GDPR DPA Schedule B: Processor Addendum

1. Definitions.

1.1 “Publisher Data” has the meaning set forth in the Agreement.

1.2 “Publisher Instructions” means: (i) Processing to provide the services and perform Adagio’s obligations in the Agreement (including this Processor DPA) and (ii) other reasonable documented instructions of Publisher consistent with the terms of the Agreement.

2. Scope and Duration.

2.1 Roles of the Parties. This Processor Addendum applies to Adagio as a Processor of Publisher Data and to Publisher as a Controller of Publisher Data.

2.2 Scope of Processor DPA. This Processor Addendum applies to Adagio’s Processing of Publisher Data under the Agreement to the extent such Processing is subject to European Data Protection Law. 

3. Processing of Personal Data.

3.1 Publisher Instructions.

(a) Adagio will Process Publisher Data as a Processor only: (i) in accordance with the Publisher Instructions or (ii) to comply with Adagio’s obligations under applicable European Data Protection Law, subject to any notice requirements under applicable European Data Protection Law.

(b) Details regarding the Processing of Publisher Data by Adagio are set forth in the Agreement describing the Services, and the duration of the processing will be for the duration of the Services.  The types of Publisher Data are online identifiers such as cookie IDs and mobile ad identifiers, information based on the Consumer’s browsing activity, information about browsers and devices used, and geolocation information. The limited and specific purposes of Processing for the Processor Services are set forth in the GDPR General Terms. 

(c) Adagio will notify Publisher if it receives an instruction that Adagio reasonably determines infringes European Data Protection Law (but Adagio has no obligation to actively monitor Publisher’s compliance with European Data Protection Law).

3.2 Confidentiality.

(a) Adagio will protect Publisher Data in accordance with its confidentiality obligations as set forth in the Agreement.

(b) Adagio will ensure personnel who Process Publisher Data either enter into written confidentiality agreements or are subject to statutory obligations of confidentiality.

3.3. Compliance with Laws.

(a) Adagio and Publisher will each comply with European Data Protection Law in their respective Processing of Publisher Data.

(b) Publisher warrants and represents that it will comply with European Data Protection Law in its issuing of Publisher Instructions to Adagio. Publisher warrants that it has established and will maintain all necessary lawful bases under European Data Protection Law to enable Adagio to lawfully Process Publisher Data for the purposes contemplated by the Agreement (including under this Processor Addendum), including, as applicable, by obtaining all necessary consents from, and giving all necessary notices to, Data Subjects. Publisher shall indemnify, defend and hold harmless Adagio from any claims, damages, losses, liabilities, costs and expenses (including reasonable attorneys' fees) arising from Publisher's failure to establish or maintain such lawful bases.

3.4 Changes to Laws. The parties will work together in good faith to negotiate an amendment to this Processor Addendum as either party reasonably considers necessary to address the requirements of European Data Protection Law from time to time.

4. Subprocessors.

4.1 Use of Subprocessors.

(a) Publisher hereby provides general written authorization for Adagio to engage Subprocessors to Process Publisher Data as necessary to provide the services, subject to the requirements in this DPA. Publisher specifically authorizes Adagio to engage its Affiliates as Subprocessors. Publisher acknowledges that Adagio may update its Subprocessor list from time to time, and Publisher shall have the opportunity to object to such changes within 30 days of notification.

(b) Adagio will: (i) enter into a written agreement with each Subprocessor imposing data Processing and protection obligations substantially the same as those set out in this Processor Addendum and (ii) remain liable for compliance with the obligations of this Processor Addendum and for any acts or omissions of a Subprocessor that cause Adagio to breach any of its obligations under this Processor Addendum.

4.2 Subprocessor List. Adagio will maintain an up-to-date list of its Subprocessors, including their functions and locations, as specified in its Subprocessor List.

4.3 Notice of New Subprocessors. Adagio may update the Subprocessor List from time to time. Adagio will notify Publisher of any new Subprocessor through updates to the Subprocessor List available at https://adagio.io/legal/sub-processors through its standard notification procedures.

4.4 Objection to New Subprocessors.

(a) If, within 30 days after notice of a new Subprocessor, Publisher notifies Adagio in writing that Publisher objects to Adagio’s appointment of such new Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith.

(b) If the parties are unable to reach a mutually agreeable resolution to Publisher’s objection to a new Subprocessor, Publisher, as its sole and exclusive remedy, may terminate the Order for the affected services for its convenience in accordance with the Agreement.

5. Security.

5.1 Security Measures. Adagio will implement and maintain appropriate technical and organizational measures to protect Publisher Data and protect against Data Breaches, in accordance with Adagio’s Security Measures referenced in the Agreement and as further described the technical and organizational measures set forth at https://adagio.io/legal/tom. Adagio will regularly monitor its compliance with its Security Measures.

5.2 Incident Notice and Response.

(a) Adagio will implement and follow procedures to detect and respond to Data Breaches.

(b) Adagio will: (i) notify Publisher without undue delay after becoming aware of a Data Breach affecting Publisher Data and (ii) make reasonable efforts to identify the cause of the Data Breach, mitigate the effects and remediate the cause to the extent within Adagio’s reasonable control.

(c) Upon Publisher’s request and taking into account the nature of the applicable Processing, Adagio will assist Publisher by providing, when available, information reasonably necessary for Publisher to meet its Data Breach notification obligations under European Data Protection Law.

(d) Publisher acknowledges that Adagio’s notification of a Data Breach is not an acknowledgement by Adagio of its fault or liability.

(e) Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of Publisher Data, including unsuccessful login attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.

5.3 Publisher Responsibilities.

(a) Publisher is responsible for reviewing the information made available by Adagio relating to data security and making an independent determination as to whether the Service meets Publisher’s requirements and legal obligations under European Data Protection Law.

(b) Publisher is solely responsible for complying with Data Breach notification laws applicable to Publisher and fulfilling any obligations to give notices to government authorities, affected individuals or others relating to any Data Breaches.

6. Data Protection Impact Assessment. Upon Publisher’s request and taking into account the nature of the applicable Processing, to the extent such information is available to Adagio, Adagio will assist Publisher in fulfilling Publisher’s obligations under European Data Protection Law to carry out a data protection impact or similar risk assessment related to Publisher’s use of the Services, including, if required by European Data Protection Law, by assisting Publisher in consultations with relevant government authorities.

7. Data Subject Requests.

7.1 Assisting Publisher. Upon Publisher’s request and taking into account the nature of the applicable Processing, Adagio will assist Publisher by appropriate technical and organizational measures, insofar as possible, in complying with Publisher’s obligations under European Data Protection Law to respond to requests from individuals to exercise their rights under European Data Protection Law, provided that Publisher cannot reasonably fulfill such requests independently (including through use of the Services).

7.2 Data Subject Requests. If Adagio receives a request from a Data Subject in relation to the Data Subject’s Publisher Data, Adagio will notify Publisher and advise the Data Subject to submit the request to Publisher (but not otherwise communicate with the Data Subject regarding the request except as may be required by European Data Protection Law), and Publisher will be responsible for responding to any such request.

8. Data Return or Deletion.

8.1 During the Term. During the Term, Publisher may, through the features of the Adagio Platform or such other means specified by Adagio, access, return to itself or delete Publisher Data.

8.2 Post Termination.

(a) Following termination or expiration of the Agreement, Adagio will, in accordance with its obligations under the Agreement, delete all Publisher Data from Adagio’s systems.

(b) Deletion will be in accordance with industry-standard secure deletion practices. Adagio will issue a certificate of deletion upon Publisher’s request.

(c) Notwithstanding the foregoing, Adagio may retain Publisher Data: (i) as required by European Data Protection Law or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Adagio will (x) maintain the confidentiality of, and otherwise comply with the applicable provisions of this Processor Addendum with respect to, retained Publisher Data and (y) not further Process retained Publisher Data except for such purpose(s) and duration specified in such applicable European Data Protection Law.

9. Audits.

9.1 Adagio Records Generally. Adagio will keep records of its Processing in compliance with European Data Protection Law and, upon Publisher’s request, make available to Publisher any records reasonably necessary to demonstrate compliance with Adagio’s obligations under this Processor Addendum and European Data Protection Law.

9.2 Third-Party Compliance Program.

(a) Adagio will describe its third-party audit and certification programs (if any) and make summary copies of its audit reports (each, an “Audit Report”) available to Publisher upon Publisher’s written request at reasonable intervals (subject to confidentiality obligations).

(b) Publisher may share a copy of Audit Reports with relevant government authorities as required upon their request.

(c) Publisher agrees that any audit rights granted by European Data Protection Law will be satisfied by Audit Reports and the procedures of Section 9.3 (Publisher Audit) below.

9.3 Publisher Audit.

(a) Subject to the terms of this Section 9.3, Publisher has the right, at Publisher’s expense, to conduct an audit of reasonable scope and duration pursuant to a mutually agreed-upon audit plan with Adagio that is consistent with the Audit Parameters (an “Audit”), provided that Publisher gives Adagio at least thirty (30) days prior written notice of any proposed audit.

(b) Publisher may exercise its Audit right solely: (i) to the extent Adagio’s provision of an Audit Report does not provide sufficient information for Publisher to verify Adagio’s compliance with this Processor Addendum or the parties’ compliance with European Data Protection Law, and Publisher has first attempted in good faith to resolve any compliance concerns through written documentation from Adagio, (ii) as necessary for Publisher to respond to a government authority audit, or (iii) in connection with a confirmed Data Breach directly attributable to Adagio.

(c) Each Audit must conform to the following parameters (“Audit Parameters”): (i) be conducted by an independent third party auditor mutually agreed upon by the Parties (such agreement not to be unreasonably withheld) that will enter into a confidentiality agreement with Adagio in a form reasonably acceptable to Adagio, (ii) be limited in scope to matters reasonably required for Publisher to assess Adagio’s compliance with this Processor Addendum and the parties’ compliance with European Data Protection Law, (iii) occur at a mutually agreed date and time and only during Adagio’s regular business hours, (iv) occur no more than once annually (unless required by a competent supervisory authority with jurisdiction over the matter), and Publisher shall bear all costs and expenses associated with the audit, including reasonable costs incurred by Adagio in facilitating and supporting the audit, (v) cover only facilities controlled by Adagio, (vi) restrict findings to Publisher Data only and (vii) treat any results as confidential information to the fullest extent permitted by European Data Protection Law.

10. Cross-Border Transfers/Region-Specific Terms.

10.1 Cross-Border Data Transfers.

(a) Adagio (and its Affiliates) may Process and transfer Publisher Data globally as necessary to provide the Services.

(b) For any transfers of Publisher Data from GDPR Countries, the Restricted Transfer Addendum applies.