U.S. Data Processing Agreement Addendum
This Wunderkind (the “Supplier”) U.S. Data Processing Addendum (“DPA”) is incorporated by reference into any and all services agreements, order forms, insertion orders and addendums currently in place between Company and Wunderkind (the “Agreement(s)”). This U.S. DPA applies to the Processing of Personal Information in connection with the Services provided to the Company and the Company’s Affiliates.
a. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Company or Supplier respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
b. “Applicable Privacy Laws” means any U.S. state or federal privacy or security law and/or self-regulatory code that is in effect during the Term, and which applies to Personal Information processed pursuant to the Agreement, including but not limited to the Virginia Consumer Data Protection Act, the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Protection Act, the Utah Consumer Privacy Act, each as amended, replaced or supplemented from time to time, and all subordinate legislation made under them, together with any codes of practice, regulations or other guidance issued by the governments, agencies, data protection regulators, or other authorities in the relevant countries, states or other jurisdictions, and (to the extent applicable to the parties) the NAI and DAA self-regulatory codes.
c. “Approved Sub-processor” means a third-party entity that processes data on behalf of and as specifically directed by Supplier pursuant to a written contract and is thereby bound by obligations that are substantially similar to the obligations set out in this DPA. A list of Approved Sub-processors is available at https://www.wunderkind.co/privacy/data-subprocessors/.
d. “Company” means Wunderkind Client and its Affiliate companies worldwide.
e. “Personal Information” or “Personal Data” shall mean: (1) any information relating to an identified or identifiable natural person or household; and (2) any information defined as “personally identifiable information,” “personal information,” “personal data” or similar terms as such terms are defined under Applicable Privacy Laws.
f. “Company Personal Information” shall mean the Personal Information provided by Company which Supplier Processes in connection with Services provided by Supplier. Such individuals may include, but are not limited to, Company’s current or prospective customers and site/app visitors, consumers, employees, contractors or business partners.
g. “Company Third Party Partner” means any entity, exclusive of Supplier, engaged by Company for the processing of Personal Information.
h. “Data Subject” means any person or household as defined by Applicable Privacy Laws.
i. “Process” or “Processing” means any set of operations performed upon Personal Information, whether or not by automatic means, including the following activities: collect, retain, process, transfer, share or otherwise use.
j. “Incident” means the known accidental or unlawful destruction, loss, alteration, unauthorized disclosure of Personal Information, or access to, transmission of, storage of, or otherwise processing by Supplier or a Sub-processor of Supplier.
k. “Sensitive Information” means information defined as “sensitive” or “special category” about an individual or household under Applicable Privacy Laws, including but not limited to: financial account numbers, insurance plan numbers, precise information about health or medical conditions, medical records or pharmaceutical prescriptions, government-issued identifiers (such as a Social Security number), race, ethnicity, religion, trade union membership, sexual orientation, genetic or biometric information and precise location information such as GPS coordinates.
l. “Service Provider” means the Processing of Company Personal Information by Supplier as directed by Company and for no other purpose as defined under Applicable Privacy Laws whereby Service Provider does not sell or share such information unless directed in writing by Company.
- The Nature of Data Processed: Company Personal Information shall include email addresses (which will be de-identified and/or rendered as pseudonymous personal information by Supplier) and/or pseudonymous user IDs (e.g., cookie ID, HEM or MAID) and logfile data collected via Company websites, mobile applications or other forms of digital media.
- The Business Purpose(s): Supplier shall provide the Services as described in the Agreement only for the following business purpose(s): (a) providing advertising and marketing services, (b) undertaking internal research for technological development and demonstration, (c) operating the Program, and (d) undertaking activities to verify or maintain the quality or safety of a Service that is manufactured for Company, and to improve, upgrade, or enhance the Service. Each of the below is deemed a “Permitted Purpose” of Company Personal Information where Supplier is a Service Provider as indicated on the applicable order form:
- The Ad Serving Platform – Company Personal Information is used to help Client better understand how Client websites are being utilized, draw insights on how to better engage Client’s site visitors, to deliver more relevant advertising messages based upon those site visits, and to provide Clients with ad delivery reports.
- The Behavioral Automation Platform – Company Personal Information is used to target ads and emails powered by data that each Client collects from direct interactions with its customers and/or site visitors.
- The Identity Platform – Company Personal Information is used to generate a pseudonymous ID in order: (i) to help us understand whether two devices are likely to be used by the same User or household, (ii) enable Clients to onboard demographic data and other data onto profiles linked to a User or household, and (iii) purchase digital media as directed by Client.
- The Performance Advertising Platform – Personal Information is used to create and utilize interest segments to target and deliver ads as well as report on ad campaigns run by Client. To the extent that Client provides profile data, such data is Company Personal Information and shall only be used for the benefit of Client.
- The Audiences Platform – Company Personal Information is used to provide a customer data platform that enables Client to unify its information for analytics and market research purposes and to send targeted email, text (e.g., SMS/MMS) marketing messages using such information.
- Consumer Integrity Program. Company grants to Supplier the right to access and use data derived from Company Personal Information (including pseudonymous identifiers) (the “Program Data”) in connection with the provision of its device and consumer integrity program (the “Program”) in which Company and other companies participating in the Program (together, the “Participants”) permit Supplier additional rights to collect and use data generated by Company’s use of Platforms and Services to better identify the end-users of Participants’ websites for the benefit of Company and other Participants in the Program. A Participant’s cookie or other first-party ID data included in the Program Data will not be accessed by or transferred to any other Participant. Company also grants Supplier the right to disclose Program Data for use in connection with the Program and related Supplier services, as long as any disclosure of such data is aggregated, anonymized or otherwise does not individually identify Company. Supplier is not obligated to disclose to Company the identity of any Participant. Company must cease all use of Program Data upon notification by Supplier. As between Supplier and Company, Supplier will own all rights in and to all Program Data and shall use Program Data in accordance with Applicable Privacy Laws.
- Supplier Warranties: Supplier agrees that: a) it shall Process all Personal Information using the same standard commercially reasonable care as Company to ensure the protection of such data in compliance with Applicable Privacy Laws; b) except as specifically allowed under Applicable Privacy Laws, it shall not Process Company Personal Information except for the specific Business Purposes described herein unless as required by law or a government authority (in which case Supplier shall use its reasonable efforts to notify Company before such disclosure or as soon thereafter as reasonably possible); c) except as specifically allowed under Applicable Privacy Laws, it shall not Process (for purposes of clarity, such Processing may not include the sale, transfer to a third-party or combination with other data) Company Personal Information for any commercial purpose outside of the direct business purpose except to provide the Services; and d) except for Approved Sub-processors, it shall only transfer Company Personal Information to a third-party, including a Company Third-Party Partner as specifically directed by Company. Any Approved Sub-processors will be permitted to obtain Company Personal Information only to deliver the Services Supplier has retained them to provide. Supplier shall remain fully liable for all acts or omissions of its Approved Sub-processors.
- Data Retention: Supplier shall retain Company Personal Information only for as long as necessary to provide Services to Company. Upon termination of the parties’ Agreement for any reason, Supplier shall erase, delete, or destroy all or any part of such Company Personal Information in accordance with Supplier’s policy.
a. Information Security Standard. Supplier agrees that it will use commercially reasonable efforts to maintain administrative, technical, and physical safeguards that are no less rigorous than industry standard practices to ensure the security and confidentiality of Personal Information, protect against any anticipated threats or hazards to the confidentiality, availability or integrity of Personal Information, and protect against unauthorized access, use, or alteration of Personal Information.
b. Written Information Security Program. Supplier shall maintain, in writing, reasonable security procedures and practices (“Written Information Security Program” or “WISP”) that are necessary to protect Personal Information within its control from unauthorized access, destruction, use, modification, or disclosure. Without limiting the generality of the foregoing statement, the WISP shall at a minimum encompass each of the elements set forth below.
c. Incident Procedures. Any Incident involving the nonencrypted or nonredacted Company Personal Information as defined under section 1798.81.5(d)(1) of the California Civil Code (each a “Reportable Incident”) shall be subject to the following procedures:
i. Supplier shall notify Company without undue delay (within 48 hours) of any Reportable Incident by sending an email with all available and relevant details to Company’s designated email address(es).
ii. Supplier shall investigate the Reportable Incident, and provide reasonable and necessary cooperation with Company, including facilitating interviews with relevant personnel, making available all relevant records, logs, files, data reporting and other materials, and providing Company with reasonable physical access to the facilities affected.
iii. Unless required by law, Supplier shall not inform any third party of any Reportable Incident without first obtaining Company’s prior written consent, other than to inform a complainant that the matter has been forwarded to Company’s legal counsel.
iv. Following a Reportable Incident, Supplier shall document responsive actions taken in connection with the Incident and shall conduct a post-breach review of events and actions taken, if any, to make changes in security practices and procedures to prevent such Incident from occurring again in the future.
d. Incident Remediation. Supplier shall use its commercially reasonable efforts to mitigate and remedy any Incident and prevent any further Incident at its sole expense.
e. Third Party notification. Supplier agrees that, unless applicable law states otherwise, Company shall have the sole right to determine (i) whether notice of the Reportable Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in Company’s discretion, (ii) the contents of such notice, and (iii) whether any type of remediation may be offered to affected persons, as well as the nature and extent of any such remediation. Supplier agrees to reimburse Company for reasonable costs described in this section for Reportable Incidents and/or as required by applicable law.
- Compliance Audits: Once per year, Company (or its appointed representatives) may carry out an inspection of Supplier’s operations and facilities at Company’s expense and during normal business hours and subject to reasonable prior notice where Company considers it necessary or appropriate (for example, without limitation, where Company has reasonable concerns about Supplier’s compliance with Applicable Privacy Laws, following a Reportable Incident or following instruction from a data protection authority).
- Data Subject Requests:
a. Supplier shall, at no additional cost, assist Company to provide appropriate technical and organizational measures, and any necessary product features and functionality to allow the Company to effectively fulfill its obligations to respond to Data Subject requests for information, access, correction, rectification, restriction, portability, objection, and deletion requests pertaining to Company Personal Information as required under Applicable Privacy Laws (each, a “Data Subject Request”). At the direction of a Company, Supplier shall promptly, and in any event within thirty (30) days, unless otherwise agreed in writing, completely respond to and fulfill a Company’s request for further Data Subject Request assistance.
b. Supplier shall maintain complete and accurate records in connection with each of Company’s Data Subject Requests.
c. Supplier shall notify the Company of any Data Subject Requests that it receives, without responding to the individual except to acknowledge receipt of the Data Subject Request.
- Legal Compliance: Both parties agree to notify the other party within five (5) business days if it (i) has reason to believe that it is unable to comply with any of its obligations under this DPA and it cannot cure this inability to comply within a reasonable timeframe; or (ii) becomes aware of any circumstances or change in Applicable Privacy Laws that is likely to prevent it from fulfilling its obligations under this DPA. If this DPA, or any actions to be taken or contemplated to be taken in performance of this DPA, does not or would not satisfy either party’s obligations under such Applicable Privacy Laws, the Parties will negotiate in good faith an amendment to this DPA.
- Term: The term of this Addendum commences as of the Addendum Effective Date and will end upon Supplier’s secure destruction (to be confirmed in writing) of all Company Personal Information Processed by Supplier under the Agreement.