- Home
- /
- Terms of Use
Terms of Use
Last Updated: November 21, 2024
Welcome To Azira
The General Terms and Conditions (collectively (“Terms”) are the terms and conditions for the Customer’s use of the Services (as defined below) and constitute a legally binding agreement between the corporate entity, LLP, corporation, LLC, partnership, sole proprietorship, or other business entity signing the Service Order (“Customer”) and (i) AZIRA, LLC, in case the Customer is registered in the territorial limits of North America; or (ii) AZIRA PTE. LTD., in case the Customer is registered outside of North America; and their affiliates (“Company”). These Terms and any fully executed Insertion Orders or Service Orders that refer to these Terms (“Service Orders”) collectively constitute the Parties shall be referred to as the “Agreement”. In the event of a conflict or ambiguity between these Terms and the applicable Service Order, the terms of the Service Order shall prevail. In the event of an inconsistency between the Agreement and the Data Processing Agreement (“DPA”), as outlined under Schedule I, the DPA shall prevail.
Company may modify these Terms. Company will notify Customer by making the revised version available on this page or an identified successor page, and an updated version date will indicate that changes have been made. If Customer does not accept the changes, Customer must stop using the Services. Customer’s continued use of the Services after Company publishes changes means that Customer consents to the updates. For the avoidance of doubt, changes to these Terms will not affect any fees agreed in a Service Order, for the duration of the then-current terms of the Service Order.
1. Definitions
- “Adequate Country” means a country or territory recognized as providing an adequate level of protection for Personal Data under an adequacy decision or regulations made, from time to time, by (as applicable) (i) the European Commission and/or (ii) the UK Secretary of State.
- “Allspark” means the Company’s identity, enrichment, audience curation, activation products which form Company’s marketing intelligence solution.
- “State Privacy Laws” means, as applicable, all US state privacy laws including but not limited to: (i) the CCPA; (ii) all US state Privacy Laws, which may include but shall not be limited to, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended, including by the California Privacy Rights Act, Cal. Civ. Code § 1798.99.90, the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52, the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq., the Utah Consumer Privacy Act, Utah Code 13-61-101 et seq., the Connecticut Act Concerning Personal Data Protection and Online Monitoring, Conn. PA 22-15 § 1 et seq.; Washington My Health My Data Act, Ch. 19.373 RCW et seq., Nevada Security and Privacy of Personal Information, Nev. Rev. Stat. § 603A et seq., N.Y. Gen. Bus. Law § 394-G, or any regulations or guidance issued pursuant thereto; and (iii) all other relevant U.S. state laws regarding the privacy of personal information as applicable to the Underlying Agreement.
- “Azira Platform” means the Company’s proprietary operational intelligence and marketing intelligence solutions through which the Services are provided.
- “CCPA” means the California Consumer Privacy Act of 2018, as it may be amended from time to time, and any further final implementing regulations.
- “Company Data” means any data (including reports) either derived from Azira Platform by the Customer or curated and provided to the Customer by the Company as part of the Services including but not limited to (i) aggregated dataset created and customized from the Azira Platform and based upon the Company’s analysis of the Customer Data; or (ii) Pseudonymised Data.
- “Compass” means the Company’s measurement product, and part of the Company’s marketing intelligence solution.
- “Customer Data” means any data provided by Customer in connection with the provision of Services, including any data received by or on behalf of Customer from websites, mobile sites, mobile applications, or other digital media owned and/or operated by Customer, its affiliates, customers or other partners, wherein reference to ‘Customer’ includes, without limitation, its Users, but excluding all Company Data.
- “Company Privacy Policy” means Company’s privacy policy available at: https://azira.com/privacy-policy/.
- “Data Protection Laws” means, applicable statutes, regulations, or other laws pertaining to information and security, including where applicable, the EU GDPR, the UK GDPR, the European e-Privacy Directive (Directive 2002/58/EC) and all national implementations (including but not limited to the Privacy and Electronic Communications (EC Directive) Regulations 2003), Applicable State Privacy Laws, and any other data protection and privacy laws applicable to any Personal Data processed under the Agreement, each as amended or replaced from time to time.
- “Data Subject Request” means a request from or on behalf of a Data Subject to exercise any rights in relation to their Personal Data under Data Protection Laws.
- “Derivative Data” shall mean all works and output created by the Customer through its usage of the Company Data and which does not contain any Company Data in its raw and unmodified form.
- “EEA” means the European Economic Area.
- “Engage” means the Company’s in-house demand side or activation platform (DSP), and part of the Company’s marketing intelligence solution.
- “Enrichment” means the Company’s service which appends Company Data to Customer Data.
- “Enquiry” means a complaint or request in relation to either party’s obligations under Data Protection Laws relevant to the Agreement, including but not limited to any compensation claim from a Data Subject or any notice, investigation or other action from a supervisory authority.
- “EU GDPR” means the EU’s Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation).
- “EU SCCs” means the standard contractual clauses for international transfers of personal data to third countries set out in the European Commission’s Decision 2021/914 of 4th June 2021 (at https://data.europa.eu/eli/dec_impl/2021/914/oj) incorporating Module One for controller to controller transfers.
- “Fees” shall mean all fees payable by the Customer for the provision of Services in accordance with these Terms, and as specified in the applicable Service Order.
- “Industry Standards” means any of the following to which Customer is subject from time to time: (i) the IAB Transparency and Consent Framework; and (ii) any applicable self-regulatory codes, rules or guidelines, including the rules, codes and guidelines of the European Interactive Digital Advertising Alliance, the Network Advertising Initiative.
- “Intellectual Property Rights” means patents, patentable rights, copyright, design rights, utility models, trademarks (whether or not any of the above are registered), trade names, rights in domain names, rights in inventions, rights in data, database rights, rights in know-how and trade secrets, and all other intellectual and industrial property and similar or analogous rights existing under the laws of any country and all pending applications for and right to apply for or register the same (present, future and contingent, and including all renewals, extensions, revivals and all accrued rights of action).
- “Marketing Material” means the creative, artwork, copy or active URLs of advertisement provided by the Customer to the Company or otherwise approved by the Customer for running it through the platform that interfaces with a publisher platform (i.e., mobile application on which Company has a right to serve advertisements including the Azira Platform) to enable the Company to serve advertisements (including by running Marketing Materials) on such publisher platform.
- “Permitted Purpose” has the meaning given to it in Section 4.1.
- “Personal Data” means any information processed in connection with the Services which relates to an identified or identifiable natural person or household (“Data Subject”); an “identifiable natural person” being one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Personal Data Breach” means a breach of security leading to the accidental or unauthorized destruction, loss, alteration, disclosure of, or access to, Personal Data processed in connection with the Agreement.
- “Pinnacle” means the Company’s operational intelligence solution.
- “Pseudonymised Data” means such pseudonymised data forming part of the Company Data, which includes identifiers (such as unique mobile advertising identifiers, cookie identifiers, location data such as latitude and longitude coordinates) such that the data no longer relates to an identified or identifiable household or living individual.
- “Restricted Transfer” means an EU Transfer and/or UK Transfer.
- “Sensitive Personal Data” means precise geolocation information (including, but not limited to, latitude, longitude, and timestamp) of an individual, device, or household (“Precise Geolocation Information”), Personal Information revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, financial information, sex life or sexual preferences, sex health, family planning, medical, reproductive or health information (including any such information protected under any health data protection laws), genetic or biometric data (for purposes of uniquely identifying an individual), Personal Information of children protected under any child protection laws (including Personal Information subject to the US Children’s Online Privacy Protection Act (“COPPA”)), criminal conviction or offense data, and any additional types of information included within this term or any similar term (such as “sensitive personal information” or “special categories of personal data”) as used in applicable Privacy Laws.
- “Services” means the Azira Platform, the Company Data shared with the Customer under a Service Order, the Company products provided to the Customer (e.g., Allspark, Compass, Advance, Engage, Identity and Enrichment and/or Pinnacle) and other solutions or products specified in a Service Order.
- “Term” shall mean the term of this Agreement as specified in the respective Service Order which will auto-renew for subsequent one year terms unless otherwise specified in the Service Order.
- “UK” means the United Kingdom.
- “UK Approved Addendum” means the template Addendum B.1.0 and the accompanying mandatory clauses as issued by the UK’s Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 of the UK on 2nd February 2022, and in force on 21st March 2022.
- “UK GDPR” means the EU GDPR as implemented into the law of the United Kingdom by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the Data Protection Act 2018.
- “User” means any individual who uses the Services on Customer’s behalf or through Customer’s login accounts or passwords, whether authorized or not.
- “controller“, “processor“, “process“, “processing“, “supervisory authority” and “Data Subject” shall have the meaning as set out in the Data Protection Laws.
2. Payment Terms
- Fees. Customer shall pay the Company all Fees as set out in the Service Order. The Customer agrees that all invoices will only be delivered electronically to Customer at the email address specified in the Service Order. All payments must be made free and clear of any set-off or credits within thirty (30) days of receipt of the applicable invoice in accordance with this Section 2.1. In the event of any dispute as to the amount of an invoice, the Customer shall pay the amount in full pending the resolution of any dispute and the Company shall make any adjustment due immediately upon such resolution. Late payments bear interest at the rate of 1.5% per month (or the highest rate permitted by law, if less). All amounts payable hereunder are exclusive of any sales, use, other taxes or duties or other deductions and withholdings, however designated, for which Customer is solely responsible. Any Fees that are unpaid as of the date of termination or expiration of the Agreement will be immediately due and payable.
- Fee Review. The Fees in respect of Service Orders with a Term longer than 12 (Twelve) months are subject to review and increase by the Company on every anniversary of the effective date of the Service Order, until the termination or expiry of the Agreement.
- Taxes. The Fees payable under the Service Order must be paid to the Company without deduction and are net of any applicable tax, tariff, duty, or assessment imposed by any governmental authority (national, state, provincial, or local), including without limitation any goods and services, sales, use, excise, ad valorem, property, withholding, or value-added tax withheld at the source. Customer will be solely responsible for paying all applicable taxes which may be levied or assessed in connection with the Services. If applicable law requires withholding or deduction of such taxes or duties, Customer will separately pay Company the withheld or deducted amount. However, this Section does not apply to taxes based on Company’s net income.
3. Intellectual Property Rights
- Ownership. Company and/or its licensors (as applicable) retain all right, title, and interest in and to the Company’s brands, trademarks and logos, in each of the Allspark, Compass, Engage, Identity and Enrichment, Pinnacle services and all other Services, including associated methods, processes, designs, analyses, materials and information used in connection with the Services, and all Intellectual Property Rights thereto. Except for the licenses described herein, nothing herein shall be construed to assign or transfer any Intellectual Property Rights of one party to the other. Customer shall (i) not remove notices and notations on Company Data that refer to copyrights, trademark rights, patent rights and other intellectual property rights, (ii) promptly bring to the attention of the Company any improper or wrongful use of any of the Company’s Intellectual Property Rights which comes to the Customer’s notice, and provide all assistance as may be reasonably requested by the Company in defending its Intellectual Property Rights. As between Company and Customer, Customer owns (or where applicable, must ensure it has a valid license to) the Customer Data and the Derivative Data.
- Feedback. All suggestions or contributions for improving or otherwise modifying any of Company’s products or services (“Feedback”) provided by Customer will be owned by Company, and Customer assigns all rights in such Feedback to the Company. Nothing in the Agreement will restrict Company’s right to use, profit from, disclose, publish, keep secret, or otherwise exploit the Feedback, without compensating or crediting Customer or the User in question. Notwithstanding anything to the contrary, Feedback will not be considered as Confidential Information.
- Trademarks. Customer authorizes the Company to use its trade name, trademark and logo for the purpose of listing Customer in its general list of customers. Additionally, Customer permits Company to bring out press releases, create case studies on anonymized basis and will be open to provide quotes from time to time solely for Company’s marketing purposes, provided Company obtains Customer’s prior written approval specific to such quotes, which approval shall not be unreasonably withheld or delayed. Company will comply with Customer’s guidelines regarding use of Customer’s trademarks.
4. Grant Of Licence And Scope Of Use
- Subject to full payment of the Fees and subject to the other provisions of this Agreement, the Customer is granted a limited, non-transferable, non-exclusive, revocable, and non-sublicensable licence, for the Term, to access and use the Services solely for the applicable permitted purpose set forth below (each a “Permitted Purpose”):4.1.1. Audience data, including AllsparkServices: where the Service Order specifies that device ID data (“MAID”) exports are not included, may only be used to target the Customer’s specific advertising campaigns for which the Company Data has been provided to the Customer and for analysing the efficacy of that specific advertising campaign in the marketing channel identified in the Service Order;
4.1.2. Measurement/conversion data, including CompassServices: may be used solely for analysing the efficacy of specific advertising campaigns;
4.1.3. Engage/AdvanceServices: may be used solely for planning, managing, optimizing and analyzing online advertising campaigns;
4.1.4. Identity & EnrichmentServices: may be used for (i) Customer’s non-commercial internal operational purposes; and (ii) analyses that Customer may provide to its third-party clients;
4.1.5. Foot traffic and insights data, including PinnacleServices: may be used for extraction of information from the Company Data solely for: (i) analyses that Customer may provide to its third-party clients; (ii) creating reports, statements or other work output by combining the Company Data with the Customer’s own or any third party data; (iii) drawing conclusions or making business decisions; and (iv) conducting market research; and
4.1.6. Any other usage explicitly set forth in a Service Order.
- Subject to full payment of the Fees and subject to the other provisions of this Agreement, the Customer is granted a limited, non-transferable, non-exclusive, revocable, and non-sublicensable licence, for the Term, to access and use the Company Data for the applicable Permitted Purpose and as set out in this Agreement. Except as prohibited elsewhere in this Agreement or by Privacy Laws or DPA, this license permits the Customer to:4.2.1. access, view, combine or aggregate the Company Data (wholly or in part) with other data or information or to adapt the Company Data (wholly or in part), and create Derivative Data;
4.2.2. store the Company Data on the Customer systems; and
4.2.3. make the Company Data accessible (including the provision of access through a database or other application populated with the Company Data, reselling, sub-licensing, transferring or disclosing the Company Data) by any means (including any electronic means) to third parties solely to the extent explicitly set out in the applicable Permitted Purpose,
provided that in no circumstance shall the Customer, share, resell, or permit or enable any third party to have access to any Company Data in its raw form (i.e., as-is).
- Customer must not retain or permit any third-party to retain any Company Data for longer than the period during which Customer has a legitimate need to retain the Company Data for the applicable Permitted Purposes.
- Upon the earlier of, the completion of the applicable Permitted Purposes or expiration/termination of the Agreement, the Customer must: (i) cease all processing or storage of such Company Data; (ii) securely delete and destroy such Company Data, including any associated backup copies, whether stored or maintained by the Customer or any of its service providers or partners (including its Partners, where relevant); (iii) certify in writing that the Customer has deleted/destroyed or otherwise expunged/purged such Company Data; (iv) update, delete, destroy, segregate, truncate, encrypt, mask, transfer, and/or provide to any third party designated by the Company any Company Data stored or maintained by the Customer, as per Company’s specific instructions.
- Customer is not authorized to use any Services beyond those specifically granted in this Agreement. Without limiting the foregoing, Customer will not:4.5.1. resell, sublicense or otherwise commercially exploit or make available to any third party, the Azira Platform, including using the Azira Platform for service bureau or time-sharing purposes;
4.5.2. share, publish, publicly display, or otherwise disclose or make available the Azira Platform to any third party;
4.5.3. store, combine, comingle, or otherwise use the Azira Platform, or any element thereof, to develop, enhance, or structure any database, or use the Services for purposes of segmenting, re-targeting, creating or supplementing user profiles or inventory profiles, interest categories, audience segmentations, or syndication;
4.5.4. copy, translate, decompile, reverse engineer or otherwise modify or make derivative works based upon any parts of the Services in order to build a competitive product or service;
4.5.5. use the Services and Company Data in an illegal or unethical manner;
4.5.6. create Internet ‘links’ to the Services or ‘frame’ or ‘mirror’ the Services on any other server or wireless or Internet-based device or interfere with or disrupt Company’s systems used to host the Services;
4.5.7. engage in web scraping or data scraping, including collection of information through any software that simulates human activity or any bot or web crawler; or
4.5.8. circumvent the user authentication/login provided to the Customer.
- Without limiting the foregoing Section 4.5, in all cases, Customer will not use the Services for any of the following purposes:i. employment eligibility,
ii. credit eligibility,
iii. health care eligibility,
iv. insurance eligibility, underwriting, or pricing,
v. for correlation or generating Personal Data,
vi. to market or sell to law enforcement agencies, or
vii. any unlawful or prohibited purposes.
- Where the Customer is using Allspark and Engage Services, if Customer uses any third-party advertisement serving or measurement platform on its behalf (“Partner”), the Partner will receive Pseudonymised Data. Customer agrees that it will not, and will procure that each Partner will not, share any Pseudonymised Data received from Company with third parties and that the Customer’s use of such Pseudonymised Data will be solely as permitted herein, and without limitation, the Customer will not use, transmit, combine, merge, sync, link, or analyse Pseudonymised Data with other Personal Data or make any other attempt to re-identify the individuals.
- Customer must use the Services in a manner that is consistent with Customer’s privacy policy and compliant with all applicable laws, regulations and self-regulatory guidelines (including but not limited to the NAI’s Self-Regulatory Principles).
- Subject to the terms of the Service Order, Customer may use each Service and access, store and otherwise process the Company Data for the applicable Permitted Purpose only, provided always that no more than the number of Users set out in the Service Order may access and use the Service and the Company Data for such Permitted Purpose. The Customer acknowledges and agrees that any use of any Service and/or Customer Data beyond applicable the Permitted Purposes will be considered a material breach of the Agreement.
- Company may without liability, terminate this Agreement upon notice to the Customer, or suspend Customer’s access to the Services without advance notice, if the Company, in its sole discretion, determines any breach of this Section 4. Company’s right to suspend the Services is in addition to other remedies that Company may have. Customer must notify Company immediately of any known or suspected unauthorized use of the Services or breach of its security and will use best efforts to stop the said breach.
- Customer grants Company and its affiliates free of charge, a non-exclusive, worldwide, royalty-free, irrevocable, perpetual license to use, copy, modify, transmit, sub-license, index, store, validate, integrate, aggregate, sort, analyse and display Customer Data: (i) to the extent necessary for the provision of Services as Company may determine (including creating derivative works from the Customer Data, developing, modifying, improving, supporting, customizing, optimising and operating the Services) or enforcing its rights under the Agreement; or (ii) where required or authorized by law. Customer represents and warrants that it has all rights to grant such license to Company without infringement or violation of any third-party rights.
- Company may use, copy, transmit, index, model, aggregate (including with other customers’ data) Customer Data for the purpose of (i) developing, improving or customizing the Services, and (ii) publishing, displaying and distributing any anonymous information (i.e., information where neither Customer nor its Users are capable of being identified) derived from Customer Data.
- In the event the Customer is granted a temporary, limited, non-exclusive, revocable, non-sublicensable, non-transferable license to access and use the Azira Platform and/or Company Data for the purpose of internal evaluation, such use is limited to an internal test environment and such license is provided on “as-is” basis without any representations and warranties from the Company. Unless Company has agreed otherwise in writing, the duration of the foregoing license is no more than 30 days. The Customer agrees and understands that it is not authorized to distribute, commercialize, or otherwise use in its production any part of the Company Data provided under this Section.
5. Confidentiality
- “Confidential Information” includes (but is not limited to) the following items that either party (“Disclosing Party”) discloses to the other party (“Receiving Party”): (i) any document that the Disclosing Party marks as ‘Confidential’; (ii) any information that the Disclosing Party orally designates as ‘Confidential’ at the time of disclosure, provided the Disclosing Party confirms such designation in writing within 15 (Fifteen) business days; (iii) the Company Data and Customer Data, whether or not marked or designated as confidential; and (iv) any other non-public, sensitive information that the Receiving Party should reasonably consider a trade secret or otherwise confidential. Notwithstanding the foregoing, Confidential Information does not include information that: (a) is lawfully in the Receiving Party’s possession at the time of disclosure in circumstances in which the Receiving Party is not prevented from disclosing it to others; (b) is independently developed by the Receiving Party without use of or reference to Confidential Information; (c) becomes known publicly, before or after disclosure, other than as a result of improper action or inaction; (d) has been disclosed to the Receiving Party by a third party who, to the Receiving Party’s knowledge, has the right to disclose such information without restriction; or (e) is approved for release in writing by the Disclosing Party. Customer is on notice that the Confidential Information may include Company’s valuable trade secrets. For the purpose of this Section 5, a reference to a “party” means such party and its affiliates.
- The Receiving Party will treat Confidential Information with the same care as it exercises in respect of its own information, which shall not be less than ‘reasonable care’ and disclose only on a need-to-know basis or as permitted under the Agreement. The Receiving Party will only use Confidential Information for the purposes of performing its obligations or as permitted under the Agreement. However, the Receiving Party may disclose Confidential Information: (i) if approved by the other party in writing; (ii) if required by law or regulation; (iii) in the event of dispute between the parties, as necessary to establish the rights of either party; or (iv) as necessary to provide the Services to the Customer. In the case of (ii) and (iii), the Receiving Party will, to the extent lawful to do so, provide reasonable advance notice to the Disclosing Party and provide reasonable assistance to limit the scope of the disclosure unless prohibited by law or regulation. The Receiving Party is responsible for ensuring that its representatives and affiliates fully comply with the obligations of the Receiving Party under this Section. Upon termination of the Agreement, Disclosing Party shall return all copies of Confidential Information to the Receiving Party or certify, in writing, the destruction thereof. Customer shall return all Confidential Information of the Company within 10 (Ten) days of termination or expiry of the Service Order.
- Notwithstanding the foregoing, Company Data and the terms and pricing in the Service Order are considered Confidential Information of the Company and Customer must use the same care and protection it affords to its own Confidential Information (but not less than reasonable care). Customer will be responsible for any breach of confidentiality by its employees, consultants, agents and representatives. Customer must keep the Company Data distinct and separate from all other data and information retained by the Customer. Customer agrees to maintain reasonable and appropriate technical and organizational measures to protect the Company Data from unauthorized access, misuse, or disclosure.
6. Warranties
- Company’s Warranties. Company represents and warrants that it has all rights needed to provide the Services and grant the licenses as set forth in this Agreement. Company’s representations and warranties in the preceding sentence do not apply to the extent any infringement arises out of any of the conditions listed in Subsections 7.2.(i) and 7.2.(ii) below. In the event of a breach of the warranty in this Section 6.1, Company shall, within a reasonable time period and at its own expense: (i) secure for Customer the right to continue using the Services; (ii) modify the Services to make them non-infringing, or provide a reasonable solution that is not materially detrimental to the Customer; or (iii) terminate the infringing features of the Services, and refund to Customer any prepaid Fees for such features, in proportion to the portion of the Term left after such termination, in which case Customer shall cease all use of the affected Services and erase any copies of Company Data in relation thereto. In conjunction with Customer’s right to terminate for breach, where applicable, the preceding sentence states Company’s sole obligation and liability, and Customer’s sole and exclusive remedy, for breach of the warranty in this Section 6.1 and for potential or actual intellectual property infringement by the Services.
- Customer’s Warranties. Customer represents and warrants that: (i) it has the full right and authority to enter into, execute, and perform its obligations under the Agreement; (ii) it is an entity authorized to do business pursuant to applicable law; (iii) it has the right, power and authority to provide Customer Data and Marketing Material to the Company as envisaged by this Agreement; (iv) the Customer Data and Marketing Material are complete, accurate, in the agreed format, and will not infringe or misappropriate the Intellectual Property Rights of any third party, breach any duty towards or rights of any third party, including rights of publicity or privacy; (v) the Marketing Materials are not false, deceptive, misleading, obscene, defamatory, illegal (including without limitation, in violation of applicable advertising laws and other applicable laws, rules and regulations), harmful, threatening, abusive, obscene, hateful, libellous, invasive of any individual’s privacy rights, unethical or racially or politically objectionable; (vi) the Marketing Materials will be in accordance with the then existing advertising guidelines of the Company; (vii) Customer shall accurately identify each User and shall not provide any inaccurate information about a User to Company; (viii) the performance of its obligations under these Terms will not cause Company to infringe the rights of any third party (including privacy rights of individuals); and (ix) it will comply with all laws, rules and regulations applicable to its use of the Services.
- IMPLIED WARRANTIES. THE CUSTOMER AGREES THAT IT IS SOLELY RESPONSIBLE FOR ITS SELECTION OF THE SERVICE AND FOR ALL USE IT MAKES OF THEM, AND ALL RELIANCE IT CHOOSES TO PLACE ON THE SERVICES AND ANY COMPANY DATA. EXCEPT FOR THE EXPRESS WARRANTIES IN THE AGREEMENT, CUSTOMER ACCEPTS THAT THE SERVICES ARE PROVIDED ON AN “AS-IS” AND AS AVAILABLE BASIS, WITH NO REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, ACCURACY, COMPLETENESS, CURRENCY, CORRECTNESS, RELIABILITY, INTEGRITY, USEFULNESS, QUALITY, NON-INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, ACCURACY OR ANY IMPLIED WARRANTY ARISING FROM STATUTE, COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE. CUSTOMER ACKNOWLEDGES THAT (I) NEITHER COMPANY, ITS AFFILIATES NOR ITS THIRD-PARTY PROVIDERS CONTROLS CUSTOMER EQUIPMENT OR THE TRANSFER OF DATA OVER COMMUNICATIONS FACILITIES (INCLUDING THE INTERNET); (II) THE SERVICES MAY BE SUBJECT TO LIMITATIONS, INTERRUPTIONS, DELAYS, CANCELLATIONS, AND OTHER PROBLEMS INHERENT IN THE USE OF THE COMMUNICATIONS FACILITIES; AND (III) IT IS FULLY RESPONSIBLE TO INSTALL APPROPRIATE SECURITY UPDATES AND PATCHES. COMPANY, ITS AFFILIATES, AND ITS THIRD-PARTY PROVIDERS ARE NOT RESPONSIBLE FOR ANY INTERRUPTIONS, DELAYS, CANCELLATIONS, DELIVERY FAILURES, DATA LOSS, CONTENT CORRUPTION, PACKET LOSS, OR OTHER DAMAGE RESULTING FROM THESE PROBLEMS. COMPANY IS NOT RESPONSIBLE FOR ANY COMPUTER VIRUSES, WORMS, SOFTWARE BOMBS, BUGS OR SIMILAR ITEMS THAT AFFECT THE CUSTOMER’S COMPUTERS, COMPUTER SYSTEMS, SOFTWARE, INFRASTRUCTURE OR DATA AS A RESULT OF THE CUSTOMER’S ACCESS TO OR USE OF SERVICES. THERE MAY BE PERIODS WHEN THE SERVICES ARE UNAVAILABLE AND CANNOT BE ACCESSED AND COMPANY ACCEPTS NO LIABILITY FOR ANY LOSS OR DAMAGE THAT CUSTOMER MAY SUFFER OR INCUR AS A RESULT OF SUCH UNAVAILABILITY AT ANY TIME.
- Company Data. Company Data is based upon data which is provided by third parties, the accuracy and/or completeness of which is not guaranteed by the Company. Services involve models and techniques based on aggregate statistical analysis, probability and predictive behaviour. Company is therefore not able to accept any liability for any inaccuracy, incompleteness or other error in the Services and any failure of Company Data to achieve any particular result for the Customer. While Company strives to provide reliable information, the Company Data may become stale and less dependable for a number of reasons, including, but not limited to, changes over time, market conditions and/or technological changes. Except where expressly provided in the Service Order, Company undertakes no obligation to update the Company Data and may discontinue offering Company Data. If Company provides support or updates for the Company Data under a Service Order, such updates shall be included in the definition of “Company Data” for purposes of the Agreement.
7. Indemnities
Customer’s Indemnities. Customer will indemnify, defend and hold Company, its parent, subsidiaries, affiliates, shareholders, licensors, customers, officers, and employees harmless, including costs, expenses and attorneys’ fees and other legal costs, from any and all losses, damages, penalties and/or fines liability imposed by judicial or regulatory authorities, claim or demand made by any third party due to or arising out of:
I. Company’s receipt, use or possession of Customer Data or Marketing Materials. Customer recognizes and agrees that hosting data online involves risks of unauthorized disclosure or exposure and that, in accessing and using the System, Customer assumes such risks;
ii. any violation of the Agreement by Customer including without limitation breach of representations and warranties and/or obligations related to confidentiality and Customer Data;
iii. breach of any applicable data privacy laws or regulations including but not limited to that (i) Customer will not use Company data or associate Covered Personal Information to sell, track, license, use, target or distribute any device data that is associated with or targeted towards any sensitive locations including: (1) medical facilities (e.g., family planning centers, general medical and surgical hospitals, offices of physicians, offices of mental health physicians and practitioners, residential mental health and substance abuse facilities, outpatient mental health and substance abuse centers, outpatient care centers, psychiatric and substance abuse hospitals, and specialty hospitals); (2) religious organizations; (3) correctional facilities; (4) labor union offices; (5) locations of entities held out to the public as predominantly providing education or childcare services to minors; (6) associations held out to the public as predominantly providing services based on racial or ethnic origin; (7) locations held out to the public as providing temporary shelter or social services to homeless, survivors of rape or domestic violence, refugees, or immigrants, (8) places held out to the public as involving engagement with explicit sexual content, material, or acts, (9) halfway houses, (10) credit repair, debt services, bankruptcy services, or payday lending institutions or (11) military bases nor will it; (i) associate location data from Company with (a) locations held out to the public as predominantly providing services to LGBTQ+ individuals such as service organizations, bars and nightlife, (b) locations of public gatherings of individuals during political or social demonstrations, marches and protests, or (ii) using such location data to determine the identity or the location of an individual’s home, i.e., the location of any individual’s private residences (e.g., single family homes, apartments, condominiums, townhomes);
iv. infringement of any third party intellectual property rights or other right of any person or entity by the Customer;
v. wilful misconduct or gross negligence by the Customer;
vi. fraudulent or unlawful act of the Customer;
vii. the Customer Data, Marketing Materials, or the Customer’s use of the Services not complying with all applicable laws, rules and regulations, or causing an infringement of any third party intellectual property rights or other right of any person or entity; and
viii. breaches of confidentiality.
Additionally, Customer will be responsible for the retention and payment of attorneys and court costs, as well as settlement and payment of judgments and its own cost and expense. Company will have the right, not to be exercised unreasonably, to reject any settlement or compromise that requires that it admit wrongdoing or liability or subjects it to any ongoing affirmative obligations. Customer must not settle or compromise any such claim, subject to an indemnity under this Section, without Company’s prior written consent. Customer acknowledges and agrees that it is responsible and liable for: (a) all of its Users’ use of the Services; and (b) any use of the Services through the Customer’s account, whether authorized or unauthorized.
- Company’s Indemnities. Company will defend, at its expense, any third-party claim, suit, or proceeding against Customer made during the Term to the extent such claim alleges that: (i) the Azira Platform directly infringes any third-party copyright, or trademark rights; or (ii) Company has misappropriated any third-party trade secrets (“Infringement Claim”). Company will pay any damages finally awarded by a court of competent jurisdiction (or settlement amounts agreed to in writing by Company). Company’s obligations set forth in this Section do not apply to the extent that the Infringement Claim arises out of: (a) Customer’s breach of the Agreement; or (b) modifications to the Services made without Company’s written consent; or (c) the Customer Data; or (d) third-party products, services, hardware, software, or other materials, or combination of these with the Services, if the Services would not be infringing without this combination. In the event of an Infringement Claim, Company may exercise the remedies in Sub-sections 6.1.(i) through 6.1.(iii) above, including without limitation its right therein to terminate the Service Order and require erasure of the Company Data. Company will have no liability for any Infringement Claim under this Section that arises from the Customer’s failure to: (1) notify Company in writing of the Infringement Claim promptly upon the earlier of learning of or receiving a notice of it, to the extent that Company is prejudiced by this failure; (2) provide Company with reasonable assistance requested by Company for the defense or settlement (as applicable) of the Infringement Claim; (3) provide Company with the exclusive right to control and the authority to settle the Infringement Claim; or (4) refrain from making admissions or statements about the Infringement Claim without Company’s prior written consent. The remedies in this Section are the Customer’s sole and exclusive remedy and Company’s sole liability regarding the subject matter giving rise to the Infringement Claim.
8. Limitation Of Liability
- Under no circumstances shall either party shall be liable for any (i) indirect, incidental, special, consequential or punitive damages (even if it has been advised of the possibility of such damages), arising from or related to the Agreement; (ii) loss of revenue or profits or lost business; (iii) loss of or damage to reputation or goodwill; (iv) loss of any software or data; or (v) use of the Services in a manner which is not consistent with terms of this Agreement, except for instances of willful misconduct or fraud.
- Company’s cumulative liability for all losses, claims, action, demands, and expenses arising out of or related to the Agreement in any 12 (Twelve) month period will not exceed the greater of (i) the Fees paid by the Customer to the Company, under the Service Order, during that 12 (Twelve) months period; or (ii) $20,000 (USD), notwithstanding the failure of essential purpose of any remedy.
- The liabilities limited by this Section 8 apply regardless of the form of action, whether in contract, tort, negligence, strict product liability, breach of statutory duty or otherwise, even if Company is advised in advance of the possibility of the damages in question and even if such damages were foreseeable; and Customer’s remedies fail their essential purpose. If applicable law limits the application of this Section 8, Company’s liability will be limited to the maximum extent permissible. For the avoidance of doubt, Company’s liability limits and other rights set forth in this Section 8 apply likewise to Company’s affiliates, licensors, suppliers, agents, directors, officers, employees, consultants, and other representatives.
- Nothing in this Agreement limits or excludes either party’s liability for anything which may not lawfully be excluded or limited.
9. Data Privacy
- The parties agree that both Company and Customer act as independent controllers when processing Personal Data. Customer will comply with applicable Data Protection Laws in respect of performance and/or exercise of rights under the Agreement and only process Personal Data in accordance with the Permitted Purposes. Customer shall notify Company no later than five (5) business days following any determination by Customer that it or its subcontractor(s) cannot meet its or their obligations under applicable Data Protection Laws.
- Each of Company and Customer shall notify each other of an individual within its organization authorized to respond from time to time to enquiries regarding Personal Data and each of Company and Customer shall deal with such enquiries within a reasonable time.
- Customer will not collect, transmit, process, store or make available any Sensitive Personal Data through its use of the Services. Customer will not transmit, disclose, or make available any Sensitive Personal Data to Company or its affiliates or third-party partners.
- Customer will ensure that, at all times in compliance with Data Protection Laws, it shall: (i) only input lawfully collected Personal Data into the Azira Platform; (ii) conspicuously display (and comply with) a privacy policy that complies with applicable Data Protection Law and discloses the Customer’s privacy practices in relation to the collection, use and sharing of Personal Data; (iii) ensure that such privacy policy provides sufficiently clear, meaningful and prominent notice to relevant Data Subjects; (iv) where required by applicable Data Protection Laws and/or Industry Standards (a) obtain valid consent from relevant Data Subjects to the processing of their Personal Data by Company and its affiliates for the purposes of the Services and/or (as appropriate) the use of cookies and other technologies used in connection with the Services to store or access information stored on data subjects’ devices (b) provide relevant Data Subjects with persistent and easy to use opt-out mechanisms for processing Personal Data and legally sufficient consumer choices (including, where applicable, to disallow interest-based advertising or further sale of Personal Data); and (v) in respect of Customer Data provided for Allspark and/or Enrichment, always obtain opt-in consent as per applicable Data Protection Laws, from the relevant Data Subjects whose Personal Data is provided to Company with consent prompts including information identifying (a) the purposes for which Personal Data can be used by Customer (including sharing such Personal Data with Company) (b) Company’s processing of such Personal Data for the provision of the Services (including data enrichment activity), which includes, but is not limited to, identifying the behaviour of such Data Subjects and profiling them based on their physical/digital world behaviour to create an enriched dataset from such Personal Data (“Enriched Data“) and sharing of such Enriched Data with Customer.
- Customer will, within five (5) days of Company’s request, provide Company with copies of screenshots of its proposed Data Subject consent flow, opt-out process and the privacy policy which relate(s) to the processing of Personal Data, and a brief written explanation of how it proposes to achieve required consents and transparency in accordance with applicable Data Protection Laws. The parties will discuss in good faith within a reasonable time any comments or concerns Company may have in this regard. If Company reasonably believes at any time that Customer’s notification or consent wording or mechanism, opt-out process, privacy policy or related documentation does not allow Company to process Personal Data and/or use cookies or other technologies in accordance with Industry Standards and Data Protection Laws, Company may notify Customer of its concerns and/or provide a reasonable alternative method. The parties will discuss subsequent amendments to this Agreement prompted by Data Protection Laws and/or Industry Standards in good faith.
- Each party may respond directly to Data Subject Requests addressed to it relating to its processing of Personal Data as a controller. At the request of a party receiving a Data Subject Request, the other party shall provide any cooperation reasonably requested to enable the other party’s compliance with such request.
- Customer will notify Company if it receives any Enquiry in relation to Personal Data in respect of which Company is responsible, in whole or in part, for the processing of such Personal Data under Data Protection Laws or relevant Industry Standards. Customer will provide Company with reasonable cooperation and assistance to allow Company to assess and respond to such Enquiry.
- Each party will implement appropriate physical, technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data in connection with the Services as set out in Annex 2, to Schedule I (DPA).
- If Customer becomes aware of any Personal Data Breach involving Personal Data processed in connection with the Services, it will promptly notify Company of the Personal Data Breach and, if requested, provide reasonable cooperation to Company to take measures to record, report and address the Personal Data Breach in accordance with Customer’s obligations under Data Protection Laws.
- In the event that another data transfer mechanism other than the EU SCCs and/or UK Approved Addendum (as applicable) is available in respect of any Restricted Transfer in accordance with Data Protection Laws, including any further alternative standard contractual clauses approved from time to time, the parties will, on the request of either party, work in good faith to determine if such data transfer mechanism is sufficient in respect of any or all Restricted Transfer(s) and, if the parties agree that it is sufficient, the parties will discuss subsequent amendments to this Agreement in good faith.
- Customer shall make available to Company such information in Customer’s possession or control as may be necessary to demonstrate compliance with its obligations relating to Personal Data under this Agreement or in order for Company to respond to an Enquiry. Company may require Customer to attest that it treats the Personal Data processed in the same manner that Company is obligated to treat such Personal Data under the applicable Data Protection Laws. Company may itself, or commission a third-party auditor to conduct, an audit of Customer’s data privacy practices. Audits will: (i) be on no less than fourteen days’ prior written notice to Customer; (ii) be conducted during normal business hours; (iii) not unreasonably interfere with Customer’s business activities; and (iv) not take place more than once in any year except when agreed between the parties.
- Customer agrees and acknowledges that the Company does not require any Personal Data, for the provision of Services. Customer will ensure that it reviews all Customer Data provided to Company and scrub any Personal Data from the same before providing it to the Company. In the event the Customer determines that disclosure of Personal Data is crucial, for the performance of Services, Customer will provide Company with a prior written notice of its intent to disclose Personal Data. Such data shall be disclosed upon Company’s written acceptance of such notice and subject to any documentation that the Company requires the Customer to execute, and the Customer must specify Company’s name in its privacy policy as one of the third-parties with whom Customer will be sharing Personal Data.
- Customer warrants that it will not use Company Data in combination with any third-party data (including other Personal Data) that may lead to identification or disclosure of the Data Subject(s)/individual(s).
- By using the Services, Customer acknowledges Company’s processing, use and disclosure of Customer Data in accordance with the Company’s Privacy Policy. The Company Privacy Policy applies only to the Azira Platform and does not apply to any third-party website or service linked to the Azira Platform or recommended or referred to through the Azira Platform.
10. Termination
- Termination by Company. Company reserves the right to terminate this Agreement by giving fifteen (15) days’ notice if the Customer (i) is in breach of this Agreement and which breach is not cured within fifteen (15) days of receipt of a written notice from the Company or if such breach is incapable of remedy; or (ii) has repeatedly or persistently breached any terms of this Agreement.
- Termination by Customer. Customer may terminate this Agreement, if the Company is in material breach of its obligations hereunder, which breach is not cured within fifteen (15) days of receipt of a written notice or which breach is incapable of remedy.
- Effect of Termination. Upon termination (for any reason) or expiry of the Service Order, (i) all payments due till the date of termination or expiry shall be immediately paid by Customer on or prior to the date of termination or expiry (as applicable); and (ii) all license rights granted herein shall terminate; and (iii) Customer shall cease all use of the Services and delete, destroy, or return all copies of the Company Data in its possession or control, and certify such deletion or destruction through an authorized officer of the Customer. Termination or expiration of the Service Order shall not affect any rights, obligations or liabilities, arising out of the Service Order, which have accrued before termination or expiry or which are intended to continue to have effect beyond termination or expiry.
- Survival. The termination or expiration of the Agreement will not affect any provisions of the Agreement which by their nature survive termination or expiration, including the provisions that deal with payment obligations, confidentiality, data security, term and termination, effect of termination, intellectual property rights, compliance, indemnities, limitation of liability, privacy, usage analytics and Section 12 (Miscellaneous).
11. Compliance Audit
- Customer will maintain accurate records of its use of the Services and all consents obtained from its Users throughout the Term. In the event (i) any third party authorised under applicable law asks Company for information or audits Company’s records in respect of Customer Data or Customer’s use of Company Data and all consents obtained from its Users (“Third Party Request”); or (ii) in an event Company deems it fit to conduct an audit for any reasons whatsoever, Customer will permit, the applicable third party, the Company or an independent external auditor approved by Company or such third party to inspect and audit Customer’s records pertaining to the scope of such Third Party Request. The audit rights provided herein shall be valid for the Term and a period of two (2) years thereafter.
- Such audits shall be conducted at Company’s sole expense. All audits conducted under this Section will be subject to the following requirements: (i) Company shall provide at least five (5) business days’ notice to Customer before such audit, unless applicable law requires otherwise; and (ii) any such inspection and audit shall be conducted during regular business hours of Customer in such a manner as to not interfere with normal business activities of Customer. Customer will, at its own expense, promptly correct any non-compliance detected by such audit, but not exceeding (a) Fifteen (15) days from the release of such audit results identifying such non-compliance; or (b) the period as may be required under applicable law, whichever is lower. If any audit under this Section reveals any material breach of the Agreement by Customer (including a material underpayment of Fees, as determined by the Company), the Customer will reimburse Company for the reasonable costs of the audit. If the audit reveals an underpayment by Customer, Customer will make payment to the Company within 10 (Ten) business days.
12. Miscellaneous
- Third Party Products. The Services may contain certain third-party products, services and/or data licensed to the Company (“Third-Party Products”). Such Third-Party Products may be available to the Customer in an embedded, integrated or linked form on the Services. The Agreement does not govern the use and access of such Third-Party Products and the same shall be governed by the terms and conditions specific to such Third-Party Products (“Third-Party Product Terms”). By way of using the Third-Party Products, or consenting to the Third-Party Product Terms, the Company will assume that the Customer has read, agreed, and accepted the Third-Party Product Terms. The Company will not be liable for the disputes arising out of or related to the Third-Party Product Terms or the breach of such Third-Party Product Terms by the third-party service providers.
- Insurance. Without prejudice to its obligations under these Terms, the Customer shall affect and maintain, commercial general liability insurance policy with a limit of $$5,000,000 (USD)), with a reputable insurance company. Upon receipt of a written request from Company, the Customer shall submit a certificate to confirm that Customer maintains the required insurance policy.
- Force Majeure. Except for the Customer’s payment obligations under the Service Order, neither party will be responsible for any failure or delay in its performance under these Terms due to causes beyond its reasonable control, including, but not limited to, labour disputes, strikes, lock-outs, internet or telecommunications failures, shortages of or inability to obtain labour, energy, or supplies, war, terrorism, riot, acts of God or governmental action, acts by hackers or other malicious third parties and problems with the Internet generally, and such performance shall be excused to the extent that it is prevented or delayed by reason of any of the foregoing.
- Assignment. Customer shall not have the right to assign, transfer, resell or sublicense Customer’s rights or obligations hereunder. Any attempt to assign, transfer, resell or sub-license such rights or obligations without Company’s prior written approval will be null and void.
- Governing Law and Jurisdiction. If the Customer is registered in North America, these Terms will be governed by the laws of the State of California. If the Customer is registered outside of North America, these Terms will be governed by and construed in accordance with the laws of Singapore. The Company and the Customer agree that any claims, legal proceedings, or litigation arising in connection with these Terms, will be brought solely in the courts of Pasadena, California or Singapore based on the jurisdiction where the Customer is registered. If any provision herein is held to be unenforceable, the remaining provisions will remain in full force and effect. All rights and remedies hereunder are cumulative.
- Injunctive Relief. Actual or threatened breach of the Agreement (such as, without limitation, provisions on intellectual property (including ownership), license, privacy, data protection and confidentiality) may cause immediate, irreparable harm that is difficult to calculate and cannot be remedied by the payment of damages alone. Either party will be entitled to seek preliminary and permanent injunctive relief and other equitable relief for any such breach.
- Notices. Any notice required to be delivered hereunder will be deemed delivered: (i) upon delivery, if delivered by courier or by hand (against receipt); or (ii) Three (3) days after posting, if sent by electronic mail, fax, or certified or registered mail, return receipt requested. All notices to the Company and the Customer will be sent to the addresses set forth in the Service Order or to such other address as a party may designate by written notice to the other.
- Entire Agreement; Severability; No Waiver; Conflicts; Independent Contractors. This is the entire agreement between the parties relating to this subject matter and supersedes all other commitments, negotiations and understandings. If one or more of the provisions contained in these Terms is found by a court of competent jurisdiction to be invalid, illegal or unenforceable in any respect, the validity, legality and enforceability of the remaining provisions will not be affected. The provisions will be revised only to the extent necessary to make them enforceable. The failure of either party to enforce its rights under the Agreement at any time for any period shall not be construed as a waiver of such rights. Nothing herein will constitute either party as the employer, employee, agent or representative of the other party, or both parties as joint venturers for any purpose. Except as provided herein, neither party will have the authority to obligate or bind the other in any manner.
SCHEDULE I
DATA PROCESSING AGREEMENT
1. DEFINITIONS
- “Covered Personal Information” means any Personal Information that Azira makes available to Customer pursuant to the Agreement.
- “Data Subject Request” means a request from or on behalf of a Data Subject to exercise any rights in relation to their Personal Information under Privacy Laws.
- “Inquiry” means a complaint or request in relation to either Party’s obligations under Privacy Laws relevant to the Agreement, including but not limited to any compensation claim from a Data Subject or any notice, investigation or other action from a supervisory authority.
- “IDTA” means the International Data Transfer Addendum to the Standard Contractual Clauses, issued by the Information Commissioner’s Office of the United Kingdom.
- “Personal Information” shall be interpreted consistent with the Privacy Laws, includes at a minimum “personal information” and “personal data” as those terms are defined in the State Privacy Laws, and shall include Sensitive Personal Data as defined herein.
- “Privacy Laws” means applicable statutes, regulations or other laws pertaining to privacy and information security, including, where applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”), United Kingdom General Data Protection Regulation applicable by virtue of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“UK GDPR”), and the State Privacy Laws.
- “Sensitive Personal Data” means what is defined in Section 1.29 of the Azira Terms.
- “Standard Contractual Clauses” means the standard contractual clauses annex to European Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Information to Third Countries (and any successor clauses).
- “State Privacy Laws” mean all US state Privacy Laws, as defined in the Definitions above.
- “Third Countries” mean countries which are not recognized by the applicable Privacy Laws as countries providing adequate protection of Personal Information.
2. TERMS OF DATA DISCLOSURE
- Permitted Purposes. Azira provides Covered Personal Information to Customer only for limited and specified purposes (“Permitted Purposes”) described in Annex 3 attached hereto, and Customer agrees to use the Covered Personal Information only for such limited and specified purposes.
- Prohibited Uses. Notwithstanding anything else in this DPA or the Agreement, Customer will not do any of the following: (i) associate Covered Personal Information with (a) locations held out to the public as predominantly providing services to LGBTQ+ individuals such as service organizations, bars and nightlife, (b) locations of public gatherings of individuals during political or social demonstrations, marches and protests, or (ii) use Covered Personal Information to (a) associate any individual with the foregoing locations or (b) determine the identity or the location of an individual’s home, i.e., the location of any individual’s private residences (e.g., single family homes, apartments, condominiums, townhomes) (all of the foregoing, “Prohibited Uses”).
- The Parties acknowledge and agree that:2.3.1. Customer complies with the applicable Privacy Laws, and agrees to provide the level of privacy protection required by the applicable Privacy Laws with respect to the Covered Personal Information;2.3.2. Azira has the right to take reasonable and appropriate steps to help ensure that Customer uses the Covered Personal Information in a manner consistent with the requirements of the applicable Privacy Laws, this DPA, and the Agreement, including through an attestation signed by Customer, manual reviews, automated scans, regular assessments, audits, or technical or operational testing. Customer will reasonably and promptly cooperate to enable Azira to assess and document Company’s compliance with the Permitted Purposes and Prohibited Uses described in this DPA. Azira may terminate this Agreement upon written notice if Customer fails to cooperate or if Azira determines that Company has engaged in any use of the Covered Personal Information outside the Permitted Uses or that is a Prohibited Use;
2.3.3. Customer will notify Azira without undue delay if it makes a determination that it can no longer meet its obligations under the applicable Privacy Laws, this DPA, or the Agreement, and Azira has the right, upon 10 (Ten) days’ notice to Customer, to take reasonable and appropriate steps to stop and remediate unauthorized use of Covered Personal Information, including requiring Customer to delete the Covered Personal Information on legitimate data protection grounds; and
2.3.4. Customer shall cooperate with any reasonable request from Azira with respect to a Data Subject Request or Inquiry related to data protection. Customer will notify Azira if it receives any Inquiry in relation to Personal Information received from Azira, in whole or in part, and will provide Azira with reasonable cooperation and assistance to allow Azira to assess and respond to such Inquiry.
- Restrictions on Selling or Sharing. If the Agreement permits Customer to sell, share, or disclose the Covered Personal Information to any third party, Customer shall (i) prohibit such third party from engaging in Prohibited Uses; (ii) restrict such third party to use the Covered Personal Information for Permitted Purposes; and (iii) remain directly responsible to Azira for such third party compliance with these restrictions. Without limiting the foregoing, Customer will not sell or share the Covered Personal Information unless Customer provides explicit notice to the end consumer and provides the end consumer an opportunity to exercise the right to opt-out.
- Opt-out Preferences. Where required by the applicable Privacy Laws, Customer shall comply with an end consumer’s opt-out preferences forwarded to Customer by Azira.
- Customer acknowledges and agrees that:2.6.1. Customer, its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to the Covered Personal Information, and Customer is liable for any breach of confidentiality by its employees, agents, sub-contractors or sub-processors;2.6.2. Customer shall implement and maintain reasonable technical and organizational security measures, policies, and procedures, including physical access control, backup, and encryption to protect the Covered Personal Information. Such security measures will, at all times, be appropriate to the nature of the Covered Personal Information;
2.6.3. Customer shall implement appropriate access controls restricting access to Covered Personal Information to only such employees, agents, subcontractors, and sub-processors as need to know the information in order to perform the Permitted Purposes and in accordance with the Agreement;
2.6.4. Customer will, as part of its incident management policies and procedures and to the extent permitted by law, promptly notify Azira without unreasonable delay of any actual or reasonably suspected incident that introduces a material risk to Customer’s processing of Covered Personal Information; and
2.6.5. Customer will inform Azira within 24 (Twenty-Four) hours of Customer’s knowledge of any unauthorized access, destruction, use, modification, or disclosure (each, a “Security Incident”) of any Covered Personal Information (to include, without limitation, any personal data breach as defined by applicable law). Customer will provide Azira with any information and cooperation reasonably requested by Azira regarding such Security Incident. Customer shall not provide notice of such Security Incident to any third party without the prior written consent of Azira unless required by applicable law. If requested, Customer shall provide reasonable cooperation to Azira to take measures to record, report and address the Security Incident in accordance with Azira’s obligations under Privacy Laws.
- Changes to Privacy Laws. The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable Privacy Laws.
3. CROSS-BORDER DATA TRANSFERS
- Transfer Mechanism. With regard to any transfers of Covered Personal Information to countries that do not provide adequate protection for such data (as determined by the applicable Privacy Laws), the Parties hereby enter into applicable instruments in support of such transfer. If Covered Personal Information is transferred to Third Countries from a member state of the European Economic Area, Switzerland, or the United Kingdom, this DPA incorporates the Standard Contractual Clauses and, in the case of the United Kingdom, the IDTA.
- Alternative Data Transfer Authority. The Parties acknowledge that the laws, rules and regulations relating to international data transfers are rapidly evolving. In the event that Azira adopts another mechanism authorized by applicable laws, rules or regulations to transfer Covered Personal Information (each an “Alternative Data Transfer Authority”), Azira may provide Customer with written notice describing that Alternative Data Transfer Authority and, and upon Customer’s approval, the Parties agree that the mechanism described in Section 3.1, as the case may be, shall no longer apply to any Personal Information that Azira elects to receive or process under that Alternative Data Transfer Authority, and such Alternative Data Transfer Authority shall thereafter apply. The Parties agree to work together in good faith to implement any amendments to this DPA necessary to implement the Alternative Data Transfer Authority.
4. TERMS OF STANDARD CONTRACTUAL CLAUSES
- Customer as Controller. If the Parties agree to the Standard Contractual Clauses and Customer is a Controller:4.1.1. For transfers from the European Economic Area, United Kingdom, or Switzerland, the Standard Contractual Clauses, Module I, is hereby incorporated by reference when available as a valid transfer mechanism under applicable law. Azira and Customer further agree to the following provisions with respect to the Standard Contractual Clausesi. Applicable Module: Module One (controller to controller) applies to transfers from Customer to Azira where Azira acts as a Controller. Customer is the data exporter and Azira is the data importer.
ii. Conflicts: In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
iii. Specific Provisions: The following specific provisions apply to the Standard Contractual Clauses:
- Module One will apply.
- In Clause 7, the Parties do not permit docking.
- In Clause 11, the Parties do not select the independent dispute resolution option.
- In Clause 18(b), the Parties agree that the jurisdiction is the member state in which Controller is established, or if the Controller is not established in a member state, the Republic of Ireland.
- Annex I: with the information set out in Annex 1 to this DPA.
- Annex II: with the information set out in Annex 2 to this DPA.
4.1.2. For transfers from the United Kingdom, the IDTA (including all Part 2 Mandatory Clauses) is also incorporated by reference as an addendum to the Standard Contractual Clauses, when the IDTA is available as a valid transfer mechanism under applicable law. Azira and Customer further agree to the following provisions with respect to the IDTA
i. Specific Provisions: The following specific provisions apply to the IDTA:
- Table 1 (Parties): The contents of Table 1 (Parties) shall be completed with the details provided in Annex 1.
- Table 2 (Selected SCCs, Modules, and Selected Clauses):1. Module One will apply.2. In Clause 7, the Parties do not permit docking.
3. In Clause 11, the Parties do not select the independent dispute resolution option.
- Table 3 (Appendix Information): The list of Parties is provided in Annex 1.A. and the description of the transfer is provided in Annex 1.B, attached to this DPA. The technical and organizational measures including technical and organizational measures to ensure the security of the data are provided in Annex 2, attached to this DPA.
- Table 4 (Ending this DPA when the Approved Addendum Changes): The Parties agree that Importer or Exporter may end the DPA as set out in Section 19 of the IDTA.
ii. Conflicts: In the event of any conflict or inconsistency between this DPA and the IDTA, the IDTA shall prevail.
DATA PROCESSING ANNEXES
ANNEX 1
A. List of Parties
Name of Data Exporter Azira LLC or Azira Pte. Ltd. (if applicable) or as set out in the Agreement Address As set out in the Agreement. Contact Person’s Name, Position, and Contact Details As set out in the Agreement. Activities relevant to the data transferred under these Clauses: As set out in the Agreement. Signature and Date Signed and dated through execution of the DPA. Role Controller Name of Data Importer As set out in the Agreement. Address As set out in the Agreement. Contact Person’s Name, Position, and Contact Details As set out in the Agreement. Activities relevant to the data transferred under these Clauses: As set out in the Agreement. Signature and Date Signed and dated through execution of the DPA. Role Controller B. Description of Transfer
Categories of Data Subjects whose personal data is transferred Individuals who use mobile or electronic devices Categories of personal data that will be transferred Device ID (IFDA or AAID (MAIDs)), hashed email address, home address, timestamp, latitude-longitude, IP address, country code, users agent string (mobile device information derived from UA string: device type, manufacturer, model, screen size, browser and version), ISP/Carrier, GPS source, App ID, App Name, Publisher ID, Publisher Name, Postal Code, OS, OS Version, Ad Height/Width, IAB Category, Keywords, GDPR Device (whether the device is in the EEA), Gender, Year of Birth, audience codes, HTTP referrer, HTTP cookies, language preference, census data. Sensitive Personal Data transferred and applicable restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. N/A Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). As set out in the Agreement. Nature of the processing The collection, analysis, storage, duplication, deletion and disclosure as necessary in the provision of the services under the Agreement. Purpose of the data transfer and further processing. The provision of the services under the Agreement and Company’s use of such Personal Data for the provision of its own services to its customers. Retention Criteria For the duration of the Agreement or until the processing is otherwise no longer necessary for the purposes for which it was shared between the Parties. Sub-processor transfers N/A Competent Supervisory Authority EEA Data Subjects: Republic of Ireland
UK Data Subjects: United Kingdom
ANNEX 2: TECHNICAL & ORGANIZATIONAL MEASURES
Technical and Organisational Measures including Technical and Organisational Measures to ensure the Security of the Data
A. Information Security; Information Security Policies and Standards.
Azira shall maintain a corporate Information Security function that is responsible for managing its information security program. The Information Security function shall be responsible for:
1. Performing periodic onsite security risk assessments of Azira’s information processing facilities, systems, and applications.
2. Advising Azira’s executive management team about Azira’s information security program, potential risks, and mitigation plans.
3. Promulgating and maintaining reasonable and appropriate information security policies, procedures and standards that are designed to adequately provide for the confidentiality, integrity and availability of information including Personal Information processed by Azira.
4. Periodically reviewing and updating Azira’s information security policies, procedures and standards to address new and emerging threats and changes to legal requirements and industry standards.
5. Providing management direction and support for information security in accordance with business requirements and relevant laws and regulations.
B. Personnel Security.
1. Azira shall take steps to educate and inform its employees, contractors, and other third-party users of its network, systems and applications about (i) information security threats and concerns; (ii) the requirements of the information security program; and (iii) their responsibilities and obligations with respect to the processing of Personal Information.
2. Unless Azira uses Azira-provided computing equipment, application and network access to provide the Services, Azira shall equip its employees with systems and applications and with appropriate tools and equipment that support the implementation of the information security program requirements in the course of their normal work.
3. Azira shall maintain procedures to terminate access to Personal Information when employees or contractors exit the organization or change roles.
C. Asset management.
Azira shall maintain reasonable and appropriate controls that are designed to protect organizational assets that process data.
D. Physical and environmental security.
Azira shall take reasonable and appropriate steps designed to prevent unauthorized physical access and damage to and interference with its premises, and the loss, damage, theft or compromise of assets and interruption to its activities related to the processing of Personal Information.
E. Communications and operations management.
1. Azira shall implement processes designed to provide for the correct and secure operation of information processing facilities, including by use of appropriate firewall and encryption technologies; and, as far as possible, the logging and monitoring of all data transmissions.
2. Azira shall implement and maintain appropriate levels of information security and service delivery designed to facilitate compliance with relevant agreements.
F. System Planning and Acceptance.
Azira shall maintain processes and procedures designed to minimize the risk of systems failures and maintain appropriate backup facilities as a control to support the integrity and availability of information and information processing facilities.
G. Network security management.
1. Azira employs reasonable and appropriate controls to protect both the Personal Information in its networks, and the supporting network infrastructure.
2. Azira shall maintain protections (including anti-virus software) against malicious and mobile code.
H. Media handling.
Azira shall maintain appropriate processes and procedures designed to prevent unauthorized disclosures, modifications, removals or destruction of assets, and interruptions to business activities. When media are to be disposed of or reused, procedures have been implemented to prevent any subsequent retrieval of the information stored on them before they are withdrawn from the inventory.
I. Access Controls.
1. Azira shall maintain appropriate access control procedures to prevent unauthorized access to, or theft or loss of Personal Information from information systems, including networks, applications, and operating systems.
2. Azira shall implement access controls for networks, systems, and applications based on a “least privilege” basis.
3. Azira shall implement procedures to limit the ability to grant, modify or revoke user access to an information system to a limited set of authorized privileged users.
J. Information systems acquisition, development and maintenance.
Azira shall incorporate privacy and information security as an integral part of information systems acquisition development and maintenance, and shall develop appropriate policies, processes and procedures to prevent the erroneous processing of Personal Information and the loss, unauthorized modification or misuse of such data in applications.
K. Cryptographic Controls.
Azira shall implement suitable measures to prevent Personal Information from being read, copied, altered or deleted by unauthorized parties during its transmission or during the transport of the data media. Specifically, where it is feasible to do so, Azira shall protect the confidentiality, authenticity or integrity of Personal Information at rest and in transit by use of cryptographic means.
L. Technical Vulnerability Management.
Azira has bug-bounty and vulnerability management programs which reduces risks resulting from exploitation of technical vulnerabilities. Further, Azira maintains an independent platform accessible to all that facilitates safe disclosures.
M. Data Incident Management.
Azira shall maintain a consistent and effective approach to the management of Security Incidents, and shall take timely corrective action to address such incidents.
N. Business Continuity Management.
Azira shall take appropriate measures designed to counteract interruptions to business activities and protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
O. Information Systems Audit Considerations.
Azira shall conduct periodic audits of systems and processes involved in the processing of Personal Information.
ANNEX 3
MANDATORY DISCLOSURES
Limited and specified purposes for the sale or disclosure of Covered Personal Information The limited and specified purposes for the sale or disclosure of Covered Personal Information are as explicitly set forth in Section 4 of the Terms and each Service Order.