Data Protection Addendum

This Data Protection Addendum (“Addendum”) forms an integral part of your agreement(s) as a Partner utilizing the ironSource Sonic Platform and/or ironSource’s Services (“Principal Agreement”) between: (i) ironSource Mobile Ltd. (even if the Principal Agreement is with a different ironSource Affiliate) (ironSource); and (ii) the entity and/or person specified in the Partner Account or the Principal Agreement as the Partner using the Services (“Partner”).

RECITALS:

  1. The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the Principal Agreement.  Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
  2. In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement.  Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.
  3. Partner and ironSource have entered into a Principal Agreement pursuant to which ironSource will provide certain Services to Partner. ironSource’s liability for this Addendum is limited to the period of the validity of the Principal Agreement, i.e., the period during which ironSource is contracted by Partner for the provision of the services.
  4. To the extent that the provision of such services involves the processing of Partner Personal Data, the parties have agreed to enter into this Addendum for the purposes of ensuring compliance with the applicable data protection legislation.
  1. Definitions
    1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
      1. “Alternative Transfer Solution” means any applicable mechanism or solution, other than Standard Contractual Clauses, that enables the lawful transfer of Personal Data to a third country in accordance with European Data Protection Laws;
      2. Authorized Processing of Third-Party Personal Data” has the meaning given to such term in Subsection 16.1;
      3. Cessation Date” has the meaning given to such term in Subsection 14.2;
      4. Contracted Processor” means ironSource or a Subprocessor;
      5. Covered Countries” means EEA countries, the United Kingdom and Switzerland;
      6. Device Manufacturer” means a device manufacturer and/or a mobile carrier on which ironSource promotes Partner’s products and/or services using its Aura Platform under the Principal Agreement;
      7. Device Manufacturer Personal Data” has the meaning give to such term in Subsection 16.1;
      8. EEA” means the European Economic Area;
      9. European Data Protection Laws” means the GDPR, the UK Data Protection Act 2018, the EU e-Privacy Directive (Directive 2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended), the FADP, any applicable domestic legislation of each Covered Country that relates to data protection or privacy and any successor legislation and/or regulation implementing or made pursuant to the foregoing, or which amends, replaces, re-enacts or consolidates any of the foregoing;
      10. FADP” means the Swiss Federal Act on Data Protection of 19 June 1992 (as may be amended or replaced from time to time);
      11. GDPR” means, as applicable to the Processing: (i) the EU General Data Protection Regulation 2016/679 (“EU GDPR”); and/or (ii) the Retained Regulation (EU) 2016/679 as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended) (“UK GDPR”);
      12. Partner Personal Data” means any Personal Data provided or made available by (or provided on behalf of) Partner and Processed by ironSource or its Subprocessors for the performance of or in connection with the Principal Agreement;
      13. Processor Services” are the services for which ironSource acts as a Processor on behalf of Partner, as detailed in Section 3;
      14. Publisher Personal Data” has the meaning given to such term in Subsection 16.1;
      15. Relevant Personal Data” means Partner Personal Data, Publisher Personal Data and Device Manufacturer Personal Data;
      16. Restricted Transfermeans a transfer of Personal Data where such transfer would be prohibited by European Data Protection Laws in the absence of appropriate safeguards, as required by Article 46 of the GDPR or equivalent provisions under the Swiss FDPA (as applicable);
      17. SDK” means ironSource’s software development kit for integrating ironSource’s proprietary products into mobile applications.
      18. Services” means the services and other activities to be supplied to or carried out by or on behalf of ironSource for Partner pursuant to the Principal Agreement;
      19. Standard Contractual Clauses” means:
        1. the clauses for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of protection for Personal Data adopted by the European Commission under Commission Decision C(2010) 593 (available here) (“2010 C2P Standard Contractual Clauses“);
        2. the clauses for the transfer of Personal Data to Controllers established in third countries adopted by the European Commission under the Commission’s Decision of 27 December 2004 (2004/915/EC) (available here) (“2004 C2C Standard Contractual Clauses“);
        3. the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 (available here) including the text from the modules of such clauses as specified in this Addendum (“2021 Standard Contractual Clauses”);
        4. the 2021 Standard Contractual Clauses, subject to the following amendments:
          1. the competent supervisory authority in Annex I.C under clause 13 of the 2021 Standard Contractual Clauses shall be the Swiss Federal Data Protection and Information Commissioner;
          2. the applicable law for contractual claims under clause 17 of the 2021 Standard Contractual Clauses shall be Swiss law and the place of jurisdiction for actions between the parties pursuant to clause 18(b) of the 2021 Standard Contractual Clauses shall be the Swiss courts;
          3. the term ’member state’ in the 2021 Standard Contractual Clauses shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the 2021 Standard Contractual Clauses;
          4. references to Regulation (EU) 2016/679, the General Data Protection Regulation or GDPR in the 2021 Standard Contractual Clauses are to be understood as references to the FADP; and
          5. the 2021 Standard Contractual Clauses also protect the data of legal entities and references to ‘personal data’ in the 2021 Standard Contractual Clauses shall also include the data of legal entities until the entry into force of the revised Swiss Federal Act on Data Protection of 19 June 1992 (“Swiss 2021 Standard Contractual Clauses”);
        5. the 2021 Standard Contractual Clauses subject to the UK Addendum and the terms of Part G of Schedule 1 (as such terms are applicable).
    1. Subprocessor” means any third party (excluding an employee of ironSource or any of its sub-contractors) appointed by or on behalf of ironSource to Process Partner Personal Data on behalf of Partner for the performance of the Principal Agreement;
    2. ironSource Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with ironSource, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise; and
    3. UK Addendum” means the International Data Transfer Addendum to the 2021 Standard Contractual Clauses, issued by the Information Commissioner, and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022.
  1. The terms, “Commission“, “Controller“, “Data Subject“, “Member State“, “Personal Data“, “Personal Data Breach“,Processing“, “Processor” and “Supervisory Authority” shall have the same meaning as in the GDPR, and the terms “data importer” and “data exporter” shall have the same meaning as in the Standard Contractual Clauses, and their cognate terms shall be construed accordingly.
  2. The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
  1. Application of This Addendum

This Addendum shall apply only to the extent that European Data Protection Laws apply to the Processing of Relevant Personal Data by the Parties in connection with the Principal Agreement.

  1. Roles

Partner hereby acknowledges that, with respect to the Processing of Relevant Personal Data, the parties shall have the roles set out in the table below. The parties acknowledge and agree that certain Chapters of this Addendum only apply in certain circumstances as specified in the table below (except Chapter I (General Processing Obligations), Chapter VI (Transfers) and Chapter VII (General) which each apply in all circumstances).

Processing Activity Partner’s role ironSource’s role Applicable Chapters of this Addendum
1.     All Processing activities with respect to Partner Personal Data in connection with the Mediation Platform, the Ad-Quality Platform and the Analytics Service. Controller Processor on behalf of Partner Chapter IV (Processing of Partner Personal Data by ironSource as a Processor on behalf of Partner)
2.     Processing of Partner Personal Data for including, and/or excluding specific advertising identifiers in, or from campaigns of the Partner on the Growth Platform. Controller Processor on behalf of Partner Chapter IV (Processing of Partner Personal Data by ironSource as a Processor on behalf of Partner)
3.     All Processing activities with respect to Partner Personal Data in connection with all other Aura Platform Services. Controller Processor on behalf of Device Manufacturer Chapter III (Processing of Partner Personal Data by ironSource as a Processor on behalf of Device Manufacturer)
4.     Processing of Publisher Personal Data in relation to ironSource’s performance of advertising Services under the Principal Agreement. Independent Controller Independent Controller Chapter V (Additional Provisions for the Advertising Services)
5.     Processing of Device Manufacturer Personal Data in relation to ironSource’s performance of advertising Services under the Principle Agreement. Controller Processor on behalf of Device Manufacturer Chapter V (Additional Provisions for the Advertising Services)
6.     All Processing activities with respect to Partner Personal Data in connection with all other Services provided by ironSource to Partner under the Principal Agreement. Independent Controller Independent Controller

Chapter II (Processing of Partner Personal Data by ironSource as a Controller)

 

Chapter I – General Processing Obligations

  1. Processing of Personal Data

Partner hereby represents, warrants, and undertakes that at all times during the term of the Principal Agreement:

  1. Partner shall comply with all European Data Protection Laws.
  2. Partner shall have all required rights, licenses, and permissions to allow the Processing of Partner Personal Data by ironSource under the Principal Agreement and to make the Partner Personal Data available to ironSource in accordance with the requirements of this Addendum.
  3. Partner shall provide all notices and obtain all consents, as required by and in compliance with European Data Protection Laws with respect to the collection of data by ironSource and/or transfer of any data to ironSource by Partner, in connection with the Principal Agreement, in accordance with the requirements of this Addendum.
  4. When Partner Personal Data is collected and shared with ironSource by Partner or on Partner’s behalf, such collection and transfer of Partner Personal Data complies with all European Data Protection Laws, and the Processing of such Partner Personal Data shall not cause ironSource to be in violation of any European Data Protection Laws.

Chapter II – Processing of Partner Personal Data by ironSource as a Controller

  1. Transparency and consent

When ironSource acts as a Controller of Partner Personal Data:

  1. Partner shall make available to end users of Partner’s application or website (“Partner App”) a link to ironSource’s privacy policy available at https://developers.ironsrc.com/ironsource-mobile/air/ironsource-mobile-privacy-policy/, prior to downloading the Partner application (if applicable), and from within the Partner App.
  2. Partner shall obtain consent from end users of the Partner App on behalf of ironSource, prior to disclosing, and/or allowing ironSource to access any data, that shall cover, at a minimum, the Processing (including accessing, collecting, using, storing and/or disclosing) by ironSource of data, including Personal Data, originating from, and/or associated with the end user’s device, for the purpose of serving non-interest based ads, and measuring the effectiveness of ads, including aggregating Personal Data for the purpose of creating reports, and improving ironSource’s products and services. In the event such consent is not obtained or is withdrawn by the end user, Partner must not initialize ironSource’s SDK or disclose any Personal Data to ironSource in relation to that end user and refrain from using ironSource’s SDK in any other manner in relation to that end user. In any event, the consent obtained from an end user shall comply with all the requirements of European Data Protection Laws and shall name ironSource as a Controller.
  3. When Partner uses ironSource’s Monetization Services, Partner may also obtain consent from end users of the Partner App, on behalf of ironSource, for the sharing of Personal Data by ironSource with Advertisers listed in the following link:  https://developers.is.com/ironsource-mobile/general/ironsource-exchange-programmatic-partners/ (“Advertising Partners“) for operating ironSource’s ad exchange platform, who may Process such Personal data for serving personalized advertising. In that event, Partner shall use ironSource’s consent API (the “Consent API“) to indicate whether an end user granted consent to such sharing of Personal Data by ironSource and use of such Personal Data by the Advertising Partners or not, and upon any change in an end user’s consent status.
    Partner represents and warrants that: (i) the information provided to ironSource using its Consent API is complete, accurate, and up-to-date; (ii) consent obtained from an end user shall comply with all the requirements of European Data Protection Laws, shall name ironSource and Advertising Partners as Controllers and shall include a link to ironSource’s privacy policy, available at: https://developers.ironsrc.com/ironsource-mobile/air/ironsource-mobile-privacy-policy/, and to Advertising Partners’ privacy policies, available at: https://developers.is.com/ironsource-mobile/general/ironsource-exchange-programmatic-partners/; (iii) ironSource’s and Advertising Partners’ reliance on the information provided to ironSource using its Consent API shall not cause ironSource and/or Advertising Partners to be in violation of European Data Protection Laws; and (iv) Partner shall re-obtain consent from end users as required from time to time by ironSource.

Chapter III – Processing of Partner Personal Data by ironSource as a Processor on behalf of Device Manufacturer

  1. Transparency and consent

When ironSource acts as a Processor of Partner Personal Data on behalf of Device Manufacturer:

    1. Partner shall provide end users of Partner App with a list of all the data shared by Partner with ironSource and inform such end users that such data will be used by the end user’s mobile carrier and/or device manufacturer for marketing purpose.
    2. Partner shall obtain consent from end users of the Partner App on behalf of the end user’s mobile carrier and/or device manufacturer, prior to disclosing, and/or allowing ironSource to access any data, that shall cover, at a minimum, the Processing (including accessing, collecting, using, storing and/or disclosing) by ironSource of data, including Personal Data, originating from, and/or associated with the end user’s device, for the purpose of serving non-interest based ads, and measuring the effectiveness of ads, including aggregating Personal Data for the purpose of creating reports, and improving the end user’s mobile carrier and/or device manufacturer’s products and services. In the event such consent is not obtained or is withdrawn by the end user, Partner must not initialize ironSource’s SDK or disclose any Personal Data to ironSource in relation to that end user, and refrain from using ironSource’s SDK in any other manner in relation to that end user. In any event, the consent obtained from an end user shall comply with all the requirements of European Data Protection Laws and shall name the end user’s mobile carrier and/or device manufacturer as a Controller.

Chapter IV – Processing of Partner Personal Data by ironSource as a Processor on behalf of Partner

  1. Processing of Partner Personal Data
    1. ironSource shall not Process Partner Personal Data other than on the Partner’s documented instructions set forth in this Chapter unless Processing is required by laws of the EEA or EEA Member State (where EU GDPR applies to the Processing), UK (where UK GDPR applies to the Processing) or Switzerland (where the FADP applies to the Processing) to which the relevant Contracted Processor is subject, in which case ironSource shall inform Partner of that legal requirement before the relevant Processing of that Personal Data, unless that law prohibits such information on important grounds of public interest.
    2. Partner instructs ironSource (and authorises ironSource to instruct each Subprocessor) to:
      1. Process Partner Personal Data; and
      2. in particular, transfer Partner Personal Data to any country or territory,

as reasonably necessary for the provision of the Processor Services and consistent with the Principal Agreement. Partner shall ensure it obtains any necessary consents or has the necessary rights to enable such transfer.

      1. Part B of Schedule 2 to this Addendum sets out certain information regarding the Contracted Processors’ Processing of the Partner Personal Data as required by article 28(3) of the GDPR.
  1. ironSource Personnel

ironSource shall grant access to the Partner Personal Data to members of its personnel only to the extent they need to know or access the relevant Partner Personal Data, as necessary for the purposes of the Principal Agreement, and shall ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

  1. Security
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ironSource shall in relation to the Partner Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
    2. In assessing the appropriate level of security, ironSource shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
  1. Subprocessing
    1. The Partner generally authorises ironSource to appoint (and permit each Subprocessor appointed in accordance with this Section 10 to appoint) Subprocessors.
    2. ironSource may continue to use those Subprocessors already engaged by ironSource as at the date of this Addendum as specified at: https://developers.ironsrc.com/ironsource-mobile/19783-2/.
    3. ironSource shall give Partner 7 days’ prior written notice of the appointment of any new Subprocessor through a notice available at: https://developers.ironsrc.com/ironsource-mobile/19783-2/, including full details of the Processing to be undertaken by the Subprocessor. ironSource shall provide the Partner with the information necessary to enable the Partner to exercise its right to object as set out in Subsection 10.4 of this Addendum.
    4. If, within 7 days of provision of that notice, Partner notifies ironSource in writing of any objections to the proposed appointment, and ironSource does not undertake to perform reasonable steps to address such objections raised by the Partner, Partner, as its sole and exclusive remedy, may terminate the portion of any Principal Agreement relating to the Services that cannot be reasonably provided without the objected-to new Subprocessor by providing 30 days’ written notice to ironSource. If the Partner does not deliver a written objection notice within 7 days of the provision of the ironSource notice, Partner shall be deemed as granting specific authorisation to the appointment of all Subprocessors mentioned in the ironSource notice.
    5. With respect to each Subprocessor, ironSource shall ensure that the arrangement between on the one hand (a) ironSource, or (b) the relevant Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which provide, in substance, the same level of protection for Partner Personal Data as those set out in article 28(3) of the GDPR;
    6. ironSource shall be liable for the acts and omissions of its Subprocessors to the same extent it would be liable if performing the Services of each Subprocessor directly under the terms of the Principal Agreement.
  1. Data Subject Rights
    1. Without derogating from Section 14 below, and taking into account the nature of the Processing, ironSource shall assist Partner by implementing appropriate technical and organizational measures (including as specified at: https://developers.ironsrc.com/ironsource-mobile/air/ironsource-mobile-submitting-deletion-pull-requests-procedure/), insofar as this is possible, for the fulfilment of Partner’s obligations, to respond to requests to exercise Data Subject rights under European Data Protection Laws.
    2. ironSource may require Partner to cover the costs of assistance provided pursuant to Subsection 11.1 in the event that such assistance may interfere with the normal operation of ironSource and/or create an unreasonable burden on ironSource, and/or require ironSource to make material changes to its products and services, subject to ironSource’s sole discretion.
    3. ironSource shall:
      1. promptly notify Partner if any Contracted Processor receives a request from a Data Subject under European Data Protection Laws in respect of Partner Personal Data; and
      2. not respond to that request except on the documented instructions of Partner.
  1. Personal Data Breach
    1. ironSource shall notify Partner without undue delay upon ironSource becoming aware of a Personal Data Breach concerning Partner Personal Data, providing Partner with sufficient information to allow each Partner to meet any obligations to report or inform a Supervisory Authority or Data Subjects of the Personal Data Breach under European Data Protection Laws. Partner agrees that an unsuccessful security incident will not be subject to this Section, if it results in no unauthorized access to Partner Personal Data and in no unauthorized access to any of Contracted Processors’ equipment or facilities containing Partner Personal Data and does not otherwise constitute a Personal Data Breach. Such unsuccessful security incident not subject to this Section may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
    2. Partner is solely responsible for providing ironSource an email address to which notifications regarding Personal Data Breach should be sent and ensuring that such email address is current and valid. The default email address for the purpose of sending notification under this Section shall be the email address specified in the Partner dashboard made available by ironSource at the time of the notification.
    3. In the event of a Personal Data Breach concerning Partner Personal Data, ironSource shall take appropriate measures to address the Personal Data Breach, including measures to mitigate its adverse effects.
    4. Partner shall use the Services in an appropriate manner, taking into account the level of security necessary for securing the Partner Personal Data.
  1. Data Protection Impact Assessment and Prior Consultation

ironSource shall provide assistance, at Partner’s expense, to Partner with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Partner reasonably considers to be required by European Data Protection Laws, in each case solely in relation to Processing of Partner Personal Data by and taking into account the nature of the Processing and information available to, the Contracted Processors.

  1. Deletion of Partner Personal Data
    1. During the term of the Principal Agreement, taking into account the nature of the Processing, ironSource shall make reasonable efforts to comply with any reasonable request from Partner to delete information of a user of the Partner, insofar as this is possible, unless applicable laws require storage of the Partner Personal Data, and subject to Subsection 14.3 below. ironSource shall only delete Partner Personal Data associated with the Processor Services, according to the deletion requests submission procedure specified at https://developers.ironsrc.com/ironsource-mobile/air/ironsource-mobile-submitting-deletion-pull-requests-procedure/ (as may be updated from time to time by ironSource). ironSource may require Partner to cover the costs of such assistance in the event that such assistance may interfere with the normal operation of ironSource and/or create an unreasonable burden on ironSource, and/or require ironSource to make material changes to its products and services, subject to ironSource’s sole discretion.
    2. Subject to Subsections 14.3 and 14.4 ironSource shall promptly and in any event within 180 days of the date of cessation of any Services involving the Processing of Partner Personal Data (the “Cessation Date“), delete and procure the deletion of all copies of those Partner Personal Data Processed for the performance of the Processor Services.
    3. ironSource may retain a copy of Partner Personal Data where it is required to retain such Partner Personal Data by laws of the EEA or an EEA Member State (where EU GDPR applies to the Processing), UK (where UK GDPR applies to the Processing) or Switzerland (where the FADP applies to the Processing) to which ironSource is subject.
    4. If requested by Partner, ironSource shall provide written approval to Partner that it has complied with this Section 14 within 90 days of the Cessation Date.
  2. Audit rights
    1. To the extent that European Data Protection Laws or Standard Contractual Clauses require Partner to be in a position to audit ironSource’s Processing of Partner Personal Data, Partner, as the Controller, will have the right to request ironSource for an audit, no more than once per year or if there are indications of non-compliance by ironSource or Subprocessors, through a mutually agreed, reputable, and independent third party solely for the purposes of, and as absolutely necessary for, meeting its audit requirements pursuant to European Data Protection Legislation and/or applicable Standard Contractual Clauses, and solely those systems and documents directly related to such purpose and solely with respect to a period of 12 months prior to the audit, or such maximum period required by European Data Protection Laws or Standard Contractual Clauses.
    2. In the event that Partner wishes to audit ironSource under this Section, it must send a detailed audit request specifying the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any such audit, at least four (4) weeks in advance of the proposed audit date. Audit requests must be sent in a written form to the designated contact person in ironSource responsible for communications with the Partner (or, if no such contact person, to ironSource’s support email as specified in the Partner dashboard made available by ironSource), with a copy to the following email address: legal@is.com.
    3. The auditor must execute a written confidentiality agreement acceptable to ironSource prior to conducting the audit. The audit shall be conducted during regular business hours, subject to ironSource’s policies, and may not unreasonably interfere with ironSource’s business activities.
    4. Any audits are at Partner’s sole expense.
    5. Nothing in this Section will require ironSource either to disclose to Partner or any auditor, or otherwise to allow Partner or any auditor to access any data of any other third party, any internal financial information, any trade secret, or any data which is requested, as reasonably determined by ironSource, not in a good faith, resulting in an interference with ironSource’s business, and/or for purposes other than conducting an audit as required by European Data Protection Laws or Standard Contractual Clauses.
    6. ironSource may, at its option, provide Partner with a copy of its most recent third-party audits or certifications by an independent third-party auditor, as applicable, or any summaries thereof.
    7. Any results and/or findings of the audit, and/or any third-party certifications or audits shall be ironSource’s confidential information, and Partner will keep the audit results in strict confidentiality, and shall not disclose them to any third-party, without ironSource’s prior explicit written approval.
    8. If Partner is required to disclose the audit results to a competent authority, Partner shall provide ironSource with a prior written notice, explaining the details and necessity of the disclosure and further provide all necessary assistance to prevent such disclosure. In the event that such disclosure occurs despite Partner’s best efforts to prevent such disclosure, Partner will disclose only the portion of the results of the audit that is explicitly requested to be disclosed.

Chapter V – Additional Provisions for the Advertising Services

      1. Processing of Personal Data shared by ironSource
        1. Partner hereby acknowledges and agrees that any Personal Data shared by ironSource with Partner and/or any third-party on Partner’s behalf, in connection with the advertising services, concerning (1) end users of an application of a third-party app developer (“Publisher Personal Data“); and/or (2) for Aura Platform Services, end users of a mobile device of a Device Manufacturer (“Device Manufacturer Personal Data”), is provided solely for the purposes of attribution, frequency capping and/or fraud detection and prevention (“Authorized Processing of Third-Party Personal Data”), and that:
          1. When Processing Publisher Personal Data, each Party acts as an independent Controller; and
          2. When Processing Device Manufacturer Personal Data, Partner acts as an independent Controller and ironSource acts as a Processor on behalf of Device Manufacturer.
        2. Partner hereby represents and warrants that it and/or any third-party on its behalf (i) shall Process Publisher Personal Data and/or Device Manufacturer Personal Data solely in compliance and as permitted under European Data Protection Laws; and (ii) shall not Process Publisher Personal Data and/or Device Manufacturer Personal Data for any purpose other than for the Authorized Processing of Third-Party Personal Data, unless Partner has obtained a valid consent from the respective Data Subject for such Processing in accordance with European Data Protection Laws.

Chapter VI – Transfers

      1. Restricted Transfers

If the Processing of Relevant Personal Data in connection with the Principal Agreement involves any Restricted Transfers, then:

      1. If the data importer notifies the other Party or otherwise announces the adoption of or reliance on an Alternative Transfer Solution in respect of any Restricted Transfers to the data importer, then such Alternative Transfer Solution shall apply to the relevant Restricted Transfer(s). In such circumstances, the data importer shall comply with the Alternative Transfer Solution in respect of the relevant Restricted Transfers.
      2. If an Alternative Transfer Solution is not being relied on or has not been adopted pursuant to Subsection 17.1 in respect of any Restricted Transfers:
        1. Subject to Subsections 17.2.3 and 17.2.4, Partner and ironSource agree to the terms of Schedule 1 in relation to any Restricted Transfer from Partner to ironSource and/or from ironSource to Partner, as applicable.
        2. If Partner and ironSource entered into standard contractual clauses approved under Article 26(2) of Directive 95/46/EC, Partner and ironSource agree that, as of their effective date, the Standard Contractual Clauses applicable between Partner and ironSource pursuant to Schedule 1 will supersede and terminate any such previous standard contractual clauses entered into by the Partner and ironSource .
        3. In relation to any Restricted Transfer from Partner to ironSource where ironSource acts as a Processor on behalf of the Device Manufacturer, Partner agrees to be bound by and represents and warrants to ironSource and Device Manufacturer that it shall comply with the Standard Contractual Clauses as applicable pursuant to Part E and G (as applicable) of Schedule 1 as of the date of this Addendum (as if such Restricted Transfer was made to Device Manufacturer).
        4. In relation to any Restricted Transfer of Device Manufacturer Personal Data from ironSource to Partner where ironSource acts as a Processor on behalf of the Device Manufacturer, Partner agrees to be bound by and represents and warrants to ironSource and Device Manufacturer that it shall comply with Standard Contractual Clauses as applicable pursuant to Part F and G (as applicable) of Schedule 1 as of the date of this Addendum (as if such Restricted Transfer was from the Device Manufacturer).
        5. Partner and ironSource each agree that each Device Manufacturer has the right to enforce and benefit from the Partner’s obligations, representations, and warranties under Subsections 17.1, 17.2.3 and 17.2.4 of this Addendum as a third-party beneficiary.
        6. The Parties acknowledge and agree that ironSource has no liability in relation to the Standard Contractual Clauses entered into between the Partner and the Device Manufacturer.

Chapter VII – General

      1. General Terms

Governing law and jurisdiction

      1. Without prejudice to the governing law and jurisdiction provisions of the Standard Contractual Clauses:
        1. the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
        2. this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.

Order of precedence

      1. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses or if this Addendum is deemed to modify or contradict any Standard Contractual Clauses in a manner that would cause such Standard Contractual Clauses to be invalid, the Standard Contractual Clauses shall prevail to the extent necessary.
      2. Subject to Subsection 2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

Severance

      1. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Changes to this Addendum

      1. ironSource may change this Addendum by sending an email notification to Partner, at least 30 days prior to any such taking effect, in the event that such change does not: (i) result in a degradation of the overall security of the Services; (ii) expand the scope of, or remove any restrictions on, ironSource’s Processing of Partner Personal Data; and (iii) otherwise have a material adverse impact on Partner’s rights under this Addendum, as reasonably determined by ironSource, unless such change is required by European Data Protection Laws, such change is pursuant to Part G of Schedule 1 of this Addendum or such change involves replacing any of the Standard Contractual Clauses with new or replacement standard contractual clauses as recognised as a transfer mechanism under European Data Protection Laws. For the avoidance of doubt, ironSource may change the types of data specified under “Categories of Personal Data” to the extent such change is made in accordance with this Section.

 

SCHEDULE 1

Restricted Transfers

Summary of Schedule 1 (for guidance purposes only)

Transfer description Relevant Sections of this Schedule 1
Partner to ironSource
Restricted Transfers of Partner Personal Data from Partner to ironSource where ironSource Processes such Partner Personal Data as a Processor on behalf of the Partner and:
·       such transfer is subject to the EU GDPR

Subsection 1.1 of Part A

Section 2 of Part A

·       such transfer originates from the UK and is subject to UK GDPR

Subsection 1.2 of Part A

Section 3 of Part A

Part G

·       such transfer is subject to the FADP

Subsection 1.3 of Part A

Section 4 of Part A

Restricted Transfers of Partner Personal Data from Partner to ironSource where ironSource Processes such Partner Personal Data as a Controller and:
·       such transfer is subject to the EU GDPR

Subsection 1.1 of Part B

Section 2 of Part B

·       such transfer originates from the UK and is subject to UK GDPR

Subsection 1.2 of Part B

Section 3 of Part B

Part G

·       such transfer is subject to the FADP

Subsection 1.3 of Part B

Section 4 of Part B

ironSource to Partner
Restricted Transfers of Partner Personal Data to Partner from ironSource where ironSource Processes such Partner Personal Data as a Processor on behalf of the Partner, and:
·       such transfer is subject to the EU GDPR

Subsection 1.1 of Part C

Section 2 of Part C

·       such transfer is subject to the FADP

Subsection 1.2 of Part C

Section 3 of Part C

·       such transfer is subject to UK GDPR Part G
Restricted Transfers of Publisher Personal Data to Partner from ironSource where ironSource Processes such Publisher Personal Data as a Controller and:
·       such transfer is subject to the EU GDPR

Subsection 1.1 of Part D

Section 2 of Part D

·       such transfer is subject to the FADP

Subsection 1.2 of Part D

Section 3 of Part D

·       such transfer is subject to UK GDPR Part G
Partner to Device Manufacturer (via ironSource as a Processor on behalf of the Device Manufacturer)
Restricted Transfers of Partner Personal Data from Partner to Device Manufacturer (where ironSource Processes such Partner Personal Data as a Processor on behalf of the Device Manufacturer), and:
·       such transfer is subject to the EU GDPR Subsection 1.1 of Part E and Section 2 of Part E
·       such transfer is subject to UK GDPR

Subsection 1.2 of Part E and Section 3 of Part E

Part G

·       such transfer is subject to the FADP Subsection 1.3 of Part E and Section 4 of Part E
Device Manufacturer to Partner (via ironSource as a Processor on behalf of the Device Manufacturer)
Restricted Transfers of Device Manufacturer Personal Data from Device Manufacturer to Partner (where ironSource Processes such Partner Personal Data as a Processor on behalf of the Device Manufacturer), and:
·       such transfer is subject to the EU GDPR Subsection 1.1 of Part F and Section 2 of Part F
·       such transfer is subject to UK GDPR

Subsection 1.2 of Part F and Section 3 of Part F

Part G

·       such transfer is subject to the FADP Subsection 1.3 of Part F and Section 4 of Part F

 

Part A – Restricted Transfers of Partner Personal Data to ironSource as a Processor on behalf of Partner

      1. In relation to Restricted Transfers of Partner Personal Data from Partner to ironSource where ironSource Processes such Partner Personal Data as a Processor on behalf of the Partner, the Parties agree that:
        1. the 2021 Standard Contractual Clauses shall apply, subject to Section 2 of this Part A, to the transfer of Partner Personal Data where such transfer is subject to the EU GDPR;
        2. the 2010 C2P Standard Contractual Clauses shall apply, subject to Section 3 of this Part A, to the transfer of Partner Personal Data where such transfer originates from the UK and is subject to UK GDPR; and
        3. the Swiss 2021 Standard Contractual Clauses shall apply, subject to Section 4 of this Part A, to the transfer of Partner Personal Data where such transfer is subject to the FADP,

and in each case such Standard Contractual Clauses form part of this Addendum and signature to and dating of the Principal Agreement shall constitute all required signatures and dates for the 2021 Standard Contractual Clauses, the Swiss 2021 Standard Contractual Clauses and the 2010 C2P Standard Contractual Clauses.

      1. EEA transfers. For the purposes of the 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.1. of this Part A, the Parties agree the following:
        1. the text from module two of the 2021 Standard Contractual Clauses shall apply and no other modules or any clauses marked as optional in the 2021 Standard Contractual Clauses shall apply;
        2. ironSource is the data importer and Partner is the data exporter;
        3. for the purposes of clause 9(a) of the 2021 Standard Contractual Clauses, option 2 applies and the advance written notice period of any addition or replacement of Sub-processors required for the purposes of this option is set out in Subsection 10.3 of this Addendum;
        4. the terms set out in Subsection 10.4 of this Addendum apply in addition to clause 9(a) of the 2021 Standard Contractual Clauses;
        5. the terms set out in Subsection 11.2 of this Addendum shall apply in addition to clause 10(b) of the of the 2021 Standard Contractual Clauses;
        6. the assistance provided pursuant to clause 8.6(d) of the of the 2021 Standard Contractual Clauses shall be at the expense of the data exporter to the extent set out in Section 13 of this Addendum;
        7. in relation to clause 8.5 of the 2021 Standard Contractual Clauses, the Partner agrees that it elects to have the Partner Personal Data deleted in accordance with Subsection 14.2 of this Addendum;
        8. ironSource shall use the email address provided in accordance with Subsection 12.2 of this Addendum, to the extent ironSource is required to notify Partner about a Personal Data Breach under clause 8.6(c) of the 2021 Standard Contractual Clauses;
        9. any audit pursuant to clause 8.9(d) of the 2021 Standard Contractual Clauses shall be carried out in accordance with and subject to Section 15 of this Addendum;
        10. the information as required by Annex I of the 2021 Standard Contractual Clauses is as set out in Part A and Part B (column (i)) of Schedule 2;
        11. the technical and organizational measures required by Annex II of the 2021 Standard Contractual Clauses are as set out in Part B (column (i)) of Schedule 2 and in Part A of Schedule 3; and
        12. for the purposes of clause 17 of the 2021 Standard Contractual Clauses, option 1 applies and the 2021 Standard Contractual Clauses shall be governed by the laws of Ireland and for the purposes of clause 18(b) of the 2021 Standard Contractual Clauses, the selected courts are the courts of Ireland.
      1. UK transfers. For the purposes of the 2010 C2P Standard Contractual Clauses that apply pursuant to Subsection 1.2 of this Part A, the Parties agree the following:
        1. ironSource is the data importer and Partner is the data exporter under the C2P Standard Contractual Clauses;
        2. in relation to clause 12(1) of the 2010 C2P Standard Contractual Clauses, the Partner agrees that it elects to have the Partner Personal Data deleted in accordance with Subsection 14.2 of this Addendum;
        3. any audit pursuant to clauses 5(f) and 12(2) of the 2010 C2P Standard Contractual Clauses (insofar as they relate to audit requests made by the data exporter) shall be carried out in accordance with and subject to Section 15 of this Addendum;
        4. the information required by Appendix I of the 2010 C2P Standard Contractual Clauses is as set out in Part A and Part B (column (i)) of Schedule 2;
        5. the technical and organizational measures required by Appendix II of the 2010 C2P Standard Contractual Clauses are as set out in Part A of Schedule 3; and
        6. the governing law of the 2010 C2P Standard Contractual Clauses shall be the law of the country in the United Kingdom in which the data exporter is established.
      1. Swiss transfers. For the purposes of the Swiss 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.3 of this Part A, the Parties agree that the terms of Section 2 of this Part A shall also apply.

Part B – Restricted Transfers of Partner Personal Data to ironSource as a Controller

      1. In relation to Restricted Transfers of Partner Personal Data from Partner to ironSource where ironSource Processes such Partner Personal Data as a Controller, the Parties agree that:
        1. the 2021 Standard Contractual Clauses shall apply, subject to Section 2 of this Part B, to the transfer of Partner Personal Data where such transfer is subject to the EU GDPR;
        2. the 2004 C2C Standard Contractual Clauses shall apply, subject to Section 3 of this Part B, to the transfer of Partner Personal Data where such transfer originates from the UK and is subject to UK GDPR; and
        3. the Swiss 2021 Standard Contractual Clauses shall apply, subject to Section 4 of this Part B, to the transfer of Partner Personal Data where such transfer is subject to the FADP;

and in each case such Standard Contractual Clauses form part of this Addendum and signature to and dating of the Principal Agreement shall constitute all required signatures and dates for the 2021 Standard Contractual Clauses, the Swiss 2021 Standard Contractual Clauses and the 2004 C2C Standard Contractual Clauses.

      1. EEA Transfers. For the purposes of the 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.1 of this Part B, the Parties agree the following:
        1. the text from module one of the 2021 Standard Contractual Clauses shall apply and no other modules or any clauses marked as optional in the 2021 Standard Contractual Clauses shall apply;
        2. ironSource is the data importer and Partner is the data exporter;
        3. ironSource shall use the email address provided in accordance with Subsection 12.2 of this Addendum, to the extent ironSource is required to notify Partner about a Personal Data Breach under clause 8.5(e) of the 2021 Standard Contractual Clauses;
        4. the information required by Annex I of the 2021 Standard Contractual Clauses is as set out in Part A and Part C (column (i)) of Schedule 2;
        5. the technical and organizational measures required by Annex II of the 2021 Standard Contractual Clauses are as set out in Part C (column (i)) of Schedule 2 and in Part A of Schedule 3; and
        6. for the purposes of clause 17 of the 2021 Standard Contractual Clauses, option 1 applies and the 2021 Standard Contractual Clauses shall be governed by the laws of Ireland and for the purposes of clause 18(b) of the 2021 Standard Contractual Clauses, the selected courts are the courts of Ireland.
      1. UK Transfers. For the purposes of the 2004 C2C Standard Contractual Clauses that apply pursuant to Subsection 1.2 of this Part B, the Parties agree the following:
        1. ironSource is the data importer and Partner is the data exporter;
        2. any audit pursuant to clause ii(g) of the 2004 C2C Standard Contractual Clauses shall be carried out in accordance with and subject to Section 15 of this Addendum;
        3. the information required by Annex B of the 2004 C2C Standard Contractual Clauses is as set out in Part A and C (column (i)) of Schedule 2; and
        4. the governing law of the 2004 C2C Standard Contractual Clauses shall be the country in which the Partner is established.
      1. Swiss Transfers. For the purposes of the Swiss 2021 Standard Contractual Clauses that applies pursuant to Subsection 1.3 of this Part B, the Parties agree that the terms of Section 2 of this Part B shall also apply.

Part C – Restricted Transfers of Partner Personal Data to Partner from ironSource as a Processor on behalf of Partner

      1. In relation to Restricted Transfers of Partner Personal Data to Partner from ironSource where ironSource Processes such Partner Personal Data as a Processor on behalf of the Partner; the Parties agree that:
        1. the 2021 Standard Contractual Clauses shall apply, subject to Section 2 of this Part C, to the transfer of Partner Personal Data where such transfer is subject to the EU GDPR;
        2. the Swiss 2021 Standard Contractual Clauses shall apply, subject to Section 3 of this Part C, to the transfer of Partner Personal Data where such transfer is subject to the FADP,

and in each case such Standard Contractual Clauses form part of this Addendum and signature to and dating of the Principal Agreement shall constitute all required signatures and dates for the 2021 Standard Contractual Clauses and the Swiss 2021 Standard Contractual Clauses.

      1. EEA transfers. For the purposes of the 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.1. of this Part C, the Parties agree the following:
        1. the text from module four of the 2021 Standard Contractual Clauses shall apply and no other modules or any clauses marked as optional in the 2021 Standard Contractual Clauses shall apply;
        2. Partner is the data importer and ironSource is the data exporter;
        3. in relation to clause 8.1(d) of the 2021 Standard Contractual Clauses, the Partner agrees that it elects to have the Partner Personal Data deleted in accordance with Subsection 14.2 of this Addendum;
        4. ironSource shall use the email address provided in accordance with Subsection 12.2 of this Addendum, to the extent ironSource is required to notify Partner about a Personal Data Breach under clause 8.2(b) of the 2021 Standard Contractual Clauses;
        5. any audit pursuant to clause 8.3(b) of the 2021 Standard Contractual Clauses shall be carried out in accordance with and subject to Section 15 of this Addendum;
        6. the information as required by Annex I of the 2021 Standard Contractual Clauses is as set out in Part A and Part B (column (ii)) of Schedule 2;
        7. for the purposes of clause 17 of the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses shall be governed by the laws of Ireland and for the purposes of clause 18 of the 2021 Standard Contractual Clauses, the selected courts are the courts of Ireland.
      1. Swiss transfers. For the purposes of the Swiss 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.2 of this Part C, the Parties agree that the terms of Section 2 of this Part C shall also apply.

 

Part D – Restricted Transfers of Partner Personal Data to Partner from ironSource as a Controller

      1. In relation to Restricted Transfers of Publisher Personal Data to Partner from ironSource where ironSource Processes such Publisher Personal Data as a Controller, the Parties agree that:
        1. the 2021 Standard Contractual Clauses shall apply, subject to Section 2 of this Part D, to the transfer of Publisher Personal Data where such transfer is subject to the EU GDPR;
        2. the Swiss 2021 Standard Contractual Clauses shall apply, subject to Section 3 of this Part D, to the transfer of Publisher Personal Data where such transfer is subject to the FADP;

and in each case such Standard Contractual Clauses form part of this Addendum and signature to and dating of the Principal Agreement shall constitute all required signatures and dates for the 2021 Standard Contractual Clauses and the Swiss 2021 Standard Contractual Clauses.

      1. EEA Transfers. For the purposes of the 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.1 of this Part D, the Parties agree the following:
        1. the text from module one of the 2021 Standard Contractual Clauses shall apply and no other modules or any clauses marked as optional in the 2021 Standard Contractual Clauses shall apply;
        2. Partner is the data importer and ironSource is the data exporter;
        3. the information required by Annex I of the 2021 Standard Contractual Clauses is as set out in Part A and Part C (column (ii)) of Schedule 2;
        4. the technical and organizational measures required by Annex II of the 2021 Standard Contractual Clauses are as set out in Part C (column (ii)) of Schedule 2 and Part B of Schedule 3; and
        5. for the purposes of clause 17 of the 2021 Standard Contractual Clauses, option 1 applies and the 2021 Standard Contractual Clauses shall be governed by the laws of Ireland and for the purposes of clause 18(b) of the 2021 Standard Contractual Clauses, the selected courts are the courts of Ireland.
      1. Swiss Transfers. For the purposes of the Swiss 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.2 of this Part D, the Parties agree that the terms of Section 2 of this Part D shall also apply.

Part E – Restricted Transfers of Partner Personal Data from Partner to Device Manufacturer as a Controller

      1. In relation to Restricted Transfers of Partner Personal Data from Partner to Device Manufacturer where Device Manufacturer Processes such Partner Personal Data as a Controller, the Parties agree that:
        1. the 2021 Standard Contractual Clauses shall apply, subject to Section 2 of this Part E, to the transfer of Partner Personal Data where such transfer is subject to the EU GDPR;
        2. the 2004 C2C Standard Contractual Clauses shall apply, subject to Section 3 of this Part E, to the transfer of Partner Personal Data where such transfer originates from the UK and is subject to UK GDPR; and
        3. the Swiss 2021 Standard Contractual Clauses shall apply, subject to Section 4 of this Part E, to the transfer of Partner Personal Data where such transfer is subject to the FADP;

and in each case such Standard Contractual Clauses form part of this Addendum and signature to and dating of the Principal Agreement shall constitute all required signatures and dates for the 2021 Standard Contractual Clauses, the Swiss 2021 Standard Contractual Clauses and the 2004 C2C Standard Contractual Clauses. For the purposes of this Part E, a Restricted Transfer to Device Manufacturer includes transfers made via ironSource as a Processor on behalf of Device Manufacturer.

      1. EEA Transfers. For the purposes of the 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.1 of this Part E, the Parties agree the following:
        1. the text from module one of the 2021 Standard Contractual Clauses shall apply and no other modules or any clauses marked as optional in the 2021 Standard Contractual Clauses shall apply;
        2. Device Manufacturer is the data importer and Partner is the data exporter;
        3. Device Manufacturer shall use the email address provided in accordance with Subsection 12.2 of this Addendum, to the extent Device Manufacturer is required to notify Partner about a Personal Data Breach under clause 8.5(e) of the 2021 Standard Contractual Clauses;
        4. the information required by Annex I of the 2021 Standard Contractual Clauses is as set out in Part A and Part D (column (i)) of Schedule 2;
        5. the technical and organizational measures required by Annex II of the 2021 Standard Contractual Clauses are as set out in Part D (column (i)) of Schedule 2 and in Part A of Schedule 3; and
        6. for the purposes of clause 17 of the 2021 Standard Contractual Clauses, option 1 applies and the 2021 Standard Contractual Clauses shall be governed by the laws of Ireland and for the purposes of clause 18(b) of the 2021 Standard Contractual Clauses, the selected courts are the courts of Ireland, unless otherwise specified in platform.ironsrc.com/partners/funds/company/info.
      1. UK Transfers. For the purposes of the 2004 C2C Standard Contractual Clauses that apply pursuant to Subsection 1.2 of this Part E, the Parties agree the following:
        1. Device Manufacturer is the data importer and Partner is the data exporter;
        2. the information required by Annex B of the 2004 C2C Standard Contractual Clauses is as set out in Part A and D (column (i)) of Schedule 2; and
        3. the governing law of the 2004 C2C Standard Contractual Clauses shall be the laws of England and Wales.
      1. Swiss Transfers. For the purposes of the Swiss 2021 Standard Contractual Clauses that applies pursuant to Subsection 1.3 of this Part E, the Parties agree that the terms of Section 2 of this Part E shall also apply.

 

Part F – Restricted Transfers of Device Manufacturer Personal Data from Device Manufacturer to Partner as a Controller

      1. In relation to Restricted Transfers of Device Manufacturer Personal Data from Device Manufacturer to Partner where Partner Processes such Device Manufacturer Personal Data as a Controller, the Parties agree that:
        1. the 2021 Standard Contractual Clauses shall apply, subject to Section 2 of this Part F, to the transfer of Device Manufacturer Personal Data where such transfer is subject to the EU GDPR;
        2. the 2004 C2C Standard Contractual Clauses shall apply, subject to Section 3 of this Part F, to the transfer of Device Manufacturer Personal Data where such transfer originates from the UK and is subject to UK GDPR; and
        3. the Swiss 2021 Standard Contractual Clauses shall apply, subject to Section 4 of this Part F, to the transfer of Device Manufacturer Personal Data where such transfer is subject to the FADP;

and in each case such Standard Contractual Clauses form part of this Addendum and signature to and dating of the Principal Agreement shall constitute all required signatures and dates for the 2021 Standard Contractual Clauses, the Swiss 2021 Standard Contractual Clauses and the 2004 C2C Standard Contractual Clauses. For the purposes of this Part F, a Restricted Transfer to Partner includes transfers made via ironSource as a Processor on behalf of Device Manufacturer.

      1. EEA Transfers. For the purposes of the 2021 Standard Contractual Clauses that apply pursuant to Subsection 1.1 of this Part F, the Parties agree the following:
        1. the text from module one of the 2021 Standard Contractual Clauses shall apply and no other modules or any clauses marked as optional in the 2021 Standard Contractual Clauses shall apply;
        2. Device Manufacturer is the data exporter and Partner is the data importer;
        3. the information required by Annex I of the 2021 Standard Contractual Clauses is as set out in Part A and Part D (column (ii)) of Schedule 2;
        4. the technical and organizational measures required by Annex II of the 2021 Standard Contractual Clauses are as set out in Part D (column (ii)) of Schedule 2 and in Part B of Schedule 3; and
        5. for the purposes of clause 17 of the 2021 Standard Contractual Clauses, option 1 applies and the 2021 Standard Contractual Clauses shall be governed by the laws of Ireland and for the purposes of clause 18(b) of the 2021 Standard Contractual Clauses, the selected courts are the courts of Ireland, unless otherwise specified in platform.ironsrc.com/partners/funds/company/info.
      1. UK Transfers. For the purposes of the 2004 C2C Standard Contractual Clauses that apply pursuant to Subsection 1.2 of this Part E, the Parties agree the following:
        1. Device Manufacturer is the data exporter and Partner is the data importer;
        2. the information required by Annex B of the 2004 C2C Standard Contractual Clauses is as set out in Part A and D (column (ii)) of Schedule 2; and
        3. the governing law of the 2004 C2C Standard Contractual Clauses shall be the laws of England and Wales.
      1. Swiss Transfers. For the purposes of the Swiss 2021 Standard Contractual Clauses that applies pursuant to Subsection 1.3 of this Part F, the Parties agree that the terms of Section 2 of this Part F shall also apply.

 

Part G – UK Restricted Transfers

      1. From such time as the UK Addendum is in force, the parties agree that the 2010 C2P Standard Contractual Clauses shall no longer apply, and the UK Addendum shall apply to the Parties in relation to the transfers of Partner Personal Data referenced in Subsection 1.2 of Part A of this Schedule 1 and, to the extent such clauses can be applied, in relation to any other Restricted Transfers of Partner Personal Data from Partner to ironSource where ironSource Processes such Partner Personal Data as a Processor on behalf of Partner and such transfer is subject to UK GDPR. In each case the terms set out in Section 2 of Part A of this Schedule 1 shall also apply to the UK Addendum applicable under this Section 1 of this Part G and, as permitted by clause 17 of the UK Addendum, the Parties agree to change the format of the information set out in Part 1 of the UK Addendum so that:
        1. the details of the parties in Table 1 of the UK Addendum shall be as set out in Schedule 2 (with no requirement for signature);
        2. for the purposes of Table 2 of the UK Addendum, the UK Addendum shall be appended to the 2021 Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as set out in Subsection 2.1 of Part A of this Schedule 1) and Subsection 2.3 of Part A of this Schedule 1 selects the option and timescales for clause 9; and
        3. the appendix information listed in Table 3 of the UK Addendum is set out in Part A and Part B (column (i)) of Schedule 2 and in Part A of Schedule 3.
      2. From such time as the UK Addendum is in force, the parties agree that the 2004 C2C Standard Contractual Clauses shall no longer apply and the UK Addendum shall apply to the Parties in relation to the transfers of Partner Personal Data referenced in Subsection 1.2 of Part B of this Schedule 1 and, to the extent such clauses can be applied, in relation to any other Restricted Transfers of Partner Personal Data from Partner to ironSource where ironSource Processes such Partner Personal Data as a Controller and such transfer is subject to UK GDPR. In each case the terms set out in Section 2 of Part B of this Schedule 1 shall also apply to the UK Addendum applicable under this Section 2 of this Part G and, as permitted by clause 17 of the UK Addendum, the Parties agree to change the format of the information set out in Part 1 of the UK Addendum so that:
        1. the details of the parties in Table 1 of the UK Addendum shall be as set out in Schedule 2 (with no requirement for signature);
        2. for the purposes of Table 2 of the UK Addendum, the UK Addendum shall be appended to the 2021 Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as set out in Subsection 2.1 of Part B of this Schedule 1); and
        3. the appendix information listed in Table 3 of the UK Addendum is set out in Part A and Part C (column (i)) of Schedule 2 and in Part A of Schedule 3.
      3. When the UK Addendum is in force, the Parties agree that the UK Addendum shall apply to the Parties in relation to:
        1. transfers of Partner Personal Data to Partner from ironSource where ironSource Processes such Partner Personal Data as a Processor on behalf of Partner where such transfer is subject to UK GDPR. In this case, the terms set out in Section 2 of Part C of this Schedule 1 shall also apply to the UK Addendum applicable under this Subsection 3.1 of this Part G and, as permitted by clause 17 of the UK Addendum, the Parties agree to change the format of the information set out in Part 1 of the UK Addendum so that:
          1. the details of the parties in Table 1 of the UK Addendum shall be as set out in Schedule 2 (with no requirement for signature);
          2. for the purposes of Table 2 of the UK Addendum, the UK Addendum shall be appended to the 2021 Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as set out in Subsection 2.1 of Part C of this Schedule 1) and Partner Personal Data received from the importer is combined with personal data collected by the exporter; and
          3. the appendix information listed in Table 3 of the UK Addendum is set out in Part A and Part B (column (ii)) of Schedule 2; and
        2. transfers of Partner Personal Data to Partner from ironSource where ironSource Processes such Partner Personal Data as a Controller where such transfer is subject to UK GDPR. In this case, the terms set out in Section 2 of Part D of this Schedule 1 shall also apply to the UK Addendum applicable under this Subsection 3.2 of this Part G and, as permitted by clause 17 of the UK Addendum, the Parties agree to change the format of the information set out in Part 1 of the UK Addendum so that:
          1. the details of the parties in Table 1 of the UK Addendum shall be as set out in Schedule 2 (with no requirement for signature);
          2. for the purposes of Table 2 of the UK Addendum, the UK Addendum shall be appended to the 2021 Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as set out in Subsection 2.1 of Part D of this Schedule 1); and
          3. the appendix information listed in Table 3 of the UK Addendum is set out in Part A and Part C (column (ii)) of Schedule 2 and Part B of Schedule 3.
      1. From such time as the UK Addendum is in force, the parties agree that that the 2004 C2C Standard Contractual Clauses shall no longer apply, and the UK Addendum shall apply to the Partner and Device Manufacturer in relation to the transfers of Partner Personal Data referenced in Subsection 1.2 of Part E of this Schedule 1. In each case the terms set out in Section 2 of Part E of this Schedule 1 shall also apply to the UK Addendum applicable under this Section 4 of this Part G and, as permitted by clause 17 of the UK Addendum, the Parties agree to change the format of the information set out in Part 1 of the UK Addendum so that:
        1. the details of the parties in Table 1 of the UK Addendum shall be as set out in Schedule 2 (with no requirement for signature);
        2. for the purposes of Table 2 of the UK Addendum, the UK Addendum shall be appended to the 2021 Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as set out in Subsection 2.1 of Part E of this Schedule 1); and
        3. the appendix information listed in Table 3 of the UK Addendum is set out in Part A and Part D (column (i)) of Schedule 2 and in Part A of Schedule 3.
      2. From such time as the UK Addendum is in force, the parties agree that the 2004 C2C Standard Contractual Clauses shall no longer apply, and the UK Addendum shall apply to the Partner and Device Manufacturer in relation to the transfers of Device Manufacturer Personal Data referenced in Subsection 1.2 of Part F of this Schedule 1. In each case the terms set out in Section 2 of Part F of this Schedule 1 shall also apply to the UK Addendum applicable under this Section 5 of this Part G and, as permitted by clause 17 of the UK Addendum, the Parties agree to change the format of the information set out in Part 1 of the UK Addendum so that:
        1. the details of the parties in Table 1 of the UK Addendum shall be as set out in Schedule 2 (with no requirement for signature);
        2. for the purposes of Table 2 of the UK Addendum, the UK Addendum shall be appended to the 2021 Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as set out in Subsection 2.1 of Part F of this Schedule 1); and
        3. the appendix information listed in Table 3 of the UK Addendum is set out in Part A and Part D (column (II)) of Schedule 2 and in Part B of Schedule 3.
      1. The Parties agree, notwithstanding anything to the contrary in the Principal Agreement, that ironSource may make any amendments to the application of the 2021 Standard Contractual Clauses, the application of the UK Addendum and/or any other amendments to this Part G in respect of transfers of Partner Personal Data, Publisher Personal Data and/or Device Manufacturer Personal Data where such transfer is subject to UK GDPR as it deems necessary in order to implement any replacement standard contractual clauses as approved for use under Article 46 of the UK GDPR by notifying the Partner of any such amendments to this Addendum in writing and such amendments shall be effective upon such notice.

 

 

SCHEDULE 2

DETAILS OF PROCESSING OF PERSONAL DATA

A. List of parties

  • Data exporter in relation to relevant Restricted Transfers from Partner to ironSource and Partner to Device Manufacturer
  • Data importer in relation to relevant Restricted Transfers from ironSource to Partner and from Device Manufacturer to Partner
Partner, as identified in the Principal Agreement and/or in the Partner Account

·       Address: As specified in the Principal Agreement and/or in the Partner Account.

·       Contact person’s name, position and contact details, including any contact person with responsibility for data protection: As specified in the Principal Agreement and/or in the Partner Account and as specified in the next bullet point.

·       Data protection officer identity and contact details and/or representative in the EEA (if applicable): Details about the data exporter’s data protection officer (or, where the data exporter has not appointed a data protection officer, another appropriate point of contact) and/or representative are available to the data importer in the form of the email address provided in accordance with Subsection 12.2 of this Addendum.

·       Activities relevant to Personal Data transferred under the Standard Contractual Clauses: As set out in Part B, Part C and Part D of this Schedule 2 (as appropriate).

·       Role: Controller

      • Data importer in relation to relevant Restricted Transfers from Partner to ironSource
      • Data exporter in relation to relevant Restricted Transfers from ironSource to Partner

 

ironSource Mobile Ltd.

·       Address: 121 Menachem Begin Rd., Tel Aviv, Israel

·       Contact person’s name, position and contact details, including any contact person with responsibility for data protection: Ido Chernobroda, DPO, dpo@ironsrc.com.

·       Activities relevant to Personal Data transferred under the Standard Contractual Clauses: As set out in Part B and Part C of this Schedule 2 (as appropriate).

·       Role:

o   Processor (when module 2 or 4 of the 2021 Standard Contractual Clauses or of the Swiss 2021 Standard Contractual Clauses, or the 2010 C2P Standard Contractual Clauses apply)

o   Controller (when module 1 of the 2021 Standard Contractual Clauses or of the Swiss 2021 Standard Contractual Clauses, or the 2004 C2C Standard Contractual Clauses apply)

      • Data importer in relation to relevant Restricted Transfers from Partner to Device Manufacturer
      • Data exporter in relation to relevant Restricted Transfers from Device Manufacturer to Partner

 

 

 

Each Device Manufacturer as identified in platform.ironsrc.com/partners/funds/company/info from time to time

·       Address: As set out in platform.ironsrc.com/partners/funds/company/info from time to time

·       Contact person’s name, position and contact details, including any contact person with responsibility for data protection: As set out in platform.ironsrc.com/partners/funds/company/info from time to time

·       Activities relevant to Personal Data transferred under the Standard Contractual Clauses: As set out in Part D of this Schedule 2 (as appropriate).

·       Role:

o   Controller

 

 

 

B. ironSource as a Processor on behalf of Partner

 

Processing details

(i) Relevant Restricted Transfers from Partner to ironSource (ii) Relevant Restricted Transfers from ironSource to Partner
1.     Subject-matter of the Processing Personal Data will be Processed to allow ironSource to provide the Processor Services pursuant to the Principal Agreement and this Addendum. As set out in the previous column.
2.     Nature of Processing and Processing operations

ironSource will Process (including, as applicable to the Processor Services and the instructions set forth in this Addendum, collect, record, organize, structure, store, alter, retrieve, use, disclose, combine, erase and destroy) Partner Personal Data for the following purposes:

(a)   Providing the Processor Services.

(b)   Providing any related technical support to Partner in accordance with this Addendum.

ironSource will disclose Partner Personal Data to Partner concerning revenue associated with an advertisement served by ironSource in a Partner’s application.
3.     The obligations and rights of Controller As set out in the Principal Agreement and this Addendum. As set out in the Principal Agreement and this Addendum.
4.     Data Subjects

·       End users of Partner from which ironSource collects Personal Data in its provision of the Processor Services.

·       End users of Partner about whom Personal Data is transferred to ironSource by Partner in connection with the Processor Services.

·       End users of Partner about whom Personal Data is transferred to ironSource by advertisers, by a third party on such advertisers’ behalf, and/or by third party data providers in connection with the Services.

As set out in the previous column.
5.     Categories of Personal Data

·       Device ID

·       IP address

·       Online unique identifiers

·       Segment name (only for the Mediation Platform)

·       User ID, if provided by the Partner

·       Device ID

·       User ID, if provided by the Partner

6.     Special Categories of Personal Data N/A N/A
7.     Duration of Processing The duration of the Processor Services is subject to the Principal Agreement and Subsection 14.2 of this Addendum. As set out in the Principal Agreement.
8.     Purposes of, and further Processing following, the transfer For the purposes of the Processor Services. For the purposes of the provision of the Processor Services.
9.     Activities relevant to the Standard Contractual Clauses

Data importer: Providing Processor Services in accordance with the Principal Agreement.

Data exporter: Receiving the Processor Services in accordance with the Principal Agreement.

Data exporter: Providing Processor Services in accordance with the Principal Agreement.

Data importer: Receiving the Processor Services in accordance with the Principal Agreement.

10.  Applied restrictions or safeguards for Special Categories of Personal Data [1] N/A N/A
11.  Frequency of transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis) Continuous transfer during the term of the Principal Agreement As set out in the previous column.
12.  Retention period for or, if that is not possible, criteria used to determine retention period As set out in row 7 above. As set out in the previous column.

13.  Supplemental technical and organizational measures

As set out here from time to time: https://developers.ironsrc.com/ironsource-mobile/19783-2/ N/A
14.  Competent Supervisory Authority

For transfers subject to the EU GDPR, the competent supervisory authority for the purposes of clause 13(a) and Annex 1, Part C of the 2021 Standard Contractual Clauses is: (i) the EEA Member State in which the data exporter is established where the data exporter is established in the EEA according to the information set out in in Part A of this Addendum; or (ii) the Irish Supervisory Authority, the Data Protection Commission, where the data exporter is not established in the EEA unless the data exporter notifies the data importer of an alternative competent Supervisory Authority (which shall either be the EEA Member State in which the data exporter has a representative or an EEA Member State in which the data subjects whose Partner Personal Data is transferred by the data exporter in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.

For transfers subject to the UK GDPR, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the UK Information Commissioner’s Office.

For transfers subject to the FADP, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the Swiss Federal Data Protection and Information Commissioner.

N/A

 

 

C. ironSource as a Controller

 

Processing details

 

(i) Relevant Restricted Transfers from Partner to ironSource (ii) Relevant Restricted Transfers from ironSource to Partner
1.     Purposes of the Processing and further Processing following the transfer Provision of the applicable Services and of any related technical support to Partner in accordance with the Principal Agreement, compliance with legal obligations and as set out in ironSource’s privacy policy available at https://developers.ironsrc.com/ironsource-mobile/air/ironsource-mobile-privacy-policy/. Publisher Personal Data is transferred for the purposes of Authorized Processing of Third-Party Personal Data.
2.     Data Subjects

·       End users of Partner from which ironSource collects Personal Data in its provision of the Services.

·       End users of Partner about whom Personal Data is transferred to ironSource by Partner in connection with the Services.

·       End users of Partner about whom Personal Data is transferred to ironSource by advertisers, by a third party on such advertisers’ behalf, and/or by third party data providers in connection with the Services.

End users of a third-party app developer who are served with a Partner’s advertisement by ironSource.
3.     Categories of Personal Data

·       Device ID

·       IP address

·       Online unique identifiers

·       User ID, if provided by the Partner

·       Device ID

·       Online unique identifiers

4.     Special Categories of Personal Data N/A N/A
5.     Nature of transfer As described in row 1. As described in row 1
6.     Activities relevant to the Standard Contractual Clauses

Data exporter: Receipt of the applicable Services from the data importer in accordance with the Principal Agreement.

Data importer: Provision of the applicable Services and of any related technical support to data exporter, and Processing in accordance with ironSource’s privacy policy, available at https://developers.ironsrc.com/ironsource-mobile/air/ironsource-mobile-privacy-policy/.

Data exporter: To enable the Authorized Processing of Third-Party Personal Data

Data importer: To enable the Authorized Processing of Third-Party Personal Data

7.     Applied restrictions or safeguards for Special Categories of Personal Data [2] N/A

N/A

8.     Frequency of transfer (e.g., whether the Personal Data is transferred on a one-off or continuous basis) Continuous transfer during the term of the Principal Agreement

As set out in the previous column.

9.     Retention period for or criteria used to determine retention period Partner Personal Data will be retained by data importer in accordance with its data retention policies specified at https://developers.ironsrc.com/ironsource-mobile/19783-2/ (as may be updated from time to time). Publisher Personal Data will be retained by Partner for a reasonable period based on the applicable limitation period for contractual claims.

10.  Supplemental technical and organizational measures

As set out here from time to time: https://developers.ironsrc.com/ironsource-mobile/19783-2/

As set out in Part B of Schedule 3.

11.  Competent Supervisory Authority

For transfers subject to the EU GDPR, the competent supervisory authority for the purposes of clause 13(a) and Annex 1, Part C of the 2021 Standard Contractual Clauses is: (i) the EEA Member State in which the data exporter is established where the data exporter is established in the EEA according to the information set out in in Part A of this Addendum; or (ii) the Irish Supervisory Authority, the Data Protection Commission, where the data exporter is not established in the EEA unless the data exporter notifies the data importer of an alternative competent Supervisory Authority (which shall either be the EEA Member State in which the data exporter has a representative or an EEA Member State in which the data subjects whose Partner Personal Data is transferred by the data exporter in relation to the offering of goods or services to them, or whose behaviour is monitored, are located..

For transfers subject to the UK GDPR, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the UK Information Commissioner’s Office.

For transfers subject to the FADP, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the Swiss Federal Data Protection and Information Commissioner.

For transfers subject to the EU GDPR, the competent supervisory authority for the purposes of clause 13(a) and Annex 1, Part C of the 2021 Standard Contractual Clauses is the Irish Supervisory Authority, the Data Protection Commission.

For transfers subject to the UK GDPR, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the UK Information Commissioner’s Office.

For transfers subject to the FADP, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the Swiss Federal Data Protection and Information Commissioner.

12.  Recipients of Personal Data Advertisers, app developers, ironSource Affiliates, Subprocessors, any entity which successes ironSource as a result of a business transition such as merger, acquisition or a sale of assets, and as required to comply with legal obligations or to establish or exercise ironSource’s rights or to defend against legal claims. N/A

D. Restricted Transfers between Partner and Device Manufacturer

 

Processing details

 

(i) Relevant Restricted Transfers from Partner to Device Manufacturer (ii) Relevant Restricted Transfers from Device Manufacturer to Partner
1.     Purposes of the Processing and further Processing following the transfer To enable ironSource’s provision of the applicable Services in accordance with the Principal Agreement and of any related technical support to Partner Device Manufacturer Personal Data is transferred for the purposes of Authorized Processing of Third-Party Personal Data.
2.     Data Subjects End users of Partner about whom Personal Data is transferred to ironSource by advertisers, by a third party on such advertisers’ behalf, and/or by third party data providers in connection with the Services. End users of a mobile device of a Device Manufacturer
3.     Categories of Personal Data

·       Device ID

·       IP address

·       Online unique identifiers

·       Device ID

·       Online unique identifiers

4.     Special Categories of Personal Data N/A N/A
5.     Nature of transfer As described in row 1. As described in row 1
6.     Activities relevant to the Standard Contractual Clauses

Data exporter: Receipt of the applicable Services from ironSource in accordance with the Principal Agreement.

Data importer: To enable ironSource’s provision of the applicable Services and of any related technical support to Partner.

Data exporter: To enable the Authorized Processing of Third-Party Personal Data

Data importer: To enable the Authorized Processing of Third-Party Personal Data

7.     Applied restrictions or safeguards for Special Categories of Personal Data [3] N/A

N/A

8.     Frequency of transfer (e.g., whether the Personal Data is transferred on a one-off or continuous basis) Continuous transfer during the term of the Principal Agreement

As set out in the previous column.

9.     Retention period for or criteria used to determine retention period As set out here from time to time: https://developers.ironsrc.com/ironsource-mobile/19783-2/ Device Manufacturer Personal Data will be retained by Partner for a reasonable period based on the applicable limitation period for contractual claims.

10.  Supplemental technical and organizational measures

As set out here from time to time: https://developers.ironsrc.com/ironsource-mobile/19783-2/ As set out in Part B of Schedule 3.
11.  Competent Supervisory Authority

For transfers subject to the EU GDPR, the competent supervisory authority for the purposes of clause 13(a) and Annex 1, Part C of the 2021 Standard Contractual Clauses is: (i) the EEA Member State in which the data exporter is established where the data exporter is established in the EEA according to the information set out in in Part A of this Addendum; or (ii) the Irish Supervisory Authority, the Data Protection Commission, where the data exporter is not established in the EEA unless the data exporter notifies the data importer of an alternative competent Supervisory Authority (which shall either be the EEA Member State in which the data exporter has a representative or an EEA Member State in which the data subjects whose Partner Personal Data is transferred by the data exporter in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.

For transfers subject to the UK GDPR, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the UK Information Commissioner’s Office.

For transfers subject to the FADP, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the Swiss Federal Data Protection and Information Commissioner.

For transfers subject to the EU GDPR, the competent supervisory authority for the purposes of clause 13(a) and Annex 1, Part C of the 2021 Standard Contractual Clauses is as identified in platform.ironsrc.com/partners/funds/company/info in respect of the relevant Device Manufacturer.

For transfers subject to the UK GDPR, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the UK Information Commissioner’s Office.

For transfers subject to the FADP, the competent supervisory authority for the purposes of relevant Standard Contractual Clauses applied to such transfers (as required) is the Swiss Federal Data Protection and Information Commissioner.

12.  Recipients of Personal Data Device Manufacturer, Device Manufacturer Affiliates, Processors, any entity which successes Device Manufacturer as a result of a business transition such as merger, acquisition or a sale of assets, and as required to comply with legal obligations or to establish or exercise Device Manufacturer’s rights or to defend against legal claims. Partner, its Processors, any entity which successes Partner as a result of a business transition such as merger, acquisition or a sale of assets, and as required to comply with legal obligations or to establish or exercise Partner’s rights or to defend against legal claims.

 

 

SCHEDULE 3

Technical and Organizational Measures

PART A – Relevant Restricted Transfers from Partner to ironSource

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ironSource shall in relation to the Partner Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR, and as shall be further detailed at: https://developers.ironsrc.com/ironsource-mobile/19783-2/.

Notwithstanding any provision to the contrary otherwise agreed to by Partner, ironSource may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices and ironSource updates the information within the aforementioned link. The Parties agree that such modifications or updates from time to time shall form part of this Part A of Schedule 3.

PART B – Relevant Restricted Transfers from ironSource to Partner / Device Manufacturer to Partner

If Partner Processes Publisher Personal Data and/or Device Manufacturer Personal Data under the provisions of this Addendum, Partner hereby represents and warrants it has implemented measures at least equivalent to the technical and organizational measures as set out in this link from time to time (https://developers.is.com/ironsource-mobile/general/160322-2/), in addition to any other measures specified in, or supplied to ironSource and/or Device Manufacturer in connection with the Principal Agreement.

 

 

CALIFORNIA CONSUMER PRIVACY ACT ADDENDUM

This California Consumer Privacy Act Addendum (“CCPA Addendum”) forms an integral part of the Agreement (“Principal Agreement”) between: (i) ironSource Mobile Ltd. (ironSource); and (ii) the entity and/or person specified in ironSource’s dashboard under the following link: https://platform.ironsrc.com/partners/funds/company/info  (“Publisher”).

RECITALS:

  1. The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the Principal Agreement.  Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
  2. In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement.  Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.
  3. Publisher and ironSource have entered into a Principal Agreement pursuant to which ironSource will provide certain Services to Publisher. IronSource’s liability for this Addendum is limited to the Term of the Principal Agreement, i.e. the period during which ironSource is contracted by Publisher for the provision of the services.
  4. To the extent that the provision of such services involves the Processing of Publisher Personal Information, the parties have agreed to enter into this Addendum for the purposes of ensuring compliance with the applicable data protection legislation.
    1. Definitions
      1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
        1. CCPA” means the California Consumer Privacy Act of 2018 and its regulations, as amended;
        2. Contracted Processor” means ironSource or a Subprocessor (as defined below);
        3. ironSource Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with ironSource, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
        4. Publisher Personal Information” means any Personal Information of an End User Processed by a Contracted Processor on behalf of Publisher for the performance of the Principal Agreement;
        5. Services” means the services and other activities to be supplied to or carried out by or on behalf of ironSource for Publisher pursuant to the Principal Agreement;
        6. Subprocessor” means any person (excluding an employee of ironSource or any of its sub-contractors) appointed by or on behalf of ironSource to Process Personal Information on behalf of Publisher for the performance of the Principal Agreement; and
    1. The terms, “Business“, “Consumer“, “Personal Information“, “Processing” “Sale”, and “Service Provider” shall have the same meanings as in the CCPA, and their cognate terms shall be construed accordingly.
    2. The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
    1. Processing of Publisher Personal Information
      1. This Addendum shall apply only (i) to the extent that the CCPA applies to the Processing of Publisher Personal Information, and only to Publisher Personal Information subject to the CCPA; and (ii) to the Services for which the parties agreed to this Addendum.
      2. Publisher hereby represents, warrants, and undertakes that at all times during the term of the Principal Agreement, Publisher shall include a link to the IronSource Mobile Privacy Policy available at: https://developers.ironsrc.com/ironsource-mobile/air/ironsource-mobile-privacy-policy/ from the Publisher’s privacy policy made available to the End User prior to downloading the Publisher’s App(s) in connection with the Principal Agreement. The Publisher shall indemnify ironSource, and shall be fully liable for any damages, losses, costs, and/or expenses arising out of or relating to Publisher’s or its Affiliates’ breach of this Addendum.
      3. In the event that Publisher have implemented ironSource’s SDK that includes ironSource’s CCPA API (the “CCPA API”) enabling Publishers to send information to a Contracted Processor regarding the status of one or more End Users under CCPA (such as, by way of example, designating an End User as having received notice at collection, having provided consent to certain Processing, and/or having opted out of Sales of Personal Information) (“Status Information”), Publisher represents and warrants that: (i) the Status Information is complete, accurate, and up-to-date; (ii) Publisher has complied with all Applicable Rules with respect to the Status Information and the Publisher Personal Information; (iii) Publisher has provided all notices as required by and in compliance with the CCPA, including notices at or before the point of collection of the Publisher Personal Information; (iv) Publisher shall indicate and flag any specific End Users that are under the age of 16 using the applicable CCPA API parameter as an End User that has opted out of Sales of Personal Information; and (v) Publisher has all required rights, licenses, and permissions to sell the Publisher Personal Information to ironSource or to permit ironSource to collect the Publisher Personal Information for ironSource’s purposes in accordance to its designation pursuant to the Status Information and Publisher Account indication. Publisher represents and warrants that ironSource’s reliance on the Status Information shall not cause ironSource to be in violation of CCPA.  Publisher shall provide ironSource with Status Information for each End User or with an indication through the Publisher Account stating that an Application’s End Users have opted out of Sales of Personal Information. Publisher acknowledges and agrees that an omission to provide such Status Information or indication will be treated as a permission to allow Sale of Publisher Personal Information with respect to such End User.  When Publisher provides ironSource with Status Information or with an indication through the Publisher Account stating that an Application’s End Users have opted out of Sales of Personal Information, ironSource will act as a Service Provider with respect to the indicated End User(s) and will not collect, retain, use, sell, or otherwise disclose the Publisher Personal Information for any purpose other than for the specific purpose of performing the Services specified in the Principal Agreement or as otherwise required by law.  IronSource will provide reasonable assistance to Publisher with responding to requests from such End Users relating to the Publisher Personal Information held by a Contracted Processor, to the extent required by, and in a manner that is designed to comply with, the CCPA.
      4. For Publishers that have implemented and utilize the CCPA API, Publisher’s privacy policy shall contain a disclosure substantially similar to the following: “Other businesses collect information when you interact with our app, including IP addresses, digital identifiers, information about your web browsing and app usage, and how you interact with our properties and ads in order to provide you with relevant ads across the Internet and for other analytics purposes, and may sell that information to other businesses for advertising and other purposes.” In the event that Publisher provides a disclosure that is not substantially similar to this example, Publisher shall provide ironSource with a true and correct copy of its proposed disclosure for ironSource’s review at least 30 days prior to enabling ironSource to Process Publisher Personal Information collected under such disclosure.
      5. For Publishers that have not implemented the CCPA API, the following terms apply:
        1. Publisher represents and warrants that: (i) Publisher has complied with all Applicable Rules with respect to the Publisher Personal Information; (ii) Publisher has provided all notices as required by and in compliance with the CCPA, including notices at or before the point of collection of the Publisher Personal Information; and (iii) Publisher has all required rights, licenses, and permissions to make the Publisher Personal Information available to any Contracted Processor.
        2. IronSource will act as a Service Provider and will not collect, retain, use, sell, or otherwise disclose the Publisher Personal Information for any purpose other than for the specific purpose of performing the Services specified in the Principal Agreement or as otherwise required by law.  IronSource will provide reasonable assistance to Publisher with responding to requests from End Users relating to the Publisher Personal Information held by a Contracted Processor, to the extent required by, and in a manner that is designed to comply with, the CCPA.
    1. Publisher shall comply with the CCPA in the Processing of Publisher Personal Information and hereby instructs ironSource (and authorizes ironSource to instruct each Subprocessor) to Process Publisher Personal Information as reasonably necessary for the provision of the Services and consistent with the Principal Agreement.
    1. General Terms

Order of precedence

        1. With regard to the subject matter of this Addendum, in the event of conflict or inconsistency between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail with respect to the Publisher Personal Information.

Severance

        1. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Changes to this Addendum

        1. ironSource may change this Addendum by sending an email notification to Publisher, at least 30 days prior to any such taking effect, in the event that such change does not: (i) result in a degradation of the overall security of the Services; (ii) expand the scope of, or remove any restrictions on, ironSource’s Processing of Publisher Personal Information; and (iii) otherwise have a material adverse impact on Publisher’s rights under this Addendum, as reasonably determined by ironSource, unless such change is required by CCPA or other applicable law.

[1] The applied restrictions or safeguards should fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures

[2]                The applied restrictions or safeguards should fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures

[3]                The applied restrictions or safeguards should fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures