Mediavine Data Processing Agreement – Advertising Management

This Data Processing Agreement (“DPA”) is between Mediavine, Inc. (“Mediavine”) and you (the “Publisher” or “You”) (collectively the “Parties).

This DPA and the Standard Contractual Clauses (SCCs), if applicable, will become legally binding on the Effective Date of the Agreement.

1. Definitions 

“Applicable Data Protection Law” refers to laws and regulations related to the Processing of Personal Data.

“Agreement” refers to the  Advertising Management Agreement between Mediavine and the Publisher.

“EU GDPR” means ​​Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

“EU Standard Contractual Clauses (EU SCCs)” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914 of 4 June 2021.

“Joint Controller” means a Controller acting jointly with one or more Controllers to determine the purposes and means of processing.

“Personal Data or Personal Information” means any information collected through the Property in connection with the Program that relates to an identified or identifiable person and includes the similarly defined terms under Applicable Data Protection Law.

“Program’ means Mediavine’s placement of display advertisements and/or other promotions, including, but not limited to, banner advertisements, sidebar advertisements, in-content advertisements, and text-based advertisements (the “Ads”) on your Property. 

“Property” means the domain provided by You and all subdomains.

“Security Incident or Personal Data Breach” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed under the Agreement and includes the similarly defined terms under Applicable Data Protection Law.

“Standard Contractual Clauses” means the EU SCCs and/or the UK SCCs, as applicable.

“UK GDPR” means the UK Data Protection Act 2018 and the GDPR as it forms part of UK law by virtue of Section 3 of the European Union (Withdrawal) Act 2018.

“UK International Data Transfer Addendum (UK SCCs)” means the template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018.

All other definitions, including but not limited to “Controller”, “Processor”, “Business”, “Organization”, “Processor”, “Service Provider”, “Third Party”, “Data Intermediary”, “Data Subject”, “Consumer”, “Processing”, “Handling”, “Sale”, “Sell”, “Share”, “Commercial Purpose”, and “Supervisory Authority” (or equivalent terms), have the meaning set out under the Applicable Data Protection Law.

2. Duration and Contact

2.1 Duration and Survival. The Parties will Process Personal Data until the relationship between the Parties terminates as specified in the Agreement or as required by law. The Parties’ obligations and rights will continue in effect so long as Personal Data is Processed under the Agreement. 

2.2 Mediavine Contact. Director of Privacy and Compliance – Privacy@Mediavine.com.

3. Details of Personal Data Processing

3.1 Relationship of the Parties. When Personal Data is Processed under the Agreement, the Parties are the Joint Controllers of that Personal Data.  

The Parties will be Independent Controllers for any Processing of the Personal Data outside of the terms of the Agreement.

3.2. CCPA.  When Mediavine’s Processing of Personal Data is subject to the California Consumer Privacy Act of 2018 California Civil Code § 1798.100 et seq. (“CCPA”), or other Applicable Data Protection Law with restrictions on Selling or Sharing Personal Data, the Publisher is the Business and Mediavine is a Third Party.  Mediavine will notify the Publisher if it can no longer meet its obligations as a Third Party.

4.  Obligations of Parties as Joint Controllers

4.1 Applicable Data Protection Law.  Each Party will comply and will be able to demonstrate its compliance with its obligations under Applicable Data Protection Law.

4.2 Purpose Limitation.  Each Party will only Process, Sell, or Share Personal Data for the specific purpose outlined in the Agreement.  A Party may only process the Personal Data for another purpose: (i)  Where it has obtained the data subject’s prior consent; (ii) Where necessary to establish, exercise, or defend legal claims in administrative, regulatory, or judicial proceedings, or (iii)  Where required by applicable law. 

4.3 Confidentiality. Both Parties will treat the Personal Data as confidential, and ensure that their employees and contractors have signed a confidentiality agreement, are bound to a duty of confidentiality, and/or are under a statutory obligation of confidentiality.

4.4 Data Protection Impact Assessment and Prior Consultation. Each Party will conduct its own data protection impact assessment if required by Applicable Data Protection Law.  Each Party will provide reasonable assistance to the other Party in carrying out data protection impact assessments related to the Agreement and in required consultations with regulatory authorities under Applicable Data Protection Law.

4.5 Record of Processing Activities.  Each Party will maintain its own record of processing activities if required by Applicable Data Protection Law.

4.6 Website Privacy Notice.  Each party will maintain a publicly accessible privacy notice on its website that is in compliance with the terms of the Agreement and with Applicable Data Protection Laws.

4.7 Breach of Obligations.  Neither Party will perform its obligations under this DPA and/or ask the other Party to perform its obligations in such a way as to cause the other Party to breach its obligations under Applicable Data Protection Laws.

4.8 Security. To the extent that Personal Data is Processed in connection with the Agreement, each Party agrees to implement and maintain its own appropriate organizational and security measures to protect such Personal Data and ensure a level of security appropriate to the risk. 

4.9 Security Incident. After becoming aware of a Security Incident affecting Personal Data Processed under this DPA, the Party becoming aware agrees to provide prompt written notice to the other Party without undue delay and within the time frame required under Applicable Data Protection Law, but in no event longer than twenty-four (24) hours. Such notice will include all available details required under Applicable Data Protection Law allowing for each Party to comply with its notification obligations to regulatory authorities or individuals affected by the breach.

4.10 Contracts with Processor.  If a Party hires a Processor to assist them with the Processing of the Personal Data subject to this DPA or the Agreement, that Party will ensure that a contract with terms in compliance with Applicable Data Protection Laws is executed between the Party and the Processor.  

5.  Publisher Responsibilities. Publisher agrees to be responsible for:

• Ensuring the Property complies with all laws, including Applicable Data Protection Law
• Obtaining any consents necessary to collect Personal Data from the users of the Property
• Offering users of the Property the right to opt-out of the sale and sharing of their Personal Data or use of Personal Data for purposes of targeted advertising
• Using the Mediavine Consent Management Platform (CMP) for displaying ads in the EU or other countries or US States that require consent to display personalized or targeted advertising.
• Notifying Mediavine within 36 hours after receiving an access and/or deletion request or other data subject access rights request from a user of your Property so that Mediavine may handle this request in accordance with Applicable Data Protection Law.
• Relaying any opt-out signals sent by users of the Property to Mediavine
• Providing any required notifications to regulatory authorities for data transfer

6.  Mediavine’s Responsibilities. Mediavine agrees to be responsible for:

• Responding to user access/deletion requests or other data subject access rights requests from a user of your Property sent to Mediavine directly by the user or forwarded to Mediavine by the Publisher in accordance with Data Protection Laws
• Complying with all opt-out signals provided by Publisher 
• Providing Mediavine’s Consent Management Platform for use on the Publisher’s Property  

7. Audit

7.1 Audit. Each Party will have the right to audit the other Party’s compliance with this DPA once annually or as necessary if the Party has a good faith basis to believe the DPA is not being complied with. Any audit under this section will be: 1) conducted with reasonable advance written notice; 2) of reasonable scope and duration and not interfere with day-to-day operations; 3) conducted by the Party requesting the audit or by independent auditors, who are subject to the duty of confidentiality, and to which the Party being audited does not reasonably object and 4) at the expense of the Party requesting the audit and may include costs of time and resources expended by the audited Party at the audited Party’s professional services rate. The right to audit does not include the right to perform direct testing, such as internal vulnerability scanning or penetration testing.

8. Indemnification and Liability

8.1 Indemnification. Subject to the limitation of liability described herein, Mediavine will indemnify the Customer and hold the Customer harmless against third-party claims, actions, losses, damages, and expenses incurred by the Customer in connection with or arising from a (i) Security Incident caused by the Mediavine (ii)  Mediavine violation of privacy laws; or (iii) Mediavine’s material breach of its obligations under the DPA.

Customer will indemnify Mediavine and hold Mediavine harmless against third-party claims, actions, losses, damages, and expenses incurred by Mediavine in connection with or arising from a (i) Security Incident caused by the Publisher. (ii)  Publishers violation of privacy laws; or (iii) Publisher’s breach of its obligations under the DPA.

8.2 Limitation of Liability. Mediavine’s cumulative aggregate liability to the Publisher under this DPA will be limited to two (2) times the amounts paid to the Publisher during the twelve (12) months immediately prior to the date that the relevant cause of action accrued.

9. Cross-Border Data Transfers (if applicable)

9.1 EU SCCs. For Personal Information protected by the EU GDPR or for Personal Data protected by a country that recognizes the EU SCCs as an approved transfer mechanism, the EU SCCs will apply as follows:

9.1.1 The EU Controller to Controller Transfer Clauses. Both Parties shall comply with the EU Controller to Controller Transfer Clauses (Module 1), subject to Appendix 3 of this DPA; and/or

9.2 UK SCCs. For Personal Information protected by the UK GDPR, the UK SCCs will apply completed as follows:

Where Mediavine and Publisher are lawfully permitted to rely on the EU SCCs for transfers of Personal Information from the United Kingdom subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then:

1. The EU SCCs, as set out above, will also apply to transfers of such Personal Information, and
2. The UK Addendum will be deemed executed between Mediavine and Publisher, and the EU SCCs will be deemed amended as specified by the UK Addendum regarding the transfer of Personal Information.

To the extent of any inconsistency between this DPA and the applicable Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

Appendix 1

A. LIST OF PARTIES

Data Exporter
Publisher using the Mediavine Program as per the Agreement for ad management.

Data Importer
Mediavine, the Data Importer, assists with ad management, including but not limited to the placement of display advertisements and/or other promotions, including, but not limited, banner advertisements, sidebar advertisements, in-content advertisements, and text-based advertisements 

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

• Users of Publisher’s Property
• Publishers 

Categories of personal data transferred

Users Data

• Advertising Identifier 
• IP Address
• Operating System type
• Operating System version
• Device Type and Model
• Cookie information
• Language of the Website
• Web Browser Type
• Geolocation
• Usage Information
• Interactions between Users and Advertising and Websites

Publishers’ Data 

• Name
• Email
• Address
• Phone number
• Name/Email addresses of Publisher Employees and/or Contractors
• Age Range
• Marital Status

Sensitive Data Transferred (if applicable)

Publishers Personal Data for Use in the Sale of Ads

• Racial or Ethnic Origin
• Gender
• Sexual Orientation
• Gender Identity
• Veteran Status
• Disability
• Number and Ages of Children

Frequency of the Transfer
Data is transferred on a continuous basis and for the duration of the Agreement except where otherwise required or allowed by Applicable Data Protection Law.

Nature of the Processing
The nature of processing is the performance under the Agreement. 

Duration of Processing
Term of the Agreement

C. COMPETENT SUPERVISORY AUTHORITY

The Supervisory Authority shall be those designated in the jurisdiction section of the Agreement. If the Agreement does not designate a jurisdiction in an EU Member State or the UK, the Supervisory Authority will be the Ireland Data Protection Authority and/or the UK Information Commissioner’s Office.

Appendix 2: Security Technical and Organizational Measures for Mediavine to Ensure the Security of Personal Data

Measures of pseudonymization and encryption of personal data
Pseudonymization. Mediavine uses pseudonymization, such as hashed emails, wherever possible to protect personal data.

Encryption. Mediavine encrypts data in its platforms on AWS using industry-accepted TLS 1.2 for data in transit and AES-256 for data at rest. 

Measures for ensuring ongoing confidentiality, integrity and availability, and resilience of processing systems and services
AWS Infrastructure. Mediavine performs daily backups of its AWS databases.  Backups are encrypted.  

Confidentiality Agreements. Agreements between Mediavine and Publisher contain confidentiality obligations. 

Mediavine employees sign confidentiality agreements.

Measures for ensuring the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
Incident Management.  Mediavine maintains an incident response plan within its runbooks for each product.  A member of the Site Reliability Team is on call 24/7 for incident and data breach management. 

Recovery and Response. Mediavine maintains its runbooks for each product for recovery and response purposes. 

Processes for regular testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing
Quality Assurance:  Mediavine has a dedicated QA team with members embedded into each development team.  All code is tested before deploying to production.  

Measures for user identification and authorization
AWS Access Controls.  Mediavine requires employees to use Virtual Private Networking (VPN) when accessing AWS remotely.  Privileged accounts require multi-factor authentication.  

AWS Access Grant and Removal.  Access to Mediavine’s AWS infrastructure is granted on a need-to-know basis and must be specifically granted by the Site Reliability Team.  When an employee no longer has the need to access the infrastructure, their access is promptly revoked by the Site Reliability Team.

Measures for the protection of data during transmission
Transit Encryption. Mediavine encrypts data in AWS using industry-accepted TLS 1.2 for data in transit. Transmission across open, public networks is encrypted using cryptography and security protocols.  

Measures for the protection of data during storage
Storage Encryption. Mediavine encrypts data in AWS using industry-accepted AES-256 for data at rest.  

Measures for ensuring the physical security of locations at which personal data are processed
Physical Access Controls and Cloud Security. Mediavine uses AWS as its secure hosting and data storage provider for its platforms. AWS meets System and Organization Controls (SOC) verified by independent third-party examination reports demonstrating how it achieves key compliance controls as evidence at: https://aws.amazon.com/compliance/.

Workstation Security. Mediavine protects company-owned workstations against malware using MacOS privacy and security features. Mediavine uses a mobile device management solution for remote locking and device wiping.  

Measures for ensuring events logging
Logging.  Mediavine retains application logs for analysis for at least seven (7) days.  

Measures for ensuring system configurations, including draft configurations
SDLC.  Mediavine applies Secure Software Development Lifecycle (SDLC) standards. Code changes and reviews are tracked in a project management platform and pull requests are tracked in a source-code-management system. Code is tested by a dedicated QA team and/or tools before proceeding into production. 

Measures for internal IT and IT security governance and management
Inventory of Personal Data. Mediavine keeps an inventory of where Personal Data may be processed and stored.

Compliance and Risk.  Mediavine has privacy professionals to perform risk assessments and maintain its security and privacy policies and procedures. 

Measures for ensuring data minimization
Data Deletion. Mediavine deletes data when it no longer serves the purpose for which it was collected.  Mediavine will assist its Publisher and their Users with data deletion requests.  

Measures for ensuring data quality
Data Segregation.  Mediavine uses a single shared database and segments Publisher access using permission controls.  

Measures for ensuring limited data retention
Data Retention in Program. Mediavine keeps Personal Data storage to a minimum and implements data retention and disposal policies to limit data storage in accordance with the needs of its customers.

Measures for ensuring accountability
Audits. Mediavine conducts regular internal audits to ensure compliance with privacy and security standards.

Measures for allowing data portability and ensuring erasure
Data Subject Rights. Mediavine will handle user requests for access or deletion on behalf of the Publisher in accordance with Applicable Data Protection Law.  

Appendix 3: Standard Contractual Clauses

STANDARD CONTRACTUAL CLAUSES: OPTIONS AND ADDITIONAL TERMS

For the purposes of the EU Controller to Controller Transfer Clauses, Publisher is the data exporter, and Mediavine is the data importer, and the Parties agree to the following.

Reference to the Standard Contractual Clauses. The relevant provisions in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA..

Clause 7:  Docking Clause.  The docking clause shall apply.

Clause 11:  The option under Clause 11 on Redress shall apply.

Clause 17:  Governing Law. The Parties agree that these Clauses shall be governed by the laws of Ireland.

Clause 18:  Choice of forum and jurisdiction. The Parties agree that any disputes arising from these Clauses shall be resolved by the courts of Ireland.

The term “member state” is not to be interpreted in such a way as to exclude data subjects in Switzerland or in other countries accepting the EU SCCs for data transfer from the possibility of suing for their rights in their place of habitual residence.

Annexes. The SCC Annexes are set out as follows:

• The contents of Appendix 1 of this DPA shall form Annex I to the Standard Contractual Clauses
• The contents of Appendix 2 to this DPA shall form Annex II to the Standard Contractual Clauses.

Effective March 29, 2023