This Data Processing Agreement (“DPA”) forms part of the OpenX Ad Exchange Supply Agreement between Customer and OpenX (the “Agreement”) pursuant to which OpenX will provide the Services (as defined in the Agreement) to Customer. OpenX agrees to comply with the following provisions with respect to any Personal Data Processed for Customer in connection with the provision of the Services. References to the Agreement will be construed as including this DPA. For the purpose of this DPA, Customer is the Data Controller and OpenX is the Data Processor. Any capitalized terms not defined herein shall have the respective meanings given to them in the Agreement.
“Affiliates” means any entity which is controlled by, controls or is in common control with OpenX.
“Customer” means the Customer that has executed the Agreement for Services.
“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
“Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the individual to whom Personal Data relates.
“OpenX” means the OpenX entity that is a party to the Agreement.
“Personal Data” means any information relating to an identified or identifiable person. The types of Personal Data and categories of Data Subjects Processed under this DPA include but are not limited to the following: IP addresses, location data, interest segments, device data, retargeting data, advertising data, browser generated data, and online identifiers of the end users of digital properties.
“Privacy Shield” means the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
“Security Breach” has the meaning set forth in Section 7 of this DPA.
“Sub-processor” means any Data Processor engaged by OpenX.
2) PROCESSING OF PERSONAL DATA
2.1 The parties agree that with regard to the Processing of Personal Data, Customer is the Data Controller and OpenX is the Data Processor.
2.2 Customer shall, in its use or receipt of the Services, Process Personal Data in accordance with the requirements of the Data Protection Laws and Customer will ensure that its instructions for the Processing of Personal Data shall comply with the Data Protection Laws. If OpenX believes or becomes aware that any of Customer’s instructions conflicts with any Data Protection Laws, OpenX shall inform Customer. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer obtained the Personal Data.
2.3 During the Term of the Agreement, OpenX shall only Process Personal Data on behalf of and in accordance with the Supply Agreement and Customer’s instructions and shall treat Personal Data as confidential information. Customer instructs OpenX to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and any applicable orders; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement. OpenX may Process Personal Data other than on the instructions of the Customer if it is required under applicable law to which OpenX is subject. In this situation OpenX shall inform the Customer of such a requirement unless the law prohibits this on important grounds of public interest. The objective of Processing of Personal Data by OpenX is the performance of the Services pursuant to the Agreement.
3) RIGHTS OF DATA SUBJECTS
3.1 To the extent Customer, in its use or receipt of the Services, does not have the ability to correct, amend, restrict, block or delete Personal Data, as required by Data Protection Laws, OpenX may use commercially reasonable efforts to comply with reasonable requests by Customer to facilitate such actions to the extent OpenX is legally permitted to do so.
3.2 OpenX shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the Processing of that person’s Personal Data. OpenX shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer. OpenX shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use or receipt of the Services.
4) OPENX PERSONNEL
4.1 OpenX shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, and are subject to obligations of confidentiality and such obligations survive the termination of that individual’s engagement with OpenX.
4.2 OpenX shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Services.
5.1 Customer acknowledges and agrees that (i) OpenX Affiliates may be retained as Sub-processors; and (ii) OpenX may engage third-party Sub-processors in connection with the provision of the Services. Any such Sub-processors will be permitted to obtain Personal Data only to deliver the services OpenX has retained them to provide, and are prohibited from using Personal Data for any other purpose. OpenX agrees that any agreement with a Sub-processor will include substantially the same data protection obligations as set out in this DPA.
5.2 A list of Sub-processors is available in the OpenX Community. OpenX may change the list of such other Sub-processors by no less than 5 business days’ notice via the OpenX user interface. If Customer objects to OpenX’s change in such other Sub-processors, Customer may, as its sole and exclusive remedy terminate the portion of any Agreement relating to the Services that cannot be reasonably provided without the objected-to new Sub-processor by providing 30 days’ written notice to OpenX.
5.3 OpenX shall be liable for the acts and omissions of its Sub-processors to the same extent OpenX would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
6) SECURITY; AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS
6.1 OpenX shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data.
6.2 No more than once per year, Customer may engage a mutually agreed upon third party to audit OpenX solely for the purposes of meeting its audit requirements pursuant to Article 28, Section 3(h) of the General Data Protection Regulation (“GDPR”). To request an audit, Customer must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to firstname.lastname@example.org. The auditor must execute a written confidentiality agreement acceptable to OpenX before conducting the audit. The audit must be conducted during regular business hours, subject to OpenX’s policies, and may not unreasonably interfere with OpenX’s business activities. Any audits are at Customer’s expense.
6.3 Any request for OpenX to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law. Customer shall reimburse OpenX for any time spent for any such audit at the rates agreed to by the parties. Before the commencement of any such audit, Customer and OpenX shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by OpenX. Customer shall promptly notify OpenX with information regarding any non-compliance discovered during the course of an audit.
6.4 OpenX will reasonably cooperate with Customer, at Customer’s expense, to assist Customer in ensuring compliance with Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to OpenX.
7) SECURITY BREACH MANAGEMENT AND NOTIFICATION
7.1 If OpenX becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Customer Personal Data transmitted, stored or otherwise Processed on OpenX’s equipment or in OpenX’s facilities (“Security Breach”), OpenX will promptly notify Customer of the Security Breach.
7.2. Customer agrees that an unsuccessful Security Breach attempt will not be subject to this Section. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Customer Personal Data or to any of OpenX’s equipment or facilities storing Customer Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
7.3. Notification(s) of Security Breaches, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means OpenX selects, including via email. It is Customer’s sole responsibility to ensure it maintains accurate contact information on OpenX’s support systems at all times.
8) RETURN AND DELETION OF CUSTOMER DATA
OpenX shall delete or return Customer Data to Customer after the end of the provision of Services under the Agreement and shall delete existing copies unless applicable law requires storage of such data.
9) PRIVACY SHIELD
OpenX self-certified to and complies with the Privacy Shield, and OpenX shall maintain its self-certification to and compliance with the Privacy Shield with respect to the Processing of Personal Data that is transferred from the European Economic Area or Switzerland to the United States.
10) PARTIES TO THIS DPA
Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.