adops.com Data Processing and Protection Terms 

This Data Processing and Protection Exhibit (“DPA”) supplements the Agreement made by and between Company and Outsourced Ad Ops, LLC, d/b/a adops.com (“Agreement”). 

1.   adops.com PROCESSING OF PERSONAL INFORMATION AS A PROCESSOR 

The following provisions apply when adops.com provides Services to Company that involve the Processing of Company Personal Information by adops.com as a Processor.

a.     Restrictions on Use of Company Personal Information.  The Parties agree that Company Personal Information is disclosed, used and retained only for the Business Purposes set out in Schedule 1.  The Parties further agree that the Categories of Company Personal Information processed by adops.com and the Processing activities performed under the Agreement are set out in Schedule 1.  

adops.com shall Process Company Personal Information to provide the Services and perform Company’s obligations under and in accordance with the Agreement only.  adops.com will not: (i) sell or share any Company Personal Information; (ii) use, retain or disclose Company Personal Information outside of the direct business relationship between adops.com and Company unless expressly permitted by Applicable Laws, or for any commercial purposes other than the business purposes specified in this DPA; and (ii) combine Company Personal Information with Personal Information that adops.com received from or on behalf of another person or client, or collects from its own interaction with a person.   

The Parties agree that adops.com may use Company Personal Information to: (i) build or improve the quality of its services; (ii) comply as required with and in compliance with federal, state and local laws; (iii) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by governmental authorities; (iv) exercise or defend legal claims; and (v) prevent, detect or investigate security incidents, fraud or illegal activity.

b.     Protection of Company Personal Information. adops.com and its permitted Personnel shall maintain and enforce reasonable physical, technical and administrative security procedures and processes for all Company Personal Information that it Processes, consistent with the industry standards and Applicable Laws.  adops.com is not responsible for security measures implemented for Personal Information within the possession or control of Company, on Company’s computer networks and systems or within the control of Company’s third party provider networks and systems.

Subprocessor. All persons appointed by adops.com to process Company Personal Information (“Subprocessors”) will be subject to contract terms that are the same or substantially similar to those in this DPA.  All known adops.com Subprocessors are listed

a.     in Schedule 1.  adops.com agrees that it is liable to Company for the breach of the terms of this DPA by a Subprocessor.  Any additional Subprocessor shall be provided to Company for approval upon 30 days prior notice and if approved shall be added to an amended Schedule 1. 

b.      Data Subject Access Requests.  In the event Company notifies adops.com of any Data Subject Access Request adops.com shall honor such request in accordance with Company’s instruction and Applicable Laws. If adops.com receives a request directly from a person, adops.com will forward the request to Company for handling and implement such request in accordance with Company’s instruction and Applicable Laws.

c.      Return or Disposal.  Unless retention of Company Personal Information is required by law, adops.com shall delete or return (and delete existing copies of) such Company Personal Information within a reasonable period of time following the earlier of: (i) a request by Company, or (ii) following the expiration or termination of the Agreement and the termination or completion of Services.  If adops.com is unable to delete the Company Personal Information for reasons permitted by law, adops.com shall (i) ensure the privacy, confidentiality and security of such Company Personal Information, and (ii) delete the Company Personal Information promptly after the legal reason(s) for the refusal to delete has expired.

d.     Compliance with Laws.  adops.com shall: (i) permit Company to take reasonable and appropriate steps to confirm that adops.com uses Company Personal Information in a manner consistent with Company’s obligations under Applicable Laws; (ii) permit Company to take reasonable and appropriate steps to stop and remediate unauthorized use of Company Personal Information; (iii) subject its employees and each Subprocessor Processing Company Personal Information to a duty of confidentiality with respect to Company Personal Information; and (iv) notify Company if adops.com determines that it can no longer meet its obligations under this DPA and the Agreement.

e.     Data Breach. In the event adops.com becomes aware of an actual or reasonably suspected Data Breach, adops.com shall: (i) promptly communicate the nature and a description of the Data Breach to Company; and (ii) take commercially reasonable steps to assist Company with mitigating or remediating the Data Breach.

f.       Audit. adops.com shall permit Company to perform a data privacy and security audit as set out in the Agreement.

Vendors. adops.com may contract with third parties on behalf of or for the benefit of Company (each, a “Vendor”). Company acknowledges that each Vendor’s processing of Company Personal Information is governed by the Vendor’s agreement and not this DPA.

2.         adops.com PROCESSING OF PERSONAL INFORMATION AS A THIRD PARTY

If required by Applicable Law, solely to the extent adops.com Processes Company Personal Information as a Third Party adops.com shall: (i) process Company Personal Information for the Services.  The Processing activities, purposes and limitations are set out in Schedule 1; (ii) grant Company the right to take reasonable and appropriate steps to ensure adops.com Processes Company Personal Information in a manner consistent with Company’s obligations under Applicable Law; (ii) notify Company if adops.com determines it can no longer meet its obligations under this DPA and the Agreement as related to adops.com’s Processing of Company Personal Information; and (iv) grant Company the right to take reasonable and appropriate steps to stop and remediate adops.com’s unauthorized use of Company Personal Information.

3.         BUSINESS CONTACT DATA

Each party acknowledges that it is an independent data controller with respect to Business Contact Data. “Business Contact Data” is Company Personal Information used in relation to the business relationship between the parties for the purpose of facilitating the Services. Each party represents and warrants that it shall limit the use of Business Contact Data to: (i) perform its obligations under the Agreement in connection with the party’s provision or receipt of the Services and other business or administrative purposes; (ii) comply with applicable legal and regulatory requirements, requests and communications, including from supervisory authorities, courts or tribunals; and (iii) protect its rights and the rights of others in accordance with applicable law. A party may disclose Business Contact Data with third parties for one or more of the purposes in (i) – (iii) above. To the extent required by law, the parties agree that Module One of the standard contractual clauses issued pursuant to EU Commission Decision 2021/914/EU of 4 June 2021, available at http://data.europa.eu/eli/dec_impl/2021/914/oj (the “SCCs”), apply when Business Contact Data originating from the European Economic Area, the United Kingdom (“UK”), or Switzerland is Processed by adops.com under the Agreement. For transfers of Business Contact Data subject to the UK’s Data Protection Act 1998, the SCCs and the UK Addendum, available at international-data-transfer-addendum.pdf (ico.org.uk), apply. Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum.

4.         INSURANCE

adops.com will obtain and maintain at its own expense the following insurance coverage for the benefit of Company:

a.     Commercial general liability insurance written on an occurrence basis with limits of at least Two Million Dollars ($2,000,000) per occurrence and Four Million Dollars ($4,000,000) in the aggregate; and

b.     Professional liability insurance, including cybersecurity, with excess limits of at least Five Million Dollars ($5,000,000) in the aggregate.

5.         INDEMNIFICATION; LIMITATION OF LIABILITY

Each party acknowledges and agrees that this DPA is subject to the indemnification and limitation of liability provisions in the Agreement.

6.         DEFINITIONS

For the purposes of this DPA, the following terms will have the meaning ascribed below:

a.     “Applicable Law(s)” shall mean all privacy, security, and data protection laws, rules, regulations, ordinances and regulatory guidance applicable to adops.com’s Processing of Company Personal Information under this DPA, including all related amendments and implementing regulations, all as may be amended, restated or replaced from time to time.

b.     “Data Breach” shall mean a “security breach,” “data breach,” or comparable terms as defined under Applicable Law.

c.      “Data Subject Access Request” shall mean a verified request by an individual under Applicable Law to disclose, correct, or delete any Personal Information, or to opt-out of the Sale or Sharing of Personal Information, or to limit the use and disclosure of Sensitive

d.     “Company Personal Information” shall mean all Personal Information, including Sensitive Personal Information, that is Processed by or on behalf of, or made available to, adops.com in the course of providing the Services under the Agreement.

e.     “Personnel” means any employees, agents, contractors or affiliates, that a party uses to perform its obligations or exercise its rights under the Agreement.

f.       “Services” means the services supplied by adops.com to Company under the Agreement.

g.     “Subprocessor” means subcontractors, which process Personal Information on behalf of adops.com under this DPA.

h.     The terms  “Business”, “Business Purpose”, “Consumer”, “Controller”, Personal Information”, “Processor”, “Processing”, “Sale”, “Sensitive Personal Information”, “Share”, “Service Provider”, “Third Party” and similar terms as otherwise defined under Applicable Law, shall have the same meaning ascribed to them under Applicable Law.

Schedule I: Description of Personal Information Processing

1.      adops.com Solutions and Purpose of Processing

The purposes of the processing to enable adops.com to provide Company with the following Services (as applicable):

Google Ad Manager, AdX, and Open Bidding:  Reporting analytics and ad metrics (adops.com DPA required for Business Contact Data only as adops.com processes aggregated data access only and has no access to any other Company Personal Information). 

adops.com Ad Sales:  Ad inventory placement, troubleshooting and trafficking.  (adops.com DPA required for Business Contact Data only as adops.com has no access to any other Company Personal Information). 

Adwallet:  Software that automates the tear-sheet process for  advertisements actively running on publishers’ online properties. (adops.com DPA required for Business Contact Data only as adops.com has no access to any other Company Personal Information).

iAdOps: Campaign reporting metrics platform. (adops.com DPA required for Business Contact Data only as adops.com has no access to any other Company Personal Information).

Burt Intelligence:  Advertising reporting platform which pulls in data from third party ad servers.  (adops.com DPA is required for Business Contact Data only as adops.com has no access to any other Company Personal Information).

Magnite Demand Manager ~and~ PubMatic OpenWrap:  Header platform for reporting analytics and ad targeting.  (adops.com DPA required as adops.com has access to Company Personal Information for consumer ad analytics and targeting).

adops.com Alpha Video:  Ad server platform for reporting analytics and ad targeting.  (adops.com DPA required as adops.com has access to Company Personal Information for consumer ad analytics and targeting).

adops.com Email Ad Connector:  Email campaign trafficking, management and reporting.  (adops.com DPA required as adops.com has access to Company Personal Information for consumer ad analytics and targeting).

SpringServe Reseller:  SpringServe platform for reporting analytics and ad targeting.  (adops.com DPA required as adops.com has access to Company Personal Information for consumer ad analytics and targeting).

Professional Services:  adops.com professional services. (adops.com DPA required if, and solely to the extent, adops.com has access to Company Personal Information in adops.com’s provision of professional services to Company).

2.      Subject matter of Processing

 The subject matter of the processing of Company Personal Information is set out in the Agreement and this adops.com DPA.

3.       Duration of Processing

The duration of the processing activities shall be for the term set forth in the Agreement and the duration of the Services.

4.      Frequency of Transfer

The Company Personal Information transferred is transferred for the duration of the Services.

5.      Categories of Personal Information

Company may transfer and adops.com may process the following Company Personal Information in order for adops.com to perform Services:

Company Personal Information: online identifier (any unique identifier), Internet Protocol address, email address, Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a Consumer’s interaction with an Internet Web site, application, or advertisement, and geolocation data (imprecise, such as location based on IP address, zip code, or city)

Business Contact Data: name or alias, postal address, online identifier (any unique identifier), Internet Protocol address, email address, telephone number, employment or professional information, Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a Consumer’s interaction with an Internet Web site, application, or advertisement, and geolocation data (imprecise, such as location based on IP address, zip code, or city)

6.      Business Purposes and Services

The purpose of the processing of Company Personal Information by adops.com is the performance of the Services on behalf of Company, including the following business purposes:

  • For the specific services above utilized by Company and only for those purposes.

  • Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

  • Debugging to identify and repair errors that impair existing intended functionality.

  • Performing analytic services or similar services.

  • Providing advertising and marketing services, except for cross-context behavioral advertising, to the Consumer.

  • Undertaking internal research for technological development and demonstration.

7.      Data Subjects

Consumers whose personal information is subject to processing may include: (1) customers of Company, and (2) Consumers visiting Company’s website and (3) employees and other personnel working for or on behalf of a Company or its agents.

8.    Permitted Subprocessors

As applicable, per the Services utilized under the Agreement.

9.     Email contact address for DSARs

adops.com’s email address for receiving notices of exercises of Data Subject Rights is privacy@adops.com

Schedule II: EU Addendum 

The terms used in this EU Addendum will have the meanings set forth herein. Capitalized terms not otherwise defined herein will have the meaning given to them in the Agreement and DPA. Except as modified below, the terms of the Agreement and DPA will remain in full force and effect.

The Parties agree that the standard contractual clauses issued pursuant to EU Commission Decision 2021/914/EU of 4 June 2021, available at http://data.europa.eu/eli/dec_impl/2021/914/oj (the “SCCs”), apply when Company Personal Information originating from the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland is Processed by Company under the Agreement (collectively “Personal Information”). In addition the following terms of this EU Addendum shall apply:

1.     Parties

1.1   Effective Date:

1.2  Data Exporter (Company; as defined in the Agreement):

1.3  Data Importer (adops.com; as defined in the Agreement):

2.    The EU SCCs, together with Schedule I and this EU Addendum, shall be deemed to be incorporated by reference into the DPA, apply for the benefit of both parties, all in accordance with the following: 

2.1   Module 2 of the SCCs applies as follows:

2.1.1     Clause 7 of Module 2 is not included;

2.1.1     Under Clause 9 of Module 2, the parties select Option 2 (General Written Authorisation) for the engagement of the sub-processor(s) set out in Schedule I (Permitted Subprocessors) of the DPA upon 30 days’ notice;

2.1.2    Under Clause 17 of Module 2, these SCCs shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland;

2.1.3    Under Clause 18 of Module 2, the Parties select the courts of the Republic of Ireland;

2.1.4    Annex I(A), I(B), and I(C) of Module 2 are completed as set forth in Schedule I of the DPA and as follows:

2.1.4.1         Maximum data retention periods, if applicable. The EU Personal Information transferred is retained for so long as is necessary for adops.com to perform its obligations under the Agreement or as otherwise necessary for adops.com’s compliance with its legal and regulatory obligations.

2.1.4.2         EU Personal Information transferred to and processed by sub-processors

2.1.4.2.1 Subject matter, nature, and duration of Processing by sub-processors:  See Schedule I (Permitted Subprocessors) above.

2.1.4.2.2 Subprocessor Technical and Organisational Measures (“TOMs”): Subprocessors, in order to provide assistance to the data exporter shall implement and maintain technical and organisational measures that meet or exceed adops.com’s Security Statement (defined below).

2.1.4.2.3 Supervisory Authority. To the extent applicable, the competent supervisory authority/ies in accordance with Clause 13 shall be the Republic of Ireland.

2.1.5     Annex II of Module 2 is completed as set forth at in our Security Statement.

3.    For transfers of EU Personal Information subject to the UK’s Data Protection Act 1998, the SCCs and the UK Addendum, apply as follows:

3.1        Start date: See the Effective Date above. 

3.2       Key Contact: As set out in the EU Addendum and the Agreement.

3.3       SCCs: The version of the Approved EU SCCs as referenced above, including the Appendix Information are incorporated into this EU Addendum.

3.4       Signature: See Signature Block below.

3.5       Annex 1A: List of Parties: See above.

3.6       Annex 1B: Description of Transfer: See Schedule I of the DPA.

3.7    Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Security Statement.

3.8     Annex III: List of Subprocessors (Module 2): See Schedule I of the DPA.

3.9     Ending Addendum: Neither Party may end this UK Addendum as set out in Section 19.

3.10 Part 2: Mandatory Clauses: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with S119A (1) of the Data Protection Act 2018 on 2 February 2022.

4.  Order of Applicability. The SCCs are subject to the terms and conditions of the DPA and the Agreement.  In the event of a conflict between the DPA, the SCCs and the Agreement, the SCC’s and the UK Addendum, as is applicable shall prevail.  Each party acknowledges that it has had the opportunity to review the SCCs and the UK Addendum.

adops.com – Classification of Services

What is Personal Information?

When we use the term “Personal Information” we mean the information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, to a person.  This includes a consumer, a California/EU job applicant/employee, and California/EU business-to-business contact. 

What is and is not included in Personal Information?

  • It does include emails, names, address, devices identifiers, online identifiers, shopping behavior, browsing behavior, employment related information, government identification, social security number, bank account or financial account information, education information, mobile and telephone numbers, date of birth, device and computer information, olfactory and thermal data, ethnicity, citizenship or immigration status, health insurance data, medical or health related data, race, religious beliefs, union membership, genetic information, marital status, biometric data, geolocation data, other sensitive data, and inferences from the above data to create a profile. 

  • It does not include aggregated, deidentified, or information that does not identify or can be reasonably linked to a person, (Check with us if you want to use those exceptions as they are specifically defined under applicable laws).

The above mentioned terms are incorporated herein by reference and govern our processing of any personal data on your behalf.