Online Data Processing Agreement

This Data Processing Addendum (“DPA“) supplements any associated services agreements or insertion orders (the “Agreement“) agreed between Captify Technologies Limited, of 5 Langley Street, London, WC2H 9JA (“Captify“) and the party identified in the Agreement (“you“, or the “Controller“) into which this DPA is incorporated by reference.

1. In this DPA, the following terms shall have the following meanings:

“controller“, “processor“, “data subject” and “processing” (and “process“) shall have the meanings given in European Data Protection Law; and

“Applicable Data Protection Law” means all international, national, state, or local data protection and privacy laws and regulations applicable to the personal data in question, including, where in force and applicable to a party’s activities under the Agreement: (i) European Data Protection Law, (ii) UK Data Protection Law, and (iii) any Jurisdiction Specific Terms, as set out in Appendix C.  

“European Data Protection Law” means (i) all EU regulations applicable (to the processing of personal data (such as Regulation (EU) 2016/679 (the “GDPR“)), (ii) the national laws of each EEA member state implementing any EU directive applicable to the processing of personal data (such as Directive 2002/58/EC (the “e-Privacy Directive“)), and (iii) any other national laws of each EEA member state applicable to the processing of personal data; in each case, as may be amended, superseded or replaced.

“personal data” means any data protected under Applicable Data Protection Law, and includes data designated as “personal data”, “personal information”, “personally identifiable information”, or similar terms.

“UK Data Protection Law” means (i) the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR“), (ii) the Data Protection Act 2018 (the “DPA 2018“), (iii) the Privacy and Electronic Communications (EC Directive) Regulations 2003 as they continue to have effect by virtue of section 2 of the European Union (Withdrawal) Act 2018 (“PECR“); in each case, as may be amended, superseded or replaced from time to time.  

 2. In performing its obligations under the Agreement, Captify may receive and process on behalf of Controller certain personal data of Controller’s customers or potential customers (or if Controller is an agency, those of Controller’s advertiser clients), together “Users“. This DPA relates to the processing activities detailed in the relevant Agreement.

 3. Controller must only provide personal data to Captify in compliance with all Applicable Data Protection Law. 

4. Controller shall ensure that it has a valid legal basis to process and provide such personal data to Captify for the specified purpose, including all necessary consents for storage of, or access to, pixels, cookies or similar technologies or information on any user’s device. Controller shall indemnify Captify in relation to any claims, loss, damage, costs and expenses caused to Captify by Controller’s breach of Applicable Data Protection Law and/or this provision. Controller will list Captify as a recipient of personal data in any consent tool and user information applicable to the personal data.

5. Captify will only process personal data on behalf of Controller and in accordance with Controller’s documented instructions. Captify will inform Controller if, in Captify’s opinion, any such instructions may infringe Applicable Data Protection Law. Captify will not be required to combine such personal data with any additional data, e.g. search data, that Captify may hold in relation to the same data subject for other purposes.

6. Captify shall:

a) have in place appropriate technical and organisational measures (as described in Appendix B) to safeguard the personal data against accidental or unlawful destruction, alteration, loss, access, unauthorised disclosure or any other unlawful forms of processing (a “Security Incident“);

b) notify Controller as soon as practicable of any Security Incident affecting any User personal data;

c) ensure that its staff are required to keep User personal data confidential; and

d) only engage subprocessors who will process User personal data (“Subprocessors“) in accordance with Applicable Data Protection Law. Captify’s list of Subprocessors can be provided on request.

7. Controller consents to Captify engaging third party subprocessors as set out in Section 6(d). Controller may object to the use of any new or replacement subprocessor provided such objection is based on reasonable grounds relating to data protection. In such event, Captify will either not appoint or replace the subprocessor or, if this is not possible, Controller may suspend or terminate the Agreement (without prejudice to any fees incurred by Controller prior to suspension or termination).

8. Captify shall cooperate with Controller:

a) in enabling data subjects to exercise their legal rights under Applicable Data Protection Law. Where Captify cannot identify the Controller from a data subject request, Captify may respond to, and deal with, the data subject request as if Captify is the controller;

b) to assist with compliance with Controller’s data processing obligations, including in relation to security measures and Security Incidents, and where required for the performance of Controller’s data protection impact assessments or prior consultations required to be made to competent authorities; and

c) if Captify or Controller receives an inquiry, subpoena or request for personal data, information, inspection or audit from a competent authority, relating to the processing (except where a party is prohibited by law from disclosing the request to the other party).

9. Captify shall not transfer the personal data to (nor permit the personal data to be processed in or from) a country outside of Europe unless it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. For the purpose of this clause, “Europe” means (i) the European Economic Area, and (ii) the United Kingdom. Notwithstanding this, Controller consents to Captify transferring the personal data to a recipient in a country that the European Commission (or, for transfers from the UK, the Secretary of State) has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission (or, for transfers from the UK, the Secretary of State), which are incorporated herein by reference and which may be amended or superseded from time to time.

 10. To the extent Captify processes User personal data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Appendix C, then the terms specified in Appendix C with respect to the applicable jurisdiction(s) apply in addition to the terms of this DPA. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this DPA, the applicable Jurisdiction Specific Terms will take precedence.

 11. Upon Controller’s request, or at the termination or expiry of the Agreement, Captify shall at Controller’s option delete or return all personal data (unless required to retain it under Applicable Data Protection Law).

 12. Upon Controller’s written request, Captify shall (i) provide written responses (on a confidential basis) to all reasonable requests for information made by Controller related to its processing of User personal data, including responses to information security and audit questionnaires that are necessary to confirm Captify’s compliance with this DPA; or where written responses would be insufficient (ii) cooperate with audits conducted by or on behalf of the Controller, upon reasonable prior written notice, limited to Users’ personal data, and without disrupting Captify’s other business. Controller shall not exercise its rights under this section more than once in any 12 month rolling period, unless required by Applicable Data Protection Law or order of a competent data protection supervisory authority, or immediately following a Security Incident.

 13. Captify’s total liability arising out of or in relation to this DPA, whether in contract, tort or under any other theory of liability, shall be subject to the limitations and exclusions of liability in the Agreement, and any reference to liability means the aggregate liability under and in connection with the Agreement and this DPA together.

 14. This DPA is incorporated into the Agreement and, except as expressly modified and supplemented by this DPA, the Agreement shall continue in full force and effect. In case of any conflict or ambiguity between any terms of this DPA and the Agreement, the term in this DPA will take precedence.

APPENDIX A: Data Processing Description

This Appendix A forms part of the DPA and describes the processing that the processor will perform on behalf of the controller.

Controller

The controller is (please specify briefly the controller’s activities relevant to the processing):

A client of Captify and user of the services referred to in the Agreement.

Processor

The processor is (please specify briefly the processor’s activities relevant to the processing):

Captify Technologies Ltd (or the relevant Captify entity which is party to the Agreement). Captify provides services for the Controller as referred to in the Agreement. 

Data subjects

Users as referred to in the Agreement

Categories of data

Data from searches made by Users, which may include:

COOKIE DATA (desktop web and mobile web)

Cookie ID (AppNexus or DBM ID) = “7832112024900048695“

User_agent = “Mozilla/5.0 (Linux; U; Android 4.4.2; en-gb; SM-T210 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30“

Timestamp = “2017-11-16 02:00:52”

Page_url = “http://www.imdb.com/find?ref_=nv_sr_fn&q=alien&s=all”

Referrer = “http://search.bt.com/result?p=test&y=&pr=dp”

IP Address (last octet can be removed/hashed)= “255.255.255.0”

MOBILE ADVERTISING ID DATA (MAID)

adid = “1F31480F-133C-4610-BCFD-69762AA1117C”;

aname = “com.captify.CPLoggerExample”;

contype = WiFi;

dev = “Iphone of john”;

did = “74E2C427-A8BE-484E-A54E-5A5303AB03C2”;

kw = Search Term;

lat = “37.785834”;

long = “-122.406417”;

os = iOS;

osver = “11.0”;

time = “2017-10-12 17:57:27”;

uid = 123456;

“wifi_ip” = “192.168.205.60”

Special categories of data (if appropriate)

The personal data to be processed concern the following special categories of data (please specify):

N/A. Controller shall not transfer to Captify any special categories of data.

Processing operations

The transfer is made for the following purposes:

•   Display of Impressions to Users
•   Provision of services to customers (e.g. measurement / reporting / planning / activation / data classification / User classification)
•   Product development 

 

APPENDIX B: Minimum Security Measures

This Appendix A forms part of the DPA and describes the processing that the processor will perform on behalf of the controller.

Captify has implemented and shall maintain commercially reasonable and appropriate technical and organisational measures to protect personal data against accidental loss, destruction or alteration, unauthorised disclosure or access, or unlawful destruction, including the policies, and procedures and internal controls set forth in this Appendix B.

More specifically, Captify’s security program shall include, at a minimum:

1. Access controls. Captify will implement suitable measures in order to prevent unauthorised persons from gaining access to the data processing equipment. This will be accomplished by:
• Access authorizations for employees and third parties
• Restrictions on keys
• Requirements for third parties (through DPAs)
• Identifying of the persons having authorised access

2. Access control to data. Captify commits that persons entitled to use the data processing system will only access personal data within the scope and to the extent covered by the respective access permission (authorization). This will be accomplished by:
• Locking of workstations
• Requirements for user authorisation
• Confidentiality obligations
• Differentiated access policies (e. g. partial blocking)
• Processes for the development and release of programs

3. User Control. Captify will implement suitable measures to prevent its data processing systems from being used by unauthorised persons. Further, Captify will implement suitable measures to prevent unauthorised reading, copying alteration or removal of the data media, unauthorised input into memory, reading, alteration or deletion of the stored data. This will be accomplished by:
• Access authorization requirements
• Workstation identification and / or the users accessing Captify systems
• Enforce MFA access to sensitive systems
• Logging of events and activities (monitoring of break-in attempts)
• Issuing and safeguarding the identification codes
• Authenticating authorised personnel
• Use of encryption where deemed appropriate by Captify
• Separating production and test environment
• Automatic log-off of user IDs that have not been used for a substantial period of time

4. Transmission control. Captify will secure the personal data processed through the use of the Captify’s Service. This will be accomplished by:
• Authenticating authorised personnel
• Policies controlling the production of backup copies
• Documentation of the transfer, retrieval, and transmission programs
• Authorization policy
• Encrypting external online transmission

5. Input Control. Captify will provide for the retrospective ability to review and determine the time and the point of the data subject’s personal data entry into the Captify’s data processing system. This will be accomplished by:
• Electronic recording of data processing, in particular usage of data

6. Organisational control. Captify will maintain its internal organisation in a manner that meets the requirements of Applicable Data Protection Law. This will be accomplished by:
• Internal data processing policies and procedures, guidelines, instructions, and/or process descriptions for programming, testing and release
• Implementing an emergency/backup contingency plan

7. Instructional control. The personal data transferred by Controller to Captify may only be processed in accordance with the instructions of the Controller.

8. Control of separation of data. Captify will implement suitable measures to allow the separate processing of data which have been collected for different purposes.

9. Technical Measures. Captify shall implement the following measures as appropriate, to ensure a level of security appropriate to the risks presented by the personal data:
• Firewalls
• Anti-malware
• Encryption
• Access controls
• Penetration testing/ Vulnerability scanning

 

APPENDIX C: Jurisdiction Specific Terms

1. California:

In this Appendix, the expressions “business”, “business purpose”, “commercial purpose”, “consumer”, “personal information”, “sell”, “share”, and “service provider” shall have the same definitions as in the CCPA/CPRA, and “California Personal Information” refers to personal data relating to a California consumer.

To the extent Controller provides California Personal Information to Captify, then in relation to such California Personal Information:

A. Controller is a business, and Captify is a service provider;

B. Controller discloses such California Personal Information to Captify for the limited and specific business purposes set out in the Agreement and Captify will process such California Personal Information solely on Controller’s behalf and only as necessary to perform such business purposes for Controller;

C. Captify will not:

(i) sell or share such California Personal Information; or

(ii) retain, use, or disclose such California Personal Information for any purpose (including a commercial purpose) other than for the specific business purposes of performing for Controller the services specified in the Agreement; or

(iii) retain, use, or disclose such California Personal Information outside of the direct business relationship between Controller and Captify; or

(iv) combine such California Personal Information with personal information that Captify receives from, or on behalf of, another person or persons, or collect from Captify’s own interaction with

Users (save to the extent that such combination forms part of the business purpose of the Services specified in the Agreement or as specified by Applicable Data Protection Law);

D. Controller may monitor Captify’s compliance with the Agreement, as set out in Section 12 of this DPA, and as otherwise agreed in writing;

E. If Captify engages any other person to assist Captify in processing California Personal Information on your behalf, such engagement shall be pursuant to a written contract binding such other person to observe all the requirements of this Appendix, and Captify shall notify Controller of that engagement in accordance with the provisions of Sections 6 and 7 of this DPA;

F. Captify will comply with its obligations, and provide the same level of privacy protection as is required, under the CCPA/CPRA;

G. Captify grants to Controller the rights:

(i) to take reasonable and appropriate steps to help to ensure that Captify uses such California Personal Information in a manner consistent with Controller’s obligations under the CCPA/CPRA; and

(ii) upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorised use of such California Personal Information; and

H. Captify shall notify Controller promptly if it makes a determination that it can no longer meet its obligations under the CCPA/CPRA.

2. Canada:

A. The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).

B. Captify’s Subprocessors, as described in this DPA, are third parties under Applicable Data Protection Law, with whom Captify has entered into a written contract that includes terms substantially similar to this DPA. Captify has conducted appropriate due diligence on its Subprocessors.

C. Captify will implement technical and organisational measures as set forth in this DPA, Appendix B.

3. Australia:

A. The definition of “Applicable Data Protection Law” includes the Australian Privacy Act and the Australian Privacy Principles.

B. Where personal data is or includes information that is subject to the Australian Privacy Act, its provision to Captify is a disclosure, and Captify acts as a contractor.

C. The parties acknowledge that the Applicable Data Protection Law to which Captify is subject (including in particular the UK GDPR):

(i) have the effect of protecting personal data in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect such information; and
(ii) provide mechanisms that individuals can access to take action to enforce such protections.

D. In any event the parties will cooperate in order ensure that processing (including any collection, use, disclosure, storage and destruction, or de-identification) of such personal data by Captify and Captify’s Subprocessors does not cause Customer to breach its obligations under Applicable Data Protection Law.