Adswerve Data Processing Terms
Adswerve, Inc. (“Adswerve”) and the counterparty agreeing to these terms (“Customer”) have entered into an agreement for the provision of certain services by Adswerve to Customer (as amended from time to time, the “Agreement”).
These Data Processing Terms (including its annexes, appendices, and schedules, “Data Processing Terms”) are entered into by Adswerve and Customer and supplement and form part of the Agreement. These Data Processing Terms will be effective and replace any previously applicable terms relating to their subject matter, from the Terms Effective Date (as defined below).
If you are accepting these Data Processing Terms on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to these Data Processing Terms; (b) you have read and understand these Data Processing Terms; and (c) you agree, on behalf of Customer, to these Data Processing Terms. If you do not have the legal authority to bind Customer, please do not accept these Data Processing Terms.
1. Introduction. These Data Processing Terms reflect the parties’ agreement on the terms governing the Processing and security of Customer Personal Data in connection with Data Protection Laws.
2. Definitions and Interpretation
2.1. As used in these Data Processing Terms, the terms below have the meanings set forth below. Capitalized terms used but not defined in these Data Processing Terms have the meaning given in the Agreement.
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
“Data Protection Laws” means with respect to a party, all privacy, data protection and information security-related laws and regulations applicable to such party’s Processing of Personal Data, including, where applicable, European Data Protection Legislation, U.S. State Privacy Laws, and/or the LGPD.
“Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
“Customer Personal Data” means Personal Data that is Processed by Adswerve on behalf of Customer in Adswerve’s provision of the Services. For purposes of these Data Processing Terms, Customer Personal Data does not include Personal Data of employees or representatives of Customer with whom Adswerve has a direct business relationship.
“Data Incident” means a breach of Adswerve’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Adswerve. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“EEA” means the European Economic Area.
“European Data Protection Legislation” means, as applicable, data protection or privacy laws in force in the EEA, Switzerland, and the United Kingdom, including, to the extent applicable: (a) Regulation (EU) 2016/679 (“EU GDPR”) and any national legislation implementing the EU GDPR; (b) the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, if in force, and applicable secondary legislation made under that Act (“UK GDPR”); and/or (c) as applicable, the Federal Data Protection Act of 19 June 1992 (Switzerland) (with the Ordinance to the Federal Data Protection Act of 14 June 1993), or the revised Federal Data Protection Act of 25 September 2020 (with the Ordinance to the Federal Data Protection Act of 31 August 2022) (“Swiss FDPA”).
“Instructions” has the meaning given in Section 5.2 (Customer’s Instructions).
“LGPD” means the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais).
“Notification Email Address” means the email address (if any) designated by Customer to receive certain notifications from Adswerve relating to these Data Processing Terms.
“Personal Data” means any information that constitutes “personal data,” “personal information,” “personally identifiable information” or similar information defined in and governed by Data Protection Laws.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Security Documentation” means any ISO/IEC 27001:2013 certification or any comparable certifications or audit reports made available by Adswerve and/or an applicable Services Partner in connection with the Services.
“Services” means the services that Adswerve has agreed to provide to Customer under the Agreement.
“Services Partner” means the third party identified in the Agreement which provides certain products, services, and/or support for resale by Adswerve to Customer as part of the Services.
“Subprocessors” means third parties authorized under these Data Processing Terms to Process Customer Personal Data on behalf of Customer.
“Term” means the period from the Terms Effective Date until the end of Adswerve’s provision of the Services under the Agreement.
“Terms Effective Date” means the date on which Customer clicked to accept or the parties otherwise agreed to these Data Processing Terms.
“U.S. State Privacy Laws” means, as applicable: (a) the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, together with all implementing regulations (“CCPA”); (b) Virginia’s Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq.; (c) the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq., together with all implementing regulations; (d) Connecticut’s Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015; (e) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.; and (f) any other applicable United States privacy laws or regulations which may be enacted during the Term.
“Usage Information” means (i) statistical data, trends and usage information collected by Adswerve regarding Customer’s or Customer’s end users’ or clients’ use of Services, technical logs, billings logs, and billing data, and (ii) support tickets, account data, and log-in information relating to Adswerve-branded platforms and services. Usage Information does not include Data (as defined in the Agreement) or any information specifically identifying Customer or Customer’s end users or clients.
2.2. The terms “controller,” “personal data,” and “processor” as used in these Data Processing Terms have the meanings given by either (a) Data Protection Laws; or (b) absent any such meaning or law, the GDPR.
2.3. The words “include” and “including” mean “including but not limited to”. Any examples in these Data Processing Terms are illustrative and not the sole examples of a particular concept.
2.4. Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
2.5. To the extent any translated version of these Data Processing Terms is inconsistent with the English version, the English version will govern.
3. Duration of these Data Processing Terms
These Data Processing Terms will take effect on the Terms Effective Date. Regardless of whether the Agreement has terminated or expired, these Data Processing Terms will remain in effect until, and automatically expire when, Adswerve deletes all Customer Personal Data as described in these Data Processing Terms.
4. Application of these Data Processing Terms
4.1. These Data Processing Terms apply to the Processing of Customer Personal Data under the Agreement, except that:
(a) Annex A (European Data Processing Terms) available at www.adswerve.com/europeanannex, will apply only to the extent that European Data Protection Legislation applies to Adswerve’s Processing of Customer Personal Data under the Agreement;
(b) Annex B (U.S. State Privacy Laws Addendum to the Adswerve Data Processing Terms), available at www.adswerve.com/usannex, will apply only to the extent that the U.S. State Privacy Laws apply to Adswerve’s Processing of Customer Personal Data under the Agreement;
(c) Schedule I (Additional Data Processing Terms for Google Marketing Platform Processor Services), available at www.adswerve.com/gmpprocessordpt, will apply to the services listed as “Processor Services” at business.safety.google/adsservices (as amended from time to time by Google) if Adswerve has agreed to provide such Google services to Customer under the Agreement;
(d) Schedule II (Data Processing Terms for Google Marketing Platform Controller Services) available at www.adswerve.com/gmpcontrollerdpt, will apply to the services listed as “Controller Services” at business.safety.google/adsservices (as amended from time to time by Google) if Adswerve has agreed to provide such Google services to Customer under the Agreement; and
(e) Schedule III (Additional Data Processing Terms for Google Cloud Platform), available at www.adswerve.com/gcpprocessingterms, will apply to the Google Cloud Platform and related technical support if Adswerve has agreed to provide the Google Cloud Platform to Customer under the Agreement.
5. Processing of Data
5.1. Roles and Regulatory Compliance; Authorization
5.1.1. Processor and Controller Responsibilities. The parties acknowledge and agree that:
(a) Appendix 1 describes the subject matter and details of the processing of Customer Personal Data;
(b) Adswerve is a processor of Customer Personal Data;
(c) Customer is a controller or processor, as applicable, of Customer Personal Data; and
(d) each party will comply with the obligations applicable to it under Data Protection Laws with respect to the Processing of Customer Personal Data.
5.1.2. Processor Customers. If Customer is a processor:
(a) Customer warrants on an ongoing basis that the relevant controller has authorised: (i) the Instructions, (ii) Customer’s appointment of Adswerve as another processor, and (iii) Adswerve’s engagement of Subprocessors as described in Section 9 (Subprocessors); and
(b) Customer will forward to the relevant controller promptly and without undue delay any notice provided by Adswerve under Sections 7.3.1 (Incident Notification) or 9.4 (Opportunity to Object to Subprocessor Changes).
5.2. Customer’s Instructions. By entering into these Data Processing Terms, Customer instructs Adswerve to Process Customer Personal Data only in accordance with applicable law: (a) to provide the Services and any related technical support; (b) as further specified via Customer’s use of the Services (including in the settings and other functionality of the Services, where available) and any related technical support; (c) as documented in the form of the Agreement (including these Data Processing Terms); and (d) as further documented in any other written instructions given by Customer and acknowledged by Adswerve as constituting instructions for purposes of these Data Processing Terms (collectively, the “Instructions”).
5.3. Adswerve’s Compliance with Instructions. Adswerve will comply with the Instructions unless prohibited by applicable law, or such applicable laws require other Processing.
6. Data Deletion
Except as otherwise set forth in a Schedule, following termination or expiration of the Agreement Adswerve will, at Customer’s option, delete or return all Customer Personal Data (including existing copies) from Adswerve’s systems in accordance with applicable law. Adswerve will comply with this instruction as soon as reasonably practicable, unless applicable laws require storage.
7. Data Security
7.1. Security Measures. Adswerve will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, including the measures described in any applicable Schedule (the “Security Measures”). Adswerve or the relevant Services Partner may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in a material reduction of the security of the Services.
7.2. Access and Compliance. Adswerve will: (a) authorize its employees, contractors, and Subprocessors to access Customer Personal Data only as necessary to comply with the Instructions; (b) take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance; and (c) ensure that all persons authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.3. Data Incidents.
7.3.1. Incident Notification. If Adswerve becomes aware of a Data Incident, Adswerve will: (a) notify Customer of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Personal Data.
7.3.2. Details of Data Incident. Notifications made under Section 7.3.1 (Incident Notification) will describe the nature of the Data Incident, including the Customer resources impacted; the measures Adswerve has taken or plans to take, to address the Data Incident and to mitigate its potential risk; the measures, if any, Adswerve recommends that Customer take to address the Data Incident; and details of a contact point where more information can be obtained. If it is not possible to provide all such information at the same time, Adswerve’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.
7.3.3. Delivery of Notification. Adswerve will deliver its notification of any Data Incident to the Notification Email Address or, at Adswerve’s discretion (including if Customer has not provided a Notification Email Address), by other direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for providing the Notification Email Address and ensuring that the Notification Email Address is current and valid.
7.3.4. Third Party Notifications. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Data Incident.
7.3.5. No Acknowledgement of Fault by Adswerve. Adswerve’s notification of or response to a Data Incident under this Section 7.3 (Data Incidents) will not be construed as an acknowledgement by Adswerve of any fault or liability with respect to the Data Incident.
7.4. Customer’s Security Responsibilities and Assessment.
7.4.1. Customer’s Security Responsibilities. Customer agrees that, without prejudice to Adswerve’s obligations under Sections 7.1 (Security Measures), 7.2 (Access and Compliance), and 7.3 (Data Incidents):
(a) Customer is responsible for its use of the Services, including (i) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data, (ii) securing the account authentication credentials, systems and devices Customer uses to access the Services, where applicable, and (iii) backing up its Customer Data and Customer Personal Data as appropriate; and
(b) Adswerve has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of Adswerve’s and its Subprocessors’ systems.
7.4.2. Customer’s Security Assessment. Customer acknowledges and agrees that the Services, the Security Measures, and Adswerve’s commitments under this Section 7 (Data Security): (a) meet Customer’s needs, including with respect to any security obligations of Customer under Data Protection Laws, as applicable, and (b) provide a level of security appropriate to the risk in respect of the Customer Personal Data or any Customer Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals.
7.5. Reviews and Audits of Compliance. To the extent Data Protection Laws include a right for Customer to review or audit Adswerve’s Processing of Customer Personal Data, Customer will exercise such review or audit right, and Adswerve will fulfill its corresponding obligations, as follows:
7.5.1. Reviews of Security Documentation. Adswerve shall make available to Customer relevant information regarding Adswerve’s Processing of Customer Personal Data under these Data Protection Terms in the form of the Security Documentation.
7.5.2. Customer’s Audit Rights.
(a) Not more than once per calendar year and at Customer’s expense, Customer may audit Adswerve’s compliance with its obligations under these Data Processing Terms by submitting reasonable requests for information, including security and audit questionnaires. Adswerve will provide written responses to the extent the requested information is necessary to confirm Adswerve’s compliance with these Data Protection Terms. However, if the requested information is addressed in any Security Documentation, Customer agrees to accept such Security Documentation in lieu of a written response. Any information provided by Adswerve under this Section 7.5.2 constitutes Adswerve’s Confidential Information under the Agreement.
(b) If required by Data Protection Laws, Adswerve will allow Customer or a third party auditor appointed by Customer to conduct audits (including inspections) to verify Adswerve’s compliance with its obligations under these Data Processing Terms in accordance with Section 7.5.3 (Additional Business Terms For Audits). During an audit, Adswerve will make available all information necessary to demonstrate such compliance and contribute to the audit as described in this Section 7.5 (Reviews and Audits of Compliance).
(c) If the SCCs (as defined in Annex A) apply under Annex A, Adswerve will allow Customer (or a third-party auditor appointed by Customer) to conduct audits as described in the SCCs and, during the audit, make available all information required by the SCCs, each in accordance with Section 7.5.3 (Additional Business Terms for Audits).
7.5.3. Additional Business Terms for Audits
(a) Customer will send any request for an audit under Section 7.5.2(b) or 7.5.2(c) to Adswerve as described in Section 11 (Contacting Adswerve) of the Data Processing Terms;
(b) Following receipt by Adswerve of such a request, Adswerve and Customer will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any audit under Section 7.5.2(b) or 7.5.2(c);
(c) Adswerve or any applicable Services Partner may charge a fee for any audit under Section 7.5.2(b) or 7.5.2(c). Adswerve will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any third party auditor appointed by Customer to execute any such audit;
(d) Adswerve or the relevant Services Partner may object to any third party auditor appointed by Customer to conduct any audit under this Section 7.5.2(b) or 7.5.2(c) if the auditor is, in Adswerve’s or the Services Partner’s reasonable opinion, not suitably qualified or independent, a competitor of Adswerve or the Services Partner or otherwise manifestly unsuitable. Any such objection will require Customer to appoint another auditor or conduct the audit itself; and
(e) Nothing in these Data Processing Terms will require Adswerve either to disclose to Customer or its third party auditor, or to allow Customer or its third party auditor to access: (i) any data of any other customer of Adswerve or a Services Partner; (ii) any internal accounting or financial information; (iii) any trade secret; (iv) any information that, in Adswerve’s or a Services Partner’s reasonable opinion, could: (A) compromise the security of any systems or premises; or (B) cause Adswerve or any Services Partner to breach its obligations under the European Data Protection Legislation or its security and/or privacy obligations to Customer or any third party; or (v) any information that Customer or its third party auditor seeks to access for any reason other than the good faith fulfilment of Customer’s obligations under the European Data Protection Legislation.
8. Data Subject Rights
8.1. Responses to Data Subject Requests. If Adswerve receives a request from a data subject in relation to Customer Personal Data, Adswerve will advise the data subject to submit his/her request to Customer, and Customer will be responsible for responding to such request.
8.2. Adswerve’s Data Subject Request Assistance. Subject to any applicable Schedule, upon Customer’s request, Adswerve will (taking into account the nature of the Processing of Customer Personal Data) reasonably assist Customer in fulfilling any obligation of Customer to respond to requests by data subjects to exercise their rights in respect of Customer Personal Data under Data Protection Laws in cases where Customer cannot reasonably fulfill such requests independently using the functionality of the Services, where available. Adswerve may charge Customer on a time and materials basis in the event that Adswerve considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
8.3. Rectification. If Customer becomes aware that any Customer Personal Data is inaccurate or outdated, Customer will be responsible for rectifying or deleting that data if required by Data Protection Laws, including (where available) by using the functionality of the Services.
9. Subprocessors
9.1. Consent to Subprocessor Engagement. In addition to any Subprocessors authorized under any applicable Schedule, Customer specifically authorizes the engagement as Subprocessors of those entities listed as of the Terms Effective Date at the URL specified in Section 9.2 (Subprocessor List). In addition, without prejudice to Section 9.4 (Opportunity to Object to Subprocessor Changes), Customer generally authorizes the engagement of any other third parties as Subprocessors (“New Subprocessors”).
9.2. Subprocessor List. Customer may view a list of Subprocessors utilized by Adswerve by visiting https://adswerve.com/subprocessors/ or such other website as Adswerve may designate.
9.3. Requirements for Subprocessor Engagement. When engaging any Subprocessor, Adswerve will: (a) enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in these Data Protection Terms; and (b) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.
9.4. Opportunity to Object to Subprocessor Changes. When any New Subprocessor is engaged during the Term, Adswerve will, at least ten (10) business days before the New Subprocessor Processes any Customer Personal Data, inform Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor list described in Section 9.2 and by either: (a) sending an email to the Notification Email Address; or (b) alerting Customer via the user interface or portal for the Services, where applicable. If, within five (5) business days after such notice, Customer notifies Adswerve in writing that Customer objects to Adswerve’s appointment of a New Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved. If the parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience.
10. Impact Assessments and Consultations
Adswerve will (taking into account the nature of the processing and the information available to Adswerve) assist Customer in ensuring compliance with Customer’s (or, where Customer is a processor, the relevant controller’s) obligations relating to data protection impact assessments and prior regulatory consultations under Data Protection Laws, by (a) providing the Security Documentation in accordance with Section 7.5.1 (Reviews of Security Documentation); (b) providing the information contained in the Agreement (including these Data Processing Terms); and (c) providing additional information as may be made available by the applicable Services Partner(s) for such purposes.
11. Contacting Adswerve
Customer may contact Adswerve in relation to the exercise of its rights under these Data Processing Terms by emailing firstname.lastname@example.org. If Adswerve receives a request or instruction from a third party purporting to be a controller of Customer Personal Data, Adswerve will advise the third party to contact Customer.
Regardless of anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Data Processing Terms will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (and therefore, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the Data Protection Laws). If there is no monetary or payment-based liability cap under the Agreement, then the total liability of either party towards the other party under or in connection with these Data Processing Terms will not exceed the total amount of fees paid to Adswerve (in the case of Adswerve’s liability) or payable (in the case of Customer’s liability) to Adswerve with respect to the Services during the 12 months before the date when the liability arose.
13. Effect of these Data Processing Terms
If there is any conflict or inconsistency between these Data Processing Terms and the remainder of the Agreement, then these Data Processing Terms shall govern. Except as expressly set forth in these Data Protection Terms, the Agreement remains unchanged and in full force and effect.
14.1. Changes to Data Processing Terms. Adswerve may change these Data Processing Terms if the change:
(a) is expressly permitted by these Data Processing Terms;
(b) reflects a change in the name or form of a legal entity;
(c) is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency, is required by a Services Partner, or reflects Adswerve’s adoption of an Alternative Transfer Solution (as defined in Annex A); or
(d) does not: (i) result in a degradation of the overall security of the Services; (ii) expand the scope of, or remove any restrictions on Adswerve’s Processing of Customer Personal Data, as described in Section 5.3 (Adswerve’s Compliance with Instructions); and (iii) otherwise have a material adverse impact on Customer’s rights under these Data Processing Terms, as reasonably determined by Adswerve.
14.2. Notification of Changes. If Adswerve intends to change these Data Processing Terms under Section 14.1(c) or (d), Adswerve will inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to the Notification Email Address; or (b) alerting Customer via the user interface or portal for the Services, where applicable. If Customer objects to any such change, Customer may immediately terminate the Agreement for convenience by giving written notice to Adswerve within 90 days of being informed by Adswerve of the change.
APPENDIX 1 TO ADSWERVE DATA PROCESSING TERMS: Subject Matter and Details of the Data Processing
1. Subject Matter. Adswerve’s provision of the Services and any related technical support to Customer.
2. Duration of the Processing. The Term plus the period from the end of the Term until deletion of all Customer Personal Data by Adswerve in accordance with the Data Processing Terms.
3. Nature and Purpose of the Processing. Adswerve will Process (including, as applicable to the Services and the Instructions, collecting, recording, organizing, structuring, storing, altering, retrieving, using, disclosing, combining, erasing and destroying) Customer Personal Data for the purpose of providing the Services and any related technical support to Customer in accordance with these Data Processing Terms.
4. Types of Personal Data. The categories of Customer Personal Data which Customer is authorized to provide to the Services under the Agreement or which Customer makes available to Adswerve as part of any consulting Services, such as online identifiers (including cookie identifiers, internet protocol addresses and device identifiers). With respect to the Google Marketing Platform, Customer Personal Data may include the types of personal data described at business.safety.google/adsservices.
5. Categories of Data Subjects. Data subjects include the individuals about whom data is provided to Adswerve or a Services Partner via the Services by (or at the direction of) Customer or by Customer End Users. Depending on the nature of the Services, Customer Personal Data may concern the following categories of data subjects: (a) to whom online advertising has been, or will be, directed; (b) who have visited specific websites or applications in respect of which Adswerve provides the Services; and/or (c) who are customers or users of Customer’s products or services.
Adswerve Data Processing Terms, Version 23.2
1 September 2023