EU Data Processing Addendum
Last Updated: February 28, 2023
Intro
ExplorAds Ltd (“ExplorAds”, “we”, “our” or “us”) uses reasonable efforts to provide participating advertisers/Demand Side Platform (“DSP” or “Demand Partner”), or publishers/Supply side Platform (“SSP”) safe, transparent, and fair RTB platforms. Your use (“you” or “your”) of ExplorAds’s platforms (“Platform(s)”), is governed by your contract with ExplorAds, which requires compliance with this Addendum (hereinafter the “DPA”) as it may be updated by ExplorAds from time to time.
In case you are participating on the supply side (publisher/SSP), please refer to the “Publisher DP Addendum”; in case your participation refers to the demand side (advertiser/DSP), please refer to the “Demand Partner DP Addendum”.
ExplorAds may update this DPA at any time and without prior notice. All amendments will be posted to this website located at: ExplorAds (hereinafter the “Website” or “Site”) and will be effective when posted without any notice to you. By using our platform, you agree to any updated version of this DPA.
With respect to ensuring compliance with the foregoing, please note that ExplorAds reserves the right to suspend your participation and your use of the platform if it reasonably suspects or determines, in its sole discretion, that any of the rules of this ExplorAds EU DPA or any applicable laws have been violated.
Publisher DP Addendum
This Publisher DP Addendum (hereinafter the “DPA”) is entered into by and between ExplorAds Ltd, a Cypriot company located at 2 Filiou Zannetou St. 3021 Limassol Cyprus (hereinafter “ExplorAds”) and you (hereinafter the “Publisher” or “you”), and supplements and forms part of ExplorAds’s Publisher’s Master Services Agreement (hereinafter the “Agreement”) or other written or electronic agreement, between ExplorAds and Publisher/SSP (or any other supply side partner) to reflect the parties’ agreement regarding the processing of Personal Data (as defined below). This DPA is effective as of the date the ExplorAds Publisher’s Agreement entered into force (“Effective Date”).
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement.
IT IS AGREED:
1. Definitions
“Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;
“Processor” means a natural or legal person, public authority, agency or other body which processes the Personal Data on behalf of the Controller;
“Sub-processor” means any person appointed by or on behalf of ExplorAds to process the Personal Data on behalf of ExplorAds in connection with the Agreement;
“CPRA” means the California Privacy Rights Act of 2020, Cal. Civ. Code §§ 1798.100 et seq.;
“Government Authority Request” means any subpoena, warrant or other judicial, regulatory, governmental or administrative order, proceeding, demand or request (whether formal or informal) by a government or quasi-governmental or other regulatory authority (including law enforcement or intelligence agencies) seeking or requiring access to or disclosure of Personal Data.
“Demand Partners” means Explorads’ media buying clients, including but not limited to advertisers, demand side platforms, DSP, ad exchanges, agencies and ad networks;
“Applicable Privacy Law” means as applicable to a party in its Processing of Data: (i) Regulation 2016/679 (the European General Data Protection Regulation) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC) (“e-Privacy Directive”); (iii) all national implementations of (i) and (ii); (iv) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts the GDPR and e-Privacy Directive in domestic law or that relates to data and privacy and is enacted as a consequence of the United Kingdom leaving the European Union; CPRA; any applicable data protection laws; in each case, as may be amended, superseded or replaced from time to time;
“European Economic Area” means, for the purposes of this DPA, the European Union (EU), the United Kingdom, Iceland, Liechtenstein, Norway and Switzerland;
“Industry Rules” means the Transparency and Consent Framework developed by the IAB Europe, its policies, its global vendor list and specifications and/or any other mutually agreed upon industry protocols;
“Personal Data” means any information which is related to an identified or identifiable natural person to the extent that such information is protected as “personal data” under applicable European Data Protection Law, CPRA and any applicable data protection laws;
“Privacy Requirements” means: (i) European Data Protection Law, as applicable to Publisher, ExplorAds, its Demand Partners, and their respective processing of Data under this DPA; and (ii) any applicable self-regulatory codes, rules or guidelines, including without limitation, the IAB Transparency and Consent Framework (TCF) (in each case, as amended, superseded or replaced);
“Publisher Assets” means the websites, applications and/or other digital media properties owned or operated by the Publisher and accessible through the ExplorAds Platforms or via which the Personal Data is used in connection with the Services;
“ExplorAds Services” means ExplorAds RTB platform services;
“ExplorAds Privacy Policy” means the privacy policy available at: ExplorAds (as updated or amended from time to time);
“Standard Contractual Clauses” means: the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council;
“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other Party’s Personal Data will comprise a Security Incident.
The terms “Commission”, “Member State”, “Personal Data Breach”, “Supervisory Authority”, “Data subject”, “personal data”, “processing” (and “process”) and “special categories of personal data” and any other terms not stated herein shall have the meanings given to them in the Applicable Privacy Law.
2. Scope of processing
The parties agree that, unless otherwise agreed between the parties in connection with the Services, ExplorAds may receive from Publisher data (including Personal Data) about or related to end-users of the Publisher Assets as more particularly described in Annex B of this DPA. The parties agree that ExplorAds (and its Demand Partners) may process the Personal Data for the purposes contemplated by the Agreement and this DPA.
The parties also agree that at the moment of the registration and/or signing of the Agreement Publisher may provide data (including Personal Data) about or related to its own personnel as more particularly described in Annex B of this DPA.
3. Relationship of the parties
(a) Publisher agrees that it shall, and shall ensure that its affiliates, agents, vendors, processors, sub-processors, buyers, partners, customers, clients, or any other third party using ExplorAds Services (hereinafter the “Publisher’s Third Parties”), functioning as the Controller of the Personal Data, process and collect the Personal Data solely under lawful grounds or under the purposes expressly permitted under the Agreement and in a manner that complies with this DPA, the Applicable Privacy Laws, and the Agreement.
(b) The parties acknowledge that Publisher is a controller of the Personal Data and that ExplorAds will process as the processor, and strictly for the designated Purposes as provided in Annex B (the “Purposes”). In no event will the parties process the Personal Data jointly as joint controllers.
(c) Compliance with law: Each party shall be individually and separately responsible for complying with the obligations that apply to it under Applicable Privacy Law as per the designated roles. Without limitation to the foregoing, each party shall maintain a publicly accessible and updated privacy policy on its website that satisfies the requirements of Applicable Privacy Law.
(d) Consent Signals: Publisher shall and shall ensure that the Publisher’s Third Parties provide all “consent”, “no consent” and “opt-out” signals to ExplorAds (or any of its clients or other sub-processors enabled by ExplorAds through the ExplorAds Services) in compliance with Applicable Privacy Laws.
(e) Deletion: Publisher will not permit any third party, to retain the Personal Data for longer than the period during which Publisher has a lawful basis to retain the Data for the designated Purposes and in compliance with the Applicable Privacy Law.
4. Legal Base and Requesting Consent
Publisher hereby expressly agrees that both ExplorAds and any of its Demand Partners (e.g., advertisers) do not have a direct relationship with any data subject visiting the Publisher Properties or viewing ads delivered to the Publisher Assets through the ExplorAds Platform.
Thus, in each case where consent is the lawful basis for processing the Personal Data pursuant to the Privacy Requirements, Publisher agrees that it shall be responsible for obtaining all necessary consents from the relevant data subjects on behalf of applicable Demand Partners (acting as the Data Controller) to lawfully permit ExplorAds and all applicable Demand Partners to collect, process and share Data via the Platform for lawful Purposes and in connection with the Agreement and this DPA. Publisher represents and warrants that it shall, at all times, maintain and make operational on Publisher Assets a mechanism for obtaining and recording such consent and that enables such consent to be withdrawn in accordance with applicable legal requirements.
The parties hereby agree that for the purposes of the processing of the Publisher’s Personnel Data, the legal basis will be the Agreement between the parties, as well as ExplorAds’ legal interests.
5. Notice Requirements
Publisher agrees that it is responsible for ensuring that all data subjects (and end-users) are appropriately notified about the data collection and use practices on the Publisher Assets through the Services. Publisher represents and warrants that it shall prominently post, maintain and comply with a publicly available privacy notice regarding all Publisher Assets from which the Data is collected that satisfies the requirements of the Privacy Requirements and this DPA and Applicable Privacy Law. The notice shall at a minimum include the following information:
(i) a clarification that Personal Data may be collected for advertising purposes concerning the Services;
(ii) a description of the Personal Data categories collected by Publisher and/or its affiliates and the purposes of processing thereof, including for delivering ads across the Publisher Assets over time;
(iv) the Publisher’s details;
(v) a visible link to or description of how to access a relevant choice mechanism; and/or
(vi) all other information required to comply with Privacy Requirements and Applicable Privacy Law, including any tracking tools applied by Publisher.
6. Prohibited Data Sharing
The Publisher shall not use ExplorAds Services to publish or launch any content that is intended for or likely to be accessed by children under Applicable Privacy Law in the country where the child resides. Before launching any Publisher Assets on the ExplorAds Services, the Publisher must either flag the content within the ExplorAds Services or notify ExplorAds in writing. In addition, the Publisher must provide any Personal Data of children to ExplorAds or its demand partners in accordance with Applicable Privacy Law.
7. Non-compliance
If the Publisher is unable to fulfill its obligations related to obtaining consent and providing notice with respect to Personal Data (as outlined in the Agreement, including this DPA), the Publisher must immediately inform ExplorAds in writing.
8. Data Subject Rights
If ExplorAds receives a request from a Data Subject to exercise its right to be informed, right of access, right to rectification, erasure, restriction of Processing, data portability, right to object, or its right not to be subject to a decision solely based on automated processing, including profiling (“Data Subject Access Request”), ExplorAds shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Publisher. Considering the nature of the Processing, ExplorAds shall use commercially reasonable efforts to assist Publisher by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Publisher’s obligation to respond to a Data Subject Request under Applicable Privacy Law. To the extent legally permitted, Publisher shall be responsible for any costs arising from ExplorAds’s provision of such assistance.
If ExplorAds receives other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data (hereinafter the “Correspondence”), it shall promptly inform Publisher if it receives any Correspondence directly from a data subject in relation to the Personal Data.
Subject to obligations of confidentiality and policies on disclosure of information, where a party has a concern that the other party has not complied with this DPA, the parties agree to share information in order to ascertain the cause of such non-compliance and take reasonable steps to correct. Publisher shall not disclose to any third parties any of such Correspondence without ExplorAds’ advanced written approval.
9. Sub-Processors
ExplorAds’s current list of Sub-processors is included in Annex D (“Sub-processor List”) and is hereby approved by the Publisher.
Where ExplorAds engages a Sub-processor for carrying out specific Processing activities, the same or materially similar data protection obligations as set out in this DPA will be imposed on such new Sub-processor by way of a contract, or other undertaking.
10. Personal Data Breach and Security Incident
The Publisher must promptly inform ExplorAds if it or any of its subprocessors become aware of a Personal Data Breach or a Security Incident affecting Personal Data and provide sufficient information to allow ExplorAds to notify its subprocessors and demand partners. Such notification shall as a minimum:
(i) describe the nature of the Personal Data Breach, numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
(ii) communicate the name and contact details of the Publisher’s data protection functionary or other relevant contact from whom more information may be obtained;
Publisher shall co-operate with ExplorAds and take such reasonable commercial steps as are directed by ExplorAds to assist in the investigation, mitigation and remediation of each such Security Incident and/ or Personal Data Breach and shall not disclose any information to other third parties, unless required by Applicable Privacy Law. The Publisher must also inform affected data subjects of the data breach to the extent required under Applicable Privacy laws.
11. Standard Contractual Clauses
For the purposes of the SCCs the parties agree:
(i) ExplorAds shall be deemed the “data importer” and Publisher shall be deemed the “data exporter”; (ii) Module 2 (Transfer controller to processor) will apply to the processing of the data submitted based on the Agreement (Annex A); (iii) in Clause 7, the optional docking clause will apply; (iv) in Clause 17, the SCCs will be governed by laws of Cyprus; (v) in Clause 18(b), disputes shall be resolved by the applicable courts located in Cyprus; (vi) Annex A to this DPA shall replace Annex I of the SCCs; and (vii) Annex B to this DPA shall replace Annex II of the SCCs. It is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs (as applicable). Accordingly, if and to the extent the SCCs conflict with any provision of the Agreement, including this DPA, the SCCs (as applicable) shall prevail to the extent of such conflict (see Annex E).
12. California region
The following additional terms shall apply with respect to data subjects who are California residents:
For the purpose of this section, the definitions of: “Controller” includes “Business”; “Processor” includes “Service Provider”, or “Contractor” or “Third Party”; “Sub-Processor” includes “Sub-Provider”; “Data Subject” includes “Consumer”; “Personal Data” includes “Personal Information”; “Purpose” includes “Business Purpose”; in each case as defined under CPRA.
- For this “California” section shall include processing Customer Data for the purposes described in this DPA and in accordance with the applicable Controller’s documented lawful instructions as (a) set forth in this DPA, and (b) as necessary to comply with applicable Data Protection Law, (c) as otherwise agreed in writing, or (d) as otherwise may be permitted for “Service Providers” as defined under the CPRA.
- Notwithstanding any use restriction contained elsewhere in this DPA, Company shall process Personal Data only to perform the Services, for the Permitted Purposes and/or in accordance with Customer’s documented lawful instructions, except where otherwise required by applicable law. Company may de-identify or aggregate Consumer Data as part of performing the Services specified in this DPA and the Agreement.
- Each party shall disclose any sale and/or share of personal information by request according to the CPRA requirements and enable an opt-out mechanism by demand.
13. Inspection and Audit Rights.
Publisher shall reasonably make available to ExplorAds or any qualified auditor mandated by Company, upon ExplorAds’s request, all available material and information necessary to enable ExplorAds to confirm compliance with this DPA, and shall allow for audits, including inspections, by the Company or an auditor on its behalf in relation to the processing of the Company Personal Data by the ExplorAds. Publisher shall not unreasonably restrict access to its premises and systems in a manner that obstructs the performance of the audit.
The audit shall be conducted following reasonable prior notice, at Publisher’s business hours; except if the audit is requested immediately following a Personal Data Breach or other security incident. Vendor shall promptly rectify any findings in such audits.
Publisher is responsible for periodically auditing its Subprocessors and shall share the findings with Company. To the extent Publisher is itself certified or receives any report or certification relating to data security and privacy of a Subprocessor, such as ISO 27001 or similar certifications, Publisher shall share the report or certification with ExplorAds.
14. Government Authority Requests.
Where Publisher receives a Government Authority Request concerning Personal Data subject to this DPA, Publisher shall: (i) To the fullest extent permitted by law, without undue delay notify ExplorAds, in writing of such Government Authority Request so that ExplorAds may contest or seek to narrow such disclosure or seek a protective order or other appropriate remedy; (ii) reasonably cooperate with and take all reasonable steps to assist ExplorAds to contest or seek to narrow such Government Authority Request, obtain a protective order or seek another remedy; (iii) Where any attempt to contest, or to seek to narrow such Government Authority Request, or obtain a protective order or seek another remedy is not successful so that some or all of the Personal Data is required to be disclosed, Publisher shall take reasonable steps to furnish only the minimum amount of the Personal Data legally required to be disclosed; (iv) Publisher shall maintain a written record of all Government Authority Requests and provide a copy to ExplorAds, upon request.
15. Contact
The Publisher shall provide ExplorAds with the contact information of an authorized representative who can respond to inquiries about the data. The Publisher agrees to address any such inquiries promptly. The authorized representative at ExplorAds, who can be contacted for inquiries about the data, can be reached at: privacy@explorads.media.
16. Changes in Law
If any changes to Privacy Requirements or Applicable Privacy Law would require material changes to the ExplorAds Services, the way the ExplorAds Services are provided or used, or the terms and conditions of this DPA, either party may request such changes by giving at least 30 days’ written notice (email is sufficient) and discussing the changes in good faith. If the requested changes would cause material harm to any party or significantly alter their use of the ExplorAds Services, the affected party may terminate the Agreement for the affected ExplorAds Services without liability by providing written notice.
17. Security
The parties hereby covenant and guarantee to implement appropriate technical and organizational measures to protect the Data in their possession or control (i) from accidental or unlawful destruction, and (ii) loss, alteration, non-authorized disclosure or access to the Data.
18. General
(a) Subcontracting: Publisher may appoint third parties to process Data for the purposes expressly permitted under this DPA, provided that such third parties: (a) agree in writing to process Data in accordance with Publisher’s documented instructions; (b) implement appropriate technical and organizational measures that are at least as protective as those described in Annex C (where applicable) to protect the Data against a Security Incident; and (c) otherwise provide sufficient guarantees that they will process the Data in a manner that will meet the requirements of Applicable Privacy Law and this DPA.
(b) Security: Publisher shall implement appropriate technical and organizational measures that are at least as protective as those described in Annex C (where applicable) to protect the Personal Data from Security Incidents (“Security Measures”). Such Security Measures shall at a minimum comply with the requirements of Applicable Privacy Laws. In the event that Publisher suffers a Security Incident, it shall notify ExplorAds without undue delay and both parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
(c) International transfers: Where GDPR or any other data protection laws in the European Economic Area applies to the Personal Data, Publisher shall not process any such Personal Data (nor permit any Personal Data to be processed) in a territory outside of European Economic Area (whether directly or via onward transfer) unless it has taken such measures as are necessary to ensure the transfer is in compliance with the GDPR or other European Data Protection Law (including such measures as may be communicated by ExplorAds to Publisher from time to time) and this DPA.
(d) Cooperation and data subject rights: In the event that either party receives (i) any request from a data subject to exercise any of its rights under Applicable Privacy Law (including its rights of access, correction, objection, deletion and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Personal Data, then, where such application relates to processing conducted by the other party, it shall promptly inform the other party and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfil their respective obligations under Applicable Privacy Law.
(e) Change in Law: Notwithstanding anything to the contrary in the Agreement or this DPA, in the event of a change in Applicable Privacy Law or a determination or order from a supervisory authority or competent court affecting this DPA or any processing activities under this DPA, ExplorAds may, in its sole discretion, amend this DPA as reasonably necessary to ensure continued compliance with Applicable Privacy Law or compliance with any such orders.
(f) Survival: This DPA shall survive termination or expiry of the Agreement. Upon termination or expiry of the Agreement, Publisher may continue to process the Data provided that such processing complies with the requirements of this DPA and Applicable Privacy Law.
(g) Miscellaneous: This DPA shall be governed by and construed in all respects in accordance with the governing law and jurisdiction provisions set out in the Agreement, unless required otherwise by Applicable Privacy Laws. With effect from the effective date of the Agreement, this DPA shall be deemed a part of and incorporated into the Agreement. Except for the changes made by this DPA, the Agreement shall remain unchanged and in full force and effect. In the event of any conflict or inconsistency between this DPA and any other term or terms of the Agreement, this DPA shall prevail in respect of the subject matter.
Annex A
List of parties
Processor / Data Importer
| Name: | ExplorAds LTD |
| Address: | 2 Filiou Zannetou St. 3021 Limassol Cyprus |
| Contact person’s name, email, and position: | Eran Cohen, DPO, privacy@explorads.media |
| Activities relevant to personal data transfers: | See Annex B |
| Signature and date: | See Agreement |
| Role: | Processor |
Controller / Data Exporter
| Name: | See Agreement |
| Address: | See Agreement |
| Contact person’s name, email, and position: | Annex B |
| Activities relevant to personal data transfers: | See Agreement |
| Signature and date: | See Agreement |
| Role: | Controller |
Annex B
Description of transfer
Defined terms are as set out in the Publisher Agreement agreed between the parties.
Categories of Data Subjects whose Personal Data is transferred:
- End users of the Publisher Assets or end users viewing ads delivered to the Publisher Assets;
- Publisher Personnel;
Categories of Personal Data transferred:
End users:
- Identifiers: Identifier for Advertising (IFA); User ID; Buyer ID; Device ID, IP address, User Agent
- Demographic information: location, year of birth, gender
Publisher Personnel:
- Contact details (first name, last name, email, country (region), address, telephone)
- Bank details
Recipients:
Sub-processors (vendors), supervisory authority
Sensitive data transferred (if applicable):
None.
Frequency of the transfer:
End Users – Continuous
Publisher Personnel – Only at the moment of registration and when required to update the information.
Nature of the Processing: The provision of the Services.
Purpose(s) of the data transfer and further processing:
End Users: For the designated Purposes (as defined in this Agreement)
Publisher Personnel: For business relationship and account management purposes.
Period for which Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal Data will be retained in accordance with ExplorAds Privacy Policy
Contact points for data protection enquiries:
Data Importer: See Annex A
Data Exporter: See Annex A
Competent Supervisory Authority
The competent supervisory authority, in accordance with Clause 13 of the EU SCCs will be, for Data protected by the EU GDPR, the EU supervisory authority determined to be appropriate in the event that a relevant situation arises, and for Data protected by the Cypriot DPA, Commissioner for personal data protection.
Annex C
Technical and organizational security measures
EXPLANATORY NOTE: The technical and organizational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
| Type of measure | Terms |
| Measures for ensuring confidentiality | ExplorAds has implemented measures to ensure the integrity, availability and security of personal information, including vulnerability scans. Aggregated data is being stored; access is available to authorized personnel only, using proper identification methods. |
| Measures for ensuring ongoing availability and adaptability of services | ExplorAds maintains personal data availability through a variety of technical, physical, and administrative measures. DB access and availability are monitored using different monitoring methods, and any problem with accessing data, if it occurs, will be handled by the designated team. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Further measures include regular backups and disaster recovery plans |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | At least once a year, security measures relevant to the processing of personal data are reviewed and tested for alignment with industry good practices |
| Measures for user identification and authorisation | ExplorAds has in place procedures that comply with applicable law to authenticate requests from data subjects who have submitted rights requests. ExplorAds has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized personnel with a “need to know”. |
| Measures for the protection of Data during storage | ExplorAds does not process any sensitive personal information; personal data processing is limited in scope and cannot be directly identified with a natural person by ExplorAds. Data is only stored for as long as necessary for legitimate business purposes. |
| Measures for ensuring physical security of locations at which personal data are processed | Facilities involved in the processing of data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, firewalls and anti-malware. Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required in order to deliver services under the Principal Agreement. ExplorAds provides personnel who access personal data with appropriate information security and data protection training. |
Annex D Sub-processors List
| Entity Name | Sub-Processing Activities | Entity Country |
| AdKernel | Process of data | US |
| Amazon Web Services (AWS) | data center services | US |
| MySQL | Database services | DE |
| MongoDB | Database services | DE |
| DynamoDB | Database services | DE |
Annex E
Standard Contractual Clauses
1. Preamble: According to the GDPR, Standard Contractual Clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU or the EEA to Third Countries. This includes model contract clauses, so-called Standard Contractual Clauses (SCC) that have been pre-approved by the European Commission.
On 4 June 2021, the European Commission issued modernized Standard Contractual Clauses under the GDPR for Data Transfers from Controllers or Processors in the EU/EEA (or otherwise subject to the GDPR) to Controllers or Processors established outside the EU/EEA (and not subject to the GDPR).
These modernized SCCs will replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46, and are available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en.
2. The Parties herein agree to be bound by Standard Contractual Clauses (SCC)
- MODULE TWO: Transfer Controller to Processor
When applicable, Client shall ensure to have an approved and completed SCC in place with authorized Sub-Processors, as per Module 2 – transfers Processor to Controller.
The parties shall complete, attach and sign the applicable Module of the SCC.
