Data sharing addendum
This Data Sharing Addendum (“DSA”) is entered into by and between BRAVE PEOPLE LTD. on behalf of itself and its Affiliates (“Brave”), and _____________ (the “Demand Partner”), to reflect the parties’ agreement with regard to the Processing of Shared Personal Data by the Parties. Both parties shall be referred to as the “Parties” and each as a “Party”. The Parties hereby agree that the terms and conditions set out below shall be added as an addendum to the main agreement established between the Parties (“Agreement”) and shall constitute an integral part of the Agreement.
This DSA reflects the Parties’ agreement on the Processing of Shared Personal Data in connection with the Parties’ obligations under the Agreement in accordance with Data Protection Laws. Any reference to a legal framework, statute, or other legislative enactment is a reference to it as amended or re-enacted from time to time. Brave’s privacy policy is available here.
1. Definitions.
1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 The terms “Business”, “Controller”, “Data Subject”, “Member State”, “Processor”, “Processing”, “Supervisory Authority”, “Personal Data”, “Personal Data Breach”, “Service Provider” and “Third Party” shall have the meaning ascribed to them under the relevant Data Protection Laws.
1.3 “Data Protection Laws” means the General Data Protection Regulation (“GDPR”), the e-Privacy Directive, the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR”), the California Consumer Privacy Act of 2018 and its implementing regulations, as may be amended from time to time (“CCPA”) and the Rules and Self-Regulatory Principles of the European Interactive Digital Advertising Alliance, as applicable to the Parties in relation to the Shared Personal Data hereunder and in effect at the time of the Parties’ performance hereunder.
1.4 “End-User(s)” means the individuals that interact or engage with the digital assets, websites, or apps in which the ads provided by the Demand Partner are displayed.
1.5 “Onward Transfer” means the onward transfer of Personal Data received by either of the Parties (in this case acting as a Data Importer) from the other Party (in this case acting as the Data Exporter) to a third entity.
1.6 “Privacy Signals” means End-Users’ preference regarding the processing of Personal Data, including, without limitation, “do not share or sell my personal information” under the CCPA, the Google restricted data processing “rdp”, Digital Advertising Alliance, Network Advertising Initiative, and the IAB Global Privacy Platform (“GPP”) or IAB Transparency & Consent Framework (“TCF”) signals, Global Privacy Control (“GPC”) string, or any current or future standard signal initiated by an approved consent management platform (“CMP”) which indicates the End-User’s preference with respect to Processing Personal Data and providing personalized, interest-based advertisement.
1.7 “Shared Personal Data” means the Personal Data Processed by one Party to the extent that such Party received the Personal Data from the other Party in connection with the performance of the Agreement, and as further detailed in Schedule 1 attached hereto. For the avoidance of doubt, a Party is also deemed to “receive” Personal Data from the other Party when the sharing Party grants access to such Personal Data to the receiving Party.
1.8 “SCC” shall mean (a) where the GDPR applies, the standard contractual clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCC”), or (b) where the UK GDPR applies, the International Data Transfer Addendum to the EU SCC as issued by the Information Commissioner’s Office (“UK SCC”), each as incorporated by reference under Schedule 2 attached hereto.
2. Roles and Processing of Personal Data
2.1 The Parties acknowledge and agree that regarding the Shared Personal Data, each Party is a separate and independent Data Controller, and each Party will individually determine the purposes and means of its Processing of Shared Personal Data. The Parties acknowledge and agree that they will not Process the Shared Personal Data as joint controllers (as defined in the GDPR, UK GDPR, or other Data Protection Law, as applicable). To the extent that the Demand Partner believes that any Shared Personal Data is or may be subject to a joint controller relationship, Demand Partner request Brave to execute a joint controller agreement. To the extent that the Shared Personal Data is subject to the CCPA, each Party shall be considered a Business and/or a Third Party under the CCPA, as applicable, when Processing the Shared Personal Data. For the avoidance of doubt, neither Party is a Processor/Service Provider of the other.
2.2 Each Party will comply with the obligations applicable to it under the Data Protection Laws with respect to the Processing of Shared Personal Data, including following the Privacy Signals concerning the Shared Personal Data (if any available). As required under Data Protection Laws, the Demand Partner shall disclose its Processing activities with respect to its Processing of the Shared Personal Data in its privacy policy.
2.3 The Demand Partner shall refrain from disclosing or sharing any Shared Personal Data with third parties, except as expressly permitted under the Agreement and/or this DSA. Furthermore, the Demand Partner shall promptly erase or destroy all Shared Personal Data under its control in the event of the first of the following occurrences: (i) upon the Demand Partner’s failure to secure the winning bid for an impression associated with said Shared Personal Data, (ii) subsequent to the Demand Partner delivering an advertisement in response to an ad request associated with said Shared Personal Data, or (iii) upon Brave’s (and/or the relevant publisher’s) request. Notwithstanding the foregoing, the Demand Partner shall not retain, utilize, disclose, or otherwise Process any Shared Personal Data for the purposes of profiling, tracking, re-targeting, creating segments or profiles of any End-User, Data Subject, mobile property, or publishers, either directly or indirectly, including by permitting any third party to engage in such Processing.
2.4 To the extent that the CCPA is applicable, the following shall apply: (i) without limitation to any other restriction outlined in the Agreement and/or this DSA, the disclosure of Shared Personal Data to the Demand Partner is solely for the purpose of facilitating the Demand Partner’s bidding on advertising inventory or serving advertisements via Brave services, and the Demand Partner shall Process the Shared Personal Data solely for such purposes; (ii) the Demand Partner shall adhere to the CCPA, ensuring the provision of privacy protection equivalent to that mandated for Businesses under the CCPA; (iii) the Demand Partner shall promptly notify Brave upon determining that it is unable to fulfill its obligations under the CCPA; and (iv) Brave may, upon notification, undertake reasonable and appropriate measures to cease and rectify any unauthorized processing of Shared Personal Data.
3. Data Subject Rights and Supervisory Authorities.
3.1 It is agreed that where either Party receives a request from a Data Subject with respect to the Shared Personal Data controlled by such Party, then such receiving Party shall be responsible for exercising the request, in accordance with Data Protection Laws. Upon each Party’s reasonable request, the other Party will provide reasonable assistance with respect to the exercising of Data Subjects’ requests relating to the Shared Personal Data, in order to allow the requesting Party to comply with its obligations under applicable Data Protection Laws.
3.2 If either Party is the subject of a claim by a Data Subject or a supervisory authority or receives a notice or complaint from a supervisory authority concerning the respective Processing activities of both Parties (a “DP Claim”), it shall promptly inform, to the extent permitted by law, the other Party of the DP Claim and provide the other Party with such information as it may reasonably request regarding the DP Claim. The Parties shall use all reasonable endeavors to cooperate with the aim of disputing or settling the DP Claim in a timely manner; provided always that neither Party shall make any admission or offer of settlement or compromise without using all reasonable endeavors to consult with the other Party in advance.
4. Compliance with Law and Information Requests.
4.1 Each Party must: (i) comply with its obligations under applicable Data Protection Laws and self-regulatory principles (including IAB protocol); (ii) provide all information regarding its compliance with Data Protection Laws and its data collection, protection, use, and disclosure policies and practices reasonably requested by the other Party; and (iii) promptly notify the other Party if it determines that it cannot meet its obligations under this Agreement or Data Protection Laws (including Privacy Signals).
4.2 Demand Partner shall ensure that it complies with any and all applicable Data Protection Laws with respect to the Processing of the Shared Personal Data, including regarding collection, use, or disclosure of Shared Personal Data and honor, in compliance with Data Protection Laws, applicable self-regulatory frameworks, and all Privacy Signals.
5. Security. Each Party shall comply with its applicable security requirements under Data Protection Laws for Processing Shared Personal Data. Demand Partner shall implement technical and organizational security measures to prevent (i) the accidental, unlawful, or unauthorized destruction, loss, alteration, or disclosure of, or access to, Shared Personal Data or (ii) any other security incident that amounts to a “personal data breach” (as such term or similar term is defined under Data Protection Laws) of Shared Personal Data. Security measures that shall be implemented by Demand Partner shall include pseudonymization and encryption of personal data; ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems; timely restoration of data availability after incidents; regular testing and evaluation of security measures; user identification and authorization; protection of data during transmission and storage; physical security of processing locations; event logging; system configuration; IT governance and management; certification of processes and products; data minimization; data quality assurance; limited data retention; accountability measures; data portability; and erasure.
6. Confidentiality and Training. The Demand Partner shall ensure that the Shared Personal Data is kept confidential, and its personnel engaged in the Processing of Shared Personal Data have committed themselves to confidentiality obligations and have undergone appropriate privacy and security training. Demand Partner shall ensure that all its employees, staff, and consultants involved in the Processing of the Shared Personal Data adhere strictly to the provisions delineated in this DSA and/or the Agreement.
7. Cross-Border Transfers.
7.1 Applicable Data Protection Laws in certain jurisdictions may require additional and/or different safeguards or transfer mechanisms to facilitate cross-border transfers. In such a case, the Parties agree to respect and implement such additional safeguards or adopt such transfer mechanisms, as appropriate and necessary.
7.2 Either Party may transfer Shared Personal Data from the EEA or UK to a destination outside of these, provided that it complies with applicable provisions regarding the transfer of Personal Data to countries outside the EEA or UK under Data Protection Laws (such as where the transfer of Personal Data is to an Approved Jurisdiction or through the use of SCC, as incorporated by reference in Schedule 2, or other applicable frameworks). Where and to the extent that the SCC apply pursuant to this Section 7, Demand Partner will be referred to as the “Data Importer” and Brave will be referred to as the “Data Exporter.” If there is any conflict between this DSA and the SCC, the SCC shall prevail.
7.3 In the event of any Onward Transfer by the Data Importer, it shall procure that the person or entity to which the Shared Personal Data is disclosed or otherwise made available upon the Onward Transfer provides sufficient guarantees to protect the Shared Personal Data and observes no less onerous obligations as those imposed on the Data Importer under the original relevant transfer.
8. Transfers of bulk U.S. sensitive personal data.
8.1 The parties agree that the Services may involve data transactions subject to the restrictions on onward transfers of bulk U.S. sensitive personal data, as set forth in Section 202.302 of the Department of Justice Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the “DOJ Rule”). All terms in this section have the definitions assigned to them under the DOJ Rule.
8.2 Demand Partner represents and warrants that it is not a covered person or country of concern. Demand Partner will immediately notify Brave if it foresees a change that would cause it to become such a covered person or country of concern.
8.3 Demand Partner shall not, without prior written consent from Brave, transfer, disclose, sell, resell, sublicense, or similar commercial transaction or otherwise permit access to any bulk U.S. sensitive personal data to: a) any individual or entity located in a country of concern; b) any covered person; or c) any third party that intends to, or is likely to, transfer the data to a country of concern or a covered person. Demand Partner shall not engage in any activity or conduct that would result in a violation of the DOJ Rule by Demand Partner or Brave.
8.4 Demand Partner agrees to implement compliance measures to prevent unauthorized transfers, including by: a) conducting thorough due diligence on all third parties to whom it transfers bulk U.S. sensitive personal data, b) ensuring that all third parties are contractually bound to comply with the restrictions outlined in this clause; and c) regularly auditing data transfer practices to ensure adherence to this agreement.
8.5 In the event of a suspected or actual breach of this clause, including if Demand Partner knows or suspects that a country of concern or covered person has gained access to bulk U.S. sensitive personal data, Demand Partner shall: a) immediately notify Brave in writing; b) provide detailed information about the nature and scope of the breach; and c) cooperate fully with Brave in investigating and mitigating the effects of the breach.
9. Termination. The Parties agree that this DSA and, if applicable, the SCC shall terminate automatically upon (i) termination or expiration of the Agreement; or (ii) as agreed upon between the Parties, whichever is earlier. Sections 2.1, 8, and 9 and Brave’s remedies under law or equity in connection with Demand Partner’s breach of this DSA and/or violation of Data Protection Laws shall survive the termination of the Agreement and/or this DSA for any reason.
10. General. Each Party may request in writing variations to this DSA if they are required as a result of any change in, or decision of a competent authority under Data Protection Laws, to allow Processing of Shared Personal Data to be made (or continue to be made) in accordance with the Agreement and/or this DSA without breach of those Data Protection Laws. The Parties shall make commercially reasonable efforts to accommodate such modifications requested by a Party. To the maximum extent permitted by law, this DSA shall be governed by the laws governing the Agreement, except for those provisions of clauses which dictate the application of another law for particular purposes. Capitalized terms not defined herein shall have the meaning ascribed to them in the Agreement. In the event of any conflict between certain provisions of this DSA and the provisions of the Agreement, the provisions of this DSA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Shared Personal Data. In the event of a conflict between this DSA and the SCC (as defined below), the SCC will prevail solely with regard to international transfers of Shared Personal Data, where the SCC are applicable. This DSA may not be assigned, transferred, delegated, sold, or otherwise disposed of, including without limitation by operation of law, without the prior written consent of the non-assigning party; provided that either party may assign this DSA to a successor without such consent in connection with a merger, acquisition, consolidation, similar transaction, or the sale of all or substantially all its assets. 
Notwithstanding anything to the contrary in the Agreement or any agreement between the Parties, the Demand Partner shall indemnify, defend, and hold harmless Brave against all losses, fines, penalties, costs, and expenses and sanctions arising from any claim of any kind by a Data Subject, third party, or Supervisory Authority related to the Shared Personal Data, or arising from or related to any breach of this DSA and/or violation of Data Protection Laws and/or a personal data breach occurring in the Demand Partner’s (and its Affiliates’) and/or their vendors’ and service providers’ systems. Notwithstanding anything to the contrary in the Agreement or any agreement between the Parties, the Demand Partner’s liability related to the Shared Personal Data, or for any breach of or related to this DSA, violation of Data Protection Laws, and/or a personal data breach occurring in the Demand Partner’s (and its Affiliates’) and/or their vendors’ and service providers’ systems shall be unlimited.
SCHEDULE 1 – DETAILS OF THE SHARED PERSONAL DATA
Purpose of Data Sharing
The Parties share Personal Data for the purposes stipulated in the Agreement and/or this DSA, among others, for placing ads, including personalized or contextual ads, as applicable, optimization, ad serving, etc.
Nature of the Processing
Collection, storage, organization, analysis, modification, retrieval, disclosure, communication, and other uses in performance of the Services as set out in the Agreement.
Duration of the Processing
Continuous and as necessary for the performance of the Services.
Categories of Data Subjects
End-Users to whom ads are displayed.
Sensitive Personal Data
None.
Type of Personal Data Shared
IP addresses, Geolocation (including country, region, city, zip code, latitude, and longitude (if available)), language, IFV and IFA (e.g., IDFA/AAID or any other related device IDs), Privacy String, cookies data or unique identifiers, information about End-Users’ devices (device type, model, operating system), and any other information that the SSP/Publisher makes available and shares with Brave to be passed on to Demand Partner.
Process Frequency
Demand Partner will not retain the Shared Personal Data longer than permitted under this DSA as strictly necessary for performance of the Services.
For transfers to (sub-)processors, also specify subject matter, nature and duration of the Processing
The Shared Personal Data transferred may be disclosed solely to the following recipients: Strictly necessary service providers and advertisers that Demand Partner uses in connection with the provision of the Services described under the Agreement. The duration of Processing will align with the data retention period described above.
SCHEDULE 2 – CROSS BORDER TRANSFERS
PART 1 – EEA Cross Border Data Transfers
1. The Parties agree that to the extent the EU SCC applies, it is hereby incorporated by reference as follows:
2. Module One (Controller to Controller) of the EU SCC shall apply where the applicable transfer is effectuated between the Parties, each as an independent and separate data controller of the Shared Personal Data.
3. Clause 7 of the EU SCC (Docking Clause) shall not apply.
4. In Clause 11 of the EU SCC, the optional language will not apply.
5. With respect to Clause 17 of the EU SCC, the Parties agree that the SCC shall be governed by the laws of the Republic of Ireland.
6. In Clause 18(b) of the EU SCC, disputes will be resolved before the courts of the Republic of Ireland.
7. Annex I.A of the EU SCC shall be completed as follows:
Data Exporter: Brave
Contact details: As detailed in the Agreement.
Data Exporter Role: The Data Exporter is an independent and separate data controller.
Signature and Date: By entering into the Agreement and DSA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Data Importer: Demand Partner
Contact details: As detailed in the Agreement.
Data Importer Role: The Data Importer is an independent and separate data controller.
Signature and Date: By entering into the Agreement and DSA, the Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
8. Annex I.B of the EU SCC shall be completed as follows:
The categories of data subjects, personal data, frequency of the transfer, nature of the processing, purpose of the processing, and duration are described in Schedule 1 (Details of Processing) of this DSA.
9. Annex I.C of the EU SCC shall be completed as follows:
The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 5 above.
10. Annex II of the EU SCC: The technical security measures are detailed under “Part 4” below.
PART 2 – UK Cross-Border Data Transfers
The Parties have agreed that to the extent the UK SCC applies, it is hereby incorporated by reference as follows:
The UK SCC is hereby incorporated by reference:
Table 1: The Parties: as detailed in the Agreement.
Table 2: Selected SCCs, Modules, and Selected Clauses: as detailed in Part 1.
Table 3: Appendix Information: as set out in the Annexes to Part 1.
Table 4: Neither Party will be entitled to terminate the UK SCCs in accordance with Clause 19 of the UK Mandatory Clauses.
PART 3 – Additional Safeguards
Security Measures: Demand Partner shall implement and maintain current and appropriate technical and organizational measures to protect the Shared Personal Data against accidental, unauthorized, or unlawful Processing and against accidental loss, destruction, damage, alteration, disclosure, or access, as set forth below:
- Demand Partner shall provide third-party attestation of static or dynamic application security testing or penetration testing on all software or systems Processing Shared Personal Data, remediate any identified high vulnerabilities, and provide written remediation plans for medium and low vulnerabilities.
- Demand Partner shall maintain a level of security appropriate to the harm that may result from any unauthorized or unlawful Processing or accidental loss, destruction, damage, denial of service, alteration, or disclosure of Shared Personal Data as appropriate to the nature of the Shared Personal Data Processed.
- Demand Partner shall oblige its employees, agents, or other personnel to whom it provides access to the Shared Personal Data to keep it confidential; take reasonable steps to ensure the integrity of any employees who have access to Shared Personal Data; and provide annual training to staff in order to meet the security requirements contained herein.
- Demand Partner shall maintain measures designed to ensure the ongoing confidentiality, integrity, availability, and resilience of its systems and services.
- Demand Partner shall adhere to password policies for standard and privileged accounts consistent with industry best practices.
- Demand Partner shall ensure that only those personnel who need access to Shared Personal Data are granted access, that such access is limited to the least amount required, and that it is granted only for the purposes of performing the services and obligations under this DSA.
- Demand Partner shall maintain a physical security program that is consistent with industry best practices.
- Demand Partner shall ensure that any storage media (whether magnetic, optical, non-volatile solid state, paper, or otherwise capable of retaining information) that captures Shared Personal Data, if applicable, is securely erased or destroyed before repurposing or disposal.