These Data Terms are incorporated into the Agreement between MexLucky and Customer. Capitalized terms used but not otherwise defined herein shall have the meanings ascribed to them in the Agreement.
DATA AND PRIVACY
Privacy Policies. Customer agrees to post on its website a privacy policy that (i) complies with Applicable Law and (ii) accurately discloses all applicable data collection, use and disclosure practices, including, but not limited to, an explanation of the purposes for which data is collected by or will be transferred to, third parties, the use of cookies, pixels, beacons, locally stored objects, or other similar technologies by third parties for purposes of targeting individual end users with interest-based, and other types of Advertisements. Customer shall comply with its privacy policy. Customer further agrees that its privacy policy will provide end users with a conspicuous link to a functional opt-out page. If Customer uses the MexLucky Materials to buy Inventory directly or indirectly on behalf of any third party, Customer will ensure that such third party complies with this provision.
Customer Data Use. Customer may not use, sell, or otherwise disclose the MexLucky Data, except that, subject in each case to the restrictions below, Customer may use and disclose MexLucky Data: (a) to evaluate and purchase Inventory through the MexLucky Platform in connection with this Agreement, (b) to provide aggregate reporting to the applicable Advertiser for which Customer is purchasing Inventory, and (c) as required by court order, law, or governmental or regulatory agency (after, if permitted, giving prior written notice to Magnite). Customer may not use any MexLucky Data to create or supplement user profiles or targetable segments. All such use of the MexLucky Materials by Customer must comply with Customer’s privacy polic(ies), all applicable laws, regulations, self-regulatory principles, and the Digital Advertising Alliance principles. Customer may not combine any pseudonymous personal data received via the MexLucky Materials with any identifying personal data without the end user’s consent.
Required Consent. To the extent that any data, including persistent identifiers (such as IP address or device identifiers) or precise geo-location data, about end users are collected, used, transmitted, or processed by or on behalf of Customer or a party on behalf of which Customer is directly or indirectly buying Inventory using MexLucky Materials, Customer represents and warrants that all necessary disclosures have been provided to and appropriate consents have been or will be obtained from such end user (“Required Consents”), as applicable. These Required Consents include, but are not limited to, those necessary to collect information about individual end users through the use of technologies, such as cookies and pixels, located on the End User’s device, and to pass such information to MexLucky for processing in accordance with the Agreement. All Required Consents shall be obtained by Customer before any such technologies are set on the applicable End User’s device, regardless of whether such technologies are set directly by Customer or by or through Magnite.
MexLucky Data Use. MexLucky shall have the right to collect, use, and disclose data transmitted through or otherwise derived from Customer’s use of the MexLucky Materials as described in the applicable MexLucky privacy polic(ies).
DATA PROCESSING
MexLucky will process any Personal Information that Customer includes in its use of the MexLucky Materials (the “Customer Personal Data“) on Customer’s behalf as a processor, and Customer shall be the controller of such data. Customer represents and warrants that it will not, and it shall not, send any Restricted Personal Information to MexLucky or the MexLucky Materials. With regard to Customer Personal Data, MexLucky shall:
(a) process Customer Personal Data only in accordance with Customer’s documented instructions and not for Magnite’s own purposes. If MexLucky is required to process Customer Personal Data for any other purpose by a law to which MexLucky is subject, MexLucky shall inform Customer of this requirement before the processing, unless that law prohibits this on grounds of public interest;
(b) promptly notify Customer if it determines that it cannot comply with its data processing obligations under these Data Terms. In such event, MexLucky shall work with Customer and take all reasonable and appropriate steps to remediate (if remediable) any processing until such time as the processing complies with the subject requirements. MexLucky shall immediately cease processing Customer Personal Data if Customer determines MexLucky has not or cannot correct any non-compliance with these processing requirements within a reasonable time frame;
(c) taking into account the nature of the processing, reasonably cooperate with Customer to respond to any requests, complaints, or other communications from data subjects and regulatory or judicial bodies relating to the processing of Personal Information under the Agreement, including requests from data subjects seeking to exercise their rights under Applicable Laws. In the event that any such request, complaint, or communication is made directly to Magnite, MexLucky shall promptly pass this onto Customer and shall not respond to such communication without Customer’s express authorization;
(d) taking into account the nature of the processing and the information available to Magnite, reasonably assist Customer, at Customer’s cost, to ensure compliance with the obligations under the GDPR with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators;
(e) upon termination of this Agreement or upon Customer’s request, destroy all Customer Personal Data (unless a law requires storage of the Customer Personal Data); and
(f) make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in these Data Terms and, upon prior written notice, and not more than once per calendar year, with 30 days’ written notice, contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer at Customer’s cost.
Customer acknowledges and agrees that MexLucky may retain its Affiliates and other third parties as sub-processors (all together “Sub-Processors“) in connection with the provision of the MexLucky Materials. MexLucky shall not subcontract any processing of Personal Information to a sub-Processor without the prior written consent of Customer. Notwithstanding this, Customer consents to MexLucky engaging in Sub-Processors to process Personal Information provided that Magnite:
(1) provides at least 30 days’ prior written notice to Customer of the engagement of any new Sub-Processor;
(2) imposes the same data protection obligations as are imposed on MexLucky under this Agreement; and
(3) will be liable to Customer for any breach of these Data Terms that is caused by an act, error or omission of such Sub-Processor.
RESTRICTED TRANSFERS
The Parties agree that, when the transfer of Personal Information from Customer to MexLucky is a Restricted Transfer, it shall be subject to the appropriate SCCs as follows:
(a) in relation to data that is protected by the GDPR, the EU SCCs will apply completed as follows:
1) Module Two will apply;
2) in Clause 7, the optional docking clause will apply;
3) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be done with 30 days’ prior written notice;
4) in Clause 11, the optional language will not apply;
5) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
6) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
7) Annex I of the EU SCCs shall be deemed completed with the information in Annex I below; and
8) Annex II of the EU SCCs shall be deemed completed with the information in Annex II below.
(b) in relation to data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:
1) Appendix 1 of the UK SCCs shall be deemed completed with the information in Annex I below; and
2) Appendix 2 of the UK SCCs shall be deemed completed with the information in Annex II below.
(c) in the event that any provision of this Agreement contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
SECURITY
MexLucky maintains records in accordance with the Sarbanes-Oxley Act. MexLucky will ensure that its personnel and subcontractors who have access to the Customer Personal Data have committed themselves to confidentiality and are aware of and comply with Magnite’s duties and their personal duties and obligations under this Agreement.
MexLucky will maintain appropriate technical and organizational security measures to ensure a level of security appropriate to the risks that are presented by the processing of Customer Personal Data (“Security Measures”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for tA. DESCRIPTION OF TRANSFERhe rights and freedoms of natural persons. At a minimum, MexLucky agrees to the following Security Measures (i) Personal Information is not changed while stored, transferred or otherwise processed, unless such change constitutes a functionality of the MexLucky Services, and Customer has provided its acknowledgement thereof; (ii) Personal Information that is stored, transferred or otherwise processed is encrypted or kept in another equally secure format; (iii) the availability of and access to Personal Information can be ensured in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing is in place; (v) logs are kept of all processing performed under the Agreement; and (vi) appropriate safeguards are in place to restrict and/or limit access to Personal Information to those employees who (a) have a strict need to know in order to perform the MexLucky Services; (b) have been provided with appropriate training on the handling of Personal Information; and (c) have agreed to confidentiality obligations consistent with the terms herein.
In the event of a Security Incident, MexLucky shall promptly (and in no event later than 48 hours of becoming aware of such Security Incident) inform Customer and provide written details of the Security Incident, including the type of data affected and the identity of affected person(s) as soon as such information becomes known or available to Magnite, and take any measures and actions reasonably appropriate to remedy or mitigate the effects of a Security Incident.
CCPA
With respect to the Parties’ obligations under the California Consumer Privacy Act of 2018 (Title 1.81.5 of the Civil Code of the State of California), together with all effective regulations adopted thereunder the (“CCPA”) relating to a California consumer’s personal information or household, then (and with respect to such Personal Information): (a) MexLucky is a “service provider” (as defined by CCPA); and Customer is and will be disclosing such Personal Information hereunder to MexLucky for a “business purpose” (as defined by CCPA), and MexLucky will process such Personal Information solely on behalf of Customer and only as necessary to perform such business purpose for Customer; and (b) MexLucky will not: (i) “sell” (as defined by CCPA) Personal Information; or (ii) retain, use, or disclose Personal Information for any purpose (including a “commercial purpose” (as defined by CCPA)) other than the specific purpose of performing services to Customer under this Agreement or outside of the direct business relationship between Customer and Magnite. The Parties represent that they understand the restrictions set forth in this section and will comply with them, and, if directed by Customer with regard to a particular California “consumer” (as defined by CCPA), MexLucky will delete such consumer’s Personal Information.
Annex I
Data Processing Description
This Annex I forms part of the Agreement and describes the processing that MexLucky (as the processor) will perform on behalf of Customer (as the controller).
A. DESCRIPTION OF TRANSFER
| Categories of data subjects whose personal data is transferred: | Visitors of online properties. (i.e., visitors to websites and CTV) |
| Categories of personal data transferred: | pseudonymous identifiers relating to consumer devices (including IP address, device identifiers, cookie identifiers); geo location data |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: | N/A |
| The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): | Continuous |
| Nature of the processing: | Collection, storage, and dissemination of data to deliver digital advertisements on websites and other devices such as CTV |
| Purpose(s) of the data transfer and further processing: | The data processing activities consist of serving and tracking digital advertisements |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | For as long as necessary for the purposes of the engagement |
| For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: | N/A |
B. COMPETENT SUPERVISORY AUTHORITY
| Identify the competent supervisory authority/ies in accordance (e.g. in accordance with Clause 13 SCCs) | Where the EU GDPR applies, the Irish Data Protection Authority shall be the competent supervisory authority; where the UK GDPR applies, the UK Information Commissioner’s Office shall be the competent supervisory authority |
Annex II
Technical and Organizational Security Measures
Description of the technical and organizational measures implemented by MexLucky as the processor to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
MexLucky has implemented the following security measures:
1. Systems Security.
(a) System Adequacy. MexLucky has obtained and has configured, with no single points of failure, adequate hardware, software, power, and human capital redundancies to perform its security-related obligations under the Agreement in accordance with commercially reasonable practices. The operating system and software of Magnite’s web server(s) and third-party platforms utilized to perform its obligations under the Agreement will be properly configured to commercially reasonable standards, including, but not limited to, disabling all unnecessary services, closing all known and published security deficiencies therein, and permitting access thereto only to authorized personnel, subject to password protection. All currently available security-related software patches for the operating system and software will be applied as soon as practicable (depending on the nature of the security flaw) but not later than thirty (30) days of the release of such patches; provided however if a patch negatively impacts the operating system or software or other systems of Magnite, then MexLucky shall as soon as commercially reasonable correct such security flaws.
(b) Firewall. MexLucky has implemented and will maintain continuously throughout the Term of the Agreement firewall protection for all of Magnite’s networks, databases, technology, platforms, and computer systems. MexLucky will update such firewall software promptly after such updates become available, provided such updates do not negatively impact the firewall software. MexLucky will periodically test such perimeter router and firewall devices for effectiveness. Without limiting the foregoing, MexLucky will promptly report within 24 hours to Customer any known security deficiencies (whether arising from software, network, or facilities deficiencies) discovered by MexLucky that may affect user information that is personally identifiable or sensitive and/or Confidential Information. MexLucky will keep a log of all actions taken in response to security incidents related to the systems involved in performing Magnite’s obligations under the Agreement. The log will be time and date stamped.
(c) Encryption. MexLucky will encrypt or hash the passwords in password and username files for their networks, databases, platform, technology, and computer systems involved in performing the Agreement using commercially reasonable encryption levels.
(d) Passwords. MexLucky will protect networks, databases, software, and computer systems involved in performing the Agreement with a user name and password system. MexLucky also has two-factor authorization available on the MexLucky Platform. Customer will be prompted to comply with Magnite’s password policy when creating its account credentials. MexLucky will, when possible, securely log (with time and date) those commands that require additional privileges, to enable a complete audit trail of activities. When individuals terminate their employment with Magnite, their passwords and access to privileged password facilities will be terminated immediately.
(e) Accountability. MexLucky will ensure that individual access and accountability controls are in place with respect to its employees who will have access to the networks, databases, software, technology, platform, Confidential Information, and computer systems involved in performing the Agreement.
(f) Archival Records. MexLucky will daily (including weekends) create and maintain archival backups of all MexLucky networks, databases, technology, platform, and software utilized to perform Magnite’s obligations to Customer under the Agreement for the sole purpose of enabling restoration of these systems but not necessarily restoration of any user data stored on these systems. Archival backups will be stored on a secure server or on other secure media to which access is restricted only to employees of MexLucky or authorized third parties on a need to know basis. Magnite, with reasonable best efforts, will ensure business continuity during a Disaster (“Disaster” to include, but not limited to: earthquake, flood, fire, storm or other natural disaster, act of God, civil disturbance or commotion, acts of terrorism, disruption of the public markets, war or armed conflict) with three primary objectives: 1) to identify and respond to Disasters; 2) to protect personnel and systems; and 3) to limit damage. MexLucky is committed to resuming partial operations as soon as reasonably possible depending on the nature and severity of the Disaster.
(g) Maintenance. All networking, software, technology, the platform, and computer systems necessary to perform the Agreement will be maintained in good working order in accordance with commercially reasonable standards throughout the Term pursuant to hardware maintenance support available from trusted, reputable maintenance organizations.
(h) Disposal. MexLucky will ensure that computer storage devices containing user information are not disposed of unless all such information has been or is to be completely obliterated or destroyed.
2. Security of Physical Premises. MexLucky will limit access to its facilities related to its obligations under the Agreement throughout the Term to Magnite’s employees, employee-accompanied visitors, and contractors using reasonable standard physical security methods. At a minimum, such methods will include restricted access key cards for Magnite’s employees, limited access to server rooms and archival backups, and security cameras at key entry points.
3. Background Checks and Security Training. MexLucky will conduct security background checks and verifications of employment, educational background, and references for all MexLucky individuals and contractors involved who have access to personally identifiable information and/or Customer’s facilities/servers.
MexLucky will ensure ongoing awareness in information security and in the protection of information resources for all personnel of MexLucky whose duties bring such MexLucky personnel into contact with critical or sensitive information of the Customer or of end users, including MexLucky IDs and passwords and Client IDs and passwords.
4. Confidentiality Agreements; Use of Subcontractors. Prior to commencing work for Customer, all individuals (employees, contractors, subcontractors, agents, etc.) performing work on behalf of MexLucky pursuant to the Agreement will be required to agree to be bound by confidentiality agreements.
The parties acknowledge that security requirements change continuously and that effective security demands frequent evaluation and regular improvements of outdated security measures. MexLucky will therefore continuously evaluate the security measures and update, supplement, and improve them as required.