DATA PROCESSING ADDENDUM

a. In this DPA, capitalized terms shall have the meanings set out in Exhibit 1 (Definitions and Details of Processing). In the event that any terms of this DPA and its appendices are inconsistent with any other terms of the Agreement, the Parties intend for the terms of this DPA and the Agreement to be construed in the manner that permits Xsolla to fulfill its obligations under Applicable Data Protection Law.

a. With respect to Personal Information Processed by Xsolla in connection with the Services or otherwise in the possession or control of Xsolla:

I.     as between Xsolla and Advertiser, Xsolla (together with any permitted assignee and/or subcontractor, subject to and as permitted under this DPA) will be a Data Processor; and
II.     Advertiser will be a Data Controller.

b. Xsolla shall not sell, rent, lease, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Information to another business, person, or third party for monetary or other valuable consideration. Xsolla shall not collect, retain, use or disclose Personal Information for any purpose other than the specific purpose of performing the Services specified in the Agreement or pursuant to the directions of Advertiser, or outside of the direct business relationship between Xsolla and Advertiser. Xsolla shall not disclose Personal Information to another business, person, or a third party, except for the purpose of performing Services specified in the Agreement, or to the extent such disclosure is required by Applicable Data Protection Law. Xsolla may disclose Personal Information required by Applicable Data Protection Law only after (i) notifying Advertiser of the legal requirement prior to disclosing any such Personal Information; and (ii) taking steps to ensure that only the information that is legally required is disclosed. Xsolla certifies that it understands and will comply with the restrictions of this section.

c. The extent and type of Personal Information to be Processed by Xsolla, and the categories of Data Subjects are set out in Exhibit 1. The details of the Personal Information listed in Exhibit 1 may also be restricted in certain territories on a case-by-case basis subject to the requirements of Applicable Data Protection Law and/or the directive of Advertiser.

d. Xsolla will only Process Personal Information pursuant to written instructions from Advertiser. Xsolla will not deviate from Advertiser’s directives, unless Advertiser has agreed to such deviation in advance and in writing.

e. Xsolla will, at no additional cost, assist Advertiser to:

I.     comply with obligations to inform individuals about the collection, Processing or use of Personal Information;

II.     immediately notify Advertiser of any notices, requests for information or orders from data protection authorities and work at the direction of Advertiser to promptly provide the information required by Advertiser to respond to notices, requests for information, or orders from data protection authorities received by Xsolla or Advertiser;

III.     immediately inform Advertiser if, in Xsolla’s opinion, a direction or instruction from Advertiser infringes Applicable Data Protection Law; and

IV.     immediately notify Advertiser of any data subject requests for information, access, rectification, erasure, restriction, portability, objection, do not sell, deletion, and any other similar requests (each, a “Data Subject Request”) that it receives, without responding to the individual except to acknowledge receipt of the Data Subject Request.

f. Xsolla shall maintain complete and accurate records in connection with Advertiser’s Data Subject Requests. Xsolla shall provide access to Advertiser at all reasonable times to the records relating to Advertiser’s Data Subject Requests.

g. Xsolla will implement and maintain technical and organizational security measures to adequately protect Advertiser’s Personal Information against the risks inherent in the Processing of Personal Information for the purposes identified in the Agreement, and risks from unauthorized or unlawful Processing and destruction, damage, misuse and loss. Xsolla will implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information it Processes.

h. Xsolla will ensure that each of its personnel:

I.     have undertaken to comply with confidentiality obligations in respect of such Personal Information, which confidentiality obligations will continue after the termination of the Agreement; and

II.     are aware of the procedures that Xsolla has put in place and receive appropriate training on data protection and security.

i. Xsolla shall assist Advertiser in response to any requests from data protection authorities relating to the Processing of Personal Information in connection with the Agreement. In the event that any such request is made directly to Xsolla, Xsolla shall not respond to such communication directly without Advertiser’s prior written authorization, unless legally compelled to do so. If Xsolla is required to respond to such a request, Xsolla shall promptly notify Advertiser and provide it with a copy of the request unless legally prohibited from doing so.

j. Xsolla will promptly and without undue delay and in any case no later than forty-eight (48) hours of becoming aware, inform Advertiser, at an email address known to Xsolla, provided by Advertiser itself, or retrieved from public sources, such as the Advertiser's website, in the event of: (i) any serious interruption of Xsolla’s Processing operations; (ii) any unauthorized acquisition, loss, access, or use of Personal Information; or (iii) any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosures of, or access to, Personal Information (altogether, a “Security Incident”), or any reasonable suspicion of a Security Incident, regardless of its cause. At Advertiser’s direction, Xsolla will provide all information and assistance required by Advertiser to investigate, mitigate and respond to a Security Incident, including at a minimum, any information or assistance required by Applicable Data Protection Laws. If Xsolla subcontracts or assigns any of Xsolla’s obligations pursuant to this DPA to a third party, Xsolla will (a) in each case first ensure that each and every such subcontractor, partner or assignee (as the case may be) has undertaken in signed writing to comply with obligations no less protective than the obligations undertaken by Xsolla in this DPA; (b) perform appropriate due diligence to ensure that all subcontractors, partners and assignees can meet all of Xsolla’s obligations in the Agreement, including all requirements related to features, functionality and assistance necessary for Data Subject Requests; and (c) remain fully liable for the performance of each subcontractor and/or assignee.

k. Advertiser authorizes Xsolla to engage the subprocessors to process Personal Information, subject to the terms set forth above. Xsolla retains the right to select subprocessors at its discretion, in accordance with its internal processes. Upon the Advertiser’s request, Xsolla shall provide a list of subprocessors engaged to process Personal Information related to this Agreement.

a. Xsolla shall, in Processing Personal Information, comply with all Applicable Data Protection Law.

b. Where Xsolla Processes Personal Information from a Restricted Country outside the European Union, European Economic Area, or a country in respect of which a valid Adequacy Decision has been issued by the European Commission or adequacy otherwise determined in another valid method under Applicable Data Protection Law, then Xsolla shall comply with the obligations of a data importer as set out in the Standard Contractual Clauses adopted by the Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (the “Standard Contractual Clauses”) and incorporated herein by reference. The Parties use Module Two “Transfer controller to processor” and applicable for this module terms of the Standard Contractual Clauses. Xsolla acknowledges that Advertiser will be a data exporter. In particular, and without limiting the above obligations:

I.     Xsolla agrees that its obligations under the Standard Contractual Clauses shall be governed by the law(s) of the Member State with the greatest number of European Union Data Subjects; and

II.     details of the appendices applicable to the Standard Contractual Clauses are set out in Exhibit 1 to this DPA.

c. Xsolla will provide all other reasonable assistance and execute such agreements as may be necessary to legitimize any Processing or data transfer of Personal Information to Xsolla or a subcontractor/assignee and to ensure an adequate level of protection for Personal Information. In the event that any competent authority holds that a data transfer mechanism relied on by the Parties is invalid, or any supervisory authority requires transfers of Personal Information made pursuant to such decision to be suspended, then Advertiser may, at its discretion, require Xsolla to cease Processing Personal Information, or cooperate with Advertiser to facilitate use of an alternative transfer mechanism.

d. Upon termination or expiration of the Agreement, Xsolla shall return to Advertiser a complete copy of the Personal Information it Processed in connection with the Agreement, in a form and format reasonably agreed upon by the Parties. Following Advertiser’s confirmation that it received this copy (email sufficing), Xsolla shall securely dispose of all Personal Information remaining in Xsolla’s possession or control.

a. Advertiser Data Treatment. Xsolla will not, directly or indirectly, (i) reverse engineer any Advertiser data that is masked, hashed, aggregated, pseudonymized, de-identified, anonymized, or otherwise protected; (ii) use the Services to collect or otherwise attempt to discern Personal Information and/or any combination of the following data elements, in each case, with respect to any End-User: (a) precise geographic location information (i.e., latitudinal/longitudinal information), (b) device IDs or other persistent or unique identifiers, and/or (c) IP addresses (collectively, the data elements described in (a) through (c) are referred to herein as “Identifiers”); (iii) combine Advertiser Data obtained through the Services pursuant to this Agreement with Personal Information; (iv) combine page or End-User-level data, including any URL or a video title (collectively, “Page-Level Data”), with Personal Information and/or any Identifiers; (v) attempt to reverse engineer, disassemble, decompile, modify or otherwise use efforts to re-identify any individual, device or household about whom data received through this Agreement (including but not limited to the combination of Personal Information or Identifiers with other non-Personal Information data); or (vi) transmit to a third party any data in connection with this Agreement if (a) it contains any Personal Information, Identifiers, URLs or otherwise sensitive information, or (b) such transmission violates the Agreement and/or any Applicable Data Protection Law.

b. COPPA Compliance. If applicable, Xsolla understands and agrees that the Services will be used in connection with properties of Advertiser and/or Advertiser Affiliates that may be considered, in whole or in part, “website(s) or online service(s) directed to children” as defined by the Children’s Online Privacy Policy Act of 1998 and the applicable rules, regulations and guidance promulgated thereunder (“COPPA”). Such website(s) and online service(s) are referred to herein as “Child-Directed Properties”. With respect to Child-Directed Properties:

I.     Xsolla shall not collect any Personal Information, including persistent identifiers used over time and different sites, photographs, videos and audio recordings of children, geolocation information sufficient to identify street and city, and certain screen names; and

II.     Xsolla shall not send any messages such as push notifications that would require “verifiable parental consent” (as defined under COPPA); and


III.     Xsolla shall comply with all applicable COPPA requirements, including without limitation, those required under 16 CFR § 312.8 (“Confidentiality, security and integrity of Personal Information collection from children”) and 16 CFR § 312.10 (“Data retention and deletion requirements”).


IV.     Without limiting Xsolla’s other obligations under this DPA and the Agreement, in the event that Advertiser and/or Advertiser Affiliates passes to Xsolla or Xsolla collects any persistent identifiers (e.g. Advertiser number held in a cookie, an internet protocol address, a processor or device serial number, a mobile device ID, or any other unique identifier), Xsolla shall: (i) restrict use of persistent identifiers and any related data solely to those activities necessary for the support of the following approved “internal operations” (as defined under COPPA) of Advertiser and/or Advertiser Affiliates (i.e. maintaining or analyzing the functioning of the Services); and (ii) promptly and securely delete all persistent identifiers.

V.     In no event may any Personal Information collected from a Child-Directed Property be used to create profiles of individual End-Users, be merged with other data related to individual End-Users, or serve online behavioral advertising based upon activity of the End-Users across other sites or applications other than as expressly agreed upon by the Parties in an Insertion Order governed by the Agreement.

VI.     Xsolla shall not collect End-User device, geolocation, or any other Personal Information except for the limited use of any non-precise GPS data and device IDs for “support for internal operations” (as defined under COPPA) as allowed without parental consent under COPPA.

VII.     If Xsolla becomes aware that it has collected from Advertiser the Personal Information of a child under the age of 13 (or other relevant age, which may apply by virtue of applicable law) without prior consent, Xsolla will promptly erase the Personal Information from Xsolla’s records. If Advertiser discovers it has provided Xsolla with the Personal Information of a child under the age of 13, the Advertiser shall contact Xsolla at data.protection@xsolla.com immediately (not to exceed 24 hours from date of discovery).

c. CCPA and CPRA Compliance. The following shall apply to the extent that Personal Information Processed under the Agreement constitutes “Personal information” as defined under the California Consumer Privacy Act (the “CCPA”) and California Privacy Rights Act (the “CPRA”):

I.     Personal information is disclosed for limited and specified purposes.

II.     The Parties shall comply with applicable obligations under the CCPA and CPRA and provide the same level of protection to Personal information as required by the CCPA and CPRA.

III.     Each Party grants other Party rights to take reasonable and appropriate steps to help to ensure that each Party uses Personal information in a manner consistent with Party’s obligations under the CCPA and CPRA.

IV.     The Party shall notify the other Party promptly in writing if the first Party makes a determination that the other Party can no longer meet any of obligations under the CCPA and (or) CPRA.

V.     The Parties acknowledge that each party acts as “business” as defined under the CCPA and CPRA.

VI.     Parties must not “sell” or “share” any Personal information as the terms “selling” or “sharing” are defined in the CCPA and CPRA. Each Party shall refrain from taking any action that would cause any transfers of Personal information to or from the Party to qualify as “selling Personal information” or “sharing Personal information” under the CCPA and CPRA.

VII.     Parties must not retain, use or disclose any Personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using, or disclosing the Personal information for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA and CPRA.

VIII.     Parties must not retain, use, or disclose any Personal information outside of their direct business relationship under the Agreement.

IX.     The Party must not combine Personal information with Personal information that the Party receives from or on behalf of another person or persons, provided that the Party may do so to perform any business purpose as defined in CCPA and CPRA.

The Parties each certify that they understand the rules, requirements and definitions of the CCPA and CPRA and will comply with all of the requirements contained therein.

The term of this DPA commences as of the DPA Effective Date and will end upon Xsolla’s return or destruction (to be confirmed in writing) of all Personal Information Processed by Xsolla under the Agreement.

a. Indemnification. Advertiser agrees to indemnify, defend, and hold harmless Xsolla from any third-party claims (which include any governmental claims), liabilities, costs and expenses (including reasonable attorneys’ fees) incurred by Xsolla as a result of the acts or omissions or breach of this DPA by Advertiser or any violations of Applicable Data Protection Law (or any other applicable laws) by Advertiser. Xsolla agrees to indemnify, defend, and hold harmless Advertiser from any third-party claims, liabilities, costs and expenses (including reasonable attorneys’ fees) incurred by Advertiser as a result of the acts or omissions or breach of this DPA by Xsolla or any violations of Applicable Data Protection Law. Under no circumstances shall Xsolla be liable to Advertiser pursuant to this Section for an amount of damages greater than the total amounts paid by Advertiser under the Agreement for the three (3) month period prior to the date the claim arose or $25,000.00, whichever is less.

b. Limitation of Liability. IN NO EVENT SHALL XSOLLA BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, FOR BREACH OF CONTRACT, WARRANTY, NEGLIGENCE OR STRICT LIABILITY OR OTHERWISE), OR FOR INTERRUPTED COMMUNICATIONS, LOSS OF USE, LOST BUSINESS, LOST DATA OR LOST PROFITS (EVEN IF XSOLLA WAS ADVISED OF THE POSSIBILITY OF ANY OF THE FOREGOING), ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT. FURTHER, UNDER NO CIRCUMSTANCES SHALL XSOLLA BE LIABLE TO ADVERTISER FOR AN AMOUNT OF DAMAGES GREATER THAN THE TOTAL AMOUNTS PAID BY ADVERTISER UNDER THE AGREEMENT FOR THE THREE (3) MONTH PERIOD PRIOR TO THE DATE THE CLAIM AROSE OR $25,000.00, WHICHEVER IS LESS.

Unless otherwise required by the Standard Contractual Clauses or other data transfer requirements, this DPA will be subject to the governing law identified in the Agreement without giving effect to conflict of laws principles.

Where the provisions of this DPA diverge from or contradict provisions of the Agreement, the provisions of this DPA shall have precedence over the Agreement. Except as supplemented or amended by this DPA, the Agreement will remain in full force and effect.

DEFINITIONS AND DETAILS OF PROCESSING

1. 1.
   For purposes of this DPA, the following terms will have the following definitions:
   
   A. “Adequacy Decision” means a formal decision made by the European Commission of the European Union (“EU”) which recognizes that another country, territory, sector or international organization provides an equivalent level of protection for Personal Information as the EU does.
   
   B. “Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where “control” means the ownership of at least fifty percent (50%) of the voting securities or other ownership interests of such entity, or the power to direct or cause the direction of the management and policies of such entity, whether through ownership, contract, or otherwise.
   
   C. “Applicable Data Protection Law” means all data protection and data security laws, rules and regulations applicable to the Processing of Personal Information, including but not limited to the General Data Protection Regulation (“GDPR”) 2016/679 of the European Parliament and of the Council of the European Union, the Children's Online Privacy Protection Rule (“COPPA”), the California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”).
   
   D. “Data Controller” means the person or entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information.
   
   E. “Data Processor” means the person or entity which Processes Personal Information on behalf of the Data Controller.
   
   F. “Data Subject(s)” means any identified or identifiable natural person(s) whose Personal Information is Processed under the Agreement.
   
   G. “End-User(s)” means any individual who interacts with, views, or otherwise engages with the Advertiser’s online advertisements pursuant to the Services provided by Xsolla to Advertiser under the Agreement.
   
   H. “Member State” means a country that is a member of the EU or the European Economic Area (“EEA”), as well as any other jurisdiction that has adopted data protection laws substantially similar to the GDPR or other applicable regional data protection frameworks.
   
   I. “Personal Information” shall mean: (1) any information relating to an identified or identifiable natural person; and (2) any information defined as “personally identifiable information,” “personal information,” “personal data” or similar terms as such terms are defined under Applicable Data Protection Laws or regulations, limited to that Personal Information Xsolla Processes in connection with Services provided to Advertiser.
   
   J. “Process(ed)” “Processes” or “Processing” means any operation or set of operations performed upon Personal Information, whether or not by automatic means.
   
   K. “Restricted Country” means a country, territory or jurisdiction which is not covered by an Adequacy Decision.
   
   L. “Services” means all services provided by Xsolla to Advertiser pursuant to the Agreement, including any support, maintenance and training services related thereto.
   
2. 2.
   The details of the Processing of Personal Information carried out by Xsolla are as follows:
   
   a. Data Subjects: Xsolla will Process Personal Information relating to End-Users.
   
   b. Categories of data: Xsolla will Process the following categories of Personal Information:
   
   -”Advertising Service Data” as defined in Section 14.3 of the Agreement
   
   c. Processing operations: Xsolla will Process Personal Information solely as described in the Agreement.
   
   d. Duration of Processing: Personal Information shall be Processed so long as Services are provided under the Agreement and until written confirmation of destruction (or return) of all Personal Information under the Agreement.
   
3. 3.
   Security measures: Any technical and organizational measures are specified in the Agreement, including any relevant DPA or exhibit specifying security requirements, such as a data security DPA or security requirements exhibit. Applicable security measures include, at a minimum, the following:
   
   a. “Administrative Safeguards” including documented security policies and procedures, training programs, management of access rights, background checks and security clearances.
   
   b. “Technical Safeguards” including logging and monitoring of system activity and access, intrusion detection, vulnerability assessments, mobile device management, access controls, firewalls, change management controls, malware protection and appropriate use of encryption of data in transit and at rest.
   
   c. “Physical Safeguards” include facility access controls, secure disposal of records and electronic media, reasonable workstation security, and privacy screens and clean desk policies where appropriate.
   
   The purpose of the Administrative, Technical and Physical Safeguards as described in 3(a)(b) and (c) are to protect the Personal Information Xsolla collects through the Services against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. Xsolla regularly monitors compliance with these measures.
   
4. 4.
   Subcontracting: Advertiser uses the following subcontractors as of the Effective Date of the DPA: N/A