Supplemental terms to Wunder Data Processing Addendum
The purpose of these Wunder Data Processing terms (“Terms”) is to ensure that the parties execute the Agreement in accordance with Data Protection Laws and specifically to ensure that any cross-border transfers of Personal Data are conducted in accordance with Data Protection Laws, including but not limited to the GDPR and with due respect for the rights and freedoms of individuals whose Personal Data are Processed.
These Terms are incorporated by reference into the data processing addendum or other similar data processing agreement (the “DPA”) that further modifies or is incorporated by reference into the platform or services agreement (“Agreement”) currently in place between Company (as defined in the applicable DPA) and Wunderkind Corporation d/b/a Wunder (“Wunder” formerly known as Bounce Exchange, Inc. or BounceX).
The parties agree to comply with the following provisions with respect to any Personal Data of Data Subjects located in the European Economic Area, Switzerland, the United Kingdom, Argentina, Brazil or other jurisdiction which places rules and/or restrictions on cross-border transfers of data (each, a “Restricted Data Transfer Jurisdiction”) Processed in connection with the Agreement and/or which requires a specific legal mechanism (a “Transfer Mechanism”) in order to effectuate such cross-border transfer in accordance with Data Protection Laws. References to the Agreement will be construed as including the DPA and these Terms. All terms not otherwise defined herein shall have the meanings ascribed to them in the Agreement or DPA. Except as amended by these Terms, the Agreement will remain in full force and effect. Capitalized terms used but not defined in these Terms have the same meanings as set out in the DPA and the Agreement. To the extent that these Terms differ from those in the Agreement and/or DPA, the terms of these Terms shall govern.
1.1 Wunder may, subject to these Terms, store and process the relevant Personal Data in the European Economic Area, the United Kingdom and the United States.
1.2 If the Services involve the storage and/or Processing of Customer’s Personal Data which transfers such Personal Data out of the European Economic Area or Switzerland to a jurisdiction that does not have adequate Data Protection Laws, and the Data Protection Laws apply to the transfers of such data, the parties agree that the EU Commission Implementing Decision (EU) 2021/914 and available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (as amended or updated from time to time) (“Standard Contractual Clauses”) will apply and such Standard Contractual Clauses shall be incorporated by reference and form an integral part of this DPA. Purely for the purposes of the descriptions in the Standard Contractual Clauses and only as between Customer and Wunder, the parties agree that: (a) Roles of the Parties: Customer is a Data Controller and “data exporter” and Wunder is the Data Processor and “data importer” under the Standard Contractual Clauses, (b) Governing Law and Supervisory Authority: The Standard Contractual Clauses shall be governed by the law of the EU Member State in which the data exporter is established and enforced by the Supervisory Authority of such EU Member State; (c) Sub-Processors: the parties select general written authorization for Sub-processors; (d) Redress: The parties elect to omit the optional text; and (e) Annex I, II and III are provided at the end of this DPA as Appendix A and to the extent that there’s a conflict as between the DPA and the Appendix A, the Appendix A shall govern.
1.3 If the Services involve the storage and/or Processing of UK Personal Data which transfers UK Personal Data out of the United Kingdom to a jurisdiction that does not have adequate data protection laws, and the Data Protection Laws apply to the transfers of such data, both parties agree that the Standard Contractual Clauses for transfers reflecting the roles of the parties as described in the DPA in the form approved by the UK Information Commissioner’s Office and currently available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf (as amended or updated from time to time) (“UK Standard Contractual Clauses”) shall be incorporated by reference and form an integral part of this DPA. For the purposes of the UK Standard Contractual Clauses, Annex I, Annex II and Annex III of these Terms shall take the place of Annex 1a/Annex 1b, Annex II and Annex III respectively of the UK Standard Contractual Clauses.
1.4 If the Services involve the storage and/or Processing of Personal Data from data subjects located in Argentina which transfers such Personal Data out of Argentina to a jurisdiction that does not have adequate data protection laws, and the Data Protection Laws apply to the transfers of such data, both parties agree that the Argentina Standard Contractual Clauses for transfers reflecting the roles of the parties as described in this DPA in the form approved by the Agencia de Acceso a la Información Pública (“AAIP”) and currently available at http://servicios.infoleg.gob.ar/infolegInternet/anexos/265000-269999/267922/norma.htm (as amended or updated from time to time) (“Argentina Standard Contractual Clauses”) shall be incorporated by reference and form an integral part of this DPA. For the purposes of the Argentina Standard Contractual Clauses, Annex I and Annex II of these Terms shall take the place of Appendix 1 and Appendix 2 respectively.
1.5 If the Services involve the storage and/or Processing of Personal Data governed under a Restricted Data Transfer Jurisdiction not listed above (e.g., Brazil) which transfers Personal Data out of such Restricted Data Transfer Jurisdiction to a jurisdiction that does not have adequate data protection laws, and Data Protection Laws apply to the transfers of such data, both parties agree that the Standard Contractual Clauses for transfers reflecting the roles of the parties as described in the DPA in the form approved by the European Commission and currently available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en (as amended or updated from time to time) (“Old Standard Contractual Clauses”) shall be incorporated by reference and form an integral part of this DPA until such time as such Restricted Data Transfer Jurisdiction formally approves a data transfer mechanism at which point the parties shall execute and/or apply such data transfer mechanism. For the purposes of the Old Standard Contractual Clauses, Annex I and Annex II of these Terms shall take the place of Appendix 1 and Appendix 2 respectively.
1.6 If any of the Transfer Mechanisms described above are deemed invalid by a governmental entity with jurisdiction over such Restricted Data Transfer Jurisdiction (e.g., the EU Court of Justice with respect to the EEA) or if such governmental entity imposes additional rules and/or restrictions regarding such Personal Data, the parties agree to work in good faith to find an alternative Transfer Mechanism and/or modified approach with respect to such transferred Personal Data which is in compliance with Data Protection Laws.
1.7 To the extent Company is the recipient of Personal Data from one or more Restricted Data Transfer Jurisdictions from Wunder pursuant to these Terms, Company will provide at least the same level of protection for the information as is available under the applicable data Transfer Mechanism(s) outlined above in compliance with Applicable Laws.
1.8 These Terms will remain in effect until the termination or expiration of the Agreement between the parties.
U.S. Data Processing Agreement Addendum
This Wunder (the “Supplier”) U.S. Data Processing Addendum (“DPA”) is incorporated by reference into any and all services agreements, order forms, insertion orders and addendums currently in place between Company and Wunderkind Corporation d/b/a Wunder (the “Agreement(s)”). This U.S. DPA applies to the Processing of Personal Information in connection with the Services provided to the Company and the Company’s Affiliates.
a. “Affiliate” means an entity that owns or controls, is owned or controlled by or is under common control or ownership with either Company or Supplier respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
b. “Applicable Privacy Laws” means any U.S. state or federal privacy or security law and/or self-regulatory code that are in effect during the Term, and which apply to Personal Information processed pursuant to the Agreement, including but not limited to the Virginia Consumer Data Protection Act, the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Protection Act, the Utah Consumer Privacy Act, each as amended, replaced or supplemented from time to time, and all subordinate legislation made under them, together with any codes of practice, regulations or other guidance issued by the governments, agencies, data protection regulators, or other authorities in the relevant countries, states or other jurisdictions, and (to the extent applicable to the parties) the NAI and DAA self-regulatory codes.
c. “Approved Sub-processor” means a third-party entity that processes data on behalf of and as specifically directed by Supplier pursuant to a written contract and is thereby bound by obligations that are substantially similar to the obligations set out in this DPA. A list of Approved Sub-processors is available at https://www.wunder.co/privacy/data-subprocessors/
d. "Company" means Wunder client and its Affiliate companies worldwide.
e. "Personal Information" or "Personal Data" shall mean: (1) any information relating to an identified or identifiable natural person or household; and (2) any information defined as “personally identifiable information,” “personal information,” “personal data” or similar terms as such terms are defined under Applicable Privacy Laws.
f. "Company Personal Information" shall mean the Personal Information provided by Company which Supplier Processes in connection with Services provided by Supplier. Such individuals may include, but are not limited to, Company's current or prospective customers and site/app visitors, consumers, employees, contractors or business partners.
g. “Company Third Party Partner” means any entity, exclusive of Supplier, engaged by Company for the processing of Personal Information.
h. “Data Subject” means any person or household as defined by Applicable Privacy Laws.
i. “Process” or “Processing” means any set of operations performed upon Personal Information, whether or not by automatic means, including the following activities: collect, retain, process, transfer, share or otherwise use.
j. "Incident" means the known accidental or unlawful destruction, loss, alteration, unauthorized disclosure of Personal Information, or access to, transmission of, storage of, or otherwise processing by Supplier or a Sub-processor of Supplier.
k. “Sensitive Information” means information defined as “sensitive” or “special category” about an individual or household under Applicable Privacy Laws, including but not limited to: financial account numbers, insurance plan numbers, precise information about health or medical conditions, medical records or pharmaceutical prescriptions, government-issued identifiers (such as a Social Security number), race, ethnicity, religion, trade union membership, sexual orientation, genetic or biometric information and precise location information such as GPS coordinates.
l. “Service Provider” means the Processing of Company Personal Information by Supplier as directed by Company and for no other purpose as defined under Applicable Privacy Laws whereby Service Provider does not sell or share such information unless directed in writing by Company.
2. Mutual Warranties:
3. The Nature of Data Processed:
Company Personal Information shall include email addresses (which will be de-identified and/or rendered as pseudonymous personal information by Supplier) and/or pseudonymous user IDs (e.g., cookie ID, HEM or MAID) and logfile data collected via Company websites, mobile applications or other forms of digital media.
4. The Business Purpose(s):
Supplier shall provide the Services as described in the Agreement only for the following business purpose(s): (a) providing advertising and marketing services, (b) undertaking internal research for technological development and demonstration, (c) operating the Program, and (d) undertaking activities to verify or maintain the quality or safety of a Service that is manufactured for Company, and to improve, upgrade, or enhance the Service. Each of the below is deemed a “Permitted Purpose” of Company Personal Information where Supplier is a Service Provider as indicated on the applicable order form:
The Ad Serving Platform - Company Personal Information is used to help Company better understand how Company websites are being utilized, draw insights on how to better engage Company’s site visitors, to deliver more relevant advertising messages based upon those site visits, and to provide Company with ad delivery reports.
The Behavioral Automation Platform - Company Personal Information is used to target ads and emails powered by data that each Company collects from direct interactions with its customers and/or site visitors.
The Identity Platform - Company Personal Information is used to generate a pseudonymous ID in order: (i) to help us understand whether two devices are likely to be used by the same User or household, (ii) enable Company to onboard demographic data and other data onto profiles linked to a User or household, and (iii) purchase digital media as directed by Company.
The Performance Advertising Platform - Personal Information is used to create and utilize interest segments to target and deliver ads as well as report on ad campaigns run by Company. To the extent that Company provides profile data, such data is Company Personal Information and shall only be used for the benefit of Company.
The Audiences Platform - Company Personal Information is used to provide a customer data platform that enables Company to unify its information for analytics and market research purposes and to send targeted email, text (e.g., SMS/MMS) marketing messages using such information.
5. Consumer Integrity Program.
Company grants to Supplier the right to access and use data derived from Company Personal Information (including pseudonymous identifiers) (the “Program Data”) in connection with the provision of its device and consumer integrity program (the “Program”) in which Company and other companies participating in the Program (together, the “Participants”) permit Supplier additional rights to collect and use data generated by Company’s use of Platforms and Services to better identify the end-users of Participants’ websites for the benefit of Company and other Participants in the Program. A Participant’s cookie or other first-party ID data included in the Program Data will not be accessed by or transferred to any other Participant. Company also grants Supplier the right to disclose Program Data for use in connection with the Program and related Supplier services, as long as any disclosure of such data is aggregated, anonymized or otherwise does not individually identify Company. Supplier is not obligated to disclose to Company the identity of any Participant. Company must cease all use of Program Data upon notification by Supplier. As between Supplier and Company, Supplier will own all rights in and to all Program Data and shall use Program Data in accordance with Applicable Privacy Laws.
6. Supplier Warranties:
Supplier agrees that: a) it shall Process all Personal Information using the same standard commercially reasonable care as Company to ensure the protection of such data in compliance with Applicable Privacy Laws; b) except as specifically allowed under Applicable Privacy Laws, it shall not Process Company Personal Information except for the specific Business Purposes described herein unless as required by law or a government authority (in which case Supplier shall use its reasonable efforts to notify Company before such disclosure or as soon thereafter as reasonably possible); c) except as specifically allowed under Applicable Privacy Laws, it shall not Process (for purposes of clarity, such Processing may not include the sale, transfer to a third-party or combination with other data) Company Personal Information for any commercial purpose outside of the direct business purpose except to provide the Services; and d) except for Approved Sub-processors, it shall only transfer Company Personal Information to a third-party, including a Company Third-Party Partner as specifically directed by Company. Any Approved Sub-processors will be permitted to obtain Company Personal Information only to deliver the Services Supplier has retained them to provide. Supplier shall remain fully liable for all acts or omissions of its Approved Sub-processors.
7. Company Warranties:
8. Data Retention
Supplier shall retain Company Personal Information only for as long as necessary to provide Services to Company. Upon termination of the parties’ Agreement for any reason, Supplier shall erase, delete, or destroy all or any part of such Company Personal Information in accordance with Supplier’s policy.
a. Information Security Standard. Supplier agrees that it will use commercially reasonable efforts to maintain administrative, technical, and physical safeguards that are no less rigorous than industry standard practices to ensure the security and confidentiality of Personal Information, protect against any anticipated threats or hazards to the confidentiality, availability or integrity of Personal Information, and protect against unauthorized access, use, or alteration of Personal Information.
b. Written Information Security Program. Supplier shall maintain, in writing, reasonable security procedures and practices (“Written Information Security Program” or “WISP”) that are necessary to protect Personal Information within its control from unauthorized access, destruction, use, modification, or disclosure. Without limiting the generality of the foregoing statement, the WISP shall at a minimum encompass each of the elements set forth below:
i. physical, administrative and technological controls;
ii. security training and oversight;
iii. written plans to assess and manage system failures and change controls;
iv. regular assessments of security risks and measures to prevent and detect unauthorized access;
v. collection, maintenance, transmittal and disposal of any Company Personal Information; and
vi. notice and incident response procedures.
c. Incident Procedures.
Any Incident involving the nonencrypted or nonredacted Company Personal Information as defined under section 1798.81.5(d)(1) of the California Civil Code (each a “Reportable Incident”) shall be subject to the following procedures:
i. Supplier shall notify Company without undue delay (within 48 hours) of any Reportable Incident by sending an email with all available and relevant details to Company’s designated email address(es).
ii. Supplier shall investigate the Reportable Incident, and provide reasonable and necessary cooperation with Company, including facilitating interviews with relevant personnel, making available all relevant records, logs, files, data reporting and other materials, and providing Company with reasonable physical access to the facilities affected.
iii. Unless required by law, Supplier shall not inform any third party of any Reportable Incident without first obtaining Company’s prior written consent, other than to inform a complainant that the matter has been forwarded to Company’s legal counsel.
iv. Following a Reportable Incident, Supplier shall document responsive actions taken in connection with the Incident and shall conduct a post-breach review of events and actions taken, if any, to make changes in security practices and procedures to prevent such Incident from occurring again in the future.
d. Incident Remediation. Supplier shall use its commercially reasonable efforts to mitigate and remedy any Incident and prevent any further Incident at its sole expense.
e. Third Party notification. Supplier agrees that, unless applicable law states otherwise, Company shall have the sole right to determine (i) whether notice of the Reportable Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in Company’s discretion, (ii) the contents of such notice, and (iii) whether any type of remediation may be offered to affected persons, as well as the nature and extent of any such remediation. Supplier agrees to reimburse Company for reasonable costs described in this section for Reportable Incidents and/or as required by applicable law.
Once per year, Company (or its appointed representatives) may carry out an audit of Supplier's operations and facilities at Company’s expense and during normal business hours and subject to reasonable prior notice where Company considers it necessary or appropriate (for example, without limitation, where Company has reasonable concerns about Supplier’s compliance with Applicable Privacy Laws, following a Reportable Incident or following instruction from a data protection authority). To request an audit, Company must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to firstname.lastname@example.org. The auditor must be approved in advance by Supplier (such approval may not be unreasonably withheld) and execute a written confidentiality agreement acceptable to Supplier before conducting the audit.
11. Data Subject Requests:
a. Supplier shall, at no additional cost, assist Company to provide appropriate technical and organizational measures, and any necessary product features and functionality to allow the Company to effectively fulfill its obligations to respond to Data Subject requests for information, access, correction, rectification, restriction, portability, objection, and deletion requests pertaining to Company Personal Information as required under Applicable Privacy Laws (each, a “Data Subject Request”). At the direction of a Company, Supplier shall promptly, and in any event within thirty (30) days, unless otherwise agreed in writing, completely respond to and fulfill a Company’s request for further Data Subject Request assistance.
b. Supplier shall maintain complete and accurate records in connection with each of Company’s Data Subject Requests.
c. Supplier shall notify the Company of any Data Subject Requests that it receives, without responding to the individual except to acknowledge receipt of the Data Subject Request.
Both parties agree to notify the other party within five (5) business days if it (i) has reason to believe that it is unable to comply with any of its obligations under this DPA and it cannot cure this inability to comply within a reasonable timeframe; or (ii) becomes aware of any circumstances or change in Applicable Privacy Laws that is likely to prevent it from fulfilling its obligations under this DPA. Upon Company’s reasonable request, Supplier will provide the following to Company to demonstrate Supplier’s processing of Company Personal Information consistent with the parties’ respective obligations under the CCPA: (a) a copy of a certificate issued for security verification reflecting the outcome of an audit conducted by an independent third-party auditor; or (b) any other information the Parties agree is reasonably necessary for Company to verify Supplier’s processing is consistent with Company’s obligations under the CCPA, such as an attestation. If this DPA, or any actions to be taken or contemplated to be taken in performance of this DPA, does not or would not satisfy either party’s obligations under such Applicable Privacy Laws, the Parties will negotiate in good faith an amendment to this DPA. If such negotiations fail, Company reserves the right to take reasonable and appropriate steps to stop and remediate any non-compliance or unauthorized processing of Company Personal Information, including by terminating the Agreement without penalty.
The term of this Addendum commences as of the Addendum Effective Date and will end upon Supplier’s secure destruction (to be confirmed in writing) of all Company Personal Information Processed by Supplier under the Agreement.
IN WITNESS of which the parties have executed this Agreement on the date set out above.
|WUNDERKIND CORPORATION |||COMPANY|