Data Processing Addendum
This Tapjoy Data Processing Addendum (“Tapjoy DPA”), effective May 25, 2018, is incorporated into and part of the agreement between Tapjoy, Inc. (“Tapjoy”) and you (“you”, and “Advertiser” or “Publisher” as applicable) relating to your use of Tapjoy’s Advertising Service, Publisher Services, or both (such services collectively, the “Tapjoy Services”, and the agreements applicable to you (“Advertising Agreement” and/or “Publisher Agreement”, as applicable, and collectively, your “Tapjoy Agreements”), available at http://www.tapjoy.com/legal.
If and to the extent you provide Tapjoy with personal data originating in the EEA or Switzerland, you and Tapjoy agree that this DPA governs our respective collection, transfer, and processing of personal data in the course of our provision and your use of our Services.
- Definitions. The terms in this Addendum, whether capitalized or not, have the meanings set forth below; terms not defined here have the definition set forth in your applicable Tapjoy Agreement.
- “Advertising Service” means mobile in-app advertising services provided by Tapjoy pursuant to one or more insertion orders executed under your Advertising Agreement.
- “Advertising Service Data” means personal data provided by you to Tapjoy used solely for your benefit in connection with your use of the Advertising Service.
- “Applicable Data Protection Laws” means all applicable international, federal, national and state privacy and data protection laws that apply to the processing of Personal Data covered by this Tapjoy DPA, including but not limited to the laws and regulations of the EU applicable to the processing of personal data, in particular: (i) the EU Data Protection Directive (Directive 95/46/EC) through 25 May 2018; and (ii) from 25 May 2018 onward, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); and (iii) the EU e-Privacy Directive (Directive 2002/58/EC), and if enacted, the EU e-Privacy Regulation from its effective date forward; and (iv) any national data protection laws made under or pursuant to (i), (ii) or (iii).
- “Controller” means the entity that determines the purposes and means of the processing of personal data.
- “EEA” means the European Economic Area.
- “Model Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en, specifically (a) for transfer of Publisher Monetization Data, the Controller to Controller Standard Contractual Clauses 2004 (Set II) (Commission Decision 2004/915/EC); and (b) for transfer of Advertising Service Data and Publisher Service Data, the Controller to Processor Standard Contractual Clauses 2010 (Commission Decision 2010/87/EU).
- “Personal Data” means information relating to an identified or identifiable person (data subject) processed pursuant to the Agreement and as to which one or both of us is a Data Controller.
- “Privacy Shield” means the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce.
- “Processor” means an entity that processes personal data on behalf of a controller.
- “Processing” has the meaning set forth under the GDPR.
- “Publisher Monetization Data” means personal data provided, via the Tapjoy SDK as integrated in your mobile application, for use in connection with use of Tapjoy’s Publisher Monetization Services, including mobile device identifiers and IP addresses of data subjects who are end users of your mobile application.
- “Publisher Service Data” means personal data provided by you to Tapjoy used solely for your benefit in connection with your use of Tapjoy’s Publisher Services other than Monetization.
- “Publisher Services” means the Tapjoy publisher services used by you pursuant to your Publisher Agreement, which may include Monetization Services, Analytics Services, and Virtual Currency Management Services, each as defined in Tapjoy’s publisher Terms of Service (https://www.tapjoy.com/legal/#Terms-of-service-publishers).
- “Security Incident” means any destruction, loss, alteration, or unauthorised disclosure of personal data processed for you by Tapjoy as a processor, arising due to unlawful or unauthorized access to your personal data within storage managed by us.
- “Transfer” means the access by, transfer or delivery to, or disclosure of personal data to a person, entity or system located in a country or jurisdiction other than the country or jurisdiction where the personal data originated from.
- Purpose and Details of Processing
- Respective Roles. You and Tapjoy agree that each of us will process and transfer personal data only for the purposes described in your Tapjoy Agreement(s) and this Tapjoy DPA, or as otherwise agreed in writing between us. Each of us acknowledges and agrees as follows:
- Advertising Service. You, as Controller, appoint Tapjoy as Processor to process Advertising Service Data in connection with the Advertising Service pursuant to your Advertising Agreement and in accordance with this Tapjoy DPA.
- Publisher Monetization Service. You, as Controller, acknowledge that you and Tapjoy each serve as an independent Controller with respect to Publisher Monetization Data provided under your Publisher Agreement.
- Other Publisher Services. You, as Controller, appoint Tapjoy as Processor to process Publisher Service Data pursuant to your Publisher Agreement and in accordance with this Tapjoy DPA.
- No Special Category Data. Neither you nor Tapjoy shall transfer, provide each other, or have responsibility for processing special categories of personal data, as referenced in Article 9 of the GDPR.
- Obligations As Controllers
- Compliance with Obligations. You and Tapjoy each agree, when acting as a Controller of personal data, to comply with all applicable laws, including Applicable Data Protection Laws, in your use and our provision of the Tapjoy Services, including fulfillment of all duties required of Controllers under Applicable Data Protection Laws. Each of us will implement and maintain security measures to protect personal data from any Security Incident, including all measures required pursuant to Article 32 of the GDPR.
- Data Subject Requests. Each of us, when we act as a Controller, has the sole and independent obligation (as between the parties) to receive and manage data subject requests regarding our respective personal data, including without limitation any request to access, correct, amend, restrict processing of, port, object to the Processing of, block or delete personal data. If applicable, and to the extent legally permitted, each of us will provide the other with reasonable cooperation and assistance in relation to handling of a data subject’s request.
- Third-Party Requests. If applicable, and to the extent legally permitted, each of us will provide the other upon request with reasonable cooperation and assistance in relation to any correspondence, inquiry, or complaint received from a regulator, individual, supervisory authority, court, or other third party.
- Appointing Processors. Where you and Tapjoy are independent Controllers, each party may appoint third party Data Processors to Process personal data for the purposes set forth in this Tapjoy DPA and your Publisher Agreement, provided that such Data Processors (i) agree in writing to Process Personal Data in accordance with the Publisher Agreement (and any other contractual agreements between the parties); (ii) implement appropriate technical and organisational security measures to protect Personal Data subject to the Publisher Agreement against a Security Incident, in compliance with the standards required by this Tapjoy DPA; and (iii) otherwise provide sufficient guarantees that they will process the Personal Data in a manner that will meet the requirements of Applicable Data Protection Laws, including all requirements under GDPR Article 28.
- International Transfer Obligations.
- European Data. Each of us agrees that personal data originating in the EEA or Switzerland, or other countries or jurisdictions recognizing the GDPR or EU Directive 95/46/EC (such locations collectively, the “Covered Areas” and such data, “European Data”) shall not be transferred to a jurisdiction outside the Covered Areas unless the transfer is subject to an Approved Transfer Mechanism, meaning that (i) the recipient is located in the EEA or Switzerland, or another country that the European Commission or Swiss Federal Data Protection Authority (as applicable) has decided provides adequate protection for personal data, or (ii) the recipient (a) receives the European Data pursuant to a binding corporate rules authorization in accordance with Applicable Data Protection Laws; or (b) has executed Model Clauses with the Covered Area-based exporter of the personal data; or (c) is located in the United States and has certified compliance to the EU-US or Swiss-US Privacy Shield (as applicable); or (d) transfers the data pursuant to another approved transfer mechanism.
- Model Clauses. You hereby agree to and hereby enter into the Model Clauses applicable to you, the terms of which are hereby incorporated by reference into and form part of this Agreement. For the purposes of the Model Clauses, you are the data exporter, and Tapjoy, Inc. is the data importer.
- Controller to Controller Model Clauses – Details: For the purposes of clause II(h): We select option (iii) and agree to be governed by and comply with the data processing principles set out in Annex A of the Controller-to-Controller Model Clauses. For the purpose of Annex B: (i) the data subjects are end users of the mobile applications in which you use Tapjoy Monetization Services; (ii) the purpose of the transfer is to permit use of the data in accordance with your Publisher Agreement; (iii) the data transferred is as described in this DPA and your Publisher Agreement; (iv) the recipient of the personal data is Tapjoy, Inc.; (v) no sensitive data is or shall be transferred; (vi) there is no applicable data registration information; (vii) there is no additional useful information; and (viii) the contact points for data protection queries are your and our usual contacts under your Publisher Agreement.
- Controller to Processor Model Clauses – Details: For the purpose of Appendix 1: (i) the data subjects are, for Advertisers, current or potential customers for your products or services advertised through Tapjoy’s Advertising Service; for Publishers, end users of your mobile applications; and for both Advertisers and Publishers, the individuals (employees, agents or representatives) responsible for your use of Tapjoy Services; (ii) the data transferred is as described in this DPA and your Tapjoy Agreement(s); (iii) no special categories of data are or shall be transferred; and (iv) the personal data transferred will be processed in connection with our provision of Services to you under your Tapjoy Agreements. For the purpose of Appendix 2: Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data provided by data exporter as described in Attachment 1 to the Tapjoy DPA between data exporter and data importer; data importer will not materially decrease the overall security of the Tapjoy Services while your Tapjoy Agreement is in effect.
- Order of precedence: In the event the terms of the applicable Model Clauses conflict with other terms of your Tapjoy Agreements, the Model Clauses will control.
- Privacy Shield. You understand that Tapjoy is headquartered in the United States of America. Tapjoy represents that it is Privacy Shield certified. Accordingly, where applicable, you agree that Tapjoy may lawfully receive and process European Data in the United States of America for as long as we maintain a valid and up-to-date certification. If more than one Approved Transfer Mechanism applies, the transfer shall be governed first by Tapjoy’s Privacy Shield self-certification where applicable, and second, by the Model Clauses.
- Future Requirements. You and Tapjoy agree to work together as commercially reasonable to allow each other to apply for and obtain any permit, authorization or consent that may be required under future Applicable Data Protection Laws or policies.
- Your Data Subject Consent Obligations
- You acknowledge that we use mobile device identifier and IP address data to provide the Tapjoy Services; accordingly, for personal data provided under this Tapjoy DPA as to which you are Controller, you represent that you have implemented notice and consent mechanisms sufficient to ensure that any data subject consent is freely given, informed, specific and unambiguous, and (for Publisher Monetization Data) covers use for audience segmentation and targeting in connection with online behavioral advertising.
- You and Tapjoy will each honor mobile opt-out signals. You will not provide Tapjoy with personal data from any device that has opted out through device settings (“Opt-Outs”) unless you also provide any accompanying opt-out signal. Tapjoy will not knowingly collect or use personal data from any Opt-Outs for purposes of online behavioral advertising.
- You agree to provide Tapjoy, on request, with documentation explaining your consent processes or mechanisms for obtaining consent from data subjects with respect to Publisher Monetization Data.
- You and Tapjoy each agree to use and honor any applicable OpenRTB specifications that pass any signal regarding COPPA flagging, GDPR consent or Opt-Outs.
- If and to the extent that we, in our sole discretion, opt to provide you with a notice or consent mechanism or template (e.g., a privacy notice and consent screen or interstitial enabled via Tapjoy’s SDK) (“SDK Tool”), you acknowledge that the decision of whether to implement it is at your discretion. You understand and agree that any such SDK Tool is provided solely on an “As Is” basis, and that you should not rely on it or our provision of it as legal advice; as between you and Tapjoy, you are solely liable for the nature and sufficiency of your compliance with data subject consent obligations.
- Tapjoy Obligations As Processor. Tapjoy, when acting as your Processor, agrees as follows:
- Data Subject Requests. We will, to the extent legally permitted, promptly notify you if we receive a request from a data subject wishing to exercise rights under Applicable Data Protection Law (including rights of access, correction, objection, erasure and data portability, as applicable) in connection with our processing of personal data processed for you, or any other correspondence, enquiry or complaint from an individual, regulator, court or other third party in connection with our processing of personal data for you. Taking into account the nature of the processing and the request, we will assist you insofar as possible in fulfilment of your obligation to respond to the data subject request under Applicable Data Protection Laws. At your request, to the extent you do not have the ability to fulfill the data subject request, we will provide commercially reasonable efforts to help you in responding, to the extent we are legally permitted to do so and the response is required under Applicable Data Protection Laws and Regulations.
- Confidentiality and Security. We agree to maintain the confidentiality of personal data that we process for you, in accordance with the confidentiality provisions of your Tapjoy Agreements. We require our personnel involved in the processing of personal data for you to have executed written confidentiality agreements that survive the termination of their work for us, and we limit access to personal data processed by us for you to those personnel with a business need to know, in accordance with your Tapjoy Agreements. Upon request, we will provide you with a copy of our written privacy and information security policies and procedures. Upon determining that a Security Incident has occurred affecting personal data, Tapjoy will promptly notify you, take reasonable steps to mitigate any effects and damage from the Security Incident, and will provide you with timely information and cooperation as reasonably requested by you for you to fulfill your own Security Incident reporting obligations pursuant to Applicable Data Protection Laws. You agree that an attempted security breach, meaning an event which does not result in unauthorized access to your personal data or to our equipment or facilities storing your personal data, does not give rise to any obligations on our part to you, and that our compliance with this paragraph shall not be deemed an acknowledgement of fault or liability on our part in connection with any actual or attempted Security Incident.
- Treatment at Termination. Upon termination or expiration of the Tapjoy Agreements under which Tapjoy is a Processor for you, Tapjoy will at your request destroy or anonymize all associated personal data, including copies and personal data held by sub-Processors, except that Tapjoy may retain certain personal data for its legal, accounting and auditing purposes.
- Audit. Subject to the confidentiality provisions of the Tapjoy Agreement(s), Tapjoy grants you, through reasonably acceptable third-party auditors, the right to audit, at your expense, our compliance with our obligations as your processor under this Addendum, including provision of access to information, systems and staff necessary for the conduct of the audit. Your audit right is conditioned upon your providing reasonable prior notice of your intention to audit, the audit taking place during normal business hours, and your auditors taking all reasonable measures to prevent unnecessary disruption to our operations. This audit right may be exercised up to once per year, except to the extent (i) when sooner required by instruction of a competent data protection authority; or (ii) you reasonably believe a further audit is necessary due to a Security Incident affecting us.
- Sub-Processors. As your Processor, Tapjoy will not subcontract any processing of personal data to a third party sub-Processor without your prior written consent. Notwithstanding the foregoing, you consent to Tapjoy’s engaging of third-party sub-Processors to process personal data provided that: (i) Tapjoy provides you, upon request, with a list of our then-current sub-Processors; (ii) Tapjoy provides at least fourteen (14) days’ notice of the addition or removal of any sub-Processor (including details of the processing to be performed), whether by direct email, updating a publicly posted list of our sub-processors, or otherwise as generally communicated to our Advertisers and Publishers; (iii) Tapjoy requires its sub-Processors to abide by data protection terms as protective as the terms of this Tapjoy DPA; and (iv) Tapjoy remains fully liable for breach of this Tapjoy DPA caused by its sub-Processor’s act, error or omission. If you reasonably refuse, for reasons related to the protection of personal data, to consent to our appointment of a third party sub-Processor, then we will either not appoint the sub-Processor or you may opt to terminate this Tapjoy DPA and cease your use of our Services.
- Each party (the “Indemnifying Party”) shall indemnify and hold harmless the other, including its officers, directors, employees, contractors, and agents (the “Indemnified Party”) from and against all claims, losses, costs, liabilities, damages, and expenses, including reasonable attorneys’ fees (“Claims”) brought by data subjects, supervisory authorities under the Applicable Data Protection Laws, or other third parties, suffered or incurred by the Indemnified Party to the extent arising from the Indemnifying Party’s breach of this Tapjoy DPA.
- Indemnification under this Section is conditioned upon (i) the Indemnified Party providing the Indemnifying Party (x) prompt notice of any circumstances of which it is aware that give rise to an indemnity claim under this Tapjoy DPA and (y) reasonable cooperation as to such claim, including provision of all relevant materials to it; (ii) the Indemnified Party taking reasonable steps and actions to mitigate any ongoing Damage it may suffer as a consequence of the Indemnifying Party’s breach.
- The Indemnifying Party reserves the right, at its expense, to assume the exclusive defense and control of any matter for which it is required to indemnify the Indemnified Party, and the Indemnified Party shall have the right to participate with counsel of its own choosing at its own expense. The Indemnifying Party will not enter into any settlement of any claim without the prior written consent of the Indemnified Party, such consent not to be unreasonably withheld or conditioned.
- Limitation of Liability.
- Each of our respective liability, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of your applicable Tapjoy Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and its affiliates under the Tapjoy Agreement including this Tapjoy DPA together; for the avoidance of doubt, each reference to this Tapjoy DPA includes all applicable Attachments and Appendices.
- Nothing in this Tapjoy DPA shall confer any benefits or rights on any person or entity other than the parties to this Tapjoy DPA; the foregoing shall not limit third-party beneficiary provisions of the Model Clauses.
- Except as modified by this Addendum, your Tapjoy Agreement(s) remains in full force and effect; in the event of conflict between your Tapjoy Agreement and this Addendum, this Addendum will control.
- Tapjoy and you mutually represent and warrant that we each, respectively, have the right, power, and authority (a) to enter into this Tapjoy DPA, (b) to make the representations and warranties contained herein, and (c) to perform our respective duties, obligations and covenants set forth in this Tapjoy DPA.
- This Tapjoy DPA is co-terminous with your Tapjoy Agreements, terminating automatically with your last Tapjoy Agreement. Sections 7(c), 8, 9, and this section survive termination. Without prejudice to remedies set forth elsewhere in this DPA or in your Tapjoy Agreements, if either of us breaches this Tapjoy DPA, the other is entitled to terminate the Tapjoy Agreement in its sole discretion effective upon written notice; such termination shall be without any extra costs or expenses, and without effect on any payments then due and owing.
Effective Date: May 25, 2018
Tapjoy Security Measures
Tapjoy Facilities Access Control
To protect access to physical premises, systems, and networks, Tapjoy’s industry-standard security measures include radio frequency identification (RFID) door lock schedules, single employee badges, and on-site security personnel.
Tapjoy Systems Access Control
To protect Tapjoy’s online systems, Tapjoy requires complex passwords (upper case, lower case, numerical, symbol characters) and enforces a Last-4 password rotation with lockout after failed attempts, as well as single sign-on (SSO) with multi-factor authentication. Suspicious activity, user accounts, and permissions are reviewed quarterly and audited annually. Tapjoy’s critical system access control policy for dashboard, engineering back-end production systems, and financial systems provides that all access must be approved by a vice-president or higher. Access requests are captured for audit trail, and access levels are audited and re-approved annually.
Tapjoy Network and Data
To protect Tapjoy’s network, Tapjoy employs full disk encryption on laptops and mobile accounts mastered by an Active Directory (AD) or Lightweight Directory Access Protocol (LDAP). All Tapjoy code and technological infrastructure are protected by multifactor authentication. The Tapjoy Dashboard is controlled via role assignments and audited via login list files for access control; internal user access is controlled by SSO. Changes or additions to a role or its accessibility require Vice President approval.
Tapjoy Storage and Transfer Control
Collected personal data is encrypted at rest, across the Tapjoy infrastructure. Use of SSL is required for external traffic. Whenever possible, data is anonymized or pseudonymized. Advertiser payment information is never accepted or processed directly, as Tapjoy uses PCI-compliant third parties to provide this service.
Tapjoy Job Control
To segregate the responsibilities between controller and processor, Tapjoy puts in place a contract with specific language and monitored performance between Advertiser, as data controller/exporter, and Tapjoy, as data processor/importer.
Tapjoy Availability Control
To protect data against accidental destruction or loss, Tapjoy implements appropriate backup procedures, remote storage, and antivirus/firewall systems, as well as a disaster recovery protocol.
Tapjoy Input Control
Tapjoy implements logging and reporting systems to maintain full documentation for data management and maintenance.