Adswerve

Adswerve Data Processing Terms

We are making changes to the Adswerve Data Processing Terms (DPTs), including to reflect the new versions of Standard Contractual Clauses issued by the European Commission on June 4, 2021. If you accepted the DPTs on or after October 8, 2021, these updates will apply to your use of the relevant service(s) immediately. If you accepted the DPTs before October 8, 2021, these updates will apply to your use of the relevant service(s) from November 7, 2021 onwards. For our legacy terms, see here.

Adswerve, Inc. (“Adswerve”) and the counterparty agreeing to these terms (“Customer”) have entered into an agreement for the provision of certain services by Adswerve to Customer (as amended from time to time, the “Agreement”).

These Data Processing Terms (including its annexes, appendices, and schedules, “Data Processing Terms”) are entered into by Adswerve and Customer and supplement and form part of the Agreement. These Data Processing Terms will be effective and replace any previously applicable terms relating to their subject matter, from the Terms Effective Date (as defined below).

If you are accepting these Data Processing Terms on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to these Data Processing Terms; (b) you have read and understand these Data Processing Terms; and (c) you agree, on behalf of Customer, to these Data Processing Terms. If you do not have the legal authority to bind Customer, please do not accept these Data Processing Terms.

1.   Introduction. These Data Processing Terms reflect the parties’ agreement on the terms governing the Processing and security of Customer Personal Data in connection with Data Protection Laws.

2.   Definitions and Interpretation

2.1.   As used in these Data Processing Terms, the terms below have the meanings set forth below:

“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.

“Adequate Country” means:

(a)   for data processed subject to the EU GDPR: the EEA, or a country or territory that is the subject of an adequacy decision by the European Commission under Article 45(1) of the EU GDPR;

(b)   for data processed subject to the UK GDPR: the UK or a country or territory that is the subject of the adequacy regulations under Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018; and/or

(c)   for data processed subject to the Swiss FDPA: Switzerland, or a country or territory that (i) is included in the list of the states whose legislation ensures an adequate level of protection as published by the Swiss Federal Data Protection and Information Commissioner, or (ii) is the subject of an adequacy decision by the Swiss Federal Council under the Swiss FDPA.

“Alternative Transfer Solution” means a solution, other than SCCs, that enables the lawful transfer of Personal Data to a third country in accordance with European Data Protection Legislation.

“CCPA” means the California Consumer Privacy Act of 2018.

“Data Protection Laws” means with respect to a party, all privacy, data protection and information security-related laws and regulations applicable to such party’s Processing of Personal Data, including, where applicable, European Data Protection Legislation, the CCPA, and/or the LGPD.

“Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.

“Customer Personal Data” means Personal Data that is Processed by Adswerve on behalf of Customer in Adswerve’s provision of the Services. For purposes of these Data Protection Terms, Customer Personal Data does not include Personal Data of employees or representatives of Customer with whom Adswerve has a direct business relationship.

“Data Incident” means a breach of Adswerve’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Adswerve. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“EEA” means the European Economic Area.

“European Data Protection Legislation” means, as applicable, data protection or privacy laws in force in the EEA, Switzerland, and the United Kingdom, including, to the extent applicable: (a) Regulation (EU) 2016/679 (“EU GDPR”) and any national legislation implementing the EU GDPR; (b) the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, if in force, and applicable secondary legislation made under that Act (“UK GDPR”); and/or (c) the Federal Data Protection Act of 19 June 1992 (Switzerland) (“Swiss FDPA”).

“Instructions” has the meaning given in Section 5.1 (Customer’s Instructions).

“LGPD” means the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais).

“Notification Email Address” means the email address (if any) designated by Customer to receive certain notifications from Adswerve relating to these Data Processing Terms.

“Personal Data” means any information that constitutes “personal data,” “personal information,” “personally identifiable information” or similar information defined in and governed by Data Protection Laws.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“SCCs” means the SCCs (EU Controller-to-Processor), the SCCs (EU Processor-to-Processor), and/or the SCCs (UK Controller-to-Processor), as applicable.

“SCCs (EU Controller-to-Processor)” means the terms at https://adswerve.com/eu-scc-controller-to-processor.

“SCCs (EU Processor-to-Processor)” means the terms at https://adswerve.com/eu-scc-processor-to-processor.

“SCCs (UK Controller-to-Processor)” means the terms at https://adswerve.com/uk-scc-controller-to-processor.

“Security Documentation” means any ISO/IEC 27001:2013 certification or any comparable certifications or audit reports made available by Adswerve and/or an applicable Services Partner in connection with the Services.

“Services” means the services that Adswerve has agreed to provide to Customer under the Agreement.

“Services Partner” means the third party identified in the Agreement which provides certain products, services, and/or support for resale by Adswerve to Customer as part of the Services.

“Subprocessors” means any third party authorized under these Data Processing Terms to Process Customer Personal Data on behalf of Customer.

“Term” means the period from the Terms Effective Date until the end of Adswerve’s provision of the Services under the Agreement.

“Terms Effective Date” means the date on which Customer clicked to accept or the parties otherwise agreed to these Data Processing Terms.

“Usage Data” means: (a) (i) statistical data, trends and usage information collected by Adswerve regarding Customer’s use of Services, (ii) Adswerve’s technical logs, billings logs, billing data, and administrative account information, (iii) Customer user account and login data; or (b) any information defined as a “Usage Information” in the Agreement.

2.2.   The words “include” and “including” mean “including but not limited to”. Any examples in these Data Processing Terms are illustrative and not the sole examples of a particular concept.

2.3.   Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

3.   Duration of these Data Processing Terms. These Data Processing Terms will take effect on the Terms Effective Date. Regardless of whether the Agreement has terminated or expired, these Data Processing Terms will remain in effect until, and automatically expire when, Adswerve deletes all Customer Personal Data as described in these Data Processing Terms.

4.   Application of these Data Processing Terms

4.1.   These Data Processing Terms apply to the Processing of Customer Personal Data under the Agreement, except that:

(a)   Annex A (European Data Processing Terms) will apply only to the extent that European Data Protection Legislation applies to Adswerve’s Processing of Customer Personal Data under the Agreement;

(b)   Annex B (California Data Processing Terms) will apply only to the extent that the CCPA applies to Adswerve’s Processing of Customer Personal Data under the Agreement;

(c)   Annex C (Brazil Data Processing Terms) will apply only to the extent that the LGPD applies to Adswerve’s Processing of Customer Personal Data under the Agreement; and

(d)   Schedules I and II will each individually apply only where the Services include the products, services, or support provided by one or more Services Partners described in such Schedule and identified in the Agreement.

5.   Processing of Data

5.1.   Customer’s Instructions. By entering into these Data Processing Terms, Customer instructs Adswerve to Process Customer Personal Data only in accordance with applicable law: (a) to provide the Services and any related technical support; (b) as further specified via Customer’s use of the Services (including in the settings and other functionality of the Services, where available) and any related technical support; (c) as documented in the form of the Agreement (including these Data Processing Terms); and (d) as further documented in any other written instructions given by Customer and acknowledged by Adswerve as constituting instructions for purposes of these Data Processing Terms (collectively, the “Instructions”).

5.2.   Adswerve’s Compliance with Instructions.  Adswerve will comply with the Instructions unless prohibited by applicable law.

6.   Data Deletion. Except as otherwise set forth in a Schedule, following termination or expiration of the Agreement Adswerve will, at Customer’s option, delete or return all Customer Personal Data (including existing copies) from Adswerve’s systems in accordance with applicable law. Adswerve will comply with this instruction as soon as reasonably practicable, unless applicable laws require storage.

7.   Data Security

7.1.   Security Measures. Adswerve will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, including the measures described in any applicable Schedule (the “Security Measures”). Adswerve or the relevant Services Partner may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in a material reduction of the security of the Services.

7.2.   Access and Compliance.  Adswerve will: (a) authorize its employees, contractors, and Subprocessors to access Customer Personal Data only as necessary to comply with the Instructions; (b) take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance; and (c) ensure that all persons authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.3.   Data Incidents

7.3.1.   Incident Notification. If Adswerve becomes aware of a Data Incident, Adswerve will: (a) notify Customer of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Personal Data.

7.3.2.   Details of Data Incident. Notifications made under Section 7.3.1 (Incident Notification) will describe the nature of the Data Incident, including the Customer resources impacted; the measures Adswerve has taken or plans to take, to address the Data Incident and to mitigate its potential risk; the measures, if any, Adswerve recommends that Customer take to address the Data Incident; and details of a contact point where more information can be obtained. If it is not possible to provide all such information at the same time, Adswerve’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.

7.3.3.   Delivery of Notification. Adswerve will deliver its notification of any Data Incident to the Notification Email Address or, at Adswerve’s discretion (including if Customer has not provided a Notification Email Address), by other direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for providing the Notification Email Address and ensuring that the Notification Email Address is current and valid.

7.3.4.   Third Party Notifications. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Data Incident.

7.3.5.   No Acknowledgement of Fault by Adswerve. Adswerve’s notification of or response to a Data Incident under this Section 7.3 (Data Incidents) will not be construed as an acknowledgement by Adswerve of any fault or liability with respect to the Data Incident.

7.4.   Customer’s Security Responsibilities and Assessment

7.4.1.   Customer’s Security Responsibilities. Customer agrees that, without prejudice to Adswerve’s obligations under Sections 7.1 (Security Measures), 7.2 (Access and Compliance), and 7.3 (Data Incidents):

(a)   Customer is responsible for its use of the Services, including (i) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data, (ii) securing the account authentication credentials, systems and devices Customer uses to access the Services, where applicable, and (iii) backing up its Customer Data and Customer Personal Data as appropriate; and

(b)   Adswerve has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of Adswerve’s and its Subprocessors’ systems.

7.4.2.   Customer’s Security Assessment. Customer acknowledges and agrees that the Services, the Security Measures, and Adswerve’s commitments under this Section 7 (Data Security): (a) meet Customer’s needs, including with respect to any security obligations of Customer under Data Protection Laws, as applicable, and (b) provide a level of security appropriate to the risk in respect of the Customer Personal Data or any Customer Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals.

7.5.   Reviews and Audits of Compliance. To the extent Data Protection Laws include a right for Customer to review or audit Adswerve’s Processing of Customer Personal Data, Customer will exercise such review or audit right, and Adswerve will fulfill its corresponding obligations, as follows:

7.5.1.   Reviews of Security Documentation. Adswerve shall make available to Customer relevant information regarding Adswerve’s Processing of Customer Personal Data under these Data Protection Terms in the form of the Security Documentation.

7.5.2.   Customer’s Audit Rights

(a)   Not more than once per calendar year and at Customer’s expense, Customer may audit Adswerve’s compliance with its obligations under these Data Processing Terms by submitting reasonable requests for information, including security and audit questionnaires. Adswerve will provide written responses to the extent the requested information is necessary to confirm Adswerve’s compliance with these Data Protection Terms. However, if the requested information is addressed in any Security Documentation, Customer agrees to accept such Security Documentation in lieu of a written response. Any information provided by Adswerve under this Section 7.5.2 constitutes Adswerve’s Confidential Information under the Agreement.

(b)   If required by Data Protection Laws, Adswerve will allow Customer or a third party auditor appointed by Customer to conduct audits (including inspections) to verify Adswerve’s compliance with its obligations under these Data Processing Terms in accordance with Section 7.5.3 (Additional Business Terms for Audits). During an audit, Adswerve will make available all information necessary to demonstrate such compliance and contribute to the audit as described in this Section 7.5 (Reviews and Audits of Compliance).

(c)   If the SCCs apply under Annex A, Adswerve will allow Customer (or a third-party auditor appointed by Customer) to conduct audits as described in those SCCs and, during the audit, make available all information required by those SCCs, each in accordance with Section 7.5.3 (Additional Business Terms for Audits).

7.5.3.   Additional Business Terms for Audits

(a)   Customer will send any request for an audit under Section 7.5.2(b) or 7.5.2(c) to Adswerve as described in Section 10 (Contacting Adswerve) of the Data Processing Terms;

(b)   Following receipt by Adswerve of such a request, Adswerve and Customer will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any audit under Section 7.5.2(b) or 7.5.2(c);

(c)   Adswerve or any applicable Services Partner may charge a fee for any audit under Section 7.5.2(b) or 7.5.2(c). Adswerve will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any third party auditor appointed by Customer to execute any such audit;

(d)   Adswerve or the relevant Services Partner may object to any third party auditor appointed by Customer to conduct any audit under this Section 7.5.2(b) or 7.5.2(c) if the auditor is, in Adswerve’s or the Services Partner’s reasonable opinion, not suitably qualified or independent, a competitor of Adswerve or the Services Partner or otherwise manifestly unsuitable. Any such objection will require Customer to appoint another auditor or conduct the audit itself; and

(e)   Nothing in these Data Processing Terms will require Adswerve either to disclose to Customer or its third party auditor, or to allow Customer or its third party auditor to access: (i) any data of any other customer of Adswerve or a Services Partner; (ii) any internal accounting or financial information; (iii) any trade secret; (iv) any information that, in Adswerve’s or a Services Partner’s reasonable opinion, could: (A) compromise the security of any systems or premises; or (B) cause Adswerve or any Services Partner to breach its obligations under the European Data Protection Legislation or its security and/or privacy obligations to Customer or any third party; or (v) any information that Customer or its third party auditor seeks to access for any reason other than the good faith fulfilment of Customer’s obligations under the European Data Protection Legislation.

8.   Data Subject Rights

8.1.   Responses to Data Subject Requests. If Adswerve receives a request from a data subject in relation to Customer Personal Data, Adswerve will advise the data subject to submit his/her request to Customer, and Customer will be responsible for responding to such request.

8.2.   Adswerve’s Data Subject Request Assistance. Subject to any applicable Schedule, upon Customer’s request, Adswerve will (taking into account the nature of the Processing of Customer Personal Data) reasonably assist Customer in fulfilling any obligation of Customer to respond to requests by data subjects to exercise their rights in respect of Customer Personal Data under Data Protection Laws in cases where Customer cannot reasonably fulfill such requests independently using the functionality of the Services, where available. Adswerve may charge Customer on a time and materials basis in the event that Adswerve considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.

8.3.   Rectification.  If Customer becomes aware that any Customer Personal Data is inaccurate or outdated, Customer will be responsible for rectifying or deleting that data if required by Data Protection Laws, including (where available) by using the functionality of the Services.

9.   Subprocessors

9.1.   Consent to Subprocessor Engagement. In addition to any Subprocessors authorized under any applicable Schedule, Customer specifically authorizes the engagement as Subprocessors of those entities listed as of the Terms Effective Date at the URL specified in Section 9.2 (Subprocessor List). In addition, without prejudice to Section 9.4 (Opportunity to Object to Subprocessor Changes), Customer generally authorizes the engagement of any other third parties as Subprocessors (“New Subprocessors”).

9.2.   Subprocessor List. Customer may view a list of Subprocessors utilized by Adswerve by visiting https://adswerve.com/subprocessors/ or such other website as Adswerve may designate.

9.3.   Requirements for Subprocessor Engagement. When engaging any Subprocessor, Adswerve will: (a) enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in these Data Protection Terms; and (b) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.

9.4.   Opportunity to Object to Subprocessor Changes. When any New Subprocessor is engaged during the Term, Adswerve will, at least ten (10) business days before the New Subprocessor Processes any Customer Personal Data, inform Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor list described in Section 9.2 and by either: (a) sending an email to the Notification Email Address; or (b) alerting Customer via the user interface or portal for the Services, where applicable. If, within five (5) business days after such notice, Customer notifies Adswerve in writing that Customer objects to Adswerve’s appointment of a New Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved. If the parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience.

10.   Contacting Adswerve. Customer may contact Adswerve in relation to the exercise of its rights under these Data Processing Terms by emailing privacy@adswerve.com.  If Adswerve receives a request or instruction from a third party purporting to be a controller of Customer Personal Data, Adswerve will advise the third party to contact Customer.

11.   Liability. Regardless of anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Data Processing Terms will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (and therefore, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the Data Protection Laws). If there is no monetary or payment-based liability cap under the Agreement, then the total liability of either party towards the other party under or in connection with these Data Processing Terms will not exceed the total amount of fees paid to Adswerve (in the case of Adswerve’s liability) or payable (in the case of Customer’s liability) to Adswerve with respect to the Services during the 12 months before the date when the liability arose.

12.   Effect of these Data Processing Terms. If there is any conflict or inconsistency between these Data Processing Terms and the remainder of the Agreement, then these Data Processing Terms shall govern. Except as expressly set forth in these Data Protection Terms, the Agreement remains unchanged and in full force and effect.

13.   Modifications

13.1.   Changes to Data Processing Terms. Adswerve may change these Data Processing Terms if the change:

(a)   is expressly permitted by these Data Processing Terms;

(b)   reflects a change in the name or form of a legal entity;

(c)   is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency, is required by a Services Partner, or reflects Adswerve’s adoption of an Alternative Transfer Solution; or

(d)   does not: (i) result in a degradation of the overall security of the Services; (ii) expand the scope of, or remove any restrictions on Adswerve’s Processing of Customer Personal Data, as described in Section 5.2 (Adswerve’s Compliance with Instructions); and (iii) otherwise have a material adverse impact on Customer’s rights under these Data Processing Terms, as reasonably determined by Adswerve.

13.2.   Notification of Changes. If Adswerve intends to change these Data Processing Terms under Section 13.1(c) or (d), Adswerve will inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to the Notification Email Address; or (b) alerting Customer via the user interface or portal for the Services, where applicable. If Customer objects to any such change, Customer may immediately terminate the Agreement for convenience by giving written notice to Adswerve within 90 days of being informed by Adswerve of the change.


Annex A: European Data Processing Terms

1.   Definitions. For purposes of this Annex A, the terms “controller”, “processor”, and “supervisory authority” have the meanings given in European Data Protection Legislation; “Customer Personal Data” shall mean that portion of Customer Personal Data that constitutes “personal data” as such term is defined in European Data Protection Legislation; “European Laws” means, as applicable: (a) EU or EU Member State law (if the EU GDPR applies to the processing of Customer Personal Data); and (b) the law of the UK or a part of the UK (if the UK GDPR applies to the processing of Customer Personal Data); and the terms “data importer” and “data exporter” have the meanings given in the applicable SCCs.

2.   Roles and Regulatory Compliance; Authorization; Notification

2.1.   Processor and Controller Responsibilities. The parties acknowledge and agree that:

(a)   Adswerve is a processor of Customer Personal Data under European Data Protection Legislation;

(b)   Customer is a controller or processor, as applicable, of Customer Personal Data under European Data Protection Legislation; and

(c)   Each party will comply with the obligations applicable to it under European Data Protection Legislation with respect to the Processing of Customer Personal Data.

To the extent that Usage Data constitutes Personal Data, Adswerve is the controller with respect to such data and shall Process such data in accordance with its Privacy Policy, which can be found at https://adswerve.com/privacy-policy/.

2.2.   Subject Matter and Details of Processing. Adswerve and Customer acknowledge and agree that Appendix 1 to this Annex A describes the subject matter and details of the Processing of Customer Personal Data.

2.3.   Processor Customers. If Customer is a processor:

(a)   Customer warrants on an ongoing basis that the relevant controller has authorised: (i) the Instructions, (ii) Customer’s appointment of Adswerve as another processor, and (iii) Adswerve’s engagement of Subprocessors as described in Section 9 (Subprocessors) of the Data Processing Terms; and

(b)   Customer will immediately forward to the relevant controller any notice provided by Adswerve under Section 2.4 (Instruction Notifications) of this Annex A, Sections 7.3.1 (Incident Notification) or 9.4 (Opportunity to Object to Subprocessor Changes) of the Data Processing Terms, or that refers to any SCCs.

2.4.   Instruction Notifications. Adswerve will notify Customer if, in Adswerve’s opinion: (a) applicable European Laws prohibit Adswerve or a Services Partner from complying with an Instruction; (b) an Instruction does not comply with European Data Protection Legislation; or (c) Adswerve or a Services Partner is otherwise unable to comply with an Instruction, in each case unless such notice is prohibited by European Law.  This Section 2.4 (Instruction Notifications) does not reduce either party’s rights and obligations elsewhere in the Agreement.

3.   Adswerve’s Security Assistance.  Adswerve will (taking into account the nature of the processing of Customer Personal Data and the information available to Adswerve) assist Customer in ensuring compliance with Customer’s  (or, where Customer is a processor, the relevant controller’s) obligations in respect of the security of Customer Personal Data and Data Incidents, including Customer’s (or, where Customer is a processor, the relevant controller’s) obligations under Articles 32 to 34 (inclusive) of the EU GDPR (or equivalent articles of the UK GDPR), by:

(a)   implementing and maintaining the Security Measures in accordance with Section 7.1 (Security Measures) of the Data Processing Terms;

(b)   complying with the terms of Section 7.3 (Data Incidents) of the Data Processing Terms; and

(c)   providing Customer with the Security Documentation in accordance with Section 7.5.1 (Reviews of Security Documentation) of the Data Processing Terms and the information contained in these Data Processing Terms.

4.   Impact Assessments and Consultations.  Adswerve will (taking into account the nature of the processing and the information available to Adswerve) assist Customer in ensuring compliance with Customer’s (or, where Customer is a processor, the relevant controller’s) obligations in respect of data protection impact assessments and prior consultation, including (if applicable) Customer’s or the relevant controller’s obligations under Articles 35 and 36 of the EU GDPR or equivalent articles of the UK GDPR, by (a) providing the Security Documentation in accordance with Section 7.5.1 (Reviews of Security Documentation) of the Data Processing Terms; (b) providing the information contained in the Agreement (including these Data Processing Terms); and (c) providing additional information as may be made available by the applicable Services Partner(s) for such purposes.

5.   Data Transfers

5.1.   Data Storage and Processing Facilities.  Subject to the remainder of this Section 5 (Data Transfers), Adswerve may Process Customer Personal Data in any country in which Adswerve, its Services Partners, or any of its Subprocessors maintains facilities.

5.2.   Permitted Transfers.  The parties acknowledge that the European Data Protection Legislation does not require the SCCs or an Alternative Transfer Solution in order to Process Customer Personal Data in or transfer it to an Adequate Country (“Permitted Transfers”).

5.3.   Restricted Transfers.  If the Processing of Customer Personal Data involves transfers that are not Permitted Transfers, and the European Data Protection Legislation applies to those transfers (“Restricted Transfers”), then:

(a)   if Adswerve announces its adoption of an Alternative Transfer Solution for any Restricted Transfers, then Adswerve will ensure that they are made in accordance with that Alternative Transfer Solution; and/or

(b)   if Adswerve has not adopted an Alternative Transfer Solution for any Restricted Transfers, then: (i) the SCCs (EU Controller-to-Processor) and/or SCCs (EU Processor-to-Processor) will apply (according to whether Customer is a controller and/or processor) with respect to Restricted Transfers between Adswerve and Customer that are subject to the EU GDPR and/or the Swiss FDPA; and (ii) the SCCs (UK Controller-to-Processor) will apply (regardless of whether Customer is a controller and/or processor) with respect to Restricted Transfers between Adswerve and Customer that are subject to the UK GDPR.

5.4.   Supplementary Measures and Information.  Adswerve will provide Customer with information relevant to Restricted Transfers, including information about supplementary measures to protect Customer Personal Data, as described in Section 7.5.1 (Reviews of Security Documentation) of the Data Processing Terms and other materials made available by the relevant Services Partner for such purposes.

5.5.   Termination. If Customer concludes, based on its current or intended use of the Services, that the Alternative Transfer Solution and/or SCCs, as applicable, do not provide appropriate safeguards for Customer Personal Data, then Customer may immediately terminate the Agreement for convenience by notifying Adswerve in writing.

5.6.   No Modification of SCCs.  Nothing in the Agreement (including these Data Processing Terms) is intended to modify or contradict any SCCs or prejudice the fundamental rights or freedoms of data subjects under the European Data Protection Legislation.

5.7.   Legacy MCCs.  Customer agrees that, as of their effective date, the SCCs will supersede and terminate any Model Contract Clauses approved under Article 26(2) of Directive 95/46/EC and previously entered into by Customer and Adswerve (“Model Contract Clauses”).  This Section 12.3 (Legacy MCCs) will not affect either party’s rights, or any data subject’s rights, that may have accrued under the Model Contract Clauses whilst they were in force.

5.8.   Changes to SCCs.  Adswerve may change the SCCs in accordance with Section 13 (Modification) of the Data Processing Terms or to incorporate any new version of the SCCs that may be adopted under the European Data Protection Legislation, in each case in a manner that does not affect the validity of the SCCs under European Data Protection Legislation.

6.   Processing Records. Customer acknowledges that Adswerve and its relevant Services Partners may be required under European Data Protection Legislation to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Adswerve is acting and (if applicable) of such processor’s or controller’s local representative and data protection officer; and (b) make such information available to any Supervisory Authority. Accordingly, Customer will, where requested and as applicable to Customer, provide such information to Adswerve or the relevant Services Partner via the user interface of the Services or via such other means as may be provided by Adswerve, and will use such user interface or other means to ensure that all information provided is kept accurate and up-to-date.


Appendix 1 to Annex A: Subject Matter and Details of the Data Processing

1.   Subject Matter. Adswerve’s provision of the Services and any related technical support to Customer.

2.   Duration of the Processing. The Term plus the period from the end of the Term until deletion of all Customer Personal Data by Adswerve in accordance with the Data Processing Terms.

3.   Nature and Purpose of the Processing. Adswerve will Process (including, as applicable to the Services and the Instructions, collecting, recording, organizing, structuring, storing, altering, retrieving, using, disclosing, combining, erasing and destroying) Customer Personal Data for the purpose of providing the Services and any related technical support to Customer in accordance with these Data Processing Terms.

4.   Types of Personal Data. The categories of Customer Personal Data which Customer is authorized to provide to the Services under the Agreement, which may include: Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; precise location data; client identifiers; other categories which may be identified in an applicable Schedule.

5.   Categories of Data Subjects. Data subjects include the individuals about whom data is provided to Adswerve or a Services Partner via the Services by (or at the direction of) Customer or by Customer End Users. Depending on the nature of the Services, Customer Personal Data may concern the following categories of data subjects: (a) to whom online advertising has been, or will be, directed; (b) who have visited specific websites or applications in respect of which Adswerve provides the Services; and/or (c) who are customers or users of Customer’s products or services.


Annex B: CCPA Service Provider Addendum to Adswerve Data Processing Terms

1.   Definitions. For purposes of this Annex B, the terms “business”, “commercial purpose”, “sale”, and “service provider” have the meanings given in the CCPA and “Customer Personal Data” shall mean that portion of Customer Personal Data that constitutes “personal information” as such term is defined in the CCPA.

2.   Roles and Regulatory Compliance; Authorization

2.1.   CCPA Roles. Except as otherwise described in any Schedule applicable to the Services, with respect to Customer Personal Data, Adswerve is a service provider under the CCPA. To the extent that any Usage Data is considered Personal Data, Adswerve is the business with respect to such data and shall Process such data in accordance with its Privacy Policy, which can be found at https://adswerve.com/privacy-policy/.

2.2.   Customer Responsibility. Customer is solely liable for its compliance with the CCPA in its use of the Services.

2.3.   Business Purpose. The parties acknowledge and agree that the Processing of Customer Personal Data authorized by Customer’s instructions described in Section 5.1 (Customer’s Instructions) of the Data Processing Terms is integral to and encompassed by Adswerve’s provision of the Services and the direct business relationship between the parties.

3.   Restriction on Processing. Adswerve will not (a) sell Customer Personal Data; (b) retain, use or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing the Customer Personal Data for a commercial purpose other than providing the Services; or (c) retain, use or disclose the Customer Personal Data outside of the direct business relationship between Adswerve and Customer.


Annex C: LGPD Processor Addendum to the Adswerve Data Processing Terms

1.   Definitions. For purposes of this Annex C, “controller” means the “controlador” as such term is defined in the LGPD; “processor” means the “operador” as such term is defined in the LGPD; “Customer Personal Data” shall mean that portion of Customer Personal Data that constitutes personal data under the LGPD; and “Data Protection Authority” means the Autoridade Nacional de Proteção de Dados (ANPD) as defined in the LGPD.

2.   Roles and Regulatory Compliance; Authorization

2.1.   Processor and Controller Responsibilities. The parties acknowledge and agree that:

(a)   Adswerve is a processor of Customer Personal Data under the LGPD;

(b)   Customer is a controller or processor, as applicable, of Customer Personal Data under the LGPD; and

(c)   Each party will comply with the obligations applicable to it under the LGPD with respect to the Processing of Customer Personal Data.

To the extent that Usage Data constitutes Personal Data, Adswerve is the controller with respect to such data and shall Process such data in accordance with its Privacy Policy, which can be found at https://adswerve.com/privacy-policy/.

2.2.   Authorization by Third Party Controller. If Customer is a processor, Customer warrants to Adswerve that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of Adswerve and any relevant Services Partner as another processor, have been authorized by the relevant controller.

3.   Verifying Compliance. Customer agrees that Adswerve will assist Customer in verifying Adswerve’s compliance with (i) Customer’s instructions; (ii) its obligations under this Annex C; and (iii) the obligations applicable to it under the LGPD with respect to the Processing of Customer Personal Data, by: (a) making the Security Documentation available for review by Customer; (b) providing the information contained in the Data Processing Terms; and (c) providing additional information as may be available from the applicable Services Partner(s).

4.   Data Transfer. In the event that Customer transfers Customer Personal Data to Adswerve outside of Brazil in a manner that is restricted under the LGPD, the parties will reasonably cooperate to identify and implement a legal basis for any such transfer to the extent required by Data Protection Laws, including by entering into any standard contractual clauses approved for such transfers by the Data Protection Authority. Customer shall ensure that all Customer Personal Data has been collected, Processed, and transferred in accordance with the laws applicable to Customer as the exporter of Customer Personal Data.


Schedule I: Additional Data Processing Terms for Google Processor Services

This Schedule I (Additional Data Processing Terms for Google Processor Services) shall apply if Adswerve has agreed to provide any Google Processor Services (as defined below) to Customer under the Agreement. As used in this Schedule I, the “Services” shall mean only such Google Processor Services.

1.   Definitions. For purposes of this Schedule I, the following definitions apply:

“Additional Product” means a product, service or application provided by a Google Entity or a third party that: (i) is not part of the Google Processor Services; and (ii) is accessible for use within the user interface of the Google Processor Services or is otherwise integrated with the Google Processor Services.

“Data Subject Tool” means a tool (if any) made available by a Google Entity to data subjects that enables Google to respond directly and in a standardized manner to certain requests from data subjects in relation to Customer Personal Data (for example, online advertising settings or an opt-out browser plugin).

“Google” means the Google Entity that is party to the reseller agreement with Adswerve.

“Google Entity” means Google LLC (formerly known as Google Inc.), Google Ireland Limited or any other Affiliate of Google LLC.

“Google Processor Services” means any of the applicable services listed at privacy.google.com/businesses/adsservices (as amended from time to time by Google).

“ISO 27001 Certification” means a Google Entity’s ISO/IEC 27001:2013 certification or a comparable certification for the Google Processor Services.

2.   Additional Terms Regarding Data Deletion

2.1.   Deletion During Term

2.1.1.   Google Processor Services With Deletion Functionality. During the Term, if: (a) the functionality of the Google Processor Services includes the option for Customer to delete Customer Personal Data; (b) Customer uses the Google Processor Services to delete certain Customer Personal Data; and (c) the deleted Customer Personal Data cannot be recovered by Customer (for example, from the “trash”), then such Customer Personal Data will be deleted from Google’s systems as soon as reasonably practicable and within a maximum period of 180 days, unless applicable laws require storage.

2.1.2.   Google Processor Services Without Deletion Functionality.  During the Term, if the functionality of the Google Processor Services does not include the option for Customer to delete Customer Personal Data, then Adswerve will comply with, or will request that Google comply with: (a) any reasonable request from Customer to facilitate such deletion, insofar as this is possible taking into account the nature and functionality of the Google Processor Services and unless applicable laws require storage; and (b) the data retention practices described at google.com/technologies/ads.  Adswerve may charge a fee (based on Adswerve’s and Google’s reasonable costs) for any data deletion under this Section 2.1.2.  Adswerve will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such data deletion.

2.2.   Deletion on Term Expiry.  Customer instructs Adswerve, and Adswerve will instruct Google, to delete all remaining Customer Personal Data (including existing copies) from Google’s systems at the end of the Term in accordance with applicable law. This instruction will be carried out as soon as reasonably practicable and within a maximum period of 180 days, unless applicable laws require storage.

3.   Additional Terms Regarding Data Security. In relation to the Google Processor Services, the Security Measures shall include the measures described in Exhibit A to this Schedule I. In addition to any applicable audit rights set forth in the Data Processing Terms, Customer may also review the ISO 27001 Certification (which reflects the outcome of an audit conducted by a third party auditor), information about the locations of Google’s data centers (available at www.google.com/about/datacenters/locations/) and information about Google’s Subprocessors (available at privacy.google.com/businesses/subprocessors).

4.   Additional Terms Regarding the CCPA. Customer may enable certain in-product settings, configurations or other functionality for the Google Processor Services relating to restricted data Processing, as described in supporting documentation available at privacy.google.com/businesses/rdp, as updated from time to time (“Restricted Data Processing”). Notwithstanding the terms of Annex B to the Data Processing Terms and solely with respect to Customer Personal Information Processed while Restricted Data Processing is enabled, Adswerve will act as Customer’s service provider, and as such, will not retain, use or disclose Customer Personal Information, other than (a) for a business purpose under the CCPA on behalf of Customer and the specific purpose of performing the Google Processor Services, as further described in supporting documentation available at privacy.google.com/businesses/rdp, as updated from time to time, or as otherwise permitted under the CCPA or (b) as may otherwise be permitted for service providers or under a comparable exemption from “sale” in the CCPA, as reasonably determined by Adswerve.

5.   Additional Products. If Customer uses any Additional Product, the Google Processor Services may allow that Additional Product to access Customer Personal Data as required for the interoperation of the Additional Product with the Google Processor Services. For clarity, this Schedule I does not apply to the Processing of Personal Data in connection with the provision of any Additional Product used by Customer, including Personal Data transmitted to or from that Additional Product.

6.   Additional Terms Regarding Data Subject Rights.  If Google receives a request from a data subject in relation to Customer Personal Data, Adswerve hereby notifies Customer that Google will, and Customer acknowledges and agrees that Google will: (a) respond directly to the data subject’s request in accordance with the standard functionality of the Data Subject Tool (if the request is made via a Data Subject Tool); or (b) advise the data subject to submit their request to Customer, and Customer will be responsible for responding to such request (if the request is not made via a Data Subject Tool).


Exhibit A to Schedule I: Google Processor Services Security Measures

This Exhibit A sets forth additional security information regarding the Security Measures applicable to the Google Processor Services. The Security Measures may be updated or modified from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Google Processor Services.

1.   Data Center & Network Security

1.1.   Data Centers

(a)   Infrastructure. Google maintains geographically distributed data centers. Google stores all production data in physically secure data centers.

(b)   Redundancy. Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Google Processor Services are designed to allow Google to perform certain types of preventative and corrective maintenance without interruption. All environmental equipment and facilities have documented preventative maintenance procedures that detail the Process for and frequency of performance in accordance with the manufacturer’s or internal specifications. Preventative and corrective maintenance of the data center equipment is scheduled through a standard Process according to documented procedures.

(c)   Power. The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, and 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supply (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data center, at full capacity, for up to 10 minutes until the backup generator systems take over. The backup generators are capable of automatically starting up within seconds to provide enough emergency electrical power to run the data center at full capacity typically for a period of days.

(d)   Server Operating Systems. Google servers use hardened operating systems which are customized for the unique server needs of the business. Data is stored using proprietary algorithms to augment data security and redundancy. Google employs a code review Process to increase the security of the code used to provide the Google Processor Services and enhance the security products in production environments.

(e)   Business Continuity. Google replicates data over multiple systems to help to protect against accidental destruction or loss. Google has designed and regularly plans and tests its business continuity planning/disaster recovery programs.

(f)   Encryption Technologies. Google’s security policies mandate encryption at rest for all user data, including personal data. Data is often encrypted at multiple levels in Google’s production storage stack in data centres, including at the hardware level, without requiring any action by customers. Using multiple layers of encryption adds redundant data protection and allows Google to select the optimal approach based on application requirements. All personal data is encrypted at the storage level, generally using AES256. Google uses common cryptographic libraries which incorporate Google’s FIPS 140-2 validated module, to implement encryption consistently across the Processor Services.

1.2.   Networks & Transmission

(a)   Data Transmission. Data centers are typically connected via high-speed private links to provide secure and fast data transfer between data centers. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. Google transfers data via Internet standard protocols.

(b)   External Attack Surface. Google employs multiple layers of network devices and intrusion detection to protect its external attack surface. Google considers potential attack vectors and incorporates appropriate purpose-built technologies into external facing systems.

(c)   Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Google’s intrusion detection involves:

(i)   Tightly controlling the size and make-up of Google’s attack surface through preventative measures;

(ii)   Employing intelligent detection controls at data entry points; and

(iii)   Employing technologies that automatically remedy certain dangerous situations.

(d)   Incident Response. Google monitors a variety of communication channels for security incidents, and Google’s security personnel will react promptly to known incidents.

(e)   Encryption Technologies. Google makes HTTPS encryption (also referred to as SSL or TLS connection) available. Google servers support ephemeral elliptic curve Diffie Hellman cryptographic key exchange signed with RSA and ECDSA. These perfect forward secrecy (PFS) methods help protect traffic and minimize the impact of a compromised key, or a cryptographic breakthrough.

2.   Access and Site Controls

2.1.   Site Controls

(a)   On-site Data Center Security Operation. Google’s data centers maintain an on-site security operation responsible for all physical data center security functions 24 hours a day, 7 days a week. The on-site security operation personnel monitor Closed Circuit TV (“CCTV”) cameras and all alarm systems. On-site security operation personnel perform internal and external patrols of the data center regularly.

(b)   Data Center Access Procedures. Google maintains formal access procedures for allowing physical access to the data centers. The data centers are housed in facilities that require electronic card key access, with alarms that are linked to the on-site security operation. All entrants to the data center are required to identify themselves as well as show proof of identity to on-site security operations. Only authorized employees, contractors and visitors are allowed entry to the data centers. Only authorized employees and contractors are permitted to request electronic card key access to these facilities. Data center electronic card key access requests must be made in advance and in writing and require the approval of the requestor’s manager and the data center director. All other entrants requiring temporary data center access must: (i) obtain approval in advance from the data center managers for the specific data center and internal areas they wish to visit; (ii) sign in at on-site security operations; and (iii) reference an approved data center access record identifying the individual as approved.

(c)   On-site Data Center Security Devices. Google’s data centers employ an electronic card key and biometric access control system that is linked to a system alarm. The access control system monitors and records each individual’s electronic card key and when they access perimeter doors, shipping and receiving, and other critical areas. Unauthorized activity and failed access attempts are logged by the access control system and investigated, as appropriate. Authorized access throughout the business operations and data centers is restricted based on zones and the individual’s job responsibilities. The fire doors at the data centers are alarmed. CCTV cameras are in operation both inside and outside the data centers. The positioning of the cameras has been designed to cover strategic areas including, among others, the perimeter, doors to the data center building, and shipping/receiving. On-site security operations personnel manage the CCTV monitoring, recording and control equipment. Secure cables throughout the data centers connect the CCTV equipment. Cameras record on-site via digital video recorders 24 hours a day, 7 days a week. The surveillance records are retained for at least 7 days based on activity.

2.2.   Access Control

(a)   Infrastructure Security Personnel. Google has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Google’s infrastructure security personnel are responsible for the ongoing monitoring of Google’s security infrastructure, the review of the Google Processor Services, and responding to security incidents.

(b)   Access Control and Privilege Management. Customer’s administrators and users must authenticate themselves via a central authentication system or via a single sign on system in order to use the Google Processor Services.

(c)   Internal Data Access Processes and Policies – Access Policy. Google’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Google aims to design its systems to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during Processing, use and after recording. The systems are designed to detect any inappropriate access. Google employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. LDAP, Kerberos and a proprietary system utilizing SSH certificates are designed to provide Google with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. Google requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with Google’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g. login to workstations), password policies that follow at least industry standard practices are implemented. These standards include restrictions on password reuse and sufficient password strength.

3.   Data

3.1.   Data Storage, Isolation & Authentication. Google stores data in a multi-tenant environment on Google-owned servers. Data, the Google Processor Services database and file system architecture are replicated between multiple geographically dispersed data centers. Google logically isolates each customer’s data. A central authentication system is used across all Google Processor Services to increase uniform security of data.

3.2.   Decommissioned Disks and Disk Destruction Guidelines. Certain disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned (“Decommissioned Disk”). Every Decommissioned Disk is subject to a series of data destruction Processes (the “Data Destruction Guidelines”) before leaving Google’s premises either for reuse or destruction. Decommissioned Disks are erased in a multi-step Process and verified complete by at least two independent validators. The erase results are logged by the Decommissioned Disk’s serial number for tracking. Finally, the erased Decommissioned Disk is released to inventory for reuse and redeployment. If, due to hardware failure, the Decommissioned Disk cannot be erased, it is securely stored until it can be destroyed. Each facility is audited regularly to monitor compliance with the Data Destruction Guidelines.

3.3.   Pseudonymous Data. Online advertising data are commonly associated with online identifiers which on their own are considered ‘pseudonymous’ (i.e. they cannot be attributed to a specific individual without the use of additional information). Google has a robust set of policies and technical and organisational controls in place to ensure the separation between pseudonymous data and personally identifiable user information (i.e. information that could be used on its own to directly identify, contact, or precisely locate an individual), such as a user’s Google account data. Google policies only allow for information flows between pseudonymous and personally identifiable data in strictly limited circumstances.

3.4.   Launch reviews. Google conducts launch reviews for new products and features prior to launch. This includes a privacy review conducted by specially trained privacy engineers. In privacy reviews, privacy engineers ensure that all applicable Google policies and guidelines are followed, including but not limited to policies relating to pseudonymisation and data retention and deletion.

4.   Personnel Security

4.1.   Google personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Google conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

4.2.   Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Google’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling Customer Personal Data are required to complete additional requirements appropriate to their role. Google’s personnel will not Process Customer Personal Data without authorization.

5.   Subprocessor Security. Before onboarding Subprocessors, Google conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Google has assessed the risks presented by the Subprocessor then the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.


Schedule II: Additional Data Processing Terms for Google Cloud Platform

This Schedule II (Additional Data Processing Terms for Google Cloud Platform) shall apply if Adswerve has agreed to provide the Google Cloud Platform (as described at  https://cloud.google.com/terms/services) and related technical support to Customer under the Agreement.  As used in this Schedule II, the “Services” shall mean only such Google Cloud Platform and related technical services.

1.   Definitions

“Additional Security Controls” means security resources, features, functionality and/or controls that Customer may use at its option and/or as it determines, including the Admin Console, encryption, logging and monitoring, identity and access management, security scanning, and firewalls.

“Audited Services” means the then-current Services indicated as being in-scope for the relevant certification or report at https://cloud.google.com/security/compliance/services-in-scope. Google may not remove a Service from this URL unless that Service has been discontinued in accordance with the Agreement.

“Customer Data” has the meaning given in the Agreement or, if no such meaning is given, means data provided by or on behalf of Customer or Customer End Users via the Services under the Customer’s account.

“Customer End Users” has the meaning given in the Agreement or, if no such meaning is given, has the meaning given to “End Users” in the Agreement.

“Google” means the Google Entity that is party to the reseller agreement with Adswerve.

“Google Entity” means Google LLC (formerly known as Google Inc.), Google Ireland Limited or any other Affiliate of Google LLC.

2.   Additional Terms Regarding Data Deletion

2.1.   Deletion by Customer. Customer may delete Customer Data during the Term in a manner consistent with the functionality of the Services. If Customer uses the Services to delete any Customer Data during the Term and that Customer Data cannot be recovered by Customer, this use will constitute an Instruction to delete the relevant Customer Data from the Google Cloud Platform in accordance with applicable law. In most cases, this instruction will be carried out as soon as reasonably practicable and within a maximum period of 180 days, unless applicable law requires storage.

2.2.   Deletion on Termination. If Customer wishes to retain any Customer Data after the end of the Term, it may provide instructions via the Services (in a manner consistent with their functionality) to return that data during the Term. Customer instructs Adswerve, and Adswerve will instruct Google, to delete all remaining Customer Data (including existing copies) from Google’s systems at the end of the Term in accordance with applicable law. After a recovery period of up to 30 days from that date, Adswerve will ensure that Google complies with this Instruction as soon as reasonably practicable and within a maximum period of 180 days, unless applicable law requires storage.

3.   Additional Terms Regarding Data Security. In relation to the Google Cloud Platform, the Security Measures shall include any Additional Security Controls and the measures described in Exhibit A to this Schedule II. In addition to any applicable audit rights set forth in the Data Processing Terms, Customer may also (a) review information about the locations of Google facilities (available at https://cloud.google.com/about/locations/) (as may be updated by Google from time to time) and about Google’s Subprocessors, including their functions and locations (available at https://cloud.google.com/terms/subprocessors/) (as may be updated by Google from time to time); and (b) submit a written request to Adswerve to review Google’s (i) certificates for ISO 27001, ISO 27017 and ISO 27018, and its PCI DSS Attestation of Compliance (the “Compliance Certifications”) and (ii) SOC 2 and SOC 3 reports produced by Google’s Third Party Auditor and updated annually based on an audit performed at least once every 12 months (the “SOC Reports”). Customer shall provide all information requested by Adswerve or Google in connection with any such request and be responsible for any fee(s) charged by Google in connection with such request. Customer acknowledges and agrees that Google may add standards at any time and/or replace a Compliance Certification or SOC Report with an equivalent or enhanced alternative.

4.   Additional Terms Regarding Supplementary Measures. With respect to any Restricted Transfers, in addition to the information provided in Section 3 (Additional Terms Regarding Data Security), Customer may also review information about Additional Security Controls and other supplementary measures to protect Customer Personal Data in: (a) the documentation for the Google Cloud Platform, available at https://cloud.google.com/docs; and (b) the Google Cloud Trust and Security website, available at https://cloud.google.com/security.

5.   Additional Terms Regarding Data Storage and Processing Facilities. The location of Processing of Customer Personal Data shall also be subject to any data location commitments provided by Google.


Exhibit A to Schedule II: Google Cloud Platform Security Measures

This Exhibit A sets forth additional security information regarding the Security Measures applicable to the Google Cloud Platform. The Security Measures may be updated or modified from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Google Cloud Platform.

1.   Data Center and Network Security

1.1.   Data Centers

(a)   Infrastructure. Google maintains geographically distributed data centers. Google stores all production data in physically secure data centers.

(b)   Redundancy. Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Services are designed to allow Google to perform certain types of preventative and corrective maintenance without interruption. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer’s or internal specifications. Preventative and corrective maintenance of the data center equipment is scheduled through a standard change process according to documented procedures.

(c)   Power. The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supplies (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data center, at full capacity, for up to 10 minutes until the backup generator systems take over. The backup generators are capable of automatically starting up within seconds to provide enough emergency electrical power to run the data center at full capacity typically for a period of days.

(d)   Server Operating Systems. Google servers use a Linux based implementation customized for the application environment. Data is stored using proprietary algorithms to augment data security and redundancy. Google employs a code review process to increase the security of the code used to provide the Services and enhance the security products in production environments.

(e)   Business Continuity. Google has designed and regularly plans and tests its business continuity planning/disaster recovery programs.

1.2.   Networks and Transmission

(a)   Data Transmission. Data centers are typically connected via high-speed private links to provide secure and fast data transfer between data centers. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. Google transfers data via Internet standard protocols.

(b)   External Attack Surface. Google employs multiple layers of network devices and intrusion detection to protect its external attack surface. Google considers potential attack vectors and incorporates appropriate purpose built technologies into external facing systems.

(c)   Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Google’s intrusion detection involves:

(i)   tightly controlling the size and make-up of Google’s attack surface through preventative measures;

(ii)   employing intelligent detection controls at data entry points; and

(iii)   employing technologies that automatically remedy certain dangerous situations.

(d)   Incident Response. Google monitors a variety of communication channels for security incidents, and Google’s security personnel will react promptly to known incidents.

(e)   Encryption Technologies. Google makes HTTPS encryption (also referred to as SSL or TLS connection) available. Google servers support ephemeral elliptic curve Diffie-Hellman cryptographic key exchange signed with RSA and ECDSA. These perfect forward secrecy (PFS) methods help protect traffic and minimize the impact of a compromised key, or a cryptographic breakthrough.

2.   Access and Site Controls

2.1.   Site Controls

(a)   On-site Data Center Security Operation. Google’s data centers maintain an on-site security operation responsible for all physical data center security functions 24 hours a day, 7 days a week. The on-site security operation personnel monitor closed circuit TV (CCTV) cameras and all alarm systems. On-site security operation personnel perform internal and external patrols of the data center regularly.

(b)   Data Center Access Procedures. Google maintains formal access procedures for allowing physical access to the data centers. The data centers are housed in facilities that require electronic card key access, with alarms that are linked to the on-site security operation. All entrants to the data center are required to identify themselves as well as show proof of identity to on-site security operations. Only authorized employees, contractors and visitors are allowed entry to the data centers. Only authorized employees and contractors are permitted to request electronic card key access to these facilities. Data center electronic card key access requests must be made through e-mail, and require the approval of the requestor’s manager and the data center director. All other entrants requiring temporary data center access must: (i) obtain approval in advance from the data center managers for the specific data center and internal areas they wish to visit; (ii) sign in at on-site security operations; and (iii) reference an approved data center access record identifying the individual as approved.

(c)   On-site Data Center Security Devices. Google’s data centers employ an electronic card key and biometric access control system that is linked to a system alarm. The access control system monitors and records each individual’s electronic card key and when they access perimeter doors, shipping and receiving, and other critical areas. Unauthorized activity and failed access attempts are logged by the access control system and investigated, as appropriate. Authorized access throughout the business operations and data centers is restricted based on zones and the individual’s job responsibilities. The fire doors at the data centers are alarmed. CCTV cameras are in operation both inside and outside the data centers. The positioning of the cameras has been designed to cover strategic areas including, among others, the perimeter, doors to the data center building, and shipping/receiving. On-site security operations personnel manage the CCTV monitoring, recording and control equipment. Secure cables throughout the data centers connect the CCTV equipment. Cameras record on site via digital video recorders 24 hours a day, 7 days a week. The surveillance records are retained for up to 30 days based on activity.

2.2.   Access Control

(a)   Infrastructure Security Personnel. Google has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Google’s infrastructure security personnel are responsible for the ongoing monitoring of Google’s security infrastructure, the review of the Services, and responding to security incidents.

(b)   Access Control and Privilege Management. Customer’s administrators and Customer End Users must authenticate themselves via a central authentication system or via a single sign on system in order to use the Services.

(c)   Internal Data Access Processes and Policies – Access Policy. Google’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Google designs its systems to (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. Google employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. Google’s authentication and authorization systems utilize SSH certificates and security keys, and are designed to provide Google with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. Google requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with Google’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include restrictions on password reuse and sufficient password strength. For access to extremely sensitive information (e.g., credit card data), Google uses hardware tokens.

3.   Data

3.1.   Data Storage, Isolation and Logging. Google stores data in a multi-tenant environment on Google-owned servers. Subject to any Instructions to the contrary (e.g., in the form of a data location selection), Google replicates Customer Data between multiple geographically dispersed data centers. Google also logically isolates Customer Data. Customer will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the Services, will enable Customer to determine the product sharing settings applicable to Customer End Users for specific purposes. Customer may choose to use logging functionality that Google makes available via the Services.

3.2.   Decommissioned Disks and Disk Erase Policy. Disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned (“Decommissioned Disk”). Every Decommissioned Disk is subject to a series of data destruction processes (the “Disk Erase Policy”) before leaving Google’s premises either for reuse or destruction. Decommissioned Disks are erased in a multi-step process and verified complete by at least two independent validators. The erase results are logged by the Decommissioned Disk’s serial number for tracking. Finally, the erased Decommissioned Disk is released to inventory for reuse and redeployment. If, due to hardware failure, the Decommissioned Disk cannot be erased, it is securely stored until it can be destroyed. Each facility is audited regularly to monitor compliance with the Disk Erase Policy.

4.   Personnel Security. Google personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Google conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Google’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling Customer Data are required to complete additional requirements appropriate to their role (e.g., certifications). Google’s personnel will not process Customer Data without authorization.

5.   Subprocessor Security. Before onboarding Subprocessors, Google conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Google has assessed the risks presented by the Subprocessor, then subject to the requirements described in Section 9.3 (Requirements for Subprocessor Engagement) of the Data Processing Terms, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.

Adswerve Data Processing Terms, Version 21.2

08 October 2021

Previous Versions: