This Madhive, Inc. (“Madhive”) U.S. Data Processing Addendum (“DPA”) shall be incorporated by reference into any and all services agreements, insertion orders and addendums currently in place between Client and Madhive (the “Agreement(s)”). This DPA applies to the Processing of Personal Information in connection with the services provided by Madhive (the “Services”) to the Client and the Client’s Affiliates.
- Definitions:
- “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Client or Madhive respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
- “Applicable Privacy Laws” means any U.S. state or federal privacy or security law and/or self-regulatory code that are in effect during the Term, and which apply to Personal Information processed pursuant to the Agreement, including but not limited to the Virginia Consumer Data Protection Act, the California Consumer Privacy Act, the Colorado Privacy Act, the Connecticut Data Protection Act, the Utah Consumer Privacy Act, each as amended, replaced or supplemented from time to time, and all subordinate legislation made under them, together with any codes of practice, regulations or other guidance issued by the governments, agencies, data protection regulators, or other authorities in the relevant countries, states or other jurisdictions, and (to the extent applicable to the parties) the NAI and DAA self-regulatory codes.
- “Sub-processor” means a third-party entity that processes data on behalf of and as specifically directed by Madhive pursuant to a written contract and is thereby bound by obligations that are substantially similar to the obligations set out in this DPA.
- “Client” means Madhive client and its Affiliate companies worldwide.
- “Personal Information” or “Personal Data” shall mean any information defined as “personally identifiable information,” “personal information,” “personal data” or similar terms as such terms are defined under Applicable Privacy Laws.
- “Client Personal Information” shall mean the Personal Information of persons provided by Company which Madhive Processes in connection with Services, exclusive of IP addresses. Such persons may include, but are not limited to, Client’s current or prospective customers and site/app visitors, consumers, employees, contractors or business partners. For clarity, Client Personal Information shall not include any data collected during the provision of the Services from sources other than Client.
- “Client Third Party Partner” means any entity, exclusive of Madhive, engaged by Client for the processing of Personal Information.
- “Data Subject” means any person or household as defined by Applicable Privacy Laws.
- “Incident” means the known accidental or unlawful destruction, loss, alteration, unauthorized disclosure of Personal Information, or access to, transmission of, storage of, or otherwise processing by Madhive or a Sub-processor of Madhive.
- “Process” or “Processing” means any set of operations performed upon Personal Information, whether or not by automatic means, including the following activities: collect, retain, process, transfer, share or otherwise use.
- “Sensitive Information” means information defined as “sensitive” or “special category” about an individual or household under Applicable Privacy Laws, including but not limited to: financial account numbers, insurance plan numbers, precise information about health or medical conditions, medical records or pharmaceutical prescriptions, government-issued identifiers (such as a Social Security number), race, ethnicity, religion, trade union membership, sexual orientation, genetic or biometric information and precise location information such as GPS coordinates.
All capitalized terms not defined in this DPA shall have the meanings set forth in the Master Services Agreement or in the Applicable Privacy Laws, as applicable.
- Scope of this DPA: This DPA applies to the collection, retention, use and disclosure of the Client Personal Information to provide Services to Client pursuant to the MSA or to perform a Business Purpose, as defined below.
- Role of the Parties: The parties acknowledge and agree that with respect to the processing of Client Personal Information, Client is a Business and Madhive shall be a Service Provider.
- The Nature of Data Processed: Client Personal Information shall include pseudonymous user IDs (e.g., IP address, cookie ID, HEM or MAID) and/or logfile data collected via Client websites, mobile applications or other forms of digital media or provided in data feeds or flat files, as well as any inferences drawn from this information and any non-sensitive profiles created therefrom.
- The Business Purpose(s): Madhive shall not sell or share Client Personal Information except as directed in writing by Client including as described herein and shall use Client Personal Information to provide the Services as described in the Agreement only on behalf of Client and its Affiliates and only for the following business purpose(s): (a) to target ads and customize content on websites, mobile applications and other forms of digital media via the Services, including using cross-context behavioral advertising, targeted advertising, first-party advertising, and/or profiling; (b) for operational purposes such as contextual advertising, frequency capping, measurement, fraud detection and prevention, and ensuring and measuring viewability, auditing, security and integrity, debugging, short term, transient uses, analytics, internal research, and efforts to improve quality and safety; (c) to verify or maintain the quality of a model created for Client; and (d) to improve, upgrade, or enhance the Service without using Client Personal Information on behalf of other of Madhive’s customers. Madhive further operates as a Service Provider with respect to the use of Client Personal Information for onboarding via LiveRamp and the use of the pseudonymized / de-identified data to create targeted segments solely for Client. Each of the above is deemed a “Business Purpose” of Client Personal Information.
- Mutual Warranties: Each of the parties represents and warrants that it understands the rules, restrictions, requirements and definitions of the Applicable Privacy Laws and agrees to adhere to the requirements of the Applicable Privacy Laws that apply to each party’s Processing of Personal Information of consumers for the Services stated in the Agreement, including, but not limited to: a) having a privacy policy in compliance with Applicable Privacy Laws; b) providing Data Subjects with a privacy notice and opt-out choice where required by Applicable Privacy Laws; c) collecting affirmative consents from Data Subjects, where required by Applicable Privacy Laws; d) providing each other reasonable cooperation with respect to verifiable Data Subject requests as required under Applicable Privacy Laws. Client shall not provide “Sensitive Information” or Personal Information of Non-U.S. Data Subjects to Madhive except as otherwise agreed in writing (e.g., to provide each other with bank details to facilitate payments between the parties). Both parties further agree that Madhive is not responsible for the privacy or security practices of any of Client’s Third Party Partners.
- Media Partner Warranties: Madhive agrees that: a) it shall Process all Client Personal Information using the same standard of commercially reasonable care as Client uses to ensure the protection of such data in compliance with Applicable Privacy Laws; b) except as specifically allowed under Applicable Privacy Laws, it shall not Process Client Personal Information except for the specific business purposes and Permitted Purposes described herein, unless as required by law or a government authority (in which case Madhive shall use its reasonable efforts to notify Client before such disclosure or as soon thereafter as reasonably possible); and c) except for Sub-processors, it shall only transfer Client Personal Information to a third-party, including a Client Third-Party Partner as specifically directed by Client. Any Sub-processors will be permitted to obtain Client Personal Information only to deliver the Services Madhive has retained them to provide. Madhive shall remain fully liable for all acts or omissions of its Sub-processors. Madhive certifies that it understands the restrictions in this DPA and will comply with them.
- Client Warranties: Client agrees that it is responsible for providing legally sufficient privacy notices to applicable Data Subjects and (where required by Applicable Privacy Laws) must obtain appropriate consent from Data Subjects for Client’s information collection and use practices relating to the Services including but not limited to the use of cookies and similar technologies for tracking purposes in connection with the Services. Client further represents and warrants that: (i) it shall collect Client Personal Information in compliance with all applicable laws, regulations, and industry standards including but not limited to the Applicable Privacy Laws, (ii) it has secured all necessary rights to provide the Client Personal Information; and (iii) the person signing this Agreement or otherwise indicating acceptance of this Agreement has the requisite power and authority to execute this Agreement and bind the Client and (as applicable) any Client Affiliate(s) to perform the obligations and make the promises set forth herein, including on behalf of any customer of Client. Client further represents and warrants that Client Personal Information does not include information: (a) that Client knows or reasonably should know is from or about children under the age of 16; (b) that contains “protected health information” as defined under the Health Insurance Portability and Accountability Act (“HIPAA”); or (c) that is obtained from websites, mobile apps or other forms of media which are “covered entities” under HIPAA or are child-directed as defined under the Children’s Online Privacy Protection Act.
- Data Retention: Madhive shall retain Client Personal Information only for as long as necessary to provide Services to Client. Upon termination of the parties’ Agreement for any reason, Media Partner shall, upon request from Client, erase, delete, or destroy all or any part of such Client Personal Information in accordance with Madhive’s then current policy. Madhive may keep a copy of the Client Personal Information if required to comply with any Applicable Privacy Laws.
- Security:
- Information Security Standard. Madhive agrees that it will use commercially reasonable efforts to maintain administrative, technical, and physical safeguards that are no less rigorous than industry standard practices to ensure the security and confidentiality of Personal Information, protect against any anticipated threats or hazards to the confidentiality, availability or integrity of Personal Information, and protect against unauthorized access, use, or alteration of Personal Information.
- Written Information Security Program. Madhive shall maintain, in writing, reasonable security procedures and practices (“Written Information Security Program” or “WISP”) that are necessary to protect Personal Information within its control from unauthorized access, destruction, use, modification, or disclosure.
- Incident Procedures. Any Incident involving the nonencrypted or nonredacted Client Personal Information as defined under section 1798.81.5(d)(1) of the California Civil Code (each a “Reportable Incident”) shall be subject to the following procedures:
- Madhive shall notify Client without undue delay (within 48 hours of discovery) of any Reportable Incident by sending an email with all available and relevant details to Company’s designated email address(es).
- Madhive shall investigate the Reportable Incident, and provide reasonable and necessary cooperation with Client, including facilitating interviews with relevant personnel, and making available all relevant records, logs, files, data reporting and other materials.
- Unless required by law, Madhive shall not inform any third party of any Reportable Incident without first obtaining Company’s prior written consent inasmuch as it relates to Client Personal Information, other than to inform a complainant that the matter has been forwarded to Client’s legal counsel.
- Following a Reportable Incident, Madhive shall document responsive actions taken in connection with the Incident and shall conduct a post-breach review of events and actions taken, if any, to make changes in security practices and procedures to prevent such Incident from occurring again in the future.
- Incident Remediation. Madhive shall use commercially reasonable efforts to mitigate and remedy any Incident and prevent any further Incident at its sole expense.
- Third Party notification. Madhive agrees that, unless applicable law states otherwise, Client shall have the sole right to determine (i) whether notice of the Reportable Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in Client’s discretion, (ii) the contents of such notice, and (iii) whether any type of remediation may be offered to affected persons, as well as the nature and extent of any such remediation. Madhive agrees to reimburse Client for reasonable costs described in this section for Reportable Incidents and/or as required by applicable law.
- Data Subject Requests:
- For any Data Subject Request that Madhive receives as a Service Provider for Client, Madhive shall, at no additional cost, assist Client to provide reasonably appropriate technical and organizational measures, and any reasonably necessary product features and functionality to allow the Client to effectively fulfill its obligations to respond to Data Subject requests for information, access, correction, rectification, restriction, portability, objection, and deletion requests pertaining to Client Personal Information as required under Applicable Privacy Laws (each, a “Data Subject Request”). At the direction of a Client Affiliate, Madhive shall promptly, and in any event within thirty (30) days, unless otherwise agreed in writing, use commercially reasonable efforts to completely respond to and fulfill a Client’s request for further Data Subject Request assistance.
- Madhive shall maintain complete and accurate records in connection with each of Client’s Data Subject Requests.
- Madhive shall notify the Client of any Data Subject Requests that it receives, without responding to the individual except to acknowledge receipt of the Data Subject Request.
- Legal Compliance: Both parties agree to notify the other party within five (5) business days if it (i) has reason to believe that it is unable to comply with any of its obligations under this DPA and it cannot cure this inability to comply within a reasonable timeframe; or (ii) becomes aware of any circumstances or change in Applicable Privacy Laws that is likely to prevent it from fulfilling its obligations under this DPA. If this DPA, or any actions to be taken or contemplated to be taken in performance of this DPA, does not or would not satisfy either party’s obligations under such Applicable Privacy Laws, the Parties will negotiate in good faith an amendment to this DPA.
- Term: The term of this Addendum commences as of the Addendum Effective Date and will end upon the later of: (i) Madhive’s secure destruction (to be confirmed in writing) of all Client Personal Information Processed by Madhive under the Agreement, or (ii) such date that Madhive ceases to provide Services to Client.