This Data Processing Agreement (the "Agreement") is entered into by and between PulsePoint, Inc. a Delaware corporation with an office at 360 Madison Avenue, 14th Floor, New York, NY 10017 ("PulsePoint") and the entity referenced in the applicable MSA ("Company"). The parties hereby agree to the following:
a) Company is a controller of certain personal data that it wishes to share with PulsePoint in connection with the MSA (as defined below).
b) The parties have entered into this Agreement to ensure that, in sharing such personal data pursuant to the MSA, they both are in compliance with Privacy Laws and the fundamental data protection rights of the data subjects whose personal data will be processed.
a) "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in the applicable Privacy Laws;
b) "EU Data Protection Law" means (i) prior to May 25, 2018, the EU Data Protection Directive (Directive 95/46/EC); (ii) on and after May 25, 2018, the EU General Data Protection Regulation (Regulation 2016/679); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any national data protection laws made under or pursuant to (i), (ii) or (iii).
c) “Privacy Laws” means all applicable federal, state and international laws, rules, regulations, self-regulatory guidelines and prevailing industry standards that govern the activities of PulsePoint and Company under this Agreement.
a) PulsePoint and Company are parties to an existing Master Services Agreement - Supply, under which Company may send ad calls for its available inventory via PulsePoint’s services for the purpose of receiving bids from PulsePoint’s advertiser and agency clients (the “MSA”). In connection with this purpose, Company will submit certain advertising inventory bid requests to PulsePoint, and PulsePoint acknowledges that such bid requests may contain data that qualify as personal data under Privacy Laws (such as IP addresses and similar unique device identifiers) ("Data"). Company agrees to not pass any such Data unless it has received consent from the data subject pursuant to Privacy Laws.
b) PulsePoint shall process such Data for the purpose of assessing whether to submit bids for the advertising inventory made available by Company and/or as otherwise described in the MSA or otherwise agreed in writing by the parties (the "Permitted Purpose"). Upon Company's request, PulsePoint will restrict the processing of Data identified by Company. PulsePoint will process the Data in accordance with the requirements of Privacy Laws and Company will ensure that any instructions for the processing of Data will comply with the Privacy Laws.
If Company, in its use or receipt of PulsePoint’s services, does not have the ability to correct, amend, restrict, block or delete Data, Company will promptly notify PulsePoint of such inability and PulsePoint will use all reasonable efforts to facilitate such actions to the extent PulsePoint is legally permitted and able to do so.
The parties acknowledge that Company is a controller of the Data it discloses to PulsePoint, and that PulsePoint will process the Data as a separate and independent controller strictly for the Permitted Purpose. In no event will the parties process the Data jointly as joint controllers.
Each party shall be individually and separately responsible for complying with the obligations that apply to it as a controller under Privacy Laws. Without limitation to the foregoing, each party shall maintain a publicly-accessible privacy policy on its website(s) that satisfies the transparency disclosure requirements of Privacy Laws
PulsePoint will not disclose the Data to any third party without Company's prior written consent except: (i) where necessary for the Permitted Purpose; (ii) as permitted or required pursuant to the MSA; or (iii) where required by applicable law.
PulsePoint shall implement appropriate technical and organizational measures to protect the Data from (i) accidental or unlawful destruction; and (ii) loss, alteration, unauthorized disclosure of, or access to, the Data (a "Security Incident"). In the event that PulsePoint suffers a confirmed Security Incident, it shall notify Company without undue delay and both parties shall cooperate in good faith to agree and take action upon such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
PulsePoint may appoint third party processors to process Data for the Permitted Purpose, provided that such processors: (i) agree in writing to process Data in accordance with PulsePoint’s documented instructions; (ii) implement appropriate technical and organizational security measures to protect the Data against a Security Incident; and (iii) otherwise provide sufficient guarantees that they will process the Data in a manner that will meet the requirements of Privacy Laws. PulsePoint accepts responsibility for any breach of this Agreement that is caused by an act, error or omission of a processor it has appointed.
Where EU Data Protection Law applies, PulsePoint shall not transfer any Data (nor permit any Data to be transferred) to a territory outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include, without limitation, transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data; to a recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; to a recipient in the United States that has certified compliance with the EU-US Privacy Shield framework; or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission. Company acknowledges that PulsePoint is headquartered in the United States of America and has certified its compliance to the EU-US Privacy Shield. Accordingly, Company agrees that PulsePoint may lawfully receive and process the Data in the United States of America for as long as PulsePoint maintains a valid and up-to-date EU-US Privacy Shield certification.
PulsePoint uses cookies and similar tracking technologies (such as mobile device identifiers and digital fingerprinting) ("Cookies") to provide its services, including for the purpose of tracking data subject interactions with digital advertising supplied through PulsePoint’s services. Company shall contractually require its customers to implement appropriate notice and consent mechanisms upon their digital properties so that PulsePoint can serve Cookies lawfully through such properties in order to perform its services under the MSA. Upon request, PulsePoint shall provide Company with such information as Company or its customers may reasonably require about PulsePoint’s Cookies in order that Company's customers may provide Cookie notice and consent mechanisms that comply with Privacy Laws. PulsePoint shall not use Cookies to collect data from any individual who has opted-out of PulsePoint’s Cookies.
This Agreement shall survive termination or expiration of the MSA. Upon termination or expiration of the MSA, PulsePoint may continue to process the Data provided that such processing complies with the requirements of this Agreement and Privacy Laws.
PulsePoint and the Company have entered into the above Data Processing Agreement, which supplement the PulsePoint Supplier or Demand, as the case may be Master Service Agreements, or other agreements entered into between the parties. This Addendum to the PulsePoint Data Processing Agreement (the “Addendum”) is entered into by PulsePoint and the Company and also supplements the Agreement. This Addendum will be effective as of January 1, 2020. This Addendum reflects the parties’ agreement on the processing of Company Personal Information in connection with the California Consumer Privacy Act of 2018 (“CCPA”).
Subject to the terms of this Addendum, and any Master Service Agreement between PulsePoint and Company, and solely with respect to Company Personal Information processed, if PulsePoint receives an opt out signal, PulsePoint will act as Company’s service provider, and as such, will not retain, use or disclose Company processed Personal Information, other than (a) for a business purpose under the CCPA on behalf of Company and the limited specific purpose set out in the agreements between PulsePoint and the Company, or as otherwise permitted under the CCPA or (b) as may otherwise be permitted for service providers or under a comparable exemption from “sale” in the CCPA, as reasonably determined by PulsePoint.
The provisions of this Addendum are effective solely to the extent the CCPA applies. Company is solely liable for its compliance with the CCPA in its use of PulsePoint services. In the event of changes to the CCPA or issuance of any applicable regulation or court order or governmental guidance relating to the CCPA, PulsePoint may change this Addendum, if such change does not have a material adverse impact on Company, as reasonably determined by PulsePoint, with respect to exemptions from “sales” under the CCPA. The terms “business purpose”, “personal information”, “sale” and “service provider” as used in this Addendum have the meanings given in the CCPA. “Company Personal Information” means personal information that is processed by PulsePoint on behalf of Customer in PulsePoint’s provision of services. If there is any conflict or inconsistency between the terms of this Addendum and the remainder of the Agreement, the terms of this Addendum will govern.
1 January 2020