1.“Ad” or “Advertisement” means a commercial notice, announcement or message made in a public medium to an advertiser’s customers or prospective customers to promote a person, entity, brand, product, service, or event.
2. “Additional Terms and Conditions” means any additional terms and conditions specified by Zeta DSP from time to time for certain Services and attached to an applicable Order or made available to the Customer.
3. “Ad Technologies” means, collectively, digital advertising technologies that include advertising tags (such as pixels, clear GIFs and similar methods), cookies, device identifiers or other identifiers and similar technologies.
4. “Affiliate” of a party means an entity that, directly or indirectly through one or more entities, controls, is controlled by or is under common control with that party, where “control” means the possession, direct or indirect, of the power to direct the management and policies of such party, whether through the ownership of at least fifty percent (50%) of the voting interest of such party, through contractual provisions, or otherwise, and includes that entity’s officers, directors, agents, employees, successors and assigns.
6. “Customer”, “you” and “your” means the individuals or organization(s) identified in the MSA and/or the applicable Order, that are responsible for payment to Zeta DSP pursuant to the Agreement.
7. “Customer Data” means all campaign data collected by Zeta DSP hereunder on behalf of or received from Customer, its advertisers or the agencies representing Customer, including any data that Customer, its Affiliates, or any third party vendors or partners on Customer’s behalf may disclose or submit to Zeta DSP and any and all Customer Reports; provided however, Customer Data does not include Non-Proprietary Data, even if such data is identical to a portion of data comprising Customer Data. References to Customer Data include Customer Personal Data (as defined in Section 6.2) unless Customer Personal Data is specifically excluded from the MSA and/or Order.
8. “Customer Material(s)” means any Advertisement, creative, content, data, information or material of any kind created, managed, or delivered by or on behalf of Customer or its Third Party Users using the Services, and includes, without limitation, any creative works, content, data, information, media plan or material of any kind referenced by or accessed via an Advertisement, such as by a URL or other method.
9. “Customer Report” means any report or summary prepared for Customer in connection with the Services containing information about user activity or engagement with Advertisements.
10. “Fees” means the fees or rates for the use of the Services as set forth in each Order.
11. “Intellectual Property Rights” means all rights including future rights in inventions, patents, designs, copyrights, trademarks, service marks, databases and topography rights (whether or not any of those is registered and including applications for registration of the foregoing, renewals, extensions, continuations, divisions and reissues) together with all trade secrets, know-how and all rights or forms of protection of a similar nature or having equivalent or similar effect to any others which may subsist anywhere in the world.
12. “MSA” means any Master Services Agreement or similar contractual agreement entered into between you and Zeta, including all schedules and attachments thereto, as amended from time to time.
13. “Non-Proprietary Data” means data that is generated or obtained by Zeta DSP in connection with the Services that may include Personal Data as defined by applicable laws, and which Zeta DSP processes as a controller. Non-Proprietary Data includes data included in a HTTP header or HTTP response, such as user agent strings and time stamps; IP addresses; URLs not provided by or on behalf of Customer; and persistent and non-persistent identifiers, such as session IDs, cookie IDs, cache-based IDs, mobile advertising identifiers and device IDs.
14. “Order” means an ordering document for Services that is signed by Customer or submitted to Zeta DSP by means of an online click-thru and is accepted by Zeta, which may include, without limitation, an order, statement of work, schedule, attachment, or insertion order, as amended from time to time.
15. “Payment Terms” means the payment terms set forth in the MSA or the applicable Order.
16. “Platform(s)” means any of the Zeta DSP service platforms accessible via the Internet for the provision and use of the Services, including any administration websites through which Zeta DSP provides access to such platforms and all software (including source and object code), updates, enhancements, documentation or other materials (excluding Customer Materials) in or related to the platforms that Zeta DSP makes available in the course of providing the Services.
17. “Privacy Rules” means, to the extent each is applicable: (i) the requirements of any privacy and data protection laws, treaties, inter-governmental agreements, and regulations to which a party is subject in the conduct of its business; (ii) with respect to all processing of personal data relating to individuals in the European Economic Area by or on behalf of a party to this Agreement in, or transfer of personal data to, the United States of America, the EU Standard Contractual Clauses set forth below in Section 16; (iii) the following digital advertising industry rules to the extent applicable to the conduct of a party’s business in the territories where such rules apply: (a) all United States Federal Trade Commission (“FTC”) rules and guidelines regarding the collection, use and/or disclosure of information from or about a unique user of a website, application and/or mobile website and/or the device associated with such user; (b) the California Consumer Privacy Act (CCPA), as amended; (c) all enacting legislation of European Union member states of directives of the European Parliament and Council related to the processing of personal data or the storage of or access to information stored on an individual person’s computing equipment, including mobile devices; (d) the advertising industry self-regulatory codes and principles promulgated by the Digital Advertising Alliance (“DAA”), and the European Interactive Digital Advertising Alliance (“EDAA”), as each such rules, guidelines, codes or set of principles may be amended from time to time by the promulgating entity or any successor entity; (iv) any other relevant FTC, DAA, or EDAA code or principles relating to the collection and use of data obtained from individual persons for advertising purposes; and (v) any amendments, modifications, extensions, supplements or replacements of or to any of the foregoing. For the purposes of the descriptions in the Standard Contractual Clauses as between Zeta DSP and Customer, Zeta DSP agrees that it is a “data importer” and Customer is the “data exporter” under the Standard Contractual Clauses (notwithstanding that Customer may be located outside the EEA and may itself be a Processor acting on behalf of third party Controllers).
18. “Services” means, collectively, the products and services specified in the MSA or the applicable Order, which may include, without limitation: (i) provision of digital advertising solutions or services in or through any Platform; (ii) professional, creative, media buying or selling and related trading services for agencies and their customers using Zeta DSP professional services, any Platform, or the technology and services of third party service providers and Zeta DSP alliances; and (iii) the data, products and services of third parties that Zeta DSP may make available to Customer from time to time.
19. “Site(s) Content” means all materials, data, images, texts, sounds, information or other content contained in or around and/or linked to any Site (as defined in Section 6.9).
20. “Standard Contractual Clauses” means the applicable module(s) of the European Commission’s standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as set out in the Annex to Commission Implementing Decision (EU) 2021/914.
21. “Zeta”, “we” and “us” means the Zeta Global Corp.
22. “Term” has the meaning given to such term in the MSA or the applicable Order.
23. “Territory of Domicile” means Customer’s territory of domicile as set forth in the MSA or the applicable Order.
24. “Third Party User” means any third party contractor, client, advertiser, agency, or publisher, as applicable, that accesses and uses the Services through Customer’s Account (as defined in Section 3.1).
2. Ordering and Use of Services
2. Subject to payment by Customer to Zeta DSP of the Fees as set forth in the MSA or the applicable Order and pursuant to Section 3, Zeta DSP will make the Services available to Customer (and its Third Party Users, as applicable) in accordance with the terms of this Agreement. Notwithstanding the foregoing, Customer acknowledges and agrees that certain Services, including, without limitation, professional, creative, media buying, trading or third party services, may be subject to Additional Terms and Conditions which will be provided or referenced in the applicable Order.
3. Zeta DSP does not pay for any suggestions regarding the Services, or any improvement to processes, procedures, marketing or any other matter (collectively “Suggestions”). Any Suggestions that the Customer submits to Zeta DSP becomes the property of Zeta. Zeta DSP will not (i) compensate the Customer for any such Suggestion; (ii) have any obligation of confidentiality with respect to any such Suggestion; or (iii) be liable to the Customer for any use or disclosure of any such Suggestion. Customer grant Zeta DSP a royalty-free, irrevocable, unrestricted, non-exclusive, sub-licensable, assignable, worldwide license to use, modify, copy, sublicense, transmit, publish, create derivative works from, publicly perform and display any Suggestion for any purpose, commercial or otherwise, without compensation or liability to the Customer or to any third party.
3. Access to Platform and Account
1. Customer may access certain Services through an administrative website or, subject to Section 3.5, an application programming interface (“API”) for the Platforms maintained and controlled by Zeta. For access to the Platforms, Zeta DSP will provide Customer with one or more logins and passwords for access to Customer’s account and corresponding administrative controls (“Customer’s Account”) by authorized personnel of Customer and/or Third Party Users (“Customer’s Representatives”). In order to use any Platform, Customer will, and will ensure that Customer’s Representatives represent, warrant and covenant that they will, provide Zeta DSP with accurate, truthful and complete registration information and agree to the terms of this Agreement and any other Additional Terms and Conditions applicable to each Platform that Zeta DSP may otherwise reasonably require. Upon acceptance of any application made by Customer, each of Customer’s Representatives will be assigned with a user name and password that will allow access to the applicable Platform, and will become a registered user. Customer will ensure that each of Customer’s Representatives that is provided registered user access to any Platform keeps its registration information accurate and up-to-date and does not share its password or registered user name with any third party except as otherwise set forth in this Agreement, and Customer agrees that any failure by any Customer Representative to do so will constitute a breach of this Agreement by Customer, which may result in immediate termination of Customer’s Account. Customer will immediately notify Zeta DSP in writing of any change in authorization, any unauthorized use of any Customer’s Account or any other account-related security breach of which it becomes aware. Upon termination of this Agreement for any reason, Zeta DSP will have the right to disable and delete each Customer Representative’s access to Customer’s Account immediately and to delete all Customer Data thirty (30) days after termination or expiration of this Agreement. Customer and Zeta DSP will ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2. Zeta DSP reserves the right to suspend or delete any account in its sole discretion for any reason. If Zeta DSP suspends or deletes Customer’s Account: (i) Zeta DSP is not obligated to provide the Customer with a reason for its actions; and, (ii) Zeta DSP will refund the full unused balance remaining in the Customer’s Account, if any, within 30 days of receiving written instructions from the Customer as to where to refund the balance. If Zeta DSP deletes Customer’s Account, the Customer’s right to access the Services and use any applicable Platform shall immediately terminate. Customer will not be permitted to open a new account. If Zeta DSP suspects that the Customer is operating, or associated with, another account (based on its analysis of subscriber data, account content and other information), Zeta DSP may suspend or delete such ‘related’ account as well.
3. Zeta DSP will use commercially reasonable efforts to make the applicable Platform accessible to Customer 24 hours per day, 7 days per week, subject to any downtime for maintenance, updating and repair. Notwithstanding the foregoing, Customer acknowledges and agrees that Zeta DSP will have no responsibility for Customer’s inability to use the Services or access any Platform due to Internet or other network interruption, communications failure, server downtime or other force majeure event.
4. The internet is an inherently insecure medium and the transmission of data over the internet (such as sending an email or logging onto a website) is subject to possible loss, interception or alteration while in transit. Accordingly, Zeta DSP does not assume any liability for any damage the Customer may experience or costs it may incur as a result of any loss, interception or alteration of transmissions over the internet.
5. If Customer authorizes Zeta DSP to set up API access under Customer’s Account: (a) Customer’s use of the API is deemed to be a use of the applicable Platform and is subject to the terms of this Agreement and any Additional Terms and Conditions Zeta DSP may require regarding API use; (b) Zeta DSP will provide access to the API in accordance with Customer’s written instructions and any additional usage terms set forth in the Order; (c) Customer acknowledges and agrees that Zeta’s only obligations with respect to Customer and/or any Third Party User provided access to Zeta’s API (“3rd Party API User”) are those specifically undertaken by Zeta DSP in the Order and Zeta DSP otherwise has no responsibility or liability for Customer’s or any 3rd Party API User’s performance or obligations under any separate agreement that may exist among Customer, any of Customer’s clients and any 3rd Party API Users; (d) Customer is solely responsible for obtaining any 3rd Party API User’s written agreement to any Additional Terms and Conditions required for access to the API and returning a copy thereof to Zeta; and (e) Zeta DSP may suspend providing API access without liability to Customer or any 3rd Party API User, or any of their respective Affiliates or clients, if Zeta DSP believes, in its sole discretion, that the receipt or processing of any Customer Data via the API violates any Privacy Rules or otherwise may result in liability for Zeta DSP or any of its Affiliates or any of their respective customers.
4. Limited Rights; Ownership.
1. Zeta DSP hereby grants to Customer, and Customer hereby accepts, a non-exclusive, non-transferable (except as expressly provided in this Agreement), and limited right for Customer to access and use the Platform specified in the Order in accordance with this Agreement solely during the Term and for the sole purpose of using the Services for its internal business purposes. Except as expressly permitted by this Agreement, Customer may not, directly or indirectly or by itself or through any other person or entity, use, rent, lease, sell, transfer (by sublicense, assignment, operation of law, change in control or otherwise), time share, modify, reproduce, copy, make derivative works from, distribute, publish, use to provide service bureau services, or publicly display the applicable Platform. Moreover, Customer will not (and will ensure that Customer’s Representatives do not) reverse engineer, decompile, or otherwise attempt to discover the source code for the applicable Platform or any of the Services. All rights not expressly assigned or licensed in this Agreement are reserved by Zeta DSP in full.
2. Except as expressly provided herein, Zeta DSP has and will have the sole and exclusive ownership of all right, title and interest in and to all the Platforms and all applicable Services and all Intellectual Property Rights in applicable Platform and Services, any enhancements thereto, any documentation or other materials regarding the use thereof and related thereto, any machine learning and the results and outputs of such machine learning that occur prior to, during, or after Customer’s use of the Services, and any Zeta DSP proprietary data provided to Customer by Zeta DSP in whatever form or media (collectively, “Zeta DSP Intellectual Property”). Neither this Agreement, nor anything contained herein, will be construed as a sale of any Platform or any of the Services or any Intellectual Property Right or any other Zeta DSP Intellectual Property or any proprietary right or title therein or thereto.
3. If any deliverable to Customer produced by Zeta DSP’s Services includes Zeta DSP Intellectual Property, then Zeta DSP will remain the sole and exclusive owner of such included Zeta DSP Intellectual Property, and Zeta DSP grants Customer only a non-exclusive, perpetual, worldwide, royalty-free license to use such Zeta DSP Intellectual Property, for any purpose, including to sell, sublicense, disclose, publicly display, and create derivative works from such Zeta DSP Intellectual Property, but solely as incorporated into or embedded in such deliverables and not separately therefrom. Subject to the preceding sentence, Customer will own all right, title and interest in and to such deliverables, including the Intellectual Property Rights therein.
4. As between Zeta DSP and Customer, Customer has and will have the sole and exclusive ownership of all right, title and interest in and to the Customer Materials, Customer Data, and the Site Content where applicable, and all Intellectual Property Rights in the same, except for any Zeta DSP Intellectual Property embedded therein.
5. Customer grants Zeta DSP a non-exclusive license during the Term to use, copy, modify, process and distribute Customer Materials and Customer Data solely for the purpose of providing the Services in accordance with this Agreement and subject to its terms.
6. Customer agrees that Zeta DSP may use and disclose certain data, including Customer Data and Non-Proprietary Data, derived from Customer’s use of the applicable Platform and Services (assuming no user opt-out of such use has been communicated to Zeta, including as provided in Section 6.7) to create aggregated data and statistics about the Services and its features, which Zeta DSP may provide to others, including Zeta’s customers, potential customers and the general public, provided that such aggregated data and statistics do not contain any Customer Personal Data (as defined in Section 6.2) or identify any living individual, Customer, Customer’s clients, or any of their respective products or brands. Customer further acknowledges that Zeta will cookie-match between rfihub cookies used by Zeta DSP and other cookies deployed by Zeta, in order to leverage online segment data for other marketing channels.
7. Customer grants Zeta DSP a non-exclusive license during the Term to use its and its Third Party Users’, as applicable, name and trademarks in marketing materials, the customer ad showcase area of the applicable Platform, and customer lists; provided, that Customer has the right to notify Zeta DSP in writing if it does not agree to any of the foregoing uses of its name and trademarks.
8. “Zeta”, “Zeta Global”, “ZetaGlobal.com,” ‘Zeta DSP” and Zeta’s logos are, and remain, trademarks of Zeta, its affiliated companies, and/or its licensors; you may not copy, imitate or use any of these without Zeta’s prior written consent.
5. Confidential Information.
1. Any information provided hereunder by either party which is clearly marked as “confidential” or designated to be confidential by the terms of this Agreement, including, in particular, the terms and Fees set forth in the MSA and any Orders (“Confidential Information”) will not be used, disclosed or reproduced by the other party without the express written consent of the party providing such information, other than for the performance of such party’s obligations under this Agreement. “Confidential Information” includes all information furnished by or on behalf of either party to the other party, whether furnished before or after the date of this Agreement and regardless of the form in which it is or was communicated or maintained, that is marked as “confidential” or that, from all of the circumstances, the receiving party knows or has reason to know or could reasonably be expected to believe that the disclosing party intended or expected the secrecy of such information to be maintained, that contains or otherwise reflects information concerning the disclosing party, including, without limitation, technical data, know-how, unpublished patent applications, research, product plans or proposals, product applications, inventions, experimental results, trade secrets, processes, designs, drawings, business plans or proposals, implementation strategies, methods of operation, standard operating procedures, marketing information, presentations, programs and strategies, pricing information, promotional information and techniques, analytical procedures, agreements with or information of third parties, financial information and conditions, and information relating to engineering, markets, suppliers or vendors, services, customers, personnel data and marketing, and any other confidential information concerning the business and affairs of the disclosing party, and will include all notes, studies, reports, memoranda and other documents prepared by the receiving party or its representatives that contain or reflect any Confidential Information. Confidential Information does not include information that: (a) is or becomes generally known or available to the public through no act or failure to act by the receiving party; (b) is lawfully in the possession of the receiving party at the time of disclosure, as demonstrated by the receiving party’s written records immediately prior to the time of disclosure; (c) is hereafter furnished to the receiving party by a third party, as a matter of right and without restriction on its disclosure; (d) is required to be disclosed by applicable law or regulation; provided, that the receiving party, to the extent legally permitted, will promptly notify the disclosing party of such request, furnish only the minimum portion of Confidential Information that the receiving party is advised by legal counsel is legally required to be furnished, and assist the disclosing party, if requested, in obtaining a protective order or other reliable assurance that confidential treatment will be accorded to such portion of the Confidential Information as is required to be disclosed.
6. Data Protection and Privacy.
1. Zeta DSP and Customer (and its Third Party Users) each represents and warrants that it will at all times comply with the requirements of any applicable Privacy Rules and will refrain from engaging in any behavior that is reasonably likely to render the other party in breach of the Privacy Rules.
2. To the extent that Zeta DSP processes personal data about any natural person (“Personal Data”, which may also be referred to as “personally identifiable information” or “personal information” by applicable laws) supplied or collected by or on behalf of Customer (“Customer Personal Data”) in the course of providing the Services, it will do so as a processor acting on behalf of Customer (as data controller), however, Zeta DSP processes Non-Proprietary Data as a controller. To the extent that Non-Proprietary Data is disclosed by Customer to Zeta DSP, Zeta DSP processes such data as a co-controller. The terms “data processor,” “data controller,” “process” and their derivatives will have the meanings ascribed to them under the Privacy Rules enforceable in the geographic territories where such processing occurs, or if not defined in any territory, they will have their plain language meanings in that territory.
4. Zeta DSP will have in place and maintain throughout the Term appropriate technical and organizational measures to prevent accidental or unauthorized destruction, loss, alteration or disclosure of Customer Data. Customer acknowledges that Zeta DSP shall have the right to delete Customer Data in accordance with Zeta’s data retention policies and to disclose, modify or delete Customer Personal Data in accordance with this Agreement or as required by Privacy Rules.
5. Zeta DSP will promptly and without undue delay and in any case no later than seventy-two (72) hours of becoming aware, inform Customer in the event of: (i) any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosures of, or access to, Personal Information (altogether, a “Security Incident”), or (ii) any reasonable suspicion of a Security Incident, regardless of its cause. At Customer’s direction, Zeta DSP will provide all relevant information and assistance required by Customer to investigate, mitigate and respond to a Security Incident, including at a minimum, any information or assistance required by applicable privacy and data security laws, rules and regulations.
6. Zeta DSP agrees to reasonably assist Customer in performing any required audits. Customer will give advance notice and will conduct any such audit at its own cost during regular business hours and without unreasonable disruption to Zeta DSP’s operations. For the avoidance of doubt, this provision will not require Zeta DSP to provide any Customer with access to the confidential information of Zeta DSP’s other customers.
7. Customer authorizes Zeta DSP to subcontract processing of Customer Data under this Agreement to one or more third parties provided that Zeta: (a) complies with the Privacy Rules; (b) flows down its obligations to protect the Customer Data to any subcontractor it appoints; and (c) will remain responsible for any failure to comply with the Privacy Rules by any subcontractor it appoints to process Customer Data. In the case of general written authorisation, Zeta DSP shall inform Customer of any intended changes concerning the addition or replacement of other processors, thereby giving Customer the opportunity to object to such changes.
11. Customer will not append any third party tags to Zeta DSP’s tags, nor will Customer allow any third party tracking or tagging (collectively “Third Party Tags”) through the Platform unless any provider requesting to implement Third Party Tags is in full compliance with this Section 6 and the Privacy Rules, including, without limitation, by presenting users with notice and choice to opt-out of data collection and processing in connection with such Third Party Tags. Customer will provide Zeta DSP and any client it represents, where applicable, with notice of any Third Party Tags Customer wishes to implement in the Platform. Zeta DSP reserves the right to validate any Third Party Tags or provider thereof for compliance with this Section 6 and the Privacy Rules, and for authenticity, and is under no obligation to allow the implementation of Third Party Tags. Zeta DSP may create lists of providers of Third Party Tags who are certified to append Third Party Tags in the Platform, and reserves the right to block any providers who are not validated for compliance; and without derogating from the above, Customer will be solely responsible for any Third Party Tags implemented through the Platform by Customer or any provider or other person authorized to act on Customer’s behalf, including any damage, cost or claim resulting from appending such Third Party Tags.
7. Customer Responsibilities.
1. As between the parties, Customer is solely responsible for: (a) all aspects of any Customer Materials created, delivered, or managed through or processed or linked to the Services; (b) all campaign settings, including settings in the Platform designated as “Stop Serving”, as determined and inserted by or on behalf of Customer on the applicable Platform; and (c) all aspects of campaign management including data entry, ads, pricing, budget, maximum number of impressions, flight parameters, pacing, campaign set up and trafficking, targeting constraints, monitoring ad status, advertiser requirements and objectives, and campaign performance. Customer is solely responsible for any conditions, representations or warranties it makes to its advertisers regarding actual or expected campaign performance, and for any make-goods it may issue to advertisers. Customer will conduct (and ensure that its Third Party Users conduct) all of its marketing, business, and other activities related to the Customer Materials and its use of the Services in compliance with local, state, federal and international laws, rules, treaties, inter-governmental agreements and governmental orders, regulations and regulatory codes of practice applicable to its business.
2. Customer represents and warrants that it will not (and will procure that its Third Party Users do not) use the Services in connection with, or to promote campaigns, Advertisements or other Customer Materials or Site Content containing: (a) content that is an invasion of privacy, degrading, defamatory, libelous, unlawful, profane, obscene, pornographic, hate material or discriminatory; (b) content that promotes any illegal or fraudulent activity, including, without limitation, the promotion of gambling where prohibited, illegal substances, software piracy or hacking, or invalid advertising traffic; (c) content that infringes the personal rights or Intellectual Property Rights of any third party; (d) content, links or codes that promote or reference software piracy and/or activities generally understood as Internet abuse, including the sending of unsolicited bulk messages or the distribution or use of spyware, Malware (as defined below), worms, Trojan horses, time bombs, cancelbots, bots or other code that generate fraudulent or invalid advertising traffic, corrupted files or similar software; or (e) content that it knows or reasonably should have known to be false, fraudulent or misleading, including content, links or codes that facilitate the creation or use of fraudulent or invalid advertising traffic. “Malware” means software or applications, or websites associated with software or applications, that (i) may be used to disrupt, damage, take control of, misuse, or otherwise use or disable a computer or computer system or operation; (ii) impermissibly views or collects information; (iii) access computer systems to display or distribute unwanted or illicit advertising, content or software; or (iv) violates the written policies of any advertising exchange or publisher that Customer may have access to through the applicable Platform, as such policies may be updated and published from time to time. Customer shall use a reputable third party Malware detection vendor to scan all ads that are served to websites in connection with Customer’s use of the Services. Without limiting any of its rights under this Agreement, Zeta DSP may immediately suspend or terminate Customer’s access to the Services without notice and may terminate this Agreement without any liability to Customer, if Customer fails to comply with this Section 7.
3. Customer represents and warrants that: (a) it is a business, not a consumer, and has the rights, authority and any required permission and consent to enter into this Agreement, and, if applicable, that it is acting as an agent for a disclosed principal, its advertiser, and that as such, Customer has the authority as agent to incur the Fees charged by Zeta DSP for the Services requested on such advertiser’s behalf; (b) neither it nor its Third Party Users are currently the subject of any investigation or prosecution by any governmental or regulatory body or agency that may have a material detrimental effect on users of Customer’s products, services or advertising, or on Zeta, any of its Affiliates or any of their respective customers; or (c) if it or any of its Third Party Users becomes involved or is named in any investigation or prosecution by any governmental or regulatory body or agency that may have a material detrimental effect on Zeta DSP or users of Zeta’s products, services or advertising, then Customer will immediately provide notice to Zeta DSP of such action, investigation, complaint or other proceeding, in which event Zeta DSP may terminate this Agreement immediately.
4. Customer represents and warrants that: (a) it and its Third Party Users have all the necessary rights, licenses, consents, waivers and permissions, including, without limitation, from advertisers, publishers, users and other third parties, to allow Zeta: (i) to store and deliver the Customer Materials and otherwise provide the Services and operate the Platforms on behalf of Customer; (ii) to make any technical or other modifications that it may deem necessary to facilitate the delivery of the Advertisements and related Customer Materials; provided, that Zeta DSP will not make any amendments to the creative content of any Advertisements or Customer Materials except as requested by Customer; (iii) to use any Customer Data provided to or collected by Zeta DSP in the provision of the Services for Customer and according to Customer’s or its Third Party Users’ instructions; and (iv) to receive, transfer and process any Customer Data from or to any third party according to Customer’s or its Third Party Users’ instructions, whether by API, FTP or other data transfer method; (b) neither Customer nor its Third Party Users, nor any of their respective users, will use the applicable Platform or any of the Services in a way or for any purpose that infringes or misappropriates any third party’s Intellectual Property Rights or personal or other proprietary rights or in order to harass, abuse, or harm another person; (c) it will ensure that the Customer Materials, the contents of such Customer Materials, the Site Content and any data provided by, or delivered on behalf of, Customer or any Third Party Users to Zeta, and Customer’s and its Third Party Users’ promotional and marketing materials and activities in connection with their use of the applicable Platform or Services, will not be in violation of any third party’s rights, including Intellectual Property Rights, and will not be defamatory, fraudulent, obscene, misleading or otherwise illegal; (d) it will notify Zeta DSP of any errors in any Customer Materials and any complaints or claims made in respect of any Customer Materials as soon as the same comes to its attention; and (e) if Zeta DSP considers, in its sole discretion, that any Customer Materials breaches any of the requirements set forth in this Section 7, or may subject Zeta DSP to material adverse risks, and Zeta DSP requests that such Customer Materials be removed or amended, then Customer will withdraw such Customer Materials from the applicable Platform or amend such Customer Materials to Zeta’s satisfaction.
5. Customer will ensure that it and any Third Party Users comply with this Agreement. Zeta DSP may audit Customer’s use of the Services and observe all of Customer’s activity on the applicable Platform. Customer will promptly notify Zeta DSP of any suspected or alleged breach of this Agreement and will cooperate with Zeta DSP regarding: (a) any investigation by Zeta DSP of any suspected or alleged violation of this Agreement; and (b) any action by Zeta DSP to enforce the terms and conditions of this Agreement. Zeta DSP may suspend or terminate Customer’s or Third Party User’s access to the Services and/or applicable Platform upon notice to Customer if Zeta DSP determines in its reasonable discretion that Customer or Third Party User has breached this Agreement.
6. Customer agrees to indemnify, defend, and hold harmless Zeta, its subsidiaries, Affiliates and related entities, and their respective officers, directors, employees and agents from and against any and all losses, costs, damages or liabilities, including, without limitation, reasonable legal fees, costs and expenses, arising out of any third party claim or action related to Customer’s or any Third Party User’s (i) breach of any of the obligations and warranties set forth in this Section 7, or any other representations, warranties, terms, conditions or obligations of Customer as provided in this Agreement; (ii) gross negligence, willful misconduct or fraudulent actions; and (iii) violation or otherwise misappropriation of the Intellectual Property Rights of such third party in violation of this Agreement. The foregoing obligations are conditioned on Zeta: (a) notifying Customer promptly in writing of such action; (b) giving Customer sole control of the defense thereof and any related settlement negotiations; and (c) reasonably cooperating with the Customer, at the Customer’s expense, in the defense of such claim; and (d) giving the Customer the right to control the defense and settlement of any such claim, except that the Customer shall not enter into any settlement that affects Zeta’s rights or interest without Zeta’s prior written approval. Zeta DSP reserves its right prior to and during the notice period to file any motion, answer or other pleading and to take any other action that Zeta DSP shall deem necessary or appropriate to protect its interests.
8. Zeta DSP Responsibilities
1. Zeta DSP represents and warrants that: (a) it is duly authorized to enter into this Agreement and provide the Services hereunder; (b) it will perform the Services in a diligent and workmanlike manner consistent with applicable industry standards; (c) the Services will perform substantially in accordance with the latest version of documentation as made generally available in the applicable Platform or in an Order; (d) its provision and operation of the Services is in compliance with all applicable local, state, federal and international laws, rules, treaties, inter-governmental agreements and governmental orders, regulations and regulatory codes of practice; and (e) there are no actions, suits or proceedings, pending or threatened, that could reasonably be expected to have a material adverse effect on Zeta’s ability to fulfill its obligations under this Agreement.
2. Zeta DSP agrees to indemnify, defend, and hold harmless Customer, its subsidiaries, its Affiliates, and their respective officers, directors, employees and agents from and against any and all losses, costs, damages or liabilities, including reasonable legal fees, costs, and expenses, arising out of or related to any third party action to the extent it is based upon a claim that any Platform or Services, or use thereof by the Customer in accordance with and subject to the limitations set forth in this Agreement, infringes any Intellectual Property Right of a third party. The foregoing obligations are conditioned on Customer: (a) notifying Zeta DSP promptly in writing of such action; (b) giving Zeta DSP sole control of the defense thereof and any related settlement negotiations; and (c) reasonably cooperating with Zeta, at Zeta’s expense, in the defense of such claim; and (d) giving Zeta DSP the right to control the defense and settlement of any such claim, except that Zeta DSP shall not enter into any settlement that affects Customer’s rights or interest without Customer’s prior written approval. Customer shall have a right prior to and during the notice period to file any motion, answer or other pleading and to take any other action that Customer shall deem necessary or appropriate to protect its interests. If the applicable Platform or Services become, or in Zeta’s sole opinion are likely to become, the subject of an infringement claim, Zeta DSP may, at its option and expense: (i) procure for Customer the right to continue using the applicable Platform or Services; (ii) replace or modify the applicable Platform or Services so that they become non-infringing; or (iii) accept return of any deliverables provided as a result of the Services, terminate this Agreement, in whole or in part, as appropriate, upon written notice to Customer and refund Customer any Fees pre-paid in respect of the Services upon such termination. Notwithstanding the foregoing, Zeta DSP will be relieved of its obligation under this Section 8.2 to the extent that any third party action is based upon: (A) any Customer Materials; (B) any use of the Platform or Services not in accordance with this Agreement; (C) any use of the Services in combination with products, equipment, software, or data not supplied by Zeta DSP if such infringement would have been avoided if not for the combination with such products, equipment, software, or data; (D) any use of any release of the Platform or Services other than the most current release made available to Customer; or (E) any modification of the Platform or Services by Customer, its agents or subcontractors. THIS SECTION 8.2 STATES ZETA’S ENTIRE LIABILITY AND CUSTOMER’S EXCLUSIVE REMEDY FOR ANY THIRD PARTY CLAIMS OF INFRINGEMENT.
1. All Fees payable under this Agreement by Customer will be made in accordance with the Payment Terms, and are exclusive of any applicable taxes (except for taxes on Zeta’s net income) payable in connection with the Services or the use of the applicable Platform, including, without limitation, VAT or any relevant local sales taxes, for which Customer will be responsible. Unless stated otherwise in the applicable Order, all Fees shall be due within 30 days of the invoice date. Non-payment of any Zeta DSP invoice in accordance with the Payment Terms and this Agreement will be a material breach of this Agreement. Unless otherwise stated in the applicable Order, all Fees will be charged in U.S. dollars. If Customer pays the Fees in currency other than U.S. dollars, the payment will be exchanged at the rate available to Zeta DSP at the time. Customer is responsible for confirming the accuracy of all information it provides for each payment (such as contact information, payment amounts, credit card numbers and expiry dates, and wire information, as applicable).
2. With respect to ad serving services, Customer will be billed per the following scenarios with respect to Platform settings: (a) if the campaign is set to “Keep Serving as Usual,” then the Platform will keep serving even after the placement’s end date or volume goals are met; or (b) if the campaign is set to “Stop Serving” (based on: Volume Stop, Date Stop, soonest of Volume Stop/Date Stop or the latest of Volume Stop/Date Stop), then: (i) Out of Banner Formats (“OOB”) will stop serving on OOB Stop; and (ii) Banner Formats will continue to serve the designated Ad Format until the predefined stop event and afterwards continue to serve default images, and in this case, impressions served until the stop event will be billed at their applicable rate and any impression served afterwards will be billed at the default image rate. Notwithstanding any Stop Serving settings or termination of an Order by Customer, Customer will pay Zeta DSP at its standard rates for professional, creative, media buying and trading services rendered through the date of termination, cancellation or Stop Serving setting, regardless of the number of impressions served. If Customer uses any Services for which the Fees are not specified in an Order, then the Fees for such Services will be Zeta’s then applicable standard rates. Terms with initial capital letters in this Section 9.2 have the meanings ascribed to them within the Platform settings.
3. If Customer fails to pay any amount payable by it under this Agreement in accordance with the Payment Terms, Zeta DSP may charge Customer interest on the overdue amount (payable by Customer immediately on demand) from the due date up to the date of actual payment, after as well as before judgment, at the rate of 1.5% per month or the highest rate allowed by law, whichever is less. Such interest will accrue on a daily basis and be compounded on a monthly basis. Customer will also be responsible for payment of all reasonable expenses (including attorneys’ fees and costs) incurred by Zeta DSP in collecting any overdue amounts from Customer.
1. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PLATFORM, AND THE SERVICES ARE PROVIDED “AS IS” AND ON AN “AS AVAILABLE” BASIS AND ZETA DSP DOES NOT MAKE OR GIVE ANY REPRESENTATION, WARRANTY, CONDITION OR OTHER TERM (COLLECTIVELY, “PROMISES”) OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE WITH RESPECT TO THE PLATFORM OR THE SERVICES AND EXCEPT TO THE EXTENT PROHIBITED BY APPLICABLE LAW, ZETA DSP DISCLAIMS ALL IMPLIED PROMISES WITH RESPECT TO THE PLATFORM AND THE SERVICES, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED PROMISES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT OR QUIET ENJOYMENT, AND ANY PROMISES ARISING OUT OF ANY COURSE OF DEALING, PERFORMANCE, OR TRADE USAGE.
2. ZETA DSP WILL NOT BE HELD RESPONSIBLE FOR: (A) ANY ERRORS OR INACCURACIES IN ANY CUSTOMER MATERIALS OR SITE CONTENT; (B) SERVICE INTERRUPTIONS DUE TO FACTORS REPRESENTING INHERENT RISKS ASSOCIATED WITH THE USE OF ELECTRONIC COMMUNICATIONS, INCLUDING NETWORK INTERRUPTIONS (INCLUDING THE INTERNET), COMMUNICATIONS FAILURES, THIRD PARTY SERVER DOWNTIME, POWER OUTAGES OR SYSTEM FAILURES; OR (C) ANY UNAUTHORIZED ACCESS TO, USE OF, ALTERATION OF OR DELETION, DESTRUCTION, DAMAGE OR LOSS OF CUSTOMER’S OR ANY THIRD PARTY USER’S CUSTOMER MATERIALS, SITE CONTENT OR OTHER MATERIALS, DATA, IMAGES, SOUNDS, TEXT INFORMATION OR CONTENT.
3. ZETA DSP MAY DISCONTINUE ANY ASPECT OF THE PLATFORM OR THE SERVICES, OR MAY CHANGE THE NATURE, FEATURES, FUNCTIONS, SCOPE OR OPERATION OF THE PLATFORM OR THE SERVICES, AT ANY TIME. ZETA DSP ALSO DOES NOT IN ANY WAY MAKE ANY PROMISES THAT THE PLATFORM OR THE SERVICES WILL BE PROVIDED IN AN UNINTERRUPTED MANNER, ERROR-FREE OR FREE FROM HARMFUL COMPONENTS. IN ADDITION, ZETA DSP MAKES NO PROMISES THAT THE PLATFORM OR THE SERVICES WILL MEET CUSTOMER’S REQUIREMENTS OR EXPECTATIONS OR THAT CUSTOMER WILL ACHIEVE ANY PARTICULAR RESULT FROM USING THE PLATFORM OR THE SERVICES.
4. CUSTOMER ACKNOWLEDGES AND AGREES THAT NEITHER CUSTOMER NOR ITS THIRD PARTY USERS HAVE ENTERED INTO THIS AGREEMENT IN RELIANCE ON ANY PROMISES (WHETHER INNOCENT OR NEGLIGENT) EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT.
11. Limitation of Liability.
1. EXCEPT AS EXPRESSLY SET FORTH IN SECTION 11.3, IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY (OR ANY THIRD PARTY) FOR ANY SPECIAL, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND WHATSOEVER (INCLUDING LOSS OF PROFITS, LOSS OF BUSINESS OPPORTUNITIES, COSTS OF SUBSTITUTES, LEGAL FEES AND COURT COSTS), EVEN IF SUCH DAMAGES ARE REASONABLY FORESEEABLE.
2. EXCEPT AS EXPRESSLY SET FORTH IN SECTION 11.3, IN NO EVENT WILL EITHER PARTY’S LIABILITY UNDER THIS AGREEMENT, WHETHER ARISING IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EXCEED THE TOTAL AMOUNT ACTUALLY PAID TO ZETA DSP BY CUSTOMER UNDER THIS AGREEMENT DURING THE SIX (6) MONTHS IMMEDIATELY PRECEDING THE DATE ON WHICH THE FIRST OF ANY CLAIMS IS MADE IN CONNECTION WITH THIS AGREEMENT.
3. THE EXCLUSIONS AND LIMITATIONS SET FORTH IN THIS SECTION 11 AND ELSEWHERE IN THIS AGREEMENT WILL APPLY TO THE FULLEST EXTENT PERMISSABLE AT LAW, BUT NEITHER PARTY WILL EXCLUDE OR LIMIT LIABILITY FOR: (A) DEATH OR PERSONAL INJURY CAUSED BY ITS NEGLIGENCE OR THAT OF ITS OFFICERS, EMPLOYEES, CONTRACTORS OR AGENTS ACTING IN THE COURSE OF THEIR DUTIES; (B) FRAUD OR FRAUDULENT MISREPRESENTATION; (C) BREACH OF SECTION 4, 6 OR 7 BY CUSTOMER OR THE BREACH OF SECTION 5 BY EITHER PARTY; (D) INDEMNIFICATION SET FORTH IN SECTION 7.6 AND 8.2; OR (E) ANY OTHER LIABILITY WHICH MAY NOT BE EXCLUDED OR LIMITED BY LAW.
13. Force Majeure.
1. Neither party will be responsible for delay or failure in performing obligations under this Agreement resulting from the occurrence of an event beyond the control of such party. Such force majeure events include, but not limited to, acts of God, acts of any government, war or other hostility, civil disorder, the elements, fire, flood, earthquake, explosion, embargo, acts of terrorism, power failure, equipment failure, industrial or labor disputes or controversies, acts of any third party data provider(s) or other third party information provider(s), third party software, or communication method interruptions.
2. Any party that wishes to invoke an event as set forth above will promptly notify the other party of the occurrence of the force majeure event. Should the force majeure event continue for more than thirty (30) days, the party claiming the force majeure event will have the right to terminate this Agreement with immediate effect by giving written notice to the other party.
3. In the event that Customer exercises its right to terminate this Agreement under this Section 13, it will immediately pay to Zeta DSP all Fees incurred, due and payable to Zeta DSP under the terms of this Agreement up to the effective date of such termination.
3. Zeta DSP may provide notices to Customer, at Zeta’s option, by email to the email address provided by Customer to Zeta, by mail to the postal address provided by Customer to Zeta, or by posting on the applicable Platform or any Zeta DSP website to which Customer has access in connection with this Agreement. It is Customer’s responsibility to ensure that the email address and any other contact information it provides to Zeta DSP is updated and correct at all times during the Term. Changes to Customer’s contact information should be sent to Customer’s designated Zeta DSP service representative.
4. Customer and Zeta DSP are independent contractors and nothing in this Agreement will give Customer the right, power or authority to create any obligation or responsibility on behalf of Zeta. Except as otherwise set forth in this Agreement, neither Customer nor Zeta DSP will have any right, power, or authority to create any obligation or responsibility on behalf of the other and this Agreement is not intended to benefit, nor will it be deemed to give rise to any rights in, any third party. Notwithstanding the foregoing, Customer acknowledges and agrees that Zeta’s Affiliates will be third party beneficiaries of this Agreement and will be entitled to directly enforce, and rely upon, any provision in this Agreement that confers a benefit on, or rights in favor of, Zeta DSP or any of its Affiliates.
5. Customer may not assign, sublicense, or transfer this Agreement or any right or duty under this Agreement. Any assignment, transfer, or attempted assignment or transfer in violation of this Section 14 will be void and of no force or effect. Zeta DSP and its subsequent assignees may assign, delegate, sublicense, or otherwise transfer from time to time this Agreement, or the rights or obligations hereunder, in whole or in part, to any person or entity, such as to Zeta DSP Affiliates.
6. No waiver of any right, power, condition or remedy is effective unless given in writing and signed by the party waiving such right or condition. No failure or delay on the part of a party in exercising any right, power, condition or remedy under this Agreement will operate as a waiver, nor will any single or partial exercise of any such right, power, condition or remedy preclude any other or further exercise or the exercise of any other right, power, condition or remedy.
7. Any provision of this Agreement that is prohibited or unenforceable in any jurisdiction will, as to such jurisdiction, be ineffective only to the minimum extent necessary without invalidating the remaining provisions of this Agreement or affecting the validity or enforceability of any provision in any other jurisdiction.
8. Any claim against Zeta DSP and/or its Affiliates will be adjudicated on an individual basis and will not be consolidated in any proceeding with any claim or controversy of any other party.
10. Zeta DSP may be subpoenaed by governmental entities or others to provide information relative to your account. Zeta DSP has no obligation to inform you of any subpoena or response to any subpoena, and you agree that Zeta DSP will have no liability to you for disclosing information in response to a subpoena.
12. This Agreement and every part of this Agreement is controlled by the English language and if the terms of this Agreement or any part thereof are translated into any language, for convenience or any other reason, the English language version will control and the English language interpretation will prevail with respect to any conflicts of interpretation.
15. Zeta DSP Entity You Are Contracting With in Your Territory of Domicile, Governing Laws, Jurisdiction, Venue, Notices.
1. This Agreement shall be governed by the laws of the State of New York, United States without regard to conflict of laws rules or principles. All parties agree that any claim, legal proceeding or litigation arising in connection with this Agreement will be brought solely in the United States District Court for the Southern District of New York (Manhattan) or, if federal jurisdiction is not available, in a court of competent jurisdiction in the County and State of New York. You and Zeta DSP consent to personal jurisdiction and venue of such courts and each party hereby expressly waives any objection or defense thereto.
2. THE PARTIES ACKNOWLEDGE AND AGREE THAT ANY CONTROVERSY WHICH MAY ARISE UNDER THIS AGREEMENT, ANY OTHER AGREEMENT RELATED HERETO OR WITH RESPECT TO THE TRANSACTIONS CONTEMPLATED HEREBY OR THEREBY WOULD BE BASED UPON DIFFICULT AND COMPLEX ISSUES, AND THEREFORE, THE PARTIES AGREE THAT ANY COURT PROCEEDING ARISING OUT OF ANY SUCH CONTROVERSY WILL BE TRIED IN A COURT OF COMPETENT JURISDICTION BY A JUDGE SITTING WITHOUT A JURY.
3. All notices to Zeta DSP will be made in writing to Zeta Global Corp., ATTN: Legal Department, 3 Park Avenue. 33rd Fl. New York, NY 10016, USA, with a copy via email to [email protected]. Notices should be sent by certified first-class mail, return receipt requested, or a nationally recognized delivery service. Notices will be deemed received based on the delivery date shown on the written delivery confirmation notice.
Last Modified: November 15, 2021
Appendix 1: Standard Contractual Clauses
The parties agree that to the extent that Customer transfers or makes available to Zeta DSP Personal Data relating to a resident of the European Economic Area the following terms will apply. Where Zeta DSP acts as a Processor for Customer Personal Data it will act as a processor and not as a controller with respect to such data, however, transfers of Non-Proprietary Data by Customer to Zeta DSP represent controller-to-controller transfers and so this form of the EU Standard Contractual Clauses has been used.
Controller to Controller
Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ( ) for the transfer of personal data to a third country.
(b) The Parties:
the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’) have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.5 (e) and Clause 8.9(b);
(iv) Clause 12(a) and (d);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
(b) Paragraph (a) is without prejudice to the rights of data subjects under Regulation (EU) 2016/679.
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 – Optional
(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II - OBLIGATIONS OF THE PARTIES
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B. It may only process the personal data for another purpose:
(i) where it has obtained the data subject’s prior consent;
(ii) where necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iii) where necessary in order to protect the vital interests of the data subject or of another natural person.
(a) In order to enable data subjects to effectively exercise their rights pursuant to Clause 10, the data importer shall inform them, either directly or through the data exporter:
(i) of its identity and contact details;
(ii) of the categories of personal data processed;
(iii) of the right to obtain a copy of these Clauses;
(iv) where it intends to onward transfer the personal data to any third party/ies, of the recipient or categories of recipients (as appropriate with a view to providing meaningful information), the purpose of such onward transfer and the ground therefore pursuant to Clause 8.7.
(b) Paragraph (a) shall not apply where the data subject already has the information, including when such information has already been provided by the data exporter, or providing the information proves impossible or would involve a disproportionate effort for the data importer. In the latter case, the data importer shall, to the extent possible, make the information publicly available.
(c) On request, the Parties shall make a copy of these Clauses, including the Appendix as completed by them, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the Parties may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
(d) Paragraphs (a) to (c) are without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.3 Accuracy and data minimisation
(a) Each Party shall ensure that the personal data is accurate and, where necessary, kept up to date. The data importer shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.
(b) If one of the Parties becomes aware that the personal data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.
(c) The data importer shall ensure that the personal data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of processing.
8.4 Storage limitation
The data importer shall retain the personal data for no longer than necessary for the purpose(s) for which it is processed. It shall put in place appropriate technical or organisational measures to ensure compliance with this obligation, including erasure or anonymisation ( ) of the data and all back-ups at the end of the retention period.
8.5 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the personal data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
(b) The Parties have agreed on the technical and organisational measures set out in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(c) The data importer shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(d) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects.
(e) In case of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the data importer shall without undue delay notify both the data exporter and the competent supervisory authority pursuant to Clause 13. Such notification shall contain i) a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), ii) its likely consequences, iii) the measures taken or proposed to address the breach, and iv) the details of a contact point from whom more information can be obtained. To the extent it is not possible for the data importer to provide all the information at the same time, it may do so in phases without undue further delay.
(f) In case of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the data importer shall also notify without undue delay the data subjects concerned of the personal data breach and its nature, if necessary in cooperation with the data exporter, together with the information referred to in paragraph (e), points ii) to iv), unless the data importer has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or notification would involve disproportionate efforts. In the latter case, the data importer shall instead issue a public communication or take a similar measure to inform the public of the personal data breach.
(g) The data importer shall document all relevant facts relating to the personal data breach, including its effects and any remedial action taken, and keep a record thereof.
8.6 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences (hereinafter ‘sensitive data’), the data importer shall apply specific restrictions and/or additional safeguards adapted to the specific nature of the data and the risks involved. This may include restricting the personnel permitted to access the personal data, additional security measures (such as pseudonymisation) and/or additional restrictions with respect to further disclosure.
8.7 Onward transfers
The data importer shall not disclose the personal data to a third party located outside the European Union ( ) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) unless the third party is or agrees to be bound by these Clauses, under the appropriate Module. Otherwise, an onward transfer by the data importer may only take place if:
(i) it is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
(iii) the third party enters into a binding instrument with the data importer ensuring the same level of data protection as under these Clauses, and the data importer provides a copy of these safeguards to the data exporter;
(iv) it is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings;
(v) it is necessary in order to protect the vital interests of the data subject or of another natural person; or
(vi) where none of the other conditions apply, the data importer has obtained the explicit consent of the data subject for an onward transfer in a specific situation, after having informed him/her of its purpose(s), the identity of the recipient and the possible risks of such transfer to him/her due to the lack of appropriate data protection safeguards. In this case, the data importer shall inform the data exporter and, at the request of the latter, shall transmit to it a copy of the information provided to the data subject.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.8 Processing under the authority of the data importer
The data importer shall ensure that any person acting under its authority, including a processor, processes the data only on its instructions.
8.9 Documentation and compliance
(a) Each Party shall be able to demonstrate compliance with its obligations under these Clauses. In particular, the data importer shall keep appropriate documentation of the processing activities carried out under its responsibility.
(b) The data importer shall make such documentation available to the competent supervisory authority on request.
Use of sub-processors
Data subject rights
(a) The data importer, where relevant with the assistance of the data exporter, shall deal with any enquiries and requests it receives from a data subject relating to the processing of his/her personal data and the exercise of his/her rights under these Clauses without undue delay and at the latest within one month of the receipt of the enquiry or request. ( ) The data importer shall take appropriate measures to facilitate such enquiries, requests and the exercise of data subject rights. Any information provided to the data subject shall be in an intelligible and easily accessible form, using clear and plain language.
(b) In particular, upon request by the data subject the data importer shall, free of charge:
(i) provide confirmation to the data subject as to whether personal data concerning him/her is being processed and, where this is the case, a copy of the data relating to him/her and the information in Annex I; if personal data has been or will be onward transferred, provide information on recipients or categories of recipients (as appropriate with a view to providing meaningful information) to which the personal data has been or will be onward transferred, the purpose of such onward transfers and their ground pursuant to Clause 8.7; and provide information on the right to lodge a complaint with a supervisory authority in accordance with Clause 12(c)(i);
(ii) rectify inaccurate or incomplete data concerning the data subject;
(iii) erase personal data concerning the data subject if such data is being or has been processed in violation of any of these Clauses ensuring third-party beneficiary rights, or if the data subject withdraws the consent on which the processing is based.
(c) Where the data importer processes the personal data for direct marketing purposes, it shall cease processing for such purposes if the data subject objects to it.
(d) The data importer shall not make a decision based solely on the automated processing of the personal data transferred (hereinafter ‘automated decision’), which would produce legal effects concerning the data subject or similarly significantly affect him/her, unless with the explicit consent of the data subject or if authorised to do so under the laws of the country of destination, provided that such laws lays down suitable measures to safeguard the data subject’s rights and legitimate interests. In this case, the data importer shall, where necessary in cooperation with the data exporter:
(i) inform the data subject about the envisaged automated decision, the envisaged consequences and the logic involved; and
(ii) implement suitable safeguards, at least by enabling the data subject to contest the decision, express his/her point of view and obtain review by a human being.
(e) Where requests from a data subject are excessive, in particular because of their repetitive character, the data importer may either charge a reasonable fee taking into account the administrative costs of granting the request or refuse to act on the request.
(f) The data importer may refuse a data subject’s request if such refusal is allowed under the laws of the country of destination and is necessary and proportionate in a democratic society to protect one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679.
(g) If the data importer intends to refuse a data subject’s request, it shall inform the data subject of the reasons for the refusal and the possibility of lodging a complaint with the competent supervisory authority and/or seeking judicial redress.
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
[OPTION: The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body ( ) at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.](b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
(c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
(e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.
(a) [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III - LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Local laws and practices affecting compliance with the Clauses
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards ( );
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Obligations of the data importer in case of access by public authorities
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV - FINAL PROVISIONS
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of ______ (specify Member State).
Choice of forum and jurisdiction
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of _____ (specify Member State).
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.
It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Contact person’s name, position and contact details: _________________________
Activities relevant to the data transferred under these Clauses:
Signature and date: ___________________________________________________
Role (controller/processor): Controller
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Name: Zeta Global, LLC
Address: 3 Park Ave, 33rd Floor, New York, NY 10016
Contact person’s name, position and contact details: Benjamin Hayes, Chief Privacy Officer
Activities relevant to the data transferred under these Clauses:
The data are processed to facilitate online or mobile advertising, and relate to the observed or inferred interests or purchase behaviors of data subjects, as well as identifiers tied to browsers, devices, and similar data typically used to facilitate behavioral or “interest-based” advertising.
Signature and date: ___________________________________________________
Role (controller/processor): Controller
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Customers and Clients
Categories of personal data transferred
Personal details, including any information that identiﬁes the data subject and their personal characteristics, including: name, address, contact details, age, date of birth, sex, and physical description. Bid request data; data indicating the data subject’s interests, purchase intents or behaviors, or demographic categories (collectively “Segments”); other data related to the likelihood or propensity of a data subject to respond to a particular advertisement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Sensitive data should not be provided by Customer to Zeta DSP unless Customer has duly obtained GDPR-compliant consent for the processing and transfer to Zeta DSP with respect to such data
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Nature of the processing
The data are processed for the purpose of facilitating online or mobile advertising and relate to the observed or inferred interests or purchase behaviors of data subjects, as well as identifiers tied to browsers, devices, and similar data typically used to facilitate behavioral or “interest-based” advertising.
Purpose(s) of the data transfer and further processing
- to enable performance of ZETA DSP services using technology based in the United States or India
- Advertising, marketing and public relations of the data exporter’s own business or activity, goods or services
- Accounting and auditing services
- Advertising, marketing and public relations for others, including public relations work, advertising and marketing, host mailings for other organisations, and list broking.
- Administration of justice, including internal administration and management of courts of law, or tribunals and discharge of court business.
- Data analytics, including profiling
- IT, digital, technology or telecom services, including provision of technology products or services, telecoms and network services, digital services, hosting, cloud and support services or software licensing
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data ex
LIST OF SUB-PROCESSORS
This Annex must be completed in case of the specific authorisation of sub-processors (Clause 9(a), Option 1).
The controller has authorised the use of the following sub-processors:
1. Name: …
Contact person’s name, position and contact details: …
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): …