its Sub-processor, rely on the Standard Contractual Clauses to facilitate a transfer to a third country that is not an Adequate Country, then: 
      1. for a transfer of Personal Data from the EEA, the terms set forth in Annex IV shall apply;
      2. for a transfer of Personal Data from the UK, the terms set forth in Annex V shall apply; and
      3. for a transfer of Personal Data from Switzerland, the terms set forth in Annex VI shall apply.

  • INDEPENDENT CO-CONTROLLERS 
    1. Primis will process Personal Data as an ICC under GDPR solely with respect to the following data sets: Primis ID used to identify the Publisher and the Publisher digital assets, Primis cookie ID or SDK ID, analysis data for detecting invalid traffic and anti-fraud purposes, End User location (city, state, zip/post-code) (where applicable), Advertiser ID shared with the Advertisers for End User-syncing purposes, preference string, outcomes and impressions data and other Personal Data for Primis’s internal analytics and reporting purposes (“Controller Data Set”).
    2. All other data sets, which are detailed in Annex I, are processed by Primis as a “processor”.
    3. When parties are ICC:
      1. It is hereby clarified that in no event will the parties Process the data as joint controllers. Each party shall be individually and separately responsible for complying with the obligations that apply to it, in accordance with the Data Protection Laws.
      2. If a party receives a request from a Data Subject or an applicable authority in respect to the Controller Data Sets, it will notify the other party of such request, and where applicable, direct the Data Subject or the applicable authority to the other party.
      3. Each party shall notify the other party upon becoming aware of any Security Incident involving the Controller Data Sets.
      4. In the event the Controller Data Sets shall be transferred to a third party country which is not an Adequate Country, and requires additional safeguards, then Module One (Controller to Controller) of the EU Standard Contractual Clauses, the UK Standard Contractual Clauses, and the Swiss SCC, shall apply as applicable. Annexes IV, V, VI shall apply with the needed revisions.
      5. Under the CCPA, the parties’ obligations shall be detailed in Annex VII.


  • TERM & TERMINATION
    1. This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates or as long as Primis processes Personal Data.
    2. Primis shall be entitled to terminate this DPA or terminate the Processing of Publisher Data in the event that Processing of Publisher Data under the Publisher’s instructions or this DPA infringes applicable legal requirements and Primis notified the Publisher of such infringement and the Publisher did not cure such infringement within 10 days. Alternatively, Primis may, in its sole discretion, suspend the processing of the Personal Data until such infringement is cured without terminating the DPA.
    3. Following the termination of this DPA, Primis shall, at the choice of the Publisher, delete all Publisher Data processed on behalf of the Publisher and certify to the Publisher that it has done so, or, return all Publisher Data to the Publisher and delete existing copies, unless applicable law or regulatory requirements require that Primis continue to store Publisher Data. Until the Publisher Data is deleted or returned, the parties shall continue to ensure compliance with this DPA. Publisher’s choice shall be provided in writing to Primis, following effect of the termination.

ANNEX I

DETAILS OF PROCESSING 

This Annex includes certain details of the Processing of Personal Data as required under the Data Protection Laws.

 

Categories of Data Subjects:

End Users who browse the Publisher’s digital assets (website, app, etc.) and view the advertisements placed by Primis and Primis advertising partners.

 

Categories of Personal Data:

IP addresses, IDFA/AAID or any IDs, Consent String, cookies data, usage data, clickstream data, approximate location data, behavior data, referred URL, Publisher-uploaded segment data, End User behavior data (meaning: clicked the ad, viewed the ad), which is processed for reporting purposes for Publisher, impression data, optimization data, ad delivery data.

 

Special Categories of Personal Data:

NA

 

Nature of the processing:

Collection, storage, organization, analysis, modification, retrieval, disclosure, communication and other uses in performance of the Services as set out in the Agreement

 

Purpose(s) of Processing:

Processing activities in performance of the Services as set out in the Agreement, including providing access to the Platform and Services. 

 

Retention Period:

Personal data will be retained for the term of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.

Process Frequency:

Continuous basis 

Annex II – Technical Measures 

  1. Implement and maintain current and appropriate technical and organizational measures to protect Company Data against accidental, unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, disclosure or access;
  2. Provide third-party attestation of static or dynamic application security testing or penetration testing on all software Processing Company Data, remediate any identified high vulnerabilities prior to delivery to Company, provide written remediation plans for medium and low vulnerabilities, and provide evidence of its remediation of any identified security vulnerabilities at Company’s request;
  3. Maintain a level of security appropriate to the harm that may result from any unauthorized or unlawful Processing or accidental loss, destruction, damage, denial of service, alteration or disclosure, and appropriate to the nature of Company Data;
  4. Oblige its employees, agents or other persons to whom it provides access to Company Data to keep it confidential; take reasonable steps to ensure the integrity of any employees who have access to Company Data; provide annual training to staff and subcontractors on the security requirements contained herein;
  5. Maintain measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of Service Provider’s systems and services; 
  6. Maintain a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing of Company Data, regularly testing such measures to validate their appropriateness and effectiveness, and implementing corrective action where deficiencies are revealed by such testing; 
  7. Log all individuals’ access to and activities on systems and at facilities containing Company Data. Upon Company’s request, and subject to applicable laws and the Service Provider’s retention policy, Service Provider will provide a report detailing a list of authorized users, their associated privileges, status of accounts, and history of activities;
  8. For passwords applicable to Service Provider’s access, adhere to password policies for standard and privileged accounts consistent with industry best practices; protect both Service Provider’s and Company’s user accounts with access to Company Data using multi-factor authentication (e.g., using at least two different factors to authenticate such as a password and a security token or certificate);
  9. Store and transmit Company Data using strong cryptography, consistent with industry best practices, and pseudonymize Personal Data where appropriate; 
  10. If connection is permitted by Company, only connect to Company’s networks via Virtual Private Network (VPN), without split tunneling, and utilizing strong cryptography consistent with industry best practices;
  11. Ensure that only those Service Provider’s personnel who need to have access to Company Data are granted access, such access is limited to the least amount required, and only granted for the purposes of performing obligations under this DPA. Service Provider shall conduct access reviews upon each individual’s scope of responsibility change, Service Provider’s staffing change or other change impacting Service Provider’s personnel access to Company Data;
  12. Maintain a physical security program that is consistent with industry best practices;
  13. Ensure that any storage media (whether magnetic, optical, non-volatile solid state, paper, or otherwise capable of retaining information) that captures Company Data is securely erased or destroyed before repurposing or disposal;
  14. Measures and assurances regarding US government surveillance (“Additional Safeguards”): 

Primis agrees and hereby represents it maintains, and will continue to maintain, the following additional safeguards in connection with any Personal Data transferred under this Annex: 

  1. Primis maintains industry standard measures to protect the Personal Data from interception (including in transit from Publisher to Primis and between different systems and services). This includes maintaining encryption of Personal Data in transit and at rest.
  2. Primis will make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the UK GDPR, including (if applicable) under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”).   
  3. If Primis becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempt or demand to gain access to or a copy of the Personal Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, Primis shall: inform the relevant Authority that Primis is a Processor of the Personal Data and that Publisher, as the Controller, has not authorized Primis to disclose the Personal Data to the Authority; inform the relevant Authority that any and all requests or demands for access to the Personal Data should be directed to or served upon Publisher in writing; and use reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under Primis’s control.
  4. Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the related Authority’s intended access to Personal Data, Primis has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, these subsections shall not apply. In such event, Primis shall notify Publisher, as soon as possible, following the access by the Authority, and provide Publisher with relevant details, unless and to the extent legally prohibited to do so. 

Primis will inform Publisher, upon written request (and not more than once a year), of the types of binding legal demands for Personal Data Primis has received and complied with, including demands under national security orders and directives, specifically including any process under Section 702 of FISA.

 

Annex III- Sub-Processor List 

 

| Name | Server location | Description of the processing | Transfer Mechanism |
| --- | --- | --- | --- |
| Human Security, Inc. (WhiteOps) | USA | Anti Fraud Detection | SCC |
| Amazon Web Service | The EU or the USA | Hosting | SCC |
| IntentIQ | USA | Cookieless Advertising Revenue Optimization | Privacy Policy |
| Oracle Services (MOAT) | USA | Ad measurement and marketing analytics suite | DPA |
| Integral Ad Science, Inc. | USA | Digital ad verification helping brands, agencies, and publishers activate and optimize impactful campaigns | IAS_Global_Client_Data_Processing_Agreement |

 

ANNEX IV

EU INTERNATIONAL TRANSFERS AND SCC 

    1. The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Personal Data from the EEA to other countries that are not deemed as Adequate Countries.
    2. Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the transfer is effectuated by Publisher as the data controller of the Personal Data and Primis is the data processor of the Personal Data.
    3. The Parties agree that for the purpose of transfer of Personal Data between Publisher (as Data Exporter) and the Primis (as Data Importer), the following shall apply:
      1. Clause 7 of the Standard Contractual Clauses shall not be applicable.
      2. In Clause 9, option 2 (general written authorization) shall apply and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in the Sub-Processing Section of the DPA.
      3. In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
      4. In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Publisher is established (where applicable).
      5. In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction.
    4. Annex I.A of the Standard Contractual Clauses shall be completed as follows:
      1. “Data Exporter”: Publisher
      2. “Data Importer”: Primis
      3. Roles: (A) With respect to Module Two: (i) Data Exporter is a data controller and (ii) the Data Importer is a data processor. 
      4. Data Exporter and Data Importer Contact details: As detailed in the Agreement.
      5. Signature and Date: By entering into the Agreement and DPA, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
    5. Annex I.B of the Standard Contractual Clauses shall be completed as follows:
      1. The purpose of the processing, nature of the processing, categories of data subjects, categories of personal data and the parties’ intention with respect to the transfer of special categories are as described in Annex I (Details of Processing) of this DPA.
      2. The frequency of the transfer and the retention period of the personal data is as described in Annex I (Details of Processing) of this DPA.
      3. The sub-processors to which personal data is transferred are listed in Annex III.
    6. Annex I.C of the Standard Contractual Clauses shall be completed as follows: the competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 3 above.
    7. Annex II of this DPA (Technical and Organizational Measures) serves as Annex II of the Standard Contractual Clauses.
    8. Annex III of this DPA (List of Sub-processors) serves as Annex III of the Standard Contractual Clauses.
    9. Transfers to the US: Measures and assurances regarding US government surveillance (“Additional Safeguards”) are further detailed in Annex II, as well as:

Primis agrees and hereby represents it maintains, and will continue to maintain, the following additional safeguards in connection with any Personal Data transferred under this Annex IV: 

  1. Primis maintains industry standard measures to protect the Personal Data from interception (including in transit from Publisher to Primis and between different systems and services). This includes maintaining encryption of Personal Data in transit and at rest.
  2. Primis will make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the UK GDPR, including (if applicable) under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”).   
  3. If Primis becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempt or demand to gain access to or a copy of the Personal Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, Primis shall: inform the relevant Authority that Primis is a Processor of the Personal Data and that Publisher, as the Controller, has not authorized Primis to disclose the Personal Data to the Authority; inform the relevant Authority that any and all requests or demands for access to the Personal Data should be directed to or served upon Publisher in writing; and use reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under Primis’s control.
  4. Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the related Authority’s intended access to Personal Data, Primis has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, these subsections shall not apply. In such event, Primis shall notify Publisher, as soon as possible, following the access by the Authority, and provide Publisher with relevant details, unless and to the extent legally prohibited to do so.

Primis will inform Publisher, upon written request (and not more than once a year), of the types of binding legal demands for Personal Data Primis has received and complied with, including demands under national security orders and directives, specifically including any process under Section 702 of FISA.

 

ANNEX V

EU INTERNATIONAL TRANSFERS AND SCC

  1. The parties agree that the terms of the Standard Contractual Clauses as amended by the UK Standard Contractual Clauses, and as amended in this Annex V, are hereby incorporated by reference and shall apply to transfer of Personal Data from the UK to other countries that are not deemed as Adequate Countries.
  2. This Annex V is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country in reliance on Article 46 of the UK GDPR and with respect to data transfers from controllers to processors or from the processor to its sub-processors. 
  3. Terms used in this Annex V that are defined in the Standard Contractual Clauses, shall have the same meaning as in the Standard Contractual Clauses.
  4. This Annex V shall (i) be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
  5. Amendments to the UK Standard Contractual Clauses
    1. Part 1: Tables
      1.  Table 1 Parties: shall be completed as set forth in Section 4 within Annex IV above. 
      2.  Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in Section 2 and 3 within Annex IV above.
      3. Table 3 Appendix Information: 

Annex 1A: List of Parties: shall be completed as set forth in Section 2 within Annex IV above. 

Annex 1B: Description of Transfer: shall be completed as set forth in Annex I above.

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: shall be completed as set forth in Annex II above.

Annex III: List of Sub processors: shall be completed as set forth in Annex III above.

      4. Table 4 Ending this Addendum when the Approved Addendum Changes: shall be completed as “neither party”.

 

ANNEX VI

SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY

The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to Swiss Data Protection Law, and specifically the FDPA:

  • The term ’Member State’ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.
  • The clauses in the DPA protect the Personal Data of legal entities until the entry into force of the Revised Swiss FDPA. 
  • All references in this DPA to the GDPR should be understood as references to the FDPA insofar as the data transfers are subject to the FDPA.   

 

  • References to the “competent supervisory authority”, “competent courts” and “governing law” shall be interpreted as Swiss Data Protection Laws and Swiss Information Commissioner, the competent courts in Switzerland, and the laws of Switzerland (for Restricted Transfers from Switzerland). 

 

  • In respect of data transfers governed by Swiss Data Protection Laws and Regulations, the EU SCCs will also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws and Regulations until such laws are amended to no longer apply to a legal entity.
  • The competent supervisory authority is the Swiss Federal Data Protection Information Commissioner.

 

ANNEX VII

US Privacy Law Addendum 

This US Privacy Law Addendum (“US Addendum”) adds specifications applicable to US Data Protection Laws and is in addition to the obligations set forth in the DPA. All terms used but not defined in this CCPA Addendum shall have the meaning set forth in the DPA.

  • CCPA Specifications: 
      1. For the purpose of the CCPA, Publisher is the Business and Primis is the Service Provider. 
      2. Primis shall process Personal Data on behalf of the Publisher as a Service Provider under the CCPA and shall not: (1) sell or share the Publisher Data; (2) retain, use or disclose the Publisher Data for any purpose other than for the Publisher’s purpose specified in the Agreement; or (3) combine the Publisher Data with other Personal Data that it receives from, or on behalf of, another customer, or collects from its own interaction with California residents, except as otherwise permitted by the CCPA.
      3. Primis shall assist Publisher in respect of consumer requests to limit the use of Sensitive Personal Information (“SPI”).
      4. Primis certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from Selling any Publisher Data.
      5. For the purpose of processing Personal Information made available through the Controller Data Sets, and when the Publisher has chosen the Cross-Contextual Behavior Advertising (“CCBA”) the following shall apply: 
        1. Primis shall be the Third Party Business and Publisher is the First Party Business.
        2. Each party shall be independently responsible for complying with the CCPA obligations as a “Business”.
        3. Primis requires and relies on the Publisher to provide the End Users with disclosure as applicable under the CCPA regarding Sharing and Selling Personal Information for CCBA with Primis. 
        4. Primis requires that the Publisher enable the End User to opt out from Selling and Sharing the Personal Information with Primis for CCBA and transfer the opt-out signal to Primis.
  • US Applicable States Specifications: 
    1. For the purpose of this US Addendum “Applicable States” shall mean Virginia, California, Colorado, and Connecticut. 
    2. Primis agrees to notify the Publisher if Primis makes a determination that it can no longer meet its obligations under this Addendum or US Data Protection Laws. 
    3. Primis shall provide information necessary to enable the Publisher to conduct and document any data protection assessments required by US Data Protection Laws. Notwithstanding the above, Primis is responsible for only the measures allocated to it. 
    4. Primis acknowledges and confirms that it does not receive any monetary goods, payments or discounts in exchange for processing the Publisher Data. 
    5. Each party shall, taking into account the context of processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures. Primis’ technical measures are detailed in the DPA and Annexes above.
    6. The processing instructions, including the nature of processing, purpose of processing, the duration of processing, the type of personal data and data subjects, are set forth in Annex I above. 
    7. In addition to the Audit rights under Section 8 of the DPA, under US Data Protection Laws and subject to Publisher’s consent, Primis may alternatively offer, in response to an on-premises audit request, to have a third-party auditor verify Primis’ compliance with its obligations under US Data Protection Laws. During such an audit, Primis will make available to the third-party auditor all information necessary to demonstrate such compliance.
    8. Each party will comply with the requirements set forth under US Data Protection Laws with regards to processing de-identified data, as such term is defined under the applicable US Data Protection Law.
    9. When processing Publisher Data or Usage Data (as defined in the Agreement) for the permitted purposes under US Data Protection Laws Primis shall ensure it complies with applicable laws and shall be liable for such processing. 

 
