Data Processing Addendum

Effective Date: January 31, 2024

This BidsCube Data Processing Addendum (hereinafter ‘DPA’) supplements the BidsCube Terms of Use DSP and Publisher Terms of Use (hereinafter ‘Terms’), the agreement between you (hereinafter ‘Publisher’, ‘Advertiser’, ‘RTB Partner’, or ‘Customer’ or together as ‘Customers’, ‘you’, ‘your’) and BidsCube SP. Z.O.O (hereinafter ‘Company’, ‘BidsCube’, ‘we’, ‘us’ or ‘our’) and governs the processing of personal data provided to BidsCube in connection with the Services or of any personal data that BidsCube processes in connection with the performance of the Services, hereinafter referred to individually as a ‘Party’ or together as the ‘Parties’.

Unless otherwise defined in this DPA, all capitalised terms used in this DPA will have the meanings set forth in BidsCube’s Terms. This DPA shall remain in force until the termination of the Terms between you and us governing your use of the Services.

1. Definitions

“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, the United Kingdom, the United States and its states, applicable to the processing of personal data under the Terms as amended from time to time, such as the GDPR, UK Data Protection Laws, or other applicable laws and regulations.

“General Data Protection Regulation (GDPR)” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“UK Data Protection Laws” means the Data Protection Act 2018 and the UK GDPR (retained version of the EU GDPR).

“EU Standard Contractual Clauses (EU SCCs)” means Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.

“UK Addendum” means International Data Transfer Addendum to the EU Standard Contractual Clauses that have been issued by the Information Commissioner for Parties making Restricted Transfers in the meaning of the UK Data Protection Laws, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

“controller”, “joint controller”, “processor”, “data subject”, “personal data”, and “processing” have the meanings given in Data Protection Laws and Regulations.

“End User Data” means personal data provided to BidsCube in connection with the Services or any personal data that BidsCube processes in connection with the performance of the Services.

“Services” means online advertising services, including AdTech solutions (the SSP, DSP) and White Label AdExchange, SSP and DSP solutions as described in the Terms.

“Sub-processor” means any entity which provides processing services to BidsCube in furtherance of BidsCube’s processing on behalf of the Customer.

“Public Authority” means a government agency or law enforcement authority, including judicial authorities.

“Supervisory Authority” means an independent public authority to be responsible for monitoring the application of the data protection legislation.

2. Application of DPA and Roles under Data Protection Laws and Regulations

During the provision of Services, BidsCube and Customers may have different roles under Data Protection Laws and Regulations depending on the specific service BidsCube provides. Thus, certain provisions of this DPA are applicable only in specific cases, as described below. The Customer acknowledges and agrees that with regard to the processing of End User Data the Customer and the Company have the roles under Data Protection Laws and Regulations specified in this Section. This DPA shall apply accordingly to established roles and not apply to situations where we act as sole controllers in accordance with BidsCube’s Privacy Policy.

Supply Side Platform services

Where the Customer uses Supply Side Platform services, the Customer as a data exporter and the Company as a data importer are joint controllers in respect of End User Data. In this case, Sections 1, 2, 8 and 9 of this DPA and Schedules 1 and 4 of this DPA shall apply.

Demand Side Platform services

Where the Customer uses Demand Side Platform services, the Customer as a data importer and the Company as a data exporter are joint controllers in respect of End User Data. In this case, Sections 1, 2, 8 and 9 of this DPA and Schedules 2 and 4 of this DPA shall apply.

White Label AdExchange, White Label Supply Side Platform, White Label Demand Side Platform services

Where the Customer uses White Label AdExchange, White Label Supply Side Platform, White Label Demand Side Platform services, the Customer is a controller and a data exporter of End User Data, and the Company is a processor and a data importer in respect of End User Data. In this case, Sections 1 to 7 and 9 of this DPA and Schedules 3 and 4 of this DPA shall apply.

3. Instructions

The Parties agree that this DPA and the Terms constitute your complete and final documented instructions regarding when we process End User Data on your behalf (hereinafter ‘Instructions’). Any additional or alternate instructions must be consistent with the terms and conditions of this DPA and the Terms.

4. Description of Processing

The processing of End User Data on your behalf in connection with Services is described in Schedule 3 of this DPA. We reserve the right to update the description of processing from time to time to reflect new functionality which is part of the Services.

5. Your obligations

Within the scope of the DPA and Terms and your use of the Services, when you act as a data controller and we act as a data processor, you will be solely responsible for complying with all requirements that apply to you under the Data Protection Laws and Regulations. You represent and warrant that you will be solely responsible for:

(i) the accuracy, quality, integrity, confidentiality and security of collected End User Data;

(ii) complying with all necessary transparency, lawfulness, fairness and other requirements under Data Protection Laws and Regulations for the collection and use of personal data by establishing and maintaining the procedure for the exercise of the rights of the data subjects whose personal data are processed on behalf of the Customer; providing us only with data that has been lawfully and validly obtained and ensuring that such data will be relevant and proportionate to the respective uses; ensuring compliance with the provisions of this DPA and Terms by your personnel or by any third-party accessing or using End User Data on your behalf; and

(iii) ensuring that your Instructions to us regarding the processing of End User Data comply with the Data Protection Laws and Regulations, including complying with principles of data minimisation, purpose and storage limitation.

6. Our obligations

6.1. General Obligations

With regard to the processing of End User Data, we shall:

(i) process End User Data using appropriate technical and organisational security measures and in compliance with the Instructions received from the Customer subject to Section 3 of this DPA;

(ii) inform the Customer if, in our opinion, the Customer’s Instructions may be in violation of the provisions of the Data Protection Laws and Regulations;

(iii) inform the Customer if we cannot comply with its obligations under this DPA, in which case the Customer may terminate the agreement or take any other reasonable actions, including suspending data processing operations;

(iv) follow the Customer’s instructions regarding the collection of End User Data, in case we are obtaining End User Data from data subjects on behalf of the Customer under Terms;

(v) take reasonable steps to ensure that any employee/contractor to whom we authorise access to End User Data on our behalf comply with respective provisions of the Terms and this DPA.

6.2. Notices to the Customer

Upon becoming aware, we shall inform you of any legally binding request for disclosure of End User Data by a Public Authority, unless we are otherwise forbidden by law to inform the Customer, for instance, to preserve the confidentiality of investigation by a Public Authority. We will inform the Customer if it becomes aware of any notice, inquiry, or investigation by a Supervisory Authority with respect to the processing of End User Data under this DPA conducted between you and us.

6.3. Security measures

We shall implement and maintain appropriate technical and organisational measures to protect End User Data from personal data breaches (hereinafter ‘Security Incidents’) in accordance with our security standards set out in Schedule 4 of this DPA. You acknowledge that security measures are subject to technical progress so that we may modify or update Schedule 4 of this DPA at our sole discretion, provided that such modification or update does not result in a material degradation in the security measures offered by Schedule 4 of this DPA.

6.4. Security Incident

Upon becoming aware of a Security Incident, we shall:

(i) notify you without undue delay after we become aware of the Security Incident;

(ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by you; and

(iii) promptly take reasonable steps to contain and investigate any Security Incident so that you can notify competent authorities and/or affected Data Subjects of the Security Incident. Our notification of or response to a Security Incident shall not be construed as an acknowledgement by us of any fault or liability regarding the Security Incident.

6.5. Confidentiality

We will not access, use, or disclose to any third party any End User Data, except, in each case, as necessary to maintain or provide the Services or as necessary to comply with contractual and legal obligations or binding order of a public body (such as a subpoena or court order). We shall ensure that any employee/contractor whom we authorize to access End User Data on our behalf is subject to appropriate confidentiality contractual or statutory duty obligations with respect to End User Data.

6.6. Return or deletion of End User Data

Upon termination or expiration of the Terms concluded between you and us, we shall delete all End User Data in our possession or control, except that this requirement shall not apply to the extent we are required by applicable law or respective contractual obligations to retain some or all of End User Data.

6.7. Reasonable Assistance

We agree to provide reasonable assistance to the Customer, when acting as a data processor, regarding:
(i) any request from a data subject in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of End User Data that we process on behalf of the Customer. In the event that a data subject sends such a request directly to us, Section 7 of this DPA shall apply;
(ii) the investigation of Security Incident and communication of necessary notifications regarding such Security Incident subject to Section 6.4 of this DPA;
(iii) preparation of data protection impact assessments and, where necessary, consultation of the Customer with the Supervisory Authority under Articles 35 and 36 of the GDPR.

6.8 Audit and Certification

If a Supervisory Authority requires an audit of the data processing facilities from which we process End User Data to ascertain or monitor Customer’s compliance with Data Protection Laws and Regulations, we will cooperate with such audit. The Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time we expend for any such audit, in addition to the rates for services performed by us.

The Customer may, prior to the commencement of processing and at regular intervals thereafter, audit the technical and organisational measures taken by us. If the Customer is the controller with respect to the personal data processed by us on its behalf, upon reasonable and timely advance agreement, during regular business hours and without interruption to our business operations, we may provide the Customer with all information necessary to demonstrate compliance with its obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer with respect to such processing.

We shall, upon a Customer’s written request and within a reasonable period, provide the Customer with all information necessary for such audit, to the extent that such information is within our control and we are not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

7. Data Subject Request

In the event that a data subject contacts us with regard to the exercise of their rights under the Data Protection Laws and Regulations (in particular, requests for access to, rectification or deletion of End User Data) when acting as a data processor, we will use all reasonable efforts to forward such requests to you. If we are legally required to respond to such a request, we shall immediately notify you and provide you with a copy of the request unless we are legally prohibited from doing so.

8. Joint Controllership Arrangement

This Section shall apply only with respect to the processing of personal data carried out in the context of the provision of the services by the Company to the Customer when the Parties act as the joint controllers.

In accordance with Article 26 of the GDPR, the Parties hereby determine their responsibilities for compliance with their obligations under the GDPR.

8.1. Obligations of the Parties when acting as Joint Controllers

When processing personal data as joint controllers under Section 8 of this DPA, each Party agrees that it shall:

(i) comply with requirements arising to its role under the Data Protection Laws and Regulations;

(ii) maintain a record of the processing activities under its responsibility;

(iii) implement appropriate technical and organizational measures as defined in Schedule 4 of this DPA to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access;

(iv) take all the measures necessary to address the Security Incident relating to the personal data it processes (if any), mitigate its effects, prevent further Security Incidents, notify the other Party about the Security Incident, and, when required, notify the competent supervisory authority(ies) and the data subjects;

(v) cooperate with the preparation of the data protection impact assessments where required;

(vi) handle data subject’s requests it receives, in particular, the requests relating to the exercise of data subject’s rights under the Data Protection Laws and Regulations;

(vii) provide the other Party with reasonable assistance in complying with any data subject access request;

(viii) notify the other Party about the receipt of the data subject request in respect of personal data processing by the other Party covered by this DPA;

(ix) when one Party receives a request from a data subject regarding his or her personal data that is processed by the other Party, it should redirect the request to the other Party. The redirecting Party should explain to the data subject how he or she can exercise his or her rights with the other Party;

(x) not disclose or release any personal data in response to a data subject request without prior consulting the other Party where necessary;

(xi) notify the other Party without undue delay on becoming aware of any breach of the provisions of the GDPR;

(xii) designate a contact point through which the Parties can be contacted in respect of queries or complaints in relation to issues covered by this DPA or any other data protection issues.

8.2. The Company’s obligations

When processing personal data as joint controllers under Section 8 of this DPA, the Company shall:

(i) comply with all obligations listed in subsection 8.1.;

(ii) be responsible for the creation and publication of the Company’s Privacy Policy and additional policies;

(iii) process the personal data only for the purposes defined in its Privacy Policy, additional policies, and other internal information security policies;

(iv) inform the Company’s contact point in respect of queries or complaints in relation to issues covered by this DPA or any other data protection issues;

(v) comply with other obligations established by the GDPR.

8.3. The Customer’s obligations

When processing personal data as joint controllers under Section 8 of this DPA, the Customer shall:

(i) comply with all obligations listed in subsection 8.1.;

(ii) provide the Company with evidence of the data subject’s consent collection when required;

(iii) be responsible for the creation and publication of the Customer’s Privacy Policy and additional policies;

(iv) process the personal data only for the purposes defined in its Privacy Policy, additional policies, and other internal information security policies;

(v) inform the Customer’s contact point in respect of queries or complaints in relation to issues covered by this DPA or any other data protection issues

(vi) comply with other obligations established by the GDPR.

8.4. The Parties’ contact points

The Parties established their contact points as follows:

• Details for contacting the Company are indicated in Schedules 1 and 2 of this DPA. In any case, the Company can be contacted by the data subject according to the details provided in its Privacy Policy and other publicly available documents.
• Details for contacting the Customer are indicated in Schedules 1 and 2 of this DPA. In any case, the Сustomer can be contacted by the data subject according to the details provided in its Privacy Policy and other publicly available documents.

9. Transfers of End User Data

9.1. General

Parties agree that when the processing of End User Data on behalf of the Customer in connection with Services constitutes a transfer under Data Protection Laws and Regulations and appropriate safeguards are required, such processing will be subject to the Standard Contractual Clauses and/or UK Addendum which are deemed to be incorporated into and form part of this DPA as further described in subsections 9.2 and 9.3 of this DPA. If and to the extent the EU SCCs and/or UK Addendum, as applicable, conflict with any provision of the DPA, the EU SCCs and UK Addendum shall prevail to the extent of such conflict.

When the processing of End User Data on behalf of the Customer in connection with Services does not constitute a transfer under Chapter V of the GDPR, the Standard Contractual Clauses and/or UK Addendum are used to impose obligations on the data processor under Article 28 of the GDPR and employ additional data protection safeguards during data transmission between controllers to the extent that such clauses are not in conflict with the Data Protection Laws and Regulations.

9.2. Transfers under the GDPR

When the processing of End User Data, including when the Company processes End User Data on behalf of the Customer in connection with Services, constitutes a “transfer” under the GDPR and in other cases under this DPA, Standard Contractual Clauses shall apply. When you act as a controller, and we act as a controller (together as joint controllers), Module One of the EU SCCs shall apply, and when you act as a controller, and we act as a processor, Module Two of the EU SCCs shall apply.

For the purpose of the EU SCCs, when the Company and the Customer act as joint controllers, including the case when we obtain data from the Customer under Supply Side Platform services, we are a “data importer”, and the Customer is a “data exporter”; when we transfer data to the Customer under Demand Side Platform services we are a “data exporter”, and the Customer is a “data importer”. When the Customer acts as a data controller, and the Company acts as a data processor under White Label AdExchange, White Label Supply Side Platform, White Label Demand Side Platform services, we are a “data importer”, and the Customer is a “data exporter”. The relevant provisions contained in the EU SCCs are incorporated by reference and are an integral part of this DPA. Clauses and annexes of the EU SCCs deemed to be completed are as follows:

(i) in Clause 7, the optional docking clause shall not apply;

(ii) in Clause 9, Option 2 (the General Written Authorisation) shall apply. For the purpose of Clause 9(a), the time period for informing of data exporter shall be 1 month;

(iii) in Clause 11, the optional provision shall not apply;

(iv) in Clause 13, where the Customer acts as a data exporter, a particular option shall apply depending on the specific case, and where the Company acts as a data exporter, Option 1 shall apply;

(v) in Clause 17, Option 1 shall apply. The EU SCCs shall be governed by the law of the Republic of Poland;

(vi) in Clause 18(b), disputes shall be resolved by the courts of the Republic of Poland;

(vii) Annex I of the EU SCCs is deemed completed with the information set out in Schedules 1, 2 and 3 of this DPA, depending on the specific case;

(viii) Annex II of the EU SCCs is deemed completed with the information set out in Schedule 4 of this DPA.

9.3. Transfers under UK Data Protection Laws

When the processing of End User Data on behalf of the Customer in connection with Services constitutes a “restricted transfer” under UK Data Protection Laws and in other cases under this DPA, the UK Addendum shall apply. When you act as a controller, and we act as a controller (together as joint controllers), Module One of the EU SCCs shall apply, and when you act as a controller, and we act as a processor, Module Two of the EU SCCs shall apply, as completed in subsection 9.2 of this DPA.

For the purpose of the UK Addendum, when the Company and the Customer act as joint controllers, including the case when we obtain data from the Customer under Supply Side Platform services, we are a “data importer”, and the Customer is a “data exporter”; when we transfer data to the Customer under Demand Side Platform services we are a “data exporter”, and the Customer is a “data importer”. When the Customer acts as a data controller and the Company acts as a data processor under White Label AdExchange, White Label Supply Side Platform, White Label Demand Side Platform services, we are a “data importer”, and the Customer is a “data exporter”. The relevant provisions contained in the UK Addendum are incorporated by reference and are an integral part of this DPA. Tables in the UK Addendum deemed to be completed as follows:

(i) Table 1 in Part 1 is deemed completed with the information set out in Schedules 1, 2 and 3 of this DPA. When the Company acts as a data importer, the official registration number of the importer is 0000867869, and the official registration number of the exporter is contained in the Customer’s account, if any.
When the Company acts as a data exporter, the official registration number of the importer is contained in the Customer’s account (if any), and the official registration number of the exporter is 0000867869;

(ii) Table 2 in Part 1 is deemed completed accordingly with the information set out in subsection 9.2 of this DPA;

(iii) Table 3 in Part 1 is deemed completed with the information set out in Schedules 1, 2 and 3 of this DPA, depending on the specific case;

(iv) in Table 4 in Part 1, neither party may end this Addendum as set out in Section 19 of the UK Addendum. 

SCHEDULE 1 – DESCRIPTION OF PROCESSING UNDER SSP SERVICES

A. LIST OF PARTIES

Data exporter

---

Name: You, «Publisher», «Customer»

Address: the relevant information is contained in the Customer’s account.

Contact person’s name, position and contact details: the relevant information is contained in the Customer’s account.

• Activities relevant to the data transferred under these Clauses: provision of BidsCube’s services (e.g., the Supply Side Platform services), including:
  • Serving Ads: enabling the Publisher’s customers to auction advertising inventory on their websites and/or apps and to populate this inventory with pertinent ads.
  • Interest-Based Advertising: delivering targeted advertisements grounded in the End Users’ online activities across websites and mobile applications, along with data about their inferred commercial interests.
  • Ad Reporting and Conversions: generating reports for our Advertising customers to illustrate when and how End Users have encountered, interacted with, or acted upon ads.
  • Geo-Targeting: customizing ads according to the End User’s current or previous geographical locations.
  • Ad Measurement: comprehending ad effectiveness by analysing End User responses to ads, such as clicks.
  • Aggregated Statistics: to offer insights into the efficacy of online advertising campaigns by contributing End User data to aggregated reports.
  • Cross-Device Mapping: serving or assessing advertising on interconnected devices.
  • Fraud Detection and Prevention: identifying and preventing invalid clicks or queries, safeguarding Customers from fraudulent activities.
  • Security and Debugging: identifying and rectifying errors within our Service to ensure proper and secure system operations.
  • Frequency Capping: to regulate the frequency at which End Users encounter the same ad across diverse websites and applications

Signature and date: By entering into the Terms, the data exporter is deemed to have signed the EU SCCs incorporated herein, including their Annexes, as of the effective date of the Terms.

Role: controller

Data importer

---

Name: BidsCube SP. Z.O.O

Address: str.Odrzanska 6A /6, Wroclaw, Lower, Silesian Voivodeship, Poland 50-113

Contact person’s name, position and contact details: Dmytro Chebakov, support@bidscube.com

• Activities relevant to the data transferred under these Clauses: provision of BidsCube’s services (e.g., the Supply Side Platform services), including:
  • Serving Ads: enabling the Publisher’s customers to auction advertising inventory on their websites and/or apps and to populate this inventory with pertinent ads.
  • Interest-Based Advertising: delivering targeted advertisements grounded in the End Users’ online activities across websites and mobile applications, along with data about their inferred commercial interests.
  • Ad Reporting and Conversions: generating reports for our Advertising customers to illustrate when and how End Users have encountered, interacted with, or acted upon ads.
  • Geo-Targeting: customizing ads according to the End User’s current or previous geographical locations.
  • Ad Measurement: comprehending ad effectiveness by analysing End User responses to ads, such as clicks.
  • Aggregated Statistics: to offer insights into the efficacy of online advertising campaigns by contributing End User data to aggregated reports.
  • Cross-Device Mapping: serving or assessing advertising on interconnected devices.
  • Fraud Detection and Prevention: identifying and preventing invalid clicks or queries, safeguarding Customers from fraudulent activities.
  • Security and Debugging: identifying and rectifying errors within our Service to ensure proper and secure system operations.
  • Frequency Capping: to regulate the frequency at which End Users encounter the same ad across diverse websites and applications.

Signature and date: By entering into the Terms, the data importer is deemed to have signed the EU SCCs incorporated herein, including their Annexes, as of the effective date of the Terms.

Role: controller

B. DESCRIPTION OF TRANSFER

1. Categories of data subjects whose personal data is transferred:
   • End Users (individuals who explore the publishers’ websites and/or applications and receive advertisements).
2. Categories of personal data transferred:
   • End User Data that can include the following information:
     • Data provided by the End User to the Customer: data about age or gender, etc;
     • Details of the End User’s device: comprising device specifications, model, manufacturer, operating system version, connection type, and device identifiers such as mobile advertising IDs (such as Apple’s iOS Identifier for Advertising or Google’s Android Advertising ID), geographic location data, IP address;
     • Data about the End User’s interactions on the Customer’s website or apps: data about activities, actions, and session commencement and conclusion times;
     • Insights regarding advertisements served, viewed, or interacted with: ad type, placement, user interaction (clicks), frequency of exposure, and actions following exposure, such as visiting the Customer’s website or app store, purchasing products or services advertised, or installing advertised apps.
3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:
   • The data importer does not obtain access to the special categories of data (sensitive data).
4. The frequency of the transfer:
   • The personal data is transferred on a continuous basis.
5. Nature of the processing:
   • Personal data processing consists of the following: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.
6. Purpose(s) of the data transfer and further processing:
   • The purpose of the data processing under these Clauses is the performance of the services for the data exporter by the data importer under the Terms concluded between the data importer and the data exporter.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
   • The personal data shall be stored for the duration of this DPA concluded between the data importer and the data exporter, unless otherwise agreed in writing or the data importer is required by applicable law to retain some or all of the transferred personal data.
8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
   • subject matter: the performance of services
   • nature: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.
   • duration: the performance of the services for the data importer by the (sub-) processor under the service agreement concluded between the data importer and (sub-) processor.

C. COMPETENT SUPERVISORY AUTHORITY

In accordance with Clause 13, competent supervisory authority under these Clauses is determined depending on what version of Clause 13(a) applies to the data exporter. 

SCHEDULE 2 – DESCRIPTION OF PROCESSING UNDER DSP SERVICES

A. LIST OF PARTIES

Data exporter

---

Name: BidsCube SP. Z.O.O

Address: str.Odrzanska 6A /6, Wroclaw, Lower, Silesian Voivodeship, Poland 50-113

Contact person’s name, position and contact details: Dmytro Chebakov, support@bidscube.com

• Activities relevant to the data transferred under these Clauses: provision of BidsCube’s services (e.g., the Demand Side Platform services), including:
  • Serving Ads: enabling the Publisher’s customers to auction advertising inventory on their websites and/or apps and to populate this inventory with pertinent ads.
  • Interest-Based Advertising: delivering targeted advertisements grounded in the End Users’ online activities across websites and mobile applications, along with data about their inferred commercial interests.
  • Ad Reporting and Conversions: generating reports for our Advertising customers to illustrate when and how End Users have encountered, interacted with, or acted upon ads.
  • Geo-Targeting: customizing ads according to the End User’s current or previous geographical locations.
  • Ad Measurement: comprehending ad effectiveness by analysing End User responses to ads, such as clicks.
  • Aggregated Statistics: to offer insights into the efficacy of online advertising campaigns by contributing End User data to aggregated reports.
  • Cross-Device Mapping: serving or assessing advertising on interconnected devices.
  • Fraud Detection and Prevention: identifying and preventing invalid clicks or queries, safeguarding Customers from fraudulent activities.
  • Security and Debugging: identifying and rectifying errors within our Service to ensure proper and secure system operations.
  • Frequency Capping: to regulate the frequency at which End Users encounter the same ad across diverse websites and applications

Signature and date: By entering into the Terms, the data importer is deemed to have signed the EU SCCs incorporated herein, including their Annexes, as of the effective date of the Terms.

Role: controller

Data importer

---

Name: You, «Advertiser», «Customer»

Address: the relevant information is contained in the Customer’s account.

Contact person’s name, position and contact details: the relevant information is contained in the Customer’s account.

• Activities relevant to the data transferred under these Clauses: provision of BidsCube’s services (e.g., the Demand Side Platform services), including:
  • Serving Ads: enabling the Publisher’s customers to auction advertising inventory on their websites and/or apps and to populate this inventory with pertinent ads.
  • Interest-Based Advertising: delivering targeted advertisements grounded in the End Users’ online activities across websites and mobile applications, along with data about their inferred commercial interests.
  • Ad Reporting and Conversions: generating reports for our Advertising customers to illustrate when and how End Users have encountered, interacted with, or acted upon ads.
  • Geo-Targeting: customizing ads according to the End User’s current or previous geographical locations.
  • Ad Measurement: comprehending ad effectiveness by analysing End User responses to ads, such as clicks.
  • Aggregated Statistics: to offer insights into the efficacy of online advertising campaigns by contributing End User data to aggregated reports.
  • Cross-Device Mapping: serving or assessing advertising on interconnected devices.
  • Fraud Detection and Prevention: identifying and preventing invalid clicks or queries, safeguarding Customers from fraudulent activities.
  • Security and Debugging: identifying and rectifying errors within our Service to ensure proper and secure system operations.
  • Frequency Capping: to regulate the frequency at which End Users encounter the same ad across diverse websites and applications.

Signature and date: By entering into the Terms, the data exporter is deemed to have signed the EU SCCs incorporated herein, including their Annexes, as of the effective date of the Terms.

Role: controller

B. DESCRIPTION OF TRANSFER

1. Categories of data subjects whose personal data is transferred:
   • End Users (individuals who explore the publishers’ websites and/or applications and receive advertisements).
2. Categories of personal data transferred:
   • End User Data that can include the following information:
     • Data provided by the End User to the Customer: data about age or gender, etc;
     • Details of the End User’s device: comprising device specifications, model, manufacturer, operating system version, connection type, and device identifiers such as mobile advertising IDs (such as Apple’s iOS Identifier for Advertising or Google’s Android Advertising ID), geographic location data, IP address;
     • Data about the End User’s interactions on the Customer’s website or apps: data about activities, actions, and session commencement and conclusion times;
     • Insights regarding advertisements served, viewed, or interacted with: ad type, placement, user interaction (clicks), frequency of exposure, and actions following exposure, such as visiting the Customer’s website or app store, purchasing products or services advertised, or installing advertised apps.
3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:
   • The data importer does not obtain access to the special categories of data (sensitive data).
4. The frequency of the transfer:
   • The personal data is transferred on a continuous basis.
5. Nature of the processing:
   • Personal data processing consists of the following: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.
6. Purpose(s) of the data transfer and further processing:
   • The purpose of the data processing under these Clauses is the performance of the services for the data exporter by the data importer under the Terms concluded between the data importer and the data exporter.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
   • The personal data shall be stored for the duration of this DPA concluded between the data importer and the data exporter, unless otherwise agreed in writing or the data importer is required by applicable law to retain some or all of the transferred personal data.
8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
   • subject matter: the performance of services
   • nature: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.
   • duration: the performance of the services for the data importer by the (sub-) processor under the service agreement concluded between the data importer and (sub-) processor.

C. COMPETENT SUPERVISORY AUTHORITY

In accordance with Clause 13, the competent supervisory authority under these Clauses is Urząd Ochrony Danych Osobowych (Polish Personal Data Protection Office).

SCHEDULE 3 – DESCRIPTION OF PROCESSING UNDER WHITE-LABEL SERVICES

A. LIST OF PARTIES

Data exporter

---

Name: You, «Customer»

Address: the relevant information is contained in the Customer’s account.

Contact person’s name, position and contact details: the relevant information is contained in the Customer’s account.

• Activities relevant to the data transferred under these Clauses: provision of BidsCube’s services (e.g., the White Label AdExchange, White Label Supply Side Platform, White Label Demand Side Platform services), including:
  • Serving Ads: enabling the Publisher’s customers to auction advertising inventory on their websites and/or apps and to populate this inventory with pertinent ads.
  • Interest-Based Advertising: delivering targeted advertisements grounded in the End Users’ online activities across websites and mobile applications, along with data about their inferred commercial interests.
  • Ad Reporting and Conversions: generating reports for our Advertising customers to illustrate when and how End Users have encountered, interacted with, or acted upon ads.
  • Geo-Targeting: customizing ads according to the End User’s current or previous geographical locations.
  • Ad Measurement: comprehending ad effectiveness by analysing End User responses to ads, such as clicks.
  • Aggregated Statistics: to offer insights into the efficacy of online advertising campaigns by contributing End User data to aggregated reports.
  • Cross-Device Mapping: serving or assessing advertising on interconnected devices.
  • Fraud Detection and Prevention: identifying and preventing invalid clicks or queries, safeguarding Customers from fraudulent activities.
  • Security and Debugging: identifying and rectifying errors within our Service to ensure proper and secure system operations.
  • Frequency Capping: to regulate the frequency at which End Users encounter the same ad across diverse websites and applications

Signature and date: By entering into the Terms, the data exporter is deemed to have signed the EU SCCs incorporated herein, including their Annexes, as of the effective date of the Terms.

Role: controller

Data importer

---

Name: BidsCube SP. Z.O.O

Address: str.Odrzanska 6A /6, Wroclaw, Lower, Silesian Voivodeship, Poland 50-113

Contact person’s name, position and contact details: Dmytro Chebakov, support@bidscube.com

• Activities relevant to the data transferred under these Clauses: provision of BidsCube’s services (e.g., the Supply Side Platform, White Label AdExchange, White Label Supply Side Platform, White Label Demand Side Platform services), including:
  • Serving Ads: enabling the Publisher’s customers to auction advertising inventory on their websites and/or apps and to populate this inventory with pertinent ads.
  • Interest-Based Advertising: delivering targeted advertisements grounded in the End Users’ online activities across websites and mobile applications, along with data about their inferred commercial interests.
  • Ad Reporting and Conversions: generating reports for our Advertising customers to illustrate when and how End Users have encountered, interacted with, or acted upon ads.
  • Geo-Targeting: customizing ads according to the End User’s current or previous geographical locations.
  • Ad Measurement: comprehending ad effectiveness by analysing End User responses to ads, such as clicks.
  • Aggregated Statistics: to offer insights into the efficacy of online advertising campaigns by contributing End User data to aggregated reports.
  • Cross-Device Mapping: serving or assessing advertising on interconnected devices.
  • Fraud Detection and Prevention: identifying and preventing invalid clicks or queries, safeguarding Customers from fraudulent activities.
  • Security and Debugging: identifying and rectifying errors within our Service to ensure proper and secure system operations.
  • Frequency Capping: to regulate the frequency at which End Users encounter the same ad across diverse websites and applications.

Signature and date: By entering into the Terms, the data importer is deemed to have signed the EU SCCs incorporated herein, including their Annexes, as of the effective date of the Terms.

Role: controller

B. DESCRIPTION OF TRANSFER

1. Categories of data subjects whose personal data is transferred:
   • End Users (individuals who explore the publishers’ websites and/or applications and receive advertisements).
2. Categories of personal data transferred:
   • End User Data that can include the following information:
     • Data provided by the End User to the Customer: data about age or gender, etc;
     • Details of the End User’s device: comprising device specifications, model, manufacturer, operating system version, connection type, and device identifiers such as mobile advertising IDs (such as Apple’s iOS Identifier for Advertising or Google’s Android Advertising ID), geographic location data, IP address;
     • Data about the End User’s interactions on the Customer’s website or apps: data about activities, actions, and session commencement and conclusion times;
     • Insights regarding advertisements served, viewed, or interacted with: ad type, placement, user interaction (clicks), frequency of exposure, and actions following exposure, such as visiting the Customer’s website or app store, purchasing products or services advertised, or installing advertised apps.
3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:
   • The data importer does not obtain access to the special categories of data (sensitive data).
4. The frequency of the transfer:
   • The personal data is transferred on a continuous basis.
5. Nature of the processing:
   • Personal data processing consists of the following: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.
6. Purpose(s) of the data transfer and further processing:
   • The purpose of the data processing under these Clauses is the performance of the services for the data exporter by the data importer under the Terms concluded between the data importer and the data exporter.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
   • The personal data shall be stored for the duration of this DPA concluded between the data importer and the data exporter, unless otherwise agreed in writing or the data importer is required by applicable law to retain some or all of the transferred personal data.
8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
   • subject matter: the performance of services
   • nature: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.
   • duration: the performance of the services for the data importer by the (sub-) processor under the service agreement concluded between the data importer and (sub-) processor.

C. COMPETENT SUPERVISORY AUTHORITY

In accordance with Clause 13, competent supervisory authority under these Clauses is determined depending on what version of Clause 13(a) applies to the data exporter.

SCHEDULE 4 – TECHNICAL AND ORGANISATIONAL MEASURES

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

• Description of the technical and organisational measures implemented by the data importer(s) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing and the risks for the rights and freedoms of natural persons:
• The data importer is committed to preserving the confidentiality, integrity, availability and resilience of all the personal data in question throughout the data importer processing activities and ensuring that personal data are protected against loss and destruction by implementing appropriate internal information security policies and procedures.
• The data importer has adopted data encryption that is designed to protect the privacy of data subjects by ensuring the security of personal data processing.
• To ensure the security and protection of personal data, the data importer uses a backup system as part of its data management practices.
• The data importer has implemented measures designed to deny unauthorised persons access to processing equipment used for processing of personal data and prevent the use of automated processing systems by unauthorised persons. The personal data is subject to a strictly need-to-know principle of access and can be displayed to authorised staff members and users only.
• The data importer has implemented measures designed to ensure that the confidentiality and integrity of personal data are protected during transfers of personal data.
• The data importer has implemented measures designed to prevent the unauthorised input of personal data and the unauthorised inspection, modification or deletion of stored personal data.
• The data importer’s staff shall comply with the data importer’s internal information security policies, procedures and other applicable documents. It is required to read the current version of such documents to any staff member before undertaking any of their responsibilities regarding personal data processing. All staff members shall receive appropriate security training or instructions concerning the processing of personal data.
• The data importer has adopted information security policies, procedures and other documents for ensuring the fulfillment of data minimization, data quality, limited data retention and accountability principles and ensuring system configuration.