This Data Protection Addendum (this “DPA”) is entered into between Sabio, Inc. (“Sabio”) and the entity identified as “Company” in the Agreement, and forms a part of and is incorporated by reference into the Agreement. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
- Definitions.
a. “Advertising Purposes” means all Restricted Purposes in addition to (i) activities that constitute Targeted Advertising or Cross-Context Behavioral Advertising under US Privacy Laws, including any Processing that involves displaying Ads to a Consumer that are selected based on the Consumer’s cross-context behaviors, and (ii) creating or supplementing user profiles for such purposes.
b. “Agreement” means the Supply Master Service Agreement or other services agreement between Sabio and Company.
c. “Data Protection Laws” means all applicable laws, rules and regulations governing privacy, data protection, security and/or the Processing of Personal Data, including but not limited to EC Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and the EU e-Privacy Directive (Directive 2002/58/EC) (the “e-Privacy Directive”), data protection and privacy laws of the United Kingdom in effect from time to time (collectively with the GDPR, “EU Data Protection Law”), the local law of the place(s) where Processing by a party and its Personnel takes place, the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act (the “CPRA”), the Virginia Consumer Data Protection Act (the “VCDPA”), the Colorado Privacy Act (the “CPA”), the Connecticut Data Protection Act (the “CTDPA”), the Utah Consumer Privacy Act (the “UCPA”), the Federal Trade Commission’s FTC Act Section 5, and all other applicable laws and regulations in the United States (collectively “US Privacy Laws”), in each case, all of the foregoing as applicable, and as they take effect or are amended, replaced or supplemented from time to time, and all subordinate legislation made under them, together with any binding codes of practice, regulations or other guidance issued by the governments, agencies, data protection regulators, or other authorities in the relevant countries, states or other jurisdictions.
d. “Data Subject” or “Consumer” means a natural person to whom any Personal Data Processed under the Agreement pertains.
e. “IAB TCF Framework” means the IAB Europe’s Transparency & Consent Framework for processing Personal Data for Data Subjects in the EU and UK, and any successors thereto.
f. “Personal Data” means information provided by Company to Sabio or collected by Sabio on Company’s behalf that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, or as otherwise defined under Data Protection Laws (including any equivalent terminology such as “Personal Information” or “Personally Identifiable Information”).
g. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed, by Sabio for Company.
h. “Restricted Purposes” means advertising-related Processing that qualifies as a Business Purpose under CPRA, which includes first-party advertising, contextual advertising, internal research, frequency capping, measurement, auditing, security and integrity, debugging, fraud detection and prevention, ensuring and measuring viewability, and advertising or marketing services that do not include Cross-Contextual Behavioral Advertising, Targeted Advertising or profiling, each of the foregoing only to the extent such activity (i) is permissible for a Processor to perform under the applicable US Privacy Laws; and (ii) does not result in a Sale or Sharing of Personal Data or constitute Processing of Personal Data for Targeted Advertising or Cross-Context Behavioral Advertising.
i. “Restricted Processing Signal” means any flag or signal indicating that a Consumer has opted out of the Sale, Sharing, or Processing of their Personal Data for purposes of Targeted Advertising or Cross-Context Behavioral Advertising, which flag or signal is sent by Company to Sabio through a method mutually agreed to by the parties as further described in Section 3(c) hereof.
j. “Business Purpose”, “Business”, “Controller”, “Cross-Context Behavioral Advertising”, “Processor”, “Process”, “Processing”, “Sell”, “Selling”, “Sales”, “Service Provider”, “Share”, “Sharing”, “special categories of personal data”, “Sensitive Information”, “Sensitive Personal Information”, “Cross-Context Behavioral Advertising”, “Targeted Advertising” and “Third Party” shall have the meanings assigned to them in applicable Data Protection Laws.
k. “Sub-Processor” or “Subprocessor” means an entity engaged by a party that will Process Personal Data on behalf of such party, or as otherwise defined in Data Protection Laws.
- Compliance; Role of the Parties.
a. Each party represents, warrants and covenants that it shall comply with Data Protection Laws.
b. With respect to Personal Data Processed in connection with Company’s use of Services, each party is an independent Controller of the Personal Data that it collects or Processes pursuant to the Agreement. Each Party may use such Personal Data for its lawful business purposes in compliance with Data Protection Laws, and each Party shall be individually and separately responsible for complying with the obligations that apply to it as a Controller under Data Protection Laws with respect to such Personal Data. The Parties agree that they are not joint Controllers of any Personal Data. Each Party will individually determine the purposes and means of its Processing of the Personal Data. For purposes of the CCPA and CPRA, Company is considered to be the “Business” and Sabio is considered to be a “Third Party” with respect to such Personal Data.
c. Restricted Processing. Where a Data Subject exercised their rights to opt out of the Sale or Sharing of Personal Information or to opt out of the use of their Personal Information for Targeted Advertising or Cross-Context Behavioral Advertising, Company shall communicate such choice to Sabio through the submission of batch files at a cadence mutually agreed upon by the parties in writing (email sufficient) and using a transmission method mutually agreed upon by the parties in writing (email sufficient), or via such other method as is mutually agreed by the parties in writing (email sufficing) from time to time. For such impressions for which an opt out has been communicated to Sabio using the foregoing process(es), Company is considered to be the “Business” or “Controller” and Sabio is considered to be a “Service Provider” or “Processor” (or if applicable, Company is a “Service Provider” or “Processor” and Sabio is a “sub-service provider” or “Subprocessor”).
- Mutual Responsibilities.
Each party agrees that: (i) all of its personnel engaged in processing Personal Data are and will remain committed to confidentiality; (ii) it shall take industry appropriate technical and organizational measures designed to ensure the security of processing, which may include as appropriate: (a) encryption and pseudonymization; (b) ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services and to restore access to Personal Data in the event of an incident; and (c) processes for regularly testing and assessing the effectiveness of its security measures.
- Assistance and Cooperation.
The parties will make available to each other all information reasonably necessary as may be required to demonstrate compliance with Data Protection Laws, and may allow for and contribute to audits and inspections in this regard. Each party will process requests it has received from Data Subjects to exercise their rights. With respect to requests from, or on behalf of Data Subjects to the Processing of Personal Data that is shared between the parties, the parties will collaborate to honor such objections or opt-out requests.
- Restricted Transfers.
Where the Services involve the transfers of Personal Data out of the European Economic Area or the UK to a jurisdiction that is not the beneficiary of an adequacy decision under EU Data Protection Laws (“Transferred Personal Data”), both Parties agree that such transfers shall be governed as follows: (i) for Data Subjects located in the EEA, by the unchanged version of the standard contractual clauses in Commission Decision 2021/914/EU as can be found at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN (the “EU SCC”). Module 1 (Controller to Controller) therein shall apply. Clause 7 (Docking Clause), but not the option under Clause 11 (independent dispute resolution) of the EU SCC, shall apply; (ii) for Data Subjects located in the UK, by the EU SCC plus the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as can be found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (or as it may be amended or replaced) (the “UK Addendum”). The EU SCC and if applicable the UK Addendum shall be incorporated into this DPA by reference and form an integral part of this DPA. For the purposes of the descriptions in the EU SCC and only as between the Parties, Company agrees that it is a “data exporter” and Sabio is the “data importer”. The Annexes attached to this DPA provide the information required by Annexes I, II and III of the EU SCC and by the UK Addendum as set out in Annex I.B to this DPA.
The Parties may store and Process Transferred Personal Data in the United States of America, the United Kingdom and/or any other country in which either Party or any of its Processors maintains facilities so long as such Party and any of its Processors: (1) transfer such data via a valid legal mechanism such as the appropriate EU SCC and/or UK Addendum, or a UK International Data Transfer Agreement; and (2) provides at least the same level of protection to such Transferred Personal Data as is required by such mechanism to ensure an adequate level of protection for such Transferred Personal Data in accordance with the requirements of European Data Protection Laws. In the event of inconsistencies between the provisions of the EU SCC or UK Addendum and this DPA or other agreements between the Parties, then the terms of the EU SCC or UK Addendum as applicable shall prevail.
- Company Responsibility.
a. Compliance. Company represents and warrants that: (1) Company and each owner or operator of a Company Property with whom Company works (the “Publisher”) is a participant in the IAB TCF Framework, and that Company and Publisher will adhere to the rules and guidelines of the IAB TCF Framework; (2) Company and each Publisher has provided all required disclosures to Consumers and all required opt-out opportunities (including without limitation all “do not sell my Personal Information” and “do not share my Personal Information” options where applicable) and the ability to opt out of Targeted Advertising and Cross-Context Behavioral Advertising in accordance with and as required under applicable Data Protection Law. Company represents and warrants that, in any event, Company and each Publisher has obtained any legally required consent and/or the necessary lawful basis, and has provided all necessary disclosures and opt-out opportunities for the collection, use and disclosure of Personal Data to allow Sabio and its and their respective Affiliates and advertising partners to Process such Personal Data for Advertising Purposes.
b. Company represents and warrants that: (i) the Company Properties and Ad Inventory with respect to which any Services are utilized are not directed to children under 16 years old and that no portion of the Personal Data has been or will be collected in connection with any site, application, advertisement or other online service directed towards children under 16 years old, unless Company has otherwise agreed in writing with Sabio; and (ii) no Sensitive Information or special categories of Personal Data will be made available or passed to Sabio under the Agreement.
c. Company shall implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that Company is in compliance with Data Protection Laws with respect to Company making Personal Data accessible to, or providing it to, Sabio. Company shall, and shall cause each Publisher to, conspicuously post a link to and abide by, a privacy policy that complies with all Data Protection Laws, as well as with guidelines of any generally recognized industry self-regulatory organizations (including without limitation the Self-Regulatory Guidelines of the Digital Advertising Alliance and the European Digital Advertising Alliance), and that: (i) discloses its data collection, sharing, and use practices; (ii) discloses the use of third parties for ad serving activities and the use of technologies such as cookies and pixels; (iii) provides the ability to opt-out of interest-based advertising, Targeted Advertising, Cross-Context Behavioral Advertising and profiling; and (iv) provides, where required by Data Protection Laws, the ability to opt-out of Personal Data Sales or Sharing.
- Personal Data Breach; Subprocessors
a. Sabio shall provide Company written notice of any Personal Data Breach without undue delay. Such notice shall summarize in reasonable detail, to the extent known, the nature of the incident, number of Data Subjects affected, the number of Personal Data records involved, the likely consequences, and the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
b. Where Sabio acts as a Processor pursuant to Section 3(c), Sabio may engage one or more third parties to act as a sub-processor for the Personal Data; provided that if required under Data Protection Laws, Sabio first notifies Company and provides Company with the opportunity to object to the engagement, and provided in any event that: (i) Sabio remains responsible for its sub-processors’ compliance with this DPA, and (ii) the engagement is pursuant to a written contract that requires the sub-processor to meet the obligations of Sabio under this DPA with respect to Personal Data.
- US State Privacy Law Compliance.
a. The Parties acknowledge that in cases where Sabio acts as a Service Provider and/or a Processor under US Privacy Laws pursuant to Section 3(c) hereof: (i) it will not Sell or Share any such Personal Information, (ii) will not use, retain or disclose such Personal Information outside of the direct business relationship between Sabio and Company; (iii) Sabio acknowledges that the Personal Information is disclosed by Company only for limited and specified Restricted Purposes set forth in the Agreement; and (iv) it will comply with applicable obligations under US Privacy Laws and provide the same level of privacy protection as is required under same. Company hereby certifies that it understands the restrictions on Company’s processing of Personal Information hereunder and will comply with them. Sabio grants Company the right to take reasonable and appropriate steps to help to ensure that Sabio uses Personal Information in a manner consistent with the Company’s obligations under US Privacy Laws. Sabio shall notify Company if it makes a determination that it can no longer meet its obligations under US Privacy Laws. Sabio grants Company the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information Processed under the Agreement. In the event that Company notifies Sabio of any verified request by a Consumer to exercise its rights under US Privacy Laws, Sabio shall fulfil its obligations under Data Protection Laws with respect to same.
- Modifications to DPA; Entire Agreement.
a. Sabio may modify this DPA from time to time by posting the modified version on its website. Company is responsible for checking such page for updates periodically. Such modifications shall be binding upon being posted. This DPA supersedes all data protection agreements and addenda previously entered into by the parties with respect to its subject matter.
- Miscellaneous.
The liability of the parties under or in connection with this DPA will be subject to the exclusions and limitations of liability in the Agreement. If any provision or condition of this DPA is held or declared invalid, unlawful or unenforceable by a competent authority or court, then the remainder of this DPA shall remain valid. The provision or condition affected shall be construed to be amended in such a way that ensures its validity, lawfulness and enforceability while preserving the parties’ intentions, or if that is not possible, as if the invalid, unlawful or unenforceable part had never been contained in this DPA. This DPA shall be governed by and construed in accordance with the laws governing the Agreement, and any disputes shall be resolved by the courts agreed for resolution of disputes under the Agreement.
ANNEX I
A. LIST OF PARTIES
1. Data Exporter
Name: The Company set forth in the Agreement
Address: As set forth in the Agreement
Contact person’s name, address and contact details: As set forth in the Agreement
Activities relevant to the data transferred under these clauses: Making personal data available to enable provision of the Services
Role: Controller
2. Data Importer
Name: Sabio Inc.
Address: 16350 Ventura Blvd, Suite D827, Encino, CA 91436
Contact person’s name, address and contact details: Data Privacy and Data Protection Officer, dataprivacyofficer@sabio.inc.
Activities relevant to the data transferred under these clauses: Processing to enable digital advertisement inventory monetization services; providing advertising inventory availability data to Buyers, reporting on engagement and effectiveness of Ads, and optimizing and personalizing and/or allowing Buyers and partners to optimize and personalize data subjects’ advertising experience on advertising inventory, and the use of information for service improvement.
Role: Controller (except where an opt-out has been exercised and signaled to Company in accordance with the terms of the DPA, in which case Company’s role shall be that of a Processor)
B. DESCRIPTION OF TRANSFER / PROCESSING ACTIVITIES
Categories of data subjects whose Personal Data is transferred
(a) end users of websites, mobile websites, videos, channels, connected TVs, platforms and/or applications on which the Services are utilized;
(b) the Parties’ employees, contractors and representatives.
Categories of Personal Data transferred
(a) pseudonymous data collected through or in relation to the Services (e.g. IP addresses, device identifiers, cookie identifiers and/or mobile advertising identifiers). The above may be accompanied by other information about the data subjects whose Personal Data is being transferred, such as browser or device type and version, contextual metadata, time stamp, device operating system and platform, and country associated with the data subject;
(b) names and contact details.
Sensitive data transferred (if applicable)
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Nature of the processing
- As set out in the Agreement.
Purpose(s) of the data transfer and further processing
- The Parties will process the Personal Data as part of the Services in accordance with the Agreement.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period
- The later of 12 months from the date of collection, or for the Term of the Agreement (unless earlier deletion is required by the data exporter).
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
C. COMPETENT SUPERVISORY AUTHORITY
The Irish Data Protection Commissioner.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Each party will implement and maintain a comprehensive written information security program designed to protect Personal Data from unauthorized access, use, modification, disclosure or destruction. Without limiting the generality of the foregoing, as part of its information security program, each party will:
- limit access to Personal Data to the minimum number of its personnel who require such access in order to perform its obligations under the Agreement;
- provide appropriate training to its personnel who process Personal Data;
- use reputable services and/or tools to continuously monitor for malicious or unauthorized behavior; and
- encrypt Personal Data at rest and in transit.
ANNEX III
LIST OF SUB-PROCESSORS
Infrastructure/Cloud Storage: AWS
ANNEX I.B (UK Addendum)
UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
Part 1: Tables
Table 1: Parties
Start Date: As set out in the Agreement
The Parties: As set out in Annex I
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs: The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
Module: Module 1
Module in operation: YES
Clause 7 (Docking Clause): YES
Clause 11 (Option): NO
Clause 9a (Prior Authorisation or General Authorisation): n/a General Authorisation
Clause 9a (Time period): n/a 14 days
Is personal data received from the Importer combined with personal data collected by the Exporter?: YES
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex I Part A: List of Parties: ANNEX I
Annex I Part B: Description of Transfer: ANNEX I
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: ANNEX II
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes:
Which Parties may end this Addendum as set out in Section 19:
- Importer or Exporter
Part 2: Mandatory Clauses
Mandatory Clauses: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.