Data Protection Addendum

This Data Protection Addendum (“Addendum”) forms an integral part of your agreement(s) as a Partner utilizing the ironSource Sonic Platform and/or ironSource’s Services (“Principal Agreement”) between: (i) ironSource Mobile Ltd. (even if the Principal Agreement is with a different ironSource Affiliate) (ironSource); and (ii) the entity and/or person specified in the Partner Account or the Principal Agreement as the Partner using the Services (“Partner”).

RECITALS:

  1. The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the Principal Agreement.  Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
  2. In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement.  Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.
  3. Partner and ironSource have entered into a Principal Agreement pursuant to which ironSource will provide certain Services to Partner. ironSource’s liability for this Addendum is limited to the period of the validity of the Principal Agreement, i.e., the period during which ironSource is contracted by Partner for the provision of the services.
  4. To the extent that the provision of such services involves the processing of Partner Personal Data, the parties have agreed to enter into this Addendum for the purposes of ensuring compliance with the applicable data protection legislation.
  1. Definitions
    1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
      1. “Alternative Transfer Solution” means any applicable mechanism or solution, other than Standard Contractual Clauses, that enables the lawful transfer of Personal Data to a third country in accordance with European Data Protection Laws;
      2. “Authorized Processing of Third-Party Personal Data” has the meaning given to such term in Subsection 16.1;
      3. “Cessation Date” has the meaning given to such term in Subsection 14.2;
      4. “Contracted Processor” means ironSource or a Subprocessor;
      5. “Covered Countries” means EEA countries, the United Kingdom and Switzerland;
      6. “Device Manufacturer” means a device manufacturer and/or a mobile carrier on which ironSource promotes Partner’s products and/or services using its Aura Platform under the Principal Agreement;
      7. “Device Manufacturer Personal Data” has the meaning given to such term in Subsection 16.1;
      8. “EEA” means the European Economic Area;
      9. “European Data Protection Laws” means the GDPR, the UK Data Protection Act 2018, the EU e-Privacy Directive (Directive 2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended), the FADP, any applicable domestic legislation of each Covered Country that relates to data protection or privacy and any successor legislation and/or regulation implementing or made pursuant to the foregoing, or which amends, replaces, re-enacts or consolidates any of the foregoing;
      10. “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992 (as may be amended or replaced from time to time);
      11. “GDPR” means, as applicable to the Processing: (i) the EU General Data Protection Regulation 2016/679 (“EU GDPR”); and/or (ii) the Retained Regulation (EU) 2016/679 as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended) (“UK GDPR”);
      12. “Partner Personal Data” means any Personal Data provided or made available by (or provided on behalf of) Partner and Processed by ironSource or its Subprocessors for the performance of or in connection with the Principal Agreement;
      13. “Processor Services” are the services for which ironSource acts as a Processor on behalf of Partner, as detailed in Section 3;
      14. “Publisher Personal Data” has the meaning given to such term in Subsection 16.1;
      15. “Relevant Personal Data” means Partner Personal Data, Publisher Personal Data and Device Manufacturer Personal Data;
      16. “Restricted Transfer” means a transfer of Personal Data where such transfer would be prohibited by European Data Protection Laws in the absence of appropriate safeguards, as required by Article 46 of the GDPR or equivalent provisions under the Swiss FDPA (as applicable);
      17. “SDK” means ironSource’s software development kit for integrating ironSource’s proprietary products into mobile applications.
      18. “Services” means the services and other activities to be supplied to or carried out by ironSource and/or ironSource Affiliates in connection with the Principal Agreement;
      19. “Standard Contractual Clauses” means:
        1. the clauses for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of protection for Personal Data adopted by the European Commission under Commission Decision C(2010) 593 (available here) (“2010 C2P Standard Contractual Clauses”);
        2. the clauses for the transfer of Personal Data to Controllers established in third countries adopted by the European Commission under the Commission’s Decision of 27 December 2004 (2004/915/EC) (available here) (“2004 C2C Standard Contractual Clauses”);
        3. the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 (available here) including the text from the modules of such clauses as specified in this Addendum (“2021 Standard Contractual Clauses”);
        4. the 2021 Standard Contractual Clauses, subject to the following amendments:
          1. the competent supervisory authority in Annex I.C under clause 13 of the 2021 Standard Contractual Clauses shall be the Swiss Federal Data Protection and Information Commissioner;
          2. the applicable law for contractual claims under clause 17 of the 2021 Standard Contractual Clauses shall be Swiss law and the place of jurisdiction for actions between the parties pursuant to clause 18(b) of the 2021 Standard Contractual Clauses shall be the Swiss courts;
          3. the term ’member state’ in the 2021 Standard Contractual Clauses shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the 2021 Standard Contractual Clauses;
          4. references to Regulation (EU) 2016/679, the General Data Protection Regulation or GDPR in the 2021 Standard Contractual Clauses are to be understood as references to the FADP; and
          5. the 2021 Standard Contractual Clauses also protect the data of legal entities and references to ‘personal data’ in the 2021 Standard Contractual Clauses shall also include the data of legal entities until the entry into force of the revised Swiss Federal Act on Data Protection of 19 June 1992 (“Swiss 2021 Standard Contractual Clauses”);
        5. the 2021 Standard Contractual Clauses subject to the UK Addendum and the terms of Part G of Schedule 1 (as such terms are applicable).
      20. “Subprocessor” means any third party (excluding an employee of ironSource or any of its sub-contractors) appointed by or on behalf of ironSource to Process Partner Personal Data on behalf of Partner for the performance of the Principal Agreement;
      21. “ironSource Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with ironSource, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise; and
      22. “UK Addendum” means the International Data Transfer Addendum to the 2021 Standard Contractual Clauses, issued by the Information Commissioner, and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022.
    2. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the same meaning as in the GDPR, and the terms “data importer” and “data exporter” shall have the same meaning as in the Standard Contractual Clauses, and their cognate terms shall be construed accordingly.
    3. The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
  2. Application of This Addendum

This Addendum shall apply only to the extent that European Data Protection Laws apply to the Processing of Relevant Personal Data by the Parties in connection with the Principal Agreement.

  3. Roles

Partner hereby acknowledges that, with respect to the Processing of Relevant Personal Data, the parties shall have the roles set out in the table below. The parties acknowledge and agree that certain Chapters of this Addendum only apply in certain circumstances as specified in the table below (except Chapter I (General Processing Obligations), Chapter VI (Transfers) and Chapter VII (General) which each apply in all circumstances).

| Processing Activity | Partner’s role | ironSource’s role | Applicable Chapters of this Addendum |
| --- | --- | --- | --- |
| 1. All Processing activities with respect to Partner Personal Data in connection with the Mediation Platform, the Ad-Quality Platform and the Analytics Service. | Controller | Processor on behalf of Partner | Chapter IV (Processing of Partner Personal Data by ironSource as a Processor on behalf of Partner) |
| 2. Processing of Partner Personal Data for including, and/or excluding specific advertising identifiers in, or from campaigns of the Partner on the Growth Platform. | Controller | Processor on behalf of Partner | Chapter IV (Processing of Partner Personal Data by ironSource as a Processor on behalf of Partner) |
| 3. All Processing activities with respect to Partner Personal Data in connection with all other Aura Platform Services. | Controller | Processor on behalf of Device Manufacturer | Chapter III (Processing of Partner Personal Data by ironSource as a Processor on behalf of Device Manufacturer) |
| 4. Processing of Publisher Personal Data in relation to ironSource’s performance of advertising Services under the Principal Agreement. | Independent Controller | Independent Controller | Chapter V (Additional Provisions for the Advertising Services) |
| 5. Processing of Device Manufacturer Personal Data in relation to ironSource’s performance of advertising Services under the Principal Agreement. | Controller | Processor on behalf of Device Manufacturer | Chapter V (Additional Provisions for the Advertising Services) |
| 6. All Processing activities with respect to Partner Personal Data in connection with all other Services provided by ironSource to Partner under the Principal Agreement. | Independent Controller | Independent Controller | Chapter II (Processing of Partner Personal Data by ironSource as a Controller) |

Chapter I – General Processing Obligations

  4. Processing of Personal Data

Partner hereby represents, warrants, and undertakes that at all times during the term of the Principal Agreement:

  1. Partner shall comply with all European Data Protection Laws.
  2. Partner shall have all required rights, licenses, and permissions to allow the Processing of Partner Personal Data by ironSource under the Principal Agreement and to make the Partner Personal Data available to ironSource in accordance with the requirements of this Addendum.
  3. Partner shall provide all notices and obtain all consents, as required by and in compliance with European Data Protection Laws with respect to the collection of data by ironSource and/or transfer of any data to ironSource by Partner, in connection with the Principal Agreement, in accordance with the requirements of this Addendum.
  4. When Partner Personal Data is collected and shared with ironSource by Partner or on Partner’s behalf, such collection and transfer of Partner Personal Data complies with all European Data Protection Laws, and the Processing of such Partner Personal Data shall not cause ironSource to be in violation of any European Data Protection Laws.

Chapter II – Processing of Partner Personal Data by ironSource as a Controller

  5. Transparency and consent

When ironSource acts as a Controller of Partner Personal Data:

  1. Partner shall make available to end users of Partner’s application or website (“Partner App”) a link to ironSource’s privacy policy available at https://developers.ironsrc.com/ironsource-mobile/air/ironsource-mobile-privacy-policy/, prior to downloading the Partner application (if applicable), and from within the Partner App.
  2. Partner shall obtain consent from end users of the Partner App on behalf of ironSource, prior to disclosing, and/or allowing ironSource to access any data, that shall cover, at a minimum, the Processing (including accessing, collecting, using, storing and/or disclosing) by ironSource of data, including Personal Data, originating from, and/or associated with the end user’s device, for the purpose of serving non-interest based ads, and measuring the effectiveness of ads, including aggregating Personal Data for the purpose of creating reports, and improving ironSource’s products and services. In the event such consent is not obtained or is withdrawn by the end user, Partner must not initialize ironSource’s SDK or disclose any Personal Data to ironSource in relation to that end user and refrain from using ironSource’s SDK in any other manner in relation to that end user. In any event, the consent obtained from an end user shall comply with all the requirements of European Data Protection Laws and shall name ironSource as a Controller.
  3. When Partner uses ironSource’s Monetization Services, Partner may also obtain consent from end users of the Partner App, on behalf of ironSource, for the sharing of Personal Data by ironSource with Advertisers listed in the following link: https://developers.is.com/ironsource-mobile/general/1423349-2/ (“Advertising Partners”) for operating ironSource’s ad exchange platform, who may Process such Personal Data for serving personalized advertising. In that event, Partner shall use ironSource’s consent API (the “Consent API”) to indicate whether an end user granted consent to such sharing of Personal Data by ironSource and use of such Personal Data by the Advertising Partners or not, and upon any change in an end user’s consent status.
    Partner represents and warrants that: (i) the information provided to ironSource using its Consent API is complete, accurate, and up-to-date; (ii) consent obtained from an end user shall comply with all the requirements of European Data Protection Laws, shall name ironSource and Advertising Partners as Controllers and shall include a link to ironSource’s privacy policy, available at: https://developers.ironsrc.com/ironsource-mobile/air/ironsource-mobile-privacy-policy/, and to Advertising Partners’ privacy policies, available at: https://developers.is.com/ironsource-mobile/general/1423349-2/; (iii) ironSource’s and Advertising Partners’ reliance on the information provided to ironSource using its Consent API shall not cause ironSource and/or Advertising Partners to be in violation of European Data Protection Laws; and (iv) Partner shall re-obtain consent from end users as required from time to time by ironSource.

Chapter III – Processing of Partner Personal Data by ironSource as a Processor on behalf of Device Manufacturer

  6. Transparency and consent

When ironSource acts as a Processor of Partner Personal Data on behalf of Device Manufacturer:

    1. Partner shall provide end users of Partner App with a list of all the data shared by Partner with ironSource and inform such end users that such data will be used by the end user’s mobile carrier and/or device manufacturer for marketing purpose.
    2. Partner shall obtain consent from end users of the Partner App on behalf of the end user’s mobile carrier and/or device manufacturer, prior to disclosing, and/or allowing ironSource to access any data, that shall cover, at a minimum, the Processing (including accessing, collecting, using, storing and/or disclosing) by ironSource of data, including Personal Data, originating from, and/or associated with the end user’s device, for the purpose of serving non-interest based ads, and measuring the effectiveness of ads, including aggregating Personal Data for the purpose of creating reports, and improving the end user’s mobile carrier and/or device manufacturer’s products and services. In the event such consent is not obtained or is withdrawn by the end user, Partner must not initialize ironSource’s SDK or disclose any Personal Data to ironSource in relation to that end user, and refrain from using ironSource’s SDK in any other manner in relation to that end user. In any event, the consent obtained from an end user shall comply with all the requirements of European Data Protection Laws and shall name the end user’s mobile carrier and/or device manufacturer as a Controller.

Chapter IV – Processing of Partner Personal Data by ironSource as a Processor on behalf of Partner

  7. Processing of Partner Personal Data
    1. ironSource shall not Process Partner Personal Data other than on the Partner’s documented instructions set forth in this Chapter unless Processing is required by laws of the EEA or EEA Member State (where EU GDPR applies to the Processing), UK (where UK GDPR applies to the Processing) or Switzerland (where the FADP applies to the Processing) to which the relevant Contracted Processor is subject, in which case ironSource shall inform Partner of that legal requirement before the relevant Processing of that Personal Data, unless that law prohibits such information on important grounds of public interest.
    2. Partner instructs ironSource (and authorises ironSource to instruct each Subprocessor) to:
      1. Process Partner Personal Data; and
      2. in particular, transfer Partner Personal Data to any country or territory,

as reasonably necessary for the provision of the Processor Services (including, without limitation, Processing of ad revenue data associated with Partner Personal Data by ironSource and/or ironSource Affiliates for the purpose of providing the advertising Services by ironSource and/or ironSource Affiliates) and consistent with the Principal Agreement. Partner shall ensure it obtains any necessary consents or has the necessary rights to enable such transfer.

    3. Part B of Schedule 2 to this Addendum sets out certain information regarding the Contracted Processors’ Processing of the Partner Personal Data as required by article 28(3) of the GDPR.
  8. ironSource Personnel

ironSource shall grant access to the Partner Personal Data to members of its personnel only to the extent they need to know or access the relevant Partner Personal Data, as necessary for the purposes of the Principal Agreement, and shall ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

  9. Security
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ironSource shall in relation to the Partner Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
    2. In assessing the appropriate level of security, ironSource shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
  10. Subprocessing
    1. The Partner generally authorises ironSource to appoint (and permit each Subprocessor appointed in accordance with this Section 10 to appoint) Subprocessors.
    2. ironSource may continue to use those Subprocessors already engaged by ironSource as at the date of this Addendum as specified at: https://developers.ironsrc.com/ironsource-mobile/19783-2/.
    3. ironSource shall give Partner 7 days’ prior written notice of the appointment of any new Subprocessor through a notice available at: https://developers.ironsrc.com/ironsource-mobile/19783-2/, including full details of the Processing to be undertaken by the Subprocessor. ironSource shall provide the Partner with the information necessary to enable the Partner to exercise its right to object as set out in Subsection 10.4 of this Addendum.
    4. If, within 7 days of provision of that notice, Partner notifies ironSource in writing of any objections to the proposed appointment, and ironSource does not undertake to perform reasonable steps to address such objections raised by the Partner, Partner, as its sole and exclusive remedy, may terminate the portion of any Principal Agreement relating to the Services that cannot be reasonably provided without the objected-to new Subprocessor by providing 30 days’ written notice to ironSource. If the Partner does not deliver a written objection notice within 7 days of the provision of the ironSource notice, Partner shall be deemed as granting specific authorisation to the appointment of all Subprocessors mentioned in the ironSource notice.
    5. With respect to each Subprocessor, ironSource shall ensure that the arrangement between on the one hand (a) ironSource, or (b) the relevant Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which provide, in substance, the same level of protection for Partner Personal Data as those set out in article 28(3) of the GDPR;
    6. ironSource shall be liable for the acts and omissions of its Subprocessors to the same extent it would be liable if performing the Services of each Subprocessor directly under the terms of the Principal Agreement.
  11. Data Subject Rights
    1. Without derogating from Section 14 below, and taking into account the nature of the Processing, ironSource shall assist Partner by implementing appropriate technical and organizational measures (including as specified at: https://developers.ironsrc.com/ironsource-mobile/air/ironsource-mobile-submitting-deletion-pull-requests-procedure/), insofar as this is possible, for the fulfilment of Partner’s obligations, to respond to requests to exercise Data Subject rights under European Data Protection Laws.
    2. ironSource may require Partner to cover the costs of assistance provided pursuant to Subsection 11.1 in the event that such assistance may interfere with the normal operation of ironSource and/or create an unreasonable burden on ironSource, and/or require ironSource to make material changes to its products and services, subject to ironSource’s sole discretion.
    3. ironSource shall:
      1. promptly notify Partner if any Contracted Processor receives a request from a Data Subject under European Data Protection Laws in respect of Partner Personal Data; and
      2. not respond to that request except on the documented instructions of Partner.
  12. Personal Data Breach
    1. ironSource shall notify Partner without undue delay upon ironSource becoming aware of a Personal Data Breach concerning Partner Personal Data, providing Partner with sufficient information to allow each Partner to meet any obligations to report or inform a Supervisory Authority or Data Subjects of the Personal Data Breach under European Data Protection Laws. Partner agrees that an unsuccessful security incident will not be subject to this Section, if it results in no unauthorized access to Partner Personal Data and in no unauthorized access to any of Contracted Processors’ equipment or facilities containing Partner Personal Data and does not otherwise constitute a Personal Data Breach. Such unsuccessful security incident not subject to this Section may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
    2. Partner is solely responsible for providing ironSource an email address to which notifications regarding Personal Data Breach should be sent and ensuring that such email address is current and valid. The default email address for the purpose of sending notification under this Section shall be the email address specified in the Partner dashboard made available by ironSource at the time of the notification.
    3. In the event of a Personal Data Breach concerning Partner Personal Data, ironSource shall take appropriate measures to address the Personal Data Breach, including measures to mitigate its adverse effects.
    4. Partner shall use the Services in an appropriate manner, taking into account the level of security necessary for securing the Partner Personal Data.
  13. Data Protection Impact Assessment and Prior Consultation

ironSource shall provide assistance, at Partner’s expense, to Partner with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Partner reasonably considers to be required by European Data Protection Laws, in each case solely in relation to Processing of Partner Personal Data by and taking into account the nature of the Processing and information available to, the Contracted Processors.

  14. Deletion of Partner Personal Data
    1. During the term of the Principal Agreement, taking into account the nature of the Processing, ironSource shall make reasonable efforts to comply with any reasonable request from Partner to delete information of a user of the Partner, insofar as this is possible, unless applicable laws require storage of the Partner Personal Data, and subject to Subsection 14.3 below. ironSource shall only delete Partner Personal Data associated with the Processor Services, according to the deletion requests submission procedure specified at https://developers.ironsrc.com/ironsource-mobile/air/ironsource-mobile-submitting-deletion-pull-requests-procedure/ (as may be updated from time to time by ironSource). ironSource may require Partner to cover the costs of such assistance in the event that such assistance may interfere with the normal operation of ironSource and/or create an unreasonable burden on ironSource, and/or require ironSource to make material changes to its products and services, subject to ironSource’s sole discretion.
    2. Subject to Subsections 14.3 and 14.4 ironSource shall promptly and in any event within 180 days of the date of cessation of any Services involving the Processing of Partner Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Partner Personal Data Processed for the performance of the Processor Services.
    3. ironSource may retain a copy of Partner Personal Data where it is required to retain such Partner Personal Data by laws of the EEA or an EEA Member State (where EU GDPR applies to the Processing), UK (where UK GDPR applies to the Processing) or Switzerland (where the FADP applies to the Processing) to which ironSource is subject.
    4. If requested by Partner, ironSource shall provide written approval to Partner that it has complied with this Section 14 within 90 days of the Cessation Date.
  15. Audit rights
    1. To the extent that European Data Protection Laws or Standard Contractual Clauses require Partner to be in a position to audit ironSource’s Processing of Partner Personal Data, Partner, as the Controller, will have the right to request ironSource for an audit, no more than once per year or if there are indications of non-compliance by ironSource or Subprocessors, through a mutually agreed, reputable, and independent third party solely for the purposes of, and as absolutely necessary for, meeting its audit requirements pursuant to European Data Protection Legislation and/or applicable Standard Contractual Clauses, and solely those systems and documents directly related to such purpose and solely with respect to a period of 12 months prior to the audit, or such maximum period required by European Data Protection Laws or Standard Contractual Clauses.
    2. In the event that Partner wishes to audit ironSource under this Section, it must send a detailed audit request specifying the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any such audit, at least four (4) weeks in advance of the proposed audit date. Audit requests must be sent in a written form to the designated contact person in ironSource responsible for communications with the Partner (or, if no such contact person, to ironSource’s support email as specified in the Partner dashboard made available by ironSource), with a copy to the following email address: legal@is.com.
    3. The auditor must execute a written confidentiality agreement acceptable to ironSource prior to conducting the audit. The audit shall be conducted during regular business hours, subject to ironSource’s policies, and may not unreasonably interfere with ironSource’s business activities.
    4. Any audits are at Partner’s sole expense.
    5. Nothing in this Section will require ironSource either to disclose to Partner or any auditor, or otherwise to allow Partner or any auditor to access any data of any other third party, any internal financial information, any trade secret, or any data which is requested, as reasonably determined by ironSource, not in a good faith, resulting in an interference with ironSource’s business, and/or for purposes other than conducting an audit as required by European Data Protection Laws or Standard Contractual Clauses.
    6. ironSource may, at its option, provide Partner with a copy of its most recent third-party audits or certifications by an independent third-party auditor, as applicable, or any summaries thereof.
    7. Any results and/or findings of the audit, and/or any third-party certifications or audits shall be ironSource’s confidential information, and Partner will keep the audit results in strict confidentiality, and shall not disclose them to any third-party, without ironSource’s prior explicit written approval.
    8. If Partner is required to disclose the audit results to a competent authority, Partner shall provide ironSource with a prior written notice, explaining the details and necessity of the disclosure and further provide all necessary assistance to prevent such disclosure. In the event that such disclosure occurs despite Partner’s best efforts to prevent such disclosure, Partner will disclose only the portion of the results of the audit that is explicitly requested to be disclosed.

Chapter V – Additional Provisions for the Advertising Services

      16. Processing of Personal Data shared by ironSource
        1. Partner hereby acknowledges and agrees that any Personal Data shared by ironSource with Partner and/or any third-party on Partner’s behalf, in connection with the advertising services, concerning (1) end users of an application of a third-party app developer (“Publisher Personal Data”); and/or (2) for Aura Platform Services, end users of a mobile device of a Device Manufacturer (“Device Manufacturer Personal Data”), is provided solely for the purposes of attribution, frequency capping and/or fraud detection and prevention (“Authorized Processing of Third-Party Personal Data”), and that:
          1. When Processing Publisher Personal Data, each Party acts as an independent Controller; and
          2. When Processing Device Manufacturer Personal Data, Partner acts as an independent Controller and ironSource acts as a Processor on behalf of Device Manufacturer.
        2. Partner hereby represents and warrants that it and/or any third-party on its behalf (i) shall Process Publisher Personal Data and/or Device Manufacturer Personal Data solely in compliance and as permitted under European Data Protection Laws; and (ii) shall not Process Publisher Personal Data and/or Device Manufacturer Personal Data for any purpose other than for the Authorized Processing of Third-Party Personal Data, unless Partner has obtained a valid consent from the respective Data Subject for such Processing in accordance with European Data Protection Laws.

Chapter VI – Transfers

      1. Restricted Transfers

If the Processing of Relevant Personal Data in connection with the Principal Agreement involves any Restricted Transfers, then:

      1. If the data importer notifies the other Party or otherwise announces the adoption of or reliance on an Alternative Transfer Solution in respect of any Restricted Transfers to the data importer, then such Alternative Transfer Solution shall apply to the relevant Restricted Transfer(s). In such circumstances, the data importer shall comply with the Alternative Transfer Solution in respect of the relevant Restricted Transfers.
      2. If an Alternative Transfer Solution is not being relied on or has not been adopted pursuant to Subsection 17.1 in respect of any Restricted Transfers:
        1. Subject to Subsections 17.2.3 and 17.2.4, Partner and ironSource agree to the terms of Schedule 1 in relation to any Restricted Transfer from Partner to ironSource and/or from ironSource to Partner, as applicable.
        2. If Partner and ironSource entered into standard contractual clauses approved under Article 26(2) of Directive 95/46/EC, Partner and ironSource agree that, as of their effective date, the Standard Contractual Clauses applicable between Partner and ironSource pursuant to Schedule 1 will supersede and terminate any such previous standard contractual clauses entered into by the Partner and ironSource.
        3. In relation to any Restricted Transfer from Partner to ironSource where ironSource acts as a Processor on behalf of the Device Manufacturer, Partner agrees to be bound by and represents and warrants to ironSource and Device Manufacturer that it shall comply with the Standard Contractual Clauses as applicable pursuant to Part E and G (as applicable) of Schedule 1 as of the date of this Addendum (as if such Restricted Transfer was made to Device Manufacturer).
        4. In relation to any Restricted Transfer of Device Manufacturer Personal Data from ironSource to Partner where ironSource acts as a Processor on behalf of the Device Manufacturer, Partner agrees to be bound by and represents and warrants to ironSource and Device Manufacturer that it shall comply with Standard Contractual Clauses as applicable pursuant to Part F and G (as applicable) of Schedule 1 as of the date of this Addendum (as if such Restricted Transfer was from the Device Manufacturer).
        5. Partner and ironSource each agree that each Device Manufacturer has the right to enforce and benefit from the Partner’s obligations, representations, and warranties under Subsections 17.1, 17.2.3 and 17.2.4 of this Addendum as a third-party beneficiary.
        6. The Parties acknowledge and agree that ironSource has no liability in relation to the Standard Contractual Clauses entered into between the Partner and the Device Manufacturer.

Chapter VII – General

      1. General Terms

Governing law and jurisdiction

      1. Without prejudice to the governing law and jurisdiction provisions of the Standard Contractual Clauses:
        1. the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
        2. this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.

Order of precedence

      2. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses or if this Addendum is deemed to modify or contradict any Standard Contractual Clauses in a manner that would cause such Standard Contractual Clauses to be invalid, the Standard Contractual Clauses shall prevail to the extent necessary.
      3. Subject to Subsection 2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
      4. With regard to the LevelPlay Mediation Platform, this Addendum shall supersede any other Data Processing Addendum between the parties.

Severance

5. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Changes to this Addendum

6. ironSource may change this Addendum by sending an email notification to Partner, at least 30 days prior to any such taking effect, in the event that such change does not: (i) result in a degradation of the overall security of the Services; (ii) expand the scope of, or remove any restrictions on, ironSource’s Processing of Partner Personal Data; and (iii) otherwise have a material adverse impact on Partner’s rights under this Addendum, as reasonably determined by ironSource, unless such change is required by European Data Protection Laws, such change is pursuant to Part G of Schedule 1 of this Addendum or such change involves replacing any of the Standard Contractual Clauses with new or replacement standard contractual clauses as recognised as a transfer mechanism under European Data Protection Laws. For the avoidance of doubt, ironSource may change the types of data specified under “Categories of Personal Data” to the extent such change is made in accordance with this Section.

 

SCHEDULE 1

Restricted Transfers

Summary of Schedule 1 (for guidance purposes only)

| Transfer description | Relevant Sections of this Schedule 1 |
|---|---|
| Partner to ironSource | |
| Restricted Transfers of Partner Personal Data from Partner to ironSource where ironSource Processes such Partner Personal Data as a Processor on behalf of the Partner and: | |
| · such transfer is subject to the EU GDPR | Subsection 1.1 of Part A; Section 2 of Part A |
| · such transfer originates from the UK and is subject to UK GDPR | Subsection 1.2 of Part A; Section 3 of Part A; Part G |
| · such transfer is subject to the FADP | Subsection 1.3 of Part A; Section 4 of Part A |
| Restricted Transfers of Partner Personal Data from Partner to ironSource where ironSource Processes such Partner Personal Data as a Controller and: | |
| · such transfer is subject to the EU GDPR | Subsection 1.1 of Part B; Section 2 of Part B |
| · such transfer originates from the UK and is subject to UK GDPR | Subsection 1.2 of Part B; Section 3 of Part B; Part G |
| · such transfer is subject to the FADP | Subsection 1.3 of Part B; Section 4 of Part B |
| ironSource to Partner | |
| Restricted Transfers of Partner Personal Data to Partner from ironSource where ironSource Processes such Partner Personal Data as a Processor on behalf of the Partner, and: | |
| · such transfer is subject to the EU GDPR | Subsection 1.1 of Part C; Section 2 of Part C |
| · such transfer is subject to the FADP | Subsection 1.2 of Part C; Section 3 of Part C |
| · such transfer is subject to UK GDPR | Part G |
| Restricted Transfers of Publisher Personal Data to Partner from ironSource where ironSource Processes such Publisher Personal Data as a Controller and: | |
| · such transfer is subject to the EU GDPR | Subsection 1.1 of Part D; Section 2 of Part D |
| · such transfer is subject to the FADP | Subsection 1.2 of Part D; Section 3 of Part D |
| · such transfer is subject to UK GDPR | Part G |
| Partner to Device Manufacturer (via ironSource as a Processor on behalf of the Device Manufacturer) | |
| Restricted Transfers of Partner Personal Data from Partner to Device Manufacturer (where ironSource Processes such Partner Personal Data as a Processor on behalf of the Device Manufacturer), and: | |
| · such transfer is subject to the EU GDPR | Subsection 1.1 of Part E and Section 2 of Part E |
| · such transfer is subject to UK GDPR | Subsection 1.2 of Part E and Section 3 of Part E; Part G |
| · such transfer is subject to the FADP | Subsection 1.3 of Part E and Section 4 of Part E |
| Device Manufacturer to Partner (via ironSource as a Processor on behalf of the Device Manufacturer) | |
| Restricted Transfers of Device Manufacturer Personal Data from Device Manufacturer to Partner (where ironSource Processes such Partner Personal Data as a Processor on behalf of the Device Manufacturer), and: | |
| · such transfer is subject to the EU GDPR | Subsection 1.1 of Part F and Section 2 of Part F |
| · such transfer is subject to UK GDPR | Subsection 1.2 of Part F and Section 3 of Part F; Part G |
| · such transfer is subject to the FADP | Subsection 1.3 of Part F and Section 4 of Part F |

 

Part A – Restricted Transfers of Partner Personal Data to ironSource as a Processor on behalf of Partner

      1. In relation to Restricted Transfers of Partner Personal Data from Partner to ironSource where ironSource Processes such Partner Personal Data as a Processor on behalf of the Partner, the Parties agree that:
        1. the 2021 Standard Contractual Clauses shall apply, subject to Section 2 of this Part A, to the transfer of Partner Personal Data where such transfer is subject to the EU GDPR;
        2. the 2010 C2P Standard Contractual Clauses shall apply, subject to Section 3 of this Part A, to the transfer of Partner Personal Data where such transfer originates from the UK and is subject to UK GDPR; and
        3. the Swiss 2021 Standard Contractual Clauses shall apply, subject to Section 4 of this Part A, to the transfer of Partner Personal Data where such transfer is subject to the FADP,

and in each case such Standard Contractual Clauses form part of this Addendum and signature to and dating of the Principal Agreement shall constitute all required signatures and dates for the 2021 Standard Contractual Clauses, the Swiss 2021 Standard Contractual Clauses and the 2010 C2P Standard Contractual Clauses.

      2. EEA transfers. For the purposes of the 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.1 of this Part A, the Parties agree the following:
        1. the text from module two of the 2021 Standard Contractual Clauses shall apply and no other modules or any clauses marked as optional in the 2021 Standard Contractual Clauses shall apply;
        2. ironSource is the data importer and Partner is the data exporter;
        3. for the purposes of clause 9(a) of the 2021 Standard Contractual Clauses, option 2 applies and the advance written notice period of any addition or replacement of Sub-processors required for the purposes of this option is set out in Subsection 10.3 of this Addendum;
        4. the terms set out in Subsection 10.4 of this Addendum apply in addition to clause 9(a) of the 2021 Standard Contractual Clauses;
        5. the terms set out in Subsection 11.2 of this Addendum shall apply in addition to clause 10(b) of the 2021 Standard Contractual Clauses;
        6. the assistance provided pursuant to clause 8.6(d) of the 2021 Standard Contractual Clauses shall be at the expense of the data exporter to the extent set out in Section 13 of this Addendum;
        7. in relation to clause 8.5 of the 2021 Standard Contractual Clauses, the Partner agrees that it elects to have the Partner Personal Data deleted in accordance with Subsection 14.2 of this Addendum;
        8. ironSource shall use the email address provided in accordance with Subsection 12.2 of this Addendum, to the extent ironSource is required to notify Partner about a Personal Data Breach under clause 8.6(c) of the 2021 Standard Contractual Clauses;
        9. any audit pursuant to clause 8.9(d) of the 2021 Standard Contractual Clauses shall be carried out in accordance with and subject to Section 15 of this Addendum;
        10. the information as required by Annex I of the 2021 Standard Contractual Clauses is as set out in Part A and Part B (column (i)) of Schedule 2;
        11. the technical and organizational measures required by Annex II of the 2021 Standard Contractual Clauses are as set out in Part B (column (i)) of Schedule 2 and in Part A of Schedule 3; and
        12. for the purposes of clause 17 of the 2021 Standard Contractual Clauses, option 1 applies and the 2021 Standard Contractual Clauses shall be governed by the laws of Ireland and for the purposes of clause 18(b) of the 2021 Standard Contractual Clauses, the selected courts are the courts of Ireland.
      3. UK transfers. For the purposes of the 2010 C2P Standard Contractual Clauses that apply pursuant to Subsection 1.2 of this Part A, the Parties agree the following:
        1. ironSource is the data importer and Partner is the data exporter under the C2P Standard Contractual Clauses;
        2. in relation to clause 12(1) of the 2010 C2P Standard Contractual Clauses, the Partner agrees that it elects to have the Partner Personal Data deleted in accordance with Subsection 14.2 of this Addendum;
        3. any audit pursuant to clauses 5(f) and 12(2) of the 2010 C2P Standard Contractual Clauses (insofar as they relate to audit requests made by the data exporter) shall be carried out in accordance with and subject to Section 15 of this Addendum;
        4. the information required by Appendix I of the 2010 C2P Standard Contractual Clauses is as set out in Part A and Part B (column (i)) of Schedule 2;
        5. the technical and organizational measures required by Appendix II of the 2010 C2P Standard Contractual Clauses are as set out in Part A of Schedule 3; and
        6. the governing law of the 2010 C2P Standard Contractual Clauses shall be the law of the country in the United Kingdom in which the data exporter is established.
      4. Swiss transfers. For the purposes of the Swiss 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.3 of this Part A, the Parties agree that the terms of Section 2 of this Part A shall also apply.

Part B – Restricted Transfers of Partner Personal Data to ironSource as a Controller

      1. In relation to Restricted Transfers of Partner Personal Data from Partner to ironSource where ironSource Processes such Partner Personal Data as a Controller, the Parties agree that:
        1. the 2021 Standard Contractual Clauses shall apply, subject to Section 2 of this Part B, to the transfer of Partner Personal Data where such transfer is subject to the EU GDPR;
        2. the 2004 C2C Standard Contractual Clauses shall apply, subject to Section 3 of this Part B, to the transfer of Partner Personal Data where such transfer originates from the UK and is subject to UK GDPR; and
        3. the Swiss 2021 Standard Contractual Clauses shall apply, subject to Section 4 of this Part B, to the transfer of Partner Personal Data where such transfer is subject to the FADP;

and in each case such Standard Contractual Clauses form part of this Addendum and signature to and dating of the Principal Agreement shall constitute all required signatures and dates for the 2021 Standard Contractual Clauses, the Swiss 2021 Standard Contractual Clauses and the 2004 C2C Standard Contractual Clauses.

      2. EEA Transfers. For the purposes of the 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.1 of this Part B, the Parties agree the following:
        1. the text from module one of the 2021 Standard Contractual Clauses shall apply and no other modules or any clauses marked as optional in the 2021 Standard Contractual Clauses shall apply;
        2. ironSource is the data importer and Partner is the data exporter;
        3. ironSource shall use the email address provided in accordance with Subsection 12.2 of this Addendum, to the extent ironSource is required to notify Partner about a Personal Data Breach under clause 8.5(e) of the 2021 Standard Contractual Clauses;
        4. the information required by Annex I of the 2021 Standard Contractual Clauses is as set out in Part A and Part C (column (i)) of Schedule 2;
        5. the technical and organizational measures required by Annex II of the 2021 Standard Contractual Clauses are as set out in Part C (column (i)) of Schedule 2 and in Part A of Schedule 3; and
        6. for the purposes of clause 17 of the 2021 Standard Contractual Clauses, option 1 applies and the 2021 Standard Contractual Clauses shall be governed by the laws of Ireland and for the purposes of clause 18(b) of the 2021 Standard Contractual Clauses, the selected courts are the courts of Ireland.
      3. UK Transfers. For the purposes of the 2004 C2C Standard Contractual Clauses that apply pursuant to Subsection 1.2 of this Part B, the Parties agree the following:
        1. ironSource is the data importer and Partner is the data exporter;
        2. any audit pursuant to clause ii(g) of the 2004 C2C Standard Contractual Clauses shall be carried out in accordance with and subject to Section 15 of this Addendum;
        3. the information required by Annex B of the 2004 C2C Standard Contractual Clauses is as set out in Part A and C (column (i)) of Schedule 2; and
        4. the governing law of the 2004 C2C Standard Contractual Clauses shall be the country in which the Partner is established.
      4. Swiss Transfers. For the purposes of the Swiss 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.3 of this Part B, the Parties agree that the terms of Section 2 of this Part B shall also apply.

Part C – Restricted Transfers of Partner Personal Data to Partner from ironSource as a Processor on behalf of Partner

      1. In relation to Restricted Transfers of Partner Personal Data to Partner from ironSource where ironSource Processes such Partner Personal Data as a Processor on behalf of the Partner, the Parties agree that:
        1. the 2021 Standard Contractual Clauses shall apply, subject to Section 2 of this Part C, to the transfer of Partner Personal Data where such transfer is subject to the EU GDPR;
        2. the Swiss 2021 Standard Contractual Clauses shall apply, subject to Section 3 of this Part C, to the transfer of Partner Personal Data where such transfer is subject to the FADP,

and in each case such Standard Contractual Clauses form part of this Addendum and signature to and dating of the Principal Agreement shall constitute all required signatures and dates for the 2021 Standard Contractual Clauses and the Swiss 2021 Standard Contractual Clauses.

      2. EEA transfers. For the purposes of the 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.1 of this Part C, the Parties agree the following:
        1. the text from module four of the 2021 Standard Contractual Clauses shall apply and no other modules or any clauses marked as optional in the 2021 Standard Contractual Clauses shall apply;
        2. Partner is the data importer and ironSource is the data exporter;
        3. in relation to clause 8.1(d) of the 2021 Standard Contractual Clauses, the Partner agrees that it elects to have the Partner Personal Data deleted in accordance with Subsection 14.2 of this Addendum;
        4. ironSource shall use the email address provided in accordance with Subsection 12.2 of this Addendum, to the extent ironSource is required to notify Partner about a Personal Data Breach under clause 8.2(b) of the 2021 Standard Contractual Clauses;
        5. any audit pursuant to clause 8.3(b) of the 2021 Standard Contractual Clauses shall be carried out in accordance with and subject to Section 15 of this Addendum;
        6. the information as required by Annex I of the 2021 Standard Contractual Clauses is as set out in Part A and Part B (column (ii)) of Schedule 2;
        7. for the purposes of clause 17 of the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses shall be governed by the laws of Ireland and for the purposes of clause 18 of the 2021 Standard Contractual Clauses, the selected courts are the courts of Ireland.
      3. Swiss transfers. For the purposes of the Swiss 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.2 of this Part C, the Parties agree that the terms of Section 2 of this Part C shall also apply.

 

Part D – Restricted Transfers of Partner Personal Data to Partner from ironSource as a Controller

      1. In relation to Restricted Transfers of Publisher Personal Data to Partner from ironSource where ironSource Processes such Publisher Personal Data as a Controller, the Parties agree that:
        1. the 2021 Standard Contractual Clauses shall apply, subject to Section 2 of this Part D, to the transfer of Publisher Personal Data where such transfer is subject to the EU GDPR;
        2. the Swiss 2021 Standard Contractual Clauses shall apply, subject to Section 3 of this Part D, to the transfer of Publisher Personal Data where such transfer is subject to the FADP;

and in each case such Standard Contractual Clauses form part of this Addendum and signature to and dating of the Principal Agreement shall constitute all required signatures and dates for the 2021 Standard Contractual Clauses and the Swiss 2021 Standard Contractual Clauses.

      2. EEA Transfers. For the purposes of the 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.1 of this Part D, the Parties agree the following:
        1. the text from module one of the 2021 Standard Contractual Clauses shall apply and no other modules or any clauses marked as optional in the 2021 Standard Contractual Clauses shall apply;
        2. Partner is the data importer and ironSource is the data exporter;
        3. the information required by Annex I of the 2021 Standard Contractual Clauses is as set out in Part A and Part C (column (ii)) of Schedule 2;
        4. the technical and organizational measures required by Annex II of the 2021 Standard Contractual Clauses are as set out in Part C (column (ii)) of Schedule 2 and Part B of Schedule 3; and
        5. for the purposes of clause 17 of the 2021 Standard Contractual Clauses, option 1 applies and the 2021 Standard Contractual Clauses shall be governed by the laws of Ireland and for the purposes of clause 18(b) of the 2021 Standard Contractual Clauses, the selected courts are the courts of Ireland.
      3. Swiss Transfers. For the purposes of the Swiss 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.2 of this Part D, the Parties agree that the terms of Section 2 of this Part D shall also apply.

Part E – Restricted Transfers of Partner Personal Data from Partner to Device Manufacturer as a Controller

      1. In relation to Restricted Transfers of Partner Personal Data from Partner to Device Manufacturer where Device Manufacturer Processes such Partner Personal Data as a Controller, the Parties agree that:
        1. the 2021 Standard Contractual Clauses shall apply, subject to Section 2 of this Part E, to the transfer of Partner Personal Data where such transfer is subject to the EU GDPR;
        2. the 2004 C2C Standard Contractual Clauses shall apply, subject to Section 3 of this Part E, to the transfer of Partner Personal Data where such transfer originates from the UK and is subject to UK GDPR; and
        3. the Swiss 2021 Standard Contractual Clauses shall apply, subject to Section 4 of this Part E, to the transfer of Partner Personal Data where such transfer is subject to the FADP;

and in each case such Standard Contractual Clauses form part of this Addendum and signature to and dating of the Principal Agreement shall constitute all required signatures and dates for the 2021 Standard Contractual Clauses, the Swiss 2021 Standard Contractual Clauses and the 2004 C2C Standard Contractual Clauses. For the purposes of this Part E, a Restricted Transfer to Device Manufacturer includes transfers made via ironSource as a Processor on behalf of Device Manufacturer.

      2. EEA Transfers. For the purposes of the 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.1 of this Part E, the Parties agree the following:
        1. the text from module one of the 2021 Standard Contractual Clauses shall apply and no other modules or any clauses marked as optional in the 2021 Standard Contractual Clauses shall apply;
        2. Device Manufacturer is the data importer and Partner is the data exporter;
        3. Device Manufacturer shall use the email address provided in accordance with Subsection 12.2 of this Addendum, to the extent Device Manufacturer is required to notify Partner about a Personal Data Breach under clause 8.5(e) of the 2021 Standard Contractual Clauses;
        4. the information required by Annex I of the 2021 Standard Contractual Clauses is as set out in Part A and Part D (column (i)) of Schedule 2;
        5. the technical and organizational measures required by Annex II of the 2021 Standard Contractual Clauses are as set out in Part D (column (i)) of Schedule 2 and in Part A of Schedule 3; and
        6. for the purposes of clause 17 of the 2021 Standard Contractual Clauses, option 1 applies and the 2021 Standard Contractual Clauses shall be governed by the laws of Ireland and for the purposes of clause 18(b) of the 2021 Standard Contractual Clauses, the selected courts are the courts of Ireland, unless otherwise specified in platform.ironsrc.com/partners/funds/company/info (Partners who don’t have access to that page may approach their ironSource contact for that information).
      3. UK Transfers. For the purposes of the 2004 C2C Standard Contractual Clauses that apply pursuant to Subsection 1.2 of this Part E, the Parties agree the following:
        1. Device Manufacturer is the data importer and Partner is the data exporter;
        2. the information required by Annex B of the 2004 C2C Standard Contractual Clauses is as set out in Part A and D (column (i)) of Schedule 2; and
        3. the governing law of the 2004 C2C Standard Contractual Clauses shall be the laws of England and Wales.
      4. Swiss Transfers. For the purposes of the Swiss 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.3 of this Part E, the Parties agree that the terms of Section 2 of this Part E shall also apply.

 

Part F – Restricted Transfers of Device Manufacturer Personal Data from Device Manufacturer to Partner as a Controller

      1. In relation to Restricted Transfers of Device Manufacturer Personal Data from Device Manufacturer to Partner where Partner Processes such Device Manufacturer Personal Data as a Controller, the Parties agree that:
        1. the 2021 Standard Contractual Clauses shall apply, subject to Section 2 of this Part F, to the transfer of Device Manufacturer Personal Data where such transfer is subject to the EU GDPR;
        2. the 2004 C2C Standard Contractual Clauses shall apply, subject to Section 3 of this Part F, to the transfer of Device Manufacturer Personal Data where such transfer originates from the UK and is subject to UK GDPR; and
        3. the Swiss 2021 Standard Contractual Clauses shall apply, subject to Section 4 of this Part F, to the transfer of Device Manufacturer Personal Data where such transfer is subject to the FADP;

and in each case such Standard Contractual Clauses form part of this Addendum and signature to and dating of the Principal Agreement shall constitute all required signatures and dates for the 2021 Standard Contractual Clauses, the Swiss 2021 Standard Contractual Clauses and the 2004 C2C Standard Contractual Clauses. For the purposes of this Part F, a Restricted Transfer to Partner includes transfers made via ironSource as a Processor on behalf of Device Manufacturer.

      2. EEA Transfers. For the purposes of the 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.1 of this Part F, the Parties agree the following:
        1. the text from module one of the 2021 Standard Contractual Clauses shall apply and no other modules or any clauses marked as optional in the 2021 Standard Contractual Clauses shall apply;
        2. Device Manufacturer is the data exporter and Partner is the data importer;
        3. the information required by Annex I of the 2021 Standard Contractual Clauses is as set out in Part A and Part D (column (ii)) of Schedule 2;
        4. the technical and organizational measures required by Annex II of the 2021 Standard Contractual Clauses are as set out in Part D (column (ii)) of Schedule 2 and in Part B of Schedule 3; and
        5. for the purposes of clause 17 of the 2021 Standard Contractual Clauses, option 1 applies and the 2021 Standard Contractual Clauses shall be governed by the laws of Ireland and for the purposes of clause 18(b) of the 2021 Standard Contractual Clauses, the selected courts are the courts of Ireland, unless otherwise specified in platform.ironsrc.com/partners/funds/company/info (Partners who don’t have access to that page may approach their ironSource contact for that information).
      3. UK Transfers. For the purposes of the 2004 C2C Standard Contractual Clauses that apply pursuant to Subsection 1.2 of this Part E, the Parties agree the following:
        1. Device Manufacturer is the data exporter and Partner is the data importer;
        2. the information required by Annex B of the 2004 C2C Standard Contractual Clauses is as set out in Part A and D (column (ii)) of Schedule 2; and
        3. the governing law of the 2004 C2C Standard Contractual Clauses shall be the laws of England and Wales.
      4. Swiss Transfers. For the purposes of the Swiss 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.3 of this Part F, the Parties agree that the terms of Section 2 of this Part F shall also apply.

 

Part G – UK Restricted Transfers

      1. From such time as the UK Addendum is in force, the parties agree that the 2010 C2P Standard Contractual Clauses shall no longer apply, and the UK Addendum shall apply to the Parties in relation to the transfers of Partner Personal Data referenced in Subsection 1.2 of Part A of this Schedule 1 and, to the extent such clauses can be applied, in relation to any other Restricted Transfers of Partner Personal Data from Partner to ironSource where ironSource Processes such Partner Personal Data as a Processor on behalf of Partner and such transfer is subject to UK GDPR. In each case the terms set out in Section 2 of Part A of this Schedule 1 shall also apply to the UK Addendum applicable under this Section 1 of this Part G and, as permitted by clause 17 of the UK Addendum, the Parties agree to change the format of the information set out in Part 1 of the UK Addendum so that:
        1. the details of the parties in Table 1 of the UK Addendum shall be as set out in Schedule 2 (with no requirement for signature);
        2. for the purposes of Table 2 of the UK Addendum, the UK Addendum shall be appended to the 2021 Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as set out in Subsection 2.1 of Part A of this Schedule 1) and Subsection 2.3 of Part A of this Schedule 1 selects the option and timescales for clause 9; and
        3. the appendix information listed in Table 3 of the UK Addendum is set out in Part A and Part B (column (i)) of Schedule 2 and in Part A of Schedule 3.
      2. From such time as the UK Addendum is in force, the parties agree that the 2004 C2C Standard Contractual Clauses shall no longer apply and the UK Addendum shall apply to the Parties in relation to the transfers of Partner Personal Data referenced in Subsection 1.2 of Part B of this Schedule 1 and, to the extent such clauses can be applied, in relation to any other Restricted Transfers of Partner Personal Data from Partner to ironSource where ironSource Processes such Partner Personal Data as a Controller and such transfer is subject to UK GDPR. In each case the terms set out in Section 2 of Part B of this Schedule 1 shall also apply to the UK Addendum applicable under this Section 2 of this Part G and, as permitted by clause 17 of the UK Addendum, the Parties agree to change the format of the information set out in Part 1 of the UK Addendum so that:
        1. the details of the parties in Table 1 of the UK Addendum shall be as set out in Schedule 2 (with no requirement for signature);
        2. for the purposes of Table 2 of the UK Addendum, the UK Addendum shall be appended to the 2021 Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as set out in Subsection 2.1 of Part B of this Schedule 1); and
        3. the appendix information listed in Table 3 of the UK Addendum is set out in Part A and Part C (column (i)) of Schedule 2 and in Part A of Schedule 3.
      3. When the UK Addendum is in force, the Parties agree that the UK Addendum shall apply to the Parties in relation to:
        1. transfers of Partner Personal Data to Partner from ironSource where ironSource Processes such Partner Personal Data as a Processor on behalf of Partner where such transfer is subject to UK GDPR. In this case, the terms set out in Section 2 of Part C of this Schedule 1 shall also apply to the UK Addendum applicable under this Subsection 3.1 of this Part G and, as permitted by clause 17 of the UK Addendum, the Parties agree to change the format of the information set out in Part 1 of the UK Addendum so that:
          1. the details of the parties in Table 1 of the UK Addendum shall be as set out in Schedule 2 (with no requirement for signature);
          2. for the purposes of Table 2 of the UK Addendum, the UK Addendum shall be appended to the 2021 Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as set out in Subsection 2.1 of Part C of this Schedule 1) and Partner Personal Data received from the importer is combined with personal data collected by the exporter; and
          3. the appendix information listed in Table 3 of the UK Addendum is set out in Part A and Part B (column (ii)) of Schedule 2; and
        2. transfers of Partner Personal Data to Partner from ironSource where ironSource Processes such Partner Personal Data as a Controller where such transfer is subject to UK GDPR. In this case, the terms set out in Section 2 of Part D of this Schedule 1 shall also apply to the UK Addendum applicable under this Subsection 3.2 of this Part G and, as permitted by clause 17 of the UK Addendum, the Parties agree to change the format of the information set out in Part 1 of the UK Addendum so that:
          1. the details of the parties in Table 1 of the UK Addendum shall be as set out in Schedule 2 (with no requirement for signature);
          2. for the purposes of Table 2 of the UK Addendum, the UK Addendum shall be appended to the 2021 Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as set out in Subsection 2.1 of Part D of this Schedule 1); and
          3. the appendix information listed in Table 3 of the UK Addendum is set out in Part A and Part C (column (ii)) of Schedule 2 and Part B of Schedule 3.
      4. From such time as the UK Addendum is in force, the parties agree that the 2004 C2C Standard Contractual Clauses shall no longer apply, and the UK Addendum shall apply to the Partner and Device Manufacturer in relation to the transfers of Partner Personal Data referenced in Subsection 1.2 of Part E of this Schedule 1. In each case the terms set out in Section 2 of Part E of this Schedule 1 shall also apply to the UK Addendum applicable under this Section 4 of this Part G and, as permitted by clause 17 of the UK Addendum, the Parties agree to change the format of the information set out in Part 1 of the UK Addendum so that:
        1. the details of the parties in Table 1 of the UK Addendum shall be as set out in Schedule 2 (with no requirement for signature);
        2. for the purposes of Table 2 of the UK Addendum, the UK Addendum shall be appended to the 2021 Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as set out in Subsection 2.1 of Part E of this Schedule 1); and
        3. the appendix information listed in Table 3 of the UK Addendum is set out in Part A and Part D (column (i)) of Schedule 2 and in Part A of Schedule 3.
      5. From such time as the UK Addendum is in force, the parties agree that the 2004 C2C Standard Contractual Clauses shall no longer apply, and the UK Addendum shall apply to the Partner and Device Manufacturer in relation to the transfers of Device Manufacturer Personal Data referenced in Subsection 1.2 of Part F of this Schedule 1. In each case the terms set out in Section 2 of Part F of this Schedule 1 shall also apply to the UK Addendum applicable under this Section 5 of this Part G and, as permitted by clause 17 of the UK Addendum, the Parties agree to change the format of the information set out in Part 1 of the UK Addendum so that:
        1. the details of the parties in Table 1 of the UK Addendum shall be as set out in Schedule 2 (with no requirement for signature);
        2. for the purposes of Table 2 of the UK Addendum, the UK Addendum shall be appended to the 2021 Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as set out in Subsection 2.1 of Part F of this Schedule 1); and
        3. the appendix information listed in Table 3 of the UK Addendum is set out in Part A and Part D (column (ii)) of Schedule 2 and in Part B of Schedule 3.
      6. The Parties agree, notwithstanding anything to the contrary in the Principal Agreement, that ironSource may make any amendments to the application of the 2021 Standard Contractual Clauses, the application of the UK Addendum and/or any other amendments to this Part G in respect of transfers of Partner Personal Data, Publisher Personal Data and/or Device Manufacturer Personal Data where such transfer is subject to UK GDPR as it deems necessary in order to implement any replacement standard contractual clauses as approved for use under Article 46 of the UK GDPR by notifying the Partner of any such amendments to this Addendum in writing and such amendments shall be effective upon such notice.

 

 

SCHEDULE 2

DETAILS OF PROCESSING OF PERSONAL DATA

A. List of parties

  • Data exporter in relation to relevant Restricted Transfers from Partner to ironSource and Partner to Device Manufacturer
  • Data importer in relation to relevant Restricted Transfers from ironSource to Partner and from Device Manufacturer to Partner
Partner, as identified in the Principal Agreement and/or in the Partner Account

  • Address: As specified in the Principal Agreement and/or in the Partner Account.
  • Contact person’s name, position and contact details, including any contact person with responsibility for data protection: As specified in the Principal Agreement and/or in the Partner Account and as specified in the next bullet point.
  • Data protection officer identity and contact details and/or representative in the EEA (if applicable): Details about the data exporter’s data protection officer (or, where the data exporter has not appointed a data protection officer, another appropriate point of contact) and/or representative are available to the data importer in the form of the email address provided in accordance with Subsection 12.2 of this Addendum.
  • Activities relevant to Personal Data transferred under the Standard Contractual Clauses: As set out in Part B, Part C and Part D of this Schedule 2 (as appropriate).
  • Role: Controller

  • Data importer in relation to relevant Restricted Transfers from Partner to ironSource
  • Data exporter in relation to relevant Restricted Transfers from ironSource to Partner
ironSource Mobile Ltd.

  • Address: 121 Menachem Begin Rd., Tel Aviv, Israel
  • Contact person’s name, position and contact details, including any contact person with responsibility for data protection: Ido Chernobroda, DPO, dpo@ironsrc.com.
  • Activities relevant to Personal Data transferred under the Standard Contractual Clauses: As set out in Part B and Part C of this Schedule 2 (as appropriate).
  • Role:
    • Processor (when module 2 or 4 of the 2021 Standard Contractual Clauses or of the Swiss 2021 Standard Contractual Clauses, or the 2010 C2P Standard Contractual Clauses apply)
    • Controller (when module 1 of the 2021 Standard Contractual Clauses or of the Swiss 2021 Standard Contractual Clauses, or the 2004 C2C Standard Contractual Clauses apply)

  • Data importer in relation to relevant Restricted Transfers from Partner to Device Manufacturer
  • Data exporter in relation to relevant Restricted Transfers from Device Manufacturer to Partner
Each Device Manufacturer as identified in platform.ironsrc.com/partners/funds/company/info from time to time (Partners who don’t have access to that page may approach their ironSource contact for that information)

  • Address: As set out in platform.ironsrc.com/partners/funds/company/info from time to time
  • Contact person’s name, position and contact details, including any contact person with responsibility for data protection: As set out in platform.ironsrc.com/partners/funds/company/info from time to time
  • Activities relevant to Personal Data transferred under the Standard Contractual Clauses: As set out in Part D of this Schedule 2 (as appropriate).
  • Role:
    • Controller

 

 

 

B. ironSource as a Processor on behalf of Partner

 

Processing details

(i) Relevant Restricted Transfers from Partner to ironSource
(ii) Relevant Restricted Transfers from ironSource to Partner

1. Subject-matter of the Processing

(i) Personal Data will be Processed to allow ironSource to provide the Processor Services pursuant to the Principal Agreement and this Addendum.

(ii) As set out in the previous column.

2. Nature of Processing and Processing operations

(i) ironSource will Process (including, as applicable to the Processor Services and the instructions set forth in this Addendum, collect, record, organize, structure, store, alter, retrieve, use, disclose, combine, erase and destroy) Partner Personal Data for the following purposes:

(a) Providing the Processor Services.

(b) Providing any related technical support to Partner in accordance with this Addendum.

(ii) ironSource will disclose Partner Personal Data to Partner concerning revenue associated with an advertisement served by ironSource in a Partner’s application.

3. The obligations and rights of Controller

(i) As set out in the Principal Agreement and this Addendum.

(ii) As set out in the Principal Agreement and this Addendum.

4. Data Subjects

(i)

  • End users of Partner from which ironSource collects Personal Data in its provision of the Processor Services.
  • End users of Partner about whom Personal Data is transferred to ironSource by Partner in connection with the Processor Services.
  • End users of Partner about whom Personal Data is transferred to ironSource by advertisers, by a third party on such advertisers’ behalf, and/or by third party data providers in connection with the Services.

(ii) As set out in the previous column.

5. Categories of Personal Data

(i)

  • Device ID
  • IP address
  • Online unique identifiers
  • Segment name (only for the Mediation Platform)
  • User ID, if provided by the Partner

(ii)

  • Device ID
  • User ID, if provided by the Partner

6. Special Categories of Personal Data

(i) N/A

(ii) N/A

7. Duration of Processing

(i) The duration of the Processor Services is subject to the Principal Agreement and Subsection 14.2 of this Addendum.

(ii) As set out in the Principal Agreement.

8. Purposes of, and further Processing following, the transfer

(i) For the purposes of the Processor Services.

(ii) For the purposes of the provision of the Processor Services.

9. Activities relevant to the Standard Contractual Clauses

(i) Data importer: Providing Processor Services in accordance with the Principal Agreement.

Data exporter: Receiving the Processor Services in accordance with the Principal Agreement.

(ii) Data exporter: Providing Processor Services in accordance with the Principal Agreement.

Data importer: Receiving the Processor Services in accordance with the Principal Agreement.

10. Applied restrictions or safeguards for Special Categories of Personal Data [1]

(i) N/A

(ii) N/A

11. Frequency of transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis)

(i) Continuous transfer during the term of the Principal Agreement

(ii) As set out in the previous column.

12. Retention period for or, if that is not possible, criteria used to determine retention period

(i) As set out in row 7 above.

(ii) As set out in the previous column.

13. Supplemental technical and organizational measures

(i) As set out here from time to time: https://developers.ironsrc.com/ironsource-mobile/19783-2/

(ii) N/A

14. Competent Supervisory Authority

(i) For transfers subject to the EU GDPR, the competent supervisory authority for the purposes of clause 13(a) and Annex 1, Part C of the 2021 Standard Contractual Clauses is: (i) the EEA Member State in which the data exporter is established where the data exporter is established in the EEA according to the information set out in Part A of this Addendum; or (ii) the Irish Supervisory Authority, the Data Protection Commission, where the data exporter is not established in the EEA unless the data exporter notifies the data importer of an alternative competent Supervisory Authority (which shall either be the EEA Member State in which the data exporter has a representative or an EEA Member State in which the data subjects whose Partner Personal Data is transferred by the data exporter in relation to the offering of goods or services to them, or whose behaviour is monitored, are located).

For transfers subject to the UK GDPR, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the UK Information Commissioner’s Office.

For transfers subject to the FADP, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the Swiss Federal Data Protection and Information Commissioner.

(ii) N/A

 

 

C. ironSource as a Controller

 

Processing details

 

(i) Relevant Restricted Transfers from Partner to ironSource
(ii) Relevant Restricted Transfers from ironSource to Partner

1. Purposes of the Processing and further Processing following the transfer

(i) Provision of the applicable Services and of any related technical support to Partner in accordance with the Principal Agreement, compliance with legal obligations and as set out in ironSource’s privacy policy available at https://developers.ironsrc.com/ironsource-mobile/air/ironsource-mobile-privacy-policy/.

(ii) Publisher Personal Data is transferred for the purposes of Authorized Processing of Third-Party Personal Data.

2. Data Subjects

(i)

  • End users of Partner from which ironSource collects Personal Data in its provision of the Services.
  • End users of Partner about whom Personal Data is transferred to ironSource by Partner in connection with the Services.
  • End users of Partner about whom Personal Data is transferred to ironSource by advertisers, by a third party on such advertisers’ behalf, and/or by third party data providers in connection with the Services.

(ii) End users of a third-party app developer who are served with a Partner’s advertisement by ironSource.

3. Categories of Personal Data

(i)

  • Device ID
  • IP address
  • Online unique identifiers
  • User ID, if provided by the Partner

(ii)

  • Device ID
  • Online unique identifiers

4. Special Categories of Personal Data

(i) N/A

(ii) N/A

5. Nature of transfer

(i) As described in row 1.

(ii) As described in row 1

6. Activities relevant to the Standard Contractual Clauses

(i) Data exporter: Receipt of the applicable Services from the data importer in accordance with the Principal Agreement.

Data importer: Provision of the applicable Services and of any related technical support to data exporter, and Processing in accordance with ironSource’s privacy policy, available at https://developers.ironsrc.com/ironsource-mobile/air/ironsource-mobile-privacy-policy/.

(ii) Data exporter: To enable the Authorized Processing of Third-Party Personal Data

Data importer: To enable the Authorized Processing of Third-Party Personal Data

7. Applied restrictions or safeguards for Special Categories of Personal Data [2]

(i) N/A

(ii) N/A

8. Frequency of transfer (e.g., whether the Personal Data is transferred on a one-off or continuous basis)

(i) Continuous transfer during the term of the Principal Agreement

(ii) As set out in the previous column.

9. Retention period for or criteria used to determine retention period

(i) Partner Personal Data will be retained by data importer in accordance with its data retention policies specified at https://developers.ironsrc.com/ironsource-mobile/19783-2/ (as may be updated from time to time).

(ii) Publisher Personal Data will be retained by Partner for a reasonable period based on the applicable limitation period for contractual claims.

10. Supplemental technical and organizational measures

(i) As set out here from time to time: https://developers.ironsrc.com/ironsource-mobile/19783-2/

(ii) As set out in Part B of Schedule 3.

11. Competent Supervisory Authority

(i) For transfers subject to the EU GDPR, the competent supervisory authority for the purposes of clause 13(a) and Annex 1, Part C of the 2021 Standard Contractual Clauses is: (i) the EEA Member State in which the data exporter is established where the data exporter is established in the EEA according to the information set out in Part A of this Addendum; or (ii) the Irish Supervisory Authority, the Data Protection Commission, where the data exporter is not established in the EEA unless the data exporter notifies the data importer of an alternative competent Supervisory Authority (which shall either be the EEA Member State in which the data exporter has a representative or an EEA Member State in which the data subjects whose Partner Personal Data is transferred by the data exporter in relation to the offering of goods or services to them, or whose behaviour is monitored, are located).

For transfers subject to the UK GDPR, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the UK Information Commissioner’s Office.

For transfers subject to the FADP, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the Swiss Federal Data Protection and Information Commissioner.

(ii) For transfers subject to the EU GDPR, the competent supervisory authority for the purposes of clause 13(a) and Annex 1, Part C of the 2021 Standard Contractual Clauses is the Irish Supervisory Authority, the Data Protection Commission.

For transfers subject to the UK GDPR, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the UK Information Commissioner’s Office.

For transfers subject to the FADP, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the Swiss Federal Data Protection and Information Commissioner.

12. Recipients of Personal Data

(i) Advertisers, app developers, ironSource Affiliates, Subprocessors, any entity which succeeds ironSource as a result of a business transition such as merger, acquisition or a sale of assets, and as required to comply with legal obligations or to establish or exercise ironSource’s rights or to defend against legal claims.

(ii) N/A

D. Restricted Transfers between Partner and Device Manufacturer

 

Processing details

 

(i) Relevant Restricted Transfers from Partner to Device Manufacturer
(ii) Relevant Restricted Transfers from Device Manufacturer to Partner

1. Purposes of the Processing and further Processing following the transfer

(i) To enable ironSource’s provision of the applicable Services in accordance with the Principal Agreement and of any related technical support to Partner

(ii) Device Manufacturer Personal Data is transferred for the purposes of Authorized Processing of Third-Party Personal Data.

2. Data Subjects

(i) End users of Partner about whom Personal Data is transferred to ironSource by advertisers, by a third party on such advertisers’ behalf, and/or by third party data providers in connection with the Services.

(ii) End users of a mobile device of a Device Manufacturer

3. Categories of Personal Data

(i)

  • Device ID
  • IP address
  • Online unique identifiers

(ii)

  • Device ID
  • Online unique identifiers

4. Special Categories of Personal Data

(i) N/A

(ii) N/A

5. Nature of transfer

(i) As described in row 1.

(ii) As described in row 1

6. Activities relevant to the Standard Contractual Clauses

(i) Data exporter: Receipt of the applicable Services from ironSource in accordance with the Principal Agreement.

Data importer: To enable ironSource’s provision of the applicable Services and of any related technical support to Partner.

(ii) Data exporter: To enable the Authorized Processing of Third-Party Personal Data

Data importer: To enable the Authorized Processing of Third-Party Personal Data

7. Applied restrictions or safeguards for Special Categories of Personal Data [3]

(i) N/A

(ii) N/A

8. Frequency of transfer (e.g., whether the Personal Data is transferred on a one-off or continuous basis)

(i) Continuous transfer during the term of the Principal Agreement

(ii) As set out in the previous column.

9. Retention period for or criteria used to determine retention period

(i) As set out here from time to time: https://developers.ironsrc.com/ironsource-mobile/19783-2/

(ii) Device Manufacturer Personal Data will be retained by Partner for a reasonable period based on the applicable limitation period for contractual claims.

10. Supplemental technical and organizational measures

(i) As set out here from time to time: https://developers.ironsrc.com/ironsource-mobile/19783-2/

(ii) As set out in Part B of Schedule 3.

11. Competent Supervisory Authority

(i) For transfers subject to the EU GDPR, the competent supervisory authority for the purposes of clause 13(a) and Annex 1, Part C of the 2021 Standard Contractual Clauses is: (i) the EEA Member State in which the data exporter is established where the data exporter is established in the EEA according to the information set out in Part A of this Addendum; or (ii) the Irish Supervisory Authority, the Data Protection Commission, where the data exporter is not established in the EEA unless the data exporter notifies the data importer of an alternative competent Supervisory Authority (which shall either be the EEA Member State in which the data exporter has a representative or an EEA Member State in which the data subjects whose Partner Personal Data is transferred by the data exporter in relation to the offering of goods or services to them, or whose behaviour is monitored, are located).

For transfers subject to the UK GDPR, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the UK Information Commissioner’s Office.

For transfers subject to the FADP, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the Swiss Federal Data Protection and Information Commissioner.

(ii) For transfers subject to the EU GDPR, the competent supervisory authority for the purposes of clause 13(a) and Annex 1, Part C of the 2021 Standard Contractual Clauses is as identified in platform.ironsrc.com/partners/funds/company/info in respect of the relevant Device Manufacturer (Partners who don’t have access to that page may approach their ironSource contact for that information).

For transfers subject to the UK GDPR, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the UK Information Commissioner’s Office.

For transfers subject to the FADP, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the Swiss Federal Data Protection and Information Commissioner.

12. Recipients of Personal Data

(i) Device Manufacturer, Device Manufacturer Affiliates, Processors, any entity which succeeds Device Manufacturer as a result of a business transition such as merger, acquisition or a sale of assets, and as required to comply with legal obligations or to establish or exercise Device Manufacturer’s rights or to defend against legal claims.

(ii) Partner, its Processors, any entity which succeeds Partner as a result of a business transition such as merger, acquisition or a sale of assets, and as required to comply with legal obligations or to establish or exercise Partner’s rights or to defend against legal claims.

 

 

SCHEDULE 3

Technical and Organizational Measures

PART A – Relevant Restricted Transfers from Partner to ironSource

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ironSource shall in relation to the Partner Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR, and as shall be further detailed at: https://developers.ironsrc.com/ironsource-mobile/19783-2/.

Notwithstanding any provision to the contrary otherwise agreed to by Partner, ironSource may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices and ironSource updates the information within the aforementioned link. The Parties agree that such modifications or updates from time to time shall form part of this Part A of Schedule 3.

PART B – Relevant Restricted Transfers from ironSource to Partner / Device Manufacturer to Partner

If Partner Processes Publisher Personal Data and/or Device Manufacturer Personal Data under the provisions of this Addendum, Partner hereby represents and warrants it has implemented measures at least equivalent to the technical and organizational measures as set out in this link from time to time (https://developers.is.com/ironsource-mobile/general/160322-2/), in addition to any other measures specified in, or supplied to ironSource and/or Device Manufacturer in connection with the Principal Agreement.

ironSource State Data Privacy Addendum (United States)

This State Data Privacy Addendum (“Addendum”) forms an integral part of your agreement(s) as a Partner utilizing the ironSource Platform and/or ironSource’s Services (“Principal Agreement”) between: (i) ironSource Mobile Ltd. (even if the Principal Agreement is with a different ironSource Affiliate) (ironSource); and (ii) the entity and/or person specified in the Partner Account or the Principal Agreement as the Partner using the Services (“Partner”).

RECITALS:

  1. The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the Principal Agreement.  Except as modified below, the terms of the Principal Agreement shall remain in full force and effect. 
  2. In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Principal Agreement.  Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.
  3. Partner and ironSource have entered into a Principal Agreement pursuant to which ironSource will provide certain products or Services to Partner. ironSource’s liability for this Addendum is limited to the period of the validity of the Principal Agreement, i.e., the period during which ironSource is contracted by Partner for the provision of the Services.
  4. To the extent that the provision of such Services involves the Processing of Partner Personal Data and/or Publisher Personal Data, the parties have agreed to enter into this Addendum for the purposes of driving compliance with the State Privacy Laws.

  1. Definitions
    1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
      1. “Growth Services” means ironSource’s advertising, user acquisition and app growth services, that allow Partner to promote and advertise Apps and products.
      2. “Partner Personal Data” means any Personal Data provided or made available by (or provided on behalf of) Partner and Processed by ironSource or its Subprocessors for the performance of or in connection with the Principal Agreement.
      3. “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
      4. “Personal Data Breach” means a breach of security leading to the accidental or unlawful loss, destruction, alteration, or unauthorized disclosure of, or access to Partner Personal Data.
      5. “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available.  The terms “Process,” “Processes,” and “Processed” shall have the same meaning.
      6. “Processor Services” are the services for which ironSource acts as a Service Provider or Processor to Partner, as detailed in the table in Section 3 below.
      7. “Publisher Personal Data” means Personal Data shared by ironSource with Partner and/or any other person on Partner’s behalf, in connection with the Growth Services, concerning end users of an application of a third-party app developer.
      8. “Services” means the services and other activities to be supplied to ironSource and/or ironSource Affiliates in connection with the Principal Agreement.
      9. “State Privacy Laws” means all applicable state data protection and data privacy laws and regulations of the United States, including but not limited to the California Privacy Rights Act and regulations issued thereunder, including laws and regulations that are enacted or become effective after the Effective Date.
      10. “Subprocessor” means:
        1. Any entity (not including ironSource personnel) appointed by or on behalf of ironSource to Process Partner Personal Data on behalf of Partner for the performance of the Principal Agreement; or
        2. Any entity (not including Partner personnel) appointed by or on behalf of Partner to Process Publisher Personal Data on behalf of ironSource for the purpose of Authorized Processing of Publisher Personal Data.
    2. In this Addendum, the terms “Business”, “Consumer”, “Controller”, “Processor”, “Service Provider”, and “Third Party” shall have the same meanings as in State Privacy Laws, and their cognate terms shall be construed accordingly.
  2. Application of This Addendum
    1. This Addendum shall apply only to the extent that State Privacy Laws apply to the Processing of Partner Personal Data and/or Publisher Personal Data by the parties in connection with the Principal Agreement.
  3. Roles
    1. Partner hereby acknowledges that, with respect to the Processing of Partner Personal Data and/or Publisher Personal Data, the parties shall have the roles set out in the table below. The parties acknowledge and agree that specific Chapters of this Addendum apply only in certain circumstances as specified in the table below.
                    | Processing Activity | Partner’s role | ironSource’s role | Applicable Chapters of this Addendum |
                    | --- | --- | --- | --- |
                    | 1. ironSource’s Processing with respect to Partner Personal Data in connection with the Mediation Platform, the Ad-Quality Platform, and related analytics services. | Business/Controller | Service Provider/Processor to Partner | Chapter I (General Obligations), Chapter III (Processing of Partner Personal Data by ironSource as a Processor to Partner) |
                    | 2. ironSource’s Processing of Partner Personal Data for including, and/or excluding, specific advertising identifiers in or from campaigns of the Partner in connection with the Growth Services. | Business/Controller | Service Provider/Processor to Partner | Chapter I (General Obligations), Chapter III (Processing of Partner Personal Data by ironSource as a Processor to Partner) |
                    | 3. ironSource’s Processing of Partner Personal Data in connection with all other Services. | Controller/Business | Controller/Third Party | Chapter I (General Obligations), Chapter II (Processing of Partner Personal Data by ironSource as a Controller/Third Party) |
                    | 4. Partner’s Processing of Publisher Personal Data. | Service Provider/Processor to ironSource | Controller/Third Party | Chapter I (General Obligations), Chapter IV (Processing of Publisher Personal Data by Partner) |

                    Chapter I – General Obligations

                    4. Processing of Personal Data

                      1. Partner hereby represents, warrants, and undertakes that at all times during the term of the Principal Agreement:
                        1. Partner shall comply with all State Privacy Laws.
                        2. Partner shall have all required rights, licenses, and permissions to allow the Processing of Partner Personal Data by ironSource under the Principal Agreement and to make the Partner Personal Data available to ironSource in accordance with the requirements of this Addendum.
                        3. Partner shall provide all notices and choices and shall obtain all consents as required by and in compliance with State Privacy Laws with respect to any Personal Data that Partner allows ironSource to collect and/or any Personal Data that Partner transfers or makes available to ironSource, in connection with the Principal Agreement, in accordance with the requirements of this Addendum.  
                        4. When Partner Personal Data is provided or made available to ironSource by Partner or on Partner’s behalf, such transfer of Partner Personal Data shall comply with all State Privacy Laws, and the Processing of such Partner Personal Data shall not cause ironSource to be in violation of any State Privacy Laws.
                        5. Partner shall not provide to ironSource Personal Data defined as “sensitive” under State Privacy Laws.

                    Chapter II – Processing of Partner Personal Data by ironSource as a Controller/Third Party

                    5. ironSource Compliance 

                    1. When Partner provides or makes Partner Personal Data available to ironSource, ironSource agrees that: (i) ironSource will use Partner Personal Data only for the limited purposes specified in the Principal Agreement, this Addendum, and other relevant agreements between Partner and ironSource; (ii) ironSource will comply with ironSource’s obligations under State Privacy Laws, including by providing Partner Personal Data the same level of privacy protection as is required by State Privacy Laws; (iii) Partner may take reasonable and appropriate steps to help ensure that ironSource Processes Partner Personal Data in a manner consistent with Partner’s obligations under State Privacy Laws; (iv) ironSource will notify Partner if ironSource makes a determination that it can no longer meet its obligations under State Privacy Laws, and (v) upon such notice or if Partner otherwise becomes aware of ironSource’s unauthorized Processing of Partner Personal Data, Partner may take reasonable and appropriate steps to remediate such unauthorized Processing.  The parties shall negotiate in good faith to determine what steps are reasonable and appropriate.  

                    6. Opt Outs

                    1. As applicable, Partner shall provide Consumers with an opportunity to opt out of sales, sharing for targeted advertising, and Processing for targeted advertising (“Sales”).
                    2. If Partner has integrated ironSource’s SDK in Partner’s application, Partner shall implement ironSource’s opt-out API applicable to State Privacy Laws (“Opt-Out API”), in accordance with and as instructed by the documentation provided by ironSource or as otherwise made publicly available by ironSource.
                    3. If Partner shares Partner Personal Data with ironSource via a server-to-server communication (and not through ironSource’s SDK), Partner represents and warrants it has provided all notices and choices and obtained all consents as required by and in compliance with State Privacy Laws in order to transfer this Partner Personal Data to ironSource and for ironSource to Process this Partner Personal Data in accordance with this Addendum. In such event, if the Parties agree on the use of an opt-out notification mechanism, Partner shall implement such mechanism in accordance with ironSource’s written documentation or as otherwise made publicly available by ironSource.
                    4. When a Consumer exercises an opt out of Sales, Partner shall pass to ironSource an indication of that Consumer’s opt out using, as applicable: (i) ironSource’s Opt-Out API (with respect to Partner Personal Data shared by or on behalf of Partner with ironSource’s SDK); (ii) the opt-out mechanism for server-to-server communications; or (iii) an industry standard opt out signal, including via global privacy controls (together, “Opt Out Signal”). ironSource agrees to comply with such Opt Out Signal received by ironSource.
                    5. Partner represents and warrants that: (i) the Opt Out Signal is complete, accurate, and up-to-date; (ii) if consent/opt-in is obtained from a Consumer, where opt-in/consent is required for Sales, such consent/opt-in, when communicated to ironSource using the applicable opt out mechanism, shall comply with all the requirements of State Privacy Laws and ironSource’s reliance on such consent/opt-in shall not cause ironSource to be in violation of State Privacy Laws; (iii) Partner shall flag any Consumer under the age of 16 (or under an older age, as stipulated by applicable law) using the applicable opt-out mechanism as a Consumer that has opted-out of Sales, and shall also flag that Consumer as a child, in accordance with and as instructed by the documentation provided by ironSource or as otherwise made publicly available by ironSource.

                    Chapter III – Processing of Partner Personal Data by ironSource as a Processor to Partner 

                    7. Scope of Processing

                    1. The nature and purpose of ironSource’s Processing of Partner Personal Data are set forth in the Principal Agreement and in the below chart. The types of Partner Personal Data subject to the Processing are set forth in the below chart. The duration of the Processing will be for the duration of the Principal Agreement (or as otherwise defined in the Principal Agreement).  
                    1. Nature and Purpose of Processing 
                    ironSource will Process (including, as applicable to the Processor Services and the instructions set forth in this Addendum, collect, record, organise, structure, store, alter, retrieve, use, disclose, combine, erase, and destroy) Partner Personal Data for the following purposes:
                    1. Providing the Processor Services.
                    2. Providing any related technical support to Partner in accordance with this Addendum.

                    2. Consumers

                    • End users of Partner from which ironSource collects Personal Data in its provision of the Processor Services.
                    • End users of Partner about whom Personal Data is transferred to ironSource by or on behalf of Partner in connection with the Processor Services.
                    • End users of Partner about whom Personal Data is transferred to ironSource by advertisers, by another person on behalf of such advertisers, and/or by other data providers in connection with the Services.

                    3. Categories of Personal Data

                    • Device ID
                    • IP address
                    • Online unique identifiers
                    • Segment name (only for the Mediation Platform)
                    • User ID, if provided by the Partner

                    8. Parties’ Compliance 

                    1. Partner and ironSource will comply with State Privacy Laws and will take steps to protect Partner Personal Data as required by State Privacy Laws. This will include, at minimum, ironSource (i) ensuring that all members of its personnel with access to Partner Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality with respect to such Partner Personal Data; and (ii) maintaining administrative, physical, and technical safeguards to protect the security, confidentiality, and integrity of Partner Personal Data. 

                    9. Processing of Partner Personal Data

                        1. Partner provides or makes available Partner Personal Data to ironSource for the limited purposes of providing the Services to Partner as set forth in the Principal Agreement. ironSource will Process Partner Personal Data solely to provide the Services set forth in the Principal Agreement and in accordance with the lawful instructions provided by Partner, including below, except where otherwise required by law. For the avoidance of doubt, ironSource will not (i) collect, retain, use, or otherwise disclose Partner Personal Data outside of the direct business relationship with Partner except as permitted for a Service Provider or a Processor under State Privacy Laws; (ii) collect, retain, use, or otherwise disclose Partner Personal Data for any purpose other than performing the Processing instructed by Partner or as otherwise permitted by State Privacy Laws; (iii) sell Partner Personal Data or share Partner Personal Data for targeted advertising; or (iv) combine Partner Personal Data with Personal Data received from another person or persons except as permitted for a Service Provider or Processor under State Privacy Laws.  ironSource certifies that it understands the restrictions in this Section.  
                        2. Partner instructs ironSource (and authorizes ironSource to instruct each Subprocessor) to Process Partner Personal Data as reasonably necessary for the provision of the Processor Services and consistent with the Principal Agreement. 

                    10. Subprocessing

                          1. Partner acknowledges and agrees that ironSource may continue to use any Subprocessor already engaged by ironSource as specified here: https://developers.ironsrc.com/ironsource-mobile/19783-2/, and agrees that ironSource may engage any new Subprocessors so long as ironSource notifies Partner at least ten (10) business days in advance of such new engagement, through a notice available at: https://developers.ironsrc.com/ironsource-mobile/19783-2/, and provides Partner with the opportunity to object to the engagement of the Subprocessor.
                          2. ironSource agrees that its engagement of any Subprocessor shall be pursuant to a written contract that contains restrictions on Processing that are consistent with the terms of this Chapter III of this Addendum and, without limiting the foregoing, require the Subprocessor to meet the obligations of Partner with respect to Partner Personal Data.

                      11. Consumer Rights

                          1. Taking into account the nature of the Processing, ironSource shall provide Partner such assistance as may be reasonably required to allow Partner to comply with its obligations under State Privacy Laws to respond to Consumer rights requests under such laws, including by implementing appropriate technical and organizational measures (including as specified at: https://developers.ironsrc.com/ironsource-mobile/air/ironsource-mobile-submitting-deletion-pull-requests-procedure/), insofar as this is possible. 
                          2. ironSource may require Partner to cover the costs of assistance provided pursuant to Subsection 11.1 in the event that such assistance may interfere with the normal operation of ironSource and/or create an unreasonable burden on ironSource, and/or require ironSource to make material changes to its products and services, subject to ironSource’s sole discretion.
                          3. ironSource shall:

                              1. promptly notify Partner if ironSource receives a request from a Consumer under State Privacy Laws specifically and exclusively in respect to Partner Personal Data; and
                              2. not respond to that request except on the documented instructions of Partner.

                          12. Personal Data Breach

                              1. ironSource shall notify Partner without undue delay upon ironSource becoming aware of a Personal Data Breach. Partner agrees that an unsuccessful security incident will not be subject to this Section, if it results in no unauthorized access to Partner Personal Data and in no unauthorized access to any of ironSource’s equipment or facilities containing Partner Personal Data and does not otherwise constitute a Personal Data Breach. Such unsuccessful security incident not subject to this Section may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents. 
                              2. Partner is solely responsible for providing ironSource an email address to which notifications regarding Personal Data Breach should be sent and ensuring that such email address is current and valid. The default email address for the purpose of sending notification under this Section shall be the email address specified in the Partner dashboard made available by ironSource at the time of the notification.
                              3. In the event of a Personal Data Breach, ironSource shall take appropriate measures to address the Personal Data Breach, including measures to mitigate its adverse effects.
                              4. Partner shall use the Services in an appropriate manner, taking into account the level of security necessary for securing the Partner Personal Data.

                                13. Information Sharing and Data Protection Assessments 

                                    1. Upon reasonable written request, at Partner’s expense, ironSource will make available to Partner information necessary (i) to demonstrate ironSource’s compliance with State Privacy Laws and this Addendum and (ii) for Partner to conduct data protection assessments which are required by State Privacy Laws, in each case solely in relation to Processing of Partner Personal Data by, and taking into account the nature of the Processing and information available to, ironSource.

                                14. Suspension of Processing

                                    1. Partner may take reasonable and appropriate steps to ensure that ironSource Processes Partner Personal Data in a manner consistent with Partner’s obligations under State Privacy Laws.  The parties shall negotiate in good faith to determine what steps are reasonable and appropriate. If ironSource determines that it can no longer meet its own obligations under State Privacy Laws, ironSource will notify Partner of such determination.  Upon such notice or in the event Partner otherwise becomes aware of unauthorized Processing of Partner Personal Data, Partner may take appropriate steps to stop and remediate the unauthorized Processing.  The parties shall negotiate in good faith to determine what steps are reasonable and appropriate.  

                                15. Audit Rights

                                    1. No more than annually, upon Partner’s reasonable written request, ironSource shall allow for and contribute to reasonable audits by Partner or its designated auditor, solely for the purpose of assessing ironSource’s compliance with State Privacy Laws and this Chapter III of this Addendum with respect to the Processing of Partner Personal Data. Such audits shall include reviews of the minimum amount of ironSource’s policies, procedures, and safeguards relevant to the Processing of Partner Personal Data required for assessing ironSource’s compliance with applicable State Privacy Laws. As an alternative, Partner agrees that ironSource, at its sole discretion, may arrange for a qualified and independent auditor to conduct such an audit so long as (i) the auditor uses an appropriate and accepted control standard or framework and audit procedure, not less stringent than the provisions of this section; and (ii) the report of such audit is provided to Partner upon written request. Such report shall be the property of ironSource.
                                    2. If Partner is legally required to disclose the audit results, Partner shall provide ironSource with a prior written notice, explaining the details and necessity of the disclosure and further provide all necessary assistance to prevent such disclosure. In the event that such disclosure occurs despite Partner’s best efforts to prevent such disclosure, Partner will disclose only the portion of the results of the audit that is explicitly required to be disclosed.

                                16. Deletion of Partner Personal Data 

                                1. Partner agrees that ironSource shall promptly and in any event within 180 days of the date of cessation of any Services involving the Processing of Partner Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Partner Personal Data Processed for the performance of the Processor Services, unless ironSource is required by law to retain such Partner Personal Data.
                                2. If requested in writing by Partner, ironSource shall provide written approval to Partner that it has complied with this Section 16 within ninety (90) days of the Cessation Date.

                                  Chapter IV – Processing of Publisher Personal Data by Partner

                                  17. Scope of Processing

                                  1. The nature and purpose of Partner’s Processing of Publisher Personal Data are billing, attribution, frequency capping, and/or fraud detection and prevention in connection with the Services (“Authorized Processing of Publisher Personal Data”). The types of Publisher Personal Data subject to the Processing include device IDs, IP addresses, online unique identifiers, and associated data related to end users of an application of a third-party app developer. The duration of the Processing will be for the duration of the Principal Agreement (or as otherwise defined in the Principal Agreement).

                                  18. Parties’ Compliance 

                                  1. Partner and ironSource will comply with State Privacy Laws and will take steps to protect Publisher Personal Data as required by State Privacy Laws. This will include, at minimum, Partner (i) ensuring that all members of its personnel with access to Publisher Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality with respect to such Publisher Personal Data; and (ii) maintaining administrative, physical, and technical safeguards to protect the security, confidentiality, and integrity of Publisher Personal Data. 

                                  19. Processing of Publisher Personal Data

                                      1. ironSource provides or makes available Publisher Personal Data to Partner for the limited purposes of Authorized Processing of Publisher Personal Data, as set forth in the Principal Agreement. Partner will Process Publisher Personal Data solely to provide the products and/or services set forth in the Principal Agreement and in accordance with the lawful instructions provided by ironSource, including below, except where otherwise required by law. For the avoidance of doubt, Partner will not (i) collect, retain, use, or otherwise disclose Publisher Personal Data outside of the direct business relationship with ironSource except as permitted for a Service Provider or a Processor under State Privacy Laws; (ii) collect, retain, use, or otherwise disclose Publisher Personal Data for any purpose other than performing the Processing instructed by ironSource or as otherwise permitted by State Privacy Laws; (iii) sell Publisher Personal Data or share Publisher Personal Data for targeted advertising; or (iv) combine Publisher Personal Data with Personal Data received from another person or persons except as permitted for a Service Provider or Processor under State Privacy Laws.  Partner certifies that it understands the restrictions in this Section.  
                                      2. ironSource instructs Partner (and authorizes Partner to instruct each Subprocessor) to Process Publisher Personal Data as reasonably necessary for the Authorized Processing of Publisher Personal Data and consistent with the Principal Agreement.

                                  20. Subprocessing

                                      1. ironSource acknowledges and agrees that Partner may engage any Subprocessor so long as Partner notifies ironSource at least ten (10) business days in advance of such engagement and provides ironSource with the opportunity to object to the engagement of the Subprocessor. 
                                      2. Partner agrees that its engagement of any Subprocessor shall be pursuant to a written contract that contains restrictions on Processing that are consistent with the terms of this Chapter IV of this Addendum and, without limiting the foregoing, require the Subprocessor to meet the obligations of ironSource with respect to Publisher Personal Data.

                                  21. Consumer Rights

                                      1. Partner will notify ironSource in writing in the event Partner receives a request from, or on behalf of, a Consumer to exercise such Consumer’s rights under State Privacy Laws specifically and exclusively with respect to Publisher Personal Data.  Taking into account the nature of the Processing, Partner will provide ironSource such assistance as may be reasonably required to allow ironSource to comply with its obligations under State Privacy Laws to respond to such requests.  
                                      2. Partner may require ironSource to cover the costs of assistance provided pursuant to Subsection 21.1 in the event that such assistance may interfere with the normal operation of Partner and/or create an unreasonable burden on Partner, and/or require Partner to make material changes to its products and services, subject to Partner’s sole discretion.

                                  22. Audits

                                      1. No more than annually, upon ironSource’s reasonable written request, Partner shall allow for and contribute to reasonable audits by ironSource or its designated auditor, solely for the purpose of assessing Partner’s compliance with State Privacy Laws and this Chapter IV of this Addendum with respect to Partner’s Processing of Publisher Personal Data. Such audits shall include reviews of the minimum amount of Partner’s policies, procedures, and safeguards relevant to the Processing of Publisher Personal Data required for assessing Partner’s compliance with applicable State Privacy Laws. As an alternative, ironSource agrees that Partner, at its sole discretion, may arrange for a qualified and independent auditor to conduct such an audit so long as (i) the auditor uses an appropriate and accepted control standard or framework and audit procedure, not less stringent than the provisions of this section; and (ii) the report of such audit is provided to ironSource upon written request. Such report shall be the property of Partner.
                                      2. If ironSource is legally required to disclose the audit results, ironSource shall provide Partner with a prior written notice, explaining the details and necessity of the disclosure and further provide all necessary assistance to prevent such disclosure. In the event that such disclosure occurs despite ironSource’s best efforts to prevent such disclosure, ironSource will disclose only the portion of the results of the audit that is explicitly required to be disclosed.

                                  23. Information Sharing and Data Protection Assessments 

                                      1. Upon reasonable written request, Partner will make available to ironSource information necessary (i) to demonstrate Partner’s compliance with State Privacy Laws and this Addendum and (ii) for ironSource to conduct data protection assessments which ironSource reasonably considers to be required by State Privacy Laws, in each case solely in relation to Processing of Publisher Personal Data by, and taking into account the nature of the Processing and information available to, Partner.

                                  24. Publisher Personal Data Breach

                                      1. Partner shall notify ironSource immediately upon Partner becoming aware of any breach of security leading to the accidental, unauthorized, or unlawful loss, destruction, alteration, or disclosure of, or access to Publisher Personal Data (“Publisher Personal Data Breach”). ironSource agrees that an unsuccessful security incident will not be subject to this Section, if it results in no unauthorized access to Publisher Personal Data and in no unauthorized access to any of Partner’s equipment or facilities containing Publisher Personal Data and does not otherwise constitute a Publisher Personal Data Breach. Such unsuccessful security incident not subject to this Section may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents. 
                                      2. In the event of a Publisher Personal Data Breach, Partner shall take appropriate measures to address the Publisher Personal Data Breach at its sole expense, including measures to mitigate its adverse effects.

                                  25. Suspension of Processing

                                      1. ironSource may take reasonable and appropriate steps to ensure that Partner Processes Publisher Personal Data in a manner consistent with ironSource’s obligations under State Privacy Laws.  The parties shall negotiate in good faith to determine what steps are reasonable and appropriate.  If Partner determines that it can no longer meet its own obligations under State Privacy Laws, Partner will notify ironSource of such determination.  Upon such notice or in the event ironSource otherwise becomes aware of unauthorized Processing of Publisher Personal Data, ironSource may take appropriate steps to stop and remediate the unauthorized Processing.  The parties shall negotiate in good faith to determine what steps are reasonable and appropriate.  

                                  26. Deletion of Publisher Personal Data 

                                  1. ironSource agrees that Partner shall promptly and in any event within 180 days of the date of cessation of any Services involving the Processing of Publisher Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Publisher Personal Data, unless Partner is required by law to retain such Publisher Personal Data. 
                                  2. If requested in writing by ironSource, Partner shall provide written approval to Partner that it has complied with this Section 16 within ninety (90) days of the Cessation Date.

                                    Chapter V – General

                                    27. General Terms

                                    Order of precedence

                                    1. With regard to the subject matter of this Addendum, in the event of conflict or inconsistency between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

                                    Severance

                                    1. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

                                    Changes to this Addendum

                                    1. ironSource may change this Addendum by sending an email notification to Partner, at least 30 days prior to any such change taking effect, in the event that such change does not: (i) result in a degradation of the overall security of the Services; (ii) expand the scope of, or remove any restrictions on, ironSource’s Processing of Partner Personal Information; and (iii) otherwise have a material adverse impact on Partner’s rights under this Addendum, as reasonably determined by ironSource, unless such change is required by State Privacy Laws or other applicable law.