
Data Processing Addendum

This Data Processing Addendum (the “DPA”) forms part of, and is subject to, the Main Services Agreement (the “MSA”) between iSpot.tv, Inc. (“iSpot”) and Company (as defined in the MSA) pursuant to which iSpot may provide certain services or owes certain obligations to Company (collectively, the “Services”). iSpot and Company shall be collectively referred to as the “Parties” and individually as a “Party”. All capitalized terms not defined in this DPA shall have the meanings set forth in the MSA.

  1. DEFINITIONS

    CCPA means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. and its regulations, as may be amended, superseded or replaced from time to time. Words and phrases with defined meanings in the CCPA have the same meanings when used in this DPA unless they are otherwise defined herein or by the MSA.

    Controller means an entity that determines the purposes and means of the Processing of Personal Data and includes, as applicable, “business” as that term is defined in the CCPA.

    Data Privacy Laws means all state, local or federal data protection and privacy laws and regulations enacted in the United States of America applicable to the respective party in its role in the Processing of Personal Data under the MSA, including, as applicable, the CCPA.

    Data Security Incident means a confirmed, unauthorized access or acquisition of Company’s Personal Data in iSpot’s possession.

    Data Subject means the identified or identifiable natural person to whom the Personal Data relates.

    Notification Related Costs means Company’s reasonable internal and external costs associated with investigating, addressing and responding to a Data Security Incident.

    Personal Data means any Company Data relating to an identified or identifiable natural person and includes similarly defined terms in Data Privacy Laws including, as applicable, “personal information” as that term is defined in the CCPA.

    Process and its derivatives means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or dissemination.

    Processor means an entity that Processes Personal Data on behalf of a Controller and includes, as applicable, “service provider” as that term is defined in the CCPA.

    Sub-Processor means any other Processor engaged by iSpot to Process Personal Data.

  2. Scope and Applicability of this DPA. This DPA applies wherever and only to the extent that iSpot Processes Personal Data on behalf of Company as a Processor in the course of providing the Service.

  3. OBLIGATIONS

    1. The Parties will comply with the Data Privacy Laws in connection with this DPA, will provide the same level of privacy protection as is required by Data Protection Laws, and will not cause either party to breach any of its obligations under Data Privacy Laws.

    2. iSpot shall process Personal Data only as a Processor (or sub-processor) acting on behalf of Company in connection with the MSA and this DPA.

    3. iSpot will, or iSpot will procure that the Sub-Processor will:

      1. Process Personal Data only on behalf of Company and only for the purposes of (i) performing the Services, (ii) as required by Data Privacy Laws, and (iii) in accordance with instructions contained in the MSA or this DPA or as otherwise provided by Company;

      2. ensure that all persons with access to Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

      3. notify Company (unless prohibited by applicable law) if it is required to Process Personal Data other than pursuant to Company’s instructions; and

      4. notify Company within a commercially reasonable time, upon becoming aware, if in iSpot’s reasonable opinion, any instructions provided by Company infringe Data Privacy Laws.

    4. Company agrees it has obtained all consents, permissions and/or rights necessary for iSpot to lawfully Process Personal Data.

    5. iSpot acknowledges and agrees that Company discloses Personal Data to iSpot solely (i) for a valid business purpose; and (ii) to allow iSpot to perform the Services as permitted in the MSA.

    6. iSpot shall not: (i) sell or share (as defined in the CCPA) Personal Data; (ii) retain, use, or disclose Personal Data for any purpose other than pursuant to this DPA; (iii) retain, use, or disclose Personal Data for a commercial purpose other than pursuant to this DPA; (iv) combine the Personal Data that iSpot receives from, or on behalf of, Company with Personal Data that iSpot receives from, or on behalf of, another person or persons, or collects from its own interaction with a consumer, except as permitted under the CCPA; or (v) retain, use, or disclose Personal Data outside of the direct business relationship between iSpot and Company.

  4. Assistance

    1. Taking into account the nature of the Processing and insofar as is possible, iSpot will assist Company with the fulfilment of its obligation to respond to requests under Data Privacy Laws.

    2. No more than once every 12 months, iSpot will permit Company to monitor iSpot’s compliance with this DPA through written questionnaires and assessments. Company is entitled to additional and reasonable questionnaires and written assessments if it reasonably believes a Data Security Assessment has occurred.

  5. Sub-Processors

    1. Company provides iSpot with a general authorization to engage Sub-Processors, pursuant to Section 5.3. iSpot will make available to Company a list of its Sub-Processors and provide Company with a mechanism to obtain notice of any updates to the Sub-Processor List.

    2. iSpot will enter into a written contract with each Sub-Processor which imposes on such Sub-Processor terms no less protective of Personal Data than those imposed on iSpot in this DPA. iSpot shall remain liable for Sub-Processor’s compliance with the obligations under this DPA.

    3. iSpot will provide notice to Company within 30 days prior to authorizing any new Sub-Processor to Process Personal Data (“Objection Period”). iSpot will consider Company’s reasonable objections to a new Sub-Processor provided that Company provides written notice of the objection to iSpot during the Objection Period. The Parties will discuss any objections in good faith with a view to achieving resolution. If it can be demonstrated that the new Sub-Processor is unable to Process Personal Data in compliance with the terms of the DPA and iSpot cannot provide an alternative Sub-Processor, Company, as its sole and exclusive remedy, may terminate the Service(s) with respect to only those aspects which cannot be provided by iSpot without the use of the new Sub-Processor by providing iSpot with advance written notice of such termination. iSpot will refund Company any prepaid unused fees of such Service(s) following the effective date of termination.

  6. Technical and Organizational Security Measures

    1. iSpot will implement and maintain appropriate technical and organizational measures designed to protect Personal Data from Security Incidents and to preserve the security, confidentiality, integrity, and availability of Personal Data.

    2. iSpot will have no obligation to assess the contents or accuracy of Personal Data, including to identify information subject to any specific legal, regulatory or other requirement.

    3. Company acknowledges and agrees that the Services are intended to be used only in the United States.

  7. Security Incident Response

    iSpot shall inform Company in writing of any confirmed Data Security Incident involving Personal Data in the possession, custody or control of iSpot or its Sub-Processors, no later than 24 hours after confirmation of the unauthorized access or acquisition of Company’s Personal Data in iSpot’s possession. Such notice shall summarize in reasonable detail the effect on Company, if known, of the Data Security Incident and the corrective action taken or to be taken by iSpot. iSpot shall (i) investigate such Data Security Incident and perform a root cause analysis thereon; (ii) remediate the effects of such Data Security Incident while preserving relevant forensic evidence; and (iii) provide Company with such assurances as Company shall request that such Data Security Incident is not likely to recur. The content of any filings, communications, notices, press releases or reports (“Incident Communications”) related to any Data Security Incident must be approved by Company prior to any publication or communication thereof unless prohibited by law. For clarity, such approval shall be limited to the content which relates to Company’s Personal Data only and not to any general Incident Communications. iSpot shall reimburse Company on demand for all Notification Related Costs incurred by Company arising out of or in connection with any such Data Security Incident.

  8. Relationship with the MSA

    1. In the event of any inconsistency between the terms of this Addendum and the terms of the Agreement, the terms of this Addendum shall govern and control.

    2. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the MSA.

    3. Upon termination of this DPA, iSpot will return or delete all Personal Data in accordance with the relevant provisions in the MSA.


Personal Data Processing Purposes and Details

Data exporter: Customer.
Contact details: As set out in the Agreement.
Activities relevant to the data transferred under these Clauses: Use of iSpot’s cloud applications.
Signature and date: By entering into the Agreement, data exporter is deemed to have signed these Standard Contractual Clauses incorporated herein as of the effective date of the Agreement.
Role: The data exporter’s role is set forth in the DPA.

Data Importer: iSpot.tv, Inc.
Address: 15831 NE 8th St, Suite 200, Bellevue, WA 98008
Contact person’s name, position and contact details: iSpot Legal and Privacy Team, legal-privacy@ispot.tv
Activities relevant to the data transferred under these Clauses: Provide and support enterprise cloud applications, including audit and risk management.
Signature and date: By entering into the Agreement, data importer is deemed to have signed these Standard Contractual Clauses incorporated herein as of the effective date of the Agreement.
Role (controller/processor): Processor

Business Purposes/Nature of Processing: The nature and purposes of the processing is the collection, storage, duplication, deletion, and disclosure of Personal Data pursuant to providing the Services to Company.

Personal Information Categories: Depending on the Service purchased may include: Name and contact information (including work address, work telephone numbers, mobile telephone numbers, web address, IP addresses, work email address); business title; company; IP addresses.

Data Subject Types: Employees or contact persons of Company.

Sensitive data transferred: None.

Frequency of Transfer: Continuous.

Processing Duration: Duration of the Agreement or to the extent required by law.

Approved Sub-Processors: Amazon Web Services, Snowflake and Flexential (only used for ACE products)

Countries where the Service Provider may receive, access, transfer or store Personal Information: United States