Magnite SCCs

Last Updated: July 7, 2023

“SCCs” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) https://eur-lex.europa.eu/eli/dec_impl/2021/914/; and (ii) where the UK GDPR applies, the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers adopted by the United Kingdom pursuant to the Data Protection Act of 2018 and other implementation of the GDPR, with an effective date of 21 March 2022, and issued by the UK Information Commissioner’s Office under Section 119A of the Data Protection Act 2018 for the transfer of Personal Information/Data from the United Kingdom to controllers or processors established outside the UK, as set forth at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK SCCs”).

The parties agree that, when there is a transfer of Personal Data that is (i) within scope of the EU GDPR and from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018, it shall be subject to the appropriate SCCs as follows:

1. in relation to data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:

(i) Module One will apply;

(ii) in Clause 7, the optional docking clause will apply;

(iii) Clause 9 is Not Applicable;

(iv) in Clause 11, the optional language will not apply;

(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;

(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Agreement; and

(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Agreement;  

2. in relation to data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:

(i) Table 1 of the UK SCCs shall be deemed completed with the information set out in Annex I to this Agreement;

(ii) Table 2 of the UK SCCs shall be deemed completed with the information set out below:
The parties select: the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: Module 1 with selections as set forth in Section 1 of this Addendum

(iii) Table 3 of the UK SCCs shall be deemed completed with the information set out in Annexes I and II to this Agreement; and

(iv) Table 4 of the UK SCCs shall be deemed completed by selecting: neither party.

3. in the event that any provision of this Agreement contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

Annex I:
Data Processing Description

This Annex I forms part of the Agreement and describes the processing between Seller (as an independent Controller) and Magnite (as an independent Controller). 

A.  DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: Customers of Exporter’s online digital properties (i.e., visitors to websites).
Categories of personal data transferred:
1. Information about the Visitor’s behavior on our publishers’ Digital Media Properties: including information about the domain, topic or name of the property, your referring website addresses, date/time of visits, viewability data, search keywords, visitor activities and actions on the publisher properties, referring/exit pages, platform type, the video title, video player size, description or category being displayed, date/time stamp, non-precise location information (including city, country, zip code), click data, types of advertisements viewed;
2. Information about the Visitor’s browser: including information about browser type, version, language, and history;
3. Information about the Visitor’s device: including information about IP address, device make, device model, device operating system, device operating system version, and data connection type;
4. Information about the Visitor’s Internet service: including information about which Internet Service Provider (ISP); and
5. Magnite may also collect precise geolocation information if the Visitor has actively enabled location services on its device and a Digital Media Property passes it to us.
6. Magnite may also receive information from third parties at the instruction or for the benefit of its sellers that provide user demographics and information with respect to a user’s preferences, patterns, click and video interactions, behaviors or interests, as well as advertisers and advertising platforms that provide information to Magnite in order to match an ad opportunity offered by its clients with the right advertisement.
7. Magnite’s clients may collect and store inferences about user activity using Magnite’s technology.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Not applicable
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous
Nature of the processing: Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction of data, in order to provide services to clients with respect to facilitating the serving of advertisements on data exporter’s digital properties that are purchased or placed using the data importer’s technology.
Purpose(s) of the data transfer and further processing: To maintain activity logs for the following purposes:
(1) providing advertising services to the data exporter, including reporting on advertisements delivered to the data exporter’s digital properties using the data importer’s technology;
(2) improving the data importer’s technology; and
(3) for recordkeeping purposes, in the event of a dispute between the data exporter and the data importer.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: We store Information in our systems for up to 90 days unless required by applicable law to retain it longer.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: NA

B. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance (e.g. in accordance with Clause 13 SCCs): Where the EU GDPR applies, the competent supervisory authority shall be determined in accordance with Clause 13 of these Standard Contractual Clauses.
Where the UK GDPR applies, the UK Information Commissioner’s Office will be the competent supervisory authority.

Annex II:
Technical and Organizational Security Measures

Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measure: Description
Measures of pseudonymisation and encryption of personal data: Limits production platform data to pseudonymized values only. Implements data security controls, including logical segregation of data, restricted (e.g. role-based) access and monitoring, and where applicable, utilization of commercially available and industry-standard encryption technologies.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Maintains operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards. Conducts security reviews of key third-party software and service vendors while onboarding and, where appropriate, conducts additional periodic security reviews.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Maintains incident response plans designed to allow Magnite to investigate, respond to, mitigate, and notify of events related to Magnite technology and information assets. These incident response plans include severity levels, escalations, and internal and external communications procedures.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: Conducts periodic third-party reviews, including external penetration testing to evaluate risk. Utilizes vulnerability assessments, patch management and threat protection technologies.
Measures for user identification and authorization: Utilizes logical access controls to manage electronic access to data and system functionality based on authority levels and job functions.
Measures for the protection of data during transmission: Utilizes cryptographic protocols such as TLS to protect information in transit over public and internal networks, where possible. Utilizes firewalls, load balancers, and third-party DDoS protection at the network edge to filter and/or mitigate.
Measures for the protection of data during storage: Limits production platform data to pseudonymized values only.
Measures for ensuring physical security of locations at which personal data are processed: Enforces physical and environmental security of data centers, server room facilities, and other areas containing client confidential information designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of Magnite facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
Measures for ensuring events logging: Implements a SIEM system for coordinated logging/alarming, enabling system audit, event logging/aggregation, and related monitoring procedures for ongoing review.
Measures for ensuring system configuration, including default configuration: Utilizes industry-standard configuration management tools for software deployments across the platform, inclusive of alerting for systems that fall out of the standard configurations.
Measures for internal IT and IT security governance and management: Appointed a Security Information Officer and Data Protection Officer.
Measures for certification/assurance of processes and products: Maintains operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards.
Measures for ensuring data minimization: Processes the minimum data necessary to provide the services.
Measures for ensuring data quality: N/A
Measures for ensuring limited data retention: Follows a company data retention and purging policy.
Measures for ensuring accountability: Appointed a Data Protection Officer and conducts annual reviews of policies and procedures.
Measures for allowing data portability and ensuring erasure: Maintains processes to enable access to data and removal upon request meeting expected timeline standards as set forth by regulation.