DATA PROTECTION ADDENDUM (ARCHIVED)

This is an archived version of Tapjoy’s Data Protection Addendum, provided as a courtesy. As of December 4th, 2024, this version of Tapjoy’s Data Protection Addendum is no longer in effect.

This Tapjoy Data Protection Addendum (“Tapjoy DPA”) is incorporated into and part of the agreement between Tapjoy, Inc. (“Tapjoy”) and you (“you”, and “Advertiser” or “Publisher” as applicable) relating to your use of Tapjoy’s Advertising Service, Publisher Services, or both (such services collectively, the “Tapjoy Services”, and the agreements applicable to you (“Advertising Agreement” and/or “Publisher Agreement”, as applicable, and collectively, your “Tapjoy Agreements” or “Agreement”), available at Legal Resources.

If and to the extent you provide Tapjoy with personal data, you and Tapjoy agree that this DPA governs our respective collection, transfer, and processing of personal data in the course of our provision and your use of our Services.

Definitions

The terms in this DPA, whether capitalized or not, have the meanings set forth below, and shall, to the greatest extent possible, have the meanings given to them in Applicable Data Protection Laws. Terms not defined here have the definition set forth in your applicable Tapjoy Agreement.

“Advertising Conversion Signal Data”

Means personal data that signals a user conversion (e.g., completion of an ad offer’s requirements or install of an advertised app) in connection with the Advertising Service.

Advertising Service

Means mobile in-app advertising services provided by Tapjoy pursuant to one or more insertion orders executed under your Advertising Agreement.

“Advertising Service Data”

Means personal data provided by you to Tapjoy used solely for your benefit in connection with your use of the Advertising Service, such as campaign targeting or suppression lists.

“Applicable Data Protection Laws”

Means all applicable international, federal, national and state privacy and data protection laws, rules, regulations, self-regulatory guidelines, or implementing legislation that apply to the processing of personal data covered by this Tapjoy DPA, including but not limited to: (i) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, “UK GDPR”); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); (v) the California Consumer Privacy Act of 2018, California Civil Code §1798.100 et seq. (“CCPA”); and (vi) any national data protection laws made under or pursuant to (i) or (ii) or otherwise applicable to you; in each case as amended, superseded or replaced from time to time.

“Controller”

Means the entity that determines the purposes and means of the Processing of personal data and shall also mean a Business, where applicable, pursuant to the CCPA.

“EEA”

Means the European Economic Area.

“Personal Data”

Means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, directly or indirectly, a particular individual, consumer, data subject, or (for purposes of CCPA) household, processed pursuant to the Agreement and as to which one or both of us is a Controller, and is defined as “personal information,” “personal data,” or similar term under Applicable Data Protection Laws.

Processor

Means an entity that processes personal data solely at the direction of a Controller, and shall also mean a Service Provider, where applicable, pursuant to the CCPA.

“Processing”

Has the meaning set forth under Applicable Data Protection Laws.

“Publisher Monetization Data”

Means personal data provided, via the Tapjoy SDK as integrated in your mobile application, for use in connection with Tapjoy’s Publisher Monetization Services, including mobile device identifiers and IP addresses of data subjects who are end users of your mobile application.

“Publisher Service Data”

Means personal data provided by you to Tapjoy used solely for your benefit in connection with your use of Tapjoy’s ancillary Publisher Services (those other than Monetization).

“Publisher Services”

Means the Tapjoy publisher services used by you pursuant to your Publisher Agreement, which may include Monetization Services, Analytics Services, and Virtual Currency Management Services, each as defined in Tapjoy’s Publisher Terms of Service.

“Security incident”

Means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data stored or otherwise processed.

Standard Contractual Clauses

Means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021, a copy of which is available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN.

“Sub-processor”

Means any third party engaged by Tapjoy or its affiliates to process Advertising Service Data or Publisher Service Data on your behalf, not including Tapjoy employees or contractors.

“Transfer”

Means the access by, transfer or delivery to, or disclosure of personal data to a person, entity or system located in a country or jurisdiction other than the country or jurisdiction where the personal data originated from.

Purpose and Details of Processing

Respective Roles

You and Tapjoy agree that each of us will process and transfer personal data only for the purposes described in your Tapjoy Agreement(s) and this Tapjoy DPA, or as otherwise agreed in writing between us.

Advertising Conversion Signal Data

You, as Controller, acknowledge that you and Tapjoy each serve as an independent Controller with respect to Advertising Conversion Signal Data provided in connection with the Advertising Service in accordance with this Tapjoy DPA.

Advertising Service Data

You, as Controller, appoint Tapjoy as Processor to process Advertising Service Data in connection with the Advertising Service pursuant to your Advertising Agreement and in accordance with this Tapjoy DPA.

Publisher Monetization Data

You, as Controller, acknowledge that you and Tapjoy each serve as an independent Controller with respect to Publisher Monetization Data provided in connection with the Publisher Monetization Services and in accordance with this Tapjoy DPA.

Publisher Service Data

You, as Controller, appoint Tapjoy as Processor to process Publisher Service Data pursuant to your Publisher Agreement and in accordance with this Tapjoy DPA.

Other Publisher Services

You, as Controller, appoint Tapjoy as Processor to process Publisher Service Data pursuant to your Publisher Agreement and in accordance with this Tapjoy DPA.

No Special Category Data

Neither you nor Tapjoy shall transfer, provide each other, or have responsibility for processing special categories of personal data under this DPA, as defined under Applicable Data Protection Laws.

Service Provider Certification

Where acting as a Processor, Tapjoy will not(a) sell the personal data received from a Controller; (b) retain, use or disclose the personal data for any purpose other than for the specific purpose of performing the Services on behalf of a Controller; (c) retain, use, or disclose the personal data for a commercial purpose other than providing the Services; or (d) retain, use, or disclose the personal data outside of the direct business relationship between Tapjoy and a Controller. As to Tapjoy’s role as a Processor, Tapjoy certifies that it understands these restrictions and will comply with them.

Obligations As Controllers

Compliance with Obligations

You and Tapjoy each agree, when acting as a Controller of personal data to comply with all applicable laws, including Applicable Data Protection Laws, in your use and our provision of the Tapjoy Services, including fulfillment of all duties required of Controllers under Applicable Data Protection Laws. Each of us will implement and maintain security measures to protect personal data from any Security Incident.

Data Subject Requests

Each of us, when acting as a Controller, has the sole and independent obligation (as between the parties) to receive and manage data subject requests regarding our respective personal data, including without limitation any request to access, know, correct, amend, restrict processing of, port, object to the Processing of, block or delete, or, where applicable, stop the sale of personal data. If applicable, and to the extent legally permitted, each of us will provide the other with reasonable cooperation and assistance in relation to the handling of a data subject’s request. Each of us acknowledges that fulfilling a request may not be possible where doing so would interfere with the ability of either party to comply with applicable law or legal obligation, or protect its rights or those of a third party.

Requests from Others

If applicable, and to the extent legally permitted, each of us will provide the other upon request with reasonable cooperation and assistance in relation to any correspondence, inquiry, or complaint received from a regulator, individual, supervisory authority, court, or other third party. Each of us acknowledges that fulfilling a request may not be possible where doing so would interfere with the ability of either party to comply with applicable law or legal obligation, or protect its rights or those of a third party.

Appointing Processors

Where you and Tapjoy are independent Controllers, each party may appoint third-party Processors to Process personal data for the purposes set forth in this Tapjoy DPA and your Publisher Agreement, provided that such Processors (i) agree in writing to Process personal data in accordance with the Publisher Agreement (and any other contractual agreements between the parties); (ii) implement appropriate technical and organizational security measures, no less protective than those in this Tapjoy DPA, to protect personal data subject to the Publisher Agreement against a Security Incident, in compliance with the standards required by this Tapjoy DPA; and (iii) otherwise provide sufficient guarantees that they will process the personal data in a manner that will meet the requirements of Applicable Data Protection Laws. Each of us will be liable for the acts and omissions of its Processors to the same extent each of us would be liable if performing the services of each Processor directly under the Publisher Agreement.

International Transfer Obligations

European Data

Each of us agrees that personal data originating in the EEA, Switzerland or the United Kingdom (such locations collectively, the “Covered Areas” and such data, “European Data”) shall not be Transferred to a jurisdiction outside the Covered Areas unless the transfer is subject to an Approved Transfer Mechanism, meaning that (i) the recipient is located in the EEA, Switzerland, the United Kingdom, or another country that has been specified by the European Commission, Swiss Federal Data Protection Authority, or United Kingdom authorities (as applicable) as providing an adequate level of protection for personal data, or (ii) the recipient (a) receives the European Data pursuant to a binding corporate rules authorization in accordance with Applicable Data Protection Laws; (b) has executed the Standard Contractual Clauses with respect to the personal data; or (c) receives the personal data pursuant to another approved transfer mechanism under Applicable Data Protection Laws.

Standard Contractual Clauses as Data Transfer Mechanism

You hereby agree to and hereby enter into the Model Clauses applicable to you with The parties hereby enter into the Standard Contractual Clauses with respect to European Data, the terms of which are hereby incorporated by reference into and form part of your Tapjoy Agreement(s) in accordance with Attachment 1: Standard Contractual Clauses.

UK Data Transfers

To extent that and for so long as the Standard Contractual Clauses as implemented in accordance with Section 4(b) cannot be relied on to lawfully Transfer personal data in compliance with the UK GDPR, the applicable standard data protection clauses issued, adopted or permitted by the United Kingdom authorities shall be incorporated by reference, and the annexes, appendices or tables of such clauses shall be deemed populated with the relevant information set out in Attachment 1: Standard Contractual Clauses.

Future Requirements

You and Tapjoy agree to work together as commercially reasonable to allow each other to apply for and obtain any permit, authorization or consent that may be required under current and future Applicable Data Protection Laws or policies. In addition, if and to the extent that a court of competent jurisdiction or a supervisory authority with binding authority orders (for whatever reason) that the measures described in this Tapjoy DPA cannot be relied on by the parties to lawfully transfer and process European Data, you and Tapjoy agree to work together as commercially reasonable to implement any additional measures or safeguards not described in this Tapjoy DPA or alternative transfer mechanism to enable the lawful transfer and processing of European Data.

Privacy Policy Disclosures

Each party shall designate a contact point for Data Subjects in its publicly posted privacy policy.

Each party shall post a privacy policy on its web site and in its mobile application(s) that reflects the nature of the relationship and transfer of data between the parties as required by Applicable Data Protection Laws.

Your Data Subject Consent Obligations

You acknowledge that we use mobile device advertising identifier and IP address data to provide the Tapjoy Services; accordingly, for personal data that you provide under this Tapjoy DPA as to which you are Controller, you represent that, where required by Applicable Data Protection Laws, you have implemented notice and consent mechanisms sufficient to ensure that any data subject consent is freely given, informed, specific and unambiguous, and (for Publisher Monetization Data and Advertising Conversion Signal Data) covers use for audience segmentation and targeting in connection with online behavioral advertising.

You and Tapjoy will each honor mobile opt-out signals where required by Applicable Data Protection Laws. You will not provide Tapjoy with personal data from any device that has opted out through device settings (“Opt-Outs”) unless you also provide any accompanying opt-out signal. Tapjoy will not knowingly collect or use personal data from any Opt-Outs for purposes of online behavioral advertising and where required by Applicable Data Protection Laws.

You agree to provide Tapjoy, on request, with documentation explaining your consent processes or mechanisms for obtaining consent from data subjects, where required by Applicable Data Protection Laws, with respect to Publisher Monetization Data and Advertising Conversion Signal Data.

You and Tapjoy each agree to use and honor any applicable OpenRTB specifications that pass any signal regarding underage status, consent status, or Opt-Outs.

If and to the extent that we, in our sole discretion, opt to provide you with a notice or consent mechanism or template (e.g., a privacy notice and consent screen or interstitial enabled via Tapjoy’s SDK) (“SDK Tool”), you acknowledge that the decision of whether to implement it is at your discretion.  You understand and agree that any such SDK Tool is provided solely on an “As Is” basis, and that you should not rely on it or our provision of it as legal advice; as between you and Tapjoy, you are solely liable for the nature and sufficiency of your compliance with data subject consent obligations.

Tapjoy Obligations As Processor

Tapjoy, when acting as your Processor, agrees as follows:

Requests

We will, to the extent legally permitted, promptly notify you if we receive a request from an individual or data subject wishing to exercise rights under Applicable Data Protection Law in connection with our processing of personal data processed for you, or any other correspondence, enquiry or complaint from an individual, regulator, court or other third party in connection with our processing of personal data for you (“Request”). Taking into account the nature of the processing and the Request, we will assist you insofar as possible in fulfillment of your obligation to respond to the Request under Applicable Data Protection Laws. At your request, to the extent you do not have the ability to fulfill the Request, we will provide commercially reasonable efforts to help you in responding, to the extent we are legally permitted to do so and the response is required under Applicable Data Protection Laws and Regulations. You acknowledge that Tapjoy may not be able to fulfill Requests where doing so would interfere with Tapjoy’s ability to comply with applicable law or legal obligation, or protect its rights or those of a third party.

Confidentiality and Security

We agree to maintain reasonable and appropriate technical and organizational measures for the protection, confidentiality, and integrity of personal data that we process for you, in accordance with the confidentiality provisions of your Tapjoy Agreement(s). We require our personnel involved in the processing of personal data for you to have executed written confidentiality agreements that survive the termination of their work for us, and we limit access to personal data processed by us for you to those personnel with a business need to know, in accordance with your Tapjoy Agreement(s). Upon request, we will provide you with a copy of our written privacy and information security policies and procedures. You acknowledge that Tapjoy may update or modify its privacy and information security policies and procedures from time to time, provided that such updates and modifications do not materially decrease the overall security of the protection afforded to the personal data. In the event of a Security Incident affecting you, Tapjoy will promptly notify you, take reasonable steps to mitigate any effects and damage from the Security Incident, and will provide you with timely information and cooperation as reasonably requested by you for you to fulfill your own Security Incident reporting obligations pursuant to Applicable Data Protection Laws. You agree that an attempted security breach, meaning an event which does not result in unauthorized access to your personal data or to our equipment or facilities storing your personal data, does not give rise to any obligations on our part to you, and that our compliance with this paragraph shall not be deemed an acknowledgement of fault or liability on our part in connection with any actual or attempted Security Incident.

Treatment at Termination

Upon termination or expiration of the Tapjoy Agreements under which Tapjoy is a Upon termination or expiration of the Tapjoy Agreement(s) under which Tapjoy is a Processor for you, Tapjoy will, at your written request, return, destroy, de-identify, aggregate, or anonymize all associated personal data, including copies and personal data held by Sub-processors, except that Tapjoy may retain certain personal data for its legal, accounting and auditing purposes.

Data Privacy Audit

To the extent that Applicable Data Protection Laws require you to be in a position to audit Tapjoy’s Processing of your Personal Data and subject to the confidentiality provisions of the Tapjoy Agreement(s), Tapjoy grants you, as the Controller, to the extent reasonably possible, and through mutually-agreed, reputable and independent third-party auditors, the right to request an audit, at your expense, solely for the purposes of, and as absolutely necessary for, meeting your audit requirements pursuant to Applicable Data Protection Laws, and solely those of our systems and documents directly related to that purpose for the  twelve (12) months prior to the audit, or the maximum period required by Applicable Data Protection Laws (if longer). Your audit right is conditioned upon your providing a detailed audit request specifying the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, the audit, at least four (4) weeks in advance of the proposed audit date. Audit requests must be sent in a written form to your designated Tapjoy contact person, with a copy to legal@tapjoy.com. The auditor must execute a written confidentiality agreement acceptable to us prior to conducting the audit. The audits shall take place during normal business hours, subject to our policies and reasonable confidentiality obligations, and must not unnecessarily disrupt our operations. This audit right may be exercised up to once per year, except to the extent (i) when sooner required by instruction of a competent data protection authority; or (ii) you reasonably believe a further audit is necessary due to a Security Incident affecting us. Where applicable, you agree that you will exercise your audit rights under the Standard Contractual Clause by instructing us to comply with the measures described in this Section 8(d). Nothing in this Section will require us to disclose to you or any auditor, or otherwise to allow you or any auditor to access any third-party data, internal financial information, trade secret, or data that we reasonably determine not to have been requested in good faith, resulting in an interference with Tapjoy’s business, or for purposes other than conducting an audit as required by Applicable Data Protection Laws. We may, at our option, provide you with a copy of our most recent third-party audits or certifications by an independent third-party auditor, as applicable, or any summaries thereof. You acknowledge that any audit results, findings, or third-party certifications or audits are  Tapjoy confidential information, and you agree to keep the audit results in strict confidentiality, and not to disclose them to any third party without our prior express written approval. If you are required to disclose the audit results to a competent authority, you shall provide us with a prior written notice explaining the details and necessity of the disclosure, and agree to provide all necessary assistance to prevent or reduce the scope of such disclosure. In the event that such disclosure occurs despite your best efforts to prevent or reduce such disclosure, you will disclose only the portion of the results of the audit that is expressly required to be disclosed.

Sub-Processors

You provide Tapjoy with general written authorization and consent to engage Sub-processors to process personal data provided that: (i) if and to the extent you provide us with European Data, Tapjoy will provide you, upon request, with a list of our then-current Sub-processors and provide you at least fourteen (14) days’ notice of the addition of any Sub-processor (including details of the processing to be performed); (ii) Tapjoy requires its Sub-processors to abide by data protection terms as protective as the terms of this Tapjoy DPA; and (iv) Tapjoy remains fully liable for any breach of this Tapjoy DPA caused by its Sub-processors’ acts, errors or omissions. If you reasonably object, for reasons related to the protection of personal data, to our appointment of a new Sub-processor, then we will either not appoint the Sub-processor or you may opt to terminate this Tapjoy DPA and cease your use of our Services. You acknowledge that Tapjoy complies with its obligations under clause 9 of the Standard Contractual Clauses by complying with this Section 8(e).

Indemnity

Each party (the “Indemnifying Party“) shall indemnify and hold harmless the other, including its officers directors, employees, contractors, and agents (the “Indemnified Party“) from and against all claims, losses, costs, liabilities, damages, and expenses, including reasonable attorneys’ fees (“Claims“) brought by data subjects, supervisory authorities under the Applicable Data Protection Laws, or other third parties, suffered or incurred by the Indemnified Party to the extent arising from the Indemnifying Party’s breach of this Tapjoy DPA.

Indemnification under this Section is conditioned upon (i) the Indemnified Party providing the Indemnifying Party (A) prompt notice of any circumstances of which it is aware that give rise to an indemnity claim under this Tapjoy DPA and (B) reasonable cooperation as to such claim, including provision of all relevant materials to it; (ii) the Indemnified Party taking reasonable steps and actions to mitigate any ongoing Damage it may suffer as a consequence of the Indemnifying Party’s breach**.**

The Indemnifying Party reserves the right, at its expense, to assume the exclusive defense and control of any matter for which it is required to indemnify the Indemnified Party, and the Indemnified Party shall have the right to participate with counsel of its own choosing at its own expense. The Indemnifying Party will not enter into any settlement of any claim without the prior written consent of the Indemnified Party, such consent not to be unreasonably withheld or conditioned.

Limitation of Liability

Each of our respective liability, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of your applicable Tapjoy Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and its affiliates under the Tapjoy Agreement including this Tapjoy DPA together; for the avoidance of doubt, each reference to this Tapjoy DPA includes all applicable Attachments and Appendices.

Miscellaneous

Nothing in this Tapjoy DPA shall confer any benefits or rights on any person or entity other than the parties to this Tapjoy DPA; the foregoing shall not (where applicable) limit any third-party beneficiary rights under the Standard Contractual Clauses.

Except as modified by this Tapjoy DPA, your Tapjoy Agreement(s) remains in full force and effect. In the event of any conflict between your Tapjoy Agreement(s), this Tapjoy DPA, and (where applicable) the Standard Contractual Clauses, the terms shall apply in the following order of precedence: (i) the Standard Contractual Clauses; (ii) this Tapjoy DPA; and then (iii) your applicable Tapjoy Agreement.

Tapjoy and you mutually represent and warrant that we each, respectively, have the right, power, and authority (a) to enter into this Tapjoy DPA, (b) to make the representations and warranties contained herein, and (c) to perform our respective duties, obligations and covenants set forth in this Tapjoy DPA.

This Tapjoy DPA is coterminous with your Tapjoy Agreements, terminating automatically This Tapjoy DPA is coterminous with your Tapjoy Agreement(s), terminating automatically with your last Tapjoy Agreement. Sections 8(c) (Treatment at Termination), 9 (Indemnity), 10 (Limitation of Liability), and this Section 11 (Miscellaneous) survive termination. Without prejudice to remedies set forth elsewhere in this DPA or in your Tapjoy Agreement(s), if either of us breaches this Tapjoy DPA, the other is entitled to terminate the Tapjoy Agreement(s) in its sole discretion effective upon written notice; such termination shall be without any extra costs or expenses, and without effect on any payments then due and owing.

ATTACHMENT 1: STANDARD CONTRACTUAL CLAUSES

The Standard Contractual Clauses are incorporated by reference into and apply and form part of your Tapjoy Agreement(s) as follows: (i) either you are the ‘data exporter’ and Tapjoy is the ‘data importer’ or you are the ‘data importer’ and Tapjoy is the ‘data exporter’,  (ii) the Module One (C2C) and Module Two (C2P) terms apply as set out in ‘List of Parties’ below and the Module Three (P2P) terms are not used, (iii) in Clause 7, the optional docking clause applies; (iv) in Clause 9, Option 2 (General Written Authorization) applies and the time period for notifying of the addition or replacement of Sub-processors is set out in Section 8(e) of the DPA; (v) in Clause 11, the optional language does not apply, (vi) in Clause 17, Option 1 applies and the Standard Contractual Clauses are governed by Irish law, (vii) in Clause 18(f), disputes will be resolved before the courts of Ireland, and (viii) the Annexes of the Standard Contractual Clauses are populated with the information set out below.

To the extent the personal data is protected by the UK GDPR or Swiss DPA, the Standard Contractual Clauses apply with the following modifications (as applicable): (i) references to ‘Regulation (EU) 2016/679’ are interpreted as references to the UK GDPR or Swiss DPA, (ii) references to specific articles of ‘Regulation (EU) 2016/679’ are replaced with the equivalent article or section of the UK GDPR or Swiss DPA, (iii) references to ‘EU’, ‘Union’ and ‘Member State’ are replaced with ‘United Kingdom’ or ‘Switzerland’, (iv) Clause 13(a) and Part C of Annex 2 are not used and the ‘competent supervisory authority’ is the United Kingdom Information Commissioner or Swiss Federal Data Protection Information Commissioner, (v) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘United Kingdom Information Commissioner’ and ‘courts of England and Wales’ or the ‘Swiss Federal Data Protection Information Commissioner’ and ‘competent courts of Switzerland’, (vi) in Clause 17, the Standard Contractual Clauses are governed by the laws of England and Wales or Switzerland, and (vii) in Clause 18(f), disputes will be resolved before the competent courts of England and Wales or Switzerland.

Annex I

Part A – List of Parties

Data Exporter

Data Importer

Name

The Advertiser or Publisher accepting the DPA containing these SCCs

Tapjoy, Inc.

Address

As specified in your Agreement

353 Sacramento St., 6th FL
San Francisco, CA 94111 USA

Contact person’s name, position, and contact details

As specified in your Agreement

Data Protection Officer

dpo@tapjoy.com

Activities relevant to the data transferred; role of party (controller or processor)

Publisher Monetization Data (C2C, Module One)

Controller:
Publisher of mobile apps using Tapjoy Publisher Monetization Service

Controller:
Tapjoy

Publisher Service Data (C2P, Module Two)

Controller:
Publisher of mobile apps using Tapjoy Publisher Services other than monetization

Processor:
Tapjoy

Advertising Conversion Signal Data (C2C, Module One)

Controller:
Advertiser using Tapjoy Advertising Services

Controller:
Tapjoy

Advertising Service Data (C2P, Module Two)

Controller:
Advertiser using Tapjoy Advertising Service

Processor:
Tapjoy

Data Exporter

Data Importer

Name

Tapjoy, Inc.

The Advertiser or Publisher accepting the DPA containing these SCCs

Address

353 Sacramento St., 6th FL
San Francisco, CA 94111 USA

As specified in your Agreement

Contact person’s name, position, and contact details

Data Protection Officer

dpo@tapjoy.com

As specified in your Agreement

Activities relevant to the data transferred; role of party (controller or processor)

Publisher Monetization Data (C2C, Module One)

Controller:
Tapjoy

Controller:

Publisher of mobile apps using Tapjoy Publisher Monetization Services

Publisher Service Data (P2C, Module Four)

Processor:
Tapjoy

Controller:

Publisher of mobile apps using Tapjoy Publisher Services other than Monetization Services

Advertising Conversion Signal Data (C2C, Module One)

Controller:
Tapjoy

Controller:

Advertiser using Tapjoy Advertising Services

Advertising Service Data (P2C, Module Four)

Processor:
Tapjoy

Controller:

Advertiser using Tapjoy Advertising Service

Part B – Description of Transfer

Publisher Monetization Data

Publisher Service Data

Advertising Conversion Signal Data

Advertising Service Data

Categories of data subjects whose personal data is transferred

End users of mobile applications

Categories of personal data transferred

Mobile device identifiers (e.g., advertising IDs), mobile device IP address, device information (e.g., OS, manufacturer, model), and as otherwise specified in our Privacy Policy

Mobile device identifiers (e.g., advertising IDs), mobile device IP address, device information (e.g., OS, manufacturer, model), and as otherwise specified in our Privacy Policy

Mobile device identifiers (e.g., advertising IDs), mobile device IP address, conversions

Mobile device identifiers (e.g., advertising IDs)

Sensitive data transferred

None

Frequency of transfer

Data is transferred on a continuous basis

Data is provided at a frequency chosen by Advertiser in its discretion

Nature of the processing

Publisher Monetization Data is processed to provide Publisher Monetization Services to Publishers in the form of in-app advertising, including ad filtering, ad targeting, user rewards, and behavioral profiling

Publisher Service Data is processed to provide non-Monetization Services to Publishers, such as publisher analytics and virtual currency management

Advertising Conversion Signal Data is processed to provide Monetization Services to Publishers, Advertising Services to Advertisers, and virtual currency rewarded advertising to end users, in the form of in-app advertising, including ad filtering, ad targeting, user rewards, and behavioral profiling

Advertising Service Data is processed to provide Advertiser with campaign-specific targeting or suppression Advertising Services

Purpose(s) of the data transfer and further processing

To provide Publishers with Publisher Monetization Services and end users of mobile apps with in-app virtual currency rewards earned through engaging with in-app campaign content

To provide Publishers with services such as publisher analytics and virtual currency management

To provide Advertisers with Advertising Services, and end users of mobile apps with in-app virtual currency rewards earned through engaging with in-app campaign content

To provide Advertisers with services such as campaign-specific targeting or suppression

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Retained as described in our Privacy Policy

Retained as described in our Privacy Policy

Retained as described in our Privacy Policy

Until campaign end

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

Tapjoy’s list of (sub-)processors and processing activities may be accessed here or by sending an email request to subprocessorlist@tapjoy.com.

Part C – Competent Supervisory Authority

For the purposes of Clause 13 of the Standard Contractual Clauses, the competent supervisory authority is either (i) where Publisher or Advertiser (as applicable) is established in the EEA, the supervisory authority responsible for ensuring Publisher’s or Advertiser’s compliance with the GDPR; or (ii) where Publisher or Advertiser (as applicable) is not established in the EEA, the supervisory authority in the EEA member state where Publisher’s or Advertiser’s representative has been appointed pursuant to Article 27(1) of the GDPR or where the data subjects relevant to the transfer are located. In relation to personal data that originates in Switzerland or the United Kingdom, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner or the United Kingdom Information Commissioner (as applicable).

Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Technical and organisational measures applicable

C2C

C2P

Measures of pseudonymization and encryption of personal data:

  • Data is encrypted in transit and at rest
  • Primary identifier collected (device advertising identifier (IDFA/GAAID)) is inherently   somewhat pseudonymized

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services:

  • Systems protections include use of SSO with 2FA/MFA and required complex passwords
  • For critical systems, all access must be approved by a vice-president or higher, with access requests captured by audit trail
  • User accounts, access permissions, and suspicious activity are regularly reviewed and updated

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident:

  • Backup procedures, remote storage, and antivirus/firewall systems are implemented to protect data against accidental destruction or loss and enable systems and access recovery

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing:

  • Access requests are captured by audit trail
  • Formal Security Incident plan, including post-event review
  • Cross-functional infosec group meets regularly to review obligations

Measures for user identification and authorization:

  • Systems protections include use of SSO with 2FA/MFA, required complex passwords, enforced rotation, and lockout after failed attempts

Measures for the protection of data during transmission for the protection of data during storage:

  • Data is encrypted in transit and at rest

Measures for ensuring physical security of locations at which personal data are:

  • Individual employee badges/keycards
  • Door lock schedules
  • HQ office location has on-site security personnel

Measures for ensuring events logging:

  • Logging and reporting systems implemented to maintain full documentation for data management and maintenance

Measures for ensuring system configuration, including default configuration for internal IT and IT security governance and management:

  • Peer-reviewed changes to application and data infrastructure
  • All changes are specified as Infrastructure as Code (IaC) and thereby logged to the production infrastructure

Measures for ensuring data quality:

  • Whenever possible, data is collected directly via proprietary SDK
  • DSAR processes require validation of device identifier before data is accessed/opted-out

Measures for ensuring data minimization and limited data retention:

  • Data minimization considered in product planning and development
  • Data retention schedule periodically reviewed
  • New product developments reviewed quarterly by DPO for data minimization and retention guidelines.

Measures for ensuring accountability:

  • Access requests are captured by audit trail
  • Formal Security Incident plan, including post-event review
  • Cross-functional infosec group meets regularly to review obligations

Measures for allowing data portability and ensuring erasure:

  • DSAR processes in place allowing timely execution of data subject access and deletion/opt-out requests