This Privacy and Data Protection Addendum (“Addendum”) is incorporated into and is subject to the terms and conditions of the agreement (“Agreement”) entered into between BidMachine, Inc. (“BidMachine”) and the Supply Partner indicated in the Agreement (the “Company”) for the disclosing of personal data through Company’s use of the services provided by BidMachine in accordance with the Agreement (“Services”). This Addendum is effective as of the Agreement Effective Date.
In this Addendum, BidMachine and the Company may be collectively referred to as the "Parties" or individually as a "Party".
To the extent you are using the Services, you shall be deemed to have accepted this Addendum upon acceptance or execution of the applicable Agreement.
In addition to the terms defined in the Agreement and above, the following terms shall have the following meanings for the purposes of this Addendum:
a. “Ad Partners” means any supply-side partner or demand-side partner involved in providing the Services.
b. “Affiliates” means with respect to a party, all entities which, directly or indirectly, control, are being controlled by, or are under common control with such party.
c. “Publisher Properties” means the “Publisher Properties” as defined in the Agreement.
d. “BidMachine Privacy Policy” means the privacy policy available at BidMachine’s official website: https://bidmachine.io/home/privacy-policy/
e. “Data Protection Laws” means the relevant data protection, data security, data retention, and data privacy laws, rules and regulations to which the Personal Data are subject. With respect to EU Personal Data, “Data Protection Laws” shall include the EU General Data Protection Regulation 2016/679 (hereinafter “GDPR”).
f. "Shared Personal Data" means Personal Data that is processed by one Party, provided that such Party received such Personal Data from the other Party as part of their obligations under the Agreement. A Party is also considered to have "received" Personal Data from the other Party when it is granted access to the Personal Data.
g. “Standard Contractual Clauses” means the Standard Contractual Clauses as annexed to Commission Implementing Decision (EU) 2021/914 (the "EU SCCs"). The Parties acknowledge that the provided link to access the current version of the EU SCCs may change or become unavailable in the future. In such cases, the Parties shall make reasonable efforts to identify and use an alternative official source or platform designated by the European Commission to access the applicable and up-to-date version of the EU SCCs.
For clarity, “Controller”, “Data Subject”, “Personal Data”, “Data Transfer”, “Data Breach”, “Processing” (and “Process”) and “Processor” shall have the meanings given in the GDPR.
2. ROLES. Company and BidMachine acknowledge that each party Processes the Shared Personal Data under or in connection with the Agreement as separate Data Controllers. Each Controller will individually determine the purposes and means of its Processing of the Shared Personal Data and is responsible for processing Shared Personal Data in accordance with applicable Data Protection Laws.
The Parties shall process the Shared Personal Data for the purposes described in the Agreement (or as otherwise agreed in writing by the Parties) (the “Permitted Purposes”).
3. COMPLIANCE WITH LAWS/LIABILITY. Each Party complies and will continue to comply with its obligations relating to the Shared Personal Data under applicable Data Protection Laws, including:
a) In its role as an independent Controller of the Shared Personal Data, each Party is responsible for applying an appropriate legal ground for processing the Shared Personal Data.
As BidMachine has no direct relationship with any Data Subject viewing advertisements delivered to Publisher Property, Company will only transfer any Personal Data to BidMachine through a bid request on the basis of a lawful basis for processing such Personal Data.
In particular, because Company has a direct relationship with any Data Subject viewing advertisements delivered to Publisher Properties, and where Data Subject's consent is the only lawful basis for processing Personal Data, the Company agrees to obtain the Data Subject's consent for BidMachine and Ad Partners. Such consent shall be collected by implementing a mechanism on each Publisher Property on which the Services are to be provided. Company shall: (i) obtain a valid consent from the Data Subjects in accordance with the relevant Data Protection Laws, in particular, where GDPR applies, ensuring that the consent is express, freely given, specific, informed, and unambiguous; (ii) provide Data Subjects with a prominent notice that the Data Subject’s Personal Data will be processed by BidMachine and Ad Partners for the Permitted Purposes, specifically informing Data Subjects that this is a Data Transfer; (iii) provide Data Subjects with a link to BidMachine's Privacy Policy; (iv) provide Data Subjects with all necessary disclosures and obtain all necessary consents prior to providing the Service; (v) transmit consent signal to BidMachine in the format agreed by the Parties; and (vi) provide all necessary opt-out mechanisms, in each case as required to comply with Data Protection Law.
b) Each Party must establish and uphold the necessary mechanisms to comply with Data Subject Rights as outlined by Data Protection Laws and respond to inquiries from competent data protection authorities, without prejudice to the obligations outlined in Section 6 of this Addendum.
c) Neither Party may process the Shared Personal Data for any purpose other than what is specified in their respective privacy policies, unless such Processing is also authorized under Data Protection Laws.
d) Each Party must ensure that all employees or other authorized users involved in the Processing of the Shared Personal Data adhere to the terms of this Addendum.
e) Each Party must implement technical and organizational security measures to prevent accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, or access to the Shared Personal Data, as well as any other security incidents that qualify as a "personal data breach" under Data Protection Laws. This will include limiting access to the Shared Personal Data to those personnel who require such access only as necessary to fulfill such Party’s obligation under the Agreement.
f) Both Parties agree that any agreement with a subprocessor must comply with Data Protection Laws.
4. LIMITATION ON USE AND COMPLIANCE WITH LAWS AND REGULATIONS. Each Party shall only use or otherwise process the Personal Data in accordance with this Addendum and with all applicable Data Protection Laws. Each Party shall be individually and separately responsible for complying with the obligations under applicable Data Protection Laws that apply to it as independent Controller.
To the extent permitted under applicable Data Protection Laws, neither Party shall be liable (whether jointly or severally) for any compensation, damages, losses, fees, or costs resulting from the other Party’s Processing of the Personal Data.
If either Party receives the Shared Personal Data of the other Party in hashed or otherwise obfuscated format intended to conceal the identities of Data Subjects to whom it relates, such Party shall: (i) not attempt to reverse engineer or otherwise try to re-identify Data Subjects to whom the de-identified Personal Data relates unless instructed to do so by the other Party or in the cases established by Data Protection Laws; and (ii) only share the Shared Personal Data in the format it received it from the other Party. If a Party does not receive the Shared Personal Data in de-identified format, but the other Party instructs the receiving Party to only share the Shared Personal Data in a de-identified format, the receiving Party shall ensure it is de-identified (in accordance with industry standards) before it is shared with third parties.
5. SECURITY INCIDENTS. Each party shall provide the other party prompt written notice, without undue delay and within the time frame required by Applicable Data Protection Laws, if the notifying party knows or suspects that a security incident has occurred with respect to the Personal Data within a reasonable time (24 hours). If a security incident affects both parties, the parties agree to coordinate with respect to any communications or notifications that are sent to the Data Subject regarding such security incident.
6. ASSISTANCE. Both Parties are obligated to promptly notify each other, unless prohibited by applicable Data Protection Law, of any received requests to exercise Data Subject rights related to the Shared Personal Data. These notifications should be made in accordance with the requirements of Data Protection Law, ensuring that the Parties are informed of any such requests without any unreasonable delay. Each Party will provide the other Party with all necessary assistance in connection with such requests by Data Subjects.
In the event of a dispute or claim brought by a Data Subject or any regulatory authority concerning the Processing of Personal Data against either or both Parties, the Parties will inform each other about any such disputes or claims and will cooperate with a view to resolving them within a reasonable time.
7. AUDIT. Each Party will make available all information necessary to demonstrate its compliance with this Addendum and will permit and contribute to any data audits reasonably required by the other Party upon prior written request and advance notice. The auditing party will not exercise its audit rights more than once in any twelve-month period, unless required by a data protection authority or if the auditing party reasonably believes a further audit is necessary due to a Data Breach or other data protection grounds.
Company agrees to provide evidence of consent collected according to clause 3.a).(i) promptly upon BidMachine's request.
8. STANDARD CONTRACTUAL CLAUSES. The Parties agree to use the EU SCC as the adequacy mechanism supporting the Data Transfer and Processing of the Shared Personal Data, if the Processing of the Shared Personal Data is subject to EU Data Protection Law. For the purposes of the SCCs:
(a) Module 1 (controller to controller) will apply;
(b) the optional docking clause in Clause 7 will apply;
(c) The optional language within clause 11(a) of the SCCs will not apply;
(d) Option 1 of clause 17 will apply and the SCCs will be governed by the laws of Spain;
(e) Pursuant to clause 18(b) of the SCCs, the Parties shall resolve disputes under the SCCs before the courts of Barcelona (Spain);
(f) Annex 1 shall be deemed to incorporate the information in Exhibit A;
(g) Annex 2 shall be deemed to incorporate the information in Exhibit B.
9. MISCELLANEOUS. Any alteration or modification of this Addendum is not valid unless made in writing and executed by duly authorized personnel of both Parties. Invalidation of one or more of the provisions under this Addendum will not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same objectives. BidMachine acknowledges that Company and/or its Affiliates may disclose this Addendum and any relevant privacy provisions in the Agreement to any supervisory authority, regulator or other competent authority, to the extent required by applicable law. Such disclosure will not constitute breach of Company’s confidentiality obligation under the Agreement.
Each Party represents and warrants that (i) the person executing this Addendum on its respective behalf has the legal authority to bind such party, and (ii) it has the right, power, and authority to (a) enter into this Addendum, (b) make the representations and warranties contained herein, and (c) commit to and perform the respective duties, obligations and covenants set forth hereunder.
This Addendum shall be incorporated into and form part of the Agreement. In case of any conflict between a provision of the Addendum and the Agreement, as it relates to Personal Data, the provision of the Addendum shall prevail. Capitalized terms used herein and not defined herein will have the meaning set forth in the Agreement and/or the applicable Data Protection Laws.
Signature and date: Deemed signed and effective as of the date set forth in the Agreement.
Data exporter
Company (As specified in the Agreement)
Role: Controller
Data importer
BidMachine, Inc
Address: 201 West 5th Street, Floor 11, Office 58, Austin, TX, USA 78701
Emails: [email protected] [email protected]
Role: Controller
Activities relevant to the data transferred under the Addendum and the EU SCC
The Services as set out in the Agreement
Data subjects
The personal data transferred concern the following categories of data subjects:
For the Advertising Service:
- Publisher Property’s users
For the Website:
- Company’s employees, agents, advisors, freelancers using BidMachine website or dashboard;
- Company prospects, customers, business partners and vendors’ employees using BidMachine website or dashboard.
Purposes of the transfer(s)
The transfer is made for the following purposes:
For the Advertising Service:
- to provide the Service
- to assess the performance of the Service
For the Website:
- Account Registration
- Communications with Service Provider
Categories of data
The personal data transferred concern the following categories of data:
For the Advertising Service:
- Online Identifiers: Location (Country level only), IP address, Advertisement ID
- User data: gender, language, age, relationship status, interests, device data, application data
For the Website:
- email address
- IP address
Recipients
The personal data transferred may be disclosed only to the following recipients or categories of recipients:
- Data Importer’s employees and its business partner’s employees (according to the Data Importer’s Privacy Policy);
- Ad Partners (as described in the Addendum).
Sensitive data (if appropriate)
The personal data transferred concern the following categories of sensitive data:
- No Sensitive data processed
Additional useful information (storage limits and other relevant information)
The transfer is made for the following purposes:
- The data importer will access, reproduce, display and store the relevant personal data in order to provide the services as set out in the Agreement and for no other purposes whatsoever.
Identify the competent supervisory authority/ies in accordance with Clause 13
AEPD (Agencia Española de Protección de Datos)
The technical and organizational security measures implemented by BidMachine include:
In alignment with the provisions outlined in the Data Protection Agreement (DPA), BidMachine has diligently instituted and continually maintains an array of appropriate administrative, physical, and technical safeguards designed to uphold the security, confidentiality, and integrity of Personal Data, as specified below:
1. Measures for Pseudonymization and Encryption of Personal Data:
- A. BidMachine integrates data minimization and privacy-by-design principles into its software and product/service development lifecycle, employing pseudonymized data to prevent incongruent use of Personal Data as stipulated in the Agreement. For instance, BidMachine exclusively operates with pseudonymized data, bolstered by global controls that forbid internal personnel and relevant subprocessors from re-identifying data to directly identifiable Personal Data (e.g., name, address).
- B. BidMachine refrains from utilizing sensitive Personal Data (e.g., “special categories of Personal Data” under GDPR) or directly identifiable Personal Data within its Services.
- C. Industry-standard cryptography is harnessed when storing Personal Data (e.g., encryption at rest) and when utilizing hashed or other cryptographically safeguarded identifiers, wherever feasible.
2. Measures for Ensuring Ongoing Confidentiality of Processing Systems and Services:
- A. BidMachine has methodically implemented and continuously maintains a comprehensive written information security program, complemented by measures that assure the integrity, availability, and security of Personal Data. This entails periodic vulnerability scans and the application of endpoint protection.
- B. BidMachine meticulously maintains a documented data retention/deletion schedule in accordance with the specified retention/deletion periods.
3. Measures for Ensuring Ongoing Integrity of Processing Systems and Services:
- A. BidMachine has diligently established and sustains a meticulously crafted written information security program encompassing administrative, technical, and physical safeguards. These safeguards are expressly designed to mitigate the risk of potential Data Breaches and adeptly address actual or reasonably suspected Data Breaches, in accordance with both industry best practices within BidMachine's sector and any security requisites mandated by Data Protection Laws.
4. Measures for Ensuring Ongoing Availability and Resilience of Processing Systems and Services:
- A. BidMachine ensures the availability and resilience of Personal Data via its comprehensive written information security program. This encompasses secure and monitored operational sites, auditable logs, a resilient infrastructure supported by judicious redundancies, processes and policies that facilitate incident response and vendor due diligence, business continuity plans, backup procedures, and disaster recovery plans.
5. Measures for Ensuring the Ability to Restore Availability and Access to Personal Data:
- A. As expounded above.
6. Processes for Regularly Testing, Assessing, and Evaluating the Effectiveness of Technical and Organizational Measures:
- A. BidMachine conducts annual reviews and testing of security measures and the written information security program. These activities are meticulously aligned with the stipulated requirements and industry best practices.
- B. Security compliance is seamlessly integrated into BidMachine's product/service development lifecycle. Regular collaborative efforts within BidMachine's teams ensure the perpetual currency of these standards.
7. Measures for User Identification and Authorization:
- A. BidMachine has instituted procedures to authenticate and effectively respond to requests from Data Subjects. These procedures steadfastly adhere to the tenets of Data Protection Laws.
- B. Operational and technical controls are firmly in place, assuring precise system access control concerning Personal Data and associated infrastructure. These controls grant access exclusively to authorized personnel in line with the principle of “need to know,” thereby ensuring that unauthorized current or former personnel cannot improperly access such systems.
8. Measures for the Protection of Personal Data During Storage:
- A. As elucidated earlier, and in the broader purview of the Agreement, BidMachine scrupulously adheres to limitations governing the Processing of Personal Data.
- B. BidMachine methodically implements and sustains data minimization procedures with regard to Personal Data stored on BidMachine's systems or those of its subprocessors.
9. Measures for Ensuring the Physical Security of Locations Where Personal Data is Processed:
- A. Facilities implicated in the Processing of Personal Data are accessible solely to authorized personnel. The security measures encompass both logical and physical controls, including but not limited to two-factor authentication, firewalls, anti-malware provisions, access controls, VPNs, access badges and logs, and physical barriers.
10. Measures for Ensuring Accountability:
- A. BidMachine has executed a data mapping exercise in compliance with Data Protection Laws, accompanied by the meticulous generation of a comprehensive record detailing Processing activities.
- B. BidMachine has judiciously implemented a privacy program tailored to the scope and character of Personal Data Processing. This encompasses a conscientious review and adherence to appropriate self-regulatory frameworks, meticulous execution of data protection impact assessments, and the appointment of a data protection officer (DPO) or other individuals vested with the responsibility for privacy and data security, as warranted.
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.