This Data Processing Addendum (this “Addendum”) sets forth (a) the data processing roles as between Company and Fyllo for the Specified Business Purpose (defined below), and (b) the data processing roles as between Company and Media Vendors pursuant to which the discloser (the “Discloser”) may transmit, disclose, or otherwise make available Personal Data to the recipient (the “Recipient”) for Company’s Advertising Purposes (defined below); provided, however, Company’s relevant obligations for the Advertising Purposes apply only to the extent (i) Personal Data is subject to applicable Data Protection Laws; and (ii) an applicable Data Protection Law has taken effect. Capitalized terms not defined in this Addendum have the meaning as defined in the Agreement.
As used in this Agreement or in an IO (as defined below), the following terms shall have the meanings ascribed to them below:
1.1. “Business,” “Business Purpose,” “Commercial Purpose,” “Consumer,” “Consent” “Cross-Context Behavioral Advertising,” “Personal Data,” “Personal Information,” “Sale,” “Sell,” “Service Provider,” “Share,” “Targeted Advertising” and “Third Party” shall have the meanings ascribed to them in applicable Data Protection Laws, including State Privacy Laws (defined below).
1.2. “Covered Personal Data” means Personal Data Processed by Fyllo on behalf of Company in connection with Fyllo’s provision of the Services.
1.3. “Controller” has the meaning given to it (and any other analogous terms) under Data Protection Laws (e.g., “Business” as defined in the CCPA).
1.4. “Data Protection Laws” means all applicable federal, state, territorial, and local data protection and privacy laws, rules, directives, regulations, and governmental requirements currently in effect, or as they become effective, including without limitation the California Consumer Privacy Act of 2018 as amended (“CCPA”), the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”), the Virginia Consumer Data Protection Act (“VCDPA”), and the Colorado Privacy Act (“CPA”) (collectively and together with any additional state privacy laws as they become effective, the “State Privacy Laws”), and any laws implementing, replacing or supplementing any of them, as amended, consolidated, re-enacted, or replaced from time to time.
1.5. “Instructions” means Company’s instructions to Fyllo to Process the Covered Personal Data to provide the Services and Deliverables for the Specified Business Purpose, including as further documented in additional written instructions in an applicable IO; and for Fyllo to Process Covered Personal Data as Processor to Company in accordance with applicable Data Protection Laws.
1.6. “Permitted Territories” means the territories set forth in Attachment 1.
1.7. “Processor” has the meaning given to it (and any other analogous terms) under Data Protection Laws (e.g., “Service Provider” as defined in the CCPA).
1.8. “Processing” means any operation or set of operations performed on Personal Data as defined under applicable Data Protection Laws, including making available, accessing, collecting, recording, organizing, structuring, storing, adapting, retrieval, and use; “Process“, “Processes” and “Processed” will be interpreted accordingly.
1.9. “Purposes” means the following:
1.9.1. “Advertising Purposes” means advertising-related Processing for Business Purposes or Commercial Purposes, including (i) the Restricted Purposes, (ii) activities that constitute Targeted Advertising or Cross-Context Behavioral Advertising under State Privacy Laws, including any Processing that involves displaying ads to a Consumer that are selected based on the Consumer’s cross-context behaviors, and (iii) creating or supplementing user profiles for the purpose of creating audience segments for Targeted Advertising or Cross-Context Behavioral Advertising or creating contextual segments.
1.9.2. “Restricted Purposes” means advertising-related Processing that qualifies as a Business Purpose under applicable Data Protection Laws, including Processing for purposes of auditing; security and integrity; debugging; short term, transient uses; analytics; providing advertising or marketing services that do not include Cross-Contextual Behavioral Advertising, Targeted Advertising, or profiling; internal research; and efforts to improve quality and safety. Restricted Purposes includes first-party advertising, contextual advertising, frequency capping, measurement, fraud detection and prevention, and ensuring and measuring viewability, each only to the extent such activity (i) is permissible for a Processor to perform under the applicable State Privacy Laws; and (ii) does not result in a Sale or Sharing of Personal Data or constitute Processing of Personal Data for Targeted Advertising purposes.
1.9.3. “Specified Business Purpose” means the Business Purpose(s) for Fyllo’s Processing of Covered Personal Data on Company’s behalf, which are the media planning and buying Services as defined in the Agreement.
1.10. “Restricted Processing” means Processing only for Restricted Purposes.
1.11. “Restricted Processing Signal” means any flag or signal passed through a Signaling System indicating that a Consumer has opted out of the Sale, Sharing, or Processing for purposes of Targeted Advertising of their Personal Data.
1.12. “Sensitive Data” means Personal Data that is classified as sensitive or special categories of data under Data Protection Laws, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, sex life or sexual orientation data.
1.13. “Signaling System” means flags or signals indicating Consumer privacy choices as transmitted through any applicable advertising industry or other privacy framework, including without limitation the IAB CCPA Compliance Framework, Global Privacy Platform, or other signaling system.
Company is a Controller and Fyllo is a Processor of the Covered Personal Data. Company does not make Covered Personal Data available to Fyllo for consideration but only to enable Fyllo to provide the Services to Company, and Fyllo does not provide any consideration to Company in accessing the Covered Personal Data to provide the Services to Company.
Each Party will comply with applicable Data Protection Laws as applicable to its performance hereunder. Company warrants that for all of the Purposes of Processing set forth in this Addendum: (a) it has notified Consumers through appropriate means that would satisfy the obligations under applicable Data Protection Laws about the Processing of Covered Personal Data by Company, Fyllo, and Media Vendors (including through the use of Tracking Technologies), (b) it has obtained all required and legally enforceable Consents (or other lawful basis) or otherwise has the right under applicable Data Protection Laws to disclose Covered Personal Data to Fyllo or Media Vendors, and (c) where required under applicable Data Protection Laws, it has implemented a Signaling System to obtain Consent or facilitate opt-outs from Consumers on any Sites, Ads or other digital properties on which Company deploys Tracking Technologies to collect Covered Personal Data.
2.3. Processing Instructions
Company hereby appoints Fyllo as its Processor for the Services and instructs Fyllo to Process Covered Personal Data as required to provide the Services. Company’s Instructions to Fyllo shall be lawful and Company will not instruct Fyllo to take any action that would violate applicable Data Protection Laws. Fyllo will only Process the Covered Personal Data on behalf of Company in accordance with Company’s Instructions as necessary for the Specified Business Purpose, including with respect to any Covered Personal Data that Company makes available (directly or indirectly) to Media Vendors or that Media Vendors make available (directly or indirectly) to Company.
Fyllo shall ensure that any person who is authorized by Fyllo to Process Covered Personal Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
2.5. No Processing on Fyllo Systems
For the Services provided by Fyllo under the Agreement, Company acknowledges that Fyllo does not Process Covered Personal Data on Fyllo systems.
2.6. Processing on Media Vendor Systems
Fyllo shall not, and shall not authorize any Media Vendor to process, retain, use, sell, transfer, disclose, or otherwise share Covered Personal Data for any Purposes other than the Advertising Purposes as directed by Company under this Addendum and the Agreement. Company acknowledges that any Processing between Company and Media Vendors is not a data transfer between Fyllo and the Media Vendor but rather a data transfer between Company and the applicable Media Vendor. Where Company’s disclosure of Covered Personal Data to Media Vendor constitutes a Sale or Share or otherwise impacts Company’s legal obligations, Company (not Fyllo) will be deemed to have Sold or Shared the Covered Personal Data and Company is responsible for any resulting regulatory or contractual obligations as required under applicable Data Protection Laws.
2.7. No Assessment of Covered Personal Data by Fyllo
Fyllo has no obligation to assess the contents or accuracy of Covered Personal Data, including to identify information subject to any specific legal, regulatory, or other requirement. Company is responsible for making an independent determination as to whether the Services meet Company’s requirements and legal obligations under Data Protection Laws.
Each Party shall promptly notify the other if, in its opinion, it can no longer comply with its obligations under this Addendum. The Parties shall reasonably assist each other in meeting their respective obligations under applicable Data Protection Laws. Both parties have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Covered Personal Data.
2.9. Data Protection Impact Assessments
Fyllo shall provide reasonably requested information regarding the Services to enable Company to demonstrate its compliance with Data Protection Laws and to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws, so long as Company does not otherwise have access to the relevant information. No more than once annually, Company may request documentation prepared by Fyllo in the ordinary course of its business evidencing Fyllo’s compliance with this Addendum. The scope of Company’s request may not extend beyond information applicable to Company and Company must share the results of any analysis it conducts related to the Services with Fyllo upon request. All information and materials related to such Company request are Fyllo Confidential Information.
2.10. Government, Law Enforcement, or Third Party Inquiries
If either party receives any correspondence, inquiry, or complaint from any individual, supervisory authority, other relevant regulator, or other third party in connection to the Services, then the parties shall cooperate in good faith as necessary to enable that party to respond. If Fyllo receives a demand to retain, disclose, or otherwise Process Covered Personal Data for any third party, including, but not limited to law enforcement or a government authority, then Fyllo shall attempt to redirect the demand to Company by providing Company contact information to such third party, or, if unable to redirect the demand, Fyllo shall provide Company reasonable notice of the demand as promptly as feasible.
2.11. Right to Suspend Services
If Fyllo reasonably believes that Company’s use of the Services violates Fyllo’s privacy standards and practices, is unauthorized, or violates applicable Data Protection Laws, Company grants Fyllo the right, upon notice, to take reasonable and appropriate steps to stop and remediate, including suspension of Services. Fyllo will endeavor to provide a 10-day notice; however, suspension may occur contemporaneously with such notice if the violation jeopardizes Fyllo’s ability to provide services to its other customers or exposes Fyllo to a violation of law, potential fines, or civil liability. The notice shall include a summary description of the violation. Such action will not limit any of Fyllo’s other rights or remedies at law or in equity.
2.12. California Specific Obligations
To the extent Covered Personal Data contains any data regulated by the CCPA, Fyllo certifies, as a Service Provider to Company, that it understands, and will comply with, the applicable restrictions set forth in the CCPA and agrees that:
2.12.1. Fyllo shall Process Covered Personal Data on behalf of Company only for the Specified Business Purpose; and
2.12.2. As between Company and Fyllo and for purposes of requirements under the CCPA and analogous requirements under applicable Data Protection Laws, Fyllo will not (i) Sell or Share the Covered Personal Data, (ii) retain, use, or disclose the Covered Personal Data for any purpose other than for the Specified Business Purpose, (iii) retain, use, or disclose the Covered Personal Data outside of the direct business relationship between Fyllo and Company, or (iv) combine the Covered Personal Data with Personal Data it receives from other parties except for the Specified Business Purpose or as permitted under applicable Data Protection Laws.
3.1. Signaling System
Company agrees to integrate with a Signaling System in order to pass Restricted Processing Signals to Media Vendors or, to the extent applicable, to receive Restricted Processing Signals from Media Vendors.
With respect to the Processing of Covered Personal Data by Media Vendors, each of Company and Media Vendor acts as a Controller, unless a Restricted Processing Signal is present, in which case the Recipient acts as a Processor and Processes the Covered Personal Data on behalf of the Discloser. Fyllo agrees to bind applicable Media Vendors to contractual terms in compliance with applicable Data Protection Laws and to require applicable Media Vendors to integrate with a Signaling System. For clarity, to the extent Fyllo activates on Fyllo Data in providing the Services, Fyllo provides such data in its separate capacity as a Media Vendor and acts as a Controller for such Processing in accordance with this Section 3.2. Nothing in the Agreement grants Company any rights in the Fyllo Data.
3.3. Mechanisms for Consumer Choices
Company will provide Consumers with a clear andconspicuous ability to opt out of the Sale, Sharing, or Processing of their Personal Data for purposes of Targeted Advertising, in compliance with applicable Data Protection Laws. If a Consumer opts out, Company will (i) not Process such Consumer’s Personal Data for Targeted Advertising purposes and (ii) will either (a) not disclose such Consumer’s Personal Data to any Media Vendor; or (b) transmit a Restricted Processing Signal in conjunction with any disclosures of such Consumer’s Personal Data to applicable Media Vendors. Company will not modify any Restricted Processing Signal received from a Media Vendor and will transmit all Restricted Processing Signals received in conjunction with Personal Data to any recipients of such Personal Data. Company shall act in accordance with the Consumer’s expressed privacy choices and requests at all times.
3.4. Notices for Consumer Choices
Company will (a) provide all notices and obtain any Consents required by applicable Data Protection Laws as necessary to permit each Party and applicable Media Vendors to Process Covered Personal Data in accordance with this Addendum; and (b) to the extent providing Covered Personal Data originally collected by another Controller, (i) contractually obligate such Controller to provide all notices and obtain any Consents required by applicable Data Protection Laws necessary to permit each Party and applicable Media Vendors to Process Covered Personal Data in accordance with this Addendum and (ii) take reasonable steps to ensure compliance with such contractual obligations.
3.5. Consumer Requests
Where Company receives a request from a Consumer to exercise any of its rights available under Data Protection Laws, Company is solely responsible for responding to rights asserted by Consumers, including as applicable, passing Consumer requests to Media Vendors using mechanisms offered by the applicable Media Vendors or through industry Signaling Systems. Fyllo will provide reasonable assistance to Company to the extent the applicable Media Vendor makes information available to Fyllo.
3.6. Sensitive Data
Company represents and warrants that it will not disclose or otherwise use any Sensitive Data as part of the Covered Personal Data unless it has obtained all legally required Consents for Processing of such data for its Advertising Purposes.
3.7. Tracking Technologies
Company understands and agrees that it will be sharing Covered Personal Data with Media Vendors via the placement of Tracking Technologies on its Sites or Ads in connection with the Services. In furtherance and not limitation of any other provisions of this Addendum, the following terms apply to Company’s use of such Tracking Technologies, including Company’s data protection obligations:
3.7.1. Where Company already has applicable Media Vendor Tracking Technologies on its Sites, Company hereby authorizes Fyllo to use data collected by such Tracking Technologies in connection with the Services.
3.7.2. For additional Tracking Technologies placed on Sites or Ads to facilitate Company’s Advertising Purposes, Fyllo will utilize standard Media Vendor tracking technologies, including as offered by DSPs who have integrations with Tracking Technology providers as part of their standard offering. Fyllo will obtain Company’s written authorization (email being sufficient) prior to utilizing any such Tracking Technologies. For Tracking Technology solutions offered via the DSPs, the Tracking Technologies are placed via the DSP’s technology. Fyllo is responsible for utilizing the DSP’s self-service options for Tracking Technologies placement in accordance with the DSP’s standard requirements and authorizations provided by Company.
3.7.3. Company may elect to contract directly with Tracking Technology providers, it being understood that Company is solely responsible for the activities of such providers. Fyllo will facilitate the provision of code from the applicable provider in accordance with instructions from Company, it being understood that in all cases Company, not Fyllo, is solely responsible for placing the Tracking Technologies on its Sites and ensuring such Tracking Technologies operate as intended.
3.7.4. Company is solely responsible for maintaining records of the Tracking Technologies on its Sites and Ads and understanding its legal obligations regarding its use of such Tracking Technologies.
3.8. Company Data
Company may elect to disclose its Company Data to Media Vendors for its Advertising Purposes. If Company elects to utilize Fyllo’s account with LiveRamp to facilitate the onboarding of such data to Media Vendors, the terms in Attachment 3 apply.
4.1. Further details on the subject matter, categories of Consumers, categories of Personal Data, and purposes and nature of the Processing are set forth in Attachment 2.
4.2. Supplemental terms and policies provided by Media Vendors are set forth in Attachment 4.
4.3. Nothing herein affects Fyllo’s or its Affiliates’ data processing obligations for products and services that are not media planning and buying Services as defined in the Agreement.
4.4. Except as otherwise required under applicable Data Protection Laws, the governing law and forum under this Addendum shall be the same as set out in the Agreement, without regard to conflict of laws principles. Disputes shall be determined in accordance with the manner specified in the Agreement, except to the extent applicable Data Protections Laws requires otherwise or as specifically provided in this Addendum.
4.5. Fyllo may update this Addendum from time to time, with such updated version posted to https://hellofyllo.com/DPA-media, or a successor website designated by Fyllo; any such updated version will apply automatically as of the date such updates take effect.
4.6. In the event of any conflict between this Addendum and the Agreement, this Addendum shall prevail. This Addendum will survive any expiration or termination of the Agreement.
4.7. Each Party’s liability (including liability for any regulatory penalties incurred by the other Party) arising out of or relating to this Addendum remain subject to the limitations on liability in the Agreement.
4.8. Company acknowledges that services, technology, tools, or data provided by Media Vendors are governed by separate contracts between Fyllo and the applicable Media Vendor (collectively “Media Vendor Contracts”). In the event of claims arising out of Processing of Covered Personal Data by Media Vendors, such claims are governed by the Media Vendor Contracts and not this Agreement. Company acknowledges that Media Vendors are intended third party beneficiaries of this Addendum with remedies against Company’s breach of this Addendum.
4.9. Certain Media Vendors may require Company to contract directly with the Media Vendor in order to receive certain services. Company may also otherwise elect to contract directly with certain Media Vendors, in whole or in part. Company is solely responsible for all activities under its separate contracts with Media Vendors. Nothing herein shall serve to limit Company’s ability to become a signatory to an industry framework contract, including by way of example the IAB’s MultiState Privacy Agreement available at https://www.iab.com/guidelines/how-the-iab-multi-state-privacy-agreement-can-help-advertisers-meet-their-2023-privacy-challenges/.
Permitted Territories: United States
To the extent Company requests Services that involve the processing of Personal Data of individuals who are residents of additional jurisdictions, Company will promptly notify Fyllo in writing so the parties can include appropriate supplemental jurisdictional terms to this Exhibit A. Company agrees to not instruct Fyllo to provide any Services in jurisdictions other than the Permitted Territories until appropriate supplemental jurisdictional terms are in place.
1. Subject Matter
The subject matter of the Processing under this Addendum is Covered Personal Data.
2. Nature and Purposes of Processing
Fyllo Processes the Covered Personal Data as needed for the Specified Business Purpose and to comply with Company’s Instructions during the Term of the Agreement. Company will Processes the Covered Personal Data for its Advertising Purposes during the Term of the Agreement.
3. Categories of Consumers
The categories of Consumers to which the Covered Personal Data relate are determined and controlled by Company in its sole discretion and generally include, but are not limited to, Company’s customers and Company’s prospective customers.
4. Types of Personal Data Processed
The types of Covered Personal Data Processed for Company’s Advertising Purposes may include: (i) identifiers (such as cookie, device or mobile identifiers, or IP address); (ii) attributes and interests associated with identifiers which may be inferred (such as demographic data or geographic location) or; (iii) Consumer network activity or browsing information.
Section 1. CRM Onboarding - Additional Requirements
With Fyllo’s prior written consent (email being sufficient), Company may utilize Fyllo’s account with LiveRamp for data onboarding services. Company is prohibited from further resale or providing access to third parties of the data onboarding services. Company is prohibited from onboarding to LiveRamp (i) a government-issued identification number (e.g., Social Security Number, driver’s license number, state identification number, or passport number); (ii) a financial or customer account number, including financial institution or bank account number or a credit or debit card number; (iii) information regarding an individual’s sexual orientation, religion, or health or medical condition, including Protected Health Information, as defined in 45 CFR 160.103, or any sensitive personal data or special categories of personal data as defined by applicable data protection law; (iv) unique biometric data or digital representation of biometric data; (v) an individual’s full date of birth; (vi) maiden name of the individual's mother; (vii) individual's digitized or other electronic signature; (viii) a user name, email address or other unique electronic identifier or routing code, which is sent in combination with a personal identification code, password, or security question and answer that would permit access to an online account, (ix) any data associated with an individual’s status as a person under the age of eighteen, or (x) any information that would permit Company to uniquely re- identify (a) specific individuals, (b) specific households or (c) groups smaller than 25 individuals. Company is prohibited from onboarding data to send or facilitate any advertising for (i) adult entertainment, i.e., pornography, (ii) firearms (iii) illegal gambling, (iv) any other product or service that is illegal in the country or locality in which it is sent or received, including without limitation to discriminate on the basis of race, gender, religion, sexual orientation, or in any way that could be deemed unfair under applicable law. Company is prohibited from onboarding data for the purposes of (i) employment eligibility, (ii) credit eligibility, (iii) health care eligibility, or (iv) insurance eligibility underwriting and pricing. Company is prohibited from attempting to re-identify, derive any data from, or otherwise reverse engineer data Company may receive through the data onboarding. Company must encrypt all files containing personally identifiable information. Company grants LiveRamp all licenses and authorizations necessary to provide its data onboarding services.
Section 2. LiveRamp DPA
Company agrees that the LiveRamp data processing addendum located at https://liveramp.com/legal/dpa/, as may be updated in LiveRamp’s sole discretion from time to time, including at a successor URL (the “LiveRamp DPA”), governs Company’s sharing of Personal Data with LiveRamp. Under the LiveRamp DPA, Company is the Data Controller and LiveRamp is the Data Processor (as those terms are defined in the LiveRamp DPA) of the Personal Data that Company shares with LiveRamp. LiveRamp is an intended third party beneficiary with respect to the terms set forth in Section 1 of this Attachment 3 and the LiveRamp DPA with enforcement rights directly against Company.
Section 3 Downstream Processing of Covered Personal Data.
Company acknowledges that the Personal Data it shares with LiveRamp for onboarding will be further shared with Media Vendors as a necessary part of the delivery of Company’s media campaigns, including but not limited to demand side platforms.
Where the following Media Vendors are used with the Services, Company represents and warrants it will comply with all obligations set forth in the associated links which are incorporated into this agreement: