This Data Processing Agreement (the "Agreement") is entered into by and between PulsePoint, Inc., a Delaware corporation with an office at 360 Madison Avenue, 14th Floor, New York, NY 10017 ("PulsePoint") and the entity referenced in the applicable MSA ("Company"). The parties hereby agree to the following:
a) PulsePoint is a controller of certain personal data that it wishes to share with Company in connection with the MSA (as defined below).
b) The parties have entered into this Agreement to ensure that, in sharing such personal data pursuant to the MSA, they both are in compliance with Privacy Laws and the fundamental data protection rights of the data subjects whose personal data will be processed.
a) "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in the applicable Privacy Laws;
b) "EU Data Protection Law" means (i) prior to 25 May 2018, the EU Data Protection Directive (Directive 95/46/EC); (ii) on and after 25 May 2018, the EU General Data Protection Regulation (Regulation 2016/679); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any national data protection laws made under or pursuant to (i), (ii) or (iii).
c) “Privacy Laws” means all applicable federal, state and international laws, rules, regulations, self-regulatory guidelines and prevailing industry standards that govern the activities of PulsePoint and Company under this Agreement.
a) PulsePoint and Company are parties to an existing Master Services Agreement - Demand, under which Company may bid on available ad inventory via PulsePoint’s services (the “MSA”). In connection with its services, PulsePoint may submit certain advertising inventory bid requests to Company, and Company acknowledges that such bid requests may contain data that qualify as personal data under Privacy Laws (such as IP addresses and similar unique device identifiers) ("Data").
b) Company shall process such Data for the purpose of assessing whether to submit bids for the advertising inventory made available by PulsePoint and/or as otherwise described in the MSA or otherwise agreed in writing by the parties (the "Permitted Purpose"). Company shall process Data in accordance with the requirements of Privacy Laws, and shall only process the Data on behalf of and in accordance with PulsePoint’s written instructions and shall treat Data as confidential information.
c) Upon PulsePoint’s request at any time during the term of this Agreement, Company shall restrict the processing of Data identified by PulsePoint. The restriction of processing will be conducted in such a manner that all or parts of the Data are not subject to further processing operations and cannot be changed. The fact that the processing of such Data is restricted should be clearly flagged in Company's systems.
If PulsePoint, in its provision of its services, does not have the ability to correct, amend, restrict, block or delete Data, then Company shall promptly comply with reasonable requests by PulsePoint to facilitate such actions to the extent Company is legally permitted and able to do so. Company shall, to the extent legally permissible, promptly notify PulsePoint if it receives a request from a data subject for access to, correction, amendment, deletion of, or objection to the processing of that data subject’s Data.
The parties acknowledge that PulsePoint is a controller of the Data it discloses to Company, and that Company will process the Data pursuant to PulsePoint’s instructions as a processor.
Company will not disclose the Data to any third party without PulsePoint’s prior written consent except: (i) where necessary for the Permitted Purpose; (ii) as permitted or required pursuant to the MSA; or (iii) where required by applicable law.
Company shall implement appropriate technical and organizational measures to protect the Data from (i) accidental or unlawful destruction; and (ii) loss, alteration, unauthorized disclosure of, or access to, the Data (a "Security Incident"). In the event that Company suffers a confirmed Security Incident, it shall notify PulsePoint without undue delay and both parties shall cooperate in good faith to agree and take action upon such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
Company may appoint third party processors to process Data for the Permitted Purpose, provided that such processors: (i) agree in writing to process Data in accordance with Company's documented instructions; (ii) implement appropriate technical and organizational security measures to protect the Data against a Security Incident; and (iii) otherwise provide sufficient guarantees that they will process the Data in a manner that will meet the requirements of Privacy Laws. Company accepts responsibility for any breach of this Agreement that is caused by an act, error or omission of a processor it has appointed.
Upon PulsePoint’s request, Company shall delete or return Data to PulsePoint and shall delete existing copies unless applicable Privacy Law requires storage of such data.
Where EU Data Protection Law applies, Company shall not transfer any Data (nor permit any Data to be transferred) to a territory outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include, without limitation, transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data; to a recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; to a recipient in the United States that has certified compliance with the EU-US Privacy Shield framework; or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
This Agreement shall survive termination or expiration of the MSA. Upon termination or expiration of the MSA, or at any time upon PulsePoint’s request, Company shall either: (a) render all or part of the Data anonymous in such a manner that the Data no longer constitutes personal data; or (b) permanently delete or render all or parts of the Data unreadable.
CCPA Service Provider Addendum to PulsePoint Data Processing Agreement
PulsePoint and the Company have entered into the above Data Processing Agreement, which supplements the PulsePoint Supplier or Demand, as the case may be, Master Service Agreements, or other agreements entered into between the parties. This Addendum to the PulsePoint Data Processing Agreement (the “Addendum”) is entered into by PulsePoint and the Company and also supplements the Agreement. This Addendum will be effective as of January 1, 2020. This Addendum reflects the parties’ agreement on the processing of Company Personal Information in connection with the California Consumer Privacy Act of 2018 (“CCPA”).
Subject to the terms of this Addendum, and any Master Service Agreement between PulsePoint and Company, and solely with respect to Company Personal Information processed, if PulsePoint receives an opt out signal, PulsePoint will act as Company’s service provider, and as such, will not retain, use or disclose Company processed Personal Information, other than (a) for a business purpose under the CCPA on behalf of Company and the limited specific purpose set out in the agreements between PulsePoint and the Company, or as otherwise permitted under the CCPA or (b) as may otherwise be permitted for service providers or under a comparable exemption from “sale” in the CCPA, as reasonably determined by PulsePoint.
The provisions of this Addendum are effective solely to the extent the CCPA applies. Company is solely liable for its compliance with the CCPA in its use of PulsePoint services. In the event of changes to the CCPA or issuance of any applicable regulation or court order or governmental guidance relating to the CCPA, PulsePoint may change this Addendum, if such change does not have a material adverse impact on Company, as reasonably determined by PulsePoint, with respect to exemptions from “sales” under the CCPA. The terms “business purpose”, “personal information”, “sale” and “service provider” as used in this Addendum have the meanings given in the CCPA. “Company Personal Information” means personal information that is processed by PulsePoint on behalf of Customer in PulsePoint’s provision of services. If there is any conflict or inconsistency between the terms of this Addendum and the remainder of the Agreement, the terms of this Addendum will govern.
1 January 2020