TripleLift Data Protection Terms

TRIPLELIFT DATA PROTECTION TERMS

Version 0.3

These Data Protection Terms (“DPT”) are incorporated into the TripleLift Publisher Master Services Agreement, TripleLift Supply Master Services Agreement, or other agreement relating to the provision of TripleLift services between Triple Lift, Inc. (“TripleLift”) and Seller (the “Agreement”) pursuant to which TripleLift provides its services to Seller (referred herein as the “Services”). “Seller” in this DPT shall mean the Publisher, Seller, or other party receiving the Services from TripleLift. References to the Agreement will be construed as including the DPT. Except as modified below, the terms of the Agreement remain in full force and effect. Certain capitalized terms used in the DPT and not otherwise defined are defined in Section 9 below.  Any capitalized terms not defined in the DPT have the respective meanings given to them in the Agreement. In the event of any conflict between the DPT and the Agreement, the DPT will prevail.

  1. Compliance with Data Protection Laws. Each of TripleLift and Seller will comply with all Data Protection Laws which apply to the parties in respect of the performance of their respective obligations under the DPT and the Agreement. The parties agree that both TripleLift and Seller are independent Data Controllers for purposes of any Covered Personal Data originating from the European Economic Area, Switzerland, and the United Kingdom (collectively, the “GDPR Territories”). For purposes of any Covered Personal Data processed in relation to the Services originating from jurisdictions governed by US State Privacy Laws, both TripleLift and Seller are Businesses or Controllers, as applicable, except that TripleLift will process any such Covered Personal Data transmitted with a Restricted Processing Signal as a Service Provider or Processor to Seller.
  2. Contact. Each of TripleLift and Seller agree to notify each other of an individual within its organization authorized to respond from time to time to enquiries regarding the Covered Personal Data and each of TripleLift and Seller will handle such enquiries promptly. TripleLift’s contact is the Director of Privacy available at platformprivacy@triplelift.com.
  3. End User Disclosures and Permissions.
    1. Seller will ensure that, at all times and in accordance with applicable Data Protection Laws, all Inventory will contain conspicuous privacy disclosures that include a description of the Covered Personal Data collection and use associated with the Services, including without limitation, the types of Personal Data that are collected by TripleLift and Demand Partners, an explanation of how and for which purpose(s) the Personal Data will be used and transferred to third parties including TripleLift and Demand Partners, and if required by Data Protection Laws, identifying TripleLift by name and providing a link to TripleLift’s Privacy Policy (defined below).
    2. Seller will ensure the provision of Notice and Choice to End Users for Covered Personal Data and for the use of cookies and other technologies used to store or access information on an End User’s device. TripleLift’s use of Personal Data is set out in its privacy policy currently referenced at https://triplelift.com/privacy/ (and any successor related locations designated by TripleLift), as may be updated by TripleLift from time to time (“TripleLift Privacy Policy”). 
    3. If TripleLift reasonably believes that Seller’s privacy disclosures or Seller’s Notice and Choice are not adequate to enable, in a legally compliant and commercially reasonable manner, TripleLift to provide the Services, or Demand Partners to bid for and purchase Inventory, then TripleLift may notify Seller of its concerns and/or provide a reasonable alternative method. The parties will discuss any changes in good faith.
  4. Co-operation between the parties
    1. As it relates to the Services, the parties will provide reasonable assistance and cooperate with each other to assist in each party’s compliance with Data Protection Laws.
    2. Each party may respond directly to Data Subject requests addressed to it relating to its processing of Personal Data.  At the request of a party receiving a Data Subject request, the other party will cooperate reasonably in assessing and fulfilling such requests for notification, access, erasure or other requests under Data Protection Laws.
    3. The parties shall reasonably cooperate with each other with respect to Complaints related to Covered Personal Data or the use of cookies or similar advertising identifiers on Seller’s Inventory. If Seller receives such a Complaint, it shall promptly notify TripleLift. Likewise, if TripleLift receives a Complaint with respect to Seller’s Inventory, TripleLift will promptly notify Seller. 
  5. Security. Each party will have in place appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data by or on behalf of the parties. 
  6. International Transfer.  
    1. Seller acknowledges that certain Covered Personal Data that originates in the GDPR Territories, the United Kingdom, or Switzerland may be processed by TripleLift outside the GDPR Territories, the United Kingdom, or Switzerland. TripleLift and Seller agree that with respect to such processing (other than that taking place exclusively in an Adequate Country), and as required by Data Protection Laws, the standard contractual clauses contained in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (currently available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) will apply (the “Clauses”) and form part of the DPT subject to Sections 6.2 and 6.3.
    2.  The Clauses are incorporated subject to the following terms:
      1. Module 1 on controller to controller transfers shall apply;
      2. Modules 2, 3, and 4 on other types of transfers shall not apply; 
      3. In Clause 7, the optional docking clause shall not apply; 
      4. In Clause 11, the optional redress clause shall not apply;
      5. In Clause 13(a), the applicable option shall apply;
      6. In Clause 17, Option 1 shall apply and the Parties agree that the Clauses shall be governed by the laws of Ireland;
      7. In Clause 18, the Parties agree that the courts of Ireland shall resolve any dispute arising from the Clauses; and
      8. Annex I and II of the Clauses shall be completed with the information provided in Schedule I of the DPT.
    3. The following terms supplement the Clauses only if, and to the extent, the Clauses apply with respect to data transfers subject to: 
      1. the UK GDPR:
        1.  The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses VERSION B1.0, in force 21 March 2022 shall apply as set out in Schedule 2.
      2. the Federal Data Protection Act of 19 June 1992 (Switzerland):
        1.  The term ’Member State’ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.
  7. US State Privacy Laws. 
    1. The parties agree that this Section 7 is applicable if the Services cause TripleLift to process Covered Personal Data of users located in jurisdictions governed by US State Privacy Laws. Seller further acknowledges that to facilitate the Services, TripleLift may transmit Covered Personal Data to Demand Partners and other partners and vendors as set out here, provided that TripleLift will not further disclose Covered Personal Data with a Restricted Processing Signal present except to subprocessors. In addition, Seller may use controls provided by TripleLift, such as to select which Demand Partners may access Seller’s Inventory under the Services.
    2. Where Seller transmits or otherwise communicates to TripleLift a Restricted Processing Signal in connection with Covered Personal Data, TripleLift will operate as a Service Provider and Processor, in accordance with applicable US State Privacy Laws. When processing Covered Personal Data with a Restricted Processing Signal present, TripleLift will:
      1. Process such Covered Personal Data in accordance with its obligations in the Agreement and only for Restricted Purposes, and not Process such Covered Personal Data for Targeted Advertising purposes or Sell or Share such Covered Personal Data; 
      2. Assist Seller with US State Privacy Laws compliance by (i) assisting Seller in responding to End User requests made pursuant to US State Privacy Laws, provided that Seller must supply to TripleLift all information necessary for it to provide such assistance; (ii) contributing to data protection assessments where required by US State Privacy Laws; (iii) offering reasonable notice and assistance to Seller in the event TripleLift experiences a Data Breach, including to help Seller satisfy its Data Breach notification obligations, if any, under applicable law; and (iv) implementing reasonable security procedures and practices appropriate to the nature of the Covered Personal Data and designed to protect such Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with US State Privacy Laws.
      3. Treat such Covered Personal Data as confidential and subject each person that processes such Covered Personal Data to an appropriate obligation of confidentiality;
      4. Engage a subcontractor to process such Covered Personal Data only if (i) TripleLift has in place a written agreement with the subcontractor that obligates the subcontractor to comply with terms at least as protective as the terms set out in this Section 7.2; (ii) ensure any Restricted Processing Signal is transmitted with the Personal Data to the subcontractor; and (iii) to the extent required by US State Privacy Laws, provide Seller notice of the planned transmission to any subcontractor and an opportunity to object;
      5.  Upon the earlier of any request by Seller or without undue delay following termination of the Agreement, delete, return, or de-identify such Covered Personal Data in accordance with US State Privacy Laws, unless retention is required by applicable law.
      6. Upon Seller’s reasonable request, provide information or an attestation that TripleLift deems reasonably necessary for Seller to verify that TripleLift’s processing is consistent with the obligations set out in this Section 7.2. If the parties mutually agree further review is necessary, TripleLift will allow for reasonable inspection by a third-party auditor approved by TripleLift to verify its compliance with this Section 7.2.
    3. If Covered Personal Data transmitted with a Restricted Processing Signal present is subject to the CCPA, in addition to the obligations set out in Section 7.2, TripleLift will:
      1. Not retain, use, or disclose such Covered Personal Data outside of the direct business relationship with Seller or for any purpose, including Commercial Purposes, other than the Restricted Purposes, unless otherwise permitted by the CCPA.
      2. Upon notice from Seller of its reasonable belief that TripleLift is processing such Covered Personal Data in an unauthorized manner, cooperate with Seller in good faith to stop or remediate the allegedly unauthorized use of such Personal Data, as necessary, such as by providing documentation verifying certain practices.
      3. Notify Seller without undue delay if TripleLift determines it can no longer meet its obligations under the CCPA.
      4. Except to process for the Restricted Purposes or as otherwise permitted by the CCPA, not combine such Covered Personal Data with Personal Data received from or on behalf of another person or source or that TripleLift collects from its own interactions with End Users.
    4. If Covered Personal Data is subject to the CCPA but no Restricted Processing Signal is present, then TripleLift will:
      1. Comply with applicable obligations under the CCPA, including by providing an appropriate level of privacy protection as required by the CCPA, and notify Seller without undue delay if TripleLift determines it can no longer meet its obligations under the CCPA.
      2. Upon Seller’s reasonable request, provide Seller with information TripleLift deems reasonably necessary to demonstrate TripleLift’s Processing of Covered Personal Data is consistent with Seller’s obligations under the CCPA including by TripleLift providing materials it generally makes available for such purposes or by providing an attestation of compliance.
      3. To the extent Seller reasonably believes that TripleLift is engaged in any unauthorized use of such Covered Personal Data, work with Seller in good faith to stop or remediate the allegedly unauthorized use of such Covered Personal Data, as necessary. 
  8. Regulatory changes. If changes to applicable Data Protection Laws, or their interpretation or implementation, arise through legislation, claim or regulator guidance or action, which in TripleLift’s reasonable opinion make changes to the DPT necessary or prudent, TripleLift may, on written notice to Seller, make such changes to the DPT, which Seller agrees will be binding on Seller.
  9. Definitions.

The terms “Data Controller”, “Data Subject”, “Personal Data”, “processing,” and “Processor” have the meanings given to such terms under Data Protection Laws. “Commercial Purpose,” “Cross-Context Behavioral Advertising,” “Share,” “Sell” “Service Provider” and “Targeted Advertising” have the meanings given to such terms under the US State Privacy Laws. 

Adequate Country” means a country or territory that is recognized under Data Protection Laws from time to time as providing adequate protection for Personal Data.

Business” has the meaning given to such term under the CCPA.

Business Purpose” has the meaning given to such term under the CCPA.

Complaint” means a complaint or request relating to either party’s obligations under Data Protection Laws relevant to this Agreement, including any compensation claim from a Data Subject or any notice, investigation or other action from a Supervisory Authority, consumer or industry body.

Covered Personal Data” means Personal Data (or equivalent term) as such is defined in Data Protection Laws, that relates to End Users, and that TripleLift or Demand Partners process, or that Seller otherwise causes TripleLift to process, in relation to the Services. Covered Personal Data includes, without limitation, Personal Data that Seller provides into the Services directly or through a Provider.

Data Breach” means any unauthorized, accidental or unlawful processing, access, loss, disclosure or destruction of Covered Personal Data.

Data Protection Laws” means: (1) the EU General Data Protection Regulation (Regulation 2016/679); (2) any other national laws made under or pursuant to (1) applicable to GDPR Territories; (3) in the United Kingdom, the Data Protection Act 2018 and any later United Kingdom legislation relating to the processing of personal data; (4) ePrivacy Laws; (5) in Switzerland, the Swiss Federal Act on Data Protection of 19 June 1992; and (6) the US State Privacy Laws, each as may be amended, superseded or replaced.

Demand Partners” means media buyers who use the Services to bid for and purchase Inventory including demand side platforms, ad exchanges, agency trading desks and ad networks and any third party acting on behalf of such media buyers.

EEA” means the European Economic Area.

End User” means the users or consumers of Inventory on whose devices cookies or similar technologies may be used, or persons who are otherwise the subjects of Personal Data that is processed in relation to the Services, as such may be termed and defined under Data Protection Laws, including “Data Subjects” under the GDPR, “Consumers” under the US State Privacy Laws, or “users” under 2002/58/EC. 

ePrivacy Laws” means (1) in member states of the European Union: the ePrivacy Directive, or the Regulation concerning the respect for private life and the protection of personal data in electronic communications (Regulation on Privacy and Electronic Communications) 2017/0003 (COD), once applicable, and all relevant member state laws, rules and regulations giving effect to or corresponding with any of them, and/or (2) in the United Kingdom: the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426, and any laws or regulations implementing Directive 2002/58/EC (ePrivacy Directive) and/or any corresponding or equivalent national laws, rules and regulations.

Industry Standards” means industry standards available at https://triplelift.com/industry-standards/ (or any successor location). 

Inventory” means Publisher Media, Media Properties, or Seller Media as such terms may be defined in the Agreement or any other electronic media on which Seller places ads through the Services. 

Provider” means any client, partner, supplier and/or contractor (e.g. a data provider) on whose behalf Seller uses the Services or whom Seller allows to access the Services.

Notice and Choice” means with respect to End Users, the disclosures and choices that must be provided, permissions that must be secured, and rights that must be honored, in accordance with the requirements of Data Protection Laws, Industry Standards, and the specific implementation criteria set out by TripleLift at https://triplelift.com/industry-standards/ (or any successor location). Notice and Choice includes, without limitation, disclosure of data processing purposes and associated legal bases under the GDPR via the TCF or comparable method, ability to give informed consent (as under GDPR), access for the End User to object to processing (as under GDPR), or the right to opt-out of Sales, Sharing, or Targeted Advertising under the US State Privacy Laws. 

Restricted Processing Signal” means an Industry Standard communicating that an End User has opted out of the Sale, Sharing, or Processing for purposes of Targeted Advertising of their Personal Data.

Restricted Purposes” means advertising-related processing that qualifies as a Business Purpose, including Processing for purposes of auditing; security and integrity; debugging; short term, transient uses; analytics; providing advertising or marketing services that do not include Cross-Contextual Behavioral Advertising, Targeted Advertising, or profiling; internal research and service improvement; and efforts to improve quality and safety.  Restricted Purposes includes first-party advertising, contextual advertising, frequency capping, measurement, fraud detection and prevention, and ensuring and measuring viewability, each only to the extent such activity (i) is permissible for a Service Provider or Processor to perform under the applicable US State Privacy Laws; and (ii) does not result in a Sale or Sharing of Personal Data or constitute processing of Personal Data for Targeted Advertising purposes.

Service Provider” has the meaning given to such term under the CCPA.

Services” means the services provided by TripleLift to Seller under the Agreement.

US State Privacy Laws” means the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020 (“CPRA”), and any regulations promulgated thereunder (together the “CCPA”), the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring of 2022, the Utah Consumer Privacy Act of 2022, and the Virginia Consumer Data Protection Act, in each case as amended and including any regulations promulgated thereunder.

Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.

Schedule 1

Annex I

(A) List of Parties
Data exporter: 
Name: Seller 
Address: As set out in the Agreement
Contact person’s name, position and contact details: Contact details for the Seller are specified in, or supplied to TripleLift in connection with, the Agreement.
Activities relevant to the data transferred under these Clauses: Use of advertising technology platform services.
Signature and date: The parties agree that execution of the Agreement by the data importer and the data exporter constitutes execution of these Clauses by both parties as follows: (a) on the effective date of the Agreement; or (b) on 27 December 2022, where the effective date of the Agreement is before 27 December 2022.
Role (controller/processor): Controller

Data importer: 
Name: Triple Lift, Inc.
Address: 53 W 23rd St 12th Floor, New York, NY 10010, USA
Contact person’s name, position and contact details: Chief Privacy Officer, platformprivacy@triplelift.com
Activities relevant to the data transferred under these Clauses: Provision of advertising technology platform services.
Signature and date: The parties agree that execution of the Agreement by the data importer and the data exporter constitutes execution of these Clauses by both parties as follows: (a) on the effective date of the Agreement; or (b) on 27 December 2022, where the effective date of the Agreement is before 27 December 2022.
Role (controller/processor): Controller

(B) Description of Transfer
Categories of data subjects whose personal data is transferred:

  • Seller’s End Users;
  • Seller’s employees, agents, contractors and suppliers.

Categories of personal data transferred:

  • In relation to Seller’s End Users:
    • Cookie, mobile and similar advertising identifiers:
    • IP Address;
    • Demographic information: age range, gender, other Seller-specified demographics;
    • Geo-location
    • Data transferred in connection with the data above, e.g. HTTP header data.
  • In relation to individual employees, contractors, agents or suppliers of Seller (or its Providers):
  • an individual’s business or vocation status, including job role, job description, job title, employment status;
  • personal data that is provided by an individual in connection with permitted purposes of processing.

Sensitive data transferred (if applicable):

  • N/A; unless provided by Seller, which shall be discussed in advance between the parties.

The frequency of the transfer: 

  • The personal data is transferred on a continuous basis.

Nature of the processing:

  • collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction.

Purpose(s) of the data transfer and further processing:

  • Facilitating advertising of information to the Data Subject from the advertiser by way of Inventory;
  • Performance of the rights and obligations under the Agreement and any activities that are reasonably necessary or incidental thereto;

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

(C) Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with Clause 13:

  • Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
  • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
  • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

Annex II

Technical and Organisational Measures designed to Ensure the Security of the Data
Protecting data stored
Personal, private, confidential, and sensitive data, including but not limited to user data, employee data, research and market data, and company, vendor, and partner proprietary data, are all considered “protected data”. TripleLift reasonably prevents unauthorized access to protected data by employing the following technical safeguards:

  • Corporate: Reliance on Google documents and drive and associated permissions and limits access to only authorized users, applications, and devices.
  • Platform: TripleLift places systems and storage devices processing or containing protected data on private networks accessible only to authorized users, applications, and devices and uses a combination of Firewalls, Access Lists, and Proxy devices to limit access to only authorized users, applications, and devices.

Protecting transmitted data

All protected data transferred past the boundaries of TripleLift infrastructure use either authenticated and encrypted communication protocols (SCP, SFTP, and SSL) or internal private networks, point to point external networks, or a combination thereof wherever practically possible, to protect the data in transit. 

Protecting continuity of service

Operational continuity plans are in place which leverage the global AWS data center footprint providing for availability across regions for key systems. These plans are informed and refined by our disaster recovery and capacity planning processes

Schedule 2

UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties
As in Schedule 1, Annex 1(A)

Table 2: Selected SCCs, Modules and Selected Clauses
Addendum SCCs – The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:

  • Date: The parties agree that execution of the Agreement by the data importer and the data exporter constitutes execution of these Clauses by both parties as follows: (a) on the effective date of the Agreement; or (b) on 27 December 2022, where the effective date of the Agreement is before 27 December 2022.
    Reference (if any): Module 1: Controller to Controller as incorporated into the Agreement
    Other identifier (if any): N/A

Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

  • Annex 1A: List of Parties: Schedule 1, Annex I(A)
  • Annex 1B: Description of Transfer: Schedule 1, Annex I(B)
  • Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Schedule 1, Annex II
  • Annex III: List of Sub processors (Modules 2 and 3 only): N/A

Table 4:  Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes – Which Parties may end this Addendum as set out in Section 19:

  • ✔ Importer
  • ✔ Exporter
  • ▢ neither Party

Part 2: Mandatory Clauses
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of those Mandatory Clauses.