Data Processing Addendum for Advertisers

The terms of this Data Processing Addendum for Advertisers (“DPA”) apply whereby Adtelligent Inc. (“ADTELLIGENT”) and You (“Advertiser”) (each a “Party” and together the “Parties”) entered into a mutual agreement relating to the General Terms of Service whereby either one or both of the Parties will be sharing Personal Data (as defined herein) to the other Party in order to provide and/or receive the Services via our website clicknetic.media. This DPA shall be incorporated into the General Terms of Service and shall be binding on the Parties.

1. CONFLICT

In the event of any conflict between the provisions of the General Terms of Service and the provisions of this DPA, the provisions of this DPA shall take precedence.

2. DEFINITIONS AND INTERPRETATION

In this DPA, the following terms shall have the meanings set out below:

3. DATA PROTECTION
   • “Adtelligent Services” means the list of services provided by Adtelligent to Advertisers via its platform;
   • Scope of processing. Unless otherwise and separately agreed between the Parties, the Parties agree and understand that: (i) in connection with the Adtelligent Services, Adtelligent may collect data and transfer to Advertiser Data (including Personal Data) about or related to Data Subjects; as more particularly described in Annex A of this DPA  (ii) Adtelligent and its Publishers use Tracking Technologies in order to collect certain Data, and (iii) Adtelligent and Advertiser may process the Data for the purposes set for by the General Terms of Service and for any other purposes described in their Privacy Statements (“Permitted Purposes”).
   • Relationship of the parties. The Parties acknowledge that to the extent the Data is Personal Data, each party shall process such Data as an independent Controller only for the Permitted Purposes.
   • Shared Personal Data. A Party shall share (“Data Exporter”) the Shared Personal Data with the other Party (“Data Importer”) for the purpose of performing under provisions of the General Terms of Service by the Parties. The Parties are separate and independent Data Controllers, and in no event will the Parties process the Shared Personal Data as joint controllers.
   • Effect of non-compliance with Data Protection Legislation. Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Legislation, and any material breach of the Data Protection Legislation by one Party shall, if not remedied within 30 (thirty) days of written notice from the other Party, give grounds to the other Party to terminate this DPA with immediate effect.
   • The Data Exporter obligations. The Data Exporter shall: (a) ensure that it has all necessary notices and consents, where applicable, to enable the lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes, including but not limited to, any notices and consents required under the e-Privacy Legislation; (b) record, document, store and make available to the Data Importer upon request the legal bases and consents that are being relied on to request the Services; (c) when required, list the Data Importer, with a link to its privacy policy, to its list of vendors as a Data Controllers with respect to the Services; and (d) give full information to any Data Subject whose Personal Data may be processed under the General Terms of Service of the nature of such processing and their rights regarding such processing as required under the Data Protection Legislation.
   • The Data Importer obligations. The Data Importer shall: (a) only process the Shared Personal Data for the Agreed Purposes; (b) process the Shared Personal Data in accordance with Applicable Laws; (c) maintain appropriate technical and organizational measures for the protection, security, confidentiality and integrity of the Shared Personal Data; (d) notify the other Party within 72 hours of discovering a data incident involving the Shared Personal Data and fully cooperate with the Data Exporter to remedy the incident; (e) not disclose the Shared Personal Data to any third party unless permitted by the Data Exporter in writing and if such permission is granted, it shall ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this Data Processing Addendum; and (f) not retain the Shared Personal Data for longer than the period during which it has a legitimate need to retain the Shared Personal Data for or in connection with the Agreed Purposes.
   • US State Privacy Laws Compliance. For data of California residents, each party agrees to comply with California Consumer Protection Act (CCPA) and will employ reasonable efforts to provide a Do Not Sell My Information link on the home page of any Property where Shared Personal Data will be provided.  For users who exercise the CCPA Do Not Sell right, each Party agrees to limit the uses of Shared Data as restricted by the CCPA. For data of Virginia residents, each party agrees to comply with Virginia Consumer Data Protection Act (VCDPA) and not to use “dark patterns” to obtain the consumer consent. For data of New York residents, each party agrees to comply with New York Privacy Act (NYPA). For data of Washington residents, each party agrees to comply with Washington Privacy Act (WPA). For data of Colorado residents, each party agrees to comply with Colorado Privacy Act (CPA). There are also Connecticut Data Privacy Act (CDPA), and the Utah Consumer Privacy Act (UCPA) and the Parties are obligated to comply with.
   • Industry Standards. Each Party will use reasonable efforts to provide or require partners to provide end users with notice of the use and sharing of Shared Personal Information and to provide end users with the ability to opt-out of the uses of Shared Personal Information for cross-contextual advertising, as defined by industry best practices.
   • Mutual assistance. Each Party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each Party shall:
     • if required, consult with the other Party about any notices given to Data Subjects in relation to the Shared Personal Data;
     • promptly inform the other Party about the receipt of any Data Subject access or deletion request or any other request permissible under applicable Data Protection Legislation;
     • provide the other Party with reasonable assistance in complying with any Data Subject access or deletion request;
     • inform the other Party before or after disclosing or releasing any Shared Personal Data in response to a Data Subject access request;
     • assist the other Party in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators;
     • notify the other Party without undue delay on becoming aware of any breach of the Data Protection Legislation;
     • use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from transfers of such Shared Personal Data;
     • maintain complete and accurate records and information to demonstrate its compliance with this paragraph; and
     • provide the other Party with contact details of at least one employee as a point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the Parties’ compliance with the Data Protection Legislation.
   • International Transfers. The Recipient Party shall not process, nor permit the processing of, any of the Shared Personal Data, in a territory outside the European Economic Area or the United Kingdom or Switzerland (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Data Protection Legislation. Such measures may include, without limitation, transferring the Shared Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data for internal transfers by a recipient that has achieved binding corporate rules authorization in accordance with Applicable Laws, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
   • Storage limitation. The Data Importer shall retain the Shared Personal Data for no longer than necessary for the purpose(s) determined according to the General Terms of Service for which it is processed. It shall put in place appropriate technical and organizational measures to ensure compliance with this obligation, including the erasure or anonymization of the data and all backups at the end of the retention period.
   • Measure to ensure the security of processing. Each Party undertakes to observe the principles of due and proper data processing in accordance with Art. 32 in conjunction with Art. 5 (1) GDPR. Each Party shall take all necessary measures to safeguard the data and the security of the processing, in particular taking into account the state of the art, as well as to reduce possible adverse consequences for the affected parties. Measures to be taken include, in particular, measures to protect the confidentiality, integrity, availability, and resilience of systems and measures to ensure continuity of processing after incidents. In order to ensure an appropriate level of processing security at all times, each Party shall regularly evaluate the measures implemented and make any necessary adjustments. The Data Importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security. The Data Importer shall ensure that persons authorized to process the Shared Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. In the event of a personal data breach concerning personal data processed by the Data Importer under this DPA, the Data Importer shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects.
   • Noncompliance. If Data Exporter is unable to comply with its consent and notice obligations under the General Terms of Service (including this DPA) in respect of the Shared Personal Data, the Data Exporter shall promptly notify Data Importer and cease the transfer until mitigation.

4. DATA TRANSFERS
   • Standard Contractual Clauses. The parties agree that when the transfer of Personal Data from Adtelligent (as Data Exporter) to Advertiser (as Data Importer) is a Restricted Transfer and European Data Protection Law applies, the transfer shall be subject to the Standard Contractual Clauses, which shall be deemed incorporated into and shall form part of this DPA, as follows:
   • in relation to transfers of Personal Data protected by the GDPR, the Standard Contractual Clauses shall apply, completed as follows: (i) in Clause 7, the optional docking clause will apply, (ii) in Clause 11, the optional language will not apply; (iii) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by laws of Ireland; (iv) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (v) Annex I of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex A to this DPA; and (vii) Annex II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annex B to this DPA;

• in relation to transfers of Personal Data protected by UK Privacy Law, the Standard Contractual Clauses shall also apply completed in accordance with paragraph (a) above, but as modified and interpreted by Part2: Mandatory Clauses of the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annexes A and B of this DPA, and Table 4 in Part 1 shall be deemed completed by selecting “neither party”; and
• in relation to transfers of Personal Data protected by the Swiss DPA, the Standard Contractual Clauses shall also apply completed in accordance with paragraph (a) above, with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”; (iv) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (v) Clause 13(a) and Part C of Annex A are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner; (vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; (vii) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and (viii) Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
  • Adequacy Mechanisms. The terms of the Standard Contractual Clauses will not apply where and to the extent Adtelligent (as Data Exporter) and the applicable transfer of Personal Data are covered by an alternative, suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for Personal Data (provided that it is deemed legally valid in jurisdictions subject to European Data Protection Law), including any U.S. – EU cross-border data transfer program which supersedes the Privacy Shield (an “Adequacy Mechanism”). Where an Adequacy Mechanism applies, Adtelligent shall process the Personal Data in compliance with the Adequacy Mechanism, and the Standard Contractual Clauses shall not apply.
  • Alternative Transfer Mechanisms. The Parties agree that if European Data Protection Law no longer allows the lawful transfer of Personal Data under the Standard Contractual Clauses and/or a relevant regulator or court of competent jurisdiction requires the parties to adopt additional measures (“Additional Measures“) or an alternative data export solution (“Alternative Transfer Mechanism“) to enable the lawful transfer of data outside of Europe and such requirements are not satisfied by an Adequacy Mechanism in line with the paragraph above (if applicable), both Parties agree to cooperate and agree any Additional Measures or Alternative Transfer Mechanism that may be required (but only to the extent such Additional Measures or Alternative Transfer Mechanism extend to the territories to which data is transferred).
  • It is not the intent of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses. Accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the General Terms of Service, including this DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict.

5. MISCELLANEOUS PROVISIONS
   • Contact. Advertiser shall notify Adtelligent of a representative within its organization authorized to respond from time to time to inquiries regarding the data and shall deal with such inquiries promptly. The representative within Adtelligent authorized to respond from time to time to inquiries regarding the data and who shall deal with such inquiries promptly can be contactable here: legal@clicknetic.media.
   • Changes in Law. In the event that there is a change in the privacy requirements that apply to the processing of data, that would, in the reasonable opinion of a Party, require changes to the Adtelligent Services, the means by which the Adtelligent Services are provided or used and/or terms and conditions of this DPA, that Party reserves the right (acting reasonably) to request such changes; provided that, to the extent possible, the Party requesting the change will provide at least thirty (30) days prior notice (including by email or via Advertiser account on the Adtelligent Platform) of such changes and agrees to discuss such changes in good faith. If the requested changes will cause material harm to any Party (which includes for the avoidance of doubt, causing a Party to be in breach of European Data Protection Law) or materially alter any Party’s provision or use (as applicable) of the Adtelligent Services, such Party may terminate the effect of the General Terms of Service for the affected Adtelligent Services upon written notice without liability for such termination.
   • Indemnity. Advertiser shall indemnify Adtelligent against all liabilities, costs, expenses, damages, and losses (including but not limited to any direct, indirect, or consequential losses, loss of profit, loss of reputation, and all interest, penalties, and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by Adtelligent arising out of or in connection with the breach of the Applicable Laws by the Advertiser, its employees or agents, provided that Adtelligent gives to the Advertiser prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and sole authority to manage, defend and/or settle it.
   • Security. Both Parties shall implement appropriate technical and organizational measures to protect the copy of the data in their possession or control (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the data.
   • General. With effect from the effective date, this DPA is part of and incorporated into the General Terms of Service. To the extent there are any prior agreements with regard to the subject matter of this DPA, this DPA supersedes and replaces such prior agreements. This shall survive termination or expiry of the General Terms of Service. Upon termination or expiry the General Terms of Service Parties may continue to process the data provided that such processing complies with the requirements of this DPA and the Applicable Laws. This DPA may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. This DPA may be executed by means of accepting the General Terms of Service by the Advertiser upon registration on the Adtelligent’s platform and may be signed, scanned, and emailed, and any such copies shall be treated as original for all applicable purposes.

ANNEX A

Description of the Transfer

1. List of Parties

Controller/ Data importer:

Controller / Data exporter:

2. Description of Data Transfer

Defined terms are as set out in the Data Processing Addendum agreed between the parties.

ANNEX B

Technical-organizational Measures

Version 1.5 as of June 24, 2022

1. Confidentiality

1.1. Physical Access Control

Procedures applied:

Establishment of secure areas

Securing of access paths

Determination of access authorisations for

− employees of the company

− external parties (maintenance staff, visitors, etc.)

− authentication of persons with access authorisation

− monitoring of access

Measures for physical access control:

a) Definition/classification of security zones

b) Implementing of protection against access

• Fences
• Identity checks by the gatekeeper/reception
• A security fence surrounds entire land area/building with a permanently staffed perimeter guard house.
• Video surveillance
• Biometric
• Mandatory access authentication (via key, chip card etc.) for all persons
• Securing all building shafts
• Use of electronic physical access control

c) Securing zones/rooms by means of safety glass

d) Determining individuals with authorised access by means of roles and groups

e) Administration and documentation of personal physical access authorisations by means of organisational regulations regarding system access authorisations for the business area

f) Accompanying of visitors and external personnel

• Monitoring visitors (accompaniment, visitor ID, signing in)
• Regulations regarding cleaning staff (careful selection, cleaning during office hours, requiring data secrecy, signing in etc.)
• Careful selection of security staff
• Regulations regarding maintenance personnel (accompaniment, prior registration, proof of identity, signing in etc.)

g) Monitoring of the zones/rooms outside of office hours by means of

• video surveillance
• alarm system (connected to police/fire department/external security firm/central office/gatekeeper)
  
  
  

1.2 System Access Control

Procedures applied

Determination of access authorisations for

• employees of the company
• authentication of persons with access authorisation
• monitoring of access
• access to PC work stations and mobile computers like laptops

Measures for system access control

a) Protection of access to all data processing systems by means of user authentication

b) Availability of boot passwords (Desktop and Notebooks) (login password)

c) Wi-Fi security control with password policy for Wi-Fi passwords (min. 20 characters, upper-case and lower-case letters, numbers and non-alphanumeric character etc.)

d) Login credentials are managed within a password manager

e) Strict authentication for highest-level protection by means of use of mechanisms that require possession and knowledge for authentication

f) Simple authentication (user name/password) for high-level protection

• Requirements for the passwords (such as using at least 8 characters, at least 1 upper-case letter, at least 1 number)
• Expiration of the password (after 90 days)

g) Authentication data is solely transmitted in an encrypted form (Active Directory)

h) Blocking of access in the case of failed attempts/inactivity and procedure for resetting blocked access identifiers

• Secure procedure for resetting blocked access
• Blocking a user’s access after long periods of inactivity

i) Determination of authorised persons

• The existence of role concepts (predefined user profiles)
• Always assigning access rights individually (personally)
• The circle of authorised persons is to be reduced to the minimum number required for operation of the company
• Regularly reviewing individual authorisations to assess whether they are necessary

j) Administration and documentation of personal means of authentication and access authorisations

• A process for the application, approval, allocation and resetting of means of authorisation and access is established, described and in use
• A responsible person is named for the allocation of access authorisations
• Absence substitution rules

k) Measures at the user’s workplace

• When there are more than 15 (fifteen) minutes of inactivity at the workstation or the terminal, the password-protected screen saver is automatically activated by means of the operating system’s own mechanisms
• Workstations and terminals will be locked by employees against unauthorised use during temporary absence from the workstation during temporary absence

1.3. Data Access Control

Procedures applied

1. Determination of the data access and usage authorisations enabling access to data by individuals via automated devices
2. Determination of the data access authorisations enabling access to data via automated devices for the data areas
3. Authentication of the individuals authorised to access and use the data
4. Implementation of data access control
5. Implementation of a use control for data processing systems

Measures for data access control

a) Existence of regulations and procedures governing the creation, alteration and erasure of authorisation profiles or user roles

b) Use of passwords and defined password rules

c) Authorised individuals can only access data that is established in their individual authorisation profiles

d) Limitation of the scope of authorisations to the absolute minimum necessary for the performance of the relevant tasks or functions (in terms of logistics, timeframes etc.)

e) Administration and documentation of personal physical data access authorisations

A process for the application, approval, allocation and resetting of means of authorisation and access is established, described and in use

Authorisations are tied to a personal user identifier and to an account

If the foundation for an authorisation ceases to apply (e.g. due to a change in function), this authorisation is to be immediately withdrawn

The process is to be documented and the documentation saved for 12 months. (Admin zone & Member zone)

f) Suitable measures have been implemented in order to prevent any single person being assigned a combination of various roles or rights of access which results in his or her acquiring an excessive degree of power

g) All transactions where data are read, entered, changed and deleted are logged (user identifiers, transaction details) and archived in an audit-proof form for at least 6 months

h) Secure storage of data media

1.4. Data Separation Control

Procedures applied

1. Monitoring for compliance with regulations and measures
2. Verification and permanent adjustment of the effectiveness of regulations and measures
3. Determination of a data protection officer

Measures for data separation control

a) Implementation and documentation of the separation of functions

b) Availability of guidelines and operating instructions

c) Availability of procedural documentation

d) Implementation of regulations governing programming

e) Regulations governing system and program reviews

f) There are technical and organisational regulations and measures for ensuring separate processing

g) And/or there are technical and organisational regulations and measures for storing data and/or data media with different contractual purposes

h) Implementation of a coordination and control system

1.5. Pseudonymisation

Procedures applied

1. Assessing whether the specific data processing can also take place without direct reference to individual persons.
2. Assessing which options for pseudonymisation are available.

Measures for pseudonymisation

a) Pseudonymized user ID

b) Separate pseudonymized data storage

Integrity

2.1. Transfer Control

Procedures applied

• Specification of the bodies to which data may be forwarded by using data transfer facilities.
• Documentation in such a manner as to render possible the identification of any ‘third parties’
• Specification of the parties authorised to transmit or transport the data
• Specification of areas in which data media may be located
• Securing of areas in which data media are located
• Authentication of persons and companies authorised to transport the data

Measures for transfer control

a) Encryption of data transmitted between clients and servers

b) A regulation is in place for the preparation of copies

c) Back-end transmissions

• Connection to the back-end systems is protected
• Connections between back-end systems is protected
• Data requiring a high level of protection are encrypted
• Data leaving the protected area (e.g. a data centre) is encrypted

d) Secure storage of data

• Data are encrypted and stored in a database of reliable processors
• Data are also encrypted and stored in a backup

e) Regulations governing consignments

• There are packaging and forwarding instructions for the transportation of personal data by way of data storage devices
• It is mandatory to encrypt personal data before it is transferred

f) Procedure for collection and disposal

• The destruction of data storage devices is regulated to take place in a manner that conforms with data protection and is to be recorded
• The destruction of documents is regulated to take place in a manner that conforms with data protection and is to be recorded and stored for 9 (nine) months

g) Procedure for erasure/destruction of data in accordance with data protection legislation

h) Systems can only be accessed from outside of the company network by means of secured VPN access.

2.2. Input Control

Procedure applied

Documentation of the data entry process, with the possibility of subsequently verifying the data entries made

Measures for input control

a) Traceability of any entering, altering and erasure of data through the use of individual user names (not user groups)

3. Availability and resilience

Procedures applied

1. Development of a concept of back-up policy
2. Development of a disaster recovery plan
3. Development of a concept to counteract overloading and external attacks

Measures for availability and resilience

a) Back-up concept

• There is a backup concept
• Backups occur daily
• Regular checks are carried out to verify that it is possible to restore the backup

b) There is a disaster recovery plan in place which lists and defines the steps to be initiated and the individuals (particularly on the side of the client) who are to be notified of the incident.

c) Storage of data back-ups in fire- and waterproof data security cabinets by reliable processors

d) Regular checking of the condition and labelling of data media used for data back-ups

e) Availability and regular testing of emergency generators and overvoltage protection devices

f) Permanent monitoring of operational parameters

g) Devices for monitoring the temperature and humidity in server rooms held by reliable processors

h) Fire and smoke alarms

i) Alarms signalling any unauthorised access to server rooms

4. Process for regularly testing, assessing and evaluation

4.1. Privacy Management

Procedures applied

1. Development of a concept for regular verification of the technical and organisational measures
2. Determining an evaluation schedule
3. Definition of the required human and organizational responsibilities

Measures for testing, assessing and evaluation

a) Selecting a data protection officer

b) Determining auditing schedules and procedures

c) Monitoring execution

d) Evaluating the findings

e) If necessary, adjusting the TOMs

4.2. Incident Response Management

Procedures applied

1. Determining a concept for providing incident response management
2. Determining an incident response plan
3. Determining an incident response team

Measures for incident response management

a) Determining possible cases of data breaches

b) Describing the process that is to take place in case of a data breach

c) Describing the responsibilities

4.3. Data protection-oriented default settings

Procedure

1. Determining which data are strictly necessary
2. Determining measures for reducing unnecessary data