Data Processing Agreement

1. Scope and Purpose

This Data Processing Agreement ("DPA") forms part of the agreement (the "Principal Agreement") between IMC, Inc. and its affiliates ("IMC" or "Processor") and the entity that has entered into the Principal Agreement with IMC ("Client" or "Controller") for the processing of personal data in connection with IMC's advertising technology services. This DPA sets out the terms and conditions under which IMC will process personal data on behalf of the Client, in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and all other applicable data protection and privacy laws (collectively, "Data Protection Laws").

This DPA applies to the extent that IMC processes personal data on behalf of and under the instructions of the Client in the course of providing the services described in the Principal Agreement. Where IMC processes personal data as an independent controller (e.g., for its own fraud detection, platform improvement, or compliance purposes), such processing is governed by IMC's Privacy Policy and is not subject to this DPA.

2. Definitions

In this DPA, the following terms have the meanings set forth below. Terms not defined herein have the meanings given in the GDPR, UK GDPR, or other applicable Data Protection Laws:

• "Controller" means the entity that determines the purposes and means of the processing of personal data (as defined in Article 4(7) of the GDPR).
• "Processor" means the entity that processes personal data on behalf of the Controller (as defined in Article 4(8) of the GDPR).
• "Data Subject" means an identified or identifiable natural person to whom personal data relates (as defined in Article 4(1) of the GDPR).
• "Personal Data" means any information relating to a Data Subject that is processed by IMC on behalf of the Client under the Principal Agreement (as defined in Article 4(1) of the GDPR).
• "Processing" means any operation or set of operations performed on personal data, whether or not by automated means (as defined in Article 4(2) of the GDPR).
• "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data (as defined in Article 4(12) of the GDPR).
• "Sub-Processor" means any third party engaged by IMC to process personal data on behalf of the Client.
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.
• "Supervisory Authority" means an independent public authority established by an EU Member State, the UK ICO, or the Swiss FDPIC, as applicable.

3. Data Processing Obligations

IMC will:

• Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable law, in which case IMC will inform the Controller of that legal requirement before processing (unless prohibited by law);
• Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR;
• Respect the conditions for engaging sub-processors as set out in Section 6 of this DPA;
• Assist the Controller, taking into account the nature of the processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights;
• Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to IMC;
• At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data;
• Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

4. Processing Instructions

The subject matter, duration, nature, and purpose of the processing, the types of personal data processed, and the categories of Data Subjects are as described in the Principal Agreement and the following:

• Subject matter: Processing of personal data in connection with IMC's advertising technology services, including ad serving, header bidding, real-time bidding, analytics, fraud detection, and related services.
• Duration: For the term of the Principal Agreement, plus any period required for the return or deletion of personal data.
• Nature and purpose: To provide the advertising technology services described in the Principal Agreement, including serving and delivering advertisements, measuring ad performance, detecting and preventing fraud, and providing analytics and reporting.
• Types of personal data: Online identifiers (cookie IDs, device advertising IDs, IP addresses), browser and device information, behavioral data, ad interaction data, geolocation data, and audience segment data.
• Categories of Data Subjects: End users who visit or interact with the Client's digital properties.

The Controller's instructions for the processing of personal data are set out in the Principal Agreement and this DPA. The Controller may issue additional written instructions consistent with the terms of this DPA. IMC will immediately inform the Controller if, in IMC's opinion, an instruction infringes applicable Data Protection Laws.

5. Security Measures

IMC implements and maintains appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include, but are not limited to:

• Pseudonymization and encryption of personal data in transit and at rest;
• Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
• Measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures;
• Access controls and authentication mechanisms, including multi-factor authentication;
• Network security controls, including firewalls, intrusion detection and prevention systems, and network segmentation;
• Regular vulnerability scanning and penetration testing;
• Employee security awareness training and confidentiality obligations;
• Physical security controls for offices and data centers;
• Incident response and business continuity procedures;
• Logging and monitoring of access to personal data.

IMC will regularly review and update these security measures to ensure they remain appropriate to the risks presented by the processing. The Controller acknowledges that security measures are subject to technical progress and development and that IMC may update or modify these measures from time to time, provided that such updates do not materially decrease the overall level of security.

6. Sub-Processors

The Controller provides general written authorization for IMC to engage sub-processors to process personal data on behalf of the Controller. IMC will:

• Maintain a current list of sub-processors, which will be made available to the Controller upon request;
• Provide the Controller with prior written notice of at least thirty (30) days before adding or replacing any sub-processor, giving the Controller the opportunity to object to such changes;
• Enter into a written agreement with each sub-processor that imposes data protection obligations no less protective than those set out in this DPA;
• Remain fully liable to the Controller for the performance of each sub-processor's obligations.

If the Controller objects to a new sub-processor on reasonable grounds relating to data protection, IMC will use commercially reasonable efforts to make available to the Controller a change in the services or recommend a commercially reasonable change to the Controller's configuration or use of the services to avoid processing of personal data by the objected-to sub-processor. If IMC is unable to make such a change within a reasonable period of time, either party may terminate the affected services by providing written notice.

7. Data Subject Rights

IMC will assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection. IMC will:

• Promptly notify the Controller if IMC receives a request from a Data Subject to exercise their rights, unless prohibited by law;
• Not respond to such requests directly unless authorized by the Controller or required by applicable law;
• Provide the Controller with commercially reasonable cooperation and assistance in relation to handling Data Subject requests, taking into account the nature of the processing;
• Implement appropriate technical and organizational measures to assist the Controller in fulfilling its obligations to respond to Data Subject requests.

8. Data Breach Notification

IMC will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting personal data processed on behalf of the Controller. The notification will include, to the extent available:

• A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and personal data records concerned;
• The name and contact details of IMC's Data Protection Officer or other contact point where more information can be obtained;
• A description of the likely consequences of the Personal Data Breach;
• A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

IMC will cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach. IMC's notification of or response to a Personal Data Breach will not be construed as an acknowledgment of any fault or liability.

9. Data Protection Impact Assessments

IMC will provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities that the Controller reasonably considers to be required under Article 35 or 36 of the GDPR or equivalent provisions of other Data Protection Laws, in each case solely in relation to the processing of personal data by IMC on behalf of the Controller and taking into account the nature of the processing and the information available to IMC.

10. International Data Transfers

IMC will not transfer personal data to a country outside the EEA, UK, or Switzerland unless appropriate safeguards are in place in accordance with Chapter V of the GDPR (or equivalent provisions of the UK GDPR or FADP). Such safeguards may include:

• Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914);
• The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs;
• Compliance with the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. DPF;
• An adequacy decision by the European Commission, UK Secretary of State, or Swiss Federal Council;
• Binding Corporate Rules approved by a competent supervisory authority;
• Any other transfer mechanism approved under applicable Data Protection Laws.

Where the Standard Contractual Clauses are used as the transfer mechanism, they are hereby incorporated by reference into this DPA. The parties agree that the SCCs will apply to the transfer of personal data from the Controller to IMC where IMC is located in a country that does not ensure an adequate level of data protection.

11. Audit Rights

IMC will make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 of the GDPR. IMC will allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to the following conditions:

• The Controller will provide at least thirty (30) days' prior written notice of any audit;
• Audits will be conducted during normal business hours and will not unreasonably interfere with IMC's business operations;
• The Controller will bear the costs of any audit, unless the audit reveals a material breach of this DPA by IMC;
• The Controller and its auditors will be bound by confidentiality obligations with respect to any information obtained during the audit;
• Audits will be limited to once per twelve (12) month period, unless required by a supervisory authority or in the event of a Personal Data Breach;
• IMC may satisfy audit requests by providing relevant certifications, audit reports (e.g., SOC 2 Type II), or other documentation that demonstrates compliance.

12. Data Deletion and Return

Upon termination or expiration of the Principal Agreement, or upon the Controller's written request, IMC will, at the Controller's choice: (a) return all personal data to the Controller in a commonly used, machine-readable format; or (b) securely delete all personal data and certify such deletion in writing. IMC will complete the return or deletion within thirty (30) days of the request, unless applicable law requires continued storage. IMC may retain copies of personal data to the extent required by applicable law, subject to the confidentiality and security obligations of this DPA.

13. Confidentiality

IMC will ensure that any person authorized to process personal data under this DPA is subject to appropriate confidentiality obligations, whether by contract or statutory duty. IMC will limit access to personal data to those personnel who require access to perform the services under the Principal Agreement.

14. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement. Nothing in this DPA limits either party's liability to Data Subjects under applicable Data Protection Laws.

15. Term and Termination

This DPA will remain in effect for the duration of the Principal Agreement and will automatically terminate upon termination or expiration of the Principal Agreement, except that the obligations relating to the processing of personal data (including data deletion, confidentiality, and security) will survive termination to the extent necessary to complete the return or deletion of personal data and to comply with applicable law.

16. CCPA Service Provider Addendum

To the extent that IMC processes personal information (as defined by the CCPA) on behalf of the Client as a "service provider" (as defined by the CCPA), IMC will:

• Not sell or share the personal information;
• Not retain, use, or disclose the personal information for any purpose other than for the specific business purposes set forth in the Principal Agreement, or as otherwise permitted by the CCPA;
• Not retain, use, or disclose the personal information outside of the direct business relationship between IMC and the Client;
• Not combine the personal information with personal information received from or on behalf of another person or collected from IMC's own interaction with the consumer, except as permitted by the CCPA;
• Comply with applicable obligations under the CCPA and grant the Client the same level of privacy protection as required by the CCPA;
• Notify the Client if IMC determines that it can no longer meet its obligations under the CCPA;
• Allow the Client to take reasonable and appropriate steps to ensure that IMC uses the personal information in a manner consistent with the Client's obligations under the CCPA.

17. Contact Information

To request a signed copy of our DPA or for any questions regarding data processing: