ClearLine Data Terms
Last Updated: October 9, 2023
These Data Terms are incorporated into the Agreement between ʪƵ and Customer. Capitalized terms used but not otherwise defined herein shall have the meanings ascribed to them in the Agreement.
DATA AND PRIVACY
Privacy Policies. Customer agrees to post on its website a privacy policy that (i) complies with Applicable Law and (ii) accurately discloses all applicable data collection, use and disclosure practices, including, but not limited to, an explanation of the purposes for which data is collected by or will be transferred to, third parties, the use of cookies, pixels, beacons, locally stored objects, or other similar technologies by third parties for purposes of targeting individual end users with interest-based, and other types of Advertisements. Customer shall comply with its privacy policy. Customer further agrees that its privacy policy will provide end users with a conspicuous link to a functional opt-out page. If Customer uses the ʪƵ Materials to buy Inventory directly or indirectly on behalf of any third party, Customer will ensure that such third party complies with this provision.
Customer Data Use. Customer may not use, sell, or otherwise disclose the ʪƵ Data, except that, subject in each case to the restrictions below, Customer may use and disclose ʪƵ Data: (a) to evaluate and purchase Inventory through the ʪƵ Platform in connection with this Agreement, (b) to provide aggregate reporting to the applicable Advertiser for which Customer is purchasing Inventory, and (c) as required by court order, law, or governmental or regulatory agency (after, if permitted, giving prior written notice to ʪƵ). Customer may not use any ʪƵ Data to create or supplement user profiles or targetable segments. All such use of the ʪƵ Materials by Customer must comply with Customer’s privacy polic(ies), all applicable laws, regulations, self-regulatory principles, the Digital Advertising Alliance principles, and European Interactive Digital Advertising Alliance. Customer may not combine any pseudonymous personal data received via the ʪƵ Materials with any personal data that will directly identify an end user, without the end user’s consent. To the extent that, pursuant to (a) above, Customer either (1) shares ʪƵ Data with a third party (or requests that ʪƵ do so on Customer’s behalf) for measurement purposes (with such third party being referred to herein as a “Measurement Provider”), or (2) permits a Measurement Provider to obtain ʪƵ Data via a pixel, Customer shall be fully responsible and liable for that Measurement Provider’s use of the ʪƵ Data and compliance with the restrictions specified in this paragraph. Further, where ʪƵ Data is obtained for measurement purposes via a pixel, Customer will ensure that the Measurement Provider only obtains the data necessary to facilitate the specific measurement offering being provided to Customer.
Required Consent. To the extent that any data, including persistent identifiers (such as IP address or device identifiers) or precise geo-location data, about end users are collected, used, transmitted, or processed by or on behalf of Customer or a party on behalf of which Customer is directly or indirectly buying Inventory using ʪƵ Materials, Customer represents and warrants that all necessary disclosures have been provided to and appropriate consents have been or will be obtained from such end user (“Required Consents”), as applicable. These Required Consents include, but are not limited to, those necessary to collect information about individual end users through the use of technologies, such as cookies and pixels, located on the End User’s device, and to pass such information to ʪƵ for processing in accordance with the Agreement. All Required Consents shall be obtained by Customer before any such technologies are set on the applicable End User’s device, regardless of whether such technologies are set directly by Customer or by or through ʪƵ.
ʪƵ Data Use. ʪƵ shall have the right to collect, use, and disclose data transmitted through or otherwise derived from Customer’s use of the ʪƵ Materials as described in the applicable ʪƵ privacy polic(ies).
DATA PROCESSING
ʪƵ will process any Personal Information that Customer includes in its use of the ʪƵ Materials (the “Customer Personal Data”) on Customer’s behalf as a processor, and Customer shall be the controller of such data. Customer represents and warrants that it will not, and it shall not, send any Restricted Personal Information to ʪƵ or the ʪƵ Materials. With regard to Customer Personal Data, ʪƵ shall:
(a) process Customer Personal Data only in accordance with Customer’s documented instructions and not for ʪƵ’s own purposes. If ʪƵ is required to process Customer Personal Data for any other purpose by a law to which ʪƵ is subject, ʪƵ shall inform Customer of this requirement before the processing, unless that law prohibits this on grounds of public interest;
(b) promptly notify Customer if it determines that it cannot comply with its data processing obligations under these Data Terms. In such event, ʪƵ shall work with Customer and take all reasonable and appropriate steps to remediate (if remediable) any processing until such time as the processing complies with the subject requirements. ʪƵ shall immediately cease processing Customer Personal Data if Customer determines ʪƵ has not or cannot correct any non-compliance with these processing requirements within a reasonable time frame;
(c) taking into account the nature of the processing, reasonably cooperate with Customer to respond to any requests, complaints, or other communications from data subjects and regulatory or judicial bodies relating to the processing of Personal Information under the Agreement, including requests from data subjects seeking to exercise their rights under Applicable Laws. In the event that any such request, complaint, or communication is made directly to ʪƵ, ʪƵ shall promptly pass this onto Customer and shall not respond to such communication without Customer’s express authorization;
(d) taking into account the nature of the processing and the information available to ʪƵ, reasonably assist Customer, at Customer’s cost, to ensure compliance with the obligations under the GDPR with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators;
(e) upon termination of this Agreement or upon Customer’s request, destroy all Customer Personal Data (unless a law requires storage of the Customer Personal Data); and
(f) make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in these Data Terms and, upon prior written notice, and not more than once per calendar year, with 30 days’ written notice, contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer at Customer’s cost.
Customer acknowledges and agrees that ʪƵ may retain its Affiliates and other third parties as sub-processors (all together “Sub-Processors”) in connection with the provision of the ʪƵ Materials. ʪƵ shall not subcontract any processing of Personal Information to a Sub-Processor without the prior written consent of Customer. Notwithstanding this, Customer consents to ʪƵ engaging Sub-Processors to process Personal Information provided that ʪƵ:
(1) provides at least 30 days’ prior written notice to Customer of the engagement of any new Sub-Processor;
(2) imposes the same data protection obligations as are imposed on ʪƵ under this Agreement; and
(3) will be liable to Customer for any breach of these Data Terms that is caused by an act, error or omission of such Sub-Processor.
RESTRICTED TRANSFERS
The Parties agree that, when the transfer of Personal Information from Customer to ʪƵ is a Restricted Transfer, it shall be subject to the appropriate SCCs as follows:
(a) in relation to data that is protected by the GDPR, the EU SCCs will apply completed as follows:
1) Module Two will apply;
2) in Clause 7, the optional docking clause will apply;
3) in Clause 9, Option 2 will apply, and the time period for prior written notice of subprocessor changes shall be 30 days;
4) in Clause 11, the optional language will not apply;
5) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
6) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
7) Annex I of the EU SCCs shall be deemed completed with the information in Annex I below; and
8) Annex II of the EU SCCs shall be deemed completed with the information in Annex II below.
(b) in relation to data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:
1) Appendix 1 of the UK SCCs shall be deemed completed with the information in Annex I below; and
2) Appendix 2 of the UK SCCs shall be deemed completed with the information in Annex II below.
(c) in the event that any provision of this Agreement contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
SECURITY
ʪƵ maintains records in accordance with the Sarbanes-Oxley Act. ʪƵ will ensure that its personnel and subcontractors who have access to the Customer Personal Data have committed themselves to confidentiality and are aware of and comply with ʪƵ’s duties and their personal duties and obligations under this Agreement.
ʪƵ will maintain appropriate technical and organizational security measures to ensure a level of security appropriate to the risks that are presented by the processing of Customer Personal Data (“Security Measures”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, ʪƵ agrees to the following Security Measures: (i) Personal Information is not changed while stored, transferred or otherwise processed, unless such change constitutes a functionality of the ʪƵ Services, and Customer has provided its acknowledgement thereof; (ii) Personal Information that is stored, transferred or otherwise processed is encrypted or kept in another equally secure format; (iii) the availability of and access to Personal Information can be ensured in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing is in place; (v) logs are kept of all processing performed under the Agreement; and (vi) appropriate safeguards are in place to restrict and/or limit access to Personal Information to those employees who (a) have a strict need to know in order to perform the ʪƵ Services; (b) have been provided with appropriate training on the handling of Personal Information; and (c) have agreed to confidentiality obligations consistent with the terms herein.
In the event of a Security Incident, ʪƵ shall promptly (and in no event later than 48 hours of becoming aware of such Security Incident) inform Customer and provide written details of the Security Incident, including the type of data affected and the identity of affected person(s) as soon as such information becomes known or available to ʪƵ, and take any measures and actions reasonably appropriate to remedy or mitigate the effects of a Security Incident.
CCPA
With respect to the Parties’ obligations under the California Consumer Privacy Act of 2018 (Title 1.81.5 of the Civil Code of the State of California), together with all effective regulations adopted thereunder (the “CCPA”) relating to a California consumer’s personal information or household, then (and with respect to such Personal Information): (a) ʪƵ is a “service provider” (as defined by CCPA); and Customer is and will be disclosing such Personal Information hereunder to ʪƵ for a “business purpose” (as defined by CCPA), and ʪƵ will process such Personal Information solely on behalf of Customer and only as necessary to perform such business purpose for Customer; and (b) ʪƵ will not: (i) “sell” (as defined by CCPA) Personal Information; or (ii) retain, use, or disclose Personal Information for any purpose (including a “commercial purpose” (as defined by CCPA)) other than the specific purpose of performing services to Customer under this Agreement or outside of the direct business relationship between Customer and ʪƵ. The Parties represent that they understand the restrictions set forth in this section and will comply with them, and, if directed by Customer with regard to a particular California “consumer” (as defined by CCPA), ʪƵ will delete such consumer’s Personal Information.
Annex I
Data Processing Description
This Annex I forms part of the Agreement and describes the processing that ʪƵ (as the processor) will perform on behalf of Customer (as the controller).
A. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: | Visitors of online properties. (i.e., visitors to websites and CTV) |
Categories of personal data transferred: | pseudonymous identifiers relating to consumer devices (including IP address, device identifiers, cookie identifiers); geo location data |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: | N/A |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): | Continuous |
Nature of the processing: | Collection, storage, and dissemination of data to deliver digital advertisements on websites and other devices such as CTV |
Purpose(s) of the data transfer and further processing: | The data processing activities consist of serving and tracking digital advertisements |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | For as long as necessary for the purposes of the engagement |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: | N/A |
B. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance (e.g. in accordance with Clause 13 SCCs) | Where the EU GDPR applies, the Irish Data Protection Authority shall be the competent supervisory authority; where the UK GDPR applies, the UK Information Commissioner’s Office shall be the competent supervisory authority |
Annex II
Technical and Organizational Security Measures
Description of the technical and organizational measures implemented by ʪƵ as the processor to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
ʪƵ has implemented the following security measures:
1. Systems Security.
(a) System Adequacy. ʪƵ has obtained and has configured, with no single points of failure, adequate hardware, software, power, and human capital redundancies to perform its security-related obligations under the Agreement in accordance with commercially reasonable practices. The operating system and software of ʪƵ’s web server(s) and third-party platforms utilized to perform its obligations under the Agreement will be properly configured to commercially reasonable standards, including, but not limited to, disabling all unnecessary services, closing all known and published security deficiencies therein, and permitting access thereto only to authorized personnel, subject to password protection. All currently available security-related software patches for the operating system and software will be applied as soon as practicable (depending on the nature of the security flaw) but not later than thirty (30) days of the release of such patches; provided however if a patch negatively impacts the operating system or software or other systems of ʪƵ, then ʪƵ shall as soon as commercially reasonable correct such security flaws.
(b) Firewall. ʪƵ has implemented and will maintain continuously throughout the Term of the Agreement firewall protection for all of ʪƵ’s networks, databases, technology, platforms, and computer systems. ʪƵ will update such firewall software promptly after such updates become available, provided such updates do not negatively impact the firewall software. ʪƵ will periodically test such perimeter router and firewall devices for effectiveness. Without limiting the foregoing, ʪƵ will promptly report within 24 hours to Customer any known security deficiencies (whether arising from software, network, or facilities deficiencies) discovered by ʪƵ that may affect user information that is personally identifiable or sensitive and/or Confidential Information. ʪƵ will keep a log of all actions taken in response to security incidents related to the systems involved in performing ʪƵ’s obligations under the Agreement. The log will be time and date stamped.
(c) Encryption. ʪƵ will encrypt or hash the passwords in password and username files for their networks, databases, platform, technology, and computer systems involved in performing the Agreement using commercially reasonable encryption levels.
(d) Passwords. ʪƵ will protect networks, databases, software, and computer systems involved in performing the Agreement with a user name and password system. ʪƵ also has two-factor authorization available on the ʪƵ Platform. Customer will be prompted to comply with ʪƵ’s password policy when creating its account credentials. ʪƵ will, when possible, securely log (with time and date) those commands that require additional privileges, to enable a complete audit trail of activities. When individuals terminate their employment with ʪƵ, their passwords and access to privileged password facilities will be terminated immediately.
(e) Accountability. ʪƵ will ensure that individual access and accountability controls are in place with respect to its employees who will have access to the networks, databases, software, technology, platform, Confidential Information, and computer systems involved in performing the Agreement.
(f) Archival Records. ʪƵ will daily (including weekends) create and maintain archival backups of all ʪƵ networks, databases, technology, platform, and software utilized to perform ʪƵ’s obligations to Customer under the Agreement for the sole purpose of enabling restoration of these systems but not necessarily restoration of any user data stored on these systems. Archival backups will be stored on a secure server or on other secure media to which access is restricted only to employees of ʪƵ or authorized third parties on a need to know basis. ʪƵ, with reasonable best efforts, will ensure business continuity during a Disaster (“Disaster” to include, but not limited to: earthquake, flood, fire, storm or other natural disaster, act of God, civil disturbance or commotion, acts of terrorism, disruption of the public markets, war or armed conflict) with three primary objectives: 1) to identify and respond to Disasters; 2) to protect personnel and systems; and 3) to limit damage. ʪƵ is committed to resuming partial operations as soon as reasonably possible depending on the nature and severity of the Disaster.
(g) Maintenance. All networking, software, technology, the platform, and computer systems necessary to perform the Agreement will be maintained in good working order in accordance with commercially reasonable standards throughout the Term pursuant to hardware maintenance support available from trusted, reputable maintenance organizations.
(h) Disposal. ʪƵ will ensure that computer storage devices containing user information are not disposed of unless all such information has been or is to be completely obliterated or destroyed.
2. Security of Physical Premises. ʪƵ will limit access to its facilities related to its obligations under the Agreement throughout the Term to ʪƵ’s employees, employee-accompanied visitors, and contractors using reasonable standard physical security methods. At a minimum, such methods will include restricted access key cards for ʪƵ’s employees, limited access to server rooms and archival backups, and security cameras at key entry points.
3. Background Checks and Security Training. ʪƵ will conduct security background checks and verifications of employment, educational background, and references for all ʪƵ individuals and contractors involved who have access to personally identifiable information and/or Customer’s facilities/servers.
ʪƵ will ensure ongoing awareness in information security and in the protection of information resources for all personnel of ʪƵ whose duties bring such ʪƵ personnel into contact with critical or sensitive information of the Customer or of end users, including ʪƵ IDs and passwords and Client IDs and passwords.
4. Confidentiality Agreements; Use of Subcontractors. Prior to commencing work for Customer, all individuals (employees, contractors, subcontractors, agents, etc.) performing work on behalf of ʪƵ pursuant to the Agreement will be required to agree to be bound by confidentiality agreements.
The parties acknowledge that security requirements change continuously and that effective security demands frequent evaluation and regular improvements of outdated security measures. ʪƵ will therefore continuously evaluate the security measures and update, supplement, and improve them as required.