Independent Controller Data Processing Addendum (Sovrn as Data Importer) 

1. ACCEPTANCE. This Independent Controller Data Processing Addendum (“DPA”) is entered into by and between Sovrn and Customer (each, a “Party” and together, the “Parties”). This DPA sets forth the legally binding terms between Customer and Sovrn that govern the Processing of Personal Data (as defined below) under the Master Services Agreement, available at https://www.sovrn.com/legal/msa/, Sovrn Exchange Terms & Conditions, Sovrn Commerce Terms & Conditions, Sovrn Ad Management Terms & Conditions, or other agreement between Sovrn and Customer which govern the Services and links to or incorporates this DPA (the “Agreement”). Sovrn enters into this DPA in the name of and on behalf of its Affiliates if and to the extent such Affiliates Process Personal Data under the Agreement for which such Affiliates are a Controller.    
2. DEFINITIONS. For the purposes of this DPA, the following definitions apply. Capitalized terms that are used but not otherwise defined herein shall have the meanings as set forth in the Agreement.
   1. “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either Sovrn or Customer respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
   2. “Controller” means “data controller” as defined in Data Protection Laws and Regulations or “business” as defined in the CCPA and, if not defined, means the entity which determines the purposes and means of the Processing of Personal Data.  
   3. “Customer” means the entity that has entered into the Agreement with Sovrn.
   4. “Data Subject” means the individual to which the Personal Data relates.
   5. “Data Protection Laws and Regulations” means, with respect to a Party, all privacy and data protection laws applicable to such Party’s Processing of Personal Data including, where applicable: (i) European Data Protection Laws; (ii) the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder (as amended from time to time, the “CCPA”); and (iii) any other similar data protection laws in any other applicable territory, each as amended, replaced, supplemented or superseded.
   6. “EEA” means the European Economic Area.
   7. “European Data Protection Laws” means, in each case to the extent applicable to the relevant Personal Data or Processing thereof under the Agreement, (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), (b) laws relating to data protection, the processing of Personal Data, privacy and/or electronic communications in force from time to time in the United Kingdom, including the UK General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018 (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“Swiss FDPA”); and (d) any other data protection laws of the EEA and its Member States.
   8. “Personal Data” means any information Processed under the Agreement that constitutes “personal data,” “personal information,” “personally identifiable information” or similar information defined under applicable Data Protection Laws and Regulations.
   9. “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
   10. “Services” means the services the Parties are obligated to provide or permitted to receive pursuant to the Agreement for which each Party determines the purposes and means of the Processing of Personal Data.
   11. “Sensitive Data” means any Personal Data that constitutes “sensitive data,” “sensitive personal data,” “special category” personal data, or similar term under Data Protection Laws and Regulations, including without limitation any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, data of a known child or minor, as well as any other type of data that is considered sensitive according to Data Protection Laws and Regulations.
   12. “SCCs” means “Module One: Transfer controller to controller” of the Standard Contractual Clauses set forth in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, made available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, as supplemented and/or amended by the selections and addendum set forth at https://sovrn.com/legal/scc-selections/.
   13. “Sovrn” means Sovrn, Inc. or any Affiliate of Sovrn, Inc. that is a party to the Agreement with Customer.
   14. “Transfer” has the meaning given under Data Protection Laws and Regulations.
3. ROLE OF THE PARTIES. In performing their respective obligations under the Agreement, each Party may receive Personal Data which may be subject to Data Protection Laws and Regulations. The Parties acknowledge and agree that each Party is a separate and independent Controller in respect of such Personal Data and shall individually determine the purposes and means of its Processing of such Personal Data. The Parties further acknowledge that neither Party is responsible for determining the requirements of Data Protection Laws and Regulations applicable to the other Party.
4. RESTRICTION ON SENSITIVE DATA. The Parties acknowledge and agree that neither Party shall provide or make available Sensitive Data to the other Party in connection with the Services. The Parties acknowledge and agree that Sovrn shall have no responsibility or liability for any Sensitive Data erroneously or inadvertently transferred under this DPA. Nothing in this DPA shall be interpreted to limit any restrictions under the Agreement regarding the types of Personal Data that may be provided by Customer to Sovrn.
5. OBLIGATIONS OF THE PARTIES.
   1. Lawfulness of Processing. Each Party acknowledges and confirms that: (a) it will comply with applicable Data Protection Laws and Regulations and this DPA in connection with its Processing of Personal Data; and (b) it will be responsible for determining the legal basis(es) of its own Processing activities.
   2. Consent for Processing. Where applicable, Customer has obtained, or has taken commercially reasonable efforts to cause to be obtained, valid Data Subject consent (including renewal of consent) as required by Data Protection Laws and Regulations for each Processing purpose for all Personal Data made available for use in connection with the Services, and, as between the Parties, remains solely responsible for obtaining such valid consent and communicating all relevant withdrawals or revocations of consent to Sovrn. Customer shall (a) notify Sovrn of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Personal Data that it provides to Sovrn under the Agreement that would impact Sovrn’s ability to comply with the Agreement, this DPA or applicable Data Protection Laws and Regulations. Sovrn agrees, where applicable, to accept and abide by instructions and/or any consent signals transmitted by Customer for Processing of Personal Data (including, for example, in the format consistent with the OpenRTB guidelines and/or relevant IAB framework signals). For the avoidance of doubt, nothing in this Section 5(b) shall limit Customer’s notice and/or consent obligations under the Agreement or under Section 4(c) of this DPA.
   3. Privacy Notices. In addition to any privacy policy or notice requirements under the Agreement, each Party agrees to provide all notices and disclosures to Data Subjects required to be provided by such Party under Data Protection Laws and Regulations regarding the Processing of Personal Data contemplated under this DPA and the Agreement including, where applicable, all disclosures regarding a Data Subject’s right to opt-out of Personal Data sales, sharing, or targeted advertising (as such terms are defined under Data Protection Laws and Regulations).
6. NO OWNERSHIP OR LICENSE. Nothing in this DPA shall be construed to convey any ownership interest or license in the Personal Data that is contrary to the ownership interests and licenses set forth in the Agreement.
7. PROCESSING SUBJECT TO THE CCPA. As used in this Section 7, “Personal Information” means personal information (as defined in the CCPA) contained in Personal Information. For purposes of the CCPA, the Parties acknowledge and agree that the Personal Information disclosed by Company to Sovrn is provided to Sovrn only for the limited and specified purposes described in the license to Data granted by Company to Sovrn pursuant to the Agreement and for the uses described in Sovrn’s privacy policy, available at sovrn.com/privacy-policy. Sovrn will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Data as is required by the CCPA. Customer has the right to take reasonable and appropriate steps to help ensure that Sovrn uses the Personal Information transferred in a manner consistent with Customer’s obligations under the CCPA by exercising Customer’s rights under this DPA. Sovrn will inform Customer if it makes a determination that Sovrn can no longer meet its obligations under the CCPA. If Sovrn notifies Customer of unauthorized use of Personal Information, including under the foregoing sentence, Customer will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with Sovrn, terminating the portion of the Agreement relevant to such unauthorized use, or such other steps mutually agreed between the Parties in writing.
8. DATA SUBJECTS’ RIGHTS. Each Party hereby authorizes the other Party to release all Personal Data in its possession directly pertaining to a verified Data Subject request for data portability to the Data Subject or his/her authorized representative, without regard to whether such Personal Data are owned/licensed by Sovrn or Customer.
9. REGULATORS. Each Party agrees to: (a) promptly notify the other Party in writing of any question, complaint, investigation, inquiry, warrant, subpoena or proceedings from or brought by any public, governmental, and/or judicial agency or authority (each, a “Regulatory Request”), that relates to such other Party’s (i) Processing of Personal Data in relation to the Services, or (ii) potential failure to comply with Data Protection Laws and Regulations; and (b) comply with any written litigation hold, document preservation notice, or similar legal hold requested by the other Party in connection with any Regulatory Request, lawsuit, or other claim, except to the extent required by applicable law.
10. DATA TRANSFERS.
    1. Transfer Authorization. Subject to this Section 9, the Parties acknowledge and agree that each Party is authorized to Process and Transfer Personal Data in any jurisdiction provided that such Processing complies with Data Protection Laws and Regulations. Each Party shall ensure that any Transfer it initiates will, where applicable, be subject to a lawful data transfer mechanism and/or appropriate onward transfer agreements that require that any further Transfers be conducted under a lawful data transfer mechanism.
    2. Transfers of Personal Data From the EEA, Switzerland or the United Kingdom. If Sovrn Transfers Personal Data subject to European Data Protection Laws to Company in a country whose laws have not been deemed by the European Commission or other applicable authority to provide an adequate level of protection for Personal Data, and such Transfer is not subject to an alternative adequate transfer mechanism or otherwise exempt from Transfer restrictions under European Data Protection Laws, Sovrn (as data exporter) and Customer (as data importer) agree that the SCCs will be incorporated herein by reference. In furtherance of the foregoing, the Parties agree to the selections and addendum set forth at https://www.sovrn.com/legal/sovrn-exporter-scc/. The SCCs shall automatically terminate with respect to a given Transfer once the Transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such SCCs on any other basis.
11. CONFIDENTIALITY. The Parties agree to take steps to ensure that any person acting under their authority who has access to the Personal Data is subject to an appropriate confidentiality obligation.
12. LIMITATION OF LIABILITY. Each Party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to any limitation of liability as set forth in the Agreement and any reference to such limitation of liability of a Party means the aggregate liability of the Party under the Agreement and this DPA together. Additionally, each Party shall be independently liable for its own Processing of Personal Data to the extent such Processing does not comply with Data Protection Laws and Regulations.
13. APPLICABLE LAW AND JURISDICTION. This DPA is and remains governed by and shall be construed in accordance with the law designated as applicable in the Agreement, except to the extent required otherwise under the SCCs.
14. ORDER OF PRECEDENCE. Except as specifically set forth in this DPA, the terms and provisions of the underlying Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Agreement and the terms of this DPA, the terms and provisions of this DPA shall prevail with regard to data protection matters. In the event of a conflict between the terms of this DPA and the SCCs, the SCCs shall prevail.
15. MODIFICATION. Modifications to this DPA will be posted on the Legal Page of Sovrn’s website at https://sovrn.com/legal or Customer can subscribe to receive notifications of changes to this DPA by clicking on the RSS feed icon at the top of this page. Changes will not apply retroactively and become effective as of the Last Updated date of this DPA. If Customer does not agree to any terms in this DPA, Customer must not use the Services. Customer’s continued use of the Services after the Last Updated date of this DPA constitutes Customer’s acceptance of and agreement to follow and be bound by such changes.
16. TERMINATION AND SURVIVAL. The Parties agree that this DPA is terminated upon the termination of the Agreement.
17. INVALIDITY AND SEVERABILITY. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
18. COUNTERPARTS. This DPA may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute the one agreement.

Revision Log

Section	Revision summary	Version
Preamble; Definitions	Clarified definitions of the parties and underlying agreement; updated Sensitive Data definition to align with evolving definitions under US state privacy laws.	April 2024
Throughout	Updated DPA to reflect changes in US state privacy laws, and for readability	Sept. 2023
Data Transfers	Update to rely on EU Standard Contractual Clauses and UK Approved Addendum for data transfers to the US	Jan. 2022
Initial Online version	Data Processing Addendum posted online	July 2021