Home/Privacy and Terms/

Pangle Publisher Service Agreement

Last update: August 2022

Previous version

This Pangle Publisher Agreement (“Agreement”) constitutes a legally binding agreement between you (“Partner”) and Bytedance Pte. Ltd (“Pangle”) with respect to your access to and use of the Pangle Platform, Technology and Services (defined below).

By providing your information and signing up to the Pangle Platform, or otherwise starting to use the Pangle Platform, Technology and Services, you acknowledge and represents that you have read and fully understand the provisions of this Agreement and have had sufficient time and opportunity to take appropriate advice prior to agreeing to be bound by this Agreement.  IF YOU DO NOT AGREE TO ALL OF THE PROVISIONS OF THIS AGREEMENT, YOU MUST NOT USE THE PANGLE PLATFORM, TECHNOLOGY OR SERVICES.

If you are using the Pangle Platform on behalf of a company or organisation, then you represent and warrant that you are an authorised representative of such company or organisation and have the authority to bind such company or organisation to this Agreement. “Partner” shall be taken to refer to the company or organisation you represent.


Terms and Conditions


1. DEFINITIONS AND INTERPRETATION

1.1. Definitions

In this Agreement, unless the subject or context otherwise requires, the following words and expressions shall have the following meanings respectively ascribed to them:


"Account" means Partner's registered account which Partner signed up for to access the Pangle Platform.

 

"Advertisements" means the advertising material which will be served by Pangle on the Properties and may be in the form of (i) images, text, videos; and/or (ii) links which will re-direct end users to visit advertisers' websites and/or mobile applications. 

 

"Affiliate" means, in relation to a Party, any entity which controls, is controlled by, or is under common control with such Party (where “control”, including its correlative meanings such as “controlled by”, “controls” and “under common control with”, means, the direct or indirect power to direct or cause the direction of the management and policies of a corporation, whether through the ownership of voting securities, by contract, or otherwise).

 

"Anti-Corruption Laws" means all anti-bribery or anti-corruption related laws or regulations that are applicable to the businesses and transactions of the Parties.

 

"Applicable Data Protection Law" means all data protection and privacy laws and regulations anywhere in the world applicable to the processing of Personal Data, including, where applicable, GDPR, national laws implementing European Directive 2002/58/EC, the Swiss DPA, the California Consumer Privacy Act Of 2018, the United States’ Children’s Online Privacy Protection Act and the Singapore Personal Data Protection Act 2012, the Brazilian Data Protection Law (LGPD) and any laws succeeding the same.


"Applicable Law" means all applicable laws, by-laws, enactments, regulations, regulatory policies, ordinances, protocols, industry codes, self-regulatory principles, regulatory permits, regulatory licences or requirements of any court, tribunal or governmental, statutory, regulatory, judicial, administrative or supervisory authority or body.

 

"Applicable Threshold" means USD 100.

 

“Business Day” means any day other than Saturday, Sunday or other day on which banking institutions in Singapore are authorised or obliged by law or executive order to close.

 

"Buyer" means a buyer that purchases Inventory utilising Pangle’s and/or its Affiliates’ products, technologies and/or services.

 

"Child" (or "Children" as applicable) means a Data Subject either (i) below the age of 13; or (ii) who is under the age of majority in the territory in which they reside who is not permitted under applicable local laws to consent on their own behalf to processing of their Personal Data (where consent is required for such processing under applicable local laws).


Confidential Information” means:

(a) all information, whether commercial, financial, technical or otherwise, in any medium or format, which a Party receives from the other Party, either directly or from any other person, or otherwise accesses in connection with this Agreement, whether before or after the date of this Agreement, which (i) is by its nature confidential; (ii) is marked as confidential or otherwise identified in advance of disclosure by the disclosing Party as being confidential; or (iii) ought reasonably to be understood by the receiving Party to be confidential; and

(b) all notes and other records prepared by the receiving Party based on or incorporating information referred to in paragraph (a); and

(c) all copies of the information, notes and other records referred to in paragraphs (a) and (b).

For the avoidance of doubt, Confidential Information includes any trade secrets, know-how, technical, scientific, commercial, financial, product, market or pricing or other information of or about a disclosing Party to which the receiving Party gains access under this Agreement.


"Data Subject" means an identified or identifiable natural person whose Personal Data is processed pursuant to this Agreement.

 

"EEA" means the European Economic Area.

 

"Effective Date" means the date on which Partner accepted this Agreement via the Pangle Platform user interface, or, the date on which Partner created an Account, or, the date on which Partner started using the Pangle Platform, Technology and/or Services, whichever is the earliest. 

 

"Fees" means the amount payable by Pangle to Partner for a given month calculated by reference to the Performance Results, as determined by Pangle in its sole discretion.

 

"Force Majeure Event" means causes beyond the affected party’s reasonable control, including but not limited to acts of God, fire, explosion, adverse weather conditions, flood, earthquake, pandemic, terrorism, riot, civil commotion, war, hostilities, strikes, work stoppages, slow-downs, or other industrial disputes, accidents, riots or civil disturbance, acts of government, lack of power and delays by suppliers or materials shortages of transportation, facilities, fuel, energy, labour, or materials, energy supply interruption, IT viruses and cyber-attacks, dysfunction of networks.


"GDPR" means (i) the General Data Protection Regulation of the European Union (Regulation 2016/679 of 27 April 2016) ("EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law pursuant to s.3 of the United Kingdom’s European Union (Withdrawal) Act 2018 ("UK GDPR"); (iii) any national legislation made under or pursuant to paragraph (i) or (ii); and (iv) any amendments or successor legislation to any of paragraphs (i), (ii) or (iii).


"Government Entities" means (i) any national, provincial, municipal, local government or any entity exercising executive, legislative, judicial, regulatory or administrative functions of or pertaining to government; (ii) any subordinate unit of any entity listed in paragraph (i) above; or (iii) any state-owned or state-controlled enterprise or other entity owned or controlled by any entity described in paragraphs (i) or (ii) of this definition.

"Government Officials" means (i) any personnel engaged in official duties on behalf of Government Entities; (ii) any political party officials and candidates for political office; (iii) any officers, employees and other persons working in an official capacity on behalf of any public international organisation (e.g., the United Nations, the World Bank); and (iv) any member of a royal family.


"Intellectual Property" means all copyright, patents, trademarks, service marks, layout design rights, registered designs, design rights, database rights, trade or business names, rights protecting trade secrets and confidential information, rights protecting goodwill and reputation, and all other similar or corresponding proprietary rights and all applications for the same, whether presently existing or created in the future, anywhere in the world, whether registered or capable of being registered or not, and all rights to sue, recover damages and obtain relief or other remedies for any past, current or future infringement, misappropriation or violation of any of the foregoing rights.


"Inventory" means the advertising space on the Properties, which Partner makes available for purchase through the Pangle Platform.


"Losses" means all claims, settlement sums, costs (including legal costs on a solicitor-client basis), losses, expenses or other liabilities, whether foreseeable or not.


"Pangle Supply Policy" means the Pangle Supply Policy as updated from time to time.


"Pangle Indemnitees" mean Pangle, its licensors and each such party’s Affiliates and their respective employees, members, officers, directors and agents.


"Pangle Platform" means the website operated by Pangle at https://www.pangleglobal.com/ and any related apps, websites, platforms and other support systems and services operated by Pangle.


"Pangle Privacy Policy" means the Pangle End User Data Privacy Policy as updated from time to time.


"Pangle Technology" means any SDK, code or other technology which is provided by Pangle for implementation by Partner, which enables Pangle’s access to or storage of information on an end user's device.


"Party" means Pangle or Partner and "the Parties" means both of them.


"Performance Data" means data relating to the performance of the Advertisements on the Properties, including the Performance Results.


"Performance Results" means, in relation to Inventory on any Property, the number of valid impressions, clicks, installs, purchases or any other relevant metrics that a Buyer remunerates Pangle for.


"Personal Data" means data that falls within the scope of "personal data" or "personal information" (or any analogous term) that is protected by Applicable Data Protection Law.


"Policies" means any policies, guidelines or directions (including but not limited to the Pangle Supply Policy), as notified to Partner or otherwise made available by Pangle from time to time, and as may be updated from time to time.


"Properties" means the websites and/or apps owned, operated or represented by Partner, on which Inventory is made available by Partner.


"Publisher" means the owner or operator of a Property or Properties.


"Sensitive Data" has the meaning given under Applicable Data Protection Law (or any analogous term, such as "special categories of personal data").


"Services" has the meaning given in Clause 4.1.


"Swiss DPA" means Switzerland’s Federal Data Protection Act of 1992 (as amended or superseded).


"Term" has the meaning given in Clause 2.1.


1.2. Interpretation: In this Agreement, (i) the Schedule to this Agreement shall be incorporated into and deemed part of this Agreement and all references to this Agreement shall include the Schedule to this Agreement unless the context otherwise requires; (ii) whenever the words “include”, “includes” or “including” are used in this Agreement, they will be deemed to be followed by the words “without limitation”; (iii) words importing the singular only shall also include the plural and vice versa where the context requires; (iv) references to a statute or statutory provision in this Agreement are to Singapore statutes or statutory provision unless otherwise stated, and shall include that statute or provision as from time to time modified; (v) references to a month in this Agreement are to a specific calendar month; and (vi) clause headings are inserted for convenience only and shall not affect the interpretation of this Agreement.


1.3. Except as otherwise set forth in this Agreement, in the event of a conflict or inconsistency between these Terms and Conditions and the Schedule, the provisions will be applied in the following order of precedence with the provisions higher in the order of precedence prevailing over the provisions in the lower order of precedence: (i) the provisions in the Schedule; (ii) the provisions in these Terms and Conditions.


2. TERM AND TERMINATION

2.1. Term: This Agreement shall take effect on the Effective Date and remain effective unless and until terminated by either Party providing the other Party not less than thirty (30) days' notice in writing (“Term”).


2.2. Other termination right: Either Party may terminate this Agreement immediately upon notice in writing to the other Party in the event that the other Party becomes bankrupted or makes an arrangement with or assignment in favour of a creditor, goes into liquidation or administration or a receiver or manager is appointed to manage its business or any analogous event.


2.3. Effect of termination

(i) Any termination of this Agreement (howsoever occasioned) shall not affect any accrued rights or liabilities of either Party nor shall it affect the coming into force or the continuance in force of any provision hereof which is expressly or by implication intended to come into or continue in force on or after such termination.

(ii) The Parties agree that the exercise by either Party of its right to terminate this Agreement as provided under the terms and conditions of this Agreement shall not entitle the other Party to any damages, claims for expenses or lost profits, or any other recourse in law or in equity in respect of such termination.


3. AUTHORISATION AND LICENCE

3.1. Partner hereby authorises Pangle to resell Inventory and serve Advertisements onto the relevant Inventory. Partner acknowledges and accepts that Pangle shall have the sole and absolute discretion to decide on the winning bid.


3.2. Pangle hereby grants to Partner, a limited, revocable, non-exclusive, non-transferable and non-sublicensable licence during the Term, to access and use the Pangle Platform and Pangle Technology, solely for the purpose of using the Services, subject at all times to such terms and restrictions of use as may be prescribed by Pangle.


3.3. Partner hereby grants Pangle a limited, non-exclusive, worldwide right and licence for the duration of the Term, to use, reproduce, display and distribute Partner and the Properties’ names, trademarks, logos and images of the Properties in connection with the sale of the Inventory, including (i) listing the Properties and Inventory in pitch materials to prospective Buyers; (ii) reporting the inclusion of the Properties and Inventory as part of the Pangle advertising network; and (iii) identifying Partner as a publishing partner on Pangle’s website and other marketing materials.


3.4. Partner agrees that it will not (i) copy, sell, resell, assign, license, distribute, publish or otherwise reproduce the Pangle Platform, Pangle Technology and Services; (ii) adapt, modify, decompile, disassemble or reverse engineer the Pangle Platform or Pangle Technology; or (iii) use the Pangle Platform, Pangle Technology or Services for any other purposes not expressly permitted under this Agreement.


3.5. Unless expressly provided for in this Agreement, neither Party shall acquire any right, title or interest in any Intellectual Property of the other Party or the other Party’s licensors. For the avoidance of doubt, all Intellectual Property in and to the Pangle Platform and Pangle Technology, including any feedback offered by Partner, vests and shall remain vested in Pangle and nothing in this Agreement shall be construed as transferring any ownership in or to the Pangle Platform or Pangle Technology to Partner.


4. RIGHTS AND OBLIGATIONS

4.1. Where a Buyer successfully bids on Inventory, Pangle shall (i) serve Advertisements onto such Inventory; and (ii) make available to Partner Performance Data reporting on Advertisements served and viewed by human users via the Pangle Platform user interface (“Services”).


4.2. Partner shall implement the Pangle Technology and comply with any technical requirements and specifications (including in relation to display time and pixel dimensions) provided by Pangle from time to time, to enable the proper display of the Advertisements. In particular, Partner must transmit the required data parameters outlined in the Pangle SDK integration document and or the API documentation, as applicable.


4.3. Partner shall be responsible for improving, upgrading and for the technical maintenance of the Properties to guarantee the reliability and availability of the Properties for receipt of the Services.


4.4. Partner shall not make any amendments to the content of the Advertisements without Pangle’s prior written approval.


5. BRAND SAFETY COMMITMENTS

5.1. Partner shall comply with the Pangle Supply Policy. For the avoidance of doubt, the Pangle Supply Policy is hereby incorporated and shall form part of this Agreement. In the event that there is any inconsistency between the provisions in this Agreement and the provisions in the Pangle Supply Policy, the provisions in this Agreement shall prevail to the extent of such inconsistency.


5.2. If Pangle reasonably suspects that Partner may be in breach of the Pangle Supply Policy then Pangle may, upon notice (where practicable), (i) suspend Partner’s access to its Account and/or suspend the Services to the extent that it relates to the Properties in question whilst Pangle investigates the suspected breach; and (ii) withhold payment of the Fees for any Inventory which Pangle suspects may be affected by the breach. Pangle will only restore Partner’s access to its Accounts and resume suspended payments once Partner has cured to Pangle’s reasonable satisfaction the matter that caused the suspension.


5.3. If in Pangle’s reasonable opinion, Partner has breached the Pangle Supply Policy then Pangle shall be entitled to (i) terminate this Agreement immediately on written notice to Partner; (ii) be released of its obligation to pay for any Inventory affected by the breach (the "Affected Portion”); (iii) reduce the Fees otherwise payable to Partner by an amount equal to the Affected Portion; and (iv) receive a refund from Partner of any Affected Portion already paid to Partner, in each case promptly on Pangle’s written demand.


5.4. Without limiting the generality of the Pangle Supply Policy, Partner shall not in its use of the Pangle Platform, Pangle Technology or Services store, distribute or transmit any software viruses, worms, Trojan horses, or other harmful or malicious computer code in any form and shall use best endeavours to manage Properties so as to minimise fraudulent traffic, installs and attribution.


6. REPRESENTATIONS AND WARRANTIES

6.1. Each Party represents and warrants to the other Party on a continuing basis throughout the Term that:

(i) it is duly organised, validly existing and in good standing as a corporation or other entity as represented herein under the laws and regulations of its jurisdiction of , organisation or chartering;

(ii) it has full power and authority to enter into this Agreement and perform its obligations under this Agreement; and

(iii) its entry into and performance of this Agreement will not constitute a breach of any agreement to which it is a party or violate any rights of a third party.


6.2. Partner represents and warrants to Pangle on a continuing basis throughout the Term that:

(i) it owns, or has the legal right and authority to operate the Properties and make available to Pangle the Inventory;

(ii) any information provided by it to Pangle is at all times accurate, authentic, current, complete and not misleading;

(iii) it will at all times comply with, and ensure the Properties comply with, all Applicable Law, this Agreement and the Policies, and will promptly notify Pangle if Partner is in breach of or the Properties do not comply with any Applicable Law, this Agreement or the Policies;

(iv) it will only use the Pangle Platform, the Pangle Technology and the Services for the purposes and in the manner set out in this Agreement; and

(v) it will at all times disclose accurately its status as direct seller or reseller (as those terms are defined in the IAB Tech Lab app-ads.txt initiative).


7. REPORTING AND PAYMENT

7.1. Reporting: Before the eighth (8th) Business Day of each month, Pangle shall provide Partner with a written report setting out the Performance Data for the immediately preceding month.


7.2. Performance Data: As between Pangle and Partner, Pangle shall be deemed the exclusive owner of any and all Performance Data. Performance Data shall be deemed "Confidential Information" of Pangle and shall be subject to confidentiality provisions set out in this Agreement. Partner agrees that it shall only use the Performance Data for the purpose of fulfilling its obligations under this Agreement and shall not disclose any Performance Data to any third party except with the prior written approval of Pangle. Without limiting other possible use cases, Pangle shall be entitled to share Performance Data with Buyers and use Performance Data (both on a user-level and on an aggregated level) in case studies and white papers for its marketing and promotional purposes.


7.3. Discrepancy: If there is any discrepancy between the Performance Data measured by Pangle and any data recorded by Partner for a given month, the following shall apply:

(a) where the discrepancy in the data recorded by Partner for (i) the number of impressions is no greater than ten percent (10%) of the number of impressions recorded as part of Pangle's Performance Data, and (ii) the number of clicks is no greater than thirty (30%) of the number of clicks recorded as part of Pangle's Performance Data, Pangle's Performance Data shall prevail and form the basis for which the Fees are calculated; and

(b) where the discrepancy exceeds the agreed ranges set out in Clause 7.3(a) above, the Parties shall enter into good faith discussion and use reasonable endeavours to agree on the controlling performance data for such month.


7.4. Partner must notify Pangle in writing of any discrepancy within seven (7) days following receipt of the relevant report referred to in Clause 7.1. Such notice shall be accompanied by all relevant information reasonably required by Pangle (including the number of requests, impressions, clicks, CPM and total income) to assist investigation into the discrepancy. Partner’s failure to notify Pangle on a timely basis in accordance with this Clause 7.4 will constitute Partner’s waiver of the discrepancy.


7.5. In the event that the Parties are unable to reach agreement on the performance data within sixty (60) days after the date on which Pangle received the notice referred to in Clause 7.4 despite the good faith discussion, the matter shall be deemed a dispute and shall be resolved in accordance with Clause 16.2 of this Agreement.


7.6. Payment Request: Pangle shall issue a payment request on behalf of Partner on a monthly basis for the Fees incurred during the immediately preceding month based on the Performance Data. Partner agrees to accept payment requests raised by Pangle on its behalf and agrees not to issue separate sales invoices for the Fees payable. Partner shall promptly confirm each payment request via the Pangle Platform user interface.


7.7. Payment: Upon Partner’s confirmation of the relevant payment request, Pangle shall, subject to any good faith dispute, pay the applicable within thirty (30) Business Days. Partner shall be solely responsible for ensuring the accuracy of the bank account details and Pangle shall not be in any way liable for any errors so long as Pangle pays the applicable Fees to the bank account nominated by Partner.


7.8. Applicable Threshold: Where the Fees payable to Partner for a given month is less than the Applicable Threshold, the Parties agree that Pangle shall be entitled to withhold payment of such Fees and postpone the issuance of the corresponding payment request, until such time that the Fees payable to Partner reach the Applicable Threshold. In the event that the Fees payable to Partner at the end of a calendar year is still less than the Applicable Threshold, Pangle shall issue a payment request for such Fees and pay the Fees for the said calendar year within thirty (30) Business Days upon receiving Partner’s confirmation of the said payment request.


7.9. Final Payment: In the event that this Agreement or Partner’s Account is terminated (other than for Partner’s breach), Pangle shall, subject to any good faith dispute, issue a payment request for and pay to Partner the applicable Fees within thirty (30) days following the end of the calendar month in which this Agreement or Partner’s Account was terminated.


7.10. Tax: Each Party shall be responsible for paying all applicable taxes and duties imposed by any government entity in connection with this Agreement including any such taxes or duties that may be imposed in connection with that Party’s performance of or entry into this Agreement. For the avoidance of doubt, Pangle will not be responsible for any indirect taxes levied on Partner by a tax authority with jurisdiction over Partner. Pangle reserves the right to set off any liability of Partner to Pangle against any liability of Pangle to Partner under this Agreement and/or make deductions or withholdings from the Fees where required by law.


7.11. Currency: All payments to be made under this Agreement shall be in United States Dollars (USD) or any other currency as agreed by the Parties from time to time.


8. DISCLAIMER

8.1. Unless expressly provided for in this Agreement or required under Applicable Law, the Pangle Platform, Pangle Technology, Services and Advertisements are provided on an "as is" and "as available" basis with no warranties whatsoever, and Pangle expressly excludes and disclaims all representations and warranties, whether express, implied or statutory. Without limiting the generality of the foregoing and to the maximum extent permitted under Applicable Law, Pangle makes no representation, warranty nor does it provide any other assurance, express or implied, regarding the reliability, suitability, quality, availability, non-infringement or fitness for any purpose whatsoever of the Pangle Platform, Pangle Technology or Services, or that the Pangle Platform, Pangle Technology or the Services will be uninterrupted or error free, or will operate in combination with any other hardware, software, system or data.


8.2. Partner acknowledges and agrees that Pangle cannot guarantee any specific quantity, results, income, profit or effectiveness in relation to the Inventory sold and Advertisements served and that Pangle shall in no event be liable to Partner for any Inventory being unsold in the bidding process.


8.3. Without limiting the generality of Clause 11, Pangle shall not be held liable for any failures of the Pangle Platform and/or Pangle Technology that may arise from circumstances beyond the control of Pangle, including internet failures, power outages and hardware failures of the Partner, as well as downtime scheduled maintenance, updating and configuration adjustments. Partner acknowledges and agrees that some features of the Pangle Platform and/or Pangle Technology may rely on the correct functioning of a third-party application, and Pangle shall not be liable for, nor offer any guarantee in relation to these third-party applications.


9. CONFIDENTIALITY

9.1. Each Party shall treat as confidential, the other Party’s Confidential Information, and the Parties agree that such Confidential Information shall be used for the sole purpose of discussions concerning, and undertaking of, the obligation and the exercise of the rights herein. The Parties shall:

(i) not disclose such Confidential Information, whether directly or indirectly, to any third party without prior written approval of the disclosing Party; and

(ii) only disclose a disclosing Party’s Confidential Information to those of its personnel and professional advisors on a ‘need to know’ and confidential basis.


9.2. Clause 9.1 does not apply to any information that a receiving Party can reasonably demonstrate:

(i) is required to be disclosed by law or a court of competent jurisdiction or pursuant to a binding order or direction of a fiscal authority or regulatory body (provided that the Party making such disclosure gives the disclosing Party prompt written notice of the required disclosure and reasonable assistance in seeking a protective order or other appropriate relief);

(ii) was lawfully in the receiving Party’s possession without an obligation restricting disclosure before disclosure by the disclosing Party or is already in the public domain other than through a breach of this Agreement; or

(iii) was independently developed by the receiving Party without use of or reference to the disclosing Party’s Confidential Information.


9.3. For the avoidance of doubt, nothing in this Clause 9 is intended to prevent or limit Pangle’s right to disclose information to Buyers which is relevant to Buyer’s purchase of the Inventory and reporting and analysis on the performance of the Advertisements on such Inventory.


9.4. The obligations of each Party under this Clause 9 shall survive termination or expiry of this Agreement.


10. PERSONAL DATA PROTECTION

10.1. In the course of receiving the Services, Partner will make available to Pangle (or enable Pangle to collect) Personal Data through the Pangle Technology or via its measurement partners or other service providers for Pangle to process for the purposes described in the Pangle Privacy Policy (or as otherwise agreed in writing by the parties) (the "Permitted Purpose").


10.2. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law in respect of its processing of Personal Data. In particular:

(a) Partner shall maintain a publicly accessible privacy notice on each Property, which shall be available to Data Subjects prior to processing of their Personal Data. Such notice shall (i) provide a clear and comprehensive description of the collection, use and disclosure of Personal Data, including Pangle's access to or storage of information on the Data Subject's device for the Permitted Purpose; (ii) make available the Pangle Privacy Policy; and (iii) comply with any other necessary transparency requirements that apply under Applicable Data Protection Law in order for it to make available Personal Data to Pangle to process for the Permitted Purpose.

(b) In addition Partner must provide clear and comprehensive information to end users in a sufficiently prominent notice regarding Pangle’s access to, collection, and sharing of information via Pangle Technology, including (i) that the Property uses Pangle Technology to collect information about users’ use of the Property; (ii) that such information is used to provide measurement services and/or targeted ads; and (iii) how and where users can opt out of the collection and use of such information for ad targeting. Partner shall ensure that such notice is made available, at a minimum, via an easily accessible link within the Property’s settings and/or privacy policy and within any store or website where the Property is distributed (e.g. Google Play or The App Store).

(c) Where necessary under Applicable Data Protection Law, Partner shall ensure that it has a legal basis to share Personal Data with Pangle and for Pangle's processing for the Permitted Purpose.

(d) Where necessary under Applicable Data Protection Law and/or platform standards (such as Apple or Google platform terms), Partner shall obtain each Data Subject's prior consent to (i) processing for the Permitted Purpose; (ii) the overseas transfer of Personal Data described in the Pangle Privacy Policy; and (iii) the access to or storage of information on that Data Subject’s device via the Pangle Technology.

(e) When seeking consent that is required by Applicable Data Protection Law, Partner shall (i) ensure that the nature of such consent complies with the requirements under the Applicable Data Protection Law; (ii) retain records of consent given by end users; (iii) provide end-users with clear instructions for revocation of consent; and (iv) provide records of consent to the satisfaction of Pangle upon request.

(f) Each party shall implement appropriate technical and organizational measures to protect against the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data and such measures will take into account the nature, scope, context, and purposes of the processing as well as the risks.


10.3. Partner shall not make available to Pangle, nor enable Pangle to collect, Sensitive Data or Personal Data relating to Children, or Personal Data from Properties directed to or marketed at Children (“Child-Directed Properties”). Partner represents and warrants that none of its Properties for which it is using the Pangle Platform or Pangle Technology are Child-Directed Properties. Partner shall not use the Pangle Platform or Pangle Technology to (i) collect Personal Data about Children or visitors to Child-Directed Properties, or (ii) purchase, sell place or facilitate the placement of behaviourally targeted Advertisements on Child-Directed Properties. Pangle undertakes no obligation to identify Child-Directed Properties or to monitor the compliance of Partners with respect to identifying Child-Directed Properties.


10.4. Pangle reserves the right to monitor Partner's compliance with this Clause 10 and Partner agrees promptly upon request to provide to Pangle reasonable documentary evidence of such compliance. Pangle reserves the right to immediately suspend the Services and/or Partner’s access to the Pangle Platform and Technology in the event that Pangle reasonably suspects that Partner may be in breach of this Clause 10.


10.5. If Partner receives any correspondence, request or complaint ("Correspondence") in relation to any processing undertaken in connection with this Agreement (from a Data Subject or otherwise), Partner will promptly notify Pangle and provide all information, cooperation and assistance as Pangle reasonably requires in relation to any such Correspondence (including, without limitation, providing a point of contact and relevant contact details which Pangle may pass to the third party correspondent) in accordance with any timescales that may apply under Applicable Data Protection Law.


10.6. Where Partner is not a Publisher it shall procure that the Publishers it represents comply with the obligations of this Clause 10.


10.7. The Parties acknowledge and agree that where Partner is established in the EEA, Switzerland or the United Kingdom, or otherwise subject to GDPR (under Article 3.2 of GDPR), or the Personal Data that will be processed relates to Data Subjects in the EEA, Switzerland or the United Kingdom, the additional EEA/Swiss/UK Specific Terms set out in Schedule 1 shall apply.


10.8. Without prejudice to the generality of Clause 11.2, Partner will indemnify and hold harmless the Pangle Indemnitees from and against Losses arising from any failure by Partner to comply with its obligations under this Clause 10.


11. LIABILITY AND INDEMNITY

11.1. Unless expressly set forth in this Agreement, neither Party shall be liable for any lost profits, lost savings, lost value, loss of data, or lost sales (whether such profits, savings, value, or sales are direct, indirect, consequential, or of other nature), incidental, indirect, punitive, special, or consequential damages under any part of this Agreement, even if the Party has been advised or was aware of the possibility of such losses or damages.


11.2. Partner shall indemnify, defend and hold harmless the Pangle Indemnitees, from and against Losses which may be sustained, instituted, made or alleged against, or suffered or incurred by the Pangle Indemnitees, and which arise (whether directly or indirectly) out of, in the course of or in connection with Partner's use of the Pangle Platform, Pangle Technology and/or Services and/or Partner’s breach of any term of this Agreement.


11.3. Without prejudice to the generality of the rest of this Clause 11, the maximum aggregate liability of Pangle arising under or in connection with this Agreement, whether in contract, tort (including negligence), breach of statutory duty or otherwise, shall not exceed the lesser of (i) the Fees paid by Pangle to Partner in the six (6) month period preceding the date of the event giving rise to the liability; and (ii) USD 100,000.


12. FORCE MAJEURE

Where Pangle or Partner, in part or in whole, delays in fulfilling the obligations or cannot fulfil the obligations because of any Force Majeure Event (the "Affected Party"), the Affected Party shall not be liable for such default or delay in performance of its obligations under this Agreement. The Affected Party shall use its best efforts including promptly take measures to mitigate the impact of its non-performance notwithstanding the Force Majeure Event. Notwithstanding the foregoing, if the Affected Party is unable to perform its obligations for more than thirty (30) consecutive days due to the Force Majeure Event, the other Party may terminate this Agreement immediately by notice in writing to the Affected Party.


13. LEGAL COMPLIANCE

13.1. Compliance with Anti-Corruption Laws: Partner understands and agrees that it has complied and will continue to comply with Anti-Corruption Laws and the Bytedance Business Partner Code of Conduct as updated from time to time. Partner represents and warrants that:

(a) it did not and will not engage in any conduct in violation of the Anti-Corruption Laws; and

(b) it did not and will not, directly or indirectly offer, promise, approve or authorise the payment of money or anything of value to any entities or individuals to (i) influence any official act or decision of that entity or individual; (ii) improperly obtain or retain any business opportunities; (iii) improperly obtain any business advantage; or (iv) obtain any other improper benefits.

For the avoidance of doubt –

A. the aforementioned "entities" include, Government Entities, collectively owned enterprises and private enterprises; and

B. the aforementioned "individuals" include, Government Officials, staff members of collectively owned enterprises or private enterprises, and any individual who has influence over the aforementioned individuals.


13.2. Books and Records: Partner represents and warrants that it has maintained and will continue to maintain accurate and complete accounting books and financial records in connection with this Agreement in accordance with generally accepted accounting principles and will retain all records related to this Agreement for five (5) years upon expiration or termination of this Agreement and agrees to make such records available upon the request of Pangle.


13.3. Government Ownership: Partner represents and warrants that during the Term of this Agreement, no Government Official is or will be a direct or indirect owner or investor of Partner, holds or will hold any financial or personal interest in Partner.


13.4. Breach and Termination: If Partner breaches any representation or warranty of this Clause 13 or any Anti-Corruption Laws, Pangle shall be entitled to unilaterally and immediately terminate this Agreement without any liability to Partner.


13.5. The Parties agree to comply with all economic sanctions and export control laws and regulations ("International Trade Compliance") applicable to this Agreement, including the laws and regulations where products/services relating to this Agreement are offered or available. Each Party represents and warrants that, at the time of signing this Agreement, it is not subject to any sanctions or relevant program maintained by applicable government authorities, not a military related agency, and is not owned, controlled by, or acting for or on behalf of, one or more of such persons/entities.


13.6. The Parties agree that, should either Party be unable to continue to perform its obligations under this Agreement in compliance with applicable International Trade Compliance due to International Trade Compliance restrictions, both Parties shall review the impact of such restrictions together in good faith to seek a solution to continue to perform this Agreement in compliance with applicable International Trade Compliance, or terminate this Agreement upon mutual consent.


13.7. Without limiting the foregoing, in the event that a Party breaches any applicable International Trade Compliance or otherwise renders any continued performance of this Agreement a breach of the applicable International Trade Compliance, the non-breaching Party shall be entitled to terminate this Agreement immediately and without liability to the breaching Party. The breaching Party agrees to indemnify the non-breaching Party for any Losses incurred as a result of or in connection with such violation.


14. UPDATES TO THIS AGREEMENT

14.1. Pangle may at any time in its sole discretion, propose changes to the terms of this Agreement. Pangle shall endeavour to provide Partner at least seven (7) days prior notice by way of email and/or notice via the Pangle Platform. Partner hereby expressly waives the right to receive alternative notice of such changes.


14.2. If Pangle propose any changes to the terms of this Agreement, such changes will take effect on the date specified in the notice or at the end of the required notice period set out above, whichever is earlier ("Change Date”). If Partner continues to use the Pangle Platform, Technology and/or Services following the Change Date or otherwise indicates its acceptance of such changes (for example, by selecting a click and agree mechanism provided in the notice), Partner shall be taken to have accepted the changes from the Change Date.


14.3. If Partner does not agree to any proposed changes, Partner shall be entitled to terminate this Agreement immediately without penalty and must cease using the Pangle Platform, Technology and Services. Partner acknowledges and accepts that the remedy provided in this Clause 14.3 shall be the sole and exclusive remedy with respect to any changes Pangle proposed to the terms of this Agreement.


15. MISCELLANEOUS

15.1. Assignment: Partner shall not assign, novate, sub-license, mortgage or charge any of its rights and obligations under this Agreement to any third party without the prior written consent of Pangle. This Agreement and all the rights and obligations of Pangle under it may be assigned, transferred, novated or otherwise dealt with by Pangle to its Affiliates without the consent or approval of Partner and will inure to the benefit of such successors and assigns of Pangle. Partner undertakes to do all things and execute all documents necessary to facilitate such assignment, transfer, novation or dealing.


15.2. Independent Contractors: Nothing herein shall be deemed to constitute either Party as the partner of the other nor to constitute either Party the agent or legal representative of the other, nor to create any fiduciary relationship between the Parties.


15.3. Rights of Third Parties: Save for Pangle’s Affiliates, a person or entity who is not a Party to this Agreement shall have no right under the Singapore Contracts (Rights of Third Parties) Act (Chapter 53B) to enforce any term of this Agreement, regardless of whether such person or entity has been identified by name, as a member of a class or as answering a particular description. For the avoidance of doubt, nothing in this Clause 15.3 shall affect the rights of any permitted assignee or transferee of this Agreement.


15.4. Notices: Notices under this Agreement may be delivered by hand, by registered mail or email to the addresses and numbers specified in the Account. Notice will be deemed effectively given:

(i) when received, if delivered by hand, with signed confirmation of receipt;

(ii) when received, if sent by a nationally recognised overnight courier, signature required;

(iii) when sent, if by e-mail, (in each case, with confirmation of transmission), if sent during the addressee's normal business hours, and on the next business day, if sent after the addressee's normal business hours; and

(iv) on the fifth (5th) day after the date mailed by certified or registered mail, return receipt requested, postage prepaid.

The addresses and numbers for notice may be changed by either Party by giving notice to the other Party as provided herein.


15.5. Cumulative Rights and Remedies: Unless otherwise expressly agreed by the Parties or provided under this Agreement, the provisions of this Agreement, and the rights and remedies of Pangle under this Agreement are cumulative and are without prejudice and in addition to any rights or remedies Pangle may have in law or in equity.


15.6. Waiver: A failure by Pangle to exercise or enforce any rights conferred upon it by this Agreement shall not be deemed to be a waiver of any such rights or operate so as to bar the exercise or enforcement thereof at any subsequent time or times. Waiver of any right arising from a breach or non-performance of this Agreement or arising upon default under this Agreement shall be in writing and signed by the Party granting the waiver. A Party is not entitled to rely on a delay in the exercise or non-exercise of a right arising from a breach or non-performance of this Agreement or on a default under this Agreement as constituting a waiver of that right.


15.7. Entire Agreement: This Agreement constitutes the entire agreement between the Parties regarding its subject matter and supersedes all prior agreements between the Parties, whether written or oral, with respect to such subject matter.


15.8. Severability: If any provision of this Agreement is agreed by the Parties to be illegal, void or unenforceable under any law that is applicable hereto or if any court of competent jurisdiction in a final decision so determines, this Agreement shall continue in force save that such provision shall be deemed to be excised herefrom with effect from the date of such agreement or decision or such earlier date as the Parties may agree.


15.9. Counterparts: This Agreement may be executed simultaneously in two or more counterparts, each of which shall be deemed to be an original and all of which together shall constitute the same agreement.


15.10. Prevailing Language: The English language version of this Agreement, regardless of whether a translation in any other language is or will be made, shall be the only authentic one. In the event of any inconsistency or difference in interpretation between the English version and the version in the other language, the English version shall prevail.


16. GOVERNING LAW AND JURISDICTION

16.1. This Agreement, and any and all disputes arising out of or in connection with this Agreement (including any alleged breach of, or challenge to the validity of enforceability, of this Agreement shall be governed by, and construed in accordance with, the laws of the Republic of Singapore.


16.2. Any dispute arising out of or in connection with this Agreement, including any question regarding its existence, validity or termination, shall be referred to and finally resolved by arbitration administered by the Singapore International Arbitration Centre in accordance with the Arbitration Rules of the Singapore International Arbitration Centre for the time being in force, which rules are deemed to be incorporated by reference in this Agreement. The seat of arbitration shall be Singapore. The arbitral tribunal shall consist of three (3) arbitrators and the language of the arbitration shall be English.


SCHEDULE 1: EEA/SWISS/UK SPECIFIC TERMS

1. In this Schedule 1, the following additional definitions shall apply:


"Controller" means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.


"Joint Controllers" means two or more Controllers that jointly determine the purposes and means of processing. "Joint Controller" shall be construed accordingly.


"Joint Processing" means the collection of Personal Data via the Pangle Technology on the Property and its subsequent transmission to Pangle to be used for the Permitted Purpose, but does not include any processing of the Personal Data that takes place after it has been transmitted to Pangle.


"Joint Controller Terms" means the terms set out in this Schedule 1.


"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed under this Schedule 1.


“Restricted Transfer” means (i) where the EU GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not subject to an adequacy determination by the competent Swiss authority in accordance with the Swiss DPA.


"Standard Contractual Clauses" means (i) where the EU GDPR applies or the Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”).


“UK Addendum” means the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the UK Information Commissioner under s.119A(1) of the UK Data Protection Act 2018.


2. The Parties each acknowledge and agree that they are Joint Controllers in accordance with Article 26 GDPR for any Joint Processing and these Joint Controller Terms determine the parties' responsibilities for compliance with GDPR with respect to the Joint Processing. All other responsibilities for compliance with obligations under GDPR regarding the Joint Processing not referred to in this Schedule remain with each of Pangle and Partner individually. If Partner is contacted by a supervisory authority or Data Subject with regard to the Joint Processing (each a "Request"), Partner will promptly notify Pangle at europe_privacy@pangleglobal.com and provide all timely information, cooperation and assistance as Pangle reasonably requires in relation to such Request. Partner is not authorized to act or answer such Request on Pangle's behalf.


3. Pangle and Partner's GDPR compliance responsibilities with respect to the Joint Processing shall be as follows:

 

GDPR compliance responsibility

Pangle's responsibility

Partner's responsibility

A.                 

Art 6: Legal Basis

X

Pangle has the responsibility to establish a lawful basis in respect of its own processing of Personal Data.

X

Partner has responsibility to establish a lawful basis in respect of its own processing of Personal Data.

In addition, to the extent that Pangle Technology accesses or stores information (including Personal Data), Partner must obtain all necessary and verifiable consents required by virtue of Applicable Data Protection Law and the Agreement.

B.                 

Arts 13, 14: Information

X

Pangle will display (or procure the display of) a publicly-available privacy notice describing its processing activities (including the Joint Processing) that meets the requirements of Article 13 and 14 of GDPR.

X

Partner must display (or procure the display of) a privacy notice describing its processing activities (including the Joint Processing) to meet the requirements of Article 13 and 14.  This includes as a minimum the provision of the following information:

●      That Pangle is a Joint Controller of the Joint Processing.

●      That Partner uses Pangle Technology which enables the collection and transmission of Personal Data for the Permitted Purpose.

●      That further information on how Pangle processes Personal Data, including the legal basis Pangle relies on and the ways to exercise Data Subject rights against Pangle, can be found in the Pangle Privacy Policy (with a link to that policy).

In addition, to the extent that the Pangle Technology accesses or stores information (including Personal Data), Partner must also provide clear and comprehensive information about such access or storage to Data Subjects as required by Applicable Data Protection Law and the Agreement.

C.                 

Art 26(2): Making available Joint Controller Terms

 

X

This includes as a minimum the provision of the following information:

That Partner and Pangle have:

●      entered into these Joint Controller Terms to determine their respective responsibilities for compliance with the obligations under GDPR with regard to the Joint Processing;

●      agreed that Partner is responsible for providing Data Subjects as a minimum with the information listed under point B in this table above; and

●      agreed that between the parties, Pangle is responsible for enabling Data Subjects' rights under Articles 15-20 of GDPR with regard to the Personal Data stored or otherwise Processed by Pangle after the Joint Processing.

D.                 

Art 15-20: Subject Rights

X

 

Pangle shall respond to the exercise of any Data Subject rights under Articles 15-20 GDPR in respect of Personal Data processed by Pangle with regard to the Joint Processing.

 

E.                  

Art 21: Right to object

X

Pangle will enable Data Subjects to exercise their right to object in respect of its own Processing of Personal Data.

X

Partner will enable Data Subjects to exercise their right to object in respect of Partner's Processing of Personal Data.

F.                  

Art 32: Security

X

Pangle in respect of security of the Pangle Technology.

X

Partner in relation to its correct technical implementation and configuration of the Pangle Technology.

G.                 

Arts 33, 34: Personal Data Breaches

X

Pangle will comply with its obligations under GDPR in respect of Personal Data Breaches insofar as any Personal Data Breach concerns Pangle's security obligations under these Joint Controller Terms.

 

X

Partner will comply with its obligations under GDPR in respect of Personal Data Breaches insofar as any Personal Data Breach concerns its security obligations under these Joint Controller Terms.


4. Where Partner makes a Restricted Transfer of Personal Data to Pangle pursuant to this Agreement, the Standard Contractual Clauses shall apply between Partner (as data exporter) and Pangle (as data importer) as follows:

(a) Where the EU GDPR applies to the Restricted Transfer of Personal Data, the EU SCCs will apply as follows: (i) Module One will apply; (ii) in Clause 7, the optional docking clause will apply; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Schedule; and (vii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Schedule; and


(b) Where the UK GDPR applies to the Restricted Transfer of Personal Data, Partner and Pangle hereby agree that the EU SCCs, as amended by the UK Addendum, are incorporated into the Agreement and shall be deemed completed as follows: (i) the EU SCCs shall be deemed completed as set out above in sub-clause 4(a) of this Schedule; and (ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out in sub-clause 4(a) of this Schedule; (iii) the option “Importer” shall be deemed checked in Table 4; and (iv) the start date of the UK Addendum (as set out in Table 1 of the UK Addendum) shall be the date of this Agreement; and


(c) in relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply as set out in sub-clause 4(a) of this Schedule with the following amendments: (i) references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA; (ii) references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA, (iii) references to ‘EU’, ‘Union’ and ‘Member State’ will be deemed replaced with ‘Switzerland’, (iv) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’ (as applicable), (v) in Clause 17, the EU SCCs will be governed by the laws of Switzerland, and (vii) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland.


5. If the Parties' compliance with GDPR or UK GDPR or Swiss DPA requirements relating to international transfers of Personal Data is affected by circumstances outside of the Parties' control, including if the Standard Contractual Clauses or any other legal instrument for international transfers of Personal Data is invalidated, amended or replaced, then the Parties will work together in good faith to reasonably resolve such non-compliance.


6. If a Property is within the IAB Europe Transparency & Consent Framework, Partner shall (or shall procure that the relevant Publisher shall) comply fully with the policies of the IAB Europe Transparency & Consent Framework Policies currently available at: https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/.


ANNEX I RESTRICTED TRANSFERS DESCRIPTION

A. LIST OF PARTIES

Data exporter(s):

1.

Name:

 

The Partner whose details are specified in the Agreement.

 

 

Address:

 

As above.

 

Contact person’s name, position and contact details:

 

The contact details that the Partner has specified in its Account with Pangle.

 

Activities relevant to the data transferred under these Clauses:

 

The receipt of the Services specified in the Agreement in order to serve Advertisements onto Partner's Inventory.

 

 

Signature and date: 

 

This Annex I shall be deemed executed upon Partner's execution or acceptance of the Agreement.

 

 

Role (controller/processor):

 

(Joint) Controller

 Data importer(s):

 

Name:

 

The Pangle entity whose details are specified in the Agreement.

 

 

Address:

 

As above.

 

Contact person’s name, position and contact details:

 

Questions concerning Pangle's processing of Personal Data pursuant to the Standard Contractual Clauses can be submitted to: europe_privacy@pangleglobal.com  

 

 

Activities relevant to the data transferred under these Clauses:

 

The provision of the Services specified in the Agreement in order to serve Advertisements onto Partner's Inventory.

 

 

Signature and date: 

 

This Annex I shall be deemed executed upon Partner's execution or acceptance of the Agreement.

 

 

Role (controller/processor):

 

(Joint) Controller

 

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

 

Data Subjects who visit, view or interact with: (i) Partner's Property (or Properties) and/or (ii) Advertisements served onto Partner's Inventory.

 

Categories of personal data transferred

 

The categories of Personal Data transferred include:

 

   i.        Identifiers: Device-specific identifiers such as IP address, mobile advertising identifier (such as the "Google Advertising ID" on Android phones or the "ID for Advertisers" on iOS devices), or a Pangle-specific identifier which Pangle assigns to the Data Subject's device. In addition, Pangle may also receive other information about a Data Subject's device, such as the device model, operating system (e.g. iOS or Android), system language and region, time zone, network type, ROM version, screen resolution, mobile country code and mobile network code.

 

  ii.        Geolocation data: Pangle may receive the Data Subject's precise latitude and longitude using its phone's GPS data, where Pangle has the Data Subject's consent or is otherwise permitted to do so in accordance with the GDPR.

 

 iii.        Internet activity: Pangle may receive information about a Data Subject's app and website usage, including the name and version of the app or website that has integrated Pangle. Pangle may also receive information about the Data Subject's interactions with any Advertisements it delivers (e.g. information about the Advertisements served, viewed, or clicked on, such as the type of Advertisement, where and when the Advertisement was served, whether the Data Subject clicked on it, and whether the Data Subject visited the relevant advertiser's website or downloaded the advertiser's app, as well as any preferences the Data Subject may have expressed in respect of that Advertisement).

 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

 

None.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

 

Continuous for the duration of the Agreement.

Nature of the processing

 

The nature of the processing is the provision of the Services specified in the Agreement in order to serve Advertisements onto Partner's Inventory.

 

Purpose(s) of the data transfer and further processing

 

The purpose of the transfer and further processing is to serve Advertisements onto Partner's Inventory and as otherwise specified in the Agreement.

 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

 

Personal Data will be retained for as long as is necessary to provide the Services, and otherwise as permitted by the Agreement and the GDPR or Swiss DPA (as applicable).

 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

 

Not applicable.  The transfer pursuant to these Standard Contractual Clauses is made on a Controller to Controller basis.


C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

For transfers made under the EU SCCs, the competent supervisory authority will be determined in accordance with Clause 13 of the EU SCCs.

For transfers made under the UK SCCs, the competent supervisory authority will be the United Kingdom Information Commissioner's Office.


ANNEX II      TECHNICAL AND ORGANISATIONAL MEASURES

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.


I. System Entry Control

Establishing, maintaining, monitoring, and using appropriate technical, physical, administrative, and organisational safeguards consistent with the highest industry standards to secure against a security incident including, at a minimum:

(a) Secure user authentication protocols and system access control;

(b) Use of mature and appropriate physical security, current malware, antivirus, and security software that includes e-mail filtering and malware detection;

(c) Use of proper network protection measures;

(d) During idle times, company-issued equipment (e.g., company-issued laptops) are automatically locked;

(e) Encourage use of complex passwords;

(f) Concept of least privilege, allowing only the necessary access for users to accomplish their job function. Access above requires appropriate authorisation;

(g) IT access privileges are reviewed regularly by appropriate personnel;

(h) Network monitoring services in place 24 x 7 x 365 to detect unauthorised activities;

(i) Vulnerability scanning and remediation in place;

(j) Penetration testing as appropriate;

(k) Encryption protocols applied as necessary under various circumstances.


II. Physical Access Controls

Taking, among others, the appropriate security measures in order to establish the identity of the authorised persons and prevent unauthorised access to the data importer(s) premises and facilities in which the data are processed.


III. Data Access Control

Taking technical and organisational measures in order to prevent unauthorised activities in the data processing systems outside the scope of any granted authorisations including, at a minimum:

(a) User and administrator access to the network a role-based access rights model. Authorization model grants access rights to data only on a “need to know” basis;

(b) Administration of user rights through system administrators;

(c) Number of administrators is reduced to the absolute minimum;

(d) Perform internal audits as required to assess high risk processes, technologies, and people;

(e) Prohibit each employee from disclosing the Personal Data to any unauthorised third party or using the Personal Data in an unauthorised manner.

(f) Where encryption of data is used, proper key lifecycle management practices are in place.


IV. Data Transfer Control

Taking technical and organisational measures in order to ensure that Personal Data cannot be read, copied, altered, or removed by unauthorised persons under their electronic transmission or during their transport or recording on data carriers and to guarantee that it is possible to examine and establish where Personal Data are or have been transmitted by data transmission equipment including, at a minimum:

(a) Remote access (including during remote maintenance or service procedures) to the IT systems are to be via VPN tunnels, where appropriate, or other secure, encrypted connections;

(b) Encryption protocols applied as necessary under various circumstances;

(c) Data storage devices and paper documents are locked away when not in use (e.g., clean desk policy);

(d) Appropriate destruction and disposal of documents;

(e) Physical destruction processes in place to industry standards;

(f) Secure communication session established via TLS or similar protocols across core applications/services;

(g) Encrypted certificates utilised for authentication between core web client and core web server.


V. Input Control

Taking appropriate technical and organisational measures in order to ensure that it is subsequently possible to verify and establish via log files whether and by whom Personal Data have been entered into data processing systems, altered, or removed.


VI. Framework Control

Taking technical and organisational measures in order to ensure that any Personal Data transferred under this Agreement can only be processed for the purposes specified in the Agreement including, at a minimum:

(a) Clear and binding internal policies contain formalised instructions for data processing procedures;

(b) Clearly articulated contractual protections in place as appropriate in underlying contracts;

(c) Regular staff training on the proper use of the computer security system, the security backup and disaster recovery procedures, and the importance of security to ensure compliance with contractual arrangements and maintain awareness regarding data protection requirements;

(d) Secure destruction processes in place to industry standards;

(e) Periodic access reviews that monitor employee access controls;

(f) Company's corporate network is separated from its user services network by means of complex segregation devices.


VII. Availability Control

Taking technical and organisational measures in order to protect the data from accidental destruction or loss including, at a minimum:

(a) Appliances for the monitoring of temperature and humidity in data centers;

(b) Fire/smoke detectors and fire extinguishers or fire suppression system in data centers;

(c) Use of mature and appropriate anti-virus software that includes e-mail filtering and malware detection;

(d) Data recovery measures and emergency plan in place and regularly tested;

(e) Implementation of mature and appropriate backup methods including physical separation of the backup data and storage of data stored in a redundant archive;

(f) Use a combination of full, differential, and cumulative backups to ensure data integrity and timely restoration for core data, as appropriate;

(g) To ensure an uninterrupted supply of power to the system, redundant power supply units are built into the systems wherever possible;

(h) Integrity of stored data regularly verified using checksums;

(i) Processes in place to move data traffic away from affected area to uncompromised area in case of failure;

(j) Preventative maintenance is performed to ensure continued operability of equipment.

(k) Appropriate Denial of Service and Distributed Denial of Service technology in place to defend against network and systems based resource starvation attacks.