MEDIAMATH, INC. ADDENDUM TO IAB STANDARD TERMS AND CONDITIONS FOR
INTERNET ADVERTISING FOR MEDIA BUYS ONE YEAR OR LESS (VERSION 3.0)
This Addendum (“Addendum”) is to the IAB STANDARD TERMS AND CONDITIONS FOR INTERNET ADVERTISING FOR MEDIA BUYS ONE YEAR OR LESS (Version 3.0) (“Standard Terms”) found at http://www.iab.com/wp-content/uploads/2015/06/IAB_4As-tsandcs-FINAL.pdf The Standard Terms, as modified by this Addendum constitutes the parties’ agreement (“Agreement”) regarding the delivery of certain internet advertising services and any IOs executed and delivered between the parties shall be governed by the Agreement. Capitalized terms used and defined in the Standard Terms shall have the same meaning when used in this Addendum. All references to “Terms” in the Standard Terms shall mean the Standard Terms as modified by this Addendum. In the event of any inconsistency between the Standard Terms and this Addendum, the terms of this Addendum shall prevail. The Standard Terms are hereby modified as follows:
- Advertiser (or Advertiser’s authorized Agency on its behalf) and MediaMath, Inc. and its Affiliates, as Media Company, agree to be bound by the Standard Terms, as amended by this Addendum and Schedule A. All references in the Standard Terms to Media Company shall mean MediaMath. Any terms and conditions proposed by Advertiser in acknowledging or accepting MediaMath’s provision of services which are different from or in addition to the terms set forth in this Addendum or an applicable Insertion Order, each of which shall be executed by both parties, shall not be binding upon MediaMath and shall be void and of no effect.
- Advertiser (or Advertiser’s authorized Agency on its behalf) acknowledges that MediaMath is not a publisher and is a service provider that provides digital media services (“Services”) using MediaMath’s proprietary TerminalOne® Service Platform (“Service Platform”), and therefore Sections I(a)(v), II(b), II(c), II(d), III(c), IV(c), VI, VII, IX(f) and XIII of the Standard Terms are not applicable and are hereby removed in their entirety. Sections III(a) and (b) regarding payment terms are hereby removed in their entirety and are replaced with payment terms set forth on each Insertion Order.
- The definitions shall be amended as follows:
- “Advertiser Site” means websites owned or operated by Advertiser.
- “European Law” means: (i) prior to 25 May 2018, Directive 95/46/EC and applicable laws implementing that Directive in Member States; (ii) on and after 25 May 2018, Regulation 2016/679 (GDPR); (iii) Directive 2002/58/EC (as amended or replaced from time to time) and applicable laws implementing that Directive in Member States; and (iv) any data protection and privacy laws of the United Kingdom in effect from time to time. References in this Addendum or Schedule A to this Addendum to “controller”, “data subject”, “personal data”, “process”/”processed”/processing”, “processor” and “special categories of personal data” shall have the meanings given in European Law;
- “Media Company Properties” is deleted in its entirety;
- “MMUID” means any unique identifier which is created, assigned or retained by MediaMath in respect of each user who interacts with a Site.
- “Network Properties” means the websites on which Media Company purchases digital media on behalf of Agency either through premium direct deals with publishers or through RTB exchanges, in each case, as available through the Service Platform;
- “IO Details” are details set forth on the IO but only when expressly associated with the applicable Discloser, including, but not limited to, Ad pricing information, Ad description, Ad placement information, Ad targeting information, and all data provided to Media Company by or on behalf of Advertiser, but in each case in respect to Advertiser, excluding Site Data.
- “Performance Data” means (x) data regarding a campaign gathered during delivery of an Ad pursuant to an IO (e.g., number of impressions, interactions, and header information) and (y) data gathered by Media Company from Advertiser Sites with Advertiser’s consent (or the consent of Advertiser’s Agency on Advertiser’s behalf), but in each case excluding Site Data or IO Details.”
- “Site” means a digital property that is accessible by users (including websites, mobile sites and software applications).
- “Site Data” means any data that is (A) preexisting Media Company data used by Media Company pursuant to the IO; (B) gathered pursuant to the IO during delivery of an Ad that identifies or allows identification of Media Company, Media Company’s Site, brand, content, context, or users as such; (C) entered by users on any Media Company Site other than User Volunteered Data; (D) generated in connection with providing services under this IO(including any MMUID) that is Aggregated; and (E) all data relating to any error by, issue with, or enhancement to the operation of the services provide by Media Company under the IO.
- “Third Party Ad Server” is deleted in its entirety.
- Section II(a) and Section IV(b) are deleted in their entirety and replaced with the following:
“Compliance with IO. Media Company will comply with the campaign strategy set forth in IOs and any other directions provided in writing by Advertiser (or Advertiser’s authorized Agency on its behalf), including Ad targeting specifications, and will deliver to Advertiser (or Advertiser’s authorized Agency on its behalf) any agreed upon reports relating to the performance of the campaign”.
- The following shall be added as a clause (iv) at the end of Section X(b): “or (iv) Advertiser’s alleged breach of Schedule A”.
- Section XI is hereby amended and replaced in its entirety as follows:
“EXCEPT FOR INTENTIONAL MISCONDUCT BY AN ADVERTISER, AN AGENCY ACTING ON BEHALF OF AN ADVERTISER, OR MEDIA COMPANY, IN NO EVENT SHALL A PARTY BE LIABLE TO THE OTHER PARTY OR ITS AFFILIATES FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING, BUT NOT LIMITED TO DAMAGES FOR LOSS OF REVENUE, AND/OR PROFITS), WHETHER FORESEEABLE OR UNFORESEEABLE, ARISING OUT OF THIS AGREEMENT REGARDLESS OF WHETHER THE LIABILITY IS BASED ON BREACH OF CONTRACT, TORT, STRICT LIABILITY, BREACH OF WARRANTIES OR OTHERWISE, AND EVEN IF THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF THOSE DAMAGES. MEDIA COMPANY’S LIABILITY UNDER THIS AGREEMENT SHALL NOT EXCEED THE AGGREGATE FEES PAID TO MEDIA COMPANY UNDER THIS AGREEMENT DURING THE SIX (6) MONTH PERIOD PRECEDING THE DATE THAT LIABILITY FIRST AROSE”.
- The first sentence of Section XII(f) shall be replaced with the following: “Agency, Advertiser, and Media Company will post on their respective websites their privacy policies, which will abide by applicable laws, including but not limited to European Law.”
- Section XII(g) shall be replaced in its entirety with the following: “Agency, Advertiser, and Media Company will at all times comply with all federal, state, and local laws, ordinances, regulations, and codes, including but not limited to European Law, which are applicable to their performance of their respective obligations under the IO.
- The following will be added to Section XIV(d) immediately after the first sentence: “In the event of any inconsistency between the terms of the Terms and the Addendum and its Schedule A, the terms shall prevail as follows: Schedule A, the Addendum then the Terms.”
- The blank spaces reserved in Section XIV(d) shall be filled as follows:
- where the Advertiser is incorporated in the USA or Canada with the State of New York and New York County
- where the Advertiser is incorporated in Europe or the Middle East or Africa with England & Wales and London, England
- where the Advertiser is incorporated in Asia Pacific with Singapore and Singapore
- where the Advertiser is incorporated in Latin American with Brazil and Sao Paulo, Brazil.
- The attached “Schedule A” shall be incorporated into and part of this Addendum for any campaign where Collected Data or User Volunteered Data originates from the European Economic Area.”
European Law Requirements
- Definitions. As used in this Schedule A, the following terms shall have the following meanings:
“Client Data” means all Performance Data, User Volunteered Data and IO Details associated with Advertiser.
“Client Controller Purposes” means for the purposes of receiving the Services; and as is more particularly described at www.mediamath.com/legal/processingpurposes.
“MediaMath Data” means all Site Data and IO Details associated with Media Company.
“MediaMath Controller Purposes” means improving and enhancing the Services, including identifying, blocking and removing data considered to be unlawful or fraudulent; the bidding process; and as is more particularly described at www.mediamath.com/legal/processingpurposes.
“Privacy Shield” means the EU-US Privacy Shield and the Swiss-US Privacy Shield as applicable.
“Processing Activities” means processing software code (e.g., HTML5) or a web beacon (e.g., pixel tag, clear GIF) that (i) collects data regarding a user’s actions in or on a digital property that is accessible by users or a user’s interaction with an Ad or (ii) requests the delivery of an Ad to Network Properties which is placed by or on behalf of Advertiser and as more particularly described at www.mediamath.com/legal/processingpurposes.
“Security Incident” means a breach of security measures leading to accidental or unlawful destruction, loss, alteration, or unauthorized access to or disclosure of Client Data or MediaMath Data.
- Scope. The rights and obligations in this Schedule A apply to the collection, processing and sharing of personal data originating in the European Economic Area (“EEA”) by and among Media Company, Advertiser (or Advertiser’s authorized Agency on its behalf) and certain third parties (e.g. subprocessors including Affiliates of Media Company). For the purposes of this Schedule A references to Client Data shall mean any personal data incorporated in Client Data and references to MediaMath Data shall mean any personal data incorporated in MediaMath Data.
- General Obligations.
Advertiser (or Advertiser’s authorized Agency on its behalf) will ensure that it has all necessary and appropriate consents and notices in place to enable the lawful transfer of Client Data to Media Company for the duration and purposes of each IO.
- Appointment of Media Company as Advertiser’s Processor.
- The parties acknowledge that, for the purposes of European Law, Advertiser (or Advertiser’s authorized Agency on its behalf): is the data controller of Client Data and appoints Media Company as its data processor for the Processing Activities.
- Media Company shall, in relation to any Client Data processed for the Processing Activities and in connection with the performance by Media Company of its obligations under the Agreement:
- process Client Data only for the Processing Activities (or as otherwise agreed in writing);
- ensure that all personnel who have access to and/or process Client Data are obliged to keep Client Data confidential;
- only transfer Client Data out of the EEA in accordance with its Privacy Shield registration and notify Advertiser (or Advertiser’s authorized Agency) if its Privacy Shield registration expires or terminates for any reason;
- assist Advertiser (or Advertiser’s authorized Agency on its behalf), at Advertiser’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under European Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- notify Advertiser (or Advertiser’s authorized Agency) without undue delay upon becoming aware of any confirmed Security Incident relating to Client Data;
- upon written request of Advertiser (or Advertiser’s authorized Agency on its behalf), delete or return Client Data and copies thereof to Advertiser upon expiration or termination of the IO unless required by a judicial or other governmental order or by applicable law to retain some or all Client Data. This requirement shall not apply to Client Data that Media Company has archived on back-up systems;
- maintain appropriate technical and organizational measures and commercially reasonable and appropriate administrative and physical measures designed to protect Client Data from a Security Incident; and
- maintain accurate records and information to demonstrate its compliance with this clause 4(b) of this Schedule A.
- Advertiser consents to Media Company appointing subprocessors to process Client Data, such subprocessors will be listed at www.mediamath.com/legal/subprocessors, which Media Company shall update with any details of any changes at least 10 days prior to the change. Media Company confirms that it has entered or (as the case may be) will enter with the subprocessor into a written agreement requiring it to protect Client Data to the standard required by European Law. As between Advertiser and Media Company, Media Company shall remain fully liable for all acts or omissions of any subprocessor appointed by it pursuant to this clause 4(c) of this Schedule A.
- Media Company uses external auditors to verify the adequacy of its security measures, including the security of the physical data centres where Client Data is processed. The audit: (i) will be performed at least annually; (ii) will be performed according to SSAE 16 audit standard or such other alternative standard that is substantially equivalent to SSAE 16; (iii) will be performed by independent third-party security professionals at Media Company’s selection and expense; and (iv) will result in the generation of an audit report which will be Media Company’s Confidential Information. Media Company shall provide Advertiser (or Advertiser’s authorized Agency) with a copy of the report upon written request.
- Sharing of Personal Data between Advertiser and Media Company as Controller.
- Advertiser (or Advertiser’s authorized Agency on its behalf) shall disclose Client Data to Media Company on an independent controller to controller basis for the MediaMath Controller Purposes.
- Media Company shall, in relation to any Client Data processed for MediaMath Controller Purposes:
- process Client Data only for the MediaMath Controller Purposes (or as otherwise agreed in writing) and transfer the same out of the EEA in accordance with Media Company’s Privacy Shield registration;
- notify Advertiser (or Advertiser’s authorized Agency on its behalf) if its Privacy Shield registration expires or terminates for any reason;
- promptly inform Advertiser (or Advertiser’s authorized Agency on its behalf) of any request from a data subject, supervisory authority or regulator related to the processing of Client Data conducted by Media Company and cooperate as necessary to respond to such correspondence and fulfil each parties’ respective obligations under European Law;
- notify Advertiser (or Advertiser’s authorized Agency on its behalf) without undue delay on becoming aware of any confirmed Security Incident relating to Client Data;
- maintain accurate records and information to demonstrate its compliance with this clause 5(b) of this Schedule A.
- Sharing of Personal Data between Media Company and Advertiser as Controller.
- Media Company will through performance of the Services make available MediaMath Data to Advertiser (or Advertiser’s authorized Agency on its behalf) on an independent controller to controller basis for Client Controller Purposes.
- Advertiser (or Advertiser’s authorized Agency on its behalf) shall, in relation to any MediaMath Data processed for Client Controller Purposes:
- process MediaMath Data only for Client Controller Purposes (or as otherwise agreed in writing) and in accordance with the level of protection required by the Privacy Shield Principles (and if Advertiser (or Advertiser’s authorized Agency on its behalf) fails to do so, it will promptly notify Media Company in writing and remedy the breach or Media Company will have the right to suspend the Services and/or terminate the Agreement);
- maintain appropriate technical and organizational measures and commercially reasonable and appropriate administrative and physical, measures for the security and confidentiality of MediaMath Data from a Security Incident;
- ensure that all personnel who have access to and/or process MediaMath Data are obliged to keep such MediaMath Data confidential;
- not process any MediaMath Data in a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with European Law;
- promptly inform Media Company of any request from a data subject, supervisory authority or regulator related to the processing conducted by Advertiser (or Advertiser’s authorized Agency on its behalf) and cooperate as necessary to respond to such correspondence and fulfil each parties’ respective obligations under European Law;
- notify Media Company without undue delay on becoming aware of any confirmed Security Incident involving MediaMath Data; and
- maintain accurate records and information to demonstrate its compliance with this clause 6(b) of this Schedule A.
- Privacy Shield.
Media Company shall be entitled to provide a copy of this Schedule A and any other provisions of the Agreement to the US Department of Commerce, the Federal Trade Commission, any supervisory authority or regulator on their request (notwithstanding any other provision of the Agreement).