Publishers Terms & Conditions

TAPTICA PUBLISHERS TERMS & CONDITIONS

The following terms and conditions shall govern the placement and delivery of advertising as set forth in any insertion orders or service agreements (“IO”) executed by and between Nexxen International Ltd. or Taptica Inc. as applicable (hereafter: “Taptica”) and Publisher, each a “Party” and together the “Parties”.

  1. Services. Taptica will enable the provision of commercial advertisement ads on Publisher’s Site(s) and properties (as defined below) through the use of the Taptica platform (the “Services”). Publisher may implement the Services only on such approved Publisher’s properties as set forth in a given IO (the “Site(s)”) and in accordance with the instructions agreed to by the Parties hereto. Any change or amendment to the list of Site(s) must be done in writing and approved in advance by Taptica. Publisher shall be responsible and solely liable for all actions of its partners and affiliates, including without limiting to, compliance with the terms of this Agreement and any IO.
  2. Consideration. (i) In return for the Services, Taptica shall retain a percentage of the Net Revenues (as defined below) derived from the Services, as set forth in the IO. “Net Revenue” means the revenue actually received from advertisers in relation to Qualified Transactions as part of the Services, less any taxes that Taptica is required to pay or collect in relation to the supply of Services, any credit card processing fees, bad debt and charge-backs, commissions or discounts allowed or paid to advertising agencies, refunds to advertisers and third-Party partners and other payments to third parties if applicable. Taptica will pay Publisher in accordance with the revenue statement forty-five (45) business days following the end of the calendar month for which payment is due. (ii) It is hereby clarified that non-qualified transactions are not payable. Taptica may, at its discretion, discount, credit back or accrue a credit against revenue shares already provided to the Publisher for transactions which were deemed to be non-Qualified Transactions following payment. To the extent that inventory is determined by Taptica to be a result of non-qualified transactions, then, in addition to any other remedy available to Taptica, Publisher agrees that invalid impressions and actions shall not be payable by Taptica. Any and all payments previously made by Taptica to Publisher on account of Publisher Sites which are subsequently deemed to include non-qualified transactions shall be promptly refunded to Taptica. Taptica shall have the right to off-set any amounts owed to it pursuant to this paragraph against any amounts owing to Publisher under this Agreement. 
A “Qualified Transaction” means a transaction that occurs when a bona fide Internet user views or fulfills some kind of actions (as agreed between the Parties) in relation to the ad that appears in the Site(s). Without limiting the above, it is hereby clarified that transactions due to injection traffic, bot traffic or automatic injections by toolbars shall not be considered Qualified Transactions. (iii) All payments due are exclusive of taxes, duties, levies, tariffs, and other governmental charges (including without limitation VAT) (collectively, “Taxes”). Publisher will be responsible for payment of all Taxes and any related interest and penalties resulting from any payments made hereunder.
  3. Reporting. Calculation of all payments made hereunder to Publisher will be made based solely on Taptica’s reporting system and statistics, or the Advertiser’s reporting system and statistics, where applicable. Taptica will provide Publisher with access to its reporting interface that will enable Publisher to view an estimate of any amounts owed to it under the IO.
  4. Representations and Warranties. Publisher represents and warrants that (a) any and all information provided to Taptica is correct, complete and current; (b) Publisher is the owner of each Site or it is legally authorized to act on behalf of the owner of such Site(s) for the purposes of this Agreement and IO and Publisher has secured all necessary licenses, consents and authorizations for operation of the Services; (c) Publisher has all necessary right, power and authority to enter into this Agreement and IO and to perform the acts required hereunder and the Publisher’s performance under this Agreement and IO shall at all times comply with all applicable laws, rules and regulations, including without limitation, privacy laws, data protection laws and regulations (including Applicable Data Protection Law, as defined in Appendix I, Data Protection Addendum), propriety laws, intellectual property laws; and (d) it shall put in place and maintain on the Site(s) a clearly labeled and easily accessible privacy policy that provides users with clear and comprehensive information and which complies with all applicable laws and regulations regarding data protection and the privacy of the users’ personal information (including Applicable Data Protection Laws), and which clearly explains to users its policies and procedures regarding the collection, processing and use of personal data; and (e) it has obtained and will continue to obtain all necessary approvals and consent (in accordance with applicable law including Applicable Data Protection Law) in relation to any Personal Data Controlled by the Publisher and Processed (each as defined in Appendix I) by Taptica.
Publisher further represents and warrants that the Site(s) and any material displayed therein: (i) complies with all applicable laws, statutes, ordinances and regulations and do not contain or promote links to any website(s) or app(s) that contains defamatory, abusive, violent, sexually explicit, inappropriate or illegal content; (ii) does not breach and has not breached any duty or rights of any third party or entity including, without limitation, rights of intellectual property, publicity or privacy, or rights or duties under consumer protection, product liability, tort, or contract theories; (iii) does not include content that is pornographic, illegal, racist, libelous, defamatory, contrary to public policy or otherwise inappropriate or unlawful or content that contains viruses or similar programs that might harm data or computer systems, hate speech, “spam”, malicious code, adware, spyware or drive-by download applications, racism, mail fraud, pyramid schemes or investment opportunities or advice not permitted by law; (iv) do not and will not interact with end users’ browsers in any manner including without limitation by the installation or offering of any toolbars or toolbar applications, advertising texts, coupons, intext, ad injections, search enhancement and data exchange modules or price comparison applications; and (v) do not and will not engage in any fraudulent activity, including without limitation fictitious downloads or installations, automated and/or fraudulent clicks, malware; or violating any applicable law prohibiting “spam” or other electronic messages. Taptica makes no guarantee regarding the level of impressions of, actions or views on any ad, the timing of delivery of such impressions, actions and/or views and the revenue for the Publisher. Publisher shall comply with the Code of Conduct available at https://nexxen.com/partner-code-of-conduct/.
  5. Confidentiality. Publisher agrees to keep confidential the terms herein, the terms of the IO and any and all numbers, statistics and information with respect to the Services. Publisher agrees to keep all and any non-public information which is given by Taptica confidential, unless otherwise approved in writing by Taptica. Taptica may disclose the terms of the IO to third party processors on its behalf and to its advisors as necessary.
  6. Term and Termination/Pause/Optimization Notifications. This Agreement shall be in full force and effect for a period of one (1) year beginning on the Effective Date of the IO and shall automatically renew for successive one (1) year terms, provided that, Taptica may from time to time, send Publisher a Termination/Pause/Optimization Notification (any and all, the “Notification”) requiring Publisher to stop and/or pause traffic sent to Taptica as detailed in such Notification. Publisher must adhere to the Notification, immediately and no later than 24 hours after Publisher receives such Notification whereby failure to do so will: (i) constitute a material breach of the IO, allowing Taptica to immediately cancel any and all IOs with Publisher (“Notification Cancellation Right”) and; (ii) release Taptica from any and all payment obligations pursuant to any and all existing IOs with Publisher.
  7. Publicity. Publisher agrees that Taptica may use Publisher’s name and logo in presentations, marketing materials, financial reports and listings.  Publisher must seek Taptica’s written consent prior to using Taptica’s name and/or logo for any purpose.
  8. Indemnification. Publisher agrees to defend, indemnify and hold harmless Taptica and each of its affiliates and their respective directors, officers, shareholders, employees, agents and representatives from and against any and all damages, injuries, costs, losses, liabilities and expenses (including court costs and reasonable attorneys’ fees) in relation to any proceeding, legal action, arbitration or other claim, whether or not involving third party’s claim, in relation to (i) alleged breach of Publisher’s representations, warranties and obligations made hereunder, or (ii) Publisher’s collection or use of any data or failure to collect and pass any consents or opt-outs, as required under applicable law, in connection with this Agreement or any IO; or (ii) the Site(s), the content of the Sites and the use by Taptica and its advertising partners and affiliates of the Sites or Publisher’s services and materials (iii) any claim related to the modified or amended ads or materials or based on an assertion that the Publisher, the Sites or the content linked therewith, infringe any right of a third party, including without limited to, intellectual property right.
  9. No Warranty; Limitation of Liability. Taptica’s services are made available to publisher on an “as is” basis and without any warranty or representation, whether expressed or implied, of any kind including, but not limited to, warranties of merchantable quality, satisfactory quality, fitness for a particular purpose, noninfringement, or those arising by law, statute, usage of trade, or course of dealing. Taptica does not warrant or guarantee that the service or the operation thereof will be uninterrupted or will meet publisher’s needs. Publisher understands and agrees that the Services and actions in relation thereto are being affected by automated means and third parties, and Taptica is not responsible for, nor does it give any warranty or representation as to the outcome of such process. Taptica will not be liable for any consequential, incidental, indirect, punitive, special or other similar damages and any loss of profits, loss of revenues, loss of savings, loss of clientele, loss of use or loss or corruption of data, whether under tort, contract or other theories of recovery, even if Taptica should have been aware or advised of the possibility of such damages.
    In no event will Taptica’s liability arising out of this agreement from any cause of action whatsoever exceed the aggregate amounts actually paid under this agreement to Publisher during the three (3) months prior to the date the cause of action arose. Taptica is not responsible for any web sites, application(s) or material that can be linked to or from the ads or for the results of any act or omission of any advertiser or any other provider of or for Taptica.
  10. Data Protection:  Publisher shall ensure that its use of Taptica’s Services is compliant with all applicable Privacy Laws and the data protection terms regarding the processing of Personal Data, set forth in Appendix 1, as may be updated by Taptica from time to time and incorporated into the Agreement.
  11. Miscellaneous. This Agreement will be governed and construed in accordance with the laws of a) the State of Israel if your IO is with Nexxen International or b) the State of California if your IO is with Taptica Inc., without giving effect to conflict of laws principles. Any dispute or claim arising out of or in connection with an IO or these terms shall be adjudicated in a) Tel-Aviv-Jaffe for Nexxen International, or b) San Francisco, California for Taptica Inc. Neither Party may assign or transfer its rights under this Agreement without the prior written consent of the other Party; provided that such consent is not required in the case of merger, acquisition or sale of all, or substantially all, of the assigning Party’s assets, stock or business. The Parties hereto are independent contractors and this Agreement does not create an agency, joint venture or partnership. Any notice permitted or required by this Agreement will be in writing and transmitted by e-mail to the receiving Party at the address provided. Any such notice will be deemed to have been received on the same business day if sent during normal business hours of the recipient, and if not sent during normal business hours, then on the recipient’s next business day. The waiver by either Party of any default or breach of this Agreement will not constitute a waiver of any other or subsequent default or breach. Any provision of this Agreement which is prohibited or unenforceable in any jurisdiction shall be ineffective only to the minimum extent necessary without invalidating the remaining provisions of this Agreement or affecting the validity or enforceability of such provisions in any other jurisdiction. Neither Party will be liable to the other for any delay or failure to perform any obligation under this Agreement if the delay or failure is due to circumstances beyond the reasonable control of the non-performing Party.
This Agreement, including all applicable Attachments and addendums hereto, constitutes the entire agreement between the Parties concerning the Services and related Confidential Information. It supersedes, and its terms govern, all prior proposals, agreements, or other communications between the Parties, oral or written, regarding such subject matter. Taptica reserves the right to modify, from time to time and in its sole discretion, any of the terms of this Agreement and Publisher waives the right to receive notifications for changes. In the event that Publisher continues the use of the services, it shall be deemed as acceptance by Publisher of the modifications or changes. If Publisher does not agree to the modifications or changes, Publisher shall provide Taptica with written notification and stop using the services. No online click-through or online terms and conditions or policies shall be deemed to have modified this Agreement and the terms herein or any applicable IO signed in relation thereto, notwithstanding any requirement to technically click on or accept any such terms.

Appendix I 

TAPTICA DATA PROCESSING ADDENDUM (FOR PUBLISHERS)

This Taptica Data Processing Addendum (hereafter the “DPA”) supplements and is incorporated into the Taptica Publishers Terms & Conditions.

This DPA describes the protection and security obligations of the Parties with respect to any Processing of Personal Data carried out in connection with the Agreement in accordance with the requirements of Data Protection Laws.

  1. Definitions

Definitions set out below shall apply to this DPA. 

“Consent” means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. The term “Controller” shall also mean “Business” under the CCPA and CPRA.
“Data Breach” means “breach of the security of the system,” “security breach,” “breach of security,” “breach of system security,” and other analogous terms.
“Data Protection Laws” means, to the extent applicable in the relevant jurisdiction(s) for the Services, (a) the GDPR as defined herein and any regulations promulgated thereunder, (b) the UK Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), (c) the Swiss Federal Act on Data Protection of 2020, (d) “State Privacy Laws” as defined herein and (j) all legally binding requirements issued by the competent data protection authorities governing the processing and security of information relating to individuals and providing rules for the protection of such individuals’ rights and freedoms with regard to the processing of data relating to them, specifying rules for the protection of privacy in relation to data processing and electronic communications, or enacting rights for individuals which are enforceable towards organizations with respect to the processing of their personal data, including rights of access, rectification and erasure.
“Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier (e.g., a name, an online identification number such as a cookie or browser ID, IP address or a device ID, or location data) or to one or more factors specific to that natural person. For the purpose of this DPA, “Data Subject” refers to the natural persons whose Personal Data is processed as part of the provision of the relevant Taptica Services.
“GDPR” means the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Joint Controller” means a Controller acting jointly with one or several others.
“Personal Data” means any information identifying, relating to, describing, or is capable of being associated with, or can reasonably be linked with, an identified or identifiable natural person or household Processed in connection with the provision of the relevant Taptica Services.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Services” or “Taptica Services” means the platform and related services made available by Taptica and its affiliates to deliver contextual advertising to and across browsers and other personal and household devices, detect and fill advertising inventory made available by Publisher, and provide ancillary features, functions, data and reporting to enable, improve, operate (or otherwise related to) the same.
“State Privacy Laws” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., (“CCPA”), together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 (collectively, “CPRA”) and any regulations promulgated thereunder; the Virginia Consumer Data Protection Act of 2021, Va. Code Ann. § 59.1-571 to -581; the Colorado Privacy Act of 2021, Co. Rev. Stat. § 6-1-1301 et seq.; Connecticut Act Concerning Personal Data Privacy and Online Monitoring of 2022, Public Act No. 22-15; the Utah Consumer Privacy Act of 2022, Utah Code Ann. § 13-61-101 et seq.; all state privacy laws that draw a distinction between a data “Controller” and a data “Processor”, in each case as amended, and including any regulations promulgated thereunder.

“Business,” “Business Purpose,” “Commercial Purpose,” “Consumer,” “Contextual Advertising,” “Deidentified,” “De-identified Data,” “Personal Information,” “Processor,” “Sale,” “Sell,” “Service Provider,” “Share,” and “Third Party” shall have the meanings ascribed to them in the relevant Data Protection Laws. “Controller” shall also mean “Business” and “Data Subject” shall mean “Consumer” under State Privacy Laws.

2. Authorizations. A Party shall not disclose Personal Data to the other Party, except where the disclosing Party warrants to the other Party that this disclosure is compliant with Data Protection Law and that it has complied with any applicable requirement(s) of information, notification to, or of authorization or Consent from the relevant public authority(ies) or the relevant Data Subjects, with respect to any Personal Data provided by the disclosing Party to the other Party. Nothing in this DPA shall prohibit or limit Taptica’s rights to implement anonymization of Personal Data processed in connection with the Agreement. For the sake of clarity, data resulting from effective and compliant anonymization is not subject to this DPA.

3. Cooperation Between the Parties

3.1 The Parties shall cooperate to comply with Data Protection Laws and with the other Party to meet and perform its respective obligations pursuant to this DPA;

3.2 The Parties shall keep appropriate documentation on the Processing activities carried out by each of them and on their compliance with Data Protection Laws and with this DPA.

3.3 In the event of an investigation, proceeding, formal request for information or documentation, or any similar event in connection with a data protection authority and in relation to this DPA, the Parties shall promptly and adequately deal with enquiries from the other Party that relate to the Processing of Personal Data under the Agreement.

3.4 To the extent legally required, Taptica and the Publisher have each appointed a data protection officer and shall upon request provide the contact information of their respective data protection officer to the other.

3.5 Publisher shall ensure that it obtains legally sufficient Consent for Taptica to the extent required under Data Protection Laws, including for purposes of permitting device identifiers to be collected and used by Taptica affiliates, Taptica and third parties to deliver mobile device ads to Data Subjects.

4. Obligations of the Respective Parties as Controllers

4.1 Except to the extent Data Protection Laws deem the Parties to be “joint” controllers, the Parties are independent Controllers of the Personal Data and all such obligations are set forth in this Section 4. When Processing Personal Data as Controllers under this DPA, each Party agrees that it shall:

  • Comply with all requirements under Data Protection Laws applicable to it as a Controller, and not perform its obligations under this DPA in such a way as to cause the other Party (where such other Party is otherwise in compliance with Data Protection Laws) to breach any of its obligations under Data Protection Law; 
    • Take into account all the data protection principles provided for in the Data Protection Laws, including but not limited to the principles of purpose limitation, data minimization, accuracy, storage limitation, security, integrity and confidentiality, transparency and protection of Personal Data by design and by default;
    • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the Processing of the Personal Data that it carries out (including, for the Publisher, in relation to Publisher’s digital properties), in particular to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access;
    • Take all the measures reasonably necessary to address any Data Breach relating to the Personal Data it processes, mitigate its effects, reasonably act to prevent a recurrence of such Data Breach, promptly notify the other Party without undue delay after becoming aware of such Data Breach, provide in such notification information to enable the other Party to respond to  data protection authority(ies) and the affected Data Subjects as required under Data Protection Laws;
    • Cooperate in the preparation of required data protection impact assessments;
    • Carry out any required assessment, consultation and/or notification to competent data protection authorities or Data Subjects, in relation to the Processing it carries out; 
    • Handle any Data Subject’s requests and/or complaints it receives, in particular requests relating to the exercise of a Data Subject’s rights under Data Protection Law, including the rights of access, rectification, erasure and objection and the right to withdraw Consent, and inform the other Party (without undue delay) in the event that it receives a Data Subject request related to the other Party’s respective Processing activities; 
    • Prominently post (or as applicable, describe in detail) a legally sufficient, publicly available, privacy policy/ privacy notice, describing (in a legally sufficient manner) all categories of Personal Data collected, used and disclosed including the use of identifiers, pixels, beacons, locally stored objects, or other similar technologies by third parties, and providing, to the extent legally required (through such notice and elsewhere on its website (for Taptica) or mobile application (for Publisher)) a legally sufficient manner for Data Subjects to “delete” their Personal Data or “opt out” of uses of their Personal Data as required by Data Protection Laws (including the “sharing” of their Personal Data or use of their Personal Data for “targeted advertising”, as each of those terms are defined in Data Protection Laws).   
    • Provide Data Subjects with all necessary information pursuant to Data Protection Law in respect of the Processing of the Personal Data hereunder; and
    • Without limitation of the above exercise all obligations required of a Controller, under any Data Protection Law.

4.2 Publisher shall not provide precise location information to Taptica, and Taptica shall not intentionally process such information should it receive it.

4.3 Publisher will ensure that each Data Subject whose Personal Data Publisher provides to Taptica (or otherwise allows Taptica to collect from Publisher properties) has provided Consent to (a) Taptica’s processing of the Personal Data as a Controller for purposes of ad selection, measurement, delivery, reporting and analytics. Publisher will also ensure that such Data Subjects will be presented with or provided Taptica’s privacy policy available at https://nexxen.com/privacy-policy/. Upon request, Publisher will provide Taptica with an accurate visual representation of its consent mechanism (and how Taptica is included in it), or a way to access such consent mechanism for purposes of auditing and diligence.

5. Cross-Border Data Transfers Between the Parties. The Parties acknowledge that their activities under the Agreement may involve cross-border transfers of Personal Data. Each Party may only engage in cross-border Processing of Personal Data or onward cross-border transfers of Personal Data if it has put in place a data transfer mechanism deemed to be valid under Data Protection Law. To the extent legally required, by entering into this DPA, the Parties are deemed to be signing the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://data.europa.eu/eli/dec_impl/2021/914/oj (“SCCs”), which form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and (except as described further below) will be deemed completed as follows:

  • Module 1 applies.
    • Clause 7 (the optional docking clause) is included.
    • Under Clause 13 (Supervision), the supervisory authority shall be of one of the Member States in which the Data Subjects whose Personal Data is transferred in relation to the offering of goods or services to them, or whose behaviour is monitored shall act as competent supervisory authority. Such supervisory authorities may be found at:  https://edpb.europa.eu/about-edpb/about-edpb/members_en  
    • Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
    • Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the law of Ireland.
    • Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland.
    • Annexes I and II of the SCCs are set forth as Annex I and Annex II in this DPA.
    • Annex III of the SCCs (List of subprocessors) is inapplicable.

To the extent legally required under UK Data Protection Law, by entering into this DPA, the Parties are deemed to be signing the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK SCC Addendum”), which forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCC Addendum. Undefined capitalized terms used in subsections (a)-(d) below shall have the definitions set forth in the UK SCC Addendum. For purposes of the UK SCC Addendum:

  • Table 1 of the UK SCC Addendum: the Parties and their contact information are set forth in the SCCs as described above.
    • Table 2 of the UK SCC Addendum: the Approved Standard Contractual Clauses are the SCCs as set forth above.
    • Table 3 of the UK SCC Addendum: Completed as set forth above for the SCCs.
    • Table 4 of the UK SCC Addendum: neither Party has the termination right set forth in Section 19 of the UK SCC Addendum.

To the extent legally required, with respect to transfers of Personal Data that are subject to the Swiss Federal Act on Data Protection (“FADP”), the SCCs shall be deemed to have the following differences to the extent required by the FADP:

  • References to the GDPR in the SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
    • The term “member state” in SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the SCCs. 
    • Under Annex II of the SCCs (Competent supervisory authority): (I) where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and (II) where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the SCCs insofar as the transfer is governed by the GDPR.

6. Updates. If Taptica updates this DPA to account for changes in Data Protection Laws concerning privacy or data security, or changes in the legal landscape based on enforcement or guidance related to Data Protection laws (“Updates”), provided Taptica shall not materially reduce its obligations hereunder or materially impact Suppliers obligations hereunder, the Parties agree such Updates to the DPA will apply to this DPA automatically as of the date such Updates are posted.

7. Order of Precedence. Unless stated otherwise, in case of a conflict between the provisions of A) the DPA to the provisions of State Privacy laws, or B) the DPA to the provisions of the SCCs, the UK SCC Addendum or the FADP, the provisions providing the more stringent protection to Personal Data and the rights of individuals shall govern. For the avoidance of doubt, any changes required under State Privacy laws, or the SCCs, the UK SCC Addendum or the FADP shall only apply to the Processing of Personal Data which is subject to the applicable Data Protection Law. If the SCCs, the UK SCC Addendum or the FADP are superseded by a new or modified mechanism, the new or modified mechanism shall be deemed to be incorporated into this DPA, and the Parties will promptly begin complying with such mechanism. In the event of any conflict or discrepancy between the Data Protection Laws, the SCCs, this DPA, and the Agreement, the following order of precedence will apply: (a) Data Protection Laws; (b) the SCCs (where applicable); (c) this DPA; and (d) the Agreement.

ANNEX I: Controller-to-Controller Processing of Personal Data

The Parties are deemed to have signed Annex I of the SCCs by entering into the DPA. 

The data exporter’s and data importer’s address and contact person are set forth in the Agreement.

Data Exporter and Data Importer: The data exporter is the Publisher. Publisher is a Controller. The data importer is Taptica. Taptica is a Controller. Taptica or Publisher is a data exporter or data importer, as the case may be. Each data exporter and each data importer is a Controller. The Parties’ activities relevant to the transfer, each as data importer or data exporter, are Taptica providing and Publisher receiving the Services, as set forth in the Agreement.

Categories of Data Subjects Whose Personal Data is Processed: Data Subjects who visit Publisher’s digital properties and each Party’s employees.

Categories of Personal Data Processed: Identifiers consisting of a series of characters (contained in a cookie or other) provided or made available by data exporter, including IP addresses and mobile or other app/device visits, installs or activity. Name and email addresses of authorized Controller employees/representatives.

Nature and Purpose of Transfer and further Processing: Digital processing to generate online advertising, measurement, analytics and related operations. Taptica providing and Publisher receiving the Services: Delivery of services and related information, payment, providing service and platform functions and features.

Retention of Transferred Personal Data: Personal Data will be retained by each Party in accordance with the Party’s data retention policies.

Transfers to Sub-Processors: Not applicable.

Sensitive or Special Category Data: None.

Frequency of the Transfer: Continuous for the Term of the Agreement.

ANNEX II – Taptica Security Schedule  

This security schedule (the “Schedule”) represents security controls to be complied with when either Party acts as a data importer of Personal Data.   

1. Security Controls. Data importer shall implement the following information security practices and procedures, as to Personal Data it receives as a data importer: 

Security Governance and Management: Data importer will maintain a Security Management System similar to ISO 27001, inclusive of other industry-known privacy and security best practices and supporting security controls. This will include appropriate documentation (security policies, processes, guidelines, standards, configuration standards and associated security controls) to assure adequate protection to Taptica and Publisher data assets throughout the Service lifecycle.

Security Assessments: No more than once per calendar year and only upon receipt of a written request with no less than thirty (30) business days’ notice, data importer may request a copy of data importer’s prior security assessment as to the environment(s) and system practices by which it processes and maintains Personal Data, which data importer may redact as necessary for purposes of protecting proprietary or confidential matters or information.

3rd Party Security Assurance: Data importer will maintain appropriate security assurance controls to appropriately manage data security risks for 3rd Party services to ensure the protection of Personal Data.

Security Training: Data importer will maintain appropriate security and privacy awareness programs to proactively protect Personal Data.

Physical and Environmental Security Controls: Data importer will maintain appropriate physical and environmental security controls to protect Personal Data against data security risks and to protect against risks to confidentiality, integrity, and availability. Such controls will be aligned to applicable industry, operational and security best practices protecting against physical and environmental security risk, including physical access controls, physical security monitoring and environmental protections against power disruptions, fire hazards, and related operational risks.

Access Control: Data importer will maintain a comprehensive access control management system aligned to industry best practices to protect Personal Data, with appropriate governance for the access, ensuring appropriate controls for authorization and authentication, based on the principle of least privilege. These controls shall include identification of privileged accounts with appropriate multifactor authentication (MFA) applied to permissions with access to Confidential Security Information. All authorized accounts, general or administrative, will have access logs collected and monitored, with permissions reviewed on a regular basis.

Business Continuity Management (BCM) System:   Data importer will maintain a Business Continuity Management (“BCM”) System that will detail continuity controls, roles, responsibilities, and recovery measures to maintain contracted Service availability requirements in response to a broad spectrum of potential disasters and operations risks that could disrupt operations and timely delivery of materials and services. Data importer will maintain a BCM System that includes regular testing intervals to ensure effectiveness of controls. Upon specific written request of data importer, data importer will support reasonable assessments and questions relating to the effectiveness of its BCM System controls. 

Application and Software Security: Data importer will maintain appropriate Secure Software Development (“SDL”) processes that ensure effective release, change and configuration controls are operated and appropriate application security controls are maintained to protect company and client data assets.  This shall include maintaining software versions and components at appropriate levels to ensure adequate protection. 

Device Security: Data importer will maintain appropriate device security for its employees that includes 24x7x365 security monitoring, detection and response through EDR endpoint protection and configuration baselines applied.

Network Security: Data importer will maintain appropriate network security controls to protect against disruption of Service availability or a Security Breach. This will include 24x7x365 security incident monitoring and detection response, and application of security best practices, including segmentation and vulnerability scanning.  

Encryption: Data importer will maintain appropriate encryption ciphers and protocols to protect data in transit, with appropriate encryption or equivalent controls applied if data assets are required to be transferred through external media if requested.

Security Incident: means any actual or potential unauthorized access to or use, disclosure, alteration, or destruction of Personal Data or confidential information (i.e., information that has been designated or demarcated as confidential to data importer, by any method agreed to by the Parties) by a third party, or any act or omission that compromises Personal Data transmitted pursuant to the processing under the Agreement or any data relevant to the Services that relate to the protection of the security, confidentiality or integrity of confidential information.

Security Incident Reporting: Data importer will notify data importer of any Security Incident within 72 hours, where that Security Incident reveals confidential information or details about data importer. Data importer, at its own expense, will mitigate, investigate, and provide appropriate relevant data and information in a security incident report, detailing the impacted data and necessary related information, if a detected Security Incident impacts data importer’s confidential information.

Security Incident Management: Data importer will maintain 24x7x365 security detection and response capabilities to assure appropriate detection and response to actual and potential data security risks to data importer data assets. These Security Incident management controls will be operated and maintained by a dedicated Security Team.

Vulnerability Management: Data importer will maintain and operate a comprehensive vulnerability management system, with appropriate controls aligned to industry best practices and standards. These controls include vulnerability scans across production environment platforms, with reporting, analysis and mitigation of detected vulnerabilities appropriately managed. Such scans will be applied internally and externally.