SpringServe DPA & SCCs

Last Updated: September 2, 2022

This Data Processing Addendum (“DPA”) is between Customer on behalf of itself and its Subsidiaries (“Company”) and SpringServe, Inc. (“SpringServe”).

Recitals

1. SpringServe has entered into one or more written contracts and/or agreements (the “Contract(s)”) with Company and/or Company Subsidiaries. In delivering the Services under the Contract(s), SpringServe may process data, including Personal Data controlled by Company and/or a Company Subsidiary.

2. To comply with Applicable Privacy Law(s) (defined below), Company must ensure the appropriate protection of all data, including Personal Data when Company engages SpringServe. Accordingly, Company’s engagement of SpringServe is conditioned upon agreement to the terms and conditions of this DPA.

Agreement

1. Definitions

“Applicable Privacy Law(s)” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, EU/UK Data Protection Law.

“Authorized Persons” means any person who processes Personal Data on SpringServe’s behalf, including SpringServe’s employees, officers, partners, principals, contractors and Subcontractors.

“EEA” means, for the purposes of this DPA, the European Economic Area, the United Kingdom and Switzerland.

“EU/UK Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;

“Personal Data” means information provided by Company to SpringServe under and in accordance with the Contract(s) relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified in particular by reference to an identifier such as a name, an identification number, location data, an online identifier.

“Company Subsidiary” means any entity that is directly or indirectly controlled by, controlling or under common control with Company.

“Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

“SCCs” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (“UK SCCs”).

“Security Incident” means any unauthorized acquisition, access, use or disclosure of unencrypted Personal Data provided by Company and processed by SpringServe under or in connection with the Contract(s) that materially compromises the security or confidentiality of such Personal Data.

“Services” shall mean the services provided by SpringServe to Company under and as more particularly described in the Contract(s).

“Subcontractor” means any third party engaged by SpringServe to process any Personal Data relating to the Contract(s).

The terms “Controller”, “Processor,” and “processing,” have the meanings given to them in Applicable Privacy Laws. If and to the extent that Applicable Privacy Laws do not define such terms, then the definitions given in EU Data Protection Law will apply.

2. Role and Scope of Processing

2.1 SpringServe shall process Personal Data under the Contract(s) only as a Processor acting on behalf of Company (whether as Controller or itself a Processor on behalf of third party Controllers).

2.2 SpringServe will at all times: (i) process the Personal Data only for the purpose of providing the Services to Company under the Contract(s) and in accordance with Company’s documented instructions; (ii) not process the Personal Data for its own purposes or those of any third party.

2.3 Each party shall comply with its obligations under Applicable Privacy Law(s) in respect of any Personal Data it Processes under this DPA.

2.4 SpringServe shall promptly notify Company if it makes a determination that it cannot comply with its obligations under this DPA and in such event (and without prejudice to any other rights available to Company) SpringServe shall work with Company and take all reasonable and appropriate steps to stop and remediate (if remediable) any processing until such time as the processing complies with the requirements of this DPA. SpringServe shall promptly cease (and procure all Subcontractors) processing Personal Data if Company determines that SpringServe has not or cannot correct any non-compliance in accordance with this Section 2.4 within a reasonable time frame.

3. Subprocessing

3.1 SpringServe may use Subcontractors to process Personal Data, provided that SpringServe shall not subcontract any processing of the Personal Data to a Subcontractor without the prior written notice to Company. Notwithstanding this, Company consents to SpringServe engaging Subcontractors to process the Personal Data provided that:

(a) SpringServe provides at least 30 days prior written notice to Company of the engagement of any new Subcontractor;

(b) SpringServe imposes the same data protection terms on any Subcontractor it engages as contained in this DPA (including data transfer provisions, where applicable); and

(c) SpringServe remains fully liable for any breach of this DPA or the Contract(s) that is caused by an act, error or omission of such Subcontractor.

3.2 If Company objects to the engagement of any Subcontractor, it must inform SpringServe within five (5) business days of SpringServe’s notice of the engagement of such Subcontractor, on justifiable data protection grounds, and then either SpringServe will not engage the Subcontractor to process the Personal Data, Company may elect to suspend or terminate the processing of Personal Data under the Contract(s) without penalty, or SpringServe may terminate the Contract(s) upon advance written notice to Company.

4. Cooperation

4.1 SpringServe shall reasonably cooperate with Company to enable Company (or its third party Controller) to respond to any requests, complaints or other communications from data subjects and regulatory or judicial bodies relating to the processing of Personal Data under the Contract(s), including requests from data subjects seeking to exercise their rights under Applicable Privacy Laws.  In the event that any such request, complaint or communication is made directly to SpringServe, SpringServe shall promptly pass this onto Company (to the extent legally permissible).

4.2 If SpringServe receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement or other public or judicial authorities) seeking the disclosure of Personal Data, SpringServe shall promptly notify Company in writing of such request (to the extent legally permissible), and reasonably cooperate with Company if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.

4.3 To the extent SpringServe is required under Applicable Privacy Laws, upon Company’s reasonable request SpringServe will assist Company (or its third party Controller) to conduct a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed processing activity that presents a high risk to data subjects.

5. Data Access & Security Measures

5.1 SpringServe shall ensure that any Authorized Person is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they process any data only for the purpose of delivering the Services under the Contract(s) to Company. 

5.2 SpringServe will implement and maintain appropriate technical and organizational security measures designed to protect from Security Incidents and to preserve the security, integrity and confidentiality of all data processed under or in connection with the Contract(s), including Personal Data (“Security Measures”). Such measures shall have regard to the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, SpringServe agrees to the following Security Measures: (i) Personal Data is not changed while stored, transferred or otherwise processed, unless such change constitutes a functionality of the Services; (ii) Personal Data that is stored, transferred or otherwise processed is encrypted or kept in another reasonably secure format; (iii) the availability of and access to Personal Data can be ensured in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing is in place; (v) logs are kept of all processing performed under the Contract; and (vi) appropriate safeguards are in place to restrict and/or limit access to Personal Data to those employees who (a) have a strict need to know in order to perform the Services; (b) have been provided with appropriate training on the handling of Personal Data; and (c) have agreed to confidentiality obligations consistent with the terms herein.

6. Security Incidents

6.1 In the event of a Security Incident, SpringServe shall without undue delay inform Company and provide written details of the Security Incident, including the type of data affected, as soon as such information becomes known or available to SpringServe. 

6.2 Furthermore, in the event of a Security Incident, SpringServe shall:

(a) provide timely information and cooperation as Company may reasonably require to fulfil Company’s data breach reporting obligations under Applicable Privacy Laws; and

(b) take such measures and actions as are appropriate to remedy the effects of the Security Incident and shall keep Company reasonably up-to-date about the developments in connection with the Security Incident.

6.3 The content and provision of any notification, public/regulatory communication or press release concerning the Security Incident as it pertains specifically to Company shall be solely at Company’s discretion, except as otherwise required by applicable laws.

7. Security Reports & Inspections

7.1 SpringServe shall maintain records in accordance with ISO 27001 or similar Information Security Management System (“ISMS”) standards. Upon request, SpringServe shall provide copies of relevant external ISMS certifications, audit report summaries and/or other documentation reasonably required by Company to verify SpringServe’s compliance with this DPA.

7.2 While it is the parties’ intention ordinarily to rely on SpringServe’s obligations set forth in Section 7.1 to verify SpringServe’s compliance with this DPA, up to one time during any calendar year during the term of the applicable Contract(s) Company may carry out an inspection, conducted by an independent, internationally-recognized certified public accountant hired by and paid for by Company, of SpringServe’s operations and facilities during normal business hours and subject to at least thirty (30) days’ prior written notice where Company considers it necessary or appropriate (for example, without limitation, where Company has reasonable concerns about SpringServe’s data protection compliance, following a Security Incident or following instruction from the ultimate Controller or a data protection authority).

8. Restricted Transfers

8.1 The parties agree that, when the transfer of Personal Data from Company to SpringServe is a Restricted Transfer, it shall be subject to the appropriate SCCs as follows:

(a) in relation to data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:

(i) Module Two will apply;

(ii) in Clause 7, the optional docking clause will apply;

(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Clause 3.1 of this DPA;

(iv) in Clause 11, the optional language will not apply;

(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;

(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Agreement; and

(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Agreement;  

(b) in relation to data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:

(i) Appendix 1 of the UK SCCs shall be deemed completed with the information set out in Annex I to this Agreement; and

(ii) Appendix 2 of the UK SCCs shall be deemed completed with the information set out in Annex II to this Agreement; and

(c) in the event that any provision of this Agreement contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

9. Deletion & Return 

9.1 Following the termination of the applicable Contract(s), SpringServe will make available to Company its Personal Data for the duration of up to one (1) month to allow Company to retrieve where reasonably technically feasible the Personal Data in a commonly used format set out by SpringServe. After such period, SpringServe shall destroy or otherwise render inaccessible all Personal Data (including copies) from the production environment of the Services. This requirement shall not apply to the extent that SpringServe is required by any applicable law to retain some or all of the Personal Data, in which event SpringServe shall isolate and protect the Personal Data from any further processing except to the extent required by such law. Actions set out in this section are at Company’s sole cost.

10. General

10.1 Except for the changes made by this DPA, the Contract(s) remain unchanged and in full force and effect.  If there is any conflict between any provision in this DPA and any provision in the Contract(s), this DPA controls and takes precedence.  With effect from the effective date, this DPA is part of, and incorporated into the Contract(s).

10.2 The obligations placed upon SpringServe under this DPA shall survive so long as SpringServe and/or its Subcontractors process Personal Data on behalf of Company.

10.3 NOTWITHSTANDING ANYTHING ELSE IN THE CONTRACT(S), THE TOTAL LIABILITY OF EITHER PARTY TO THE OTHER PARTY UNDER OR IN CONNECTION WITH THIS DPA WILL BE SUBJECT TO THE EXCLUSIONS AND LIMITATIONS OF LIABILITY IN THE APPLICABLE CONTRACT(S).

10.4 This DPA may not be modified except by a subsequent written instrument signed by both parties.

10.5 If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.

Annex I:
Data Processing Description

This Annex I forms part of the Agreement and describes the processing that SpringServe (as the processor) will perform on behalf of Company (as the controller).

A. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:  Visitors of online properties (i.e., visitors to websites and CTV).
Categories of personal data transferred:  Pseudonymous Identifiers relating to consumer devices (including IP address, device identifiers, cookie identifiers) and geo location data.  
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:  Not Applicable
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):  Continuous
Nature of the processing:  Collection, storage and dissemination of the data to deliver digital advertisements on websites and other devices such as CTV.  
Purpose(s) of the data transfer and further processing:  Processor supplies an ad serving platform to Controller, to enable Controller to sell its ad inventory. Furthermore, Processor may find buyers of Controller’s ad inventory through its marketplace.  The data processing activities consist of serving and tracking digital advertisements.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:  For as long as necessary for the purposes of the engagement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:  NA

B. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance (e.g. in accordance with Clause 13 SCCs):  Where the EU GDPR applies, the competent supervisory authority shall be determined in accordance with Clause 13 of these Standard Contractual Clauses. Where the UK GDPR applies, the UK Information Commissioner’s Office shall be the competent supervisory authority.

Annex II:
Technical and Organizational Security Measures

Description of the technical and organizational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measure:  Description
Measures of pseudonymisation and encryption of personal data:  SpringServe will encrypt or hash the passwords for networks, databases, platform, technology, and computer systems using commercially reasonable encryption levels. Data processed for purposes of providing our Services is done in a pseudonymized form.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services:  Employees, subcontractors, and agents performing work on behalf of SpringServe are bound by confidentiality agreements. SpringServe conducts security reviews of key third-party software and service vendors while onboarding and, where appropriate, conducts additional periodic security reviews. SpringServe runs in independent AWS regions with an automatic failover on our ad serving and event tracking systems. Software solutions written by SpringServe operate in a design allowing systems to be replaced easily and not be dependent on recovering application datasets manually. Critical datasets, such as database systems, are backed up to industry standards and replicated to other regions.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident:  SpringServe maintains archival backups of all SpringServe networks, databases, technology, platforms, and software to enable restoration of these systems. Archival backups are stored on a secure server or on other secure media to which access is restricted only to employees of SpringServe or authorized third parties on a need to know basis.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing:  SpringServe conducts periodic third-party reviews. We also utilize vulnerability assessments, patch management and threat protection technologies. Servers are regularly updated with security patches issued by the operating system vendor and associated programs installed. Critical patches are installed promptly.
Measures for user identification and authorisation:  SpringServe utilizes logical access controls to manage electronic access to data and system functionality based on authority levels and job functions.
Measures for the protection of data during transmission:  SpringServe utilizes cryptographic protocols such as TLS to protect information in transit over public and internal networks, where possible. SpringServe utilizes firewalls, load balancers, and third-party DDoS protection at the network edge to filter and/or mitigate
Measures for the protection of data during storage:  Personal Data processed by SpringServe is limited to pseudonymized values only.
Measures for ensuring physical security of locations at which personal data are processed:  SpringServe limits access to its facilities to SpringServe’s employees, employee-accompanied visitors and contractors using reasonable standard physical security methods. At a minimum, such methods include restricted access key cards for SpringServe’s employees, limited access to server rooms and archival backups, and security cameras at key entry points. Key cards are provisioned in accordance with SpringServe policy. Access to business-critical data hosted in our cloud service providers is controlled through SpringServe’s access control policy.
Measures for ensuring events logging:  SpringServe keeps a log of all actions taken in response to Security Incidents. The log must be time and date stamped. Further detail is provided in SpringServe’s incident response policy.
Measures for ensuring system configuration, including default configuration:  SpringServe utilizes industry standard configuration management tools for software deployments across the platform, inclusive of alerting for systems that fall out of the standard configurations.
Measures for internal IT and IT security governance and management:  SpringServe has appointed a Security Information Security Officer to ensure the Security team has the resources and authority required to adequately secure the company’s Information Resources.
Measures for certification/assurance of processes and products:  SpringServe maintains operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards.
Measures for ensuring data minimisation:  SpringServe only processes the minimum data necessary to provide our services.
Measures for ensuring data quality:  N/A
Measures for ensuring limited data retention:  SpringServe conducts an annual review of policies and procedures, and retains data for as long as necessary to provide the services.
Measures for ensuring accountability:  SpringServe ensures that individual access and accountability controls are in place with respect to its employees who will have access to the networks, databases, software, technology, platform, Confidential Information, and computer systems.
Measures for allowing data portability and ensuring erasure:  SpringServe has a process to enable access to data and removal upon request meeting expected timeline standards as set forth by data protection regulations and contractual obligations.