Publisher Data Processing Terms

These data processing terms (Data Terms) apply to any Personal Data Processing under the applicable MSA or Addendum.

Definitions from the applicable MSA or Addendum apply in these Data Terms. Additionally, in these Data Terms:

(a) Applicable Privacy Laws means all applicable global privacy laws, regulations, and guidance (as amended and/or replaced from time to time) relating to data protection, including, but not limited to, European Data Protection Laws, U.S. Data Protection Laws, and any modification, extension, or re-enactment of the above from time to time;

(b) European Data Protection Laws means: (i) the European Union (EU) General Data Protection Regulation (GDPR) (Regulation 2016/679); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) national data protection laws made pursuant to (i) or (ii), including the United Kingdom (UK) GDPR, the UK Data Protection Act, 2018, and the Swiss Federal Act on Data Protection), and any modification, extension, or re-enactment of the above from time to time;

(c) The terms Controller, Data Subject, Personal Data, Personal Data Breach, Processor, and Processing (or Process or Processed) will have the same meanings as given to them in the GDPR or other relevant Applicable Privacy Laws; Third Party and Business will have the same meaning as given to them in the CCPA; provided, however: (i) to the extent the CCPA or other privacy law is applicable, the definition of Personal Data includes Personal Information; and (ii) the definition of Data Subject includes Consumer;

(d) Framework Signal(s) means technical privacy signals developed by Industry Standard bodies, including the Network Advertising Initiative (NAI) opt-out for tailored advertising, the International Advertising Bureau (IAB) Transparency and Consent Framework, the IAB U.S. Privacy String, the Children’s Online Privacy Protection Act (COPPA) flag, and any other signal(s) whether now known or hereafter created that transmit affirmative action by a Data Subject with respect to their Personal Data Processing;

(e) Industry Standards means any industry guidelines to which the Party is or has agreed to be bound (as applicable), including from the IAB and the NAI, as amended or superseded;

(f) Third-Party Property means any website, mobile site, or application for which Company has the authority to sell Ad Inventory or otherwise use the Index Services, but which is not owned and/or operated by Company; Third-Party Owner means the owner and operator of the Third-Party Property; and

(g) U.S. Data Protection Laws means United States of America state or federal privacy laws, including, but not limited to, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020), and its implementing regulations, including any amendments thereto (collectively, the CCPA), and any modification, extension, or re-enactment of the above from time to time.

The Parties acknowledge and agree that any Personal Data Processed by Index in connection with the the applicable MSA or Addendum may only be used to: (a) deliver and receive the Index Services, which include, but are not limited to, facilitating targeted advertising and delivery of Ads, fraud detection, and honouring Data Subject preferences expressed through the Framework Signals that Index receives, as applicable; (b) provide reporting to the parties to a transaction on the Index Platform (including, without limitation, DSPs, intermediaries, and Company), where: (i) the disclosure of Personal Data is limited to the extent necessary to provide information on the transaction; and (ii) such reporting is kept strictly confidential and is never disclosed beyond the parties to a transaction or shared publicly except to the extent necessary to be disclosed to advisors (i.e. lawyers, advisors, auditors) who are bound to confidentiality terms at least as restrictive as outlined in the applicable MSA or Addendum; and (c) to respond to a court order or a request from a governmental agency, or to comply with Applicable Law or Industry Standards (subsections (a)-(c), collectively, the Purpose).

Under Applicable Privacy Laws, pursuant to the applicable MSA or Addendum, Index is an independent Controller and Third Party, and Company is an independent Controller and Business. Each Party acknowledges no provision of the applicable MSA or Addendum will be interpreted as a joint-controllership or co-controllership between the Parties.

(a) Index will: (i) Process or share Personal Data in connection with the applicable MSA or Addendum only for the Purpose; (ii) contractually require its partners to comply with Applicable Privacy Laws; and (iii) notify Company without undue delay upon becoming aware of a Personal Data Breach in connection with the applicable MSA or Addendum; and (iv) notify Company without undue delay if Index makes a determination that it can no longer meet its obligations under the CCPA or other Applicable Privacy Laws.

(b) Each Party will: (i) comply with its obligations under Applicable Privacy Laws and Industry Standards; (ii) notify the other Party without undue delay if a Data Subject makes a specific inquiry about their Personal Data Processing that directly identifies the other Party (for example, if a Data Subject makes a request to Company about Index’s Processing of Personal Data); (iii) implement appropriate technical and organizational security measures to protect Data Subjects’ Personal Data, consistent with Applicable Privacy Laws; (iv) assist the other Party in complying with data security obligations; and (v) cooperate in demonstrating its compliance with Applicable Privacy Laws.

Upon reasonable written notice and not more than once per calendar year, Company agrees that it may review and audit, at Company’s expense, Index’s privacy and security program specific to its compliance with its obligations in these Data Terms. Any audit is subject to a mutually agreed-upon plan that ensures the use of an independent third party auditor and restricts the scope of the audit to what is relevant to Company. Company agrees, to the extent permitted by law or regulation, to keep confidential any information or findings related to the audit. In addition, the parties agree that third party auditors are subject to confidentiality obligations no less stringent than those within the applicable MSA or Addendum.

If Company shares Personal Data of Data Subjects from a Third-Party Property due to Company’s use of, or integration with, the Index Platform, or the Index Services, Company will ensure that the Third-Party Owner complies with terms at least as stringent as those in this Schedule. Company will be responsible for any breach of this Schedule caused by such Third-Party Owner, as if Company had caused such breach.

Upon reasonable written request from Company (email to suffice), Index will provide an up-to-date list of all Processors involved in the Processing of Personal Data in connection with the applicable MSA or Addendum and any reasonable information relevant to such Processing.

Where Applicable Privacy Laws require supplementary measures to protect the international transfers of Personal Data, each Party will ensure the transfer occurs in compliance with approved supplementary measures under Applicable Privacy Laws.

For each Framework Signal sent to Index by Company (provided they are transmitted correctly), Index will: (a) action the Framework Signal(s) in accordance with the Industry Standard to which the Framework Signal(s) applies; and (b) also pass the signal to downstream partners (as appropriate). Index is not responsible for any Personal Data that may be Processed due the incorrect technical transmission of a Framework Signal(s) (e.g. if Index does not receive a Framework Signal from Company).

In the event of any conflict or discrepancy between Applicable Privacy Laws and the applicable MSA or Addendum, the following order of precedence will apply: (a) Applicable Privacy Laws and (b) the applicable MSA or Addendum.