By executing a services agreement, Platform Access Order, or other agreement or order for Tatari’s products or services (collectively the“Agreement”), a customer (“Company”) of Tatari, Inc. (“Tatari”) and Tatari (each a “Party” and collectively the “Parties”) each agree to be bound by this Data Processing Addendum (“DPA”) as amended or updated by Tatari from time to time.
WHEREAS, Company intends to provideTatari with access to certain Personal Information, including IP addresses and related information, as authorized in connection with Tatari’s services pursuant to the Agreement, which include measurement and attribution analytics and reporting and, at Company’s direction, additional services such as look-alike modeling and retargeting, all relating to Company’s television advertising (the “Permitted Purposes”).
NOW THEREFORE, in consideration of the mutual covenants and agreements in this DPA and the Agreementand for other good and valuable consideration, the sufficiency of which is hereby acknowledged, Company and Tatariagree as follows:
I. Definitions. Capitalized terms not defined herein shall have the meanings specified in the Agreement.
(A) Where Company contracts with Tatari as an agent for designated Company Client(s) under the Agreement, references to “Company” herein shall include both Company and “Company Client(s)” as defined in the Agreement.
(B) “Personal Information” means any information provided to Tatari by Company that constitutes “Personal Information,” “Personal Data,” or “Personally Identifiable Information” under applicable Privacy Laws.
(C) “Privacy Laws” means all applicable laws, rules, regulations, directives and governmental requirements currently in effect, as amended, and as they become effective, relating to the privacy, confidentiality or security of Personal Information Processed hereunder.
(D) As used herein, the following terms and their derivatives shall have the meanings ascribed under applicable Privacy Laws: “Aggregate,” “Business,” “Child,” “Deidentify,” “Highly Sensitive,” “Protected Health Information,” “Process,” “Minor,” “Sell,” “Sensitive,” “Share,” and “Third Party.”
II. Data Use and Processing
(A) Company authorizes Tatari to Process Personal Information solely for the Permitted Purposes and solely in accordance with applicable Privacy Laws.
(B) Each Party shall comply with all applicable Privacy Laws with respect to its collection, storage, disclosure, use and processing of Personal Information under this Agreement, including maintaining and providing all required privacy policies, notices and consents and providing the same level of protections as required under applicable Privacy Laws.
(C) Company will not provide to Tatari any Personal Information constituting Sensitive, Highly Sensitive, Child, or Protected Health information.
(D) Tatari will hold all Personal Information in strict confidence, subject to all confidentiality and use restrictions under the Agreement and this DPA. The Parties acknowledge and agree that any Personal Information is Confidential Information subject to the Parties’ Non-Disclosure Agreement incorporated in and pursuant to the Agreement.
(E) Tatari shall not:
i. Sell or Share Personal Information with any third party without Company’s authorization;
ii. Retain, use or disclose Personal Information for any purpose other than the Permitted Purposes or outside of its direct business relationship with Company;
iii. Retain, use or disclose Personal Information in violation of applicable Privacy Law;
(F) Tatari shall ensure that any Tatari employees, agents, consultants, contractors or Sub-Contractors are only granted access to Personal Information on a need-to-know basis, are subject to use, disclosure and confidentiality restrictions at least as protective as those herein, and only Process Personal Information for the Permitted Purposes and in accordance with this DPA.
(G) Upon notice to Tatari, Company may take reasonable and appropriate steps to ensure compliance with this DPA and applicable Privacy Law, including to stop and remediate unauthorized use or Processing of Personal Information.
(H) Tatari shall promptly inform Company in writing of any requests from individuals to exercise rights under applicable Privacy Laws with respect to Personal Information. Tatari shall provide reasonable assistance to Company in fulfilling Company’s obligation to respond to such requests. Except as otherwise required by law, Tatari shall not respond directly to such individual requests other than as directed by Company, provided that Tatari shall direct such individuals to contact Company directly pursuant to Company’s then-current on-line privacy policy.
(I) Tatari shall promptly notify Company if Tatari determines that it can no longer comply with or otherwise meet its obligations under applicable Privacy Law.
(J) Except as prohibited by law, Tatari shall promptly notify Company in writing of any subpoena, judicial or government order, or other legal compulsion to disclose the Personal Information. Tatari shall reasonably cooperate with Company in Company’s defense against or opposition to such action.
(K) In addition to all terms and conditions herein, to the extent Tatari acts other than as a Service Provider or Processor under applicable Privacy Law, the Parties further agree that:
i. Tatari shall comply with Privacy Law applicable to such Processing, including in relation to consumer requests and data security; and
ii. The Parties shall each, within 72 hours of receipt, relay to the other any consumer requests relating to Personal Information Processed by Tatari in such capacity and shall reasonably cooperate to ensure that each may comply with its obligations, including meeting any deadlines, under applicable Privacy Laws.
II. Sub-Processing Where Tatari engages a third-party to perform any part of Tatari’s Processing of Personal Information (“Sub-Processor”), Tatari shall enter into a written agreement with each such Sub-Processor that imposes terms and conditions substantially the same as under this DPA. Tatari’s use of a Sub-Processor shall not affect Tatari’s obligations and liabilities under this DPA.
III. Data Security Tatari shall implement and maintain reasonable and appropriate technical and organizational security measures to (i) ensure the security and confidentiality of Personal Information; (ii) protect against anticipated threats or hazards to the security and integrity of Personal Information; (iii) protect against Information Security Incidents, and (iv) comply with applicable Privacy Laws.
IV. Security Incident
(A) Tatari shall inform Company in writing of any actual or reasonably suspected unauthorized use, disclosure, acquisition or Processing of any Personal Information (“Security Incident”) within seventy-two (72) hours of learning about such incident. The notification shall include all available material information.
(B) Tatari shall promptly investigate any Security Incident, take all reasonably necessary and advisable corrective actions, and cooperate with Company in all reasonable and lawful efforts to prevent, mitigate or rectify such incident. Tatari shall provide such assistance as reasonably required to enable Company to satisfy Company’s obligations under applicable Privacy Laws. The content of any filings, communications, notices, press releases or reports related to any Security Incident must be approved by Company prior to any publication or communication thereof to the extent Company is referenced or identified in such filings, communications, notices, press releases or reports.
V. Audit Company may take reasonable and appropriate steps to ensure that Tatari uses Personal Information in a manner consistent with Company’s obligations under applicable Privacy Laws. Other than in connection with a Security Incident, Company may, at its sole expense and up to once per 12-month period, engage a qualified third-party auditor to assess Tatari’s compliance with this DPA and applicable Privacy Laws, subject to a mutually acceptable confidentiality agreement with the auditor. Any such audit shall be conducted in a manner designed to minimize disruption of Tatari’s business and operations.
VI. Indemnity Each Party (the “Indemnifying Party”) agrees to indemnify, defend and hold harmless the other (the “Indemnified Party”) from and against any third-party claims against the Indemnified Party arising from the Indemnifying Party’s violation of: (i) applicable Privacy Laws, or (ii) this DPA. Except as set forth herein, indemnification shall be governed by the applicable provisions of the Agreement.
VII. Miscellaneous This DPA is an addendum to the Agreement. Except to the extent specifically provided herein, all terms, provisions and conditions of the Agreement remain in full force and effect and apply to this DPA. In the event of a conflict between the provisions of the Agreement and this DPA, this DPA shall control. Tatari may amend or update this DPA at any time in its sole discretion. Any such changes will be effective upon the posting of the updated DPA on Tatari’s website, provided that such changes are (i) generally applicable to all customers subject this DPA, and (ii) not retroactive. Company’s continued use of the Platform and Services after Tatari’s posting of any changes will constitute its and Company Client’s acceptance of such changes or modifications.