Spigot, Inc. Data Processing Addendum

Last Updated: 18 June 2024

This Data Processing Addendum (this “Data Processing Agreement” or this “DPA”) forms an integral part of any agreement in which it is referenced (the “Commercial Agreement”) and is made and entered into as of the Effective Date (as defined in the Commercial Agreement) between Spigot, Inc. (“Controller” or “Spigot”) and the counterparty set forth opposite Controller in the Commercial Agreement (“Processor”). This DPA supplements the Commercial Agreement between the Controller and Processor and sets forth the roles and obligations between the two when Processor processes Personal Data on behalf of Controller. Each of Controller and Processor may be referred to herein individually as a “Party” or collectively as the “Parties”.

SECTION 1. DEFINITIONS. As used in this DPA, capitalized terms not defined herein shall have the meanings ascribed to them in the Commercial Terms or in applicable Data Protection Laws and the following terms shall have the meanings ascribed to them below:

“Affiliate” means, with respect to a Party, any corporate entity that, directly or indirectly, controls, is controlled by, or is under common control with such Party (but only for so long as such control exists). As used in this definition, the term “control” shall mean the possession, directly or indirectly, of the power either to (a) vote 50% or more of the securities or interests having ordinary voting power for the election of directors (or other comparable controlling body) of such person or (b) direct or cause the direction of the actions, management or policies of such person, whether through the ownership of voting securities or interests, by contract or otherwise.

“Commercial Terms” means the terms of the agreement between Controller and Processor that incorporates this DPA by reference, as amended from time to time, along with any applicable order form entered into between the parties.

“Complaint” means a complaint or request relating to either Party’s obligations under the applicable Data Protection Laws relevant to this DPA, including any compensation claim from a Data Subject or any notice, investigation, or other action from a Supervisory Authority.

“Data Controller” means the entity which determines the purposes and means of the Processing.

“Data Processor” means the entity, including all persons operating under its supervision (other than Subprocessors), which Processes Personal Data hereunder.

“Data Protection Laws” means any applicable country, federal, state, and local law, ordinances, statute, by-law, regulation, order, regulatory policy (including any requirement or notice of any regulatory body), guidelines, compulsory guidance of a regulatory body with authority over the applicable Party, rule of court or directives, binding court decision or precedent, or delegated or subordinate legislation, each of the above as may be amended from time to time related to data protection, consumer privacy or e-privacy, including without limitation, the GDPR, the UK Data Protection Laws, the CCPA, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act.

“Data Subject” means an identified or identifiable natural person, who may be directly or indirectly identified by reference to a unique identifier or one or more factors specific to such natural person, or any other analogous term under applicable Data Protection Laws, such as Consumer.

“Data Subject Request” means a request made by a Data Subject to exercise any rights of data subjects under Applicable Data Protection Laws.

“EEA Standard Contractual Clauses” or “EEA SCCs” means the Standard Contractual Clauses set out in the Annex to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, commonly referred to as the General Data Protection Regulation.

“Personal Data” means any information protected by applicable Data Protection Laws.

“Process(ing)”  shall have the same meaning under Applicable Data Protection Laws, and shall include, but is not limited to, any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including to access, adapt, alter, block, catalog, collect, combine, compile, consult, copy, cross-reference, erase, destroy, disclose, display, disseminate, download, input, log, make available, maintain, manage, organize, output, perform, provide, post, process, receive, retain, retrieve, record, reproduce, store, translate, submit, transmit, transfer, upload, use, or otherwise make other derivative works or improvements. “Processed” has a correlative meaning.

“Public Authority” means any national, provincial, territorial, state, county, municipal, quasi-governmental or self-regulatory department, authority, law enforcement agency, national security agency, regulator, organization, agency, commission, board, tribunal, dispute settlement panel or body, bureau, official, minister, or court or other law, rule or regulation-making entity having or purporting to have jurisdiction over Controller, Processor, or any Processing or other matter related to this DPA, including any Supervisory Authority.

“Purpose” means the specific purposes set forth in the Agreement and as further set forth in Annex 1 of this DPA.

“Restricted Transfer” means a transfer of Personal Data which is (i) from a data exporter subject to GDPR or other Applicable Data Protection Laws of the EEA which is only permitted in accordance with GDPR if a Transfer Mechanism is applicable to that transfer (“EEA Restricted Transfer”); and/or (ii) from a data exporter subject to UK Data Protection Laws which is only permitted in accordance with UK Data Protection Laws if a Transfer Mechanism is applicable to that transfer (“UK Restricted Transfer”).  Notwithstanding the foregoing, Transfers of Personal Data will not be considered an EEA Restricted Transfer or UK Restricted Transfer where (i) the jurisdiction to which the Personal Data is transferred is an Adequate Country; or (ii) the transfer falls within the terms of a derogation as set out in Article 49 of the GDPR or, as applicable, any equivalent provision under UK Data Protection Laws.

“Sale” or “Sell” shall have the same meaning under applicable Data Protection Laws.

“Share,” “Shared,” or “Sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Data Subject’s Personal Data by a Party to another party for cross-context behavioural advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioural advertising for the benefit of a business in which no money is exchanged, except where defined differently under an applicable Data Protection Laws (e.g., the CCPA), in which case the definition under the applicable Data Protection Laws shall prevail, as appropriate.

“Security Incident” means an incident that compromises the availability, security, authenticity, integrity, or confidentiality of accessed, stored or transmitted Personal Data provided by Controller to Processor and/or obtained by Processor in connection with the performance of the Services and the Agreement, and any other incident that may be identified as a breach of security or privacy under Applicable Data Protection Laws.

“Sensitive Personal Data,” “Sensitive Data” or “Sensitive Information” shall have the same meaning under Applicable Data Protection Laws, and in any event shall include without limitation, the categories of sensitive Personal Data in Annex 1. Notwithstanding anything to the contrary, Sensitive Personal Data, Sensitive Data and Sensitive Information will be included in references to Personal Data throughout this DPA.

“Services” means services provided by Processor under the Agreement.

“Standard Contractual Clauses” or “SCCs” means each of the EEA Standard Contractual Clauses and the UK IDTA Addendum.

“Subprocessor” means any processor engaged by the Data Processor to Process Personal Data hereunder.

“Supervisory Authority” means an independent public authority established by an EU Member State pursuant to the GDPR or any other similar authority established by applicable Data Protection Laws.

“Transfer Mechanism” means the Standard Contractual Clauses or any other appropriate safeguards under article 46 of the GDPR or equivalent provision under UK Data Protection Laws applicable to a relevant transfer of Personal Data that has the effect of permitting that transfer.

“UK Data Protection Laws” means all laws relating to data protection, the processing of Personal Data, privacy and/or electronic communications in force from time to time in the United Kingdom, including the United Kingdom General Data Protection Regulation and the UK Data Protection Act 2018.

“UK IDTA Addendum” means the UK international data transfer agreement (IDTA) addendum to the EEA Standard Contractual Clauses for international data transfers, version B1.0, which entered into force on March 21, 2022.

SECTION 2. SCOPE. This DPA applies to the extent that Processor collects and processes Personal Data on behalf of Controller in connection with the Commercial Agreement between the Parties, as described in more detail in Annex 1. To the extent that the SCCs are applicable to the relationship between the Parties, Clause 3.1(a), below, is deemed an instruction by the Data Exporter to Process Personal Data for the purposes of Clause 5(a) of the SCCs. In respect of the Parties’ rights and obligations under this DPA regarding the Personal Data, the Parties hereby acknowledge and agree that Processor may act as a Data Processor (where the counter-Party is a Data Controller) and/or a sub-processor (where the counter-Party acts as the Data Processor to its end user business clients that are the Data Controller), as described further in Annex 1. 

SECTION 3. RESPONSIBILITIES OF THE PARTIES.

3.1.      Processor shall:

(a)        Process Personal Data in accordance with the lawful instructions of Controller (as set out in the Commercial Agreement, this DPA, or otherwise in writing) for the duration of the Commercial Agreement and solely for the purpose of:

(i)         performing under the Commercial Agreement and this DPA;

(ii)        complying with Data Subject Requests; and

(iii)       as required by Applicable Data Protection Laws;

(b)        In connection with Clause 3.1(a), above, immediately notify Controller if, in Processor's opinion, an instruction violates Applicable Data Protection Laws;

(c)        Not Process, or disclose to any third party, Personal Data for any purpose other than those set forth in Subclauses 3.1(a)(i)–(iii), above, or sell Personal Data to any third party for monetary or other valuable consideration within the meaning of CCPA or otherwise;

(d)        Upon notice, take reasonable and appropriate steps to stop and remediate any unauthorized Processing;

(e)        Not engage another Processor to Process Personal Data without Controller's prior written approval;

(f)        Implement appropriate technical, physical and organizational measures to adequately safeguard the security and confidentiality of Personal Data in accordance with applicable Data Protection Laws and protect Personal Data from Security Incidents, including, at a minimum, as described in Annex 2, all at Processor’s sole cost and expense;

(g)        To the extent legally permitted, promptly notify Controller, with as many details as possible, if Processor receives a:

(i)         Complaint or request from a Data Subject to exercise their rights under Applicable Data Protection Laws;

(ii)        Request for Processing or disclosure of Personal Data from a Supervisory Authority

(h)        Taking into account the nature of the Processing,

(i)         Assist Controller in providing security for Personal Data, data protection impact assessments, responses to breaches of Personal Data and consultations with Supervisory Authorities to the extent required under applicable Data Protection Laws;

(ii)        provide reasonable assistance to Controller to enable Controller to respond to requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Laws;

(i)         Promptly return or delete Personal Data related to Processing upon Controller’s written request or the expiration or earlier termination of this DPA (and in any event within thirty (30) days thereof), and shall ensure that all persons or entities acting on its behalf comply with this Clause 3.1(i), except where applicable Data Protection Laws requires Processor to retain Personal Data;

(j)        Cease all Processing upon the expiration or earlier termination hereof.

3.2.      The Party responsible for collecting Personal Data in the first instance shall obtain all of the necessary consents, permissions or other rights to lawfully provide the Personal Data to the other Party to the extent such Personal Data are transferred in accordance with the Commercial Agreement. The Party collecting Personal Data shall ensure that all necessary Data Subject consents to this Processing are obtained and maintained in accordance with applicable Data Protection Laws and shall ensure that a record of such consents is maintained. Such Party shall promptly notify the other Party of any required Data Subject consents which terminate, are revoked or invalidated, or expire. 

3.3.      Each Party shall:

(a)        Comply in their respective capacity as Controller and Processor with Applicable Data Protection Laws and be solely responsible for determining whether its performance of the Agreement or this DPA is in compliance with all Applicable Data Protection Laws;

(b)        Maintain accurate, complete, and up-to-date written records, of the Processing, including:

(i)         The categories of Processing carried out on behalf of Controller;

(ii)        Where applicable, details of transfers of Personal Data to recipients outside the EEA and United Kingdom; and

(iii)       A general description of the technical and organizational security measures described in Annex 2;

(c)        Make any records maintained pursuant to Clause 3.3(b) available to an appropriate Supervisory Authority upon request; and

(d)        Comply with all provisions set forth herein.

4. DATA SECURITY INCIDENTS.

4.1.       Processor shall, immediately upon becoming aware of or reasonably suspecting a Security Incident, notify Controller of such Security Incident in writing and continue thereafter to provide information relating to such Security Incident as Controller may reasonably require in fulfilling any data breach reporting obligations under Applicable Data Protection Laws. To the extent applicable, the obligations in Clause 5(d)(ii) of the SCCs will be carried out in accordance with this Section.

4.2.      Processor shall reasonably cooperate with Controller and follow Controller's reasonable instructions with regard to such incident in order to assist Controller in its investigation and response to the incident.

5. REPRESENTATIONS AND WARRANTIES.

 5.1.      Each Party represents and warrants to the other that:

(a)        in relation to Personal Data, it will comply (and will ensure that any of its personnel comply and use commercially reasonable efforts to procure that its Sub-processors comply), with all applicable Data Protection Laws; and

(b)        its performance of all the terms of this Agreement will not breach any agreement and it has not entered into, and agrees that it will not enter into, any oral or written agreement in conflict herewith.

5.2.      The Party responsible for collecting Personal Data in the first instance represents and warrants that it has obtained all of the necessary consents, permissions or other rights to lawfully provide the Personal Data to the other Party to the extent such Personal Data are transferred in accordance with the Commercial Agreement

SECTION 6. AUDIT. Processor shall make available to Controller, in a timely manner (and in any event within ten (10) business days), all information that is reasonably necessary to verify Processor’s compliance with this DPA, the SCCs, and Applicable Data Protection Laws, including copies of records made pursuant to Clause 3.3(b). Processor shall further allow for and contribute to audits or inspections, by Controller or its appointed third-party auditors, related to the Processing. Any such investigations, audits or inspections shall be upon reasonable prior written notice to Processor, subject to reasonable written confidentiality terms and security requirements, limited to information relevant to Processor's compliance with this DPA and, where feasible, not unreasonably interfere with Processor's normal business operations. Notwithstanding anything to the contrary, Processor shall have no such obligations with respect to Processor’s cloud storage providers that do not permit such access so long as such cloud storage providers is one of Azure, AWS, and/or Snowflake. Controller shall exercise its rights under Clauses 8.9 of the SCCs by instructing Processor to comply with the audit measures described in this Section.

SECTION 7. INTERNATIONAL TRANSFERS.

7.1.      The Parties shall a Transfer Mechanism in place for any Restricted Transfer.

7.2.      For any Personal Data originating in the EEA or the UK, to the extent that the Processing thereof constitutes a Restricted Transfer, the Parties shall continue to apply the requirements of the GDPR to such data irrespective of the location of such Processing. The Parties further agree that the EEA SCCs will apply with respect to the cross-border transfer Personal Data and will be completed as follows:

(a)        Module Three (PROCESSOR TO PROCESSOR) will apply;

(b)        In Clause 7, the optional docking clause will apply;

(c)        In Clause 11, the optional language will not apply;

(d)        In Clause 17, Option 1 will apply, and this shall be the law of Ireland;

(e)        In Clause 18(b), disputes shall be resolved before the courts of Dublin, Ireland;

(f)        Annex I of the EEA SCCs shall be deemed completed with the information set out in Annex 1 to this DPA;

(g)        Annex II of the EEA SCCs shall be deemed completed with the information set out in Annex 2 to this DPA;

(h)        The competent supervisory authority pursuant to Annex I.C. of the SCCs shall be Ireland’s Data Protection Commission; and

(i)         To the extent that the Personal Data being transferred relates to individuals in the UK, the UK IDTA Addendum shall be deemed executed between the Parties and the EEA SCCs shall be deemed amended as specified in Annex 4 in respect of the transfer of such Personal Data.

7.3.      In the event that any provision of this DPA and/or the Commercial Agreement contradicts, directly or indirectly, the SCCs, the contradicted provision in the SCCs shall prevail.

7.4.      Data exporter, in furtherance of its obligations under the SCCs, may implement and require data importer to implement reasonable implementation measures that are applicable to Personal Data that are subject to a Restricted Transfer and this Section 7.

7.5.      In the event that the SCCs or the UK IDTA Addendum are not applicable to a Restricted Transfer (e.g., because they have been deemed insufficient by a Supervisory Authority), the Parties shall cooperate in good faith to implement appropriate and satisfactory safeguards for any Restricted Transfer as required or permitted by the GDPR or UK GDPR without undue delay.

SECTION 8. SUBPROCESSORS.

8.1.      Controller agrees that: (a) Processor may appoint its Affiliates as Subprocessors, and (b) subject to Subsections 8.2. and 8.3., below, Processor and its Affiliates may engage third-party Subprocessors or service providers to support performance hereunder, including the current Subprocessors, as may be listed in Annex 3.

8.2.      If Processor intends on appointing a new or replacement Subprocessor, Processor shall notify Controller thirty (30) days prior to the date on which such Subprocessor would begin providing services; provided, however, that such notice period may be shortened to as soon as reasonably practicable if circumstances exist, as reasonably determined by Processor, that require Processor to add or replace a Subprocessor with more immediacy to avoid material disruptions to its services or avoid any potential damages that might arise in the absence of such addition or replacement. If Controller has a reasonable, good-faith objection to a new Subprocessor, it shall notify Processor of such objection in writing and the Parties will seek to resolve the matter in good faith. In the event that the Parties cannot resolve the matter within thirty (30) days of Controller’s notice of objection, Controller may terminate the Commercial Agreement and any related agreements which cannot be performed by Processor without the use of the objected-to new Subprocessor by providing written notice to Processor.

8.3.      Processor shall (a) maintain an up-to-date list of Subprocessors and make such list available to Controller upon request; (b) impose on Subprocessors data protection terms that offer at least the same level of protection for Personal Data as required by this DPA; and (c) remain liable for any breach of this DPA caused by its Subprocessors.

8.4.      The Parties agree and acknowledge that, by complying with this Section 8, Processor fulfills its obligations under Sections 9(a) and (b) of the SCCs. 

SECTION 9. LIMITATION OF LIABILITY; INDEMNIFICATION. Except to the extent prohibited by applicable Data Protection Laws and/or the Standard Contractual Clauses, the limitations of liability set forth in the Agreement shall control with respect to any damages arising out of this DPA.  Except to the extent prohibited by applicable Data Protection Laws and/or the Standard Contractual Clauses, the indemnification provisions set forth in the Agreement shall control with respect to indemnification for any breach by a Party of its obligations pursuant to this DPA.

SECTION 10. GENERAL.

10.1.    This DPA will remain in full force and effect for so long as: (a) the Commercial Agreement remains in effect, (b) Processor retains any Personal Data related to the Agreement, or (c) it is replaced or repealed by mutual agreement of the Parties.

10.2.    In the event of a change in Data Protection Laws affecting the Processing, the Parties shall work together in good faith to make any amendments to this DPA or to execute additional written agreements as reasonably required by Data Protection Laws. Each Party acknowledges that this DPA and any privacy-related provisions in the Commercial Agreement may be shared with a Public Authority on request.

10.3.    Except as amended by this DPA, the Commercial Agreement will remain in full force and effect. If there is a conflict between this DPA and the Commercial Agreement, this DPA will control. Except to the extent prohibited by Applicable Data Protection Laws or the SCCs, any claims brought under this DPA shall be subject to the terms of the Commercial Agreement, including but not limited to the exclusions and limitations of liability set forth therein.

10.4.    This DPA is the final, complete, and exclusive agreement of the Parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the Parties with respect to such subject matter. No modification of, amendment to, or waiver of any rights under this DPA will be effective unless in writing and signed by each of the Parties. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall control. In the event of a conflict between this DPA and the Agreement, this DPA shall control.

10.5.    If the application of any provision of this DPA to any particular facts or circumstances will be held to be invalid or unenforceable by an arbitration panel or a court of competent jurisdiction, then (a) the validity of other provisions of this DPA will not in any way be affected thereby, and (b) such provision will be enforced to the maximum extent possible so as to affect the intent of the Parties and reformed without further action by the Parties to the extent necessary to make such provision valid and enforceable

10.6.    Each person signing below represents and warrants that he or she is duly authorized and has legal capacity to execute and deliver this DPA. Each Party represents and warrants to the other that the execution and delivery of this DPA, and the performance of such Party’s obligations hereunder, have been duly authorized and that this DPA is a valid and legally binding agreement on each such Party, enforceable in accordance with its terms.

Annex 1: Data Processing Description

This Annex 1 forms part of the DPA and describes the Processing to be performed thereunder.

1(a) – List of Parties

1(b) – Description of Transfer

Annex 2: Technical and Organizational Security Measures

This Annex 2 forms part of the DPA and describes the minimum technical and organizational measures to be implemented by Processor to protect Personal Data from Security Incidents.

1.         Encryption of Personal Data when at rest and in transit.

2.         Virtual Private Network (VPN) and Multi-Factor Authentication (MFA) to access cloud data centers.

3.         Differentiated rights system based on security groups and access control lists, with secure password requirements and storage.

4.         Segregation of responsibilities and duties.

5.         Secure network interconnections.

6.         Role-based access on a need-to-know basis for employees.

7.         Where applicable, use of Distributed Denial of Service (DDoS) protection services.

8.         Documented procedures for handling and reporting incidents, including the detection and reaction to possible Security Incidents.

9.         Regular network and application security testing, whether conducted internally or by a third-party.

10.       Dedicated and identified person to oversee Processor’s information security and compliance program.

11.        Privacy by design/default (privacy impact assessment process).

12.       Process for the exercise of data protection rights in accordance with Applicable Law.

13.       Documented data retention policy and processes.

14.       Assigned responsibility to ensure end-user privacy throughout the product lifecycle and through applicable business processes.

Annex 3: Reserved

Annex 4: UK Addendum