Attentive Data Processing Addendum
1. Introduction
This Data Processing Addendum (“DPA”) is entered into between Attentive Mobile Inc. (“Attentive” or “Company”) and the counterparty agreeing to these terms (“Customer”), which has entered into or will enter into a Master Subscription Agreement or other written or electronic agreement for the Services provided by Attentive (along with any applicable Order Form, the “Agreement”). Customer and Attentive are individually referred to as “Party” and collectively as the “Parties.”
This DPA governs the manner in which Attentive shall process Personal Data on behalf of Customer (and, where applicable, Customer’s Affiliates) and pursuant to the Agreement. All capitalized terms not defined in this DPA will have the meaning set forth in the Agreement. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. In the event of a conflict between the Agreement and this DPA, this DPA shall control. The Parties agree that this DPA shall supersede and replace any existing data protection terms the Parties may have previously entered into in connection with the Agreement. This DPA shall remain in effect until the end of Attentive’s provision of the Services, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Attentive may continue providing the Services for transitional purposes. Notwithstanding expiration of the Agreement, the relevant provisions of this DPA will remain in effect until, and automatically expire upon, deletion or disposal of all Personal Data as provided herein.
If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA.
2. Definitions
For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.
a. “Affiliate” means with respect to each Party any entity that controls, is controlled by, or is under common control with that Party.
b. “Controller” means the entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
c. “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK Extension of the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce and the European Commission regarding the collection, use, and retention of GDPR Personal Data transferred from the European Union, United Kingdom, and Switzerland to Attentive in the United States.
d. “Data Protection Laws” mean the relevant data protection and data privacy laws, rules, and regulations applicable to the processing, privacy and protection of Personal Data, which include but are not limited to: (i) the GDPR; (ii) the Swiss Federal Act on Data Protection 1992 and / or the Swiss Data Protection Act 2020; (iii) California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 – 1798.199, 2018) and California Privacy Rights Act of 2020 (2020 Cal. Legis. Serv. Proposition 24, codified at Cal. Civ. Code §§ 1798.100 et seq.) (together, “CCPA”); (iv) the Colorado Privacy Act (Colorado Rev. Stat. 6-1-1301 et seq.), and (v) the Virginia Consumer Data Protection Act (Code of Virginia title 59.1, Chapter 52), as each may be amended or restated from time to time.
e. “Data Subject” shall have the meaning given to that term under the GDPR, “consumer” under the CCPA, or such similar terms under Data Protection Laws.
f. “GDPR” means General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”), and any local implementations or applications of the same in any EEA Member State; and/or the “UK GDPR” as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018, as the context permits and to the extent applicable to a Party.
g. “GDPR Personal Data” means Personal Data pertaining to: (i) Data Subjects located in the United Kingdom, or European Economic Area (“EEA”) or Switzerland (collectively “Europe”); and (ii) Customers that notify Attentive that their Processing of Personal Data of Data Subjects outside the areas listed in (i) is subject to GDPR. For purposes of this DPA, Personal Data shall also encompass Sensitive Personal Data, if applicable. The Personal Data and the specific uses of the Personal Data are detailed in Annex 1.
h. “Personal Data” means “personal data,” “personally identifiable information,” “personal information,” or other such similar terms under Data Protection Laws, that is Processed by Attentive pursuant to the Agreement.
i. “Process” shall have the meaning given to that term under the GDPR.
j. “Processor” has the meaning given to that term under the GDPR, and in the context of this DPA, that term or “Service Provider” means an entity which Processes Personal Data on behalf of the Customer.
k. “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data on systems managed by or otherwise controlled by or on behalf of Attentive, and includes any “Personal Data Breach,” as defined under Data Protection Laws, affecting Personal Data.
l. “Sell” means directly or indirectly selling, renting, licensing, commercializing, releasing, disclosing, disseminating, making available, transferring, communicating orally, or otherwise using in writing or by electronic or other means, Personal Data (by Attentive or any Sub-processor) for monetary or other valuable consideration.
m. “Sensitive Personal Data” shall have the meaning assigned to the terms “sensitive personal data” or “special categories of personal data” under Data Protection Laws and shall include Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a person, or data concerning health or data concerning a person’s sex life or sexual orientation.
n. “Services” means the “Services” as defined in the Agreement.
o. “SCCs” means: (i) where the EU GDPR or Swiss Federal Act on Data Protection applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR, including the “UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”).
p. “Share” means sharing, disclosing, or otherwise making available Personal Data to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
q. “Sub-processor” means any of Attentive’s Affiliates, authorized contractors, agents, and third-party service providers that are appointed by Attentive to Process Personal Data.
3. Data Processing
a. Roles of Parties. As between Customer and Attentive, Customer is the Controller of the Personal Data, and Attentive shall Process Personal Data as a Processor acting on behalf of Customer, as to the Processing identified in Annex 1. In relation to Processing by a Party of Personal Data of the other Party’s staff or representatives for contract administration purposes, each Party does so as an independent Controller and shall do so in compliance with their respective obligations under Data Protection Laws. Otherwise, Attentive shall not determine the purposes and means of processing of any Personal Data such that it would be deemed to be a Controller.
b. Instruction for Data Processing.
- i. Attentive. Personal Data shall be Processed by Attentive only on documented instructions from the Customer (including with regard to international data transfers), and in compliance with the terms of this DPA, Data Protection Laws, and the business purposes set forth in the Agreement. Processing outside the scope of this DPA or the Agreement, including any changes to the locations of Processing of Personal Data, will require prior written agreement between the Parties. Attentive will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instruction and Data Protection Laws and the Parties will act promptly and in good faith to agree to non-conflicting processing instructions.
- ii. Customer may take reasonable and appropriate steps to help ensure that Attentive uses Personal Data consistent with Customer’s obligations under Data Protection Laws and to stop and remediate unauthorized use of Personal Data. Attentive will notify Customer no later than five (5) business days after Attentive determines that it no longer can meet its obligations under this DPA or Data Protection Laws.
- iii. Attentive is prohibited from: (i) Selling Personal Data; (ii) Sharing Personal Data; (iii) Processing Personal Data for any purpose other than for the specific purpose identified in the Agreement, except as permitted by Data Protection Laws; (iv) Processing Personal Data outside of the direct business relationship between Customer and Attentive; and (v) combining Personal Data that it receives from, or on behalf of, Customer with Personal Data it receives from, or on behalf of, another person or persons, or processes as a business, except as expressly permitted by Data Protection Laws. Attentive certifies that it understands and shall comply with the provisions set forth herein.
- iv. Customer. Customer agrees that: (i) it shall comply with its obligations as Controller under Data Protection Laws in respect of its Processing of Personal Data and any Processing instructions it issues to Attentive; and (ii) it has provided notice and obtained (or shall obtain) all necessary authorization (including without limitation, verifiable consent) and rights necessary under Data Protection Laws (including, for avoidance of doubt, the e-Privacy Directive and analogous EU member state laws) for Attentive to Process Personal Data and provide the Services.
c. Sub-processors.
- i. To the extent necessary to fulfill Attentive’s contractual obligations under the Agreement, Customer hereby authorizes the engagement of Sub-processors to Process Personal Data provided Attentive enters into written agreements with the Sub-processors regarding such Sub-processors’ Processing of Personal Data. The written agreements must: (i) impose data protection and security requirements that comply with Data Protection Laws and are no less onerous than those set forth in this DPA; (ii) specifically require such Sub-processors to assist Attentive and Customer in responding to any request received by Attentive or any Sub-processors from a Data Subject exercising their rights in Personal Data granted to them under Data Protection Laws (“Privacy Requests”); and (iii) limit use and access to Personal Data only to the extent required to perform the obligations subcontracted to Sub-processors in accordance with this DPA. Attentive will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processors in relation to the Personal Data.
- ii. The current list of Sub-processors is set forth on security.attentivemobile.com. Customer may subscribe to notifications of any Sub-processor arrangements by subscribing to notifications at security.attentivemobile.com, or such other similar mechanism made available by Attentive. Attentive shall publish and make available to Customer any proposed changes with at least fifteen (15) days’ notice before such changes take effect. Customer may object to Attentive’s use of a new Sub-processor with written notice within ten (10) days after Attentive has published its proposed changes. In the event Customer objects to Attentive’s use of a new Sub-processor, the Parties will work together in good faith to find a mutually acceptable resolution. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, the Customer may terminate the Agreement by providing no less than 30 days’ written notice, as set forth in the Agreement. During any such objection period, Attentive may suspend the affected portion of the Services.
d. Confidentiality. Any person authorized to Process Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality. Attentive shall limit access to Personal Data to only those employees and other personnel with a need to have access to such Personal Data to carry out the terms of the Agreement.
4. Transfer of Personal Data
a. Cross-Border Data Transfer Mechanism. In connection with the Services, the Parties acknowledge and agree that GDPR Personal Data shall be processed outside of Europe in the jurisdictions set out in this DPA or the Agreement, including jurisdictions that have not been designated as providing an adequate level of protection under Data Protection Laws (“Third Country”), and to support such transfers to Third Countries (hereinafter, “Restricted Transfers”), the Data Privacy Framework will apply.
b. Alternative Transfer Mechanism. To the extent the Data Privacy Framework is invalidated, the Parties agree to adopt the SCCs as the data transfer mechanism for the transfer of GDPR Personal Data (“Alternative Transfer Mechanism”). The Parties agree that to the extent Restricted Transfers are subject to the Alternative Transfer Mechanism, the Restricted Transfer shall be subject to:
- i. the data exporter ensuring that all Restricted Transfers comply with Data Protection Laws and, where required, a transfer impact assessment (“TIA”) is carried out;
- ii. the data importer ensuring that all subsequent Processing in the Third Country and any onward transfers comply with Data Protection Laws, and that, where required, the data importer supports and assists the data exporter with carrying out a TIA and implements any supplementary measures required to safeguard the GDPR Personal Data from unauthorized access from government authorities in the Third Country;
- iii. where the Restricted Transfer is to a Sub-processor, ensuring that a written contract is in place and the provisions of clause 3(c) have otherwise been complied with;
- iv. the appropriate SCCs as follows:
- 1. Transfers Restricted by European Data Protection Laws. The Parties agree Restricted Transfers protected by European Data Protection Laws shall be subject to the SCCs as follows:
- A. Module Two will apply where the Customer is a Controller data exporter and Attentive is a Processor data importer, and Module Three will apply where Customer is a Processor data exporter and Attentive is a Sub-processor data importer;
- B. In Clause 7, the optional docking clause will apply to the extent not inconsistent with the other provisions of the Agreement;
- C. In Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processors will be set forth in Section 3 of this DPA;
- D. In Clause 11, the optional language will not apply;
- E. In Clause 17, option 2 will apply, subject to the following:
Where the Customer is established in Europe, the law of the Member State in which the Customer is established, provided such Member State law allows for third-party beneficiary rights, and if the Member State law does not allow for third-party beneficiary rights, then this shall be governed by the law of the Republic of Ireland;
- F. In Clause 18(b), the Parties submit themselves to the jurisdiction of the courts of that country whose law applies according to Section 4(b)(iv)(1)(E) of this DPA;
- G. For the Purpose of Annex I of the SCCs, Appendix 1 contains the specifications regarding the Parties, the description of transfer, and the competent supervisory authority;
- H. For the Purpose of Annex II of the SCCs, Appendix 2 contains the technical and organizational measures;
- I. The specifications for Annex III of the SCCs, are determined by Section 3 of the DPA. The Sub-processor’s contact person’s name, position and contact details will be provided by Attentive upon request.
- 2. Transfers Restricted by United Kingdom Data Protection Laws. Where the Parties are lawfully permitted to rely on the SCCs for transfers of GDPR Personal Data from the United Kingdom subject to completion of the UK Addendum, then:
- A. The EU SCCs, completed as set forth in Section 4(b)(iv)(1) shall also apply to transfers of such GDPR Personal Data, subject to sub-clause (B) below;
- B. The UK Addendum shall be deemed executed between the transferring Customer and Attentive, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such GDPR Personal Data.
5. Data Security
a. Attentive Security. Attentive shall implement and maintain a security program that includes appropriate technical and organizational measures that are designed to ensure a level of security appropriate to risk and the nature of the information and that are further designed to protect Personal Data from unauthorized access, destruction, use, modification or disclosure in accordance with Data Protection Laws. Such technical and organizational measures are set forth in Annex 2. Further, Attentive shall require all Sub-processors to maintain an equivalent standard of security measures when Processing any Personal Data, taking into account the specific Processing that is being carried out by those Sub-processors.
b. Attentive shall assist the Customer in ensuring compliance with the obligations pursuant to Article 32 of the GDPR relating to security of processing, taking into account the nature of processing and the information available to Attentive.
6. Assessments and Audits
a. Attentive Obligations. Attentive shall, in accordance with Data Protection Laws, make available to Customer such information in Attentive’s possession or control as Customer may reasonably request with a view to demonstrating Attentive’s compliance with its obligations pursuant to this DPA.
b. Attentive may fulfil Customer’s right of audit under Data Protection Laws by providing:
- i. an audit report not older than twelve (12) months, prepared by an independent external auditor, describing and documenting Attentive’s technical and organizational measures, and made available at security.attentivemobile.com;
- ii. additional information in Attentive’s possession or control, to the extent such information is required by Customer to comply with Data Protection Laws; and
- iii. to the extent the information made available under the preceding clauses is insufficient such that Customer would violate Data Protection Laws, then Attentive shall enable Customer to request an audit, no more than once annually, to verify Attentive’s compliance with its obligations under this DPA. If the Parties agree that an audit is appropriate, the Parties will agree in advance on the reasonable start date, scope, duration of, and security and confidentiality controls applicable to any audit under this Section. Whenever possible, evidence for such an audit will be limited to the evidence collected for Attentive’s most recent third-party audit. All reasonable fees incurred by Attentive shall be reimbursed by Customer.
7. Security Incident
a. Security Incident Procedure. Attentive will deploy and follow policies and procedures designed to detect, respond to, and otherwise address Security Incidents including procedures designed to: (i) identify and respond to suspected or known Security Incidents, investigate Security Incidents and reasonably cooperate with Customer’s (and any law enforcement or regulatory official’s) investigation of the Security Incident, mitigate harmful effects of Security Incidents; and (ii) restore the availability or access of Personal Data in a timely manner.
b. Notice. Attentive shall provide Customer with notice promptly and without undue delay if Attentive is made aware that a Security Incident has taken place. Such notice will include information available and required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
8. Data Subject Requests, Regulator and Government Requests, and Prior Consultation
a. Personal Data Request. Attentive shall provide notice promptly and in any event within any timeframe required by Data Protection Laws to Customer of any Privacy Requests or privacy-related complaints from Data Subjects received by Attentive or any Sub-processor relating to Personal Data. At Customer’s request and without undue delay, Attentive agrees to assist Customer in answering or complying with any Privacy Requests, including by taking reasonable steps to ensure the compliance of any Sub-processor and by appropriate technical and organizational measures in accordance with Article 28(3)(e) of the GDPR.
b. Government Disclosure and Regulator Requests. Attentive shall provide prompt written notice and full details to Customer of any request for disclosure of or access to Personal Data (“Access Request”) or any other notices, complaints or enforcement actions related to Personal Data that have been submitted or brought by a governmental or regulatory body or law enforcement authority, including any data protection supervisory authority, unless otherwise prohibited by law or a legally binding order of such body or agency. Attentive shall, where possible, seek to refer all such Access Requests to the Customer for the Customer to assume conduct of and respond to, or Attentive shall otherwise challenge all such Access Requests by all reasonable means.
c. Prior Consultation. Attentive shall provide reasonable assistance to Customer in relation to a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
9. Data Disposal
a. Disposal upon Termination. After notification from Customer that Customer seeks to terminate use of all Services, Attentive shall at the Customer’s option delete or return to Customer all Personal Data, including existing copies, from its possession or control in accordance with Data Protection Laws. Attentive shall comply with this instruction as soon as reasonably practicable. This requirement shall not apply to the extent Attentive is required by applicable law to retain some or all records that include Personal Data or where such Personal Data is necessary for defense of legal claims. Upon request, Attentive shall provide written certification to Customer that it has destroyed or otherwise disposed of Personal Data. If Attentive is prevented from destroying Personal Data due to applicable law, it shall retain such Personal Data for this limited purpose and shall comply with its relevant obligations, subject to the terms and restrictions of this DPA.
Annex 1 to the DPA: Data Processing Description
A. List of Parties
Data exporter(s): Customer and/or the Customer Affiliates operating in the countries which comprise the European Economic Area and UK