This Data Protection Addendum – Processor (“DPA”) sets out the mutual responsibilities of xAD, Inc. dba GroundTruth, and, where applicable, its Affiliates (collectively, “GroundTruth”), and the GroundTruth client and, where applicable, its Affiliates who GroundTruth is directly or indirectly Processing Personal Information for or on behalf of pursuant to the Agreement (collectively, “Client”, collectively with GroundTruth, the “Parties”, each a “Party”).

1. Background.

The Services involve GroundTruth’s Processing of Personal Information obtained from or on behalf of Client, its Affiliates, and/or its clients as a Processor. This DPA includes terms designed to address requirements imposed on contracts with Processors under Data Protection Laws.

2. Definitions.
  1. Affiliate” means any entity which is controlled by, controls, or is under common control with, a Party.
  2. Agreement” means the GroundTruth Ads Manager Terms of Use entered into by and between the parties, including all terms and conditions attached thereto, for the provision of services by GroundTruth for Client.
  3. CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and regulations promulgated thereunder, as each may be amended from time to time, including without limitation by the California Privacy Rights Act and regulations promulgated thereunder.
  4. Controller” means an entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information, and includes without limitation any “business” as that term is defined under the CCPA and any similar concepts as defined by Data Protection Laws.
  5. Data Protection Laws” means all laws and regulations of the United States applicable to the protection or Processing of Personal Information under the Agreement, which may include without limitation the CCPA.
  6. Data Subject” means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.
  7. Digital Property” means any online or digital property or service (which includes without limitation websites, videos, advertisements and applications).
  8. Personal Information” means (i) any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, indirectly or directly, with a particular Data Subject or household or that is otherwise defined as “personal information,” “personal data,” or a similar term under Data Protection Laws; and (ii) that is Processed by or on behalf of GroundTruth under the Agreement for or on behalf of Client.
  9. Personnel” means any and all personnel and Subprocessors, including without limitation employees, agents, temporary resources, independent contractors, officers, and managers.
  10. Privacy Controls” means any opt-out or opt-in signals, flags, cookies, or other technological mechanisms for communicating information about a Data Subject’s exercise of rights under Data Protection Laws (including without limitation rights to object to Processing, restrict Processing, or opt-in or opt-out of Sales or Sharing of Personal Information), consent and/or withdrawal of consent to Processing, or other Data Subject choice or exercise of rights regarding the Processing of Personal Information.
  11. Process” and all conjugations thereof mean any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  12. Processor” means an entity that processes Personal Information for or on behalf of a Controller and does not determine the purposes and means of the Processing of Personal Information, and includes without limitation any “service provider” as that term is defined under the CCPA and any similar concepts as defined by Data Protection Laws.
  13. Rights Request” means a valid and enforceable request from or on behalf of a Data Subject to exercise rights with respect to Personal Information under Data Protection Laws.
  14. Sale” and all conjugations thereof have the meaning provided in Data Protection Laws.
  15. Security Incident” means any event that (i) compromises the confidentiality or security of Personal Information that requires notification to impacted Data Subjects, Client, or a governmental authority under Data Protection Laws; (ii) accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information; or (iii) constitutes a “security incident,” “personal data breach,” “breach of the security of the system,” or similar term defined by Data Protection Laws.
  16. Services” means the services provided by or on behalf of GroundTruth to or on behalf of Client under the Agreement.
  17. Share” and all conjugations thereof have the meaning provided in the CCPA.
  18. Subprocessor” means a Processor engaged by or on behalf of a Processor that Processes Personal Information.
3. Relationship of the Parties – GroundTruth as Processor.

As between the Parties, Client shall be a Controller and GroundTruth shall be a Processor with respect to any Personal Information Processed or made available to GroundTruth hereunder, except that where Client acts as a Processor, such as when Processing Personal Information to provide products and services to Client’s customers, then GroundTruth will be a Subprocessor. The nature and purpose of GroundTruth’s Processing of Personal Information and the types of Personal Information to be Processed by GroundTruth are described in Schedule 1 hereto. The duration of the Processing of Personal Information is for the duration of the Agreement or as otherwise specified by the Parties in the Agreement.

4. Processing Restrictions.

GroundTruth shall Process Personal Information only for the limited and specified purposes of providing the Services to or on behalf of Client as provided in the Agreement, as otherwise agreed by the Parties in writing consistent with the Agreement (collectively, “Instructions”), or as required by applicable law. Except as required pursuant to the Instructions or necessary to comply with applicable law or legal obligation, GroundTruth shall not: (a) Sell Personal Information; (b) Share Personal Information; (c) retain, use or disclose Personal Information outside of the business relationship between GroundTruth and Client; or (d) combine Personal Information with other information as prohibited of a Processor by Data Protection Laws.

5. Compliance and Cooperation.
  1. Compliance. The Parties will comply with Data Protection Laws. GroundTruth will provide Personal Information the same level of privacy protection as required of Client under Data Protection Laws. GroundTruth will notify Client if GroundTruth makes a determination that it can no longer meet its obligations under Data Protection Laws with respect to Personal Information.
  2. Reasonable and Appropriate Steps. Upon prior notice to and coordination with GroundTruth, Client has the right to take reasonable and appropriate steps to (i) ensure that GroundTruth uses the Personal Information consistent with the Agreement, this DPA, and applicable Data Protection Laws, which shall be met by review of Independent Assessment(s) and/or conducting of Client Assessment(s) as described in Section 5(e) below; and (ii) work with GroundTruth to stop and remediate unauthorized Processing of Personal Information upon notice of such unauthorized Processing.
  3. Cooperation and Assistance Under Data Protection Laws. GroundTruth shall, taking into account the nature of GroundTruth’s Processing of Personal Information and the information available to GroundTruth, assist Client in meeting Client’s obligations under Data Protection Laws by promptly providing upon Client’s request: (i) reasonable assistance to Client in fulfilling Client’s obligation to respond to Rights Request(s), including without limitation stopping Processing of certain Personal Information where instructed by Client and required pursuant to a Rights Request; (ii) all information reasonably necessary to Client or Client’s designee to demonstrate GroundTruth’s and/or Client’s compliance with Data Protection Laws and/or this DPA; (iii) all information reasonably necessary to enable Client to conduct and document any data protection assessments and/or privacy impact assessments required by Data Protection Laws; and (iv) reasonable assistance to Client, through appropriate technical and organizational measures, in complying with Client’s requirement to implement reasonable security procedures and practices appropriate to the nature of the Personal Information to protect the Personal Information from a Security Incident.
  4. Privacy Controls. Client or GroundTruth may provide information to the other Party regarding Privacy Controls used or implemented by such Party with respect to some or all Digital Property(ies) and will work together in good faith to find Privacy Controls that the Parties can agree upon and operationalize. If the Parties agree on a particular set or standard of Privacy Controls, the Parties will implement mechanisms for receiving and complying with Privacy Controls in accordance with applicable Data Protection Laws and Section 1798.135(f) of the CCPA.
  5. Audits and Assessments. At GroundTruth’s discretion, GroundTruth may arrange for a qualified and independent assessor to conduct, at least annually and at GroundTruth’s expense, an assessment of GroundTruth’s policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure (“Independent Assessment”), and GroundTruth will provide a report of the Independent Assessment to Client upon request. If GroundTruth does not conduct an Independent Assessment, then GroundTruth shall allow for and cooperate with reasonable audits and assessments of GroundTruth’s Processing of Personal Information by Client or Client’s designated assessor (“Client Assessment”).
6. Data Security.
  1. Technical and Organizational Measures. GroundTruth shall implement and maintain reasonable technical and organizational security measures and safeguards that (i) comply with Data Protection Laws; and (ii) are designed to protect the Personal Information within GroundTruth’s or its Personnel’s possession or control.
  2. Security Incident Notification. GroundTruth shall notify Client without undue delay if it becomes aware of a Security Incident affecting Client Personal Data and provide all information and assistance reasonably requested by Client to allow Client to investigate, remediate, and fulfill notification obligations regarding the Security Incident.
7. Personnel and Subprocessors.
  1. Personnel Confidentiality. GroundTruth will ensure that all GroundTruth Personnel that Process Personal Information are subject to a duty of confidentiality with respect to such Personal Information.
  2. Engagement of Subprocessors. GroundTruth shall engage Subprocessors pursuant to a written contract that requires the Subprocessor to comply with Data Protection Laws with respect to Personal Information and is not materially less protective of Personal Information than this DPA. GroundTruth may engage a Subprocessor to Process Personal Information so long as GroundTruth notifies Client at least ten (10) business days in advance of such engagement and provides Client with the opportunity to object to the engagement of the Subprocessor. If Client so objects pursuant to applicable Data Protection Laws on reasonable grounds relating to data protection, the Parties will work together in good faith to reasonably address Client’s concerns regarding such Subprocessor.
  3. Responsibility for Personnel. Subject to any limitations or waivers of liability in the Agreement, each Party shall be responsible and liable for the acts, omissions, Processing, and noncompliance with Data Protection Laws of its Personnel as if such Party had carried out such acts, omissions, Processing, or noncompliance.
8. Return and Deletion.

GroundTruth shall securely delete Personal Information within its possession or control within a reasonable time after expiration or termination of the Agreement. If Client instead requests the return of Personal Information, GroundTruth shall securely return the Personal Information within GroundTruth’s possession or control using an industry standard method agreeable to GroundTruth at Client’s sole expense. The foregoing deletion obligations shall not apply with respect to any Personal Information that GroundTruth is required to retain or continue to Process to comply with applicable law, legal obligation, or reasonable data retention, backup, and/or archival policy consistent with Data Protection Laws. If any Personal Information is not returned, deleted or destroyed in compliance with the foregoing, for any reason, then GroundTruth shall Process such Personal Information in accordance with this DPA and the Agreement and only for the purposes for which it is required to be retained.

9. Costs of Assistance.

GroundTruth reserves the right to charge Client a reasonable hourly fee plus reasonable costs incurred by GroundTruth in connection with any and all cooperation, assistance, or provision of information to or on behalf of Client pursuant to [Sections 5(b)-(e), 6(b), and 8] of this DPA. Client shall pay any such amounts to GroundTruth within thirty (30) days of receipt of GroundTruth’s invoice therefor.

10. Order of Precedence.

This DPA controls and supersedes the Agreement in all respects with respect to any inconsistent, contrary, or conflicting (directly or indirectly) provision or term, except to the extent the applicable provision or term of the Agreement expressly states that such provision or term supersedes this DPA. The limitations, waivers, and allocations of liability set forth in the Agreement shall apply with respect to this DPA.

SCHEDULE 1 – DETAILS OF PROCESSING

The nature and purpose of the Processing of Personal Information are:

  1. the provision of the Services identified in the Agreement to or on behalf of Client, including:
    1. activation of mobile advertising campaigns;
    2. targeted advertising;
    3. building or supplementing user profiles and/or audiences;
    4. advertising measurement and attribution; and
    5. campaign reporting.
  2. the maintenance of the Client account, administration of the relationship between GroundTruth and Client, and for customer support and Client outreach;

The types of Personal Information made available to GroundTruth for Processing hereunder are:

  1. Client contact information, including without limitation names, email addresses, telephone numbers, contents of communications with Client Personnel, and similar information;
  2. Any Personal Information collected by, or passed to, GroundTruth in connection with the provision of the Services as set forth in the Agreement, which may include without limitation device or advertising identifiers, hashed email address, IP addresses, geolocation information (latitude/longitude), and other such information; and
  3. Such other Personal Information as the Parties may agree in writing.