OpenWeb – Publisher Data Sharing Addendum

This Data Processing Addendum (“DPA”) applies to the Processing of Personal Data carried out in connection with the provision of the relevant services by OpenWeb Technologies Ltd. (“OpenWeb”), PowerInbox Inc. (d/b/a “Jeeng”), and/or AdYouLike Ltd. (“AYL”) (collectively, the “Company”), and the legal entity that entered into an agreement for the provision of services described in OpenWeb Services Agreement (“Publisher”) (each a “Party”), as indicated by the agreement established between the Parties (“Agreement”). The Parties hereby agree that this DPA shall be added as an addendum integral to the Agreement.

This DPA is organized around the following sections:

  • The GENERAL TERMS apply when any type of Services is provided, by either OpenWeb, Jeeng or AYL. 
  • Annex 1 applies when OpenWeb provides its Community Engagement Services to Publisher, as set out in the relevant Agreement.
  • Annex 2 applies when OpenWeb and/or AYL perform Cross Advertising and Ad Monetization, as set out in the relevant Agreement.
  • Annex 3 applies when Jeeng provides Email Distribution Services to Publisher, as set out in the relevant Agreement.
  • Annex 4 applies when Jeeng performs Email & Newsreader Monetization, as set out in the relevant Agreement.

The GENERAL TERMS of this DPA always apply to the Parties. Application of Annexes 1, 2, 3 or 4 will depend on the Services performed in accordance with the Agreement.

GENERAL TERMS

  1. Definitions and Interpretation. In this DPA:
    1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
    2. "US Data Protection Laws" means, to the extent applicable, Colorado Privacy Act 2021 Colo. SB. 190; Connecticut Data Privacy and Online Monitoring Act, Conn. Gen. Stat. §42 et seq.; Utah Consumer Privacy Act, Utah Code Ann. §13-61; Virginia Consumer Data Protection Act, Va. Civ. Code § 59.1; and the California Consumer Privacy Act of 2018, Cal. Civ. §§ 1798.100 et seq. and its implementing regulations ("CCPA"); each, as may be amended or replaced from time to time.
    3. “Community Engagement Services” means the OpenWeb proprietary technology for deploying, operating and managing End-Users’ comments on the Publisher Properties.
    4. “Cross Advertising and Ad Monetization” means the collection of data through websites or applications owned or operated by different entities on a particular device for the purpose of delivering advertising based on the preferences or interests known or inferred from the data collected.
    5. The terms, "Controller", "Member State", “Joint Controller”, "Processor", "Processing", “Data Subject” and "Supervisory Authority" shall have the same meanings as in the GDPR. The terms "Business", "Service Provider", "Third Party", "Selling" (including "Sell" and "Sale"), "Sharing" (including "Share" and "Shared"), "Business Purpose", "Deidentified" and "Cross-Context Behavioral Advertising" shall have the same meanings as in the CCPA. Where applicable, a Controller shall be deemed a “Business”, a Processor shall be deemed to be a “Service Provider” or a "Contractor", and a Data Subject shall be deemed a "Consumer", as these terms are defined in the CCPA.
    6. "Data Incident" means accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
    7. “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Israel and the United States of America, as applicable to the Processing of the Personal Data under the Agreement including (without limitation) the GDPR, the UK GDPR and the US Data Protection Laws, as applicable to the Parties in relation to the Personal Data hereunder and in effect at the time of the Parties’ performance hereunder. For the purpose of this DPA, Data Protection Laws shall also include Relevant Privacy Requirements (as defined below) to the extent applicable to the Processing of Personal Data.
    8. "Direct Marketing Laws" means any and all laws, acts and regulations governing the sending of marketing communications by electronic mail, including as applicable, the Privacy and Electronic Communications Directive 2002/58/EC (as amended), the CAN-SPAM Act of 2003, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any and all applicable regulatory guidance and binding rules published by a competent supervisory authority or regulator, each as amended or replaced from time to time.
    9. “Email Distribution Services” means the provision of the Email AdServer Services to Publisher.
    10. “Email & Newsreader Monetization” means the performance of Cross Advertising and Ad Monetization in connection with the Email Monetization and Newsreader Monetization Services.
    11. “End-User” means a Data Subject who interacts with the Publisher Properties where the Services are provided.
    12. “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992, as revised as of 25 September 2020, the “Revised FADP”.
    13. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
    14. “Personal Data” or “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or Consumer, which is processed by a Party, under this DPA and the Agreement.
    15. “Publisher Properties” means the website(s) and/or other digital assets owned, operated or managed by Publisher, in connection with which the Services are provided.
    16. "Relevant Privacy Requirements" mean all (i) applicable self-regulatory rules and principles (SRPs), laws, governmental regulations and court or government agency orders and decrees relating in any manner to the collection, use or dissemination of information from or about Users, User traffic or otherwise relating to privacy rights or with respect to the sending of marketing and advertising communications; (ii) posted privacy policies; and (iii) for mobile applications, the terms of service for the applicable mobile operating system.
    17. “Security Documentation” means the documentation describing the technical and organizational measures implemented and maintained by a Party to protect Personal Data.
    18. “Services” means the services provided by either OpenWeb, Jeeng or AYL. The term “Services” may refer to each of the following services or activities (or any combination of them) in accordance with the Agreement: (a) the Community Engagement Services; (b) the performance of Cross Advertising and Ad Monetization by OpenWeb and/or AYL; (c) the Email Distribution Services; and/or (d) the Email & Newsreader Monetization Services.
    19. “Standard Contractual Clauses” shall mean (i) where the GDPR applies, the applicable Module of the standard clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"); or (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU SCCs as issued by the Information Commissioner’s Office under S119A(1) of the Data Protection Act 2018 and in force as of 21 March 2022 ("UK Addendum").
    20. “Sub-processor” means any third party that Processes Personal Data on behalf, or under the instruction of OpenWeb, Jeeng or AYL (as appropriate) when any of them Processes the Personal Data as a Processor on behalf of the Publisher.
    21. "UK GDPR" means the GDPR as it forms part of the law of the United Kingdom.
  2. Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, the following shall apply:
    1. Community Engagement Services. Publisher and OpenWeb are each an independent and separate Controller of the Personal Data.  The Parties shall not be deemed to Process the Personal Data as Joint Controllers. For the avoidance of doubt, neither Party is a Processor of the other. The Parties’ Processing of Personal Data in connection with the Community Engagement Services shall be subject to the terms set forth in Annex 1 – Community Engagement Terms. 
    2. Cross Advertising and Ad Monetization. Publisher and OpenWeb and/or AYL (as appropriate) are each an independent and separate Controller of the Personal Data. The Parties shall not be deemed to Process the Personal Data as Joint Controllers. For the avoidance of doubt, neither Party is a Processor of the other. The Parties’ Processing of Personal Data in connection with Cross Advertising and Ad Monetization shall be subject to the terms set forth in Annex 2 – Cross Advertising and Ad Monetization Terms.
    3. Email Distribution Services. Publisher is a Controller of the Personal Data and Jeeng is a Processor of the Personal Data, Processing it on the Publisher’s behalf in accordance with the terms set forth in Annex 3 – Email Distribution Terms.
    4. Email & Newsreader Monetization. Publisher and Jeeng are each an independent and separate Controller of the Personal Data. The Parties shall not be deemed to Process the Personal Data as Joint Controllers. For the avoidance of doubt, neither Party is a Processor of the other. The Parties’ Processing of Personal Data in connection with Email & Newsreader Monetization shall be subject to the terms set forth in Annex 4 – Email & Newsreader Monetization Terms.
  3. Sub-processors.
    1. Current Sub-processors. The list of Sub-processors used to Process Personal Data by the Company is available here. Such Sub-processor list includes the identities of those Sub-processors and the entity’s country (“Sub-Processor List”). Company may engage new Sub-processors. Notifications of new Sub-processors will be provided to Publisher at least thirty (30) days prior to the commencement of the Processing by such new Sub-processors. Publisher may object within ten (10) days from the receipt of the notice to the engagement of any new Sub-processor on reasonable privacy, data protection, or security grounds by notifying Company in writing to privacy@openweb.com. If no objection is received, it is deemed the Publisher has authorized the intended changes. If within ninety (90) days from such objection, Company is unable to make available to Publisher a change in the applicable Services to avoid Processing by the objected-to Sub-processor without unreasonably burdening Publisher, then Publisher may terminate the Agreement and this DPA upon the provision of a prompt written notice.
    2. Notification of, and objection to, new Sub-processors. Publisher may reasonably object to the use of an existing Sub-processor for reasons relating to the protection of Personal Data intended to be Processed by such Sub-processor, by providing a written objection to the Company at privacy@openweb.com within three (3) business days following the first use of the relevant Services. In the event Publisher reasonably objects to an existing Sub-processor, as permitted in the preceding sentence, Publisher may, as a sole remedy, terminate the applicable Agreement and this DPA solely with respect to those Services which cannot be provided by the Company without the use of the objected-to Sub-processor, by providing written notice to the Company via privacy@openweb.com; provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to the Company. Publisher will have no further claims against the Company due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph.
    3. Agreements with Sub-processors. The Company shall have a written agreement with each Sub-processor containing the same or materially similar data protection obligations as set out in this DPA, in particular with respect to obligations to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Laws. 

  4. Other
    1. Governing Law. To the maximum extent permitted by law, this DPA shall be governed by the laws governing the Agreement, except for those provisions of clauses which dictate the application of another law for particular purposes.
    2. Modifications. Each Party may by at least forty-five (45) calendar days' prior written notice to the other Party, request in writing any variations to this DPA solely if they are required as a result of any change in, or decision of a competent authority under Data Protection Laws, to allow Processing of Personal Data to be made (or continue to be made) in accordance with the Agreement or this DPA without breach of those Data Protection Laws. The Parties shall make commercially reasonable efforts to accommodate such modification requested by a Party. The Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within 30 days of such notice, then each Party may, by written notice to the other Party, with immediate effect, terminate this DPA and the Agreement.
    3. Point of Contact. Each Party shall appoint a single point of contact or contact person who will be responsible for any issue arising under this DPA, including ensuring that such Party complies with this DPA.
    4. Order of Precedence. In the event of any conflict between (i) provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail solely with respect to matters relating to the Processing of Personal Data; (ii) this DPA and Data Protection Laws, the Data Protection Laws shall prevail; (iii) clauses or sections of this DPA and clauses or sections of the Standard Contractual Clauses (where applicable), the clauses or sections of the Standard Contractual Clauses most favorable to the affected Data Subject shall prevail.

IN WITNESS WHEREOF, this DPA is entered into and becomes binding between the Parties with effect from the date first set out above.


ANNEX 1: COMMUNITY ENGAGEMENT TERMS

  1. Scope and Application. These Community Engagement Terms shall apply to the Processing of Personal Data as a part of the provision of the Community Engagement Services by OpenWeb to Publisher in accordance with the Agreement.
  2. Publisher’s Processing of Personal Data. Publisher shall use the Community Engagement Services in compliance with applicable laws to which Publisher is subject, including Data Protection Laws. Publisher shall provide all required notices and information to the Data Subjects as required under Data Protection Laws and shall establish and have any and all required legal bases in order to collect (or, where appropriate, to allow OpenWeb to collect), Process, and transfer to OpenWeb the Personal Data.
  3. OpenWeb’s Processing of Personal Data. OpenWeb shall Process Personal Data for the following purposes: (i) in accordance with the Agreement and this DPA; (ii) as required to provide the Services including but not limited to, to ensure their safety and the safety of end users and of Company customers using these services, and to improve them and provide support; (iii) providing analytics regarding the manner in which End-Users interact with the Publisher Properties; (iv) in connection with AI models used internally by OpenWeb for its legitimate business purposes; (v) Processing as permitted under the laws applicable to OpenWeb.
  4. Details of Processing. With respect to the Community Engagement Services, the subject-matter, duration, nature and purposes of the Processing, the types of Personal Data Processed and categories of Data Subjects concerned are detailed below:
    1. Nature and Purposes of Processing: (i) Providing the Community Engagement Services; (ii) Performing the Agreement and this DPA and/or other contracts executed by the Parties; (iii) Complying with applicable laws and regulations; (iv) Any other processing activities necessary for the purposes specified in Section 3 of these Community Engagement Terms.
    2. Duration of Processing: subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, the Parties will Process Personal Data pursuant to the DPA and the Agreement for the duration of the Agreement, on a continuous basis, unless otherwise agreed upon in writing by the Parties.
    3. Type of Personal Data: (i) End-Users’ Personal Data associated with their account (e.g., name, date of birth, username, email address, user alias, and other information as may be required by the Publisher to create an account); (ii) End-Users’ content and comments (e.g., information written by the End-user and published online, to the extent it contains Personal Data); (iii) Electronic communication data (e.g., IP address, UUID, internet pages accessed, details of the terminal device used, operating system and browser).
    4. Categories of Data Subjects: End-Users.
  5. Compliance with Data Protection Laws. Without derogating from the foregoing, each Party shall be responsible independently and separately for complying with the respective obligations that apply to it as a Data Controller under Data Protection Laws. 
  6. Obtaining Consent & Transparency Requirements. Each party shall maintain a publicly-accessible privacy notice on its mobile apps and/or websites that is available via a prominent link that satisfies transparency disclosure requirements under Data Protection Laws applicable to each Party. Each party warrants and represents that it has provided Data Subjects with appropriate transparency and all required notices regarding data collection, use and sharing, and obtained any and all consents or permissions necessary under Data Protection Laws, as applicable. It is hereby clarified that Publisher is the initial Controller of Personal Data.
  7. Consent Management. Without derogating from the generality of Section 6 above, Publisher represents and warrants that: (a) it shall obtain all necessary permissions and valid consents from End-Users in accordance with Data Protection Laws, to lawfully permit Publisher to collect, Process and transfer the Personal Data to OpenWeb, for the purposes contemplated in Section 3 of these Community Engagement Terms; and (b) it shall at all times maintain a mechanism for obtaining such consent from End-Users in accordance with the requirements of Data Protection Laws, as well as a mechanism for End-Users to withdraw such consent (opt-out) in accordance with Data Protection Laws. Publisher shall maintain a record of all consents obtained from End-Users, and all withdrawals of consent by End-Users, all as required under Data Protection Laws.
  8. Security. Each Party shall have implemented and will maintain appropriate technical and organizational measures for the protection of the Personal Data Processed hereunder as required by Data Protection Laws (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to the Personal Data, confidentiality and integrity of the Personal Data) (“Security Measures”), and shall maintain documentation describing such Security Measures (“Security Documentation”). Without derogating from the foregoing, each Party shall be responsible to comply with security requirements that apply to it as an independent and separate Controller under Data Protection Laws.
  9. Confidentiality. The Parties shall ensure that the Personal Data is kept confidential and their personnel and advisors engaged in the Processing of Personal Data have committed themselves to confidentiality.
  10. Cross-Border Data Transfers. If the Processing of Personal Data by the Parties includes a transfer from the EEA (“EEA Transfer”), the UK (“UK Transfer”), and/or Switzerland (“Swiss Transfer”), to other countries which have not been subject to a relevant adequacy decision of the relevant competent authorities of the EEA, EU, the UK or Switzerland, and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data (as defined in the GDPR, the FADP, or the UK GDPR, as applicable) outside the EEA, Switzerland or the UK, then (i) the terms set forth in Part 1 of Annex 5 (EEA Cross Border Transfers) shall apply to any EEA Transfer; (ii) the terms set forth in Part 2 of Annex 5 (UK Trans-Border Transfers) shall apply to any UK Transfer; (iii) and the terms set forth in Part 3 of Annex 5 (Switzerland Cross Border Transfers) shall apply to any such Swiss Transfer.
  11. CCPA Terms
    1. Scope, Application & Interpretation. These CCPA Terms shall (i) apply and bind the Parties if and to the extent the CCPA applies to the Processing of the Personal Information by the Parties; (ii) prevail over any conflicting terms of the Agreement or the DPA but does not otherwise modify them; (iii) be interpreted in favor of the Parties’ intent to comply with the CCPA, and therefore any ambiguity shall be resolved in favor of a meaning that complies and is consistent with the CCPA.
    2. Processing of Personal Information
      1. In relation to the Processing of the Personal Information under the Agreement and solely for the purposes of this Section 11, (i) Publisher is a Business; and (ii) OpenWeb is a Third Party. 
      2. Publisher shall comply with the provisions of the CCPA that apply to it as a Business, including, without limitation, Title 1798.100.
      3. OpenWeb shall Process the Personal Information for the following purposes: (i) for the purposes described in Section 4 of these Community Engagement Terms; (ii) in accordance with the provisions of the CCPA, and in a manner that provides the same level of privacy protection to Personal Information as required by Title 1798.100 of the CCPA (collectively, the “Limited and Specified Purposes”). OpenWeb certifies that it understands the rules, requirements, and definitions of the CCPA and these CCPA Terms, and shall comply with them.
      4. Publisher may take reasonable and appropriate steps to ensure OpenWeb Processes the Personal Information in a manner consistent with the Publisher’s obligations under Title 1798.100 of the CCPA. Upon ten (10) business days prior notice from the Publisher, the Publisher may take reasonable and appropriate steps to stop and remediate unauthorized use of the Personal Information.
      5. OpenWeb shall notify Publisher if OpenWeb makes a determination that it can no longer meet its obligations under these CCPA Terms and/or the CCPA.

ANNEX 2: CROSS ADVERTISING AND AD MONETIZATION TERMS

  1. Scope and Application. These Cross Advertising and Ad Monetization Terms shall apply to the performance of Cross Advertising and Ad Monetization by OpenWeb and/or AYL in accordance with the Agreement.
  2. The Parties’ Processing of Personal Data. When Processing Personal Data for Cross Advertising and Ad Monetization, each Party shall Process Personal Data solely for the following purposes: (i) Processing in accordance with the Agreement and these Cross Advertising and Ad Monetization Terms; (ii) as required to perform Cross Advertising and Ad Monetization; (iii) Processing as required under Data Protection Laws.
  3. Details of Processing. The subject-matter, duration, nature and purpose of the Processing, the types of Personal Data Processed in relation to the performance of Cross Advertising and Ad Monetization in accordance with the Agreement, and respective categories of Data Subjects concerned are detailed below:
    1. Nature and Purpose of Processing: (i) Performance of Cross Advertising and Ad Monetization by the Parties; (ii) Performing the Agreement and this DPA and/or other contracts executed by the Parties; (iii) Complying with applicable laws and regulations; (iv) Any other processing activities necessary for the purposes specified in Section 2 of these Cross Advertising and Ad Monetization Terms.
    2. Duration of Processing: subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, the Parties will Process Personal Data pursuant to the DPA and the Agreement for the duration of the Agreement, on a continuous basis, unless otherwise agreed upon in writing by the Parties.
    3. Type of Personal Data: Personal Data Processed for the purpose of programmatic advertising such as (but not limited to): IP addresses, location information (non-precise), device unique identifier, and other information as may be required to perform Cross Advertising and Ad Monetization.
    4. Categories of Data Subjects: End-Users.
  4. Compliance with Data Protection Laws. Without derogating from the foregoing, each Party shall be responsible independently and separately for complying with the respective obligations that apply to it as a Data Controller under Data Protection Laws, taking into account the nature of Processing activities performed by the Parties for the performance of Cross Advertising and Ad Monetization. 
  5. Obtaining Consent & Transparency Requirements. Each party shall maintain a publicly-accessible privacy notice on its mobile apps and/or websites that is available via a prominent link that satisfies transparency disclosure requirements under Data Protection Laws applicable to each Party. Each party warrants and represents that it has provided Data Subjects with appropriate transparency and all required notices regarding data collection, use and sharing, and obtained any and all consents or permissions necessary under Data Protection Laws, as applicable. It is hereby clarified that Publisher is the initial Controller of Personal Data.
  6. Consent Management Platform. Without derogating from the generality of Section 4 above, Publisher represents and warrants that: (a) it shall obtain all necessary permissions and valid consents from End-Users in accordance with Data Protection Laws applicable to it, to lawfully permit Publisher to collect, Process and transfer the Personal Data to OpenWeb and/or AYL, for the purposes contemplated in Section 3 of these Cross Advertising and Ad Monetization Terms; and (b) it shall at all times maintain a mechanism for obtaining such consent from End-Users in accordance with the requirements of Data Protection Laws, as well as a mechanism for End-Users to withdraw such consent (opt-out) in accordance with Data Protection Laws. Publisher shall maintain a record of all consents obtained from End-Users, and all withdrawals of consent by End-Users, all as required under Data Protection Laws.
  7. Security. Each Party shall have implemented and will maintain appropriate technical and organizational measures for the protection of the Personal Data Processed hereunder as required by Data Protection Laws (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to the Personal Data, confidentiality and integrity of the Personal Data) which shall be described by the applicable Security Documentation. Without derogating from the foregoing, each Party shall be responsible to comply with security requirements that apply to it as an independent and separate Controller under Data Protection Laws.
  8. Confidentiality. The Parties shall ensure that the Personal Data is kept confidential and their personnel and advisors engaged in the Processing of Personal Data have committed themselves to confidentiality.
  9. Cross-Border Data Transfers. If the Processing of Personal Data by the Parties includes a transfer from the EEA (“EEA Transfer”), the UK (“UK Transfer”), and/or Switzerland (“Swiss Transfer”), to other countries which have not been subject to a relevant adequacy decision of the relevant competent authorities of the EEA, EU, the UK or Switzerland, and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data (as defined in the GDPR, the FADP, or the UK GDPR, as applicable) outside the EEA, Switzerland or the UK, then (i) the terms set forth in Part 1 of Annex 5 (EEA Cross Border Transfers) shall apply to any EEA Transfer; (ii) the terms set forth in Part 2 of Annex 5 (UK Trans-Border Transfers) shall apply to any UK Transfer; (iii) and the terms set forth in Part 3 of Annex 5 (Switzerland Cross Border Transfers) shall apply to any such Swiss Transfer.
  10. CCPA Terms
    1. Scope, Application & Interpretation. These CCPA Terms shall (i) apply and bind the Parties if and to the extent the CCPA applies to the Processing of the Personal Information by the Parties; (ii) prevail over any conflicting terms of the Agreement or the DPA but does not otherwise modify them; (iii) be interpreted in favor of the Parties’ intent to comply with the CCPA, and therefore any ambiguity shall be resolved in favor of a meaning that complies and is consistent with the CCPA. 
    2. Processing of Personal Information
      1. In relation to the Processing of the Personal Information under the Agreement and solely for the purposes of this Section 10, (i) Publisher is a Business; and (ii) OpenWeb and/or AYL is a Third Party that is specifically and contractually directed by Publisher to engage with other Third-Parties to perform Ad Monetization (including Cross-Context Behavioral Advertising) and related Processing activities. 
      2. Publisher shall comply with the provisions of the CCPA that apply to it as a Business, including, without limitation, Title 1798.100. Publisher shall at or before the point of collection of Personal Information, provide End-Users with all required privacy notices, including a description of their privacy rights under the CCPA.
      3. Publisher shall provide End-Users the right to opt-out of the Sale or Sharing of their Personal Information as required by the CCPA, including via industry standard mechanisms (for example, the US Privacy String, the IAB Global Privacy Platform (GPP), and Global Privacy Control).
      4. Publisher shall configure the applicable code, other tracking technology, in accordance with specifications provided by OpenWeb and/or AYL that will signal to OpenWeb and/or AYL if an End-User has opted out of Sale or Sharing. As applicable, Publisher shall implement a Cookie Management Platform that is able to transfer such signals to OpenWeb and/or AYL.
      5. To the extent Publisher receives requests to opt-out of Sale or Sharing of Personal Information outside of automated mechanisms, Publisher shall inform OpenWeb and/or AYL of requests to opt-out without undue delay. 
      6. Publisher shall maintain a record of all opt-out requests received from End-Users. 
      7. Publisher may take reasonable and appropriate steps to ensure that OpenWeb and/or AYL Processes the Personal Information in a manner consistent with the Publisher’s obligations under Title 1798.100 of the CCPA.
      8. OpenWeb and/or AYL shall Process the Personal Information for the following purposes: (i) for the purposes described in Sections 2 and 3 of these Terms; (ii) in accordance with the provisions of the CCPA, and in a manner that provides the same level of privacy protection to Personal Information as required by Title 1798.100 of the CCPA (collectively, the “Limited and Specified Purposes”). OpenWeb and/or AYL certifies that it understands the rules, requirements, and definitions of the CCPA and these CCPA Terms, and shall comply with them.
      9. As applicable to the products or services provided, OpenWeb and/or AYL shall implement reasonable security measures as appropriate under the CCPA.
      10. As applicable to the products or services provided, OpenWeb and/or AYL shall cooperate with Publisher or otherwise enable both Parties to comply with their obligations relating to requests to opt-out of Sale or Sharing of Personal Information.
      11. OpenWeb and/or AYL acknowledges that with respect to End-User Personal Information, Publisher has the right to take reasonable and appropriate steps to ensure that OpenWeb and/or AYL uses such Personal Information in a manner consistent with Publisher’s obligations under the CCPA. Specifically, upon Publisher’s reasonable request, OpenWeb and/or AYL shall provide sufficient information to Publisher that would allow Publisher to have a reasonable belief that OpenWeb and/or AYL is complying with the CCPA.
      12. OpenWeb and/or AYL further acknowledges that Publisher has the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of End-User Personal Information by OpenWeb and/or AYL.
      13. OpenWeb and/or AYL shall notify Publisher if OpenWeb and/or AYL makes a determination that it can no longer meet its obligations under the CCPA. 

ANNEX 3: EMAIL DISTRIBUTION TERMS

  1. Publisher’s Processing of Personal Data. Publisher, in its use of the Email Distribution Services, and Publisher’s instructions to Jeeng, shall comply with Data Protection Laws and Direct Marketing Laws, as applicable. Publisher shall provide all required notices, unsubscribe options, and information to the Data Subjects under Data Protection Laws, and obtain any required consents, or shall establish and have any and all required legal bases in order to collect, Process and transfer to Jeeng the Personal Data, and to authorize the Processing by Jeeng, and for Jeeng’s Processing activities on Publisher’s behalf, including the pursuit of Business Purposes as defined under the CCPA.
  2. Jeeng’s Processing of Personal Data. When Processing on Publisher’s behalf under the Agreement, Jeeng shall Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and this DPA; (ii) Processing for the benefit of Publisher as part of the provision of the Email Distribution Services; (iii) Processing to comply with Publisher’s reasonable and documented instructions, where such instructions are consistent with the terms of the Agreement, regarding the manner in which the Processing shall be performed; (iv) rendering Personal Data fully anonymous, non-identifiable and non-personal in accordance with applicable standards recognized by Data Protection Laws and guidance issued thereunder; (v) Processing as required under the laws applicable to Jeeng, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that Jeeng shall inform Publisher of the legal requirement before Processing, unless such law or order prohibits such information on important grounds of public interest.
  3. Details of Processing. The subject-matter, duration, nature and purpose of the Processing, the types of Personal Data Processed as a part of the Email Distribution Services, and respective categories of Data Subjects concerned are detailed below:
    1. Nature and Purpose of Processing: (i) Providing the Email Distribution Services; (ii) Performing the Agreement and this DPA and/or other contracts executed by the Parties; (iii) Acting upon Publisher’s documented instructions, where such instructions are consistent with the terms of the Agreement; (iv) Complying with applicable laws and regulations; (v) all tasks related with any of the above.
    2. Duration of Processing: subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Jeeng will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing.
    3. Type of Personal Data: (i) End-Users’ Personal Data associated with Publisher newsletter account (e.g., name, email address, and other information as may be required by the Publisher); (ii) Electronic communication data (e.g., IP address, UUID, internet pages accessed, details of the terminal device used, operating system and browser).
    4. Categories of Data Subjects: End-Users.
  4. Data Subject requests. Jeeng shall provide reasonable assistance to Publisher with respect to Publisher's duty to respond to requests to exercise Data Subject rights under Data Protection Laws (“Data Subject Request(s)”). Jeeng shall notify Publisher, without undue delay, if it receives a Data Subject Request relating to Personal Data Processed in connection with the Email Distribution Services, and shall maintain electronic records of such Data Subject Requests. Jeeng will not respond to Data Subject Requests except on the documented instructions of Publisher or as required by Data Protection Laws. 
  5. Jeeng Personnel. Jeeng shall ensure that its personnel and advisors engaged in the Processing of Personal Data have committed themselves to confidentiality.
  6. Controls for the Protection of Personal Data. Jeeng will maintain all appropriate technical and organizational measures for the protection of Personal Data Processed hereunder (including for the prevention and management of Data Incidents, as defined below in Section 9), including those measures set forth in the Security Documentation. Upon Publisher’s reasonable request, Jeeng shall provide it with reasonable cooperation and assistance needed to fulfil Publisher’s obligations under Articles 32 to 36 of the GDPR or the UK GDPR.
  7. Audits and Inspections. Upon Publisher’s 45 days prior written request at reasonable intervals (no more than once every 12 months), at Publisher's sole cost and expense and subject to strict confidentiality undertakings by Publisher (or any third-party auditor mandated by Publisher), Jeeng shall make available to Publisher (or Publisher’s independent third-party auditor) information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by them of Jeeng's pertinent documentation and as necessary, its relevant personnel. In the event of an audit or inspection as set forth above, Publisher shall take reasonable steps to avoid causing any disruption to Jeeng’s operations while conducting such audit or inspection. Publisher hereby acknowledges and agrees that Jeeng audits its compliance with data protection and information security standards on a regular basis (either by Jeeng's internal audit team and/or by third party auditors) and that such audits result in the generation of an audit report (“Report”), which is Jeeng's confidential information. Publisher hereby agrees that Jeeng may, at its sole discretion, satisfy any audit or inspection requirements set out in this section by providing Publisher with a copy of the Report so that Publisher can reasonably verify Jeeng's compliance with its obligations under this DPA.
  8. Data Incident Management and Notification. Jeeng maintains security incident management policies and procedures and shall notify Publisher without undue delay after becoming aware of:
    1. Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (a “Data Incident”). Jeeng shall provide Publisher with information on the nature of the Data Incident, including the categories of Data Subjects concerned and the categories of Personal Data and data records concerned. Jeeng shall take reasonable steps to identify and remediate and/or mitigate the cause of such Data Incident. Upon request, Jeeng shall provide Publisher with information available to it to allow Publisher to meet its obligations under Data Protection Laws;
    2. Any request for disclosure of Personal Data by a Supervisory Authority and/or any other law enforcement authority or court unless prohibited under applicable law. 
  9. Return and deletion of Personal Data. Following termination of the Agreement, Jeeng shall delete all the Personal Data it Processes on behalf of Publisher, in the manner described in the Agreement or as otherwise reasonably requested by Publisher, unless applicable laws to which Jeeng is subject require otherwise. In such a case, Jeeng will guarantee the confidentiality of Personal Data and will not actively Process it anymore, and will guarantee the destruction of the Personal Data when such legal obligation to retain it has expired.
  10. Cross-border data transfers. If the Processing of Personal Data by Jeeng includes a transfer from the EEA (“EEA Transfer”), the UK (“UK Transfer”), and/or Switzerland (“Swiss Transfer”), to other countries which have not been subject to a relevant adequacy decision of the relevant competent authorities of the EEA, EU, the UK or Switzerland, and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data (as defined in the GDPR, the FADP, or the UK GDPR, as applicable) outside the EEA, Switzerland or the UK, then (i) the terms set forth in Part 1 of Annex 5 (EEA Cross Border Transfers) shall apply to any EEA Transfer; (ii) the terms set forth in Part 2 of Annex 5 (UK Trans-Border Transfers) shall apply to any UK Transfer; (iii) and the terms set forth in Part 3 of Annex 5 (Switzerland Cross Border Transfers) shall apply to any such Swiss Transfer.
  11. CCPA Terms
    1. Publisher hereby appoints Jeeng as a Service Provider to Process Personal Information on behalf of Publisher to provide the Email Distribution Services. Publisher, in its use of the Services, and Publisher’s instructions to Jeeng, shall comply with the CCPA. 
    2. Jeeng shall Process Personal Information solely for the purposes set forth in Sections 2-3 of this Annex 3 and as necessary to comply with this Annex 3 and the CCPA (collectively: the "Permitted Purposes"). 
    3. Jeeng shall Process Personal Information in accordance with the provisions of the CCPA, and in a manner that provides the same level of privacy protection to Personal Information as required by the CCPA. Jeeng certifies that it understands the rules, requirements, and definitions of the CCPA and shall comply with them.
    4. Jeeng acknowledges and confirms that it does not receive or process any Personal Information as consideration for any services or other items that Jeeng provides to Publisher under the Agreement. Jeeng will refrain from Selling and/or Sharing any Personal Information Processed as a part of the Email Distribution Services hereunder without Publisher’s prior written consent. Jeeng shall not have, derive, or exercise any rights or benefits regarding the Personal Information, and shall not retain, use, or disclose any Personal Information (i) for any purpose other than the Permitted Purposes, and/or (ii) outside of its direct business relationship with Publisher. 
    5. Jeeng shall not combine Personal Information with any other data if and to the extent that this would be inconsistent with the limitations on Service Providers under the CCPA.
    6. If Jeeng receives any Personal Information in Deidentified form, Jeeng shall take reasonable measures to ensure that such Deidentified Personal Information cannot be associated with a Consumer or household. 
    7. Jeeng shall notify Publisher without undue delay if Jeeng makes a determination that it can no longer meet its obligations under these CCPA Terms and/or the CCPA.

ANNEX 4: EMAIL & NEWSREADER MONETIZATION TERMS

  1. Scope and Application. These Email & Newsreader Monetization Terms shall apply to the performance of Email & Newsreader Monetization by Jeeng in accordance with the Agreement.
  2. The Parties’ Processing of Personal Data. When Processing Personal Data for Email & Newsreader Monetization, each Party shall Process Personal Data solely for the following purposes: (i) Processing in accordance with the Agreement and these Email & Newsreader Monetization Terms; (ii) as required to perform Email & Newsreader Monetization; (iii) Processing as required under Data Protection Laws.
  3. Details of Processing. The subject-matter, duration, nature and purpose of the Processing, the types of Personal Data Processed in relation to the performance of Email & Newsreader Monetization in accordance with the Agreement, and respective categories of Data Subjects concerned are detailed below:
    1. Nature and Purpose of Processing: (i) Performance of Email & Newsreader Monetization by the Parties (monetization of email & Newsreader impressions through real-time bidding of advertisers for the purposes of interest-based programmatic advertising); (ii) Improving the performance of Jeeng services including debugging, and development of new features; (iii) Rendering Personal Information fully anonymous, non-identifiable and non-personal in accordance with applicable standards and guidance; (iv) Performing the Agreement and this DPA and/or other contracts executed by the Parties; (v) Complying with applicable laws and regulations; (vi) Any other processing activities necessary for the purposes specified in Section 2 of these Email & Newsreader Monetization Terms.
    2. Duration of Processing: subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, the Parties will Process Personal Data pursuant to the DPA and the Agreement for the duration of the Agreement, on a continuous basis, unless otherwise agreed upon in writing by the Parties.
    3. Type of Personal Data: Personal Data Processed for the purpose of programmatic advertising such as (but not limited to): IP addresses, location information, device unique identifier, and other information as may be required to perform Cross Advertising and Ad Monetization.
    4. Categories of Data Subjects: End-Users.
  4. Compliance with Data Protection Laws. Without derogating from the foregoing, each Party shall be responsible independently and separately for complying with the respective obligations that apply to it as a Data Controller under Data Protection Laws, taking into account the nature of Processing activities performed by the Parties for the performance of Email & Newsreader Monetization. 
  5. Obtaining Consent & Transparency Requirements. Each Party shall maintain a publicly-accessible privacy notice on its mobile apps and/or websites that is available via a prominent link that satisfies transparency disclosure requirements under Data Protection Laws applicable to each Party. Each Party warrants and represents that it has provided Data Subjects with appropriate transparency and all required notices regarding data collection, use and sharing, and obtained any and all consents or permissions necessary under Data Protection Laws, as applicable. It is hereby clarified that Publisher is the initial Controller of Personal Data.
  6. Consent Management. Without derogating from the generality of Section 4 above, Publisher represents and warrants that: (a) it shall obtain all necessary permissions and valid consents from End-Users in accordance with Data Protection Laws and Direct Marketing Laws applicable to it, to lawfully permit Publisher to collect, Process and transfer the Personal Data to Jeeng and/or AYL, for the purposes contemplated in Sections 2-3 of these Email & Newsreader Monetization Terms; and (b) it shall at all times maintain a mechanism for obtaining such consent from End-Users in accordance with the requirements of Data Protection Laws, as well as a mechanism for End-Users to withdraw such consent (opt-out) in accordance with Data Protection Laws. Publisher shall maintain a record of all consents obtained from End-Users, and all withdrawals of consent by End-Users, all as required under Data Protection Laws.
  7. Security. Each Party shall have implemented and will maintain appropriate technical and organizational measures for the protection of the Personal Data Processed hereunder as required by Data Protection Laws (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to the Personal Data, confidentiality and integrity of the Personal Data) which shall be described by the applicable Security Documentation. Without derogating from the foregoing, each Party shall be responsible to comply with security requirements that apply to it as an independent and separate Controller under Data Protection Laws.
  8. Confidentiality. The Parties shall ensure that the Personal Data is kept confidential and their personnel and advisors engaged in the Processing of Personal Data have committed themselves to confidentiality.
  9. Cross-Border Data Transfers. If the Processing of Personal Data by the Parties includes a transfer from the EEA (“EEA Transfer”), the UK (“UK Transfer”), and/or Switzerland (“Swiss Transfer”), to other countries which have not been subject to a relevant adequacy decision of the relevant competent authorities of the EEA, EU, the UK or Switzerland, and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data (as defined in the GDPR, the FADP, or the UK GDPR, as applicable) outside the EEA, Switzerland or the UK, then (i) the terms set forth in Part 1 of Annex 5 (EEA Cross Border Transfers) shall apply to any EEA Transfer; (ii) the terms set forth in Part 2 of Annex 5 (UK Trans-Border Transfers) shall apply to any UK Transfer; (iii) and the terms set forth in Part 3 of Annex 5 (Switzerland Cross Border Transfers) shall apply to any such Swiss Transfer.
  10. CCPA Terms
    1. Scope, Application & Interpretation. These CCPA Terms shall (i) apply and bind the Parties if and to the extent the CCPA applies to the Processing of the Personal Information by the Parties; (ii) prevail over any conflicting terms of the Agreement or the DPA but do not otherwise modify them; (iii) be interpreted in favor of the Parties’ intent to comply with the CCPA, and therefore any ambiguity shall be resolved in favor of a meaning that complies and is consistent with the CCPA.
    2. Processing of Personal Information
      1. In relation to the Processing of the Personal Information under the Agreement and solely for the purposes of this Section 10, (i) Publisher is a Business; and (ii) Jeeng is a Third Party that is specifically and contractually directed by Publisher to engage with other Third-Parties to perform Email & Newsreader Monetization (including Cross-Context Behavioral Advertising) and related Processing activities. 
      2. Publisher shall comply with the provisions of the CCPA that apply to it as a Business, including, without limitation, Title 1798.100. Publisher Shares Personal Information with Jeeng, and Jeeng shall Process the Personal Information, solely for the Limited and Specified Purposes listed below. Publisher shall at or before the point of collection of Personal Information, provide End-Users with all required privacy notices, including a description of their privacy rights under the CCPA.
      3. Publisher shall provide End-Users the right to opt-out of the Sale or Sharing of their Personal Information as required by the CCPA, including via industry standard mechanisms (for example, the US Privacy String, the IAB Global Privacy Platform (GPP), and Global Privacy Control).
      4. Publisher shall configure the applicable code, other tracking technology, in accordance with specifications provided by Jeeng that will signal to Jeeng if an End-User has opted out of Sale or Sharing. As applicable, Publisher shall implement a Cookie Management Platform that is able to transfer such signals to Jeeng. 
      5. To the extent Publisher receives requests to opt-out of Sale or Sharing of Personal Information outside of automated mechanisms, Publisher shall inform Jeeng of requests to opt-out without undue delay. 
      6. Publisher shall maintain a record of all opt-out requests received from End-Users. 
      7. Publisher may take reasonable and appropriate steps to ensure that Jeeng Processes the Personal Information in a manner consistent with the Publisher’s obligations under Title 1798.100 of the CCPA.
      8. Jeeng shall Process the Personal Information for the following purposes: (i) for the purposes described in Sections 2 and 3 of these Email & Newsreader Monetization Terms; (ii) in accordance with the provisions of the CCPA, and in a manner that provides the same level of privacy protection to Personal Information as required by Title 1798.100 of the CCPA (collectively, the “Limited and Specified Purposes”). Jeeng certifies that it understands the rules, requirements, and definitions of the CCPA and these CCPA Terms, and shall comply with them.
      9. As applicable to the products or services provided, Jeeng shall implement reasonable security measures as appropriate under the CCPA.
      10. As applicable to the products or services provided, Jeeng shall cooperate with Publisher or otherwise enable both Parties to comply with their obligations relating to requests to opt-out of Sale or Sharing of Personal Information.
      11. Jeeng shall notify Publisher if Jeeng makes a determination that it can no longer meet its obligations under the CCPA. 

ANNEX 5: INTERNATIONAL DATA TRANSFERS

Part 1 – EEA Cross Border Transfers.

  1. The EU SCCs are hereby incorporated by reference and shall apply to an EEA Transfer that is effectuated by the Parties.
  2. Module One (Controller to Controller) shall apply where the EEA Transfer is effectuated by the Parties, each as an independent Controller of the Personal Data.
  3. Module Two (Controller to Processor) shall apply where the EEA Transfer is effectuated by Publisher as a Controller of the Personal Data, and AYL as a Processor of such Personal Data.
  4. Clause 7: shall not apply.
  5. Option 2: GENERAL WRITTEN AUTHORISATION in Clause 9 of the Standard Contractual Clauses shall apply, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in Section 3 of the GENERAL TERMS of the DPA.
  6. Clause 11: the optional language will not apply.
  7. Clause 17: Option 1 shall apply, and the Parties agree that the EU SCCs shall be governed by the laws of the Republic of Ireland. Clause 18(b): disputes will be resolved before the courts of the Republic of Ireland.
  8. Annex I.A shall be completed as follows:
    1. Module One: The Data Exporter is the Publisher and the Data Importer is OpenWeb or Jeeng, as appropriate, and the Parties’ contact details shall be completed with the details provided under the Agreement. 
    2. Module Two: The Data Exporter is the Publisher and the Data Importer is AYL, and the Parties’ contact details shall be completed with the details provided under the Agreement.
    3. By entering into the Agreement and DPA, the Parties are deemed to have signed these EU SCCs, including their Annexes, as of the Effective Date of the Agreement.
  9. Annex I.B shall be completed with the details provided under the Details of Processing provided under the DPA.
  10. Annex I.C shall be completed as follows: The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section (g) of this Part 1.
  11. The Security Documentation referred to in the DPA shall serve as Annex II of the EU SCCs, as appropriate.
  12. To the extent there is any conflict between the EU SCCs and any other terms in this Part 1, the DPA, or the Agreement, the provisions of the EU SCCs will prevail.

Part 2 - UK Trans-Border Transfers. 

  1. The Parties agree that the UK Addendum is hereby incorporated by reference and shall apply to UK Transfers as set forth in this Part 2.
  2. Table 1: Parties: As stipulated in Section (h) of Part 1 of this Annex 5.
  3. Table 2: Selected SCCs, Modules and Selected Clauses: As stipulated in Part 1 of this Annex 5. 
  4. Table 3: Appendix Information: Annex 1A and Annex 1B: As stipulated in Section (h) of Part 1 of this Annex 5; Annex II: As stipulated in Section (k) of Part 1; Annex III: Module 1: N/A; Module 2: as stipulated in Section 6.1 of the Email Distribution Terms.
  5. Table 4: Ending this Addendum when the Approved Addendum Changes: Neither Party.
  6. Mandatory Clauses: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

Part 3 - Switzerland Cross Border Transfers. 

  1. The Parties agree that the EU SCCs as detailed in Part 1, shall be adjusted as set out below where the FADP applies to Swiss Transfers:
  2. References to the EU SCCs below mean the EU SCCs as amended by this Part 3;
  3. The Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for Swiss Transfers exclusively subject to the FADP;
  4. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the FADP with respect to Swiss Transfers;
  5. References to Regulation (EU) 2018/1725 are removed;
  6. Swiss Transfers subject to both the FADP and the GDPR, shall be dealt with by the EU Supervisory Authority named in Part 1;
  7. References to the “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; 
  8. Where Swiss Transfers are exclusively subject to the FADP, all references to the GDPR in the EU SCCs are to be understood to be references to the FADP;
  9. Where Swiss Transfers are subject to both the FADP and the GDPR, all references to the GDPR in the EU SCCs are to be understood to be references to the FADP insofar as the Swiss Transfers are subject to the FADP;

Updated: June 4, 2024