ENGDATA PROTECTION ADDENDUM (ARCHIVED)
This is an archived version of Tapjoy’s Data Protection Addendum, provided as a courtesy. As of June 6, 2022, this version of Tapjoy’s Data Protection Addendum is no longer in effect.
This Tapjoy Data Protection Addendum (“Tapjoy DPA”) is incorporated into and part of the agreement between Tapjoy, Inc. (“Tapjoy”) and you (“you”, and “Advertiser” or “Publisher” as applicable) relating to your use of Tapjoy’s Advertising Service, Publisher Services, or both (such services collectively, the “Tapjoy Services”, and the agreements applicable to you (“Advertising Agreement” and/or “Publisher Agreement”, as applicable, and collectively, your “Tapjoy Agreements”), available at Legal Resources. If and to the extent you provide Tapjoy with personal data, you and Tapjoy agree that this DPA governs our respective collection, transfer, and processing of personal data in the course of our provision and your use of our Services.
DEFINITIONS
The terms in this DPA, whether capitalized or not, have the meanings set forth below, and shall, to the greatest extent possible, have the meanings given to them in Applicable Data Protection Laws; terms not defined here have the definition set forth in your applicable Tapjoy Agreement.
“Advertising Service”
Means mobile in-app advertising services provided by Tapjoy pursuant to one or more insertion orders executed under your Advertising Agreement.
“Advertising Service Data”
Means personal data provided by you to Tapjoy used solely for your benefit in connection with your use of the Advertising Service.
“Applicable Data Protection Laws”
Means all applicable international, federal, national and state privacy and data protection laws, rules, regulations, self-regulatory guidelines, or implementing legislation that apply to the processing of Personal Data covered by this Tapjoy DPA, including but not limited to: (i) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), and if enacted, the EU e-Privacy Regulation from its effective date forward; (iii) from January 1, 2020 onward, the California Consumer Privacy Act of 2018, California Civil Code §1798.100 et seq. ( “CCPA”); and (iv) any national data protection laws made under or pursuant to (i) or (ii) or otherwise applicable to you.
“Controller”
Means the entity that determines the purposes and means of the Processing of Personal Data, for purposes of European Data, and shall also mean a Business, where applicable, pursuant to the CCPA .
“EEA”
Means the European Economic Area.
“Model Clauses”
Means the Standard Contractual Clauses for the Transfer of Personal Data available at HTTPS://EC.EUROPA.EU/INFO/LAW/LAW-TOPIC/DATA-PROTECTION/DATA-TRANSFERS-OUTSIDE-EU/MODEL-CONTRACTS-TRANSFER-PERSONAL-DATA-THIRD-COUNTRIES_EN, specifically (a) for transfer of Publisher Monetization Data, the Controller to Controller Standard Contractual Clauses 2004 (Set II) (Commission Decision 2004/915/EC); and (b) for transfer of Advertising Service Data and Publisher Service Data, the Controller to Processor Standard Contractual Clauses 2010 (Commission Decision 2010/87/EU).
“Personal Data”
Means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, directly or indirectly, a particular individual, consumer, data subject, or (for purposes of CCPA) household, processed pursuant to the Agreement and as to which one or both of us is a Controller, and is defined as “personally identifiable information,” “personal information,” “personal data,” or similar term under Applicable Data Protection Laws.
“Privacy Shield”
Means the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce.
“Processor”
Means an entity that processes personal data solely at the direction of a Controller, for European Data, and shall also mean a Service Provider, where applicable, pursuant to the CCPA.
“Processing”
Has the meaning set forth under Applicable Data Protection Laws.
“Publisher Monetization Data”
Means personal data provided, via the Tapjoy SDK as integrated in your mobile application, for use in connection with use of Tapjoy’s Publisher Monetization Services, including mobile device identifiers and IP addresses of data subjects who are end users of your mobile application.
“Publisher Service Data”
Means personal data provided by you to Tapjoy used solely for your benefit in connection with your use of Tapjoy’s Publisher Services other than Monetization.
“Publisher Services”
Means the Tapjoy publisher services used by you pursuant to your Publisher Agreement, which may include Monetization Services, Analytics Services, and Virtual Currency Management Services, each as defined in Tapjoy’s publisher Terms of Service (Publisher-Terms-Of-Service).
“Security incident”
Means any destruction, loss, alteration, unauthorized disclosure of personal data processed for you by Tapjoy as a processor, arising due to unlawful or unauthorized access to your personal data within storage managed by us.
“Transfer”
Means the access by, transfer or delivery to, or disclosure of personal data to a person, entity or system located in a country or jurisdiction other than the country or jurisdiction where the personal data originated from.
PURPOSE AND DETAILS OF PROCESSING
Respective Roles
You and Tapjoy agree that each of us will process and transfer personal data only for the purposes described in your Tapjoy Agreement(s) and this Tapjoy DPA, or as otherwise agreed in writing between us. Each of us acknowledges and agrees as follows:
Advertising Service
You, as Controller, appoint Tapjoy as Processor to process Advertising Service Data in connection with the Advertising Service pursuant to your Advertising Agreement and in accordance with this Tapjoy DPA.
Publisher Monetization Service
You, as Controller, acknowledge that you and Tapjoy each serve as an independent Controller with respect to Publisher Monetization Data provided under your Publisher Agreement
Other Publisher Services
You, as Controller, appoint Tapjoy as Processor to process Publisher Service Data pursuant to your Publisher Agreement and in accordance with this Tapjoy DPA.
No Special Category Data
Neither you nor Tapjoy shall transfer, provide each other, or have responsibility for processing special categories of personal data, as referenced in Article 9 of the GDPR.
Service Provider Certification
Where acting as a Processor, Tapjoy will not (a) sell the Personal Data received from a Controller; (b) retain, use or disclose the Personal Data for any purpose other than for the specific purpose of performing the Services on behalf of a Controller; (c) retain, use, or disclose the Personal Data for a commercial purpose other than providing the Services; or (d) retain, use, or disclose the Personal Data outside of the direct business relationship between Tapjoy and a Controller. As to Tapjoy’s role as a Processor only, Tapjoy certifies that it understands these restrictions and will comply with them.
OBLIGATIONS AS CONTROLLERS
Compliance with Obligations
You and Tapjoy each agree, when acting as a Controller of personal data to comply with all applicable laws, including Applicable Data Protection Laws, in your use and our provision of the Tapjoy Services, including fulfillment of all duties required of Controllers under Applicable Data Protection Laws. Each of us will implement and maintain security measures to protect personal data from any Security Incident.
Data Subject Requests
Each of us, when we act as a Controller, has the sole and independent obligation (as between the parties) to receive and manage data subject requests regarding our respective personal data, including without limitation any request to access, know, correct, amend, restrict processing of, port, object to the Processing of, block or delete, or, where applicable, stop the sale of personal data. If applicable, and to the extent legally permitted, each of us will provide the other with reasonable cooperation and assistance in relation to handling of a data subject’s request. Each of us acknowledges that fulfilling a request may not be possible where doing so would interfere with the ability of either party to comply with applicable law or legal obligation, or protect its rights or those of a third party.
Requests from Others
If applicable, and to the extent legally permitted, each of us will provide the other upon request with reasonable cooperation and assistance in relation to any correspondence, inquiry, or complaint received from a regulator, individual, supervisory authority, court, or other third party. Each of us acknowledges that fulfilling a request may not be possible where doing so would interfere with the ability of either party to comply with applicable law or legal obligation, or protect its rights or those of a third party.
Appointing Processors
Where you and Tapjoy are independent Controllers, each party may appoint third-party Processors to Process personal data for the purposes set forth in this Tapjoy DPA and your Publisher Agreement, provided that such Processors (i) agree in writing to Process Personal Data in accordance with the Publisher Agreement (and any other contractual agreements between the parties); (ii) implement appropriate technical and organisational security measures, no less protective than those in this Tapjoy DPA, to protect Personal Data subject to the Publisher Agreement against a Security Incident, in compliance with the standards required by this Tapjoy DPA; and (iii) otherwise provide sufficient guarantees that they will process the Personal Data in a manner that will meet the requirements of Applicable Data Protection Laws. Each of us will be liable for the acts and omissions of its Processors to the same extent each of us would be liable if performing the services of each Processor directly under the Publisher Agreement.
INTERNATIONAL TRANSFER OBLIGATIONS
European Data
Each of us agrees that personal data originating in the EEA or Switzerland, or other countries or jurisdictions recognizing the GDPR or EU Directive 95/46/EC (such locations collectively, the “Covered Areas” and such data, “European Data”) shall not be transferred to a jurisdiction outside the Covered Areas unless the transfer is subject to an Approved Transfer Mechanism, meaning that (i) the recipient is located in the EEA or Switzerland, or another country that the European Commission or Swiss Federal Data Protection Authority (as applicable) has decided provides adequate protection for personal data, or (ii) the recipient (a) receives the European Data pursuant to a binding corporate rules authorization in accordance with Applicable Data Protection Laws; or (b) has executed Model Clauses with the Covered Area-based exporter of the personal data; or (c) is located in the United States and has certified compliance to the EU-US or Swiss-US Privacy Shield (as applicable); or (d) transfers the data pursuant to another approved transfer mechanism.
Model Clauses
You hereby agree to and hereby enter into the Model Clauses applicable to you with respect to European Data, the terms of which are hereby incorporated by reference into and form part of this Agreement. Please see Addendum 1: Standard Contractual Clauses (“SCCs”) below for both Tapjoy Monetization Services and Advertising Services, as they apply to you.
Order of precedence
In the event the terms of the applicable Model Clauses conflict with other terms of your Tapjoy Agreements, the Model Clauses will control.
Privacy Shield
You understand that Tapjoy is headquartered in the United States of America. Tapjoy represents that it is Privacy Shield certified. Accordingly, where applicable, you agree that Tapjoy may lawfully receive and process European Data in the United States of America for as long as we maintain a valid and up-to-date certification. If more than one Approved Transfer Mechanism applies, the transfer shall be governed first by Tapjoy’s Privacy Shield self-certification where applicable, and second, by the Model Clauses.
Future Requirements
You and Tapjoy agree to work together as commercially reasonable to allow each other to apply for and obtain any permit, authorization or consent that may be required under current and future Applicable Data Protection Laws or policies.
PRIVACY POLICY DISCLOSURES
Each party shall designate a contact point for Data Subjects in its publicly posted privacy policy.
Each party shall post a privacy policy on its web site and in its mobile application(s) that reflects the nature of the relationship and transfer of data between the parties as required by Applicable Data Protection Laws.
YOUR DATA SUBJECT CONSENT OBLIGATIONS
You acknowledge that we use mobile device identifier and IP address data to provide the Tapjoy Services; accordingly, for personal data that you provide under this Tapjoy DPA as to which you are Controller, you represent that, where required by Applicable Data Protection Laws, you have implemented notice and consent mechanisms sufficient to ensure that any data subject consent is freely given, informed, specific and unambiguous, and (for Publisher Monetization Data) covers use for audience segmentation and targeting in connection with online behavioral advertising.
You and Tapjoy will each honor mobile opt-out signals where required by Applicable Data Protection Laws. You will not provide Tapjoy with personal data from any device that has opted out through device settings (“Opt-Outs”) unless you also provide any accompanying opt-out signal. Tapjoy will not knowingly collect or use personal data from any Opt-Outs for purposes of online behavioral advertising and where required by Applicable Data Protection Laws.
You agree to provide Tapjoy, on request, with documentation explaining your consent processes or mechanisms for obtaining consent from data subjects, where required by Applicable Data Protection Laws, with respect to Publisher Monetization Data.
You and Tapjoy each agree to use and honor any applicable OpenRTB specifications that pass any signal regarding underage status, consent status, or Opt-Outs.
If and to the extent that we, in our sole discretion, opt to provide you with a notice or consent mechanism or template (e.g., a privacy notice and consent screen or interstitial enabled via Tapjoy’s SDK) (“SDK Tool”), you acknowledge that the decision of whether to implement it is at your discretion. You understand and agree that any such SDK Tool is provided solely on an “As Is” basis, and that you should not rely on it or our provision of it as legal advice; as between you and Tapjoy, you are solely liable for the nature and sufficiency of your compliance with data subject consent obligations.
Tapjoy Obligations As Processor
Tapjoy, when acting as your Processor, agrees as follows:
We will, to the extent legally permitted, promptly notify you if we receive a request from an individual or data subject wishing to exercise rights under Applicable Data Protection Law in connection with our processing of personal data processed for you, or any other correspondence, enquiry or complaint from an individual, regulator, court or other third party in connection with our processing of personal data for you (“Request”). Taking into account the nature of the processing and the Request, we will assist you insofar as possible in fulfilment of your obligation to respond to the Request under Applicable Data Protection Laws. At your request, to the extent you do not have the ability to fulfill the Request, we will provide commercially reasonable efforts to help you in responding, to the extent we are legally permitted to do so and the response is required under Applicable Data Protection Laws and Regulations. You acknowledge that Tapjoy may not be able to fulfill Requests where doing so would interfere with Tapjoy’s ability to comply with applicable law or legal obligation, or protect its rights or those of a third party.
Confidentiality and Security
We agree to maintain reasonable and appropriate technical and organizational measures for the protection, confidentiality, and integrity of Personal Data that we process for you, in accordance with the confidentiality provisions of your Tapjoy Agreements. We require our personnel involved in the processing of personal data for you to have executed written confidentiality agreements that survive the termination of their work for us, and we limit access to personal data processed by us for you to those personnel with a business need to know, in accordance with your Tapjoy Agreements. Upon request, we will provide you with a copy of our written privacy and information security policies and procedures. Upon determining that a Security Incident has occurred affecting personal data, Tapjoy will promptly notify you, take reasonable steps to mitigate any effects and damage from the Security Incident, and will provide you with timely information and cooperation as reasonably requested by you for you to fulfill your own Security Incident reporting obligations pursuant to Applicable Data Protection Laws. You agree that an attempted security breach, meaning an event which does not result in unauthorized access to your personal data or to our equipment or facilities storing your personal data, does not give rise to any obligations on our part to you, and that our compliance with this paragraph shall not be deemed an acknowledgement of fault or liability on our part in connection with any actual or attempted Security Incident.
Treatment at Termination
Upon termination or expiration of the Tapjoy Agreements under which Tapjoy is a Processor for you, Tapjoy will, at your written request, return, destroy, de-identify, aggregate, or anonymize all associated personal data, including copies and personal data held by sub-Processors, except that Tapjoy may retain certain personal data for its legal, accounting and auditing purposes.
Subject to the confidentiality provisions of the Tapjoy Agreement(s), Tapjoy grants you to the extent reasonably possible, and through reasonably acceptable third-party auditors, the right to audit, at your expense, our compliance with our obligations as your processor under this Addendum, including provision of access to information, systems and staff necessary for the conduct of the audit. Your audit right is conditioned upon your providing reasonable prior notice of your intention to audit, the audit taking place during normal business hours, and your auditors taking all reasonable measures to prevent unnecessary disruption to our operations. This audit right may be exercised up to once per year, except to the extent (i) when sooner required by instruction of a competent data protection authority; or (ii) you reasonably believe a further audit is necessary due to a Security Incident affecting us.
Sub-Processors (Subcontractors)
As your Processor, Tapjoy will not subcontract any processing of personal data to a third-party sub-Processor without your prior written consent. Notwithstanding the foregoing, you provide Tapjoy with general written authorization and consent to engage third-party sub-Processors to process personal data provided that: (i) if and to the extent you provide us with European Data, Tapjoy will provide you, upon request, with a list of our then-current subcontractors and at least fourteen (14) days’ notice of the addition of any sub-Processor (including details of the processing to be performed), whether by direct email, updating a publicly posted list of our sub-processors, or otherwise as generally communicated to our Advertisers and Publishers; (ii) Tapjoy requires its sub-Processors to abide by data protection terms as protective as the terms of this Tapjoy DPA; and (iv) Tapjoy remains fully liable for any breach of this Tapjoy DPA caused by its sub-Processor’s act, error or omission. If you reasonably refuse, for reasons related to the protection of personal data, to consent to our appointment of a third-party sub-Processor, then we will either not appoint the sub-Processor or you may opt to terminate this Tapjoy DPA and cease your use of our Services. Tapjoy certifies that it understands these restrictions and will comply with them.
INDEMNITY
Each party (the “Indemnifying Party”) shall indemnify and hold harmless the other, including its officers directors, employees, contractors, and agents (the “Indemnified Party”) from and against all claims, losses, costs, liabilities, damages, and expenses, including reasonable attorneys’ fees (“Claims”) brought by data subjects, supervisory authorities under the Applicable Data Protection Laws, or other third parties, suffered or incurred by the Indemnified Party to the extent arising from the Indemnifying Party’s breach of this Tapjoy DPA.
Indemnification under this Section is conditioned upon (i) the Indemnified Party providing the Indemnifying Party (A) prompt notice of any circumstances of which it is aware that give rise to an indemnity claim under this Tapjoy DPA and (B) reasonable cooperation as to such claim, including provision of all relevant materials to it; (ii) the Indemnified Party taking reasonable steps and actions to mitigate any ongoing damage it may suffer as a consequence of the Indemnifying Party’s breach**.**
The Indemnifying Party reserves the right, at its expense, to assume the exclusive defense and control of any matter for which it is required to indemnify the Indemnified Party, and the Indemnified Party shall have the right to participate with counsel of its own choosing at its own expense. The Indemnifying Party will not enter into any settlement of any claim without the prior written consent of the Indemnified Party, such consent not to be unreasonably withheld or conditioned.
LIMITATION OF LIABILITY
Each of our respective liability, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of your applicable Tapjoy Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and its affiliates under the Tapjoy Agreement including this Tapjoy DPA together; for the avoidance of doubt, each reference to this Tapjoy DPA includes all applicable Attachments and Appendices.
MISCELLANEOUS
Nothing in this Tapjoy DPA shall confer any benefits or rights on any person or entity other than the parties to this Tapjoy DPA; the foregoing shall not limit third-party beneficiary provisions of the Model Clauses.
Except as modified by this Addendum, your Tapjoy Agreement(s) remains in full force and effect; in the event of conflict between your Tapjoy Agreement and this Addendum, this Addendum will control.
Tapjoy and you mutually represent and warrant that we each, respectively, have the right, power, and authority (a) to enter into this Tapjoy DPA, (b) to make the representations and warranties contained herein, and (c) to perform our respective duties, obligations and covenants set forth in this Tapjoy DPA.
This Tapjoy DPA is coterminous with your Tapjoy Agreements, terminating automatically with your last Tapjoy Agreement. Sections 8(c), 9, 10, and 11 survive termination. Without prejudice to remedies set forth elsewhere in this DPA or in your Tapjoy Agreements, if either of us breaches this Tapjoy DPA, the other is entitled to terminate the Tapjoy Agreement in its sole discretion effective upon written notice; such termination shall be without any extra costs or expenses, and without effect on any payments then due and owing.
Effective Date: January 1, 2020