Data sharing addendum

This Data Sharing Addendum (“DSA”) is entered into by and between BRAVE PEOPLE LTD. on behalf of itself and its Affiliates (“Brave”), and _____________ (“Supply Partner”), to reflect the parties’ agreement with regard to the Processing of Shared Personal Data by the Parties. Both parties shall be referred to as the “Parties” and each, a “Party”.

The Parties hereby agree that the terms and conditions set out below shall be added as an addendum integral to the main agreement established between the Parties (“Agreement”). Capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the Agreement. This DSA reflects the Parties’ agreement on the Processing of Shared Personal Data in connection with the Parties’ obligations under the Agreement in accordance with Data Protection Laws. Any reference to a legal framework, statute, or other legislative enactment is a reference to it as amended or re-enacted from time to time. Brave’s privacy policy is available here.

1. Definitions. 
   1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
   2. The terms “Controller,” “Business,” “Data Subject,” “Member State,” “Processor,” “Processing,” “Supervisory Authority,” “Personal Data,” “Personal Data Breach,” “Service Provider,” and “Third Party” shall have the meaning ascribed to them under Data Protection Laws. 
   3. “Data Protection Laws” means the General Data Protection Regulation (“GDPR”), the e-Privacy Directive, the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR”), the California Consumer Privacy Act of 2018 and its implementing regulations, as may be amended from time to time (“CCPA”), and the Rules and Self-Regulatory Principles of the European Interactive Digital Advertising Alliance, as applicable to the Parties in relation to the Shared Personal Data hereunder and in effect at the time of the Parties’ performance hereunder.
   4. “End-User(s)” means the individuals who interact or engage with the digital assets, websites, or apps in which the ads provided by Brave on behalf of advertisers and demand-side platforms are displayed.
   5. “Onward Transfer” means the onward transfer of Personal Data received by either of the Parties (in this case acting as a Data Importer) from the other Party (in this case acting as the Data Exporter) to a third entity.
   6. “Privacy Signals” means End-Users’ preference regarding the processing of Personal Data, including, without limitation, “do not share or sell my personal information” under the CCPA, the Google restricted data processing “rdp,” Digital Advertising Alliance, Network Advertising Initiative, and the IAB Global Privacy Platform (“GPP”) or IAB Transparency & Consent Framework (“TCF”) signals, Global Privacy Control (“GPC”) string, or any current or future standard signal initiated by an approved consent management platform (“CMP”) which indicates the End-User’s preference with respect to Processing Personal Data and providing personalized, interest-based advertisement.
   7. “Shared Personal Data” means the Personal Data Processed by Brave to the extent that Brave received the Personal Data from the Supply Partner in connection with the performance of the Agreement, and as further detailed in Schedule 1 attached hereto. For the avoidance of doubt, Brave is also deemed to “receive” Personal Data when the Supply Partner grants access to such Personal Data to Brave.
   8. “SCC” shall mean (a) where the GDPR applies, the standard contractual clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCC”), or (b) where the UK GDPR applies, the International Data Transfer Addendum to the EU SCC as issued by the Information Commissioner’s Office (“UK SCC”), each as incorporated by reference under Schedule 2 attached hereto.
2. Roles and Processing of Personal Data
   1. The Parties acknowledge and agree that with regard to the Shared Personal Data, each Party is a separate and independent Data Controller, and each Party will individually determine the purposes and means of its Processing of Shared Personal Data. To the extent that the Supply Partner considers that any Processing of Shared Personal Data by the Parties is or could be considered as joint controllers (as defined in the GDPR, UK GDPR, or other Data Protection Law, as applicable), then the Supply Partner shall request Brave by email at [email protected] for a joint controller agreement to be executed between the Parties. Supply Partner shall be solely and fully responsible and liable for any such breach, violation, infringement, and/or Processing by Brave of the Shared Personal Data without a joint controller agreement in place (when necessary and required) and shall defend, indemnify, and hold Brave harmless in the event of any claim of any kind related to any such breach, violation, or infringement arising from, or related to, any and all losses, penalties, fines, damages, liabilities, settlements, costs, and expenses, including reasonable attorneys’ fees. To the extent that the Shared Personal Data is subject to the CCPA, the Parties shall each be considered a Business and/or a Third-Party under the CCPA, as applicable, when Processing the Shared Personal Data. 
   2. Each Party will comply with the obligations applicable to it under the Data Protection Laws with respect to the Processing of Shared Personal Data, including the collection, monitoring, maintenance, record-keeping, and technical feasibility of Privacy Signals concerning the Shared Personal Data.
   3. Section ‎2.1 will not affect any restrictions on either Party’s rights to use or otherwise Process Shared Personal Data under the Agreement.
   4. Neither Party shall share any Personal Data with the other Party: (i) that allows Data Subjects to be directly identified (for example, by reference to their name and e-mail address); (ii) which is or could be considered sensitive Personal Data (including, without limitation, individual’s racial or ethnic origin, political opinions, religious or philosophical affiliation or beliefs, trade-union membership, health, sex life or sexual orientation, criminal convictions or alleged commission of an offense, genetic data, biometric data, government-issued identifiers, financial account information, protected health information, account log-in credentials, the contents of user communications, precise geolocation information, or any other information that could be considered sensitive Personal Data under Data Protection Laws);(iii) that contains Personal Data relating to children under 16 years. Supply Partner may not use the services to serve interest-based advertising to children as defined under Data Protection Laws; and/or (iv) that is obtained from websites, mobile apps, or other forms of media which are “covered entities” under the Health Insurance Portability and Accountability Act (“HIPAA”). 
   5. To the extent that the Shared Personal Data is subject to the CCPA, the Parties acknowledge that: (1) they are selling and/or sharing the Shared Personal Data with one another solely for the purposes set forth in the Agreement and this DSA; (2) they will inform one another if either Party determines that it cannot meet its obligations concerning the Shared Personal Data under the CCPA; and (3) either Party can take reasonable and appropriate steps to stop and remediate unauthorized use of the Shared Personal Data.
3. Data Subject Rights and Supervisory Authorities.
   1. Subject to Section ‎4.4, it is agreed that where either Party receives a request from a Data Subject with respect to the Shared Personal Data, the receiving Party shall be responsible for exercising the request in accordance with Data Protection Laws. Upon each Party’s reasonable request, the other Party will provide reasonable assistance with respect to the exercising of Data Subjects’ requests relating to the Shared Personal Data, in order to allow the requesting Party to comply with its obligations under applicable Data Protection Laws.
   2. If either Party is the subject of a claim by a Data Subject or a supervisory authority, or receives a notice or complaint from a supervisory authority concerning the respective Processing activities of both Parties (a “DP Claim”), it shall promptly inform, to the extent permitted by law, the other Party of the DP Claim and provide the other Party with such information as it may reasonably request regarding the DP Claim. The Parties shall use all reasonable endeavors to cooperate with the aim of disputing or settling the DP Claim in a timely manner; provided always that neither Party shall make any admission or offer of settlement or compromise without using all reasonable endeavors to consult with the other Party in advance.
4. Compliance with Law and Information Requests. 
   1. Supply Partner shall ensure that it: (i) provides all information regarding its compliance with Data Protection Laws and Privacy Signals and its data collection, protection, use, and disclosure policies and practices reasonably requested by Brave; (ii) complies with any and all consent obligations, including the Privacy Signals regarding collection, use, or disclosure of Shared Personal Data, including, without limitation, compliance with any opt-out or consent signals; and (iii) promptly notifies Brave if it determines that it cannot meet its obligations under this DSA or Data Protection Laws (including the Privacy Signals). 
   2. As required under Data Protection Laws, Supply Partner shall disclose its use of Brave’s services and how Brave (and all other involved parties, including, without limitation, vendors, service providers, and the advertisers/demand side platforms) Processes the Shared Personal Data in its privacy policy. 
   3. Supply Partner acknowledges and agrees that the End User does not have a direct relationship with Brave; however, certain features of the services are dependent and based upon End User’s consent or any other demonstrated lawful bases, that shall be obtained by Supply Partner (for example, via the consent management platform), and which Brave relies on, amongst others, under the IAB protocol. Supply Partner also acknowledges that it shall be able to demonstrate such consent at any time and represents that such consent exists and it was lawfully obtained. Supply Partner hereby agrees that Brave will transfer the Privacy Signals “as is”(except as otherwise instructed by the Supply Partner, such as when adding information to enhance the Shared Personal Data) to the advertisers and demand side platforms. Supply Partner acknowledges and agrees that such requests are transmitted to the advertisers and demand side platforms, and such parties will respond as per Supply Partner’s request. Therefore, Brave has no control over such parameters or over Privacy Signals and shall not be liable or responsible.
   4. Supply Partner hereby instructs and authorizes Brave to disclose and share Shared Personal Data with third parties that provide services to Supply Partner, data enrich bid providers, and with advertisers and demand-side platform companies for purposes including, but not limited to, user identification, audience targeting and segments, and improving and measurement.
   5. To the extent applicable, when the Supply Partner acts as an intermediate company vis-à-vis the publisher, the Supply Partner hereby acknowledges and agrees that, due to the direct relationship between the Supply Partner and the publisher, Supply Partner is solely and fully responsible and liable for delegating and ensuring the fulfillment of the obligations under this DSA to the publisher. 
   6. Without derogating from the foregoing, Supply Partner hereby acknowledges and agrees with Brave’s Supply Partner Guidelines available here (“Supply Partner Guidelines”), which are incorporated herein by reference. The Supply Partner Guidelines are intended to add information and instructions related to the provision of the services. The Supply Partner shall read the Supply Partner Guidelines and make sure that Supply Partner complies with them. In the event of any inconsistency between this DSA and/or the Agreement and the Supply Partner Guidelines, the Supply Partner Guidelines shall prevail. Supply Partner acknowledges and agrees that Brave may update, change, and/or amend the Supply Partner Guidelines from time to time at Brave’s sole discretion.
5. Security. Each Party shall be responsible for complying with security requirements that apply to it as an independent and separate Data Controller under Data Protection Laws for the Processing of the Shared Personal Data.
6. Cross Border Transfers.
   1. Applicable Data Protection Laws in certain jurisdictions may require additional/different safeguards or transfer mechanisms to facilitate cross-border transfers. In such a case, the Parties agree to respect and implement such additional safeguards or adopt such transfer mechanisms, as appropriate and necessary.
   2. Either Party may transfer Shared Personal Data from the EEA or UK to a destination outside of these, provided that it complies with applicable provisions regarding the transfer of Personal Data to countries outside of the EEA or UK under Data Protection Laws (such as where the transfer of Personal Data is to an Approved Jurisdiction or through the use of the SCC, as incorporated by reference in Schedule 2, or other applicable frameworks). Where and to the extent that the SCC apply pursuant to this Section ‎6, Brave will be referred to as the “Data Importer” and Supply Partner will be referred to as the “Data Exporter”. 
7. Termination. he Parties agree that this DSA and, if applicable, the SCC shall terminate automatically upon (i) termination or expiration of the Agreement; or (ii) as agreed upon between the parties, whichever is earlier. Sections ‎2.1, ‎7, ‎8 and Brave’s remedies under law or equity in connection with Supply Partner’s breach of this DSA and/or violation of Data Protection Laws shall survive the termination of the Agreement and/or this DSA for any reason.
8. General. Each Party may request in writing variations to this DSA if they are required as a result of any change in, or decision of a competent authority under Data Protection Laws, to allow Processing of Shared Personal Data to be made (or continue to be made) in accordance with the Agreement and/or this DSA without breach of those Data Protection Laws. The Parties shall make commercially reasonable efforts to accommodate such modifications requested by a Party. To the maximum extent permitted by law, this DSA shall be governed by the laws governing the Agreement, except for those provisions of clauses that dictate the application of another law for particular purposes. Notwithstanding anything to the contrary in the Agreement or any agreement between the Parties, the Supply Partner shall indemnify, defend, and hold harmless Brave against all losses, fines, penalties, costs, and expenses (including reasonable attorney fees) and sanctions arising from any claim of any kind by a Data Subject, third party, or Supervisory Authority, an advertiser and/or demand side platforms, related to, or arising from the Shared Personal Data, any breach of this DSA and/or violation of Data Protection Laws and Privacy Signals. Notwithstanding anything to the contrary in the Agreement and/or in any agreement between the Parties and to the maximum extent permitted by law: (A) Brave’s (its officers, employees, suppliers, vendors, advertisers, and demand side platform) entire, total, and aggregate liability, related to Shared Personal Data or information, privacy, or for breach of this DSA and/or Data Protection Laws, Privacy Signals, including, without limitation, if any, any indemnification obligation or applicable law regarding data protection or privacy, shall be limited to the amounts paid to Brave under the Agreement within six (6) months preceding the event that gave rise to the claim. This limitation of liability is cumulative and not per incident; (B) In no event will Brave (its officers, employees, suppliers, vendors, advertisers, and demand side platform) be liable under, or otherwise in connection with this DSA for: (i) any indirect, exemplary, special, consequential, incidental, or punitive damages; (ii) any loss of profits, business, or anticipated savings;  (iii) any loss of, or damage to data, reputation, revenue, or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (C) the foregoing exclusions and limitations on liability set forth in this Section shall apply: (i) even if Brave or third-party providers have been advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy in this DSA fails of its essential purpose; and (iii) regardless of the form, theory, or basis of liability (such as, but not limited to, breach of contract or tort). This DSA may not be assigned, transferred, delegated, sold, or otherwise disposed of, including without limitation by operation of law, without the prior written consent of the non-assigning party; provided that either party may assign this DSA to a successor without such consent in connection with a merger, acquisition, consolidation, similar transaction, or the sale of all or substantially all its assets. In the event of any conflict between certain provisions of this DSA and the provisions of the Agreement, the provisions of this DSA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Shared Personal Data. In the event of a conflict between this DSA and the SCC (as defined below), the SCC will prevail solely with regard to international transfers of Shared Personal Data, where the SCC are applicable.

SCHEDULE 1 – DETAILS OF THE SHARED PERSONAL DATA

Purpose of Data Sharing

Supply Partner shares Shared Personal Data with Brave for the purposes stipulated in the Agreement and/or this DSA, including, among others, for placing ads (personalized or contextual, as applicable), optimization, ad serving, etc. 

Nature of the Processing

Collection, storage, organization, analysis, modification, retrieval, disclosure, communication, and other uses in performance of the services as set out in the Agreement.  

Duration of the Processing

Continuous and as necessary for the performance of the services. 

Categories of Data Subjects

End-Users to whom ads are displayed. 

Sensitive Personal Data

None.

Type of Personal Data Shared 

IP addresses, IFV and IFA (e.g., IDFA/ AAID or any other related device IDs), Privacy String, cookies data or unique identifiers, information about End-Users’ devices (device type, model, operation system) and End-Users’ browsing behavior. 

Process Frequency

Continuous and as necessary for the performance of the Service. 

SCHEDULE 2 – CROSS BORDER TRANSFERS

PART 1 – EEA Cross Border Data Transfers

1. The Parties agree that to the extent the EU SCC apply, they are hereby incorporated by reference as follows:
2. Module One (Controller to Controller) of the EU SCC shall apply where the applicable transfer is effectuated between the Parties, each acting as an independent and separate data controller of the Shared Personal Data.
3. Clause 7 of the EU SCC (Docking Clause) shall not apply.
4. In Clause 11 of the EU SCC, the optional language will not apply.
5. With respect to Clause 17 of the EU SCC, the Parties agree that the SCC shall be governed by the laws of the Republic of Ireland.
6. In Clause 18(b) of the EU SCC, disputes will be resolved before the courts of the Republic of Ireland.
7. Annex I.A of the EU SCC shall be completed as follows:
   • Data Exporter: Supply Partner
   • Contact details: As detailed in the Agreement.
   • Data Exporter Role:
   • Module One: The Data Exporter is a data controller.
   • Signature and Date: By entering into the Agreement and DSA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
   • Data Importer: Brave
   • Contact details: As detailed in the Agreement.
   • Data Importer Role: Module One: The Data Importer is a data controller.
   • Signature and Date: By entering into the Agreement and DSA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
8. Annex I.B of the EU SCC shall be completed as follows:
   • The categories of data subjects, personal data, frequency of transfer, nature of the processing, purpose of the processing, and duration are described in Schedule 1 (Details of Processing) of this DSA
9. Annex I.C of the EU SCC shall be completed as follows:
   • The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 5.
10. Annex II of the EU SCC: The technical and organizational security measures implemented by the Parties.

PART 2 – UK Cross Border Data Transfers

The Parties have agreed that to the extent the UK SCC apply, they are incorporated by reference as follows:

The UK SCC is incorporated by reference:

• Table 1: The Parties: as detailed in the Agreement.
• Table 2: Selected SCCs, Modules, and Selected Clauses: as detailed in Part 1.
• Table 3: Appendix Information: as set out in the Annexes to Part 1.
• Table 4: Neither Party will be entitled to terminate the UK SCCs in accordance with Clause 19 of the UK Mandatory Clauses.