SUBSTATION DATA PROCESSING ADDENDUM

This Substation Data Processing Addendum (“DPA”) forms part of and is incorporated into the Substation Master Terms at substation.com/msa.html between Substation and Customer (the “Agreement”). This DPA reflects the parties’ agreement with respect to the Processing of Personal Data under the Agreement.

Capitalized terms used in this DPA shall have the meanings set forth in this DPA. Capitalized terms used but not otherwise defined herein shall have the meanings given to them in the Agreement.

Except as expressly modified below, the terms of the Agreement shall remain in full force and effect. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Agreement in relation to the Processing of Customer Personal Data, this DPA shall control.

  1. DEFINITIONS.
    1. “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
    2. “Customer Personal Data” means Personal Data that Customer uploads or provides to the Platform.
    3. “Data Protection Laws” means the data protection and privacy laws and regulations applicable to the Processing of Customer Personal Data under the Agreement, including, to the extent applicable, European Data Protection Laws and the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (collectively, “CCPA”).
    4. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
    5. “European Data Protection Laws” means, in each case to the extent applicable: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), the Data Protection Act of 2018, and all other laws relating to data protection, the processing of personal data, privacy, or electronic communications in force from time to time in the United Kingdom (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“Swiss FADP”); and (d) any other applicable law, rule, or regulation related to the protection of Customer Personal Data in the European Economic Area, United Kingdom, or Switzerland that is already in force or that will come into force during the term of this DPA.
    6. “Personal Data” means any information that constitutes “personal information,” “personal data,” “personally identifiable information,” or similar term under Data Protection Laws.
    7. “Processing” means any operation or set of operations which is performed on Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. The terms “Process,” “Processes,” and “Processed” will be construed accordingly.
    8. “SCCs” means Module One (Transfer controller to controller) of the standard contractual clauses approved by the European Commission’s implementing decision (2021/914) of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/678 of the European Parliament and of the Council (available at: http://data.europa.eu/eli/dec_impl/2021/914/oj), as supplemented or modified by Appendix 2.
    9. “Sensitive Data” means any Personal Data that is subject to heightened protection under Data Protection Laws, including but not limited to: (i) data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (ii) data concerning health, sex life, or sexual orientation; (iii) financial information, credit, debit or other payment card data; (iv) government-issued identifiers, social security numbers, driver’s license numbers, passport numbers, or other unique identifiers of similar nature; (v) precise geolocation data; (vi) Personal Data about a child or minor, as such terms are defined under Data Protection Laws; (vii) data concerning criminal convictions or offenses; and (viii) any Personal Data that otherwise constitutes “sensitive data,” “sensitive personal data,” “special categories of data,” or similar term under Data Protection Laws.
  2. PROCESSING OF CUSTOMER PERSONAL DATA.
    1. Roles of the Parties; Compliance. The parties acknowledge and agree that each party is a separate and independent Controller with respect to Customer Personal Data and will be responsible for determining the legal basis(es) of its own Processing activities, as applicable. Each party will comply with Data Protection Laws in connection with its Processing of Customer Personal Data.
    2. Transparency; Choice; Lawfulness. Customer represents and warrants that: (a) Customer has made available to Data Subjects all necessary and appropriate notices and disclosures regarding the Processing of Customer Personal Data and the use of the Pixel under the Agreement, including through a conspicuously-posted privacy policy on the Customer Site(s), in all cases in the form and manner required by Data Protection Laws; (b) the Customer Site(s) are not directed to children under the age of majority in the applicable jurisdiction; (c) Customer has implemented and maintains a mechanism or method for receiving, managing, and documenting consent and other relevant privacy choices from Data Subjects in accordance with Data Protection Laws; (d) Customer is lawfully permitted to provide or make available Customer Personal Data to Substation in connection with the Services for the purposes set forth herein; and (e) all audiences or other customer lists provided to Substation for targeting or other advertising purposes do not contain Data Subjects who have opted-out of such Processing. Upon Substation’s request, Customer will provide reasonable evidence of compliance with the foregoing.
    3. Details of Processing. The nature and purpose of the Processing of Customer Personal Data, the types of Customer Personal Data Processed, the categories of Data Subjects, and other details regarding the Processing of Customer Personal Data are as set forth in Appendix 1.
    4. Prohibition on Sensitive Data. Customer shall not provide or make available any Sensitive Data to Substation or use the Services to Process any Sensitive Data.
    5. Processing Subject to the CCPA. With respect to any Customer Personal Data that is subject to the CCPA, the parties agree that such Customer Personal Data is disclosed by Customer to Substation for the limited and specified purposes set forth in Appendix 1. Substation will comply with applicable obligations under the CCPA and provide the same level of privacy protection to such Customer Personal Data as is required by the CCPA. Subject to the terms of this DPA and the Agreement, Customer has the right to take reasonable and appropriate steps to: (a) help ensure that Substation uses such Customer Personal Data in a manner consistent with Customer’s obligations under the CCPA; and (b) upon written notice to Substation, stop and remediate unauthorized use of such Customer Personal Data by limiting the Customer Personal Data shared with the Platform or such other steps mutually agreed between the parties in writing.
  3. SECURITY. Taking into account the context of the Processing, Substation will implement and maintain reasonable technical and organizational measures designed to protect the confidentiality, integrity, and availability of Customer Personal Data, as set forth in Appendix 2.
  4. DATA SUBJECT RIGHTS. Each party shall fulfill its obligations under Data Protection Laws to respond to requests from Data Subjects to exercise their rights under Data Protection Laws. Customer shall notify Substation in writing of any opt-out or deletion requests in respect of Customer Personal Data in accordance with Data Protection Laws.
  5. CROSS-BORDER DATA TRANSFERS.
    1. Incorporation of SCCs. If Customer transfers Customer Personal Data to Substation that is subject to European Data Protection Laws, and such transfer is not subject to an alternative adequate transfer mechanism under European Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then Customer (as “data exporter”) and Substation (as “data importer”) agree that the SCCs shall apply to and govern such transfer and are hereby incorporated herein by reference.
    2. SCC Selections. The parties agree to the following selections in Sections I-IV of the SCCs: (a) the optional language in Clause 11(a) is omitted; (b) the parties select Option 1 in Clause 17 and the governing law of the Republic of Ireland will apply; and (c) in Clause 18(b), the parties select the courts of the Republic of Ireland. The name, address, contact details, activities relevant to the transfer, and role of the parties set forth in the Agreement and this DPA shall be used to complete Annex I.A. of the SCCs. The information set forth in Appendix 1 shall be used to complete Annex I.B. of the SCCs. The competent supervisory authority in Annex I.C. of the SCCs shall be determined in accordance with the SCCs and this Appendix. The technical and organizational measures in Annex II of the SCCs shall be the measures set forth in Appendix 2.
    3. Business-Related Clauses. The parties agree that the business-related clauses set forth in the Agreement and this DPA shall supplement the SCCs, except to the extent such terms are interpreted or applied in such a way as to contradict the SCCs (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of Data Subjects. The parties therefore further agree that: (a) the information required to be provided to Data Subjects under Clause 8.2(a) shall be provided by Customer using the relevant information in the Agreement and this DPA; (b) each party will make all redactions reasonably necessary to protect business secrets or other confidential information of the other party in the event of a request for a copy of the SCCs; (c) the terms of the Agreement governing indemnification and limitation of liability shall apply to Substation’s liability under Clauses 12(a), 12(c), and 12(d); (d) the termination provision(s) of the Agreement shall apply to a termination pursuant to Clause 14(f) or Clause 16; and (e) certification of deletion under Clause 16(d) shall be provided by Substation upon the written request of Customer.
    4. Transfers from the United Kingdom. If Customer transfers Customer Personal Data to Substation that is subject to UK Data Protection Laws, the parties acknowledge and agree that: (a) the template DPA issued by the Information Commissioner’s Office of the United Kingdom and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-DPA.pdf), as it may be revised from time to time by the Information Commissioner’s Office (the “UK DPA”) shall be incorporated by reference herein; (b) the UK DPA shall apply to and modify the SCCs solely to the extent that UK Data Protection Laws apply to Customer’s Processing when making the transfer; (c) the information required to be set forth in “Part 1: Tables” of the UK DPA shall be completed using the information provided in this Appendix and the DPA; and (d) either party may end the UK DPA in accordance with section 19 thereof.
    5. Transfers from Switzerland. If Customer transfers Customer Personal Data to Substation that is subject to the Swiss FADP, the following modifications shall apply to the SCCs to the extent that the Swiss FADP applies to Customer’s Processing when making that transfer: (a) the term “member state” as used in the SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the SCCs; (b) references to the GDPR or other governing law contained in the SCCs shall also be interpreted to include the Swiss FADP; and (c) the parties agree that the supervisory authority as indicated in Annex I.C of the SCCs shall be the Swiss Federal Data Protection and Information Commissioner.
  6. LIMITATION OF LIABILITY. Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, shall be subject to the limitations and exclusions of liability set forth in the Agreement, and any reference to such limitation of liability of a party means the aggregate liability of the party under the Agreement and this DPA together.
  7. GOVERNING LAW. This DPA shall be governed by the laws designated in the Agreement, except to the extent required otherwise by the SCCs or Data Protection Laws.

APPENDIX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

  1. Subject matter and duration of the Processing of Customer Personal Data: The subject matter and duration of the Processing are as described in the Agreement and this DPA.
  2. Nature and purposes of the Processing of Customer Personal Data: The nature of the Processing includes transmission, matching, assessment, modeling, and other activities to facilitate or support the Platform and Services as described in the Agreement and this DPA. The purposes of the Processing of Customer Personal Data include: (a) the provision of the Platform and Services, as described in the Agreement; (b) helping to ensure security and integrity, to the extent the use of Customer Personal Data is reasonably necessary and proportionate for these purposes; (c) debugging to identify and repair errors that impair existing intended functionality; (d) providing cross-context behavioral/targeted advertising, facilitating the delivery of Campaigns, tracking conversions, and targeting/retargeting; (e) model creation (targeting, frequency cadence, bid), segmenting, profiling, and audience creation; (f) undertaking internal research for technological development and demonstration; and (g) undertaking activities to verify or maintain the quality or safety of the Services, the Platform, or Substation’s business, and to improve, upgrade, or enhance the Services, the Platform, or Substation’s operations, offerings, datasets, and Processing activities.
  3. The categories of Data Subjects to whom Customer Personal Data relates: The categories of Data Subjects include clients or prospective clients of Customer and end users of Customer Sites.
  4. The categories of Customer Personal Data Processed: The categories of Customer Personal Data Processed may include audience data (such as demographic data and HEMs, advertising IDs, or other identifiers), Pixel Data (such as IP address and click/activity data), purchase data (such as contact information, order details, and shipping information), interest or profiling data (including inferences), and user macros relating to user identification.
  5. The sensitive data included in Customer Personal Data: N/A.
  6. The frequency of Customer’s transfer of Customer Personal Data to Substation: On a continuous basis or on the cadence determined by Customer pursuant to Customer’s use of the Platform or Services.
  7. The period for which Customer Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Customer Personal Data shall be retained for purposes in accordance with the data retention requirements under Data Protection Laws applicable to each party.

APPENDIX 2: TECHNICAL AND ORGANIZATIONAL MEASURES

  1. Access Controls. Policies, procedures, and physical and technical controls (a) to limit physical access to its information systems in which they are housed to properly authorized persons; (b) to ensure that all members of its workforce who require access to Customer Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; and (c) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Customer Personal Data or information relating thereto to unauthorized individuals.
  2. Security Awareness and Training. A security awareness and training program for all relevant members of Substation’s workforce (including management), which includes training on how to implement and comply with its information security program.
  3. Security Incident Procedures. Policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect attempted attacks on or intrusions into information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes.
  4. Contingency Planning. Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Customer Personal Data or systems that contain Customer Personal Data, including a data backup plan and a disaster recovery plan.
  5. Device and Media Controls. Policies and procedures on hardware and electronic media that contain Customer Personal Data, including policies and procedures to address the final disposition of Customer Personal Data, or the hardware or electronic media on which it is stored, and procedures for removal of Customer Personal Data from electronic media before the media are made available for re-use.
  6. Audit Controls. Hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.
  7. Data Integrity. Policies and procedures designed to ensure the confidentiality, integrity, and availability of Customer Personal Data and protect it from disclosure, improper alteration, or destruction.
  8. Storage and Transmission Security. Technical security measures designed to guard against unauthorized access to Customer Personal Data that is being transmitted over an electronic communications network.
  9. Assigned Security Responsibility. A designated security official responsible for the development, implementation, and maintenance of the information security program.
  10. Storage Media. Policies and procedures to ensure that prior to any storage media containing Customer Personal Data being assigned, allocated, or reallocated to another user, Substation will delete such Customer Personal Data, such that the media contains no residual data or, if necessary, physically destroy such storage media.
  11. Testing. Substation will regularly test the key controls, systems, and procedures of its information security program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
  12. Adjust the Program. Substation will monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology or security standards, the sensitivity of the Customer Personal Data, internal or external threats to Substation or the Customer Personal Data, and Substation’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. In light of the foregoing, the information security program is subject to change; provided, however, that any such update will not materially diminish the applicable information security protections applicable to Customer Personal Data.
Last Modified Date: December 2, 2025