Data License Agreement

This Data License Agreement (“License Agreement”) is made part of an Order Form between Outlogic, LLC, a Virginia limited liability company (“Licensor”) and the customer or licensee identified in such Order Form (“Licensee”), by virtue of being attached to such Order Form or incorporated by reference through a URL link embedded in such Order Form, and sets forth additional terms and conditions relating to the provision and use of Licensed Data (defined below) licensed under such Order Form which the Licensor and Licensee agree to be bound by.  This License Agreement also forms a part of any additional Order Form that both Licensor and Licensee may execute and deliver from time to time which attaches this License Agreement or otherwise incorporates its terms by reference through a URL link embedded in such Order Form.  This License Agreement, all such Order Forms to which this License Agreement is a part (each, an “Order Form”), and all exhibits, annexes, appendices, addenda, and schedules hereto and thereto shall collectively be the “Agreement”.  Capitalized terms that are not defined in this License Agreement (or in an addendum or exhibit hereto) shall have the meanings given those terms under the Order Form.

1. Definitions.  As used in the Agreement, the following terms shall have the following meanings:

1.1 “Applicable Laws” means applicable laws, rules, regulations, treaties, regulatory guidelines and self-regulatory guidelines, including, without limitation, (a) the Self-Regulatory Principles of the Digital Advertising Alliance (“DAA”), the Codes of Conduct of the Network Advertising Initiative (“NAI”), and the Principles of the European Interactive Digital Alliance (“EDAA”), as each may be amended from time to time and (b) data protection and privacy laws applicable in the jurisdiction or jurisdictions where data is collected or held or otherwise processed, including the European Union General Data Protection Regulation 2016/679 (“GDPR”) and the California Consumer Privacy Act of 2018 (“CCPA”), in each case as amended from time to time and including the accompanying federal or state regulations related thereto.

1.2“Audience Segment” means a grouping of Users based on common interests or behaviors created in connection with Licensee’s use case or vertical identified in the respective Order Form.

1.3“EEA” or “European Economic Area” means the European Union, Switzerland and the United Kingdom.

1.4“Insights” means any analysis or research based on Licensed Data, alone or in combination with other data received from other sources, that is conducted or created in connection with Licensee’s use case or vertical identified in the respective Order Form.

1.5“Licensed Data” means the data and/or data productsspecified in one or more Order Forms executed by the parties hereto.

1.6“Personally Identifiable Information” means information that identifies or may be used to identify a particular individual, including, without limitation, name, address, email address, social security number, telephone number, social media user ID or handle, financial account number and government-issued identifier.

1.7“User” means a visitor to a website, mobile website, application or other digital property to which Licensed Data relates.

2. License.

2.1 Grant of Rights.  Subject to the restrictions in Section 2.3 belowand the other limitations set forth herein, Licensor hereby grants Licensee a limited, non-exclusive, non-transferable, non-sublicensable (except to the extent set forth in the Order Form), worldwide right and license to use the Licensed Data solely to create Audience Segments and Insights (the “Permitted Uses”).  If Licensee elects to receive Licensed Data via Licensor’s export application program interface (“Export API”), which election is reflected on one or more Order Forms, Licensor hereby grants Licensee a limited, non-exclusive, non-transferable, non-sublicenseable, worldwide right and license to use Licensor’s Export API to load up geospatial files to extract specific areas of Licensed Data.

2.2 Reserved Rights; Ownership.  The Licensed Data is licensed and not sold by Licensor to Licensee, and nothing in this License Agreement shall be construed as conferring upon Licensee any right, title or interest in or to the Licensed Data other than the limited use rights expressly granted hereunder.  As between the parties hereto, Licensor is the sole owner of the Licensed Data and any patents, copyrights, trademarks, trade secrets and any other proprietary rights associated with the Licensed Data. Subject to Licensee’s compliance with the terms of the Agreement, including, without limitation, Sections 2.3 and 4 of this License Agreement, Licensee shall be the sole owner of the Audience Segments and Insights created during the Term in compliance with the Agreement.  Licensee shall not, directly or indirectly, contest the validity of, or seek to register anywhere in the world, any rights in the Licensed Data.  Nothing in this License Agreement shall in any way restrict Licensor’s or its other customers’ use of the Licensed Data.

2.3 Restrictions.  Except as expressly set forth herein and in the applicable Order Form, Licensee shall not, directly or indirectly, and shall ensure that its permitted sublicensees (if applicable) do not:

(a)Use the Licensed Data for any purpose other than the Permitted Uses, including, without limitation, for the purpose of developing a standalone geo/IP targeting database or data product;

(b)Resell, sublicense, distribute or otherwise provide access to the Licensed Data in any form to any third party, including, without limitation, to those persons or entities identified as “Prohibited Parties” or similar designation in any Order Form;

(c)Copy, modify, adapt, translate, or prepare derivative works (other than Audience Segments and Insights) from the Licensed Data;

(d)Reverse engineer, disassemble, or decompile the Licensed Data in any form for any purpose, including, without limitation, to re-identify an anonymous user, such as by associating any Personally Identifiable Information obtained by third party data sources directly with the Licensed Data (including, without limitation, linking an advertiser ID, device ID or any other unique identifier with associated latitude/longitude coordinates to any Personally Identifiable Information);   

(e)Further license the Licensed Data alone in its raw and unaltered form or further license an advertiser ID (such as an IDFA or Android Ad ID), unless required for Licensee’s “AdTech” use case, as defined by and set forth in the respective Order Form(s);

(f)Use Licensed Data obtained from a User operating iOS version 14.5 or higher for the purpose of tracking such User’s activity across mobile applications and/or websites, unless the User has provided affirmative, opt-in consent to such usage;

(g)Further license, sublicense, distribute, use, market, or sell the Licensed Data, or information derived from Licensed Data (whether alone or combined with other third party data sources):

(i) to law enforcement agencies or to any governmental agency to be used for a law enforcement purpose;

(ii) for any unlawful tracking or unlawful surveillance;

(iii) to promote any illegal product or engage in any illegal purpose;

(iv) to associate any User, device or individual to create profiles or inferences related to social networks, health status or ailments, sexual orientation or activity, political activity or beliefs, or religious convictions;

(v) to associate any User, device or individual with any venue that is related to medical care, substance abuse or rehabilitation, mental health, family planning or pregnancy (or pregnancy termination);

(vi) for purposes related to political campaigns or fundraising; 

(vii) to make decisions about any individual’s eligibility for employment, health care, credit or insurance, or for any other purpose that is covered by the Fair Credit Reporting Act; or

(viii) in a manner that violates Applicable Laws, any contract into which Licensee has entered, or any privacy policy posted by Licensee.

2.4 Mapped Displays Prohibited.  Notwithstanding any provision herein or in any Order Form, Licensee agrees not to use and not to authorize or permit any entity (including any permitted sublicensees) to use any Licensed Data (in whole or in part) in a manner that makes available to the general public any display of population, traffic or movement patterns against a map, except (a) as confined to census-tract level display or (b) displayed by (i) a minimum data aggregation threshold of twenty-five (25) for the number of unique advertiser IDs (whether obfuscated or unobfuscated) or a unique identifier established by Licensor that is  required to underpin a reported value or distribution, and (ii) ensuring that the minimum data aggregation threshold value for an extrapolated estimate of the number of individuals related to a specific combination of location and time will be twenty-five (25).  Solely as an example (and without limitation), License shall not use Licensed Data to publicly display the fact or likelihood that an individual or device (regardless how represented or described, and whether or not identified or identifiable) has been located at or near a particular street, address, intersection or venue.  

2.5 Data Security.  Licensee acknowledges and agrees that it is solely responsible for the security of the Licensed Data and other Confidential Information of Licensor (collectively, the “Licensor Proprietary Data”) to the extent it resides on Licensee’s computer system, and Licensee shall use its best efforts to safeguard and to prevent unauthorized disclosure of the Licensor Proprietary Data.  Further, Licensee shall implement and maintain internal technical and procedural security measures that conform to industry best practices and are designed to (a) identify reasonably foreseeable threats and hazards to the security and confidentiality of the Licensor Proprietary Data and (b) protect the security and confidentiality of the Licensor Proprietary Data from such threats and hazards.  Licensee shall have in place and maintain appropriate processes and procedures that conform to industry practices and are designed to ensure that any data security breach involving the Licensor Proprietary Data (a “Security Incident”) is detected in a timely manner.  In the event of a Security Incident, Licensee shall notify Licensor within twelve (12) hours of becoming aware of it and provide to Licensor (within such timescales as Licensee requires) all support and information, necessary to enable Licensor to manage the Security Incident, mitigate the impact of the Security Incident and comply with its notification obligations set out in any Applicable Law.

3. Order Form.  The parties may enter into one or more Order Form(s) during the Term (defined below).  Upon execution and delivery by both parties, each Order Form will be deemed incorporated into the Agreement by reference.  In the event of any conflict between this License Agreement and an Order Form, the terms of this License Agreement shall govern, except (a) for fees payable, and (b) to the extent the Order Form expressly states that it should override this License Agreement and specifically identifies the overridden clause, in which case, the override applies only to that particular Order Form and not to other Order Forms.  

4. Fees and Payment.

4.1 Fee.  Licensee shall pay Licensor all amounts set forth in the applicable Order Form, without offset or deduction. 

4.2 Payment Terms.  Unless otherwise stated in the Order Form, fees calculated on a CPM basis will be invoiced (a) on or around the first of each following month; and (b) payment will be due regardless of the date of invoice on the 15th of the following month in which the Licensed Data is provided (“Variable Payment Terms”).  Fixed fees will be invoiced (x) on or around the first of each month; and (y) payment will be due regardless of the date of invoice on the 15th of the month in which the Licensed Data is provided (“Fixed Payment Terms”).  Payments shall be paid to Licensor with immediately available funds in United States Dollars by wire transfer or other method as mutually agreed by the parties.

4.3 Taxes.  The fees set forth in the Order Form and due hereunder are exclusive of any taxes, levies, duties or similar governmental assessments of any nature, including value-added, sales, use or withholding taxes (“Taxes”).  Licensee is solely responsible for paying all Taxes associated with its purchases hereunder.  If Licensor is legally required to pay or collect Taxes for which Licensee is responsible, Licensor shall invoice Licensee therefor and Licensee shall pay such amount; provided that, Licensor is solely responsible for Taxes on its income, property and employees.

4.4Late Payment.  Amounts not paid by Licensee on their due date will be subject to a delinquency charge on any outstanding balance, including accrued interest, at a rate of the lesser of (a) one and one-half percent (1.5%) per month and (b) the maximum rate permitted by Applicable Laws.  Failure to make timely payment shall be considered a material breach of this License Agreement.  Failure of Licensee to use the Licensed Data shall not affect the payments owed hereunder. 

5. Confidentiality

5.1 Confidential Information.  For purposes of this License Agreement, “Confidential Information” shall include all non-public, confidential or proprietary information disclosed by one party to the other, including, without limitation, the terms set forth in this License Agreement or any Order Form, the Licensed Data, and any information regarding a party’s business activities, operations, customers and vendors.  Confidential Information shall not include information that: (a) is already legitimately known to the other party at the time of disclosure without a breach of the License Agreement or the breach of a duty by any third party to keep such information confidential, (b) is or otherwise becomes available to the public other than by breach of this License Agreement by the receiving party, (c) was received without restriction from any person or entity that the receiving party reasonably believes was not in violation of any duty of non-disclosure, or (d) the receiving party developed independently without reference to or use of the Confidential Information received from the other party.

5.2 Restrictions; Permitted Disclosures.  Each party will use a reasonable standard of care to protect the Confidential Information of the other, and will use the other party’s Confidential Information only for purposes of the Agreement and only to the extent necessary for such purposes.  Neither party will disclose (whether orally or in writing, or by press release or otherwise) to any third party any Confidential Information of the other party, or any information with respect to the terms and provisions of the Agreement, except:

(a) To each party’s respective officers, directors, employees, subcontractors, auditors and attorneys who have a need to know such Confidential Information, in their capacity as such, are informed by such party of the confidential nature of the Confidential Information, and have a duty or obligation to comply with the non-use and non-disclosure terms herein that are applicable to such party; provided, however, that such party shall be responsible for any breach of the provisions of this Section committed by its officers, directors, employees, subcontractors, auditors or attorneys to the same extent as if such party committed such breach itself;

(b) To the extent strictly necessary (and then redacted to the greatest extent possible) to comply with a judicial or other governmental order or as may be required by Applicable Laws; provided, however, that a party so disclosing Confidential Information will give the other party as much advance notice as reasonably possible of any such disclosure so that such party may seek a protective order or other remedy;

(c) In order to exercise or enforce its rights under the Agreement, provided that prior to disclosure, such party will to the greatest extent reasonably possible seek confidential treatment of the information; or

(d) As mutually agreed by the parties in writing.

6. Privacy; Compliance.

6.1 Compliance.  Licensee shall not use the Licensed Data in violation of any Applicable Law, including, to the extent limited by Applicable Law, combining the Licensed Data with Personally Identifiable Information acquired by Licensee.  If the licensing of Licensed Data contemplated hereunder is subject to regulation under the GDPR, then the parties acknowledge and agree that (a) each party shall constitute a “Controller”, as defined by the GDPR, and (b) the additional terms and conditions set forth in the Data Processing Addendum attached hereto as Exhibit A shall apply and each party agrees to be bound thereby.  Licensee shall also delete and purge the Licensed Data on a periodic basis as further described in the applicable Order Form.

6.2 Privacy Policies. Each party shall prominently post a link on its website to a privacy policy, which shall comply with all Applicable Laws and in a legally sufficient manner describe: (a) the types of data it collects; (b) the material ways in which it uses and shares such data, and (c) how Users may opt out through mobile device settings.

6.3 Respect for User Preferences. Each party shall honor mobile opt-out signals. If Licensor transmits to Licensee any opt-out signals it receives through device settings (e.g., “LMT” signal, flag or integer) or in-app opt-out mechanisms, then Licensee shall not knowingly store or use for any purpose Licensed Data regarding any device that has opted out for commercial purposes (except for purposes of honoring suppression).

7. Representations and Warranties.

7.1 Mutual Representations.  Each party covenants, represents and warrants, as applicable, to the other that (a) it has the power and authority to enter into and perform its obligations under the Agreement, and (b) it shall comply with all Applicable Laws in connection with the provision or use of Licensed Data and the other activities contemplated hereunder, including, without limitation, those laws relating to User privacy, the collection, use, and sale of Personally Identifiable Information, and data security.

7.2 Disclaimer of Warranties.  EXCEPT AS EXPRESSLY SET FORTH HEREIN LICENSOR MAKES NO WARRANTIES OR REPRESENTATIONS OF ANY KIND, WHETHER EXPRESS, IMPLIED, ORAL OR STATUTORY, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE. LICENSOR DOES NOT MAKE ANY REPRESENTATION OR WARRANTIES REGARDING THE BENEFIT THAT MAY BE OBTAINED FROM USE OF THE LICENSED DATA OR THAT THE LICENSED DATA MAY BE ERROR-FREE. THE LICENSED DATA IS PROVIDED STRICTLY ON AN “AS IS” AND “AS AVAILABLE” BASIS.

8. Term; Termination.

8.1 Term.  This License Agreement shall be in effect as of the effective date of the first Order Form entered into hereunder and shall continue until all Order Forms hereunder have terminated or expired.  Each Order Form shall set forth an initial term for the Licensed Data provided under that Order Form (the “Initial Term”) and shall be subject to renewal as set forth in such Order Form (each such renewal period, a “Renewal Term”, and together with the Initial Term, the “Term”).

8.2 Termination.   In addition, either party may terminate this License Agreement or any Order Form (a) upon immediate written notice if the other party commits a material breach of this License Agreement or the Order Form and fails to cure the breach within thirty (30) days of receiving notice thereof from the non-breaching party; and (b) upon immediate written notice if the other party becomes insolvent, files a voluntary petition in bankruptcy or has an involuntary petition filed against it that is not dismissed within sixty (60) days after filing, makes arrangements for the benefit of creditors, has a receiver or trustee appointed for the benefit of its creditors, or initiates reorganization proceedings or takes any step toward liquidation.  Without limiting the definition of a material breach, Licensee’s failure to pay any amount due hereunder shall constitute a material breach of this License Agreement.  Without limiting the foregoing, Licensor may either suspend the provision of Licensed Data or terminate any Order Form or this License Agreement, in its sole discretion and without liability to Licensee, immediately upon written notice if: (w) Licensee violates or threatens to violate the terms of Section 2 or Section 5, including, without limitation, by providing the Licensed Data to persons or entities included on any “Prohibited Parties” list or similar list included in an Order Form, (x) Licensor is directed or ordered to do so by any regulatory or supervisory authority, (y) Licensor reasonably determines that the suspension or termination is necessary to comply with any change in Applicable Laws (including, without limitation, any guidelines, regulations or opinions issued by a regulatory or supervisory authority), or (z) third party platform provider agreements to which Licensor or any of its data suppliers is a party are implemented, revised, amended, updated or otherwise modified such that Licensor, in its sole discretion, reasonably believes it can no longer continue to provide some or all of the Licensed Data in accordance with its obligations under the Agreement.

8.3 Effect of Termination. If this License Agreement is terminated, the Agreement and all Order Forms then in effect shall also terminate, but if an Order Form expires or is terminated, this License Agreement and any other Order Forms then in effect shall continue in accordance with their terms.  Upon termination or expiration of an Order Form for any reason, (a) all rights and licenses of Licensee to use the Licensed Data provided under such Order Form shall immediately cease, (b) Licensee shall make no further use of the Licensed Data and shall immediately completely and permanently purge and erase all copies of the Licensed Data under Licensee’s control and require any sublicensees to do the same; provided that, Licensee may retain any Audience Segments and Insights created prior to the termination or expiration, and (c) any amounts outstanding shall become immediately due and payable.  Termination or expiration of this License Agreement or any Order Form shall be without prejudice to any other right or remedy that it may have at law or in equity and will not relieve either party from liability arising from a breach, act or omission occurring prior to the effective date of such termination or expiration.

9. Indemnification

9.1 Licensee.  Licensee shall indemnify, defend and hold harmless Licensor and its affiliates and their respective officers, directors, members, employees and agents (“Licensor Indemnified Parties”) from and against any and all claims, proceedings and demands asserted or alleged against a Licensor Indemnified Party by any third party, and from and against any damages, liabilities, losses, costs and expenses, including reasonable legal fees, arising in connection therewith, that arise out of or relate to (a) Licensee’s or its permitted sublicensee’s use of the Licensed Data in breach of this Agreement or Applicable Law, (b) breach of any representation, warranty or covenant or other term of the Agreement by Licensee, or (c) any allegation that the Audience Segments, Insights or other Licensee information or products infringe, violate, dilute, or misappropriate any copyright, trade secret, patent, trademark, database rights, or other intellectual property or proprietary rights of a third party; provided, however, that Licensee shall not have any obligation to indemnify, defend, or hold harmless any Licensor Indemnified Party from or against, and Licensee shall not have any liability for, any claims, proceedings, demands, damages, liabilities, losses, costs, or expenses to the extent resulting from any breach of the Agreement, violation of law, negligence, or willful misconduct, in each case, on the part of any Licensor Indemnified Party.

9.2 Licensor.  Licensor shall indemnify, defend and hold harmless Licensee and its affiliates and their respective officers, directors, members, employees and agents (“Licensee Indemnified Parties”) from and against any and all claims, proceedings and demands asserted or alleged against a Licensee Indemnified Party by any third party, and from and against any damages, liabilities, losses, costs and expenses, including reasonable legal fees, arising in connection with such third party claim, that arise out of or relate to any allegation that the Licensed Data infringe, violate, dilute, or misappropriate any copyright, trade secret, patent, trademark, database rights, or other intellectual property or proprietary rights of a third party; provided, however, that Licensor shall not have any obligation to indemnify, defend, or hold harmless any Licensee Indemnified Party from or against, and Licensor shall not have any liability for, any claims, proceedings, demands, damages, liabilities, losses, costs, or expenses to the extent resulting from any breach of the Agreement, violation of law, negligence, or willful misconduct, in each case, on the part of any Licensee Indemnified Party.

9.3 Procedure.  The person or entity entitled to indemnification under this Section 9 (“Indemnified Party”) agrees that the party obligated to provide such indemnification (“Indemnifying Party”) may assume sole and exclusive control over the defense and settlement of any claim with respect to which the foregoing indemnity obligations apply.  The Indemnified Party shall promptly notify the Indemnifying Party of any claim against it of which it becomes aware; provided that, Indemnified Party’s failure to provide timely notice will not relieve the Indemnifying Party of any liability that it may have to any Indemnified Party, except to the extent that the Indemnifying Party demonstrates that the Indemnifying Party is actually and materially prejudiced by the Indemnified Party’s failure to give such notice.  The Indemnified Party shall provide reasonable cooperation to the Indemnifying Party in connection with the defense or settlement of any such claim.  The Indemnified Party shall be entitled to participate in the defense of any such claim at its sole cost and expense, but neither party may agree to any settlement with respect to such claim or consent to the entry of any judgment in connection with such claim without the prior written consent of the other party, which consent shall not be unreasonably withheld, conditioned or delayed. 

10. Limitation of Liability.  EXCEPT FOR LIABILITY IN RESPECT OF THE INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION 9 OR DAMAGES RESULTING FROM GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, A PARTY’S BREACH OF CONFIDENTIALITY OBLIGATIONS UNDER SECTION 5, OR A BREACH OF SECTION 2 (EXCLUSIVE OF SUBSECTION 2.5) BY LICENSEE OR ITS PERMITTED SUBLICENSEES (“EXCLUDED DAMAGES”), IN NO EVENT SHALL A PARTY BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF REVENUE AND/OR PROFIT AND WHETHER OR NOT FORESEEABLE), ARISING OUT OF THE AGREEMENT, REGARDLESS OF WHETHER THE LIABILITY IS BASED ON BREACH OF CONTRACT, TORT, STRICT LIABILITY, BREACH OF WARRANTIES OR OTHERWISE, AND EVEN IF THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF THOSE DAMAGES.  EXCEPT FOR EXCLUDED DAMAGES, IN NO EVENT SHALL EITHER PARTY’S TOTAL LIABILITY UNDER THE AGREEMENT EXCEED THE AGGREGATE FEES PAID UNDER THE AGREEMENT FOR THE SIX (6) MONTH PERIOD PRECEDING THE DATE THE APPLICABLE LIABILITY FIRST AROSE.  NOTWITHSTANDING THE FOREGOING, LICENSEE’S OBLIGATION TO PAY FEES AND ANY OTHER AMOUNTS DUE TO LICENSOR PURSUANT TO THE AGREEMENT SHALL BE EXCLUDED FROM ALL LIMITATIONS ON LIABILITY AND REMAIN AN INDEPENDENT OBLIGATION UNTIL PAID IN FULL.

11. Audit.

11.1 Licensor.  During the Term Licensee shall have the right upon reasonable prior written notice, but no more often than bi-annually, to request to inspect and audit the consent language presented by certain of Licensor’s data providers to Users solely to verify Licensor’s compliance with the terms and conditions of the Agreement and Applicable Laws.  Licensor shall use commercially reasonable efforts to respond to all audit requests within thirty (30) days of receipt of written notice thereof; provided that, in the event that Licensor is unable to respond to such audit request without disclosing the identity of one or more of Licensor’s data providers, Licensor shall not be obligated to fulfill the audit request, and Licensor shall not have any obligation to disclose to Licensee the identities of any of Licensor’s data providers as part of such audit.  All costs and expenses of such audit shall be paid by Licensee.  Any information provided in connection with such audit shall constitute “Confidential Information” of Licensor under this License Agreement.   

11.2 Licensee.  Licensee shall keep accurate and complete records regarding the activities contemplated hereunder, including, without limitation, information regarding use of the Licensed Data.  During the Term and for a period of two (2) years thereafter, Licensor shall have the right upon reasonable prior notice to, or to cause an independent third party to, inspect, audit and copy such records and Licensee’s systems solely to verify Licensee’s compliance with the terms and conditions of this Agreement and Applicable Laws.  All costs and expenses of such audit shall be paid by Licensor, unless (a) the audit reveals an underpayment of more than three percent (3%) for any invoice period, in which case Licensee shall (i) promptly reimburse Licensor for all reasonable out-of-pocket costs and expenses related to the audit, and (ii) immediately pay Licensor  the underpaid amount with interest in accordance with Section 4.4 of this License Agreement from the date such amount is due until the date such amount is paid in full, or (b) the audit reveals a violation of the terms and conditions of this Agreement or any Applicable Law by Licensee or its permitted sublicensees, in which case Licensee shall promptly reimburse Licensor for all reasonable out-of-pocket costs and expenses related to the audit.

12. Miscellaneous.

12.1 Governing Law; Venue.  The Agreement will be governed by and construed in accordance with the laws of the State of Delaware, U.S.A., as it applies to contracts made and performed in such state and, to the extent applicable, the intellectual property laws of the United States.  The Agreement shall not be governed by the United Nations Convention on Contracts for the Sale of International Goods, the application of which is expressly excluded by the parties.  Each party irrevocably consents to the exclusive jurisdiction and venue of the Delaware Court of Chancery and any state appellate court therefrom within the State of Delaware (or, only if the Delaware Court of Chancery declines to accept jurisdiction over a particular matter, any state or federal court within the State of Delaware) in connection with any dispute, claim or controversy arising out of or relating to the Agreement, and waives any objections in the nature of jurisdiction or venue.

12.2 Independent Contractors.  Licensor and Licensee are, and shall be deemed to be, independent contractors under the Agreement, and nothing herein shall be construed to create a joint venture, partnership, agency, franchise or fiduciary relationship between them.  Neither party has any authority to enter into agreements of any kind on behalf of the other party, and neither party will attempt to or will create any representation or warranty or other obligation, express or implied, on behalf of the other party.

12.3 Survival.  The provisions of Sections 2.3, 5, 8, 10, 11.2, and 12 shall survive any expiration or termination of the Agreement.

12.4 Remedies.  Licensee acknowledges and agrees that a breach of Section 2 or Section 5 by Licensee or its permitted sublicensees would subject Licensor to irreparable harm for which there would be no adequate remedy at law and, therefore, in the event of any actual or threatened breach of Section 2 or Section 5, Licensor shall be entitled to equitable relief, including injunctive relief and specific performance, without any requirement to post any bond or security or prove the inadequacy of any monetary remedy at law.

12.5 Publicity.  The parties shall consult with each other before issuing any press release or other similar public statements incorporating Licensed Data in connection with the Permitted Uses (including the subject matter of this Agreement) and shall not issue any such press release or make any such public statements without the prior written consent of the other party, which may be provided via electronic mail. Notwithstanding the foregoing, (i) either party may, without the prior consent of the other party make such public statements or third party disclosures as may be required by any applicable law, rules, or regulations; and (ii) Licensor may disclose Licensee’s publicly available information, including, but not limited to, Licensee’s business name and privacy policy (where applicable) on Licensor’s Trusted Partner List in compliance with Applicable Laws, which Trusted Partner List shall be made available only to Users.

12.6 Severability.  In the event that any one or more of the provisions contained in the Agreement shall for any reason be held to be invalid, illegal or unenforceable in any respect, such invalidity, illegality or unenforceability shall not affect any other provision of the Agreement, and both parties shall negotiate in good faith to substitute for such invalid, illegal, or unenforceable provision a mutually acceptable provision that is consistent with the original intent of the parties.

12.7 Modification and Waiver.  The Agreement may be modified by a written document signed by an authorized representative of each party.  In addition, Licensor may, at any time and from time to time during the Term, propose amendments or modifications to the Agreement by delivering to Licensee written notice of Licensor’s proposed amendment and modification, which notice shall identify the sections or paragraphs hereof that are being amended.  If Licensee does not object to such amendment or modification by delivery to Licensor written notice of objection within thirty (30) days after Licensor delivers to Licensee notice of the proposed amendment, then such amendment or modification will be deemed accepted and agreed to by Licensee, and the Agreement shall be automatically amended to include such amendment or modification without any further action by the parties.  If Licensee validly and timely objects to the proposed amendment or modification in accordance with the preceding sentence, then Licensee and Licensor will endeavor to negotiate a mutually acceptable amendment or modification in good faith.  A waiver by either party of its rights hereunder shall not be binding unless contained in a writing signed by an authorized representative of the party waiving its rights.  Further, the non-enforcement or waiver of any provision of the Agreement on one occasion shall not constitute a waiver of such provision on any other occasion unless expressly so agreed in writing.  It is agreed that no use of trade or other regular practice or method of dealing between the parties hereto shall be used to modify, interpret, supplement, or alter in any manner the terms of the Agreement.  The parties acknowledge and agree that each person or entity that is entitled to indemnification under Section 9 which is not a party to this License Agreement is an express third party beneficiary of its terms.

12.8 Assignment.  Licensee shall not assign or otherwise transfer the Agreement or any rights or obligations hereunder without the prior written consent of Licensor.  Licensor may assign or transfer the Agreement or any of its rights or obligations hereunder to an affiliate or in connection with a sale of assets or all or part of the business of Licensor without the prior written consent of Licensee. The Agreement shall be binding upon and inure to the benefit of the parties and their respective successors and permitted assigns.

12.9 Notices.  All notices or other communications required to be given hereunder shall be in writing and delivered to the applicable party at its mailing address, e-mail address, or facsimile number specified on the Order Form (or as such party may hereafter specify for that purpose by notice to the other party).  All notices shall be deemed delivered if delivered as indicated:  (a) by personal delivery, (b) by overnight courier upon written verification of receipt, (c) by email upon delivery (except that if such delivery is after normal business hours, such email will be deemed delivered on the following business day), (d) by facsimile transmission upon confirmation of receipt, or (e) by certified or registered mail, return receipt requested, upon verification of receipt.  All notices shall be effective upon delivery as provided herein.

12.10 Entire Agreement.  The Agreement, including the exhibits hereto, the Order Form, and any amendments hereto and thereto, embodies the entire understanding and agreement of the parties hereto with respect to the subject matter hereof and supersedes all prior and contemporaneous written or oral agreements. 

12.11 Counterparts.  Each Order Form and any amendment thereof may be executed in any number of counterparts, including via facsimile, PDF transmission, and/or electronic signatures, each of which, when so executed and delivered, shall be deemed to be an original and all of which taken together shall constitute one and the same instrument.  In producing an Order Form, it shall not be necessary to produce or account for more than one such counterpart signed/accepted by the party against whom enforcement is sought.

 


 EXHIBIT A

Data Processing Addendum

This Data Processing Addendum, including any appendices or annexes attached hereto, (DPA) is made part of the Data License Agreement and Order Form between Outlogic, LLC (Provider) and the customer or licensee identified in such Order Form (such customer or licensee, Customer, and the Order Form and License Agreement, collectively, the “Agreement), pursuant to which Provider transfers Personal Data (as defined herein) to and shares Personal Data with the Customer, as further described in the Agreement and in this DPA.  The parties agree to comply with the following provisions with respect to Personal Data provided or made available by Provider to the Customer.  This DPA relates only to Personal Data provided or made available by Provider to the Customer and the parties agree and acknowledge that nothing in this DPA creates or adds any rights or obligations for either party for any other data. 
References to the “Agreement” will be construed as including this DPA, and, except as modified below, the terms of the Agreement shall remain in full force and effect.  Reference to the “Agreement” includes any Order Forms, exhibits, annexes or other documentation incorporated into the Agreement.  Any capitalized terms not defined herein shall have the meanings given to them in the Agreement.  In the event of a conflict or inconsistency regarding the Processing of Personal Data between this DPA and the Agreement, this DPA will prevail. To the extent any provisions in the Standard Contractual Clauses in Appendix A of this DPA conflict with any provisions elsewhere in the DPA or the Agreement, the Standard Contractual Clauses in Appendix A shall govern.
For purposes of this DPA, and as further described below, the parties (1) acknowledge that each party is a Controller (as defined herein) of the Personal Data that it collects, Processes, or employs to deliver its services; and (2) agree that the Controller to Controller Standard Contractual Clauses as laid out in Appendix A form a part of this DPA.   

1. DEFINITIONS

“Controller” means the entity that determines the purposes and means of the Processing of Personal Data.   For purposes of this DPA, each party is a Controller of the Personal Data that it collects, Processes or employs to deliver its services, absent a further amendment that sets forth circumstances in which either party is a Processor.

“Processor” means an entity that Processes Personal Data on behalf of a Controller.  

“Data Protection Laws” means all laws and regulations, including, without limitation, laws and regulations of the EU applicable to the Processing of Personal Data, such as:  (i) prior to 25 May 2018, the EU Data Protection Directive (Directive 95/46/EC); (ii) on and after 25 May 2018, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC), including subsequent variations, such as the Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (“ePrivacy Regulation”), if enacted; and (iv) any national data protection laws made under or pursuant to (i), (ii) or (iii).

“Data Subject” means the individual to whom Personal Data relates.

Standard Contractual Clauses” shall mean the Standard Contractual Clauses for the Transfer of Personal Data to Controller as set out in EU Commission Decision 2004/915/ECC currently available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en ) as well as any new laws, rules, regulations, and/or contracts that replace, supersede, or are required to be implemented in connection with the Standard Contractual Clauses.

“Personal Data” means any information relating to an identified or identifiable person processed pursuant to the Agreement and as to which a party is a Controller.  The types of Personal Data and categories of Data Subjects Processed under this DPA are set forth in Appendix A attached hereto.    

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Processing” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning). For avoidance of doubt, the term “Processing” is intended to describe such operations whether the entity performing such operations is deemed (or deems itself) a Controller or a Processor. 

Transfer” means the access by, transfer or delivery to, or disclosure of Personal Data to a person, entity or system located in a country or jurisdiction other than the country or jurisdiction where the Personal Data originated from.

2. PURPOSE OF PROCESSING

    2.1 Provider and Customer are parties to the Agreement, under which Provider provides Personal Data to Customer.  Provider and Customer each shall Transfer and Process such Personal Data only for the purposes described in the Agreement and this DPA.  

    2.2 The parties agree that Customer may Process the Personal Data for its own purposes, which may include providing services for the benefit of other platforms and clients, to the extent set forth in the License Agreement or other agreements between the parties. 

    2.3 Neither party shall Process special categories of personal data or criminal conviction data as defined by Data Protection Laws under or pursuant to the Agreement.

    2.4 Neither party shall provide the other party with any special categories of personal data or criminal conviction data as defined by Data Protection Laws.

3. CONTROLLER OBLIGATIONS

4. PRIVACY POLICY DISCLOSURES

    4.1 Each party shall post a privacy notice on its website, mobile application, or where otherwise appropriate, that is in compliance with Data Protection Laws, reflects the nature of the relationship and Transfer of data between the parties, describes how data subjects may exercise their applicable rights (including as applicable a right to withdrawal of consent) and identifies a contact point for Data Subjects

    4.2 Customer shall authorize Providerer to disclose Customer’s publicly available information, including but not limited to Customer’s business name and privacy policy (where applicable) to reflect the nature of the data Transfer relationship on Provider’s Trusted Partner List in compliance with Data Protection Laws.

5. OBLIGATIONS SPECIFIC TO OBTAINING CONSENT FROM DATA SUBJECTS

     5.1 Customer uses mobile device identifiers and geolocation data (“Device Data”) to provide its services, such as tracking for advertising and data analytics.  Provider shall, and as applicable shall contractually require its data sources to, implement appropriate notice and consent mechanisms upon their digital properties so that Customer can capture applicable Personal Data lawfully through applicable mobile applications in order to perform its services under the Agreement, and engage in further commercially reasonable measures to ensure that such consent is obtained. 

    5.2 Each party shall honour mobile opt-out signals it receives through (i) device settings (e.g., LMT=1); or (ii) in-app opt-out mechanisms (“Opt-Out Mechanism”), and Customer shall not knowingly collect or use for commercial purposes (except for purposes of honouring suppression) Device Data regarding any device that has opted out through an Opt-Out Mechanism.  

    5.3 Upon the development of an industry standard in-app consent mechanism (such as an in-app consent mechanism developed by the Interactive Advertising Bureau (IAB)), each party shall make good faith efforts to deploy, list itself in, or otherwise comply with such mechanism and related consent standards.  The parties shall cooperate in good faith regarding the deployment of any such mechanism.

6. INDEMNITY

    6.1 Each party (“Indemnifying Party”) shall indemnify and hold harmless the other party (“Indemnified Party”), its officers, directors, employees, contractors, and agents from and against all claims, liabilities, administrative fines, suits, judgments, actions, investigations, settlements, penalties, fines, damages and losses, demands, costs, expenses, and fees including reasonable attorneys’ fees and expenses, arising out of or in connection with any claims, demands, investigations, proceedings, or actions (a “Claim”) brought by Data Subjects, legal persons (e.g., corporations and organizations), or supervisory authorities under the Data Protection Laws, where such Claim arises from (a) the Indemnifying Party’s breach of any covenant, representation or warranty herein, or (b) the Indemnifying Party’s Processing of any Personal Data, exclusive, however, of any Claim regarding the sufficiency of consent obtained by either party on behalf of the other.    

    6.2 Such indemnification shall be contingent upon the Indemnified Party notifying the Indemnifying Party of such Claim in a prompt manner upon learning of such Claim, and Indemnified Party reasonably cooperating with Indemnifying Party as to such Claim including provision of all relevant materials to Indemnifying Party.  Indemnifying Party shall be entitled to control such litigation, including as to choice of litigation counsel. 

7. SECURITY

    7.1 Each party will implement and maintain security measures for protection of the security, confidentiality and integrity of Personal Data, including all measures required pursuant to Article 32 of the GDPR.

    7.2 Pursuant to Article 28, Section 3(c) of the GDPR, each party will ensure (and contractually require) that any Processors with which it contracts take all measures required pursuant to Article 32 of the GDPR.

    7.3 Each party will immediately notify the other party if it becomes aware of any advance in technology and methods of working, which indicate the parties should adjust their security measures. 

    7.4 Each party shall promptly notify the other party if it becomes aware of any Personal Data Breach relating to the Processing of Personal Data pursuant to the Agreement.

    7.5 Immediately following any Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Each party will reasonably co-operate with the other party in its handling of the matter. 

    7.6 Each party will not inform any third party of any Personal Data Breach without first obtaining the other party’s prior written consent, except when law or regulation requires it.

8. TRANSFERS OF PERSONAL DATA

    8.1 To the extent the Processing of Personal Data involves a Transfer, including if Provider and Customer Transfer Personal Data through its affiliates, subcontractors or other third parties, and such Transfers of Personal Data originated from the European Economic Area (“EEA”), Switzerland, the United Kingdom (“UK”) or other countries or jurisdictions recognizing EU Directive 95/46/EC, each party represents and warrants that its Processing and/or Transfer of Personal Data does and will comply with applicable Data Protection Laws. 

    8.2 The Customer and the Provider hereby authorise each other to transfer Personal Data for the purposes referred to in the Agreement to recipients outside of the UK and the EEA provided that:

    (a)the party transferring the Personal Data shall take all necessary steps to ensure that transfers of Personal Data outside the UK and the EEA are effected by way of valid adequacy mechanisms recognised under UK and European Union law that ensure appropriate safeguards are in place for the Personal Data;

    (b)the party transferring the Personal Data shall maintain accurate and comprehensive records of all transfers of Personal Data outside of the UK and the EEA and shall document the adequacy mechanism relied upon in each case;

    (c)the party transferring the Personal Data shall take all necessary steps to ensure that the recipient of the Personal Data can comply with the adequacy mechanism relied upon, including (without limitation) by carrying out and documenting due diligence on all recipients of Personal Data prior to any transfer occurring;

    (d)if the adequacy mechanism relied upon becomes invalid or if the recipient of the Personal Data is not able to comply with the requirements of the adequacy mechanism due to local laws or for any other reason, the party transferring the Personal Data shall immediately stop all transfers of Personal Data to the relevant recipient and shall either put in place an alternative adequacy mechanism to the reasonable satisfaction of the other party or demand immediate return of all Personal Data from that recipient; and

    (e)upon request, the party transferring the Personal Data shall provide evidence of compliance with the obligations set out in this section.

    8.3 The provisions of this DPA shall constitute the parties’ instructions with respect to transfers of Personal Data for the purposes of the Agreement.

    8.4 Without limitation of the foregoing provisions of this Section 8, upon signing the DPA, the parties have entered into the attached Standard Contract Clauses in Appendix A, which is attached hereto and hereby incorporated by reference.

9. MISCELLANEOUS PROVISIONS

    9.1 Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.

    9.2 This DPA takes effect as of the Effective Date and shall remain in effect during the existence of the Agreement.  All provisions of the DPA will remain in force with respect to Personal Data that is transferred between the parties regardless of the existence of the Agreement as long as that data remains in the recipient’s possession in a form where it is considered Personal Data.  Without prejudice the remedies as set forth elsewhere herein or in the Agreement, if either party violates this Agreement, the other is entitled to terminate this Agreement in its sole discretion and without any extra costs of expenses (provided any payments due and owing shall remain so).

    9.3 Customer and Provider each mutually represent and warrant that (i) the person entering into this DPA on its respective behalf has the legal authority to bind such party, and (ii) it has right, power, and authority to (a) enter into this DPA, (b) make the representations and warranties contained herein, and (c) commit to and perform the respective duties, obligations and covenants set forth hereunder.

 



APPENDIX A TO DATA PROCESSING ADDENDUM

Standard Contractual Clauses – Controller to Controller

Standard contractual clauses for the transfer of personal data from the Community to third countries (Controller to Controller transfers) by and between Outlogic, LLC, P.O. Box 1724, Arlington, VA 22216 (hereinafter “Data exporter”) and the customer or licensee referenced in the Order Form to which the Data Processing Addendum is attached or which incorporates such Data Processing Addendum by reference (hereinafter “Data importer”). 

Definitions
For the purposes of the clauses:

personal data”, “special categories of data/sensitive data”, “process/processing”, “controller”, “processor”, “data subject” and “supervisory authority/authority” shall have the same meaning as in Directive 95/46/EC of 24 October 1995 (whereby “the authority” shall mean the competent data protection authority in the territory in which the data exporter is established);

the data exporter” shall mean the controller who transfers the personal data;

the data importer” shall mean the controller who agrees to receive from the data exporter personal data for further processing in accordance with the terms of these clauses and who is not subject to a third country’s system ensuring adequate protection;

clauses” shall mean these contractual clauses, which are a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.

The details of the transfer (as well as the personal data covered) are specified in Annex B, which forms an integral part of the clauses.

I. Obligations of the data exporter:

The data exporter warrants and undertakes that:

    (a)The personal data have been collected, processed and transferred in accordance with the laws applicable to the data exporter.

    (b) It has used reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses.

    (c) It will provide the data importer, when so requested, with copies of relevant data protection laws or references to them (where relevant, and not including legal advice) of the country in which the data exporter is established.

    (d) It will respond to enquiries from data subjects and the authority concerning processing of the personal data by the data importer, unless the parties have agreed that the data importer will so respond, in which case the data exporter will still respond to the extent reasonably possible and with the information reasonably available to it if the data importer is unwilling or unable to respond. Responses will be made within a reasonable time

    (e) It will make available, upon request, a copy of the clauses to data subjects who are third party beneficiaries under clause III, unless the clauses contain confidential information, in which case it may remove such information. Where information is removed, the data exporter shall inform data subjects in writing of the reason for removal and of their right to draw the removal to the attention of the authority. However, the data exporter shall abide by a decision of the authority regarding access to the full text of the clauses by data subjects, as long as data subjects have agreed to respect the confidentiality of the confidential information removed. The data exporter shall also provide a copy of the clauses to the authority where required.

II. Obligations of the data importer:

The data importer warrants and undertakes that:

    (a) It will have in place appropriate technical and organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.

    (b) It will have in place procedures so that any third party it authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorised or required by law or regulation to have access to the personal data.

    (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws.

    (d) It will process the personal data for purposes described in Annex B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses.

    (e) It will identify to the data exporter a contact point within its organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e).

    (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under clause III (which may include insurance coverage).

    (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion.

    (h) It will process the personal data in accordance with the data processing principles set forth in Annex A.

    (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area (EEA) unless it notifies the data exporter about the transfer and the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection.

III. Liability and third party rights

    (a)Each party shall be liable to the other parties for damages it causes by any breach of these clauses. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party shall be liable to data subjects for damages it causes by any breach of third party rights under these clauses. This does not affect the liability of the data exporter under its data protection law.

    (b)The parties agree that a data subject shall have the right to enforce as a third party beneficiary this clause and clauses I(b), I(d), I(e), II(a), II(c), II(d), II(e), II(h), II(i), III(a), V, VI(d) and VII against the data importer or the data exporter, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in the data exporter’s country of establishment. In cases involving allegations of breach by the data importer, the data subject must first request the data exporter to take appropriate action to enforce his rights against the data importer; if the data exporter does not take such action within a reasonable period (which under normal circumstances would be one month), the data subject may then enforce his rights against the data importer directly. A data subject is entitled to proceed directly against a data exporter that has failed to use reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses (the data exporter shall have the burden to prove that it took reasonable efforts).

IV. Law applicable to the clauses

These clauses shall be governed by the law of the country in which the data exporter is established, with the exception of the laws and regulations relating to processing of the personal data by the data importer under clause II(h), which shall apply only if so selected by the data importer under that clause.

V. Resolution of disputes with data subjects or the authority

    (a) In the event of a dispute or claim brought by a data subject or the authority concerning the processing of the personal data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.

    (b) The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.

    (c) Each party shall abide by a decision of a competent court of the data exporter’s country of establishment or of the authority which is final and against which no further appeal is possible.

VI. Termination

    (a)In the event that the data importer is in breach of its obligations under these clauses, then the data exporter may temporarily suspend the transfer of personal data to the data importer until the breach is repaired or the contract is terminated.

    (b)In the event that:

    i. the transfer of personal data to the data importer has been temporarily suspended by the data exporter for longer than one month pursuant to paragraph (a);

    ii. compliance by the data importer with these clauses would put it in breach of its legal or regulatory obligations in the country of import;

    iii. the data importer is in substantial or persistent breach of any warranties or undertakings given by it under these clauses;

    iv. a final decision against which no further appeal is possible of a competent court of the data exporter’s country of establishment or of the authority rules that there has been a breach of the clauses by the data importer or the data exporter; or

    v. a petition is presented for the administration or winding up of the data importer, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the data importer is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs then the data exporter, without prejudice to any other rights which it may have against the data importer, shall be entitled to terminate these clauses, in which case the authority shall be informed where required. In cases covered by (i), (ii), or (iv) above the data importer may also terminate these clauses.

    (c) Either party may terminate these clauses if (i) any Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC (or any superseding text) is issued in relation to the country (or a sector thereof) to which the data is transferred and processed by the data importer, or (ii) Directive 95/46/EC (or any superseding text) becomes directly applicable in such country.

    (d) The parties agree that the termination of these clauses at any time, in any circumstances and for whatever reason (except for termination under clause VI(c)) does not exempt them from the obligations and/or conditions under the clauses as regards the processing of the personal data transferred.

 

IV. Variation of these clauses

The parties may not modify these clauses except to update any information in Annex B, in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial clauses where required.

V. Description of the Transfer

The details of the transfer and of the personal data are specified in Annex B. The parties agree that Annex B may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency, or as required under clause I(e). The parties may execute additional annexes to cover additional transfers, which will be submitted to the authority where required. Annex B may, in the alternative, be drafted to cover multiple transfers.



Annex A to Standard Contractual Clauses

Data Processing Principles

1. Purpose limitation: Personal data may be processed and subsequently used or further communicated only for purposes described in Annex B or subsequently authorised by the data subject.

2. Data quality and proportionality: Personal data must be accurate and, where necessary, kept up to date. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.

3. Transparency: Data subjects must be provided with information necessary to ensure fair processing (such as information about the purposes of processing and about the transfer), unless such information has already been given by the data exporter.

4. Security and confidentiality: Technical and organisational security measures must be taken by the data controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller.

5. Rights of access, rectification, deletion and objection: As provided in Article 12 of Directive 95/46/EC, data subjects must, whether directly or via a third party, be provided with the personal information about them that an organisation holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the data exporter. Provided that the authority has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the data importer or other organisations dealing with the data importer and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. Data subjects must be able to have the personal information about them rectified, amended, or deleted where it is inaccurate or processed against these principles. If there are compelling grounds to doubt the legitimacy of the request, the organisation may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed need not be made when this involves a disproportionate effort. A data subject must also be able to object to the processing of the personal data relating to him if there are compelling legitimate grounds relating to his particular situation. The burden of proof for any refusal rests on the data importer, and the data subject may always challenge a refusal before the authority.

6. Sensitive data: The data importer shall take such additional measures (e.g. relating to security) as are necessary to protect such sensitive data in accordance with its obligations under clause II.

7. Data used for marketing purposes: Where data are processed for the purposes of direct marketing, effective procedures should exist allowing the data subject at any time to “opt-out” from having his data used for such purposes.

8. Automated decisions: For purposes hereof “automated decision” shall mean a decision by the data exporter or the data importer which produces legal effects concerning a data subject or significantly affects a data subject and which is based solely on automated processing of personal data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. The data importer shall not make any automated decisions concerning data subjects, except when:

(a)            

(i) such decisions are made by the data importer in entering into or performing a contract with the data subject, and
(ii) (the data subject is given an opportunity to discuss the results of a relevant automated decision with a representative of the parties making such decision or otherwise to make representations to that parties; or

(b) where otherwise provided by the law of the data exporter.



Annex B to Standard Contractual Clauses

Description of the Transfer

Data Subjects: The personal data transferred may include the following categories of data subjects:

  • End User of data exporter’s mobile applications or other properties
  • End Users of data exporter’s customers’ mobile applications or other properties

Purposes of the Transfer(s): The transfer is made for the following purposes:

  • The data exporter providing data importer with Precise Location Data, Relative Location Data, Unique Device Identifiers, Time and Date Information, IP Addresses,  and related information, to facilitate tracking for digital advertising and data analytics or other licensed use cases set forth in the underlying agreements between the parties.

Categories of Data: The personal data transferred concern the following categories of data:

  • Precise Location Data
  • Relative Location Data
  • Unique Device Identifiers
  • Time and Date Information
  • IP Addresses

Recipients: The personal data transferred may be disclosed only to the following recipients or categories of recipients:

  • Transfer of personal data is limited to the data importer.

Sensitive Data: The personal data transferred concern the following categories of sensitive data

  • Not applicable

Data Protection Registration Information of Data Exporter (where applicable):

  • Not applicable

Additional useful information (storage limits and other relevant information):

  • None

Contact Points for Data Protection Inquiries:

  • Data Importer: Please see the information provided on the Order Form.
  • Data Exporter: Data Protection Officer | privacy@outlogic.io