Data Processing Addendum

Last Updated: 8-14-23

This Data Processing Addendum (“Addendum”) is incorporated by reference into the applicable product terms governing Company’s use of the Services, such as the Master Platform Agreement or product-specific terms (collectively, “Applicable Services Terms”). In the event of an express conflict between this Addendum and the Applicable Services Terms, this Addendum will govern solely to the extent of the conflict. 

1.    Definitions.

1.1    “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.

1.2   “Company Personal Information” means Personal Information contained within Company Data.    

1.3    “Data Protection Law” means applicable privacy laws, including but not limited to the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring of 2022, the Utah Consumer Privacy Act of 2022, and the Virginia Consumer Data Protection Act, in each case as amended and including any regulations promulgated thereunder, and come into effect during the term of the Agreement, except as limited by Section 8 of this Addendum. 


1.4    “Security Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed under this Addendum.


1.5    “Business,” “Business Purpose,” “Commercial Purpose,” “Consumer,”  “Controller,” “Cross-Context Behavioral Advertising,” “Personal Information,” “Process,” “Processor,” “Sell,” “Share,” “Service Provider,” “Targeted Advertising,” and “Third Party” have the meanings given in applicable Data Protection Law. References in this Addendum to “Controller,” “Personal Data,” and “Processor” include “Business,” “Personal Information,” and “Service Provider” respectively.
Capitalized terms used but not defined in this Addendum have the meanings given in the Applicable Services Terms. 

2.    Roles of Parties.

The Parties acknowledge that, with respect to Company Personal Information, Company is a Controller under applicable Data Protection Law and tvScientific is a Processor to Company, except that, pursuant to Section 7 below, tvScientific will operate as a Third Party as to any Company Personal Information of California residents used for Cross-Context Behavioral Advertising. In addition, Section 7 governs Personal Information of California residents that is otherwise Sold to or Shared with tvScientific by Company.

3.      tvScientific Processor Obligations.

3.1  Except as set forth in Section 7 below, tvScientific will Process Company Personal Information in accordance with the Applicable Services Terms, and as further described in Exhibit 1. Company instructs tvScientific to Process such Company Personal Information for these purposes and other purposes permitted of Processors under Data Protection Law.

 

3.2    tvScientific will ensure that any person authorized to Process Company Personal Information under this Addendum is bound by appropriate obligations of confidentiality.

 

3.3    Taking into account the nature of Processing of Company Personal Information under this Addendum, tvScientific will assist Company, insofar as is reasonable and required by Data Protection Law, in meeting Company’s obligations under applicable Data Protection Law, including to respond to requests from users to exercise their rights under applicable Data Protection Laws, assist with data protection impact assessments, and breach notice obligations.

 

3.4    On termination of the Applicable Services Terms, Company instructs tvScientific to delete the Company Personal Information within forty-five days, unless applicable law requires further storage. 

 

3.5    tvScientific will implement technical and organizational measures designed to protect the Company Personal Information from unauthorized access, acquisition, disclosure, destruction, alteration, accidental loss, misuse, or damage.   

 

3.6 To the extent the CCPA applies to any Company Personal Information tvScientific Processes as a Processor, tvScientific will:

3.6.1 Not Sell or Share such Company Personal Information; 

 

3.6.2 Not retain, use, or disclose such Company Personal Information outside of the direct business relationship with Company or for purposes other than those set forth in Section 3.1, unless otherwise permitted for Processors to undertake pursuant to the CCPA;

 

3.6.3 Upon notice from Company of its reasonable belief that tvScientific is Processing Company Personal Information in an unauthorized manner, cooperate with Company in good faith to stop or remediate the allegedly unauthorized use of such Company Personal Information, as necessary, such as by providing documentation verifying certain practices; and

3.6.4   Notify Company without undue delay if tvScientific determines it can no longer meet its obligations under the CCPA.

 

4.    Subcontractors.

Company may review a list of subcontractors engaged by tvScientific as set forth in Exhibit 2 hereto. Before disclosing Company Personal Information to any new subcontractor, tvScientific will provide Company advance notice via email of at least ten (10) business days. Where required by Data Protection Law, Company may object to such subcontractor during the notice period. If the objection cannot be resolved, either Party may terminate use of the Services and the associated Applicable Services Terms. tvScientific will contractually require subcontractors to adhere to protections materially equivalent to those set forth in this Addendum. 

5.1    Upon request, tvScientific will provide to Company information reasonably necessary to demonstrate compliance with its obligations set forth in this Addendum, including, for example, a certificate issued for security verification reflecting the outcome of an audit conducted by a third party auditor. Company may conduct an audit to verify tvScientific’s compliance with this Addendum by reviewing such documentation. 

5.2    In addition, in response to a reasonable request from Company and solely as necessary to fulfill Company obligations under Data Protection Laws, Company may engage a reputable and independent third-party auditor to verify tvScientific’s compliance with this Addendum. Any such audit will (i) occur not more than once per 12-month period; (ii) be at Company’s expense; (iii) be subject to confidentiality and scope limitations set forth by tvSceintific; (iv) take place during regular business hours; and (v) not unreasonably interfere with tvScientific’s business operations.