Introduction

SmartyAds uses commercially reasonable efforts to provide participating advertisers, publishers and/or SSP/DSP platforms with a safe, transparent, and fair marketplace. Your use of Smartyads's advertising marketplace (known as Ad Exchange), Demand Side Platform or Supply Side Platform (hereinafter the "SmartyAds Ad Marketplace") is governed by Your contract with SmartyAds, which requires compliance with this SmartyAds Data Processing Addendum (hereinafter the "DPA") as it may be updated by SmartyAds from time to time. In case You are participating on the supply side (either publisher or SSP), please refer to the Publisher's part of this DPA; in case your participation refers to the demand side (an advertiser or DSP) please refer to the "Demand Partner Data Processing Addendum". The obligations set forth herein are the minimum standards for You wishing to participate in the SmartyAds Ad Marketplace.

SmartyAds may update this DPA at any time and without prior notice. All amendments will be posted to this website located at www.smartyads.com (hereinafter the "Site") and will be effective when posted without any notice to You. By using the SmartyAds's Advertising Marketplace following such posting, You agree to any updated version of this DPA.

With respect to ensuring compliance with the foregoing, please note that SmartyAds reserves the right to suspend or remove sites, applications and/or advertisers/publishers, DSP and/or SSP platforms from the SmartyAds Ad Marketplace if it reasonably suspects or determines, in its sole discretion, that any of this SmartyAds Data Processing Addendum rules/policies have been violated.

Publisher Data Processing Addendum

This Publisher Data Processing Addendum (hereinafter the "DPA") is entered into by and between SmartyAds Inc., a Delaware corporation located at 1201 N. Orange Street, Suite 762, Wilmington, New Castle County, DE 19801 (hereinafter the "SmartyAds") and you (hereinafter the "Publisher" or "You"), supplements and forms part of SmartyAds Publisher's Agreement (hereinafter the "Principal Agreement") or other written or electronic agreement, between SmartyAds and Publisher (or SSP or any other supply side partner) to reflect the parties' agreement with regard to the processing of personal data. This DPA is effective as of the date of SmartyAds Publisher's Agreement entered into ("Effective Date").

The terms used in this DPA shall have the meanings outlined in this DPA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Principal Agreement.
IT IS AGREED:

1. Definitions

"Controller" means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;

"Processor" means a natural or legal person, public authority, agency or other body which processes the Personal Data on behalf of the Controller;

"Demand Partners" means SmartyAds' media buying clients, including but not limited to advertisers, demand side platforms, ad exchanges, agencies and ad networks;

"European Data Protection Law" means as applicable to a party in its Processing of Data: (i) Regulation 2016/679 (the European General Data Protection Regulation ("GDPR"); (ii) the EU e-Privacy Directive (Directive 2002/58/EC) ("e-Privacy Directive"); (iii) all national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances; and (v) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts the GDPR and e-Privacy Directive in domestic law or that relates to data and privacy and is enacted as a consequence of the United Kingdom leaving the European Union; in each case, as may be amended, superseded or replaced from time to time;

"Europe" means, for the purposes of this DPA, the European Economic Area (EEA), the United Kingdom, Iceland, Lichtenstein, Norway and Switzerland;

"Personal Data" means any information which is related to an identified or identifiable natural person to the extent that such information is protected as "personal data" under applicable European Data Protection Law;

"Privacy Requirements" means:

(i) European Data Protection Law, as applicable to Publisher, SmartyAds, its Demand Partners, and their respective Processing of Data under this DPA;

(ii) United States privacy laws, including the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020), the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), and other similar U.S. state laws, including their implementing regulations; and

(iii) any applicable self-regulatory codes, rules, or guidelines, including without limitation, the rules, codes and guidelines of the European Interactive Digital Advertising Alliance (EDAA), the Network Advertising Initiative (NAI), the Digital Advertising Alliance (DAA), and the IAB Transparency and Consent Framework (TCF) or IAB U.S. Privacy Framework (including GPP and US Privacy String), in each case, as amended, superseded, or replaced from time to time.

"Publisher Property" means the websites, mobile applications and/or other digital media properties owned or operated by the Publisher and accessible through the SmartyAds Services or via which the Personal Data used in connection with the SmartyAds Services is collected;

"SmartyAds Services" means SmartyAds' online advertising services, products, and features;

"SmartyAds Privacy Policy" means the SmartyAds privacy policy available at https://smartyads.com/legal/services-privacy-policy (as updated or amended from time to time);

"Standard Contractual Clauses" means the standard contractual clauses for controllers (2004) as approved by the European Commission pursuant to the European Commission's decision C(2004) 5271 of 27 December 2004;

"New SCCs" means: the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council;

"Security Incident" means any event which resulted in, or which is successful had resulted in, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Data (as defined in Section 2 herein) while in the control of the Demand Partner, its affiliates, agents, subcontractors, processors or sub-processors etc.

The terms "Commission", "Member State", "Personal Data Breach", "Supervisory Authority", "Data subject", "personal data", "processing" (and "process"), and "special categories of personal data" shall have the meanings given in Privacy Requirements.

Any other terms not stated herein shall have the meanings given to them in European Data Protection Law.

2. Scope of processing

The parties agree that, unless otherwise agreed between the parties in connection with the SmartyAds Services, SmartyAds may receive from Publisher data (including Personal Data) about or related to end users of the Publisher Properties as more particularly described in Annex B of this DPA (collectively, "Data"). The parties agree that SmartyAds (and its Demand Partners) may process the Data for the purposes contemplated by the Principal Agreement.

The parties also agree that at the moment of the registration and/or signing of the Principal Agreement Publisher may provide data (including Personal Data) about or related to its personnel as more particularly described in Annex B of this DPA (hereinafter the "Publisher's Personnel Data").

3. Privacy Requirements

3.1 Compliance with Privacy Requirements 

Each Party shall comply with all applicable privacy and data protection laws and regulations in connection with its performance under the Agreement, including but not limited to:

  • (i) the EU General Data Protection Regulation 2016/679 (GDPR);
  • (ii) the EU ePrivacy Directive 2002/58/EC;
  • (iii) national laws implementing or replacing the GDPR or ePrivacy Directive;
  • (iv) the UK Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR);
  • (v) the Swiss Federal Data Protection Act and its implementing regulations;
  • (vi) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CCPA), and
  • related regulations;
  • (vii) any other U.S. State privacy laws including, but not limited to, the Virginia Consumer Data Protection Act (VCDPA),
  • Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and Utah Consumer Privacy Act (UCPA);
  • (viii) any other data protection and privacy laws applicable to the Services or the Processing of Personal Data
  • (collectively, “Privacy Requirements”).

3.2 Transparency and Lawful Basis

Each Party shall maintain a publicly accessible privacy policy on its digital properties, ensuring compliance with Privacy Requirements, and shall independently ensure that it has a lawful basis for its processing of Data, including compliance with all relevant consent, notice, and opt-out requirements.

3.3 Controller Obligations

The Parties acknowledge and agree that each acts as an independent Controller with respect to the Data it processes and is solely responsible for its own compliance with Privacy Requirements, including but not limited to:

  • Observing data minimization and data accuracy principles;
  • Managing its own Processors, where applicable, and ensuring they provide sufficient guarantees for data protection
  • compliance;
  • Complying with rights of Data Subjects or Consumers under Privacy Requirements, including responding to access,
  • deletion, correction, and opt-out requests in a timely manner;
  • Implementing and maintaining appropriate technical and organizational security measures.

Publisher shall (if applicable):

  • maintain a valid TCF Vendor registration;
  • comply with the TCF Requirements applicable to TCF Vendors; and
  • process Data solely in accordance with the TCF Purposes.

3.4 US Privacy Compliance – Third Party and Service Provider

Designation

For the purposes of the CCPA and other applicable U.S. privacy laws:

  • SmartyAds acts as a Third Party when receiving bid requests and associated personal information from the Publisher or supply-side platforms. As a Third Party, SmartyAds certifies it shall not Sell or Share personal information without

    appropriate notice and the opportunity to opt out being provided to the consumer by the first party or publisher.

  • Upon receiving a valid opt-out signal (e.g., via the Global Privacy Protocol (GPP), or other recognized mechanisms such as Global Privacy Control (GPC), SmartyAds shall act as a Service Provider and limit its processing to those business purposes permitted under the CCPA and applicable regulations.
  • SmartyAds shall not combine personal information across contexts unless permitted by the CCPA and shall refrain from using, disclosing, or retaining such information for any purpose other than as permitted under applicable privacy law and Principal Agreement.
  • Publisher shall have the right to take reasonable and appropriate steps to ensure that SmartyAds processes Data in a manner consistent with the Publisher’s obligations under the California Consumer Privacy Act (CCPA), including through regular reviews, audits, or other appropriate means.
  • In the event that the Publisher becomes aware of unauthorized use of Data by SmartyAds, or if such use is identified through monitoring activities, Publisher shall have the right to take reasonable and appropriate steps to stop and remediate such use. This may include suspending data transfers or terminating Principal Agreement if necessary.
  • SmartyAds shall promptly notify Publisher if it determines that it can no longer meet its obligations under the CCPA or is unable to process Personal Information in compliance with applicable Privacy Requirements and the terms of the Agreement.
  • Both Parties shall comply with obligations arising under any applicable privacy framework or signal, including IAB Tech Lab's MSPA, where applicable.

4. Purpose Limitation

Each Party agrees to collect, use, retain, and otherwise Process Data strictly for the purposes expressly defined in the Principal Agreement and in accordance with Privacy Requirements. Neither Party shall:

  • Process the Data for any purpose that is incompatible with the specified purposes under Principal Agreement;
  • Use the Data for its own direct marketing purposes unless it has obtained the necessary consent or has an appropriate legal basis to do so;
  • Disclose the Data to any third party unless such disclosure is authorized by Principal Agreement, required by law, or necessary to comply with a valid legal obligation.

Specifically, under the CCPA:

  • SmartyAds shall not retain, use, or disclose the Personal Information received from the Publisher (or through bid requests) for any purpose other than for the specific business purposes defined in the Agreement or as otherwise permitted under the CCPA;
  • SmartyAds shall not use the Personal Information to build or modify consumer profiles for use outside the permitted scope of processing, or to re-identify de-identified data;
  • In the event an opt-out signal is honored, SmartyAds shall continue to Process such Data only as a Service Provider and for the limited business purposes allowed under the CCPA.

5. Prohibited Data Sharing

Publisher shall not include or launch any Publisher Property on any of the SmartyAds Services if such Publisher Property is directed at or likely to be accessed by any data subject that is deemed to be a child under applicable Privacy Requirements of the country in which this child resides. Publisher shall flag within the SmartyAds Services or inform SmartyAds in writing prior to launching any of such Publisher Properties on any of the SmartyAds Services and/or pass to SmartyAds or its Demand Partners any Data of any data subject that is deemed a child under applicable Privacy Requirements.

6. Non-compliance

If Each Party is unable to comply with its consent, opt out and notice obligations under the Agreement (including this DPA) in respect of the Data, that respective Party shall promptly notify another.

7. Co-operation and Data Subject Rights

The parties shall, on request, provide each other with all reasonable and timely assistance (at their own expense) and co-operation to enable the other party to comply with its obligations under the Privacy Requirements, including in order to enable the other party to respond to:

(I) any request from a data subject to exercise any of its rights (including its rights of access, correction, objection, erasure and data portability, as applicable) in relation to the Data;

(ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data (hereinafter the "Correspondence").

Each party shall promptly inform the other if it receives any Correspondence directly from a data subject in relation to the Data. Subject to obligations of confidentiality and policies on disclosure of information, where a party has a concern that the other party has not complied with this DPA, the parties agree to share information in order to ascertain the cause of such non-compliance and take reasonable steps to correct.

8. Standard Contractual Clauses

(a) The Standard Contractual Clauses and Section 10 (b) of this DPA shall only apply where SmartyAds and Publisher entered into this DPA on or prior to September 27, 2021, and will apply through December 27, 2022, after which date the New SCCs and Section 10(c) will apply and the Standard Contractual Clauses will no longer apply. Where SmartyAds and Publisher enter into this DPA on or after September 27, 2021, the New SCCs and Section 10(c) shall apply. SmartyAds agrees to abide by and process Data in accordance with the Standard Contractual Clauses or the New SCCs, whichever apply as set forth in this Section 10(a) (collectively referred to as "Applicable SCCs"). The parties agree that the Applicable SCCs are hereby incorporated into and form an integral part of this DPA. The terms of the Standard Contractual Clauses and New SCCs (as applicable) will apply where and to the extent (i) the applicable transfer of Data is not subject to the laws of a jurisdiction recognized as providing an adequate level of protection for Personal Data (as described in applicable Privacy Requirements); or (ii) SmartyAds and the applicable transfer of Data is not covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for Personal Data.

(b) For the purposes of the Standard Contractual Clauses the parties agree:

(i) SmartyAds shall be deemed the "data importer" and Publisher shall be deemed the "data exporter"; (ii)Annex A of this DPA shall replace Appendix 1 of the Standard Contractual Clauses; and (iii) Annex B of this DPA shall replace Appendix 2 of the Standard Contractual Clauses;

(c) For the purposes of the New SCCs the parties agree:

(i) SmartyAds shall be deemed the "data importer" and Publisher shall be deemed the "data exporter"; (ii) Module 1 (Transfer controller to controller) will apply to the processing of the data submitted based on the Principal Agreement (Annex A 1); ; Module 1 (Transfer Controller to Controller) will apply to the processing of the Publisher's Personnel Data (Annex A 2) (iii) in Clause 7, the optional docking clause will apply; (iv) in Clause 17, the New SCCs will be governed by laws of Switzerland; (v) in Clause 18(b), disputes shall be resolved by the applicable courts located in Switzerland; (vi) Annex A (1) to this DPA shall replace Annex I of the New SCCs; and (vii) Annex B to this DPA shall replace Annex II of the New SCCs. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses or New SCCs (as applicable). Accordingly, if and to the extent the Standard Contractual Clauses or the New SCCs conflict with any provision of the Agreement, including this DPA, the Standard Contractual Clauses or New SCCs (as applicable) shall prevail to the extent of such conflict.

9. Contact

Publisher shall inform SmartyAds the contact details of an individual authorized to respond to inquiries regarding the Data. Publishers hereby guarantee to deal with any and all inquiries regarding the Data promptly. SmartyAds Data Protection Officer authorized to respond from time to time to inquiries regarding the Data can be contacted via: dpo@smartyads.com

10. Changes in Law

In the event that there is a change in the Privacy Requirements that apply to the processing of Data, that would, in the reasonable opinion of a party, require changes to the SmartyAds Services, the means by which the SmartyAds Services are provided or used and/or terms and conditions of this DPA, that party reserves the right (acting reasonably) to request such changes; provided that, to the extent possible, the party requesting the change will provide at least thirty (30) days prior written notice (where email will be sufficient) of such changes and agrees to discuss such changes in good faith. If the requested changes will cause a material harm to any party (which includes for the avoidance of doubt, causing a party to be in breach of Privacy Requirements) or materially alter any party's provision or use (as applicable) of the SmartyAds Services, such party may terminate the Agreement for the affected SmartyAds Services upon written notice without liability for such termination.

11. Security

11.1 Technical and Organizational Measures.

Each Party shall implement appropriate technical, administrative, and organizational measures to ensure the protection of Data collected and processed in connection with the performance of the Agreement. The security measures implemented by SmartyAds are detailed in Annex C of this Addendum.

Publisher commits to safeguarding the privacy, security, integrity, and confidentiality of Data by applying commercially reasonable and industry-standard security measures that comply with all applicable laws. Upon request by SmartyAds, Publisher shall provide relevant documentation, including security policies, certifications, or other materials evidencing its data protection practices. Such requests shall be limited to one (1) per calendar year unless a Personal Data Breach has occurred.

11.2 Personal Data Breaches.

Each Party agrees to promptly notify the other of any incident involving, or reasonably suspected to involve, unauthorized access to, use of, disclosure of, alteration of, or storage of Data in its possession or under its control during the Term (a “Personal Data Breach”). Notification shall be made within twenty-four (24) hours of becoming aware of the breach and directed to the contact address specified in Section 9 – Contact.

The notifying Party shall provide all relevant information and documentation to enable the other Party to comply with any applicable legal obligations, including notifying supervisory authorities and/or affected Users. The Party responsible for the breach shall take all necessary steps to mitigate and remediate its effects. Where appropriate, the Parties shall cooperate closely in investigating, managing, and resolving the incident.

12. General

(a) Transfer arrangements: To the extent that SmartyAds adopts a data export mechanism not described in this DPA (including any new version of or successor to the Model Clauses pursuant to applicable European Data Protection Law) for the transfer of Data ("Alternative Transfer Mechanism"), such Alternative Transfer Mechanism shall apply instead of any mechanism described in this DPA. Notwithstanding anything to the contrary, an Alternative Transfer Mechanism shall only apply to the extent that it complies with Privacy Requirements applicable to the country where the processing activities take place. Publisher agrees to execute any document and take any appropriate action as reasonably necessary to give effect to such Alternative Transfer Mechanism.

(b) Cooperation and data subject rights: In the event that either party receives (i) any request from a data subject to exercise any of its rights under Privacy Requirements (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data (collectively, the "Correspondence") then, where such Correspondence relates to processing conducted by the other party, it shall promptly inform the other party and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfil their respective obligations under Privacy Requirements.

(c) Survival: This DPA shall survive termination or expiry of the Principal Agreement. Upon termination or expiry of the Principal Agreement, Publisher may continue to process the Data provided that such processing complies with the requirements of this DPA and Privacy Requirements.

(d) Miscellaneous: This DPA shall be governed by and construed in all respects in accordance with the governing law and jurisdiction provisions set out in the Principal Agreement, unless required otherwise by Privacy Requirements. With effect from the effective date of the Principal Agreement, this DPA shall be deemed a part of and incorporated into the Principal Agreement so that references in the Principal Agreement to the "Agreement" shall be interpreted to include this DPA. Except for the changes made by this DPA, the Principal Agreement shall remain unchanged and in full force and effect. In the event of any conflict or inconsistency between this DPA and any other term or terms of the Principal Agreement, this DPA shall prevail in respect of the subject (i.e., the protection of personal data).

Annex A (1)

List of parties

Controller/Data Importer

Name:SmartyAds, Inc.
Address:1201 N. Orange Street, Suite 762, Wilmington, New Castle County, DE 19801
Contact person’s name, position and contact details:

 

DPO at dpo@smartyads.com

 

Activities relevant to the data transfer:See Annex B (description of Transfer) below.
Signature and date:See DPA
Role:Controller

Controller/Data Exporter

Name:See Principal Agreement
Address:See Principal Agreement
Contact person’s name, position and contact details:See Principal Agreement
Activities relevant to the data transfer:See Annex B (description of Transfer) below.
Signature and date:See DPA
Role:Controller

Annex A (2)

List of parties

Controller/Data Importer

Name:SmartyAds, Inc.
Address:1201 N. Orange Street, Suite 762, Wilmington, New Castle County, DE 19801
Contact person’s name, position and contact details:

 

DPO at dpo@smartyads.com

 

Activities relevant to the data transfer:See Annex B (description of Transfer) below.
Signature and date:See Principal Agreement
Role:Controller

Controller/Data Exporter

Name:See Principal Agreement
Address:See Principal Agreement
Contact person’s name, position and contact details:See Principal Agreement
Activities relevant to the data transfer:See Annex B (description of Transfer) below.
Signature and date:See Principal Agreement
Role:Controller

Annex B

Defined terms are as set out in the Publisher Data Processing Addendum agreed between the parties.
Categories of Data Subjects whose Personal Data is transferred:

  • End users of the Publisher Properties or end users viewing ads delivered to the Publisher Properties

  • Publisher Personnel
    Categories of Personal Data transferred:
    End Users:

  • Identifiers: Identifier for Advertising (IFA, IDFA, GAID); User ID; Buyer ID; Device ID; IP address

  • Demographic information: location, year of birth, gender
    Publisher Personnel:

  • Contact details (first name, last name, email, country (region), address, telephone, Skype)

  • Bank details

  • Tax number
    Recipients:

  • Processors

  • Sub-contractors

  • Supervisory authority
    Special Categories of Data / Sensitive data transferred (if applicable):

  • None
    Frequency of the transfer:

  • End Users: Continuous

  • Publisher Personnel: Only at the moment of registration and when required to update the information
    Nature of the Processing:

  • The provision of the SmartyAds Services
    Purpose(s) of the data transfer and further processing:

  • End Users: For the Prescribed Purposes (as defined in this DPA)

  • Publisher Personnel: For business relationship and account management purposes
    Period for which Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

  • Personal Data will be retained in accordance with the SmartyAds Services Privacy Policy
    Contact points for data protection enquiries:

  • Data Importer: See Annex A

  • Data Exporter: See Annex A
    Competent Supervisory Authority:

  • The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, will be, for Data protected by the EU GDPR, the EU supervisory authority determined to be appropriate in the event that a relevant situation arises

  • For Data protected by the Swiss DPA: the Federal Data Protection and Information Commissioner ("FDPIC")

  • For UK Data: the Information Commissioner’s Office (the "ICO").

Annex C

Technical and organizational security measures

Type of measureTerms
Measures for ensuring confidentialitySmartyAds has implemented measures to ensure the integrity, availability and security of personal information, including vulnerability scans.
Measures for ensuring ongoing availability and adaptability of services

SmartyAds maintains personal data availability through a variety of technical, physical, and administrative measures.

Examples of these measures include: secured and monitored operational sites; processes and policies for topics such as incident response and review, and vendor review.


Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

 

Further measures include regular backups and disaster recovery plans.
 


Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational security measures in order to ensure the security of the processing

 


At least once annually, security measures relevant to the processing of personal data are reviewed and tested for alignment with industry good practices.

 


Measures for user identification and authorization

 

SmartyAds has in place procedures that comply with applicable law to authenticate requests from data subjects who have submitted rights request.

 

SmartyAds has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized employees with a "need to know".


Measures for the protection of Data during storage

 

As per the Principal Agreement, personal data processed in connection with the services will not contain any sensitive personal information, and will be limited in scope and cannot be directly identified with a natural person by SmartyAds.

 

Data is only stored for as long as necessary for legitimate business purposes.


Measures for ensuring physical security of locations at which personal data are processed

 

Facilities involved in the processing of personal data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, two-factor authentication, firewalls, and anti-malware. Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required in order to deliver advertising services under the Agreement.


SmartyAds provides personnel who access personal data with appropriate information security and data protection training.

Measures for certification/assurance of processes and productsSmartyAds participates in industry certification and self-regulatory programs such as IAB TCF 2.2 and Data Privacy Framework.


Measures for ensuring accountability

 

SmartyAds has implemented a privacy program that is appropriate to the scope and nature of personal data processed that includes at least a personal data breach policy and appointment of a data protection officer (DPO).


The foregoing measures are regularly reviewed (at least once a year) and updated to ensure alignment with applicable law and industry standards.


Measures for allowing data portability and ensuring erasure
SmartyAds has implemented and maintains procedures to ensure data portability and erasure that comply with data protection laws.

Demand Partner Data Processing Addendum

This Demand Partner Data Processing Addendum (hereinafter the "DPA") is entered into by and between SmartyAds Inc., 1201 N. Orange Street, Suite 762, Wilmington, New Castle County, DE 19801 (hereinafter the "SmartyAds") and you (hereinafter the "Demand Partner" or "You"), supplements and forms part of the Principal Agreement or any other written or electronic agreement referencing to this DPA between SmartyAds and Advertiser (or DSP or any other demand side partner) to reflect the parties' agreement with regard to the processing of personal data. 

SmartyAds and Demand Partner have entered into a master contract, or other such governing contract, together with one or more connected statements of work, purchase orders, contracts and/or agreements (collectively the "Principal Agreement"), under which Demand Partner may purchase digital advertising inventory via SmartyAds's services (the "SmartyAds Services"). This DPA is effective as of the date of the Principal Agreement entered into (hereinafter the "Effective Date"). 

Capitalized terms used in this DPA shall have the meanings given to them in the main body of the Principal Agreement unless otherwise defined in this DPA. SmartyAds is a provider of a technology platform which engages in the provision of auction of purchases of digital advertising inventory. Demand Partner is an advertiser, agency, demand-side platform or ad network which uses SmartyAds's technology platform or similar technology to engage in the buying of digital advertising inventory. 

The parties have entered into this DPA to ensure that in sharing such personal data pursuant to the Principal Agreement, they both comply with Privacy Requirements, with full respect for the fundamental data protection rights of the data subjects whose personal data will be processed.

IT IS AGREED:

1. Definitions:

"Controller" means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

"Privacy Requirements" means:
(i) European Data Protection Law, as applicable to Publisher, SmartyAds, its Demand Partners, and their respective Processing of Data under this DPA;
(ii) United States privacy laws, including the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020), the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), and other similar U.S. state laws, including their implementing regulations; and
(iii) any applicable self-regulatory codes, rules, or guidelines, including without limitation, the rules, codes and guidelines of the European Interactive Digital Advertising Alliance (EDAA), the Network Advertising Initiative (NAI), the Digital Advertising Alliance (DAA), and the IAB Transparency and Consent Framework (TCF) or IAB U.S. Privacy Framework (including GPP and US Privacy String), in each case, as amended, superseded, or replaced from time to time.

"Europe" means, for the purposes of this DPA, the European Economic Area (EEA), the United Kingdom and Switzerland.

"Industry Rules" means the Transparency and Consent Privacy Framework developed by the IAB Europe, its policies, its global vendor list and specifications and/or any other mutually agreed upon industry protocols.

"Model Clauses" means the Standard Contractual Clauses.

"Standard Contractual Clauses" means the standard contractual clauses for controllers (2004) as approved by the European Commission pursuant to the European Commission's decision C(2004) 5271 of 27 December 2004.

"New SCCs" means: the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

"Security Incident" means any event which resulted in, or which if successful had resulted in, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Data (as defined in Section 2 herein) while in the control of the Demand Partner, its affiliates, agents, subcontractors, processors or sub-processors etc.

"Standard Contractual Clauses" means:
(i) the standard contractual clauses and its appendices in European Commission Implementing Decision (EU) 2021/91 of 4 June 2021 relating to transfers of personal data to third countries pursuant to Regulation (EU) 2017/679 and any successor clauses issued from time to time by the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction, in each case, in relation thereto (the "EU SCCs") and
(ii) standard data protection clauses specified in regulations made by the Secretary of State under section 17C(b) of the 2018 Data Protection Act and for the time being in force in the United Kingdom (the "UK SCCs").

The terms "Commission", "Member State", "Personal Data Breach", "Supervisory Authority", "Data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Privacy Requirements.

2. Scope of processing:

The parties agree that unless otherwise agreed between the parties, based on the Principal Agreement signed between the parties SmartyAds will submit to Demand Partner the SmartyAds Services and/or Demand Partner may otherwise collect or receive certain data, including (but not limited to) in bid requests submitted to Demand Partner. Demand Partner acknowledges that such data (as described in the Principal Agreement) may contain personal data, as more particularly described in Annex A (collectively, the "Data").

The parties also agree that at the moment of the registration and/or signing of the Principal Agreement Demand Partner may provide data (including Personal Data) about or related to its personnel as more particularly described in Annex B of this DPA (hereinafter the "Demand Partner's Personnel Data").

3. Privacy Requirements

3.1 Compliance with Privacy Requirements

Each Party shall comply with all applicable privacy and data protection laws and regulations in connection with its performance under the Agreement, including but not limited to:

(i) the EU General Data Protection Regulation 2016/679 ("GDPR");

(ii) the EU ePrivacy Directive 2002/58/EC;

(iii) national laws implementing or replacing the GDPR or ePrivacy Directive;

(iv) the UK Data Protection Act 2018 and the Privacy and Electronic Communications Regulations ("PECR");

(v) the Swiss Federal Data Protection Act and its implementing regulations;

(vi) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA"), and related regulations;

(vii) any other U.S. State privacy laws including, but not limited to, the Virginia Consumer Data Protection Act ("VCDPA"), Colorado Privacy Act ("CPA"), Connecticut Data Privacy Act ("CTDPA"), and Utah Consumer Privacy Act ("UCPA");

(viii) any other data protection and privacy laws applicable to the Services or the Processing of Personal Data (collectively, "Privacy Requirements").

3.2 Transparency and Lawful Basis

Each Party shall maintain a publicly accessible privacy policy on its digital properties, ensuring compliance with Privacy Requirements, and shall independently ensure that it has a lawful basis for its processing of Data, including compliance with all relevant consent, notice, and opt-out requirements.

3.3 Controller Obligations

The Parties acknowledge and agree that each acts as an independent Controller with respect to the Data it processes and is solely responsible for its own compliance with Privacy Requirements, including but not limited to:

  • Observing data minimization and data accuracy principles;

  • Managing its own Processors, where applicable, and ensuring they provide sufficient guarantees for data protection compliance;

  • Complying with rights of Data Subjects or Consumers under Privacy Requirements, including responding to access, deletion, correction, and opt-out requests in a timely manner;

  • Implementing and maintaining appropriate technical and organizational security measures.

Demand Partner shall (if applicable):

  • maintain a valid TCF Vendor registration;

  • comply with the TCF Requirements applicable to TCF Vendors; and

  • process Data solely in accordance with the TCF Purposes.

3.4 US Privacy Compliance – Third Party and Service Provider Designation

For the purposes of the CCPA and other applicable U.S. privacy laws:

SmartyAds acts as a Third Party when receiving bid requests and associated personal information from the Demand Partner or supply-side platforms. As a Third Party, SmartyAds certifies it shall not Sell or Share personal information without appropriate notice and the opportunity to opt out being provided to the consumer by the first party or publisher.

Upon receiving a valid opt-out signal (e.g., via the Global Privacy Protocol ("GPP"), or other recognized mechanisms such as Global Privacy Control ("GPC")), SmartyAds shall act as a Service Provider and limit its processing to those business purposes permitted under the CCPA and applicable regulations.

SmartyAds shall not combine personal information across contexts unless permitted by the CCPA and shall refrain from using, disclosing, or retaining such information for any purpose other than as permitted under applicable privacy law and Principal Agreement.

Demand Partner shall have the right to take reasonable and appropriate steps to ensure that SmartyAds processes Data in a manner consistent with the Demand Partner’s obligations under the California Consumer Privacy Act ("CCPA"), including through regular reviews, audits, or other appropriate means.

In the event that the Demand Partner becomes aware of unauthorized use of Data by SmartyAds, or if such use is identified through monitoring activities, Demand Partner shall have the right to take reasonable and appropriate steps to stop and remediate such use. This may include suspending data transfers or terminating Principal Agreement if necessary.

SmartyAds shall promptly notify Demand Partner if it determines that it can no longer meet its obligations under the CCPA or is unable to process Personal Information in compliance with applicable Privacy Regulations and the terms of the Agreement.

Both Parties shall comply with obligations arising under any applicable privacy framework or signal, including IAB Tech Lab's MSPA, where applicable.

4. Relationship of the parties

a. Demand Partner agrees that it shall and shall ensure that its affiliates, agents, subcontractors, processors, sub-processors, buyers, partners, customers, clients, or any other third party using its SmartyAds Services (hereinafter the "Demand Third Parties") only process and collect the Data solely for the purposes expressly permitted under the Principal Agreement and in a manner that complies with this DPA, the Privacy Requirements, the Principal Agreement and, where applicable, the Industry Rules (collectively and individually, the "Prescribed Purposes").

b. The parties acknowledge that Demand Partner is a controller of the Data and that SmartyAds will process the Data as a data processor, and strictly for the Prescribed Purposes. In no event will the parties process the Data jointly as joint controllers. The parties also acknowledge that only for the purposes of the processing of the Demand Partner's Personnel Data, SmartyAds will be considered as the Controller, and Demand Partner will act as the Controller. SmartyAds hereby agrees that it will process and collect the Demand Partner's Personnel Data only in a manner that complies with the "Prescribed Purposes". The parties hereby agree that for the purposes of the processing of the Demand Partner's Personnel Data, the legal basis will be the Principal Agreement between the parties.

c. Compliance with law: Each party shall be individually and separately responsible for complying with the obligations that apply to it under Privacy Requirements as per the designated roles. Without limitation to the foregoing, each party shall maintain a publicly accessible privacy policy on its website that satisfies the requirements of Privacy Requirements.

d. Consent Signals: Demand Partner shall and shall ensure that the Demand Third Parties honor all "consent", "no consent" and "opt-out" signals received from SmartyAds (or any of its publisher clients or other sub-processors enabled by SmartyAds through the SmartyAds Services) in compliance with Privacy Requirements and, where applicable, the Industry Rules.

e. Deletion: Demand Partner will not, and will not permit any third party, to retain the Data for longer than the period during which the Demand Partner has a lawful basis to retain the Data for the Prescribed Purposes and in compliance with Privacy Requirements.

5. Purpose Limitation

Each Party agrees to collect, use, retain, and otherwise Process Data strictly for the purposes expressly defined in the Principal Agreement and in accordance with Privacy Requirements. Neither Party shall:

  • Process the Data for any purpose that is incompatible with the specified purposes under Principal Agreement;

  • Use the Data for its own direct marketing purposes unless it has obtained the necessary consent or has an appropriate legal basis to do so;

  • Disclose the Data to any third party unless such disclosure is authorized by Principal Agreement, required by law, or necessary to comply with a valid legal obligation.

Specifically, under the CCPA:

  • SmartyAds shall not retain, use, or disclose the Personal Information received through bid requests for any purpose other than for the specific business purposes defined in the Agreement or as otherwise permitted under the CCPA;

  • SmartyAds shall not use the Data to build or modify consumer profiles for use outside the permitted scope of processing, or to re-identify de-identified data;

  • In the event an opt-out signal is honored, SmartyAds shall continue to Process such Data only as a Service Provider and for the limited business purposes allowed under the CCPA.

6. Non-compliance

If Each PartyPublisher is unable to comply with its consent, opt out and and  notice obligations under the Agreement (including this DPA) in respect of the Data, that respective Party shall promptly notify another.

7. Co-operation and Data Subject Rights

The parties shall, on request, provide each other with all reasonable and timely assistance (at their own expense) and co-operation to enable the other party to comply with its obligations under the Privacy Requirements, including in order to enable the other party to respond to:

(I) any request from a data subject to exercise any of its rights (including its rights of access, correction, objection, erasure and data portability, as applicable) in relation to the Data;

(ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data (hereinafter the "Correspondence").

Each party shall promptly inform the other if it receives any Correspondence directly from a data subject in relation to the Data. Subject to obligations of confidentiality and policies on disclosure of information, where a party has a concern that the other party has not complied with this DPA, the parties agree to share information in order to ascertain the cause of such non-compliance and take reasonable steps to correct.

8. Standard Contractual Clauses

(a) The Standard Contractual Clauses and Section 5(b) of this DPA shall only apply where SmartyAds and Demand Partner entered into this DPA on or prior to September 27, 2021, and will apply through December 27, 2022, after which date the New SCCs and Section 5(c) will apply and the Standard Contractual Clauses will no longer apply. Where SmartyAds and Demand Partner enter into this DPA on or after September 27, 2021, the New SCCs and Section 5(c) shall apply. SmartyAds agrees to abide by and process Data in accordance with the Standard Contractual Clauses or the New SCCs, whichever apply as set forth in this Section 5(a) (collectively referred to as "Applicable SCCs"). 

The parties agree that the Applicable SCCs are hereby incorporated into and form an integral part of this DPA. The terms of the Standard Contractual Clauses and New SCCs (as applicable) will apply where and to the extent (i) the applicable transfer of Data is not subject to the laws of a jurisdiction recognized as providing an adequate level of protection for Personal Data (as described in applicable European Data Protection Law); or (ii) SmartyAds and the applicable transfer of Data is not covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for Personal Data.

(b) For the purposes of the Standard Contractual Clauses the parties agree, (i) SmartyAds shall be deemed the "data exporter" and Demand Partner shall be deemed the "data importer"; (ii) Annex A of this DPA shall replace Appendix 1 of the Standard Contractual Clauses; and (iii) Annex B of this DPA shall replace Appendix 2 of the Standard Contractual Clauses;

(c) For the purposes of the New SCCs the parties agree, (i) SmartyAds shall be deemed the "data exporter" and Demand Partner shall be deemed the "data importer"; (ii) Module 14 (Transfer controller to controller) will apply to the processing of the data submitted based on the Principal Agreement (Annex A 1); Module 1 (Transfer Controller to Controller) will apply to the processing of the Demand Partner's Personnel Data (Annex A 2); (iii) in Clause 7, the optional docking clause will apply; (iv) in Clause 17, the New SCCs will be governed by laws of Switzerland; (v) in Clause 18(b), disputes shall be resolved by the applicable courts located in Switzerland; (vi) Annex A to this DPA shall replace Annex I of the New SCCs; and (vii) Annex B to this DPA shall replace Annex II of the New SCCs. 

It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses or New SCCs (as applicable). Accordingly, if and to the extent the Standard Contractual Clauses or the New SCCs conflict with any provision of the Agreement, including this DPA, the Standard Contractual Clauses or New SCCs (as applicable) shall prevail to the extent of such conflict.

9. Contact

Demand Partner shall inform SmartyAds the contact details of an individual authorized to respond to inquiries regarding the Data. Demand Partner hereby guarantees to deal with any and all inquiries regarding the Data promptly. SmartyAds Data Protection Officer authorized to respond from time to time to inquiries regarding the Data can be contacted via: dpo@smartyads.com

10. Changes in Law

In the event that there is a change in the Privacy Requirements that apply to the processing of Data, that would, in the reasonable opinion of a party, require changes to the SmartyAds Services, the means by which the SmartyAds Services are provided or used and/or terms and conditions of this DPA, that party reserves the right (acting reasonably) to request such changes; provided that, to the extent possible, the party requesting the change will provide at least thirty (30) days prior written notice (where email will be sufficient) of such changes and agrees to discuss such changes in good faith. If the requested changes will cause a material harm to any party (which includes for the avoidance of doubt, causing a party to be in breach of Privacy Requirements) or materially alter any party's provision or use (as applicable) of the SmartyAds Services, such party may terminate the Agreement for the affected SmartyAds Services upon written notice without liability for such termination.

11. Security

11.1 Technical and Organizational Measures.

Each Party shall implement appropriate technical, administrative, and organizational measures to ensure the protection of Data collected and processed in connection with the performance of the Agreement. The security measures implemented by SmartyAds are detailed in Annex C of this Addendum.
Demand Partner commits to safeguarding the privacy, security, integrity, and confidentiality of Data by applying commercially reasonable and industry-standard security measures that comply with all applicable laws. Upon request by SmartyAds, Demand Partner shall provide relevant documentation, including security policies, certifications, or other materials evidencing its data protection practices. Such requests shall be limited to one (1) per calendar year unless a Personal Data Breach has occurred.

11.2 Personal Data Breaches.

Each Party agrees to promptly notify the other of any incident involving, or reasonably suspected to involve, unauthorized access to, use of, disclosure of, alteration of, or storage of Data in its possession or under its control during the Term (a “Personal Data Breach”). Notification shall be made within twenty-four (24) hours of becoming aware of the breach and directed to the contact address specified in Section 8 – Contact.
The notifying Party shall provide all relevant information and documentation to enable the other Party to comply with any applicable legal obligations, including notifying supervisory authorities and/or affected Users. The Party responsible for the breach shall take all necessary steps to mitigate and remediate its effects. Where appropriate, the Parties shall cooperate closely in investigating, managing, and resolving the incident.

12. General Terms 

(a) International transfers: Where GDPR applies to the Data, the Demand Partner shall not process any such Data (nor permit any Data to be processed) in a territory outside of Europe (whether directly or via onward transfer) unless it has taken such measures as are necessary to ensure the transfer is in compliance with GDPR and this DPA.

(b) Transfer arrangements: To the extent that SmartyAds adopts a data export mechanism not described in this DPA (including any new version of or successor to the Model Clauses pursuant to applicable Privacy Requirements) for the transfer of Data (the "Alternative Transfer Mechanism"), such Alternative Transfer Mechanism shall apply instead of any mechanism described in this DPA. Notwithstanding anything to the contrary, an Alternative Transfer Mechanism shall only apply to the extent that it complies with Privacy Requirements applicable to the country where the processing activities take place. Demand Partner agrees to execute any document and take any appropriate action as reasonably necessary to give effect to such Alternative Transfer Mechanism.

(c) Survival: This DPA shall survive termination or expiry of the Principal Agreement. Upon termination or expiry of the Principal Agreement, Demand Partner may continue to process the Data provided that such processing complies with the requirements of this DPA and Privacy Requirements.

(d) Miscellaneous: This DPA shall be governed by and construed in all respects in accordance with the governing law and jurisdiction provisions set out in the Principal Agreement, unless required otherwise by Privacy Requirements. With effect from the effective date of the Principal Agreement, this DPA shall be deemed a part of and incorporated into the Principal Agreement so that references in the Principal Agreement to the "Agreement" shall be interpreted to include this DPA. Except for the changes made by this DPA, the Principal Agreement shall remain unchanged and in full force and effect. In the event of any conflict or inconsistency between this DPA and any other term or terms of the Principal Agreement, this DPA shall prevail in respect of the subject (i.e., the protection of personal data).

Annex A

List of parties

Controller/Data Exporter

Name:SmartyAds, Inc.
Address:1201 N. Orange Street, Suite 762, Wilmington, New Castle County, DE 19801
Contact person’s name, position and contact details:

 

DPO at dpo@smartyads.com

 

Activities relevant to the data transfer:See Annex B (description of Transfer) below.
Signature and date:See Principal Agreement
Role:Controller

Controller/Data Importer

Name:See Principal Agreement
Address:See Principal Agreement
Contact person’s name, position and contact details:See Principal Agreement
Activities relevant to the data transfer:See Annex B (description of Transfer) below.
Signature and date:See Principal Agreement
Role:Controller

Annex A (2)

List of parties

Controller/Data Importer

Name:SmartyAds, Inc.
Address:1201 N. Orange Street, Suite 762, Wilmington, New Castle County, DE 19801
Contact person’s name, position and contact details:

 

DPO at dpo@smartyads.com

 

Activities relevant to the data transfer:See Annex B (description of Transfer) below.
Signature and date:See Principal Agreement
Role:Controller

Controller/Data Exporter

Name:See Principal Agreement
Address:See Principal Agreement
Contact person’s name, position and contact details:See Principal Agreement
Activities relevant to the data transfer:See Annex B (description of Transfer) below.
Signature and date:See Principal Agreement
Role:Controller

Annex B

Description of transfer

Defined terms are as set out in the Demand Partner Data Processing Addendum agreed between the parties.

Categories of Data Subjects whose Personal Data is transferred:

  • End users, submitted to Demand Partner via the SmartyAds Services

  • Demand Partner's Personnel

Categories of Personal Data transferred:

End users (as allowed by oRTB 2.6 specification):

  • Identifiers: Identifier for Advertising (IFA; IDFA; GAID); User ID; Buyer ID; Device ID; IP address

  • Demographic information: location, year of birth, gender

Demand Partner's Personnel:

  • Contact details (first name, last name, email, country (region), address, telephone and Skype)

Recipients: sub-contractors, supervisory authority

Sensitive data transferred (if applicable): None.

Frequency of the transfer:

  • End Users – Continuous

  • Demand Partner's Personnel – Only at the moment of registration and when required to update the information.

Nature of the Processing:
Personal data transferred will be processed in accordance with the Principal Agreement (including this DPA) and may be subject to the following processing activities:

  1. Storage and other processing necessary to provide the SmartyAds Services to the Data Importer

  2. Disclosures in accordance with the Principal Agreement and/or as required by Privacy Requirements

Purpose(s) of the data transfer and further processing:

  • End Users: To enable Data Importer to process the Data solely for purposes expressly permitted under the Principal Agreement and in a manner that complies with the European Data Protection Law (the "Prescribed Purposes")

  • Demand Partner's Personnel: For business relationship and account management purposes.

Period for which Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
Data Importer will not, and will not permit any third party, to retain the Data for longer than the period during which the Data Importer has a lawful basis to retain the Data for the Prescribed Purposes and in compliance with the European Data Protection Law.

Contact points for data protection enquiries:

  • Data Exporter: See Annex A

  • Data Importer: See Annex A / Principal Agreement

Competent Supervisory Authority
The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, will be, for Data protected by the EU GDPR, the EU supervisory authority determined to be appropriate in the event that a relevant situation arises, and for Data protected by the Swiss DPA, the Federal Data Protection and Information Commissioner ("FDPIC"). With respect to UK Data, the competent supervisory authority is the Information Commissioner’s Office (the "ICO").

Annex C

Technical and organizational security measures

The technical and organizational security measures implemented by SmartyAds to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are as follows:

Type of measureTerms
Measures for ensuring confidentialitySmartyAds has implemented measures to ensure the integrity, availability and security of personal information, including vulnerability scans.
Measures for ensuring ongoing availability and adaptability of services

SmartyAds maintains personal data availability through a variety of technical, physical, and administrative measures.

Examples of these measures include: secured and monitored operational sites; processes and policies for topics such as incident response and review, and vendor review.


Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

 

Further measures include regular backups and disaster recovery plans.
 


Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational security measures in order to ensure the security of the processing

 


At least once annually, security measures relevant to the processing of personal data are reviewed and tested for alignment with industry good practices.

 


Measures for user identification and authorization

 

SmartyAds has in place procedures that comply with applicable law to authenticate requests from data subjects who have submitted rights request.

 

SmartyAds has operational and technical controls in place to ensure that access to systems that process personal data is only granted to authorized employees with a "need to know".


Measures for the protection of Data during storage

 

As per the Principal Agreement, personal data processed in connection with the services will not contain any sensitive personal information, and will be limited in scope and cannot be directly identified with a natural person by SmartyAds.

 

Data is only stored for as long as necessary for legitimate business purposes.


Measures for ensuring physical security of locations at which personal data are processed

 

Facilities involved in the processing of personal data are accessible only by authorized personnel. Technical controls in place to secure processing facilities include access controls, two-factor authentication, firewalls, and anti-malware. Personal data can only be accessed by personnel who have a need-to-know and whose access to such information is required in order to deliver advertising services under the Agreement.


SmartyAds provides personnel who access personal data with appropriate information security and data protection training.

Measures for certification/assurance of processes and productsSmartyAds participates in industry certification and self-regulatory programs such as IAB TCF 2.2 and Data Privacy Framework.


Measures for ensuring accountability

 

SmartyAds has implemented a privacy program that is appropriate to the scope and nature of personal data processed that includes at least a personal data breach policy and appointment of a data protection officer (DPO).


The foregoing measures are regularly reviewed (at least once a year) and updated to ensure alignment with applicable law and industry standards.


Measures for allowing data portability and ensuring erasure
SmartyAds has implemented and maintains procedures to ensure data portability and erasure that comply with data protection laws.