This Data Protection Addendum (“DPA”) applies to the Master Agreement for Advertising Campaigns (“Agreement”) available online at https://xsolla.com/master-agreement-for-advertising-campaigns and is effective on the Agreement’s publication date (“Effective Date”). The parties to this DPA are the advertiser under the Agreement (“Advertiser”) and Xsolla (USA), Inc. (“Xsolla”). Advertiser and Xsolla may be referred to individually as a “Party” or collectively as the “Parties”. This DPA applies to the Processing of Personal Information carried out by each Party independently in connection with Xsolla’s Services provided to Advertiser and its Affiliates pursuant to the Agreement and any Insertion Order governed by the Agreement. Each Party acts as an independent Data Controller with respect to Personal Information it Processes under the Agreement.
a. In this DPA, capitalized terms shall have the meanings set out in Exhibit 1 (Definitions and Details of Processing), or in the Agreement, as applicable. In the event that any terms of this DPA and its appendices are inconsistent with any other terms of the Agreement, the Parties intend for the terms of this DPA and the Agreement to be construed in the manner that permits each Party to fulfill its obligations under Applicable Data Protection Law.
a. With respect to Personal Information Processed by each Party in connection with the Services or otherwise in its possession or control:
I. Each Party shall independently act as a Data Controller with respect to the Personal Information it Processes under the Agreement; and
II. Neither Party acts on behalf of the other Party when Processing Personal Information, and each Party independently determines the purposes and means of its own Processing activities.
b. Each Party shall not sell, rent, lease, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Information received from the other Party to any third party for monetary or other valuable consideration. Each Party shall not collect, retain, use, or disclose such Personal Information for any purpose other than the specific purposes of performing or receiving the Services specified in the Agreement, or outside of the direct business relationship between the Parties. Each Party shall not disclose the other Party’s Personal Information to another business, person, or third party, except for the purpose of performing or receiving the Services specified in the Agreement, or to the extent such disclosure is required by Applicable Data Protection Law. A Party may disclose Personal Information required by Applicable Data Protection Law only after (i) notifying the other Party of the legal requirement prior to disclosing any such Personal Information; and (ii) taking steps to ensure that only the information that is legally required is disclosed. Each Party certifies that it understands and will comply with the restrictions of this section.
c. The extent and type of Personal Information to be Processed by each Party, and the categories of Data Subjects are set out in Exhibit 1. The details of the Personal Information listed in Exhibit 1 may also be restricted in certain territories on a case-by-case basis subject to the requirements of Applicable Data Protection Law.
d. Each Party will Process Personal Information in accordance with Applicable Data Protection Law and shall implement appropriate technical and organizational measures to protect Personal Information against risks inherent in its Processing activities, including risks from unauthorized or unlawful Processing and destruction, damage, misuse, and loss.
e. Each Party will, at no additional cost, assist the other Party to:
I. comply with obligations to inform individuals about the collection, Processing, or use of Personal Information;
II. immediately notify the other Party of any notices, requests for information, or orders from data protection authorities and work with the other Party to promptly provide the information required to respond to such notices, requests, or orders;
III. immediately inform the other Party if, in the first Party’s opinion, a direction or instruction from the other Party infringes Applicable Data Protection Law; and
IV. immediately notify the other Party of any data subject requests for information, access, rectification, erasure, restriction, portability, objection, do not sell, deletion, and any other similar requests (each, a “Data Subject Request”) that it receives relating to Personal Information shared under the Agreement, without responding to the individual except to acknowledge receipt of the Data Subject Request.
f. Each Party shall maintain complete and accurate records in connection with Data Subject Requests relating to Personal Information shared under the Agreement and shall provide the other Party with reasonable access to such records upon request.
g. Each Party will implement and maintain technical and organizational security measures to adequately protect Personal Information against the risks inherent in the Processing of Personal Information for the purposes identified in the Agreement, and risks from unauthorized or unlawful Processing and destruction, damage, misuse, and loss. Each Party will implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information it Processes.
h. Each Party will ensure that each of its personnel:
I. have undertaken to comply with confidentiality obligations in respect of such Personal Information, which confidentiality obligations will continue after the termination of the Agreement; and
II. are aware of the procedures that the relevant Party has put in place and receive appropriate training on data protection and security.
i. Each Party shall assist the other Party in response to any requests from data protection authorities relating to the Processing of Personal Information shared under the Agreement. In the event that any such request is made directly to a Party, that Party shall not respond to such communication directly without the other Party’s prior written authorization (to the extent the request concerns the other Party’s data), unless legally compelled to do so. If a Party is required to respond to such a request, that Party shall promptly notify the other Party and provide it with a copy of the request unless legally prohibited from doing so.
j. Each Party will promptly and without undue delay, and in any case no later than forty-eight (48) hours after becoming aware, inform the other Party, at an email address known to the notifying Party, in the event of: (i) any serious interruption of its Processing operations relating to shared Personal Information; (ii) any unauthorized acquisition, loss, access, or use of shared Personal Information; or (iii) any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, shared Personal Information (altogether, a “Security Incident”), or any reasonable suspicion of a Security Incident, regardless of its cause. At the other Party’s direction, the notifying Party will provide all information and assistance required by the other Party to investigate, mitigate, and respond to a Security Incident, including at a minimum any information or assistance required by Applicable Data Protection Law. If a Party subcontracts or assigns any of its obligations pursuant to this DPA to a third party, that Party will (a) in each case first ensure that each and every such subcontractor, partner or assignee has undertaken in signed writing to comply with obligations no less protective than the obligations undertaken by that Party in this DPA; (b) perform appropriate due diligence to ensure that all subcontractors, partners and assignees can meet all of the Party’s obligations in the Agreement; and (c) remain fully liable for the performance of each subcontractor and/or assignee.
k. Each Party retains the right to select its own subprocessors at its discretion, in accordance with its internal processes, subject to the requirements of Section 2(j) above. Upon the other Party’s request, a Party shall provide a list of subprocessors engaged to process Personal Information shared under this Agreement.
a. Each Party shall, in Processing Personal Information, comply with all Applicable Data Protection Law.
b. Where a Party transfers Personal Information originating from a Restricted Country to a recipient located outside the European Union, the European Economic Area, or a country in respect of which a valid Adequacy Decision has been issued by the European Commission or adequacy has otherwise been determined through a valid method under Applicable Data Protection Law, the transferring Party and the receiving Party shall comply with the Standard Contractual Clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “Standard Contractual Clauses”), incorporated herein by reference. The Parties shall use Module One “Transfer controller to controller” and the applicable terms for that module. In particular, and without limiting the above obligations:
I. The Parties agree that their respective obligations under the Standard Contractual Clauses shall be governed by the law(s) of the Member State with the greatest number of European Union Data Subjects whose Personal Information is transferred; and
II. details of the appendices applicable to the Standard Contractual Clauses are set out in Exhibit 1 to this DPA.
c. Each Party will provide all other reasonable assistance and execute such agreements as may be necessary to legitimize any Processing or data transfer of Personal Information and to ensure an adequate level of protection for Personal Information. In the event that any competent authority holds that a data transfer mechanism relied on by the Parties is invalid, or any supervisory authority requires transfers of Personal Information made pursuant to such decision to be suspended, then either Party may require the other Party to cease Processing shared Personal Information, or the Parties shall cooperate to facilitate use of an alternative transfer mechanism.
d. Upon termination or expiration of the Agreement, each Party shall return to the other Party a complete copy of the Personal Information it received from the other Party in connection with the Agreement, in a form and format reasonably agreed upon by the Parties. Following the other Party’s confirmation that it received this copy (email sufficing), the returning Party shall securely dispose of all such Personal Information remaining in its possession or control.
a. Advertiser Data Treatment. Xsolla will not, directly or indirectly: (i) reverse engineer any Advertiser data that is masked, hashed, aggregated, pseudonymized, de-identified, anonymized, or otherwise protected; (ii) combine page or End-User-level data, including any URL or a video title (collectively, "Page-Level Data"), with Personal Information; (iii) attempt to reverse engineer, disassemble, decompile, modify or otherwise use efforts to re-identify any individual, device or household about whom data is received through this Agreement (including, without limitation, by combining Personal Information with other non-Personal Information); or (iv) transmit to a third party any data in connection with this Agreement if (a) it contains any Personal Information, URLs or otherwise sensitive information, or (b) such transmission violates the Agreement and/or any Applicable Data Protection Law.
b. COPPA Compliance. If applicable, both Parties understand and agree that the Services may be used in connection with properties of Advertiser and/or Advertiser Affiliates that may be considered, in whole or in part, “website(s) or online service(s) directed to children” as defined by the Children’s Online Privacy Protection Act of 1998 and the applicable rules, regulations, and guidance promulgated thereunder (“COPPA”). Such website(s) and online service(s) are referred to herein as “Child-Directed Properties”. With respect to Child-Directed Properties:
I. Neither Party shall collect any Personal Information, including persistent identifiers used over time and across different sites, photographs, videos and audio recordings of children, geolocation information sufficient to identify street and city, and certain screen names.
II. Neither Party shall send any messages such as push notifications that would require “verifiable parental consent” (as defined under COPPA).
III. Each Party shall comply with all applicable COPPA requirements, including without limitation, those required under 16 CFR § 312.8 (“Confidentiality, security, and integrity of personal information collected from children”) and 16 CFR § 312.10 (“Data retention and deletion requirements”).
IV. Without limiting each Party’s other obligations under this DPA and the Agreement, in the event that a Party receives or collects any persistent identifiers (e.g., a number held in a cookie, an internet protocol address, a processor or device serial number, a mobile device ID, or any other unique identifier) in connection with Child-Directed Properties, that Party shall: (i) restrict use of persistent identifiers and any related data solely to those activities necessary for the support of the following approved “internal operations” (as defined under COPPA) (i.e., maintaining or analyzing the functioning of the Services); and (ii) promptly and securely delete all persistent identifiers.
V. In no event may any Personal Information collected from a Child-Directed Property be used to create profiles of individual End-Users, be merged with other data related to individual End-Users, or serve online behavioral advertising based upon activity of the End-Users across other sites or applications other than as expressly agreed upon by the Parties in an Insertion Order governed by the Agreement.
VI. Neither Party shall collect End-User device, geolocation, or any other Personal Information except for the limited use of any non-precise GPS data and device IDs for “support for internal operations” (as defined under COPPA) as allowed without parental consent under COPPA.
VII. If either Party becomes aware that it has collected the Personal Information of a child under the age of 13 (or other relevant age as may apply by virtue of applicable law) without prior consent, that Party will promptly erase the Personal Information from its records and notify the other Party. If either Party discovers it has provided the other Party with the Personal Information of a child under the age of 13, the discovering Party shall contact the other Party at data.protection@xsolla.com (in the case of Xsolla) immediately (not to exceed 24 hours from the date of discovery).
c. CCPA and CPRA Compliance. The following shall apply to the extent that Personal Information Processed under the Agreement constitutes “Personal information” as defined under the California Consumer Privacy Act (the “CCPA”) and California Privacy Rights Act (the “CPRA”):
I. Personal information is disclosed for limited and specified purposes.
II. The Parties shall comply with applicable obligations under the CCPA and CPRA and provide the same level of protection to Personal information as required by the CCPA and CPRA.
III. Each Party grants the other Party rights to take reasonable and appropriate steps to help ensure that each Party uses Personal information in a manner consistent with each Party’s obligations under the CCPA and CPRA.
IV. Each Party shall notify the other Party promptly in writing if that Party makes a determination that it can no longer meet any of its obligations under the CCPA and/or CPRA.
V. The Parties acknowledge that each Party acts as a “business” as defined under the CCPA and CPRA.
VI. The Parties must not “sell” or “share” any Personal information as the terms “selling” or “sharing” are defined in the CCPA and CPRA. Each Party shall refrain from taking any action that would cause any transfers of Personal information to or from that Party to qualify as “selling Personal information” or “sharing Personal information” under the CCPA and CPRA.
VII. The Parties must not retain, use, or disclose any Personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using, or disclosing the Personal information for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA and CPRA.
VIII. The Parties must not retain, use, or disclose any Personal information outside of their direct business relationship under the Agreement.
IX. Neither Party shall combine Personal information with Personal information received from or on behalf of another person or persons, provided that a Party may do so to perform any business purpose as defined in the CCPA and CPRA.
The Parties each certify that they understand the rules, requirements, and definitions of the CCPA and CPRA and will comply with all of the requirements contained therein.
The term of this DPA commences as of the DPA Effective Date and will end upon each Party’s return or destruction (to be confirmed in writing) of all Personal Information received from the other Party and Processed under the Agreement.
a. Indemnification. Each Party (“Indemnifying Party”) agrees to indemnify, defend, and hold harmless the other Party (“Indemnified Party”) from any third-party claims (which include any governmental claims), liabilities, costs and expenses (including reasonable attorneys’ fees) incurred by the Indemnified Party as a result of the acts or omissions or breach of this DPA by the Indemnifying Party or any violations of Applicable Data Protection Law (or any other applicable laws) by the Indemnifying Party. Under no circumstances shall Xsolla be liable to Advertiser pursuant to this Section for an amount of damages greater than the total amounts paid by Advertiser under the Agreement for the three (3) month period prior to the date the claim arose or $25,000.00, whichever is less.
b. Limitation of Liability. IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, FOR BREACH OF CONTRACT, WARRANTY, NEGLIGENCE OR STRICT LIABILITY OR OTHERWISE), OR FOR INTERRUPTED COMMUNICATIONS, LOSS OF USE, LOST BUSINESS, LOST DATA OR LOST PROFITS (EVEN IF ADVISED OF THE POSSIBILITY OF ANY OF THE FOREGOING), ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT. FURTHER, UNDER NO CIRCUMSTANCES SHALL XSOLLA BE LIABLE TO ADVERTISER FOR AN AMOUNT OF DAMAGES GREATER THAN THE TOTAL AMOUNTS PAID BY ADVERTISER UNDER THE AGREEMENT FOR THE THREE (3) MONTH PERIOD PRIOR TO THE DATE THE CLAIM AROSE OR $25,000.00, WHICHEVER IS LESS.
Unless otherwise required by the Standard Contractual Clauses or other data transfer requirements, this DPA will be subject to the governing law identified in the Agreement without giving effect to conflict of laws principles.
Where the provisions of this DPA diverge from or contradict provisions of the Agreement, the provisions of this DPA shall have precedence over the Agreement. Except as supplemented or amended by this DPA, the Agreement will remain in full force and effect.
DEFINITIONS AND DETAILS OF PROCESSING
c. Processing operations: Each Party will Process Personal Information solely as described in the Agreement and for the purposes for which it independently acts as a Data Controller.
d. Duration of Processing: Personal Information shall be Processed so long as Services are provided under the Agreement and until written confirmation of destruction (or return) of all Personal Information under the Agreement.
3. Security measures: Any technical and organizational measures are specified in the Agreement, including any relevant DPA or exhibit specifying security requirements, such as a data security DPA or security requirements exhibit. Applicable security measures include, at a minimum, the following:
a. “Administrative Safeguards” including documented security policies and procedures, training programs, management of access rights, background checks and security clearances.
b. “Technical Safeguards” including logging and monitoring of system activity and access, intrusion detection, vulnerability assessments, mobile device management, access controls, firewalls, change management controls, malware protection and appropriate use of encryption of data in transit and at rest.
c. “Physical Safeguards” including facility access controls, secure disposal of records and electronic media, reasonable workstation security, and privacy screens and clean desk policies where appropriate.
The purpose of the Administrative, Technical, and Physical Safeguards described in 3(a), (b) and (c) is to protect the Personal Information each Party Processes against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. Each Party regularly monitors compliance with these measures.
4. Subcontracting: Each Party uses the following subcontractors as of the Effective Date of the DPA: N/A.