DATA PROCESSING ADDENDUM

This Data Processing Addendum (the “DPA”) supplements and forms part of the Platform Services Agreement entered into between Scope3 and Customer (“PSA”). Capitalized terms not defined in context or in the attached Appendix 1 to this DPA will have the meaning provided to them in the PSA.

1. Data Processing and Protection

1.1. Roles

Customer may be using the Services to Process Personal Data on behalf of itself, in which case Scope3 will be a processor and Customer will be a controller under this DPA, or Customer may be using the Services to Process Personal Data as a processor on behalf of its customers, in which case Scope3 will be a sub-processor to Customer.

1.2. Use Limitations

Scope3 will not:

  • Process the Personal Data for any purpose other than as a processor on behalf of Customer for the specific purpose of performing the Services for Customer in accordance with this DPA;
  • Process the Personal Data for a commercial purpose other than as necessary to provide the Services to Customer;
  • “Sell” or “share” (each as defined by the CCPA) any Personal Data;
  • Process the Personal Data outside of the direct business relationship between Scope3 and Customer; or
  • Combine Personal Data with any other personal data or information it collects (directly or via any third party) other than as expressly permitted under Data Protection Law for processors.

1.3. Instructions

Scope3 will Process Personal Data only:

  • In a manner consistent with documented instructions from Customer, including with regard to transfers of Personal Data to a third country, which will include Processing as authorized or permitted under the PSA and this DPA; and
  • As required by Data Protection Law, provided that Scope3 will inform Customer (unless prohibited by such Data Protection Law) of the applicable legal requirement before Processing pursuant to such Data Protection Law.

1.4. Compliance

In connection with its Processing of any Personal Data, Scope3 will comply with all obligations applicable to it in its role as a processor under Data Protection Law and provide the same level of privacy protection as is required by Data Protection Law. Scope3 will notify Customer if Scope3 determines it can no longer meet its obligations under this DPA. Customer reserves the right, upon notice to Scope3, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

1.5. Confidentiality

Scope3 will ensure that persons authorized by Scope3 to Process any Personal Data are subject to appropriate confidentiality obligations.

1.6. Security

Scope3 will implement and maintain security measures designed to protect Personal Data against Personal Data Breach that meet or exceed requirements under Data Protection Law.

1.7. Return or Disposal

Scope3 will delete all Personal Data after the end of the provision of the Services (rather than return), and Scope3 will complete such deletion unless Data Protection Law requires the storage of such Personal Data.

2. Assistance

2.1. Data Subject’s Rights Assistance

If Customer does not have the ability to fulfill a data subject rights request as required by Data Protection Law itself through the Services without further assistance from Scope3, then Scope3 will provide commercially reasonable efforts to assist Customer in responding to such rights request.

2.2. Other Compliance Assistance

Taking into account the nature of Processing and the information available to Scope3, Scope3 will provide reasonable assistance to Customer as necessary under Data Protection Law to facilitate Customer’s compliance with requirements under Data Protection Law, including requirements related to data security, data protection assessments, and consultations with supervisory authorities.

2.3. Personal Data Breach Notice and Assistance

Scope3 will notify Customer without undue delay after becoming aware of a Personal Data Breach. Taking into account the nature of the Processing and the information available to Scope3, Scope3 will provide reasonable assistance to Customer as may be necessary to satisfy any notification obligations imposed under Data Protection Law as a result of any Personal Data Breach.

3. Audits

Scope3 may procure independent audits by third parties, on an annual or more frequent basis, to assess Scope3’s adherence to generally recognized audit standards and requirements, such as SOC 2 or other substantially equivalent certifications or standards. Customer may audit Scope3 by requesting a copy of such audit results and Scope3 will provide a copy upon request. Customer may also request to conduct an on-site audit of Scope3 only if any third-party audit results provided by Scope3 are not reasonably sufficient to demonstrate Scope3’s compliance with this DPA and Customer must conduct an on-site audit to satisfy its compliance obligations under Data Protection Law. Any such on-site audit will be at Customer’s expense and may only be conducted once per 12-month period by a nationally recognized independent third-party auditor that agrees to a reasonable non-disclosure agreement with Scope3. Further, any such on-site audit must:

  • Be tailored to what is reasonably necessary to verify Scope3’s compliance with this DPA,
  • Occur during Scope3’s normal business hours at a mutually agreed upon date and time,
  • Be conducted in a manner to avoid unreasonable interference with Scope3’s business activities, and
  • Be conducted in accordance with applicable on-site policies and procedures.

The audit results (including on-site audit results or copies of audit reports provided by Scope3) will be deemed Scope3’s confidential information. Customer will reimburse Scope3 for its reasonable costs and expenses incurred in connection with an on-site audit.

4. Subprocessors

Customer provides Scope3 with general authorization to use subprocessors to Process Personal Data in connection with the provision of the Services to Customer (each, a “Subprocessor”). Scope3 will only add or remove a Subprocessor after providing Customer with reasonable prior notice and an opportunity to object within 10 days. Scope3 will enter into a written contract with each Subprocessor imposing data protection obligations upon any Subprocessor that are no less protective than those included in this DPA. Scope3 will remain liable for any acts or omissions of its Subprocessors.

5. Data Transfers

Scope3 may Process the Personal Data in regions where Scope3 conducts its Services. Subject to Section 6, any Personal Data subject to the GDPR, UK GDPR, or the Swiss Federal Act on Data Protection (“FADP”) that is transferred to Scope3 in a third country not deemed adequate will be conducted pursuant to Module 2 or Module 3, depending on Customer’s role, of the standard contractual clauses for the transfer of Personal Data to processors in third countries according to Decision (EU) 2021/914 of the EU Commission of 4 June 2021 (the “Standard Contractual Clauses”) (the text of which is available at: Standard Contractual Clauses).

The Standard Contractual Clauses will be deemed executed by Scope3 and Customer and the following terms will apply:

  • If there is any conflict between this DPA or the PSA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail;
  • Customer will be referred to as the “Data Exporter” and Scope3 will be referred to as the “Data Importer” in the Standard Contractual Clauses;
  • Details in Attachment 1 of this DPA will be used to complete Annex I and III of the Standard Contractual Clauses;
  • Details in Section 1.6 will be used to complete Annex II of the Standard Contractual Clauses;
  • For the purposes of the Standard Contractual Clauses: (a) the Parties agree to retain Clause 7; (b) the Parties select option 2 in Clause 9 and agree on 10 days as the notice period for additions or replacements of new Subprocessors; (c) the optional language in Clause 11(a) is omitted; (d) the Parties select option 2 of Clause 17; and (e) for Clause 18(b), the Parties select the courts of the country of the data exporter’s competent supervisory authority to be determined in accordance with the GDPR.
  • In addition to the Standard Contractual Clauses, the Parties agree that any Personal Data subject to the UK GDPR that is transferred to Scope3 will be subject to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses Version B1.0, in force 21 March 2022 (the “UK Addendum”) (the text of which is available at: UK Addendum). The UK Addendum will be deemed executed by the Parties as of the effective date of this DPA, and the information in this DPA will be used to fill out the relevant sections of the UK Addendum.
  • The parties agree to complete the Standard Contractual Clauses as follows for Personal Data subject to the FADP that is transferred to Scope3: (i) the Parties agree to abide by the GDPR standard in relation to all Processing of Personal Data that is governed by the FADP; (ii) the term ‘Member State’ in the Standard Contractual Clauses will not be interpreted to exclude data subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the Standard Contractual Clauses; and (iii) references to the ‘GDPR’ and ‘Member State’ in the Standard Contractual Clauses will be understood as references to the FADP and Switzerland, respectively.

Attachment 1

Definitions; Description of Processing

1. Definitions

For purposes of this DPA, the following terms will have the following meanings:

  • 1.1. “Data Protection Law” means any and all privacy, security, and data protection laws and regulations that apply to the Personal Data Processed by Scope3 under the Agreement, in each case as amended, including the California Consumer Privacy Act of 2018, as amended, and the regulations promulgated thereunder (“CCPA”).
  • 1.2. “GDPR” means (a) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and (b) such law as incorporated into United Kingdom law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 (“UK GDPR”) (each as amended, superseded, or replaced).
  • 1.3. “Personal Data” means any data Processed by Scope3 in connection with the Services (excluding information about business contacts or other authorized users of Customer) that is deemed “personal data” or “personal information” (or other analogous variations of such terms) under Data Protection Law.
  • 1.4. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
  • 1.5. “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • 1.6. “Services” means the applicable platform and services of Scope3, as further described in the PSA.
  • 1.7. As used in this DPA, the terms “processor” and “controller” (or analogous variations of such terms, such as “service provider” and “business” as used in the CCPA) will have the meaning provided under Data Protection Law.

2. Description of Processing

  • 2.1. Subject-Matter and Duration of Processing: Scope3 Processes Personal Data for the subject-matter specified under the PSA and until the PSA terminates or expires, unless otherwise agreed upon by the parties in writing.
  • 2.2. Nature and Purpose of Processing: Scope3 Processes Personal Data to provide the Services to Customer, as further described in the PSA.
  • 2.3. Types of Personal Data: the following data, if and to the extent Processed by the Services and deemed Personal Data under Data Protection Law:
    • Data collected about viewers of advertisements and media, such as IP address and browser type and version.
    • Other data that Customer provides to the Services and Platform about consumers.
  • 2.4. Categories of Data Subjects: current and prospective customers and end users.
  • 2.5. Frequency of Transfer: Ongoing basis.
  • 2.6. Competent Supervisory Authority: The data exporter’s competent supervisory authority to be determined in accordance with the GDPR, except that: (a) the Swiss Federal Data Protection and Information Commission will act as the competent supervisory authority for transferred Personal Data subject to the FADP; and (b) the Information Commissioner’s Office will be the competent supervisory authority for transferred Personal Data subject to the UK GDPR.