Start.io Data Processing Agreement (Advertising)

This Data Processing Agreement (“DPA") is an integral part of an Insertion Order between Start.io Inc. and Advertiser (“Advertiser Agreement”), and available at: https://www.start.io/startio-dpa-advertising. Each of Start.io and Advertiser may be referred to as a ”Party”, and together as the ”Parties”.

Definitions
1. “Data Protection Law" means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law) as may be amended or from time to time.
1. "Controller", "Processor", "Data Subject", "Personal Data", "Processing" (and "Process"), “Personal Data Breach” and "Special Categories of Personal Data" shall have the meanings given in EU Data Protection Law.
1. “Start.io Data” means data collected by Start.io (including without limitations, IDs) and shared with the Advertiser subject to the Advertiser Agreement and for the purpose of providing the Services.
1. “Start.io Privacy Policy” means Start.io End User Privacy Policy available at: https://www.start.io/policy/privacy-policy/, as may be amended by Start.io from time to time.
1. "EU Data Protection Law" means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iv) any legislation replacing or updating any of the foregoing.
1. “ID” means: (i) a unique identifier stored on an end-user’s device, (ii) a unique identifier generated on the basis of device information, or (iii) a resettable advertising ID associated with a mobile device or an application.
1. “Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other Party’s Personal Data will comprise a Security Incident.
Applicability

This DPA applies to the extent that EU Data Protection Law applies to the Processing of Personal Data under the Advertiser Agreement, including if: (a) the Processing is in the context of the activities of an establishment of either party in the European Economic Area (“EEA”); or (b) the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a party. Notwithstanding the above, this DPA and the obligations hereunder do not apply to aggregated reporting or statistics information a party may collect from end users or provide to the other party.

Relationship of The Parties

The Parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Personal Data, Start.io is the Data Controller and Advertiser is the Data Processor on behalf of Start.io. Provided however that, when placement of an Ad uses and/or is based only on data received by Start.io within a respective request through RTB, then Start.io is only a Processor for the purpose of such action and Advertiser is the Data Sub-Processor on behalf of Start.io

Each party shall be individually and separately responsible for complying with the obligations that apply to it subject to the Data Protection Law.

The subject-matter and duration of the Processing carried out by the Processor in connection with the Advertiser Agreement, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex A.

Processing and Protection of Personal Data
- Each party shall Process Personal Data in compliance with applicable Data Protection Law, industry standards and its obligations herein.
- In respect of the Processing of Personal Data by Advertiser in connection with the Advertiser Agreement where EU Data Protection Law applies, the Advertiser is responsible for and shall comply with applicable Data Protection Law and agrees that it shall: (a) cooperate as requested by Start.io and implement appropriate technical and organizational measures to enable Start.io to comply with any exercise of rights by a Data Subject under applicable Data Protection Law in respect of Personal Data processed by Start.io under the Advertiser Agreement (including, without limitation, deletion of a Data Subject’s Personal Data); (b) not access or transfer outside the EEA any Personal Data without the prior written consent of Start.io; (c) provide Start.io with reasonable resources and assistance as are required by Start.io pursuant to Articles 32 to 36 of the GDPR; (d) by Start.io’s sole discretion, delete all Start.io Data following the completion of the Processing, and delete existing copies unless European Union or Member State law requires storage of such; and (e) make available to Start.io at its request all information necessary to demonstrate compliance with the obligations herein and under Article 28 of the GDPR, including without limitation, provide Start.io with a written description of the technical and organizational methods employed by Advertiser and its Sub- Processors (if any) for the Processing of Personal Data.
Notification of Security Incident

The Advertiser will notify Start.io without undue delay, and, in any event within forty-eight (48) hours, upon becoming aware that an actual Security Incident has occurred. The Advertiser will, as soon as possible, provide Start.io with at least the following information with respect to the Security Incident: (a) a description of the cause and nature of the Security Incident including the categories and approximate numbers of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) the measures being taken to contain, investigate and remediate the Security Incident; (c) the likely consequences and risks for Start.io and its Data Subjects as a result of the Security Incident; and (d) any mitigating actions taken and a proposed plan to mitigate any risks for Data Subjects as a result of the Security Incident. Further, the Advertiser shall (i) immediately and without delay, take necessary steps to contain, remediate, minimize any effects of the Security Incident and to identify its cause; (ii) co-operate with Start.io and provide Start.io with applicable assistance and information as it may reasonably require in connection with the mitigation of the Security Incident; and (iii) immediately notify Start.io in writing of any request, inspection, audit or investigation by a Supervisory Authority.

Technical and Organizational Measures

Start.io has implemented appropriate technical and organizational measures to protect the Personal Data as detailed herein: https://www.start.io/start-io-computer-policy/. The Advertiser shall implement and maintain the technical and organizational measures and take all other measures required pursuant to Article 32 of the GDPR including all organizational and technical security measures necessary to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Start.io Data, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing, and in any event, with respect to Start.io Data the security measures implemented are at least as strict as Start.io’s.

Sub-Processors

Advertiser may share Start.io Data with Sub-Processors provided that (a) it will notify Start.io in advance in writing with respect to these Sub-Processors (including replacement or any change with respect to these Sub-Processors; email notification to Start.io DPO at: dpo@start.io shall be sufficient). Start.io may reasonably object in writing a proposed Sub-Processor within thirty (30) days of receipt of the email notification (in which case Advertiser shall not use or replace the Sub-Processor concerned in relation with Start.io Data); (b) each Sub-Processor will guarantee to meet the requirements of the GDPR and this DPA and ensure the protection of the rights of Data Subjects, through a legally binding contract between Advertiser and Sub-Processor, with the same data protection obligations as set out in this DPA; and (c) if any Sub-Processor fails to fulfil its obligations in the contract between the Advertiser and Sub-Processor, Advertiser shall remain fully liable to Start.io for the performance of the Sub-Processor’s obligations.

Audit

Upon reasonable request of Start.io, the Advertiser will submit its data processing facilities, data files and documentation as reasonably needed by Start.io for the purpose of auditing or inspecting the Advertiser to ensure compliance with the warranties and undertakings under this DPA (“Audit”). The Audit will be conducted (i) by Start.io or any independent or impartial inspection agents or auditors agreed between the parties; and (ii) by providing reasonable notice and during regular business hours. The request will be subject to the extent permitted under applicable law.

Conflict

During the performance of the Agreement, Start.io may share with or transfer Personal Data to the Advertiser. It is acknowledged by the Parties that the Personal Data has been or is Processed by Start.io for the Purpose only, and pursuant to Start.io End User Privacy Policy, available at: https://www.start.io/policy/privacy-policy/ (“Start.io Privacy Policy”). Advertiser is fully responsible (i) for its data collection and/or Process practices and its compliance with any applicable laws; and (ii) to analyze or verify its rights or lawful basis to Process Personal Data considering the consents, authorizations or permissions granted by or obtained from End Users within the scope of Start.io Privacy Policy or otherwise.

In the event of a conflict or discrepancies between the terms and conditions of this DPA and the terms and conditions of Start.io Privacy Policy, Start.io Privacy Policy shall prevail. In the event of a conflict between the terms and conditions of this DPA and the Advertiser Agreement, this DPA shall prevail. Except as set forth herein all of the terms and conditions of the Advertiser Agreement shall remain in full force and effect.

* * *

ANNEX A (to Appendix B)

DETAILS OF PROCESSING ACTIVITIES

Subject Matter

Processing carried out for the purpose of providing the Services as detailed in the Advertiser Agreement and specifically for the purpose of placing advertisement within the Inventory (digital assets of Start.io’s partners; i.e., publishers, suppliers, etc.).

Categories of data

Personal Data of the Data Subjects in the EEA that have installed a mobile application that contains Start.io SDK in which the Advertiser will display advertisement.
Personal Data of the Data Subjects in the EEA that shared with Start.io in its capacity as Processor by third parties which, directly or indirectly, develop, operate, own or licensee of mobile applications or advertisement space at mobile applications, in which the Advertiser will display advertisement.

Types of Personal Data

IDs.

Special categories of data

N/A

Duration

Solely for the purpose of providing the Service and shall be deleted by Advertiser thereafter.

Last update: January 5, 2021

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.