This Data Processing Agreement (“DPA”) is an integral part of an Insertion Order between Start.io Inc. and Advertiser (“Advertiser Agreement”), and is available at: https://www.start.io/startio-dpa-advertising. Each of Start.io and Advertiser may be referred to as a “Party”, and together as the “Parties”.
- “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law) as may be amended from time to time.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall have the meanings given in EU Data Protection Law.
- “Start.io Data” means data collected by Start.io (including, without limitation, IDs) and shared with the Advertiser subject to the Advertiser Agreement and for the purpose of providing the Services.
- “EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iv) any legislation replacing or updating any of the foregoing.
- “ID” means: (i) a unique identifier stored on an end-user’s device, (ii) a unique identifier generated on the basis of device information, or (iii) a resettable advertising ID associated with a mobile device or an application.
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other Party’s Personal Data will comprise a Security Incident.
This DPA applies to the extent that EU Data Protection Law applies to the Processing of Personal Data under the Advertiser Agreement, including if: (a) the Processing is in the context of the activities of an establishment of either party in the European Economic Area (“EEA”); or (b) the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a party. Notwithstanding the above, this DPA and the obligations hereunder do not apply to aggregated reporting or statistics information a party may collect from end users or provide to the other party.
- Relationship of The Parties
The Parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Personal Data, Start.io is the Data Controller and Advertiser is the Data Processor on behalf of Start.io. Provided, however, that when placement of an Ad uses and/or is based only on data received by Start.io within a respective request through RTB, then Start.io is only a Processor for the purpose of such action and Advertiser is the Data Sub-Processor on behalf of Start.io.
Each party shall be individually and separately responsible for complying with the obligations that apply to it subject to the Data Protection Law.
The subject-matter and duration of the Processing carried out by the Processor in connection with the Advertiser Agreement, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex A.
- Processing and Protection of Personal Data
- Each party shall Process Personal Data in compliance with applicable Data Protection Law, industry standards and its obligations herein.
- In respect of the Processing of Personal Data by Advertiser in connection with the Advertiser Agreement where EU Data Protection Law applies, the Advertiser is responsible for and shall comply with applicable Data Protection Law and agrees that it shall: (a) cooperate as requested by Start.io and implement appropriate technical and organizational measures to enable Start.io to comply with any exercise of rights by a Data Subject under applicable Data Protection Law in respect of Personal Data processed by Start.io under the Advertiser Agreement (including, without limitation, deletion of a Data Subject’s Personal Data); (b) not access or transfer outside the EEA any Personal Data without the prior written consent of Start.io; (c) provide Start.io with reasonable resources and assistance as are required by Start.io pursuant to Articles 32 to 36 of the GDPR; (d) at Start.io’s sole discretion, delete all Start.io Data following the completion of the Processing, and delete existing copies unless European Union or Member State law requires storage of such; and (e) make available to Start.io at its request all information necessary to demonstrate compliance with the obligations herein and under Article 28 of the GDPR, including, without limitation, providing Start.io with a written description of the technical and organizational methods employed by Advertiser and its Sub-Processors (if any) for the Processing of Personal Data.
- Notification of Security Incident
The Advertiser will notify Start.io without undue delay, and, in any event within forty-eight (48) hours, upon becoming aware that an actual Security Incident has occurred. The Advertiser will, as soon as possible, provide Start.io with at least the following information with respect to the Security Incident: (a) a description of the cause and nature of the Security Incident including the categories and approximate numbers of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) the measures being taken to contain, investigate and remediate the Security Incident; (c) the likely consequences and risks for Start.io and its Data Subjects as a result of the Security Incident; and (d) any mitigating actions taken and a proposed plan to mitigate any risks for Data Subjects as a result of the Security Incident. Further, the Advertiser shall (i) immediately and without delay, take necessary steps to contain, remediate, minimize any effects of the Security Incident and to identify its cause; (ii) co-operate with Start.io and provide Start.io with applicable assistance and information as it may reasonably require in connection with the mitigation of the Security Incident; and (iii) immediately notify Start.io in writing of any request, inspection, audit or investigation by a Supervisory Authority.
- Technical and Organizational Measures
Start.io has implemented appropriate technical and organizational measures to protect the Personal Data as detailed herein: https://www.start.io/start-io-computer-policy/. The Advertiser shall implement and maintain the technical and organizational measures and take all other measures required pursuant to Article 32 of the GDPR including all organizational and technical security measures necessary to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Start.io Data, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing, and in any event, with respect to Start.io Data the security measures implemented are at least as strict as Start.io’s.
Advertiser may share Start.io Data with Sub-Processors provided that (a) it will notify Start.io in advance in writing with respect to these Sub-Processors (including replacement or any change with respect to these Sub-Processors; email notification to Start.io DPO at: firstname.lastname@example.org shall be sufficient). Start.io may reasonably object in writing to a proposed Sub-Processor within thirty (30) days of receipt of the email notification (in which case Advertiser shall not use or replace the Sub-Processor concerned in relation to Start.io Data); (b) each Sub-Processor will guarantee to meet the requirements of the GDPR and this DPA and ensure the protection of the rights of Data Subjects, through a legally binding contract between Advertiser and Sub-Processor, with the same data protection obligations as set out in this DPA; and (c) if any Sub-Processor fails to fulfil its obligations in the contract between the Advertiser and Sub-Processor, Advertiser shall remain fully liable to Start.io for the performance of the Sub-Processor’s obligations.
Upon reasonable request of Start.io, the Advertiser will submit its data processing facilities, data files and documentation as reasonably needed by Start.io for the purpose of auditing or inspecting the Advertiser to ensure compliance with the warranties and undertakings under this DPA (“Audit”). The Audit will be conducted (i) by Start.io or any independent or impartial inspection agents or auditors agreed between the parties; and (ii) by providing reasonable notice and during regular business hours. The request will be subject to the extent permitted under applicable law.
* * *
ANNEX A (to Appendix B)
DETAILS OF PROCESSING ACTIVITIES
Processing carried out for the purpose of providing the Services as detailed in the Advertiser Agreement and specifically for the purpose of placing advertisement within the Inventory (digital assets of Start.io’s partners; i.e., publishers, suppliers, etc.).
Categories of data
- Personal Data of the Data Subjects in the EEA that have installed a mobile application that contains Start.io SDK in which the Advertiser will display advertisement.
- Personal Data of the Data Subjects in the EEA that is shared with Start.io in its capacity as Processor by third parties which, directly or indirectly, develop, operate, own or license mobile applications or advertisement space in mobile applications, in which the Advertiser will display advertisement.
Types of Personal Data
Special categories of data
Solely for the purpose of providing the Service and shall be deleted by Advertiser thereafter.
Last update: January 5, 2021