Independent Controller Data Processing Addendum (Sovrn as Data Exporter) 

1. ACCEPTANCE. This Independent Controller Data Processing Addendum (Sovrn as Data Exporter) (“DPA”) is entered into by and between Sovrn and Company (each, a “Party” and together, the “Parties”). This DPA sets forth the legally binding terms between Company and Sovrn that govern the Processing of Personal Data (as defined below) under the Managed Services Demand Agreement, Data License Agreement, or other agreement between Sovrn and Customer which govern the Services and links to or incorporates this DPA (the “Agreement”). Sovrn enters into this DPA in the name of and on behalf of its Affiliates if and to the extent such Affiliates Process Personal Data under the Agreement for which such Affiliates are a Controller.    
2. DEFINITIONS. For the purposes of this DPA, the following definitions apply. Capitalized terms that are used but not otherwise defined herein shall have the meanings as set forth in the Agreement.
   1. “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either Sovrn or Company respectively, where control is de ned as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
   2. “Company” means the entity that has entered into the Agreement with Sovrn.
   3. “Controller” means “data controller” as defined in Data Protection Laws and Regulations or “business” as defined in the CCPA and, if not defined, means the entity which determines the purposes and means of the Processing of Personal Data.  
   4. “Data Subject” means the individual to which the Personal Data relates.
   5. “Data Protection Laws and Regulations” means, with respect to a Party, all privacy and data protection laws applicable to such Party’s Processing of Personal Data including, where applicable: (i) European Data Protection Laws; (ii) the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder (as amended from time to time, the “CCPA”); and (iii) any other similar data protection laws in any other applicable territory, each as amended, replaced, supplemented or superseded. 
   6. “EEA” means the European Economic Area.
   7. “European Data Protection Laws” means, in each case to the extent applicable to the relevant Personal Data or Processing thereof under the Agreement, (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), (b) laws relating to data protection, the processing of Personal Data, privacy and/or electronic communications in force from time to time in the United Kingdom, including the UK General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018 (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“Swiss FDPA”); and (d) any other data protection laws of the EEA and its Member States.
   8. “Personal Data” means any information Processed under the Agreement that constitutes “personal data,” “personal information,” “personally identifiable information” or similar information defined under applicable Data Protection Laws and Regulations.
   9. “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
   10. “Services” means the services the Parties are obligated to provide or permitted to receive pursuant to the Agreement for which each Party determines the purposes and means of the Processing of Personal Data.
   11. “SCCs” means (i) “MODULE ONE: Transfer controller to controller” of the Standard Contractual Clauses set forth in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, made available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, as supplemented and/or amended by the selections and addendum set forth at https://www.sovrn.com/legal/sovrn-exporter-scc/.
   12. “Sovrn” means Sovrn, Inc. or any Affiliate of Sovrn, Inc. that is a party to the Agreement with Company. 
   13. “Transfer” has the meaning given under Data Protection Laws and Regulations.
3. ROLE OF THE PARTIES. In performing their respective obligations under the Agreement, each Party may receive Personal Data which may be subject to Data Protection Laws and Regulations. The Parties acknowledge and agree that each Party is a separate and independent Controller in respect of such Personal Data and shall individually determine the purposes and means of its Processing of such Personal Data. The Parties further acknowledge that neither Party is responsible for determining the requirements of Data Protection Laws and Regulations applicable to the other Party.
4. OBLIGATIONS OF THE PARTIES.
   1. Lawfulness of Processing. Each Party acknowledges and con rms that: (a) it will comply with applicable Data Protection Laws and Regulations and this DPA in connection with its Processing of Personal Data; and (b) it will be responsible for determining the legal basis(es) of its own Processing activities.
   2. Reasonable Assistance. Upon request, Company will provide Sovrn with reasonable assistance, information, and cooperation to ensure compliance with Sovrn’s obligations under Data Protection Laws and Regulations in respect of Personal Data and the Services.
   3. Consent for Processing. Company shall accept and abide by instructions and/or consent signals transmitted by Sovrn under the Agreement, where applicable, including, for example, in the format consistent with the OpenRTB guidelines or relevant IAB framework signals.
5. NO OWNERSHIP OR LICENSE. Nothing in this DPA shall be construed to convey any ownership interest or license in the Personal Data that is contrary to the ownership interests and licenses set forth in the Agreement.
6. PROCESSING SUBJECT TO THE CCPA. As used in this Section 6, “Personal Information” means personal information (as defined in the CCPA) contained in Personal Data. For purposes of the CCPA, the Parties acknowledge that the Personal Information disclosed by Sovrn to Company is provided to Company only for the limited and specified purposes permitted under the express license to Data granted by Sovrn to Company pursuant to the Agreement. Company will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Information as is required by the CCPA. Sovrn has the right to take reasonable and appropriate steps to help ensure that Company uses the Personal Information transferred in a manner consistent with Sovrn’s obligations under the CCPA. Company will notify Sovrn if it makes a determination that Company can no longer meet its obligations under the CCPA. If Company notifies Sovrn of unauthorized use of Personal Information, including under the foregoing sentence, Sovrn will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use.
7. DATA SUBJECTS’ RIGHTS. Each Party hereby authorizes the other Party to release all Personal Data in its possession directly pertaining to a verified Data Subject request for data portability to the Data Subject or his/her authorized representative, without regard to whether such Personal Data are owned/licensed by Sovrn or Company.
8. REGULATORS. Each Party agrees to: (a) promptly notify the other Party in writing of any question, complaint, investigation, inquiry, warrant, subpoena or proceedings from or brought by any public, governmental, and/or judicial agency or authority (each, a “Regulatory Request”), that relates to such other Party’s (i) Processing of Personal Data in relation to the Services, or (ii) potential failure to comply with Data Protection Laws and Regulations; and (b) comply with any written litigation hold, document preservation notice, or similar legal hold requested by the other Party in connection with any Regulatory Request, lawsuit, or other claim, except to the extent required by applicable law.
9. DATA TRANSFERS.
   1. Transfer Authorization. Subject to this Section 9, the Parties acknowledge and agree that each Party is authorized to Process and Transfer Personal Data in any jurisdiction provided that such Processing complies with Data Protection Laws and Regulations. Each Party shall ensure that any Transfer it initiates will, where applicable, be subject to a lawful data transfer mechanism and/or appropriate onward transfer agreements that require that any further Transfers be conducted under a lawful data transfer mechanism.
   2. Transfers of Personal Data From the EEA, Switzerland or the United Kingdom. If Sovrn Transfers Personal Data subject to European Data Protection Laws to Company in a country whose laws have not been deemed by the European Commission or other applicable authority to provide an adequate level of protection for Personal Data, and such Transfer is not subject to an alternative adequate transfer mechanism or otherwise exempt from Transfer restrictions under European Data Protection Laws, Sovrn (as data exporter) and Customer (as data importer) agree that the SCCs will be incorporated herein by reference. . In furtherance of the foregoing, the Parties agree to the selections and addendum set forth at https://www.sovrn.com/legal/sovrn-exporter-scc/. The SCCs shall automatically terminate with respect to a given Transfer once the Transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such SCCs on any other basis.
10. CONFIDENTIALITY. The Parties agree to take steps to ensure that any person acting under their authority who has access to the Personal Data is subject to an appropriate confidentiality obligation.
11. LIMITATION OF LIABILITY. Each Party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to any limitation of liability as set forth in the Agreement and any reference to such limitation of liability of a Party means the aggregate liability of the Party under the Agreement and this DPA together. Additionally, each Party shall be independently liable for its own Processing of Personal Data to the extent such Processing does not comply with Data Protection Laws and Regulations.
12. APPLICABLE LAW AND JURISDICTION. This DPA is and remains governed by and shall be construed in accordance with the law designated as applicable in the Agreement, except to the extent required otherwise under the SCCs.
13. ORDER OF PRECEDENCE. Except as specifically set forth in this DPA, the terms and provisions of the underlying Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Agreement and the terms of this DPA, the terms and provisions of this DPA shall prevail with regard to data protection matters. In the event of a conflict between the terms of this DPA and the SCCs, the SCCs shall prevail.
14. MODIFICATION. Modifications to this DPA will be posted on the Legal Page of Sovrn’s website at https://www.sovrn.com/legal or Customer can subscribe to receive notifications of changes to this DPA by clicking on the RSS feed icon at the top of this page. Changes will not apply retroactively and become effective as of the Last Updated date of this DPA. If Customer does not agree to any terms in this Agreement, Customer must not use the Services. Customer’s continued use of the Services after the Last Updated date of this DPA constitutes Customer’s acceptance of and agreement to follow and be bound by such changes.
15. TERMINATION AND SURVIVAL. The Parties agree that this DPA is terminated upon the termination of the Agreement.
16. INVALIDITY AND SEVERABILITY. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
17. COUNTERPARTS. This DPA may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute the one agreement.

Revision Log

Section	Revision summary	Version
Throughout	Clarified definitions of the parties and underlying agreement; removed unused definition of and references to sensitive data; updated section numbering for readability	April 2024
Initial Online version	Independent Controller Data Processing Addendum (Sovrn as Data Exporter) posted online	Sept. 2023