Gaming Audiences

Data Processing Agreement

This agreement is dated: July 1, 2024.

PARTIES

(1) Customer Audiences, LLC dba Gaming Audiences, a California corporation, with offices located at 27 Tessera Ave., Foothill Ranch, CA 92610 (the “Processor”).
(2) the Advertiser customer as set forth on an insertion order for advertising services with Processor (the “Customer”).

RECITALS

WHEREAS, the Customer and the Processor entered into an insertion order for advertising services (“IO”) which may require the Processor to process Personal Information provided by or collected for the Customer; and

WHEREAS, this Data Processing Agreement (the "DPA") sets out the additional terms, requirements, and conditions on which the Processor will obtain, handle, process, disclose, transfer, or store Personal Information when providing services under the IO;

NOW, THEREFORE, in consideration of the mutual covenants and agreements hereinafter set forth and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:

1. Definitions and Interpretation

1.1 The following definitions and rules of interpretation apply in this DPA.

“Authorized Persons” means the managers, directors, and officers of Customer who are authorized to give the Processor personal information processing instructions.

“Business Purpose” means the services described in the IO or any other purpose specifically identified in Appendix A.

“Data Subject” means an individual who is the subject of Personal Information.

“Personal Information” means any information the Processor processes for the Customer that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in the Processor’s possession or control or that the Processor is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information.

“Processing, processes, or process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.

“Privacy and Data Protection Requirements” means all applicable laws and
regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, the California Consumer Privacy Act, as amended.

“Security Breach” means any act or omission that compromises the security,
confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.

1.2 This DPA is subject to the terms of the IO and is incorporated into the IO.
Interpretations and defined terms set forth in the IO apply to the interpretation of this DPA.

1.3 Appendix A forms part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes Appendix A.

1.4 A reference to a writing in this DPA includes email.

1.5 In the case of conflict or ambiguity between:
   (a) any provision contained in the body of this DPA and any provision contained in Appendix A, the provision in the body of this DPA will prevail; and
    (b) any of the provisions of this DPA and the provisions of the IO, the provisions of this DPA will prevail.

2. Personal Information Types and Processing Purposes

2.1 The Customer retains control of the Personal Information and remains
responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Processor.

2.2 Appendix A describes the general Personal Information categories and Data
Subject types the Processor may process to fulfill the Business Purposes of the IO.

3. Processor’s Obligations

3.1 The Processor shall only process, retain, use, or disclose the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions from Authorized Persons. The Processor will not process, retain, use, or disclose the Personal Information for any other purpose or in a way that does not comply with this DPA or the Privacy and Data Protection Requirements.

 The Processor must promptly notify the Customer if, in its opinion, the Customer’s
instruction would not comply with the Privacy and Data Protection Requirements.

3.2 The Processor must promptly comply with any Customer request or instruction
from Authorized Persons requiring the Processor to amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized processing.

3.3 The Processor will maintain the confidentiality of all Personal Information,
will not sell it to anyone, and will not disclose it to third parties unless the Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law requires the Processor to process or disclose Personal Information, the Processor must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

3.4 The Processor will reasonably assist the Customer with meeting the Customer’s
compliance obligations under the Privacy and Data Protection Requirements.

3.5 The Processor must promptly notify the Customer of any changes to Privacy
and Data Protection Requirements that may adversely affect the Processor’s performance of the IO.

4. Processor’s Employees

4.1 The Processor will limit Personal Information access to:

(a) those employees who require Personal Information access to meet the Processor’s obligations under this DPA and the IO; and

(b) the part or parts of the Personal Information that those employees strictly require for the performance of their duties.

4.2 The Processor will ensure that all employees:

(a) are informed of the Personal Information’s confidential nature and use
restrictions;

(b) have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their
particular duties;

(c) are aware both of the Processor’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this DPA; and

(d) are contractually required to comply with terms at least as restrictive as the terms in this DPA.

4.3 The Processor will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all of the Processor’s employees with access to the Personal Information.

5. Security

5.1 The Processor must at all times implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage. The Processor must document those measures in writing and periodically review them, at least annually, to ensure they remain current and complete.

5.2 The Processor will immediately notify the Customer if it becomes aware of any advance in technology and methods of working, which indicate that the parties should adjust their security measures.

5.3 The Processor must take reasonable precautions to preserve the integrity of any Personal Information it processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures.

6. Security Breaches and Personal Information Loss

6.1 The Processor will promptly notify the Customer if any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable. The Processor will restore such Personal Information at its own expense.

6.2 The Processor will immediately notify Customer if it becomes aware of:

(a) any unauthorized or unlawful processing of the Personal Information;
or
(b) any Security Breach.

6.3 Immediately following any unauthorized or unlawful Personal Information processing or Security Breach, the parties will co-ordinate with each other to investigate the matter. The Processor shall fully co-operate with the Customer in the Customer’s handling of the matter, including:

(a) assisting with any investigation;

(b) providing the Customer with physical access to any facilities and operations affected;

(c) facilitating interviews with the Processor’s employees, former employees and others involved in the matter; and

(d) making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by the Customer.

6.4 The Processor will not inform any third party of any Security Breach without first obtaining the Customer's prior written consent, except when law or regulation requires it.

6.5 The Processor agrees that the Customer has the sole right to determine:

(a) whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice; and

(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

6.6 The Processor will cover all reasonable expenses associated with the performance of the obligations under Section 6.2 and Section 6.3 , unless the matter arose from the Customer's specific instructions, negligence, willful default, or breach of this DPA.

6.7 The Processor will also reimburse the Customer for actual reasonable expenses the Customer incurs when responding to and mitigating damages, to the extent that the Processor caused a Security Breach, including all costs of notice and any remedy as set out in Section 6.5 .

7. Cross-Border Transfers of Personal Information

7.1 If the Privacy and Data Protection Requirements restrict cross-border Personal Information transfers, the Customer will only transfer that Personal Information to the Processor under the following conditions:

(a) the Processor, either through its location or participation in a valid
cross-border transfer mechanism under the Privacy and Data Protection Requirements, as identified in Appendix A, may legally receive that Personal Information, however the Processor must immediately inform the Customer of any change to that status;

(b) the Customer obtained valid Data Subject consent to the transfer under the Privacy and Data Protection Requirements; or

(c) the transfer otherwise complies with the Privacy and Data Protection Requirements for the reasons set forth in Appendix A.

7.2 The Processor will not transfer any Personal Information to another country unless the transfer complies with the Privacy and Data Protection Requirements. In Appendix A, the Processor must identify the legal basis supporting any transfers it makes and must immediately inform the Customer of any change to that status.

8. Subcontractors

8.1 The Processor may only authorize a third party (subcontractor) to process the Personal Information if:

(a) the Customer provides prior written consent after the Processor supplies the Customer with full details regarding such subcontractor;

(b) the Processor enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this DPA and, upon the Customer’s written request, provides the Customer with copies of such contracts;

(c) the Processor maintains control over all Personal Information it entrusts to the subcontractor.

8.2 The Processor must list all approved subcontractors in Appendix A and include any subcontractor’s name and location and contact information for the person responsible for privacy and data protection compliance.

8.3 Where the subcontractor fails to fulfill its obligations under such written agreement, the Processor remains fully liable to the Customer for the subcontractor’s performance of its agreement obligations.

8.4 The Parties consider the Processor to control any Personal Information controlled by or in the possession of its subcontractors.

8.5 The Processor will audit a subcontractor’s compliance with its obligations regarding the Customer’s Personal Information and provide the Customer with the audit results.

9. Complaints, Data Subject Requests, and Third Party Rights

9.1 The Processor must notify the Customer immediately if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either party's compliance with the Privacy and Data Protection Requirements.

9.2 The Processor must notify the Customer within three (3) working days if it receives a request from a Data Subject for access to or deletion of their Personal Information.

9.3 The Processor will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request.

9.4 The Processor must not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Customer's request or instruction, permitted by this DPA, or is otherwise required by law.

10. Term and Termination

10.1 This DPA will remain in full force and effect so long as:

(a) the IO remains in effect; or

(b) the Processor retains any Personal Information related to the IO in its possession or control (the “Term”).

10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the IO in order to protect Personal Information will remain in full force and effect.

10.3 The Processor’s failure to comply with the terms of this DPA is a material breach of the IO. In such event, the Customer may terminate the IO effective immediately upon written notice to the Processor without further liability or obligation.

10.4 If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its IO obligations, the parties will suspend the processing of Personal Information until that processing complies with the new requirements.

11. Data Return and Destruction

11.1 At the Customer’s request, the Processor will give the Customer a copy of or access to all or part of the Customer’s Personal Information in its possession or control in the format and on the media reasonably specified by the Customer.

11.2 On termination of the IO for any reason or expiration of its term, the Processor will securely destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Information related to this agreement in its possession or control.

11.3 If any law, regulation, or government or regulatory body requires the Processor to retain any documents or materials that the Processor would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. The Processor may only use this retained Personal Information for the required retention reason or audit purposes.

11.4 Upon written request from Customer (email sufficing), the Processor will certify in writing that it has destroyed the Personal Information within ten (10) days after the request.

12. Records

12.1 The Processor will keep detailed, accurate, and up-to-date records regarding any processing of Personal Information it carries out for the Customer, including but not limited to, the access, control, and security of the Personal Information, approved subcontractors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the “Records”).

12.2 The Processor will ensure that the Records are sufficient to enable the Customer to verify the Processor’s compliance with its obligations under this DPA.

12.3 The Customer and the Processor must review the information listed in Appendix A once a year to confirm its current accuracy and update it when required to reflect current practices.

13. Audit

13.1 At least once per year, the Processor shall conduct site audits of its Personal Information processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this DPA, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices.

13.2 Upon the Customer’s written request, the Processor will make all of the relevant audit reports available to the Customer for review, including as applicable: The Processor’s latest Payment Card Industry (PCI) Compliance Report, and reports relating to its ISO/IEC 27001 certification. The Customer will treat such audit reports as the Processor’s confidential information under this Agreement

13.3 The Processor will promptly address any issues, concerns, or exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Processor’s management.

14. Warranties

14.1 The Processor warrants and represents that:

(a) its employees, subcontractors, agents, and any other person or persons accessing Personal Information on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Requirements relating to the Personal Information; and

(b) it and anyone operating on its behalf will process the Personal Information in compliance with both the terms of this DPA and all applicable Privacy and Data Protection Requirements and other laws, enactments, regulations, orders, standards, and other similar instruments; and

(c) it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the IO’s contracted services; and

(d) considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Information and the accidental loss or destruction of, or damage to, Personal Information, and ensure a level of security
appropriate to:

(i) the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage; and

(ii) the nature of the Personal Information protected; and

(iii) comply with all applicable Privacy and Data Protection

Requirement and its information and security policies, including the security measures required in clause 5.1 .

14.2 The Customer warrants and represents that the Processor's expected use of the Personal Information for the Business Purpose and as specifically instructed by the Customer will comply with all Privacy and Data Protection Requirements.

15. Indemnification

15.1 The Processor agrees to indemnify, keep indemnified, and defend, at its own expense, the Customer against all costs, claims, damages, or expenses incurred by the Customer or for which the Customer may become liable due to any failure by the Processor or its employees, subcontractors, or agents to comply with any of its obligations under this DPA or applicable Privacy and Data Protection Requirements.

15.2 Any limitation of liability set forth in the IO will apply to Processor’s indemnity or reimbursement obligations in this DPA.

15.3 During the Term, the Processor must, at its own cost and expense, obtain and maintain insurance, in full force and effect, sufficient to cover the Processor’s potential indemnity or reimbursement obligations. The Processor will produce the policy and premium payment receipt to the Customer on request. The Processor will give the Customer thirty (30) days advance written notice if the policy materially changes or is cancelled.

16. Notice

16.1 Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to:

For the Customer: As set forth on the IO.
For the Processor: Ameer@gamingaudiences.com.

16.2 Section 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

APPENDIX A

Personal Information Processing Purposes and Details

Business Purposes: Serving digital advertisement campaigns on behalf of Customer.

Personal Information Categories: IP Addresses and Device IDs.

Data Subject Types: Consumers

Approved Subcontractors:

Countries where the Processor may receive, access, transfer or store Personal Information:
United States