MSA - Data Security and Privacy Policy
The following Data Security and Privacy Policy (“Policy”) forms an integral part of the underlying Master Services Agreement between AdCellerant LLC, a Colorado limited liability company (“Company”), and the customer (“Client”) agreed to here (the “Agreement”). In the course of performing work and services on behalf of the Client, Company may receive, analyze, aggregate or use various pieces of data and information regarding third parties (collectively referred to as “Data”), some of which may be considered personal, sensitive or proprietary by various information privacy laws or regulations, including, without limitation, the California Consumer Privacy Act of 2018 (“CCPA”), and the Global Data Privacy Regulation (“GDPR”).
Company’s receipt of, access to, or use of the Data is governed by this Policy, the provisions of which are hereby incorporated into the Agreement between Company and Client. In the event of a conflict between this Policy and the Agreement, the terms of this Policy will govern except where the terms of the Agreement expressly state otherwise
Definitions
The following definitions shall apply to this Policy and the Agreement:
- “Controller” means the natural or legal person, public authority, or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data; where the purposes and means of Processing are determined by the European Union or its member state laws, the Controller (or the criteria for nominating the Controller) may be designated by those laws.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
- “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”), where an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- “Personal Information” are the categories of personal data defined by CCPA that can identify, relate to, describe, be associated with, or be reasonably linked directly or indirectly to a particular consumer or household, including, without limitation: personal identifiers, records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies, biometric information, Internet activity information, geolocation data, or inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
- “Process(ing)” means any operation or set of operations performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means a natural or legal person, public authority, or any other body which Processes Personal Data on behalf of the Controller.
- “Sensitive Personal Data” are Personal Data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life and sexual orientation, genetic data or biometric data. Sensitive Personal Data do not include data relating to criminal offences and convictions are addressed separately.
- “Subprocessor” means any third-party data processor engaged by and contracted with a Processor for purposes of Processing Data.
Company and Client may address the following in the Agreement or other writing:
- The subject matter and duration of the Processing
- The nature and purpose of the Processing
- The type of Personal Data and categories of data subject
- The obligations and rights of the Controller
Client shall serve as the Controller.
Company Policies Regarding Privacy and Data Security
General Policies:
Company will make commercially reasonable efforts to comply with the predominant privacy and data security laws and regulations, including CCPA and GDPR, as applicable solely to the Agreement.
Company and Client will work together to protect all Data by adherence to the following general principles:
- Client will only provide Company with Data or information necessary for Company’s performance of the work and services set forth in the Agreement.
- Client will provide notice to the senior Company executive handling the Client’s account prior to transmitting any Data or information, so that the parties can establish required security notices or information process filters in advance of transmission. In the case of Personal Information, Company may require advance written consent prior to receipt.
- Company will designate the appropriate individuals to receive Data from Client or any third parties on behalf of Client.
Policy for Personal Information, Personal Data and Sensitive Personal Data:
When the Agreement entails Company’s handling or Processing of Personal Information, Personal Data, and Sensitive Personal Data, Client and Company will jointly establish the data security risk, control measures, and any enhanced responsibilities of each party with respect to the Personal Information, Personal Data, and Sensitive Personal Data. In the event additional or more stringent data security requirements are required to handle Personal Information and Sensitive Personal Data, those requirements will be separately outlined in the Agreement. Those more stringent data security requirements will apply only to the identified Personal Information and Sensitive Personal Data, and to any project under the Agreement that involves the Personal Information or Sensitive Personal Data.
In the event Company is required to institute additional, more costly, or more stringent measures to use, handle or store the Data, and incurs additional costs related to such measures, (i) Company will advise Client in advance of incurring these expenses, and Client will be responsible for such expenses, and (ii) Client acknowledges that any additional or enhanced measures may cause delays in completion or implementation of work or services. Company is not responsible for such delays, or any increased costs or expenses incurred by Client related to such delays.
Responsibilities of Client
In addition to any obligations in the Agreement, Client will:
- maintain commercially reasonable privacy and data security processes, and will employ measures to avoid misuse or wrongful transfer of Data to Company;
- not provide Company, or induce any third party to provide Company, with any Data or information that is improperly sourced, or obtained by any method that does not comply with applicable privacy or data security laws, regulations, rules, or industry codes or guidelines, including but not limited to CCPA or GDPR;
- provide Company only with Data or information necessary for Company’s performance of the work and services set forth in the Agreement;
- provide Company with sufficient advance notice of any necessary additional, or more stringent, measures required for Company to use, handle or store the Data. Client will provide such notice to provide Company a reasonable amount of time to evaluate and, as necessary, prepare for, the additional or more stringent measures required;
- have an up-to-date privacy policy on its website(s) that: (i) complies with all applicable country and local privacy and data protection laws, that are applicable only to Client’s business and services; (ii) accurately discloses all applicable data collection, use and disclosure practices, including the use of cookies, pixels, beacons, locally stored objects or other similar technologies for purposes of targeting individual end users with advertisements (iii) discloses the use of one or more third parties for ad serving activities, if applicable; (iv) contains a statement that its site or application permits limited data collection, based only on data that does not personally identify consumers, for interest-based advertising; (v) contains a description of the non-personally identifiable types of data collected for such advertising; and (vi) contains an explanation of the purposes for which data is collected by, or transferred to, third parties, if applicable; and
- make commercially reasonable efforts to conspicuously post a link to its privacy policy on its website(s), mobile application(s) and in relevant application store(s). Such privacy policies must provide end users with a conspicuous link to a functional opt-out page.
In addition to any responsibilities in the Agreement, Client is responsible for:
- obtaining any required consents or acknowledgements from Company prior to the transmitting or sharing of any Data, and will request and obtain such consents or acknowledgments in a timely manner to as to allow Company to conduct a reasonable review of the request; and
- any increased costs associated with instituting additional, more costly or more stringent measures required for Company to use, handle, or store the Data. Client will pay such costs promptly upon notification by Company of them. In some cases where reasonable and appropriate, Company may request Client to advance such costs.
Client may be subject to additional privacy or data security laws and regulations, rules, or industry codes and guidelines, including but not limited to CCPA or GDPR, unrelated to the specific work or services provided by Company. In such case, Client is solely responsible for compliance with those laws or regulations.
Responsibilities of Company
In addition to any obligations in the Agreement, Company will:
- act on the reasonable written instructions of Client (unless required by law to act without such instructions or such instructions are contrary to relevant laws or regulations);
- ensure that people in its employment with access to the Data or otherwise Processing the Data are subject to a confidentiality agreement or similar policy;
- implement appropriate technical and organizational measures to secure the Data;
- provide reasonable assistance to Client in providing subject access and allowing owners of Personal Information to exercise their rights under CCPA or GDPR;
- reasonably cooperate with Client in the event of a breach of Data;
- keep records of its activities regarding the Data in accordance with CCPA or GDPR;
- delete, destroy, or return all Personal Data or Personal Information to Client in accordance with the Agreement;
- provide reasonable cooperation in audits and inspections;
- provide Client with whatever information is in its possession that Client reasonably needs to determine whether both parties are meeting their CCPA or GDPR obligations;
- promptly inform Client if Company is asked to take an action that it believes may infringe GDPR or any other data protection law of the European Union or its member states; and
- only engage a Subprocessor with the prior written consent of Client.
Responsibilities of Third Parties
In the event of the engagement by Client of any third party suppliers or services to obtain or collect, curate, store, or otherwise use relevant Data, Company will not be responsible for guaranteeing the performance of third party suppliers or for indemnifying Client for a Data Breach or security breach arising out of the conduct of third party suppliers or services. Indemnification obligations related to services provided by third party suppliers are the responsibility of the third party supplier and Client will ensure that such indemnification obligations are included in the agreement between the third party supplier and Client. Client will procure a written agreement with any third party supplier or service it engages to reflect the indemnification responsibilities of that third party.
Where a third party vendor will be charged with obtaining or collecting, curating, storage of, or other use of Data, Company and Client may collaborate to review the proposed agreement and other documents with the third party to ensure that they include the necessary and specific data privacy and security requirements, however Client will not assume responsibility for any negligence or noncompliance of Company where it contracts directly with that third party.
Where a Subprocessor is directly subcontracted by Company, such third party indemnification obligations of Subprocessor will be included in the agreement between Company and the Subprocessor. Company will ensure that all Subprocessors are bound by the terms of this Policy.
Compliance Verification
Company will promptly and reasonably respond to any requests of Client to verify Company’s compliance with any agreed data privacy and security measures. The scope of verification required will be determined jointly by the parties, based upon the type and amount of Data collected by Company, and any agreed measures and protocol for maintaining Data privacy and security. The review will be no broader than necessary to determine Company’s compliance.
Liability Limitation
Client will remain directly liable for compliance with all aspects of CCPA and GDPR and other applicable law, and for demonstrating that compliance, including all compliance by Company and any of its Subprocessors, unless Client can prove that it was not in any way responsible for the event giving rise to the damage. Otherwise, Client will be fully liable for any damages, losses, claims and liabilities caused by non-compliant handling or Processing of Data, regardless of its use of Company to assist in management or Processing of Data. Each party’s liability to the other party under this Policy, or to remediate or for any Data privacy or security breach, or any failure to comply with relevant privacy or data security laws and regulations, rules, or industry codes and guidelines, including CCPA or GDPR, shall not exceed the total fees paid pursuant to the Agreement.
Indemnification
Client will defend, indemnify, and hold Company and its Subprocessors harmless from any claims, liabilities, losses, or damages caused by or related to:
- Client’s negligence or intentional failure to comply with relevant privacy or data security laws and regulations, rules, or industry codes and guidelines, including CCPA or GDPR, relevant to any Data in possession or control of Company related to the Agreement;
- non-compliant Processing or breach of duties by Client; and
- non-compliance with all aspects of relevant privacy or data security laws and regulations, rules, or industry codes and guidelines, including CCPA or GDPR.
Company will defend, indemnify, and hold Client harmless from any claims, liabilities, losses, or damages caused by or related to Company’s:
- failure to comply with CCPA or GDPR or other applicable law provisions for which it has specifically assumed responsibility in writing in this Policy or the Agreement,
- actions against the lawful written instructions of Client
- gross negligence or intentional act in selection of or failure to adequately supervise a Subprocessor (where Company selected and contracted with such Subprocessor), which gross negligence or intentional act creates a liability of Client for failure to comply with relevant privacy or data security laws and regulations, rules, or industry codes and guidelines, including CCPA or GDPR, relevant to Data in possession or control of the Subprocessor related to the Agreement.
Company and Client have caused this Policy to be executed by their duly authorized representatives to be effective as of the date of the last signature below. This Policy may be delivered via facsimile and/or email in a PDF document and executed in one or more identical counterparts, each of which, when so executed, shall be deemed to be an original, and all counterparts so executed shall together constitute one binding agreement. The parties acknowledge and accept that signatures sent via facsimile and/or email in a PDF document shall be as legally binding as signatures upon originals.
See how we make
digital advertising easy
Better campaigns. Greater experiences. More revenue. It’s all within your grasp.
