Amobee Master Service Terms

Schedule E – General Data Protection Regulation

Last Updated: June 13, 2018

Scope

  1. This Schedule E applies to the Processing of Personal Data if (a) Client or Amobee is established in the European Union or (b) neither Client nor Amobee are established in the European Union but the Agreement covers the Processing of Personal Data of Data Subjects who are in the European Union.
  2. In the event of conflict between this Schedule E and the remainder of the Agreement, this Schedule E will control.

Definitions

  1. In addition to terms defined in the Pricing Sheet or the General Terms, the following definitions apply to this Schedule E.
  2. Additional Instructions” means further instructions from Client to Amobee which are reasonable but beyond the scope of the Services.
  3. Affiliates” means any entity which is controlled by, controls or is in common control with one of the parties.
  4. Arrangement between Controllers” means the so-titled section of this Schedule E.
  5. Assisting Party” means the party from which assistance is requested pursuant to Section 12.
  6. Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
  7. Data Protection Addendum” means the so-titled section of this Schedule E.
  8. Data Protection Laws” means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland) and applicable to the Processing of Personal Data under the Agreement.
  9. Data Subject” means the individual to whom Personal Data relates.
  10. GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  11. Personal Data” means any information relating to an identified or identifiable person that is subject to the Data Protection Laws which is Processed by either party in connection with the Services.
  12. Personal Data Breach” has the meaning set forth in paragraph 12 of Article 4 of the GDPR.
  13. Privacy Shield” means the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce.
  14. Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
  15. Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
  16. Requesting Party” means the party requesting assistance pursuant to Section 12.
  17. Security Measures” means the technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access described in Schedule E-2.
  18. Subprocessor” means a third party authorized under the Data Protection Addendum to have logical access to and Process Personal Data in order to provide parts of the Services.
  19. Supervisory Authority” has the meaning set forth in Article 51 of the GDPR, or means the Federal Data Protection and Information Commissioner of Switzerland, as applicable.

Arrangement between Controllers

  1. To the extent that (a) the Services comprise the demand side platform, DataMine, social services or managed services and (b) the Data Protection Laws apply to the Processing of Personal Data, the parties agree that Client and Amobee are Controllers of that Personal Data.
  2. PRIVACY POLICY DISCLOSURES
  3. Each party shall designate a contact point for Data Subjects in its publicly posted privacy policy;
  4. Each party shall post a privacy policy on its web site which reflects the nature of the relationship between the parties;
  5. RIGHTS OF DATA SUBJECTS
  6. As between the parties, the following party shall have sole responsibility for determining the legal basis for processing (including but not limited to determining the need for and obtaining) all consents from Data Subjects to the extent necessary for collection and Processing of Personal Data in the scope of the Services:
  7. in the case of the demand side platform, Amobee (except where the data was on-boarded by or at the direction of Client, in which case the responsible party shall be Client);
  8. in the case of DataMine, Client; and
  9. in the case of social services, Amobee (except where the data was on-boarded by or at the direction of Client, in which case the responsible party shall be Client); and

    provided that in any case, neither Client nor Amobee shall have responsibility for Processing special categories of personal data as referenced in Article 9 of the GDPR. Special categories of data shall not be Processed in connection with the Services.
  10. Either party is authorized to provide the information referred to in Articles 13 and 14 of the GDPR. Client grants consent to Amobee to respond to any such Data Subject request in its reasonable judgment. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request, to the extent legally permitted. Any further assistance will be provided in accordance with Section 12.
  11. DATA PROTECTION OFFICER
  12. Amobee’s data protection officer is ePrivacy GmbH, Große Bleichen 21, 20354 Hamburg. If Amobee’s data protection officer should change, Amobee shall provide updated contact details to Client.
  13. Client shall provide contact details for its data protection officer. If Client’s data protection officer should change, Client shall provide updated contact details to Amobee.
  14. RETURN OR DELETION OF CLIENT DATA
  15. If and to the extent that Client has the right under the Agreement to request Amobee return or delete Client Data, Amobee will do so if requested according to the terms of the Agreement.
  16. SECURITY
  17. Amobee will implement and maintain the Security Measures for protection of the security, confidentiality and integrity of the Personal Data. Amobee may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
  18. Client confirms that the Security Measures provide an appropriate level of protection for the Personal Data.
  19. Client will implement and maintain appropriate technical and organizational measures to ensure the protection of the rights of Data Subjects.
  20. AUDIT RIGHTS
  21. Amobee shall allow for and contribute to limited audits of the Security Measures in accordance with the following procedures:
  22. Upon Client’s written request, Amobee will provide Client or its appointed auditor with the most recent certifications and/or summary audit report(s), which Amobee has procured to regularly test, assess and evaluate the effectiveness of the Security Measures.
  23. Amobee will reasonably cooperate with Client by providing available additional information concerning the Security Measures to help Client better understand such Security Measures.
  24. If further information is needed by Client to comply with a competent Supervisory Authority’s request, Client will inform Amobee in writing to enable Amobee to provide such information or to grant Client access to it.
  25. Client shall promptly notify Amobee with information regarding any non-compliance discovered during the course of an audit.
  26. Each party will bear its own costs in respect of paragraphs 9.1.1 and 9.1.2. Any further assistance will be provided in accordance with Section 12.
  27. SECURITY BREACH MANAGEMENT AND NOTIFICATION
  28. Each party will notify the other within three business days after becoming aware of a Personal Data Breach with respect to the Services. Each party will promptly investigate the Personal Data Breach if it occurred on its infrastructure or in another area it is responsible for and will assist the other party as set out in Section 12.
  29. Client is responsible for maintaining accurate contact information at all time in Amobee’s support systems. Amobee may deliver a notification of a Personal Data Breach to any of Client’s business, technical or administrative contacts by any means it chooses, including e-mail or telephone.
  30. Client must deliver notification of a Personal Data Breach to both support@amobee.com and legal@amobee.com.
  31. A notification of a Personal Data Breach by either party is not an acknowledgement by such party of any fault or liability with respect to such Personal Data Breach.
  32. CROSS-BORDER DATA TRANSFERS, PRIVACY SHIELD
  33. Amobee may, subject to this Section 11, store and Process the relevant Client Data in the European Economic Area, the United States, Australia, Hong Kong and Singapore.
  34. Amobee self-certified to and complies with the Privacy Shield, and Amobee shall maintain its self-certification to and compliance with the Privacy Shield with respect to the Processing of Personal Data that is transferred from the European Economic Area or Switzerland to the United States.
  35. Client shall use and disclose the Personal Data only for the advertising-related purposes permitted by the Agreement. Client will provide at least the same level of protection for the Personal Data as is available under the EU-U.S. Privacy Shield program, though this Agreement does not require Client to join such program. If Client determines that it can no longer provide this level of protection (a) Client will promptly notify Amobee of this determination; (b) Amobee shall have the right to terminate the Agreement without penalty upon notice to Client; and (c) Client will cease processing the information or take other reasonable and appropriate steps to remediate the situation. Client authorizes Amobee to provide this Arrangement between Controllers and a copy of the relevant privacy provisions of the Agreement to the Department of Commerce upon its request (as required under the Accountability for Onward Transfer Principle of the Privacy Shield).
  36. ASSISTANCE
  37. The Assisting Party will assist the Requesting Party by technical and organizational measures, insofar as possible, for the fulfillment of the Requesting Party’s obligation to comply with the rights of Data Subjects and in ensuring compliance with the Requesting Party’s obligations relating to the security of Processing, the notification of a Personal Data Breach and the data protection impact assessment, taking into account the information available to the Assisting Party.
  38. The Requesting Party will make a written request for any assistance referred to in this Arrangement between Controllers. The Assisting Party will charge the Requesting Party no more than a reasonable charge to perform such assistance, such charges to be set forth in a quote and agreed in writing by the parties, or as set forth in an applicable change control provision of the Agreement.
  39. LIABILITY
  40. Both parties agree that their respective liability under this Arrangement between Controllers shall be apportioned according to each party’s respective responsibility for the harm (if any) caused.
  41. Nothing in this Section 13 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).
  42. If a Data Subject asserts its rights against either party pursuant to Article 26(3) of the GDPR and such assertion includes a claim for money, such party will notify the other party to give an opportunity to participate in the defense at such other party’s own expense.
  43. MISCELLANEOUS
  44. This Arrangement between Controllers will take effect on the Effective Date and will survive the Agreement and shall remain in effect until, and automatically expire upon, the deletion of all Client Data by Amobee as described in this Arrangement between Controllers.
  45. Nothing in this Data Protection Addendum shall confer any benefits or rights on any person or entity other than the parties to this Arrangement between Controllers.

Controller – Processor Data Protection Addendum

  1. PROCESSING OF PERSONAL DATA
  2. To the extent that (a) the Services comprise the data management platform and not DataMine and (b) the Data Protection Laws apply to the Processing of Personal Data, the parties agree that:
  3. Client is the sole Controller of that Personal Data;
  4. Amobee is a Processor of that Personal Data;
  5. the subject matter and details of the Processing of such Personal Data are described in Schedule E-1; and
  6. each party will comply with the obligations applicable to it under the Data Protection Laws with respect to the Processing of that Personal Data.
  7. The objective of Processing of Personal Data by Amobee is the performance of the Services pursuant to the Agreement.
  8. During the Term of the Agreement, Amobee shall only Process Personal Data on behalf of and in accordance with the Agreement and any Additional Instructions and shall treat Personal Data as Confidential Information. Client instructs Amobee to Process Personal Data for the following purposes:
  9. Processing in accordance with the Agreement; and
  10. Processing to comply with Additional Instructions provided by Client, where such Additional Instructions are acknowledged by Amobee as consistent with the terms of the Agreement.
  11. Client shall, in its use or receipt of the Services, Process Personal Data in accordance with the requirements of the Data Protection Laws and Client will ensure that its instructions for the Processing of Personal Data shall comply with the Data Protection Laws. If Amobee believes or becomes aware that any Additional Instruction conflicts with any Data Protection Laws, Amobee shall inform Client.
  12. Amobee may Process Personal Data other than on the instructions of Client if it is mandatory under applicable law to which Amobee is subject. In this situation Amobee shall inform Client of such a requirement unless the law prohibits such notice.
  13. Amobee shall keep a record of all Processing activities with respect to Client’s Personal Data as required under GDPR.
  14. To the extent that the data protection legislation of another jurisdiction is applicable to either party’s Processing of data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the Processing of that data.
  15. RIGHTS OF DATA SUBJECTS
  16. As between the parties, Client shall have sole responsibility for determining the legal basis for processing (including but not limited to determining the need for and obtaining) all consents from Data Subjects to the extent necessary for collection and Processing of Personal Data in the scope of the Services. Special categories of personal data, as referenced in Article 9 of the GDPR, shall not be Processed in connection with the Services.
  17. Amobee shall, to the extent legally permitted, promptly notify Client if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the Processing of such Data Subject’s Personal Data. Client grants consent to Amobee to respond to any such Data Subject request in its reasonable judgment. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request, to the extent legally permitted. Any further assistance will be provided in accordance with Section 24.
  18. DATA PROTECTION OFFICER
  19. Amobee’s data protection officer is ePrivacy GmbH, Große Bleichen 21, 20354 Hamburg. If Amobee’s data protection officer should change, Amobee shall provide updated contact details to Client.
  20. Client shall provide contact details for its data protection officer. If Client’s data protection officer should change, Client shall provide updated contact details to Amobee.
  21. RETURN AND DELETION OF CLIENT DATA
  22. Amobee will enable Client to delete Client Data during the Term in a manner consistent with the functionality of the Services. Amobee will comply with instructions from Client to delete certain Personal Data as soon as reasonably practicable and within a maximum period of 30 days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.
  23. On expiry of the Agreement, Client instructs Amobee to delete all Client Data from Amobee’s systems and discontinue Processing of such Client Data in accordance with Data Protection Law. Amobee will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.
  24. SECURITY
  25. Amobee will implement and maintain the Security Measures for protection of the security, confidentiality and integrity of Client’s Personal Data. Amobee may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
  26. Client confirms that the Security Measures provide an appropriate level of protection for Client’s Personal Data, taking into account the risks associated with the Processing of Client Personal Data.
  27. AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS
  28. Amobee shall allow for and contribute to audits, including inspections, of the Processing of Client’s Personal Data by Amobee or its affiliates in accordance with the following procedures:
  29. Upon Client’s written request, Amobee will provide Client or its appointed auditor with the most recent certifications and/or summary audit report(s), which Amobee has procured to regularly test, assess and evaluate the effectiveness of the Security Measures.
  30. Amobee will reasonably cooperate with Client by providing available additional information concerning the Security Measures to help Client better understand such Security Measures.
  31. If further information is needed by Client to comply with a competent Supervisory Authority’s request, Client will inform Amobee in writing to enable Amobee to provide such information or to grant Client access to it.
  32. To the extent it is not possible to otherwise satisfy an audit obligation mandated by applicable law, only legally mandated entities (such as a governmental regulatory agency having oversight of Client’s operations), Client or its appointed auditor may conduct an onsite visit of the facilities used to provide the Service. Such visit will occur with at least 30 days’ prior written notice, during normal business hours and only in a manner that causes minimal disruption to Amobee’s business, subject to coordinating the timing of such visit and in accordance with any audit procedures reasonably required by Amobee in order to reduce any risk to Amobee’s other customers.
  33. The audit shall be conducted by Client or another auditor appointed by Client. Amobee may object in writing to an auditor appointed by Client if, in Amobee’s reasonable opinion, the auditor is not suitably qualified or independent, a competitor of Amobee or otherwise manifestly unsuitable. Any such objection will require Client to appoint another auditor or conduct the audit itself.
  34. Client shall promptly notify Amobee with information regarding any non-compliance discovered during the course of an audit.
  35. Each party will bear its own costs in respect of paragraphs 20.1.1 and 20.1.2. Any further assistance will be provided in accordance with Section 24.
  36. SECURITY BREACH MANAGEMENT AND NOTIFICATION
  37. Amobee will notify Client within three business days after becoming aware of a Personal Data Breach with respect to the Services. Amobee will promptly investigate the Personal Data Breach if it occurred on Amobee infrastructure or in another area Amobee is responsible for and will assist Client as set out in Section 24.
  38. Client is responsible for maintaining accurate contact information at all time in Amobee’s support systems. Amobee may deliver a notification of a Personal Data Breach to any of Client’s business, technical or administrative contacts by any means it chooses, including e-mail or telephone.
  39. A notification of a Personal Data Breach by Amobee is not an acknowledgement by Amobee of any fault or liability with respect to such Personal Data Breach.
  40. SUBPROCESSORS
  41. Client authorizes Amobee to engage Subprocessors to Process Client Personal Data. Amobee will have a written agreement with each Subprocessor and all such agreements will include substantially the same data protection obligations as set out in this Data Protection Addendum. A list of Amobee’s current Subprocessors as pertinent to the Services is set out in Schedule E-3 and is also available through the Amobee platform user interface. Client is responsible for checking the list of Subprocessors for changes; Amobee will update the list in advance of engaging any new Subprocessor.
  42. Client can object to the appointment of a Subprocessor on the basis that such addition would cause Client to violate applicable legal requirements. Client’s objection shall be given within five days of Amobee’s notice, shall be in writing and shall include Client’s specific reasons for its objection and options to mitigate, if any. If Client does not object within such period the respective Subprocessor may be engaged to Process Client Personal Data.
  43. Amobee shall impose substantially similar data protection obligations as set out in this Data Protection Addendum on any approved Subprocessor prior to the Subprocessor Processing any Client Personal Data.
  44. If Client legitimately objects to the appointment of a Subprocessor and Amobee cannot reasonably accommodate Client’s objection, Amobee will notify Client. Client may terminate the affected Services by providing Amobee with a written notice within one month of Amobee’s notice. Amobee will refund a prorated portion of any pre-paid charges for the period after such termination date.
  45. Amobee shall be liable for the acts and omissions of its Subprocessors to the same extent Amobee would be liable if performing the services of each Subprocessor directly under the terms of this Data Protection Addendum, except as otherwise set forth in the Agreement.
  46. CROSS-BORDER DATA TRANSFERS, PRIVACY SHIELD
  47. Amobee may, subject to this Section 23, store and Process the relevant Client Data in the European Economic Area, the United States, Australia, Hong Kong and Singapore.
  48. Amobee self-certified to and complies with the Privacy Shield, and Amobee shall maintain its self-certification to and compliance with the Privacy Shield with respect to the Processing of Personal Data that is transferred from the European Economic Area or Switzerland to the United States.
  49. At the request of Client, or if the Services involve transfers of Client Data out of the European Economic Area to a jurisdiction other than the United States that does not have adequate data protection laws, and the Data Protection Laws apply to the transfers of such data, Amobee as the data importer of the Personal Data will enter into EU Model Contract Clauses with Client as the data exporter and Amobee will ensure that transfers to any Subprocessor are made in accordance with such EU Model Contract Clauses.
  50. ASSISTANCE
  51. Amobee will assist Client by technical and organizational measures, insofar as possible, for the fulfillment of Client’s obligation to comply with the rights of Data Subjects and in ensuring compliance with Client’s obligations relating to the security of Processing, the notification of a Personal Data Breach and the data protection impact assessment, taking into account the information available to Amobee.
  52. Client will make a written request for any assistance referred to in this DPA. Amobee will charge Client no more than a reasonable charge to perform such assistance or Additional Instructions, such charges to be set forth in a quote and agreed in writing by the parties, or as set forth in an applicable change control provision of the Agreement.
  53. LIABILITY
  54. Both parties agree that their respective liability under this DPA shall be apportioned according to each party’s respective responsibility for the harm (if any) caused.
  55. If EU Model Contract Clauses have been entered into as described in Section 23.3, the total combined liability of either party and its Affiliates towards the other party and its Affiliates under or in connection with the Agreement and such EU Model Contract Clauses combined will be limited to any liability cap set forth in the Agreement.
  56. Nothing in this Section 25 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).
  57. MISCELLANEOUS
  58. This Data Protection Addendum will take effect on the Effective Date and will survive the Agreement and shall remain in effect until, and automatically expire upon, the deletion of all Client Data by Amobee as described in this Data Protection Addendum.
  59. Nothing in this Data Protection Addendum shall confer any benefits or rights on any person or entity other than the parties to this Data Protection Addendum, except that where Client’s Affiliates are Data Controllers of the Personal Data, they may enforce the terms of this Data Protection Addendum against Amobee directly.

Schedule E-1 – Subject matter and details of the Processing Data exporter: The data exporter is Client.

Data importer: The data importer is Amobee.

Data subjects: The Personal Data concern the following categories of Data Subjects: The individuals about whom Personal Data is provided to Amobee via the Services by (or at the direction of) Client.

Categories of data: The Personal Data concern the following categories of data: Data relating to individuals provided to Amobee via the Services by (or at the direction of) Client.

Processing operations: The Personal Data will be subject to the following Processing activities: Amobee will process Client’s Personal Data for the purposes of providing the Services to Client in accordance with the Agreement.

SCHEDULE E-2 – TECHNICAL AND ORGANIZATIONAL MEASURES

As from the Effective Date, Amobee will implement and maintain the Security Measures set out in this Schedule E-2. Amobee may update or modify such Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Processor Services.

1. DATA CENTER & NETWORK SECURITY

(a) Data Centers.

Infrastructure. Amobee maintains geographically distributed data centers. Amobee stores all production data in physically secure data centers.

Redundancy. Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Processor Services are designed to allow Amobee to perform certain types of preventative and corrective maintenance without interruption. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer’s or internal specifications. Preventative and corrective maintenance of the data center equipment is scheduled through a standard process according to documented procedures.

Power. The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, and 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supply (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data center, at full capacity, for up to 10 minutes until the diesel generator systems take over. The diesel generators are capable of automatically starting up within seconds to provide enough emergency electrical power to run the data center at full capacity typically for a period of days.

Server Operating Systems. Amobee servers use hardened operating systems which are customized for the unique server needs of the business. Data is stored using proprietary algorithms to augment data security and redundancy. Amobee employs a code review process to increase the security of the code used to provide the Processor Services and enhance the security products in production environments.

(b) Networks & Transmission.

Data Transmission. Data centers are typically connected via high-speed private links to provide secure and fast data transfer between data centers. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. Amobee transfers data via Internet standard protocols.

External Attack Surface. Amobee employs multiple layers of network devices and intrusion detection to protect its external attack surface. Amobee considers potential attack vectors and incorporates appropriate purpose built technologies into external facing systems.

Intrusion Prevention. Amobee’s intrusion prevention involves tightly controlling the size and make-up of Amobee’s attack surface through preventative measures.

Incident Response. Amobee monitors a variety of communication channels for security incidents, and Amobee’s security personnel will react promptly to known incidents. Amobee has a written Security Incident Response Plan that has been reviewed by counsel.

Encryption Technologies. Amobee makes HTTPS encryption (also referred to as SSL or TLS connection) available.

2. ACCESS AND SITE CONTROLS

(a) Site Controls.

On-site Data Center Security Operation. Amobee’s data centers maintain an on-site security operation responsible for all physical data center security functions 24 hours a day, 7 days a week. (The security operation consists of non-Amobee staff.) The on-site security operation personnel monitor Closed Circuit TV (“CCTV”) cameras and all alarm systems. On-site security operation personnel perform internal and external patrols of the data center regularly.

Data Center Access Procedures. Amobee maintains formal access procedures for allowing physical access to the data centers. The data centers are housed in facilities that require electronic card key access, with alarms that are linked to the on-site security operation. All entrants to the data center are required to identify themselves as well as show proof of identity to on-site security operations. Only authorized employees, contractors and visitors are allowed entry to the data centers. Only authorized employees and contractors are permitted to request electronic card key access to these facilities. Data center electronic card key access requests must be made in advance and in writing, and require the approval of the requestor’s manager and the data center director. All other entrants requiring temporary data center access must: (i) obtain approval in advance from the data center managers for the specific data center and internal areas they wish to visit; (ii) sign in at on-site security operations; and (iii) reference an approved data center access record identifying the individual as approved.

On-site Data Center Security Devices. The data centers that Amobee uses employ an electronic card key and biometric access control system that is linked to a system alarm. The access control system monitors and records each individual’s electronic card key and when they access perimeter doors, shipping and receiving, and other critical areas. Unauthorized activity and failed access attempts are logged by the access control system and investigated, as appropriate. Authorized access throughout the business operations and data centers is restricted based on zones and the individual’s job responsibilities. The fire doors at the data centers are alarmed. CCTV cameras are in operation both inside and outside the data centers. The positioning of the cameras has been designed to cover strategic areas including, among others, the perimeter, doors to the data center building, and shipping/receiving. On-site security operations personnel manage the CCTV monitoring, recording and control equipment. Secure cables throughout the data centers connect the CCTV equipment. Cameras record on-site via digital video recorders 24 hours a day, 7 days a week. The surveillance records are retained for at least 7 days based on activity.

(b) Access Control.

Infrastructure Security Personnel. Amobee has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Amobee’s security personnel are responsible for the ongoing monitoring of Amobee’s security infrastructure, the review of the Processor Services, and responding to security incidents.

Access Control and Privilege Management. Client’s administrators and users must authenticate themselves via a central authentication system or via a single sign on system in order to use the Processor Services.

Internal Data Access Processes and Policies. Amobee’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Amobee aims to design its systems to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during Processing, use and after recording. The systems are designed to detect any inappropriate access.

3. DATA

(a) Pseudonymization

In order to enhance user privacy, Amobee uses pseudonymous identifiers for end users. Amobee does not have the ability to deduce an end user’s name, physical address, e-mail address or telephone number from its records.

(b) Data Storage, Isolation & Authentication.

Amobee stores data in a multi-tenant environment on Amobee-owned servers. Data, the Processor Services database and file system architecture are replicated between multiple geographically dispersed data centers. Amobee logically isolates each Client’s data.

(c) Decommissioned Disks and Disk Destruction Guidelines.

Certain disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned. Every decommissioned disk is subject to a series of data destruction processes before leaving Amobee’s premises either for reuse or destruction.

4. PERSONNEL SECURITY

Amobee personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Amobee conducts reasonably appropriate backgrounds checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Amobee’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling Client Personal Data are required to complete additional requirements appropriate to their role. Personnel will not Process Client Personal Data without authorization and access to Client Personal Data is limited to those personnel who require such access to perform the Services.

5. SUBPROCESSOR SECURITY

Before onboarding Subprocessors, Amobee conducts due diligence to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Amobee has assessed the risks presented by the Subprocessor then the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.

SCHEDULE E-3 – SUBPROCESSORS

See list in console.