Version 0.2
The Data Protection Terms (“DPT”) are incorporated into the TripleLift Publisher Master Services Agreement or TripleLift Supply Master Services Agreement (or other agreement relating to the provision of TripleLift services to Publisher or Seller (as applicable) if not bearing that name) between Triple Lift, Inc. (“TripleLift”) and Publisher or Seller (as applicable) (the “Agreement”) pursuant to which TripleLift provides its services to Publisher or Seller (as applicable) (referred herein as the “Services”). Parties who are referred to as Seller in their Agreement with TripleLift shall be referred to as Publisher throughout this DPT, which is incorporated into Seller’s Agreement with TripleLift. References to the Agreement will be construed as including the DPT. Except as modified below, the terms of the Agreement remain in full force and effect. Certain capitalized terms used in the DPT and not otherwise defined may be defined in Section 9 below. Any capitalized terms not defined in the DPT have the respective meanings given to them in the Agreement. In the event of any conflict between the DPT and the Agreement, the DPT will prevail.
- Compliance with Data Protection Laws. Each of TripleLift and Publisher will comply with all Data Protection Laws which apply to the parties in respect of the performance of their respective obligations under the DPT and the Agreement. The parties agree that both TripleLift and Publisher are independent Data Controllers for purposes of any Covered Personal Data originating from the European Economic Area, Switzerland, and the United Kingdom (collectively, the “GDPR Territories”), as applicable. For purposes of any Covered Personal Data processed in relation to the Services originating from California, if applicable, both TripleLift and Publisher are Businesses.
- Contact. Each of TripleLift and Publisher agree to notify each other of an individual within its organization authorized to respond from time to time to enquiries regarding the Covered Personal Data and each of TripleLift and Publisher will handle such enquiries promptly. TripleLift’s data protection officer (DPO) is Lillian Pang, Taceo Limited. Address: Riverbank House, 2 Swan Lane, London, EC4R 3TT.
- End User Disclosures and Permissions.
- Publisher will ensure that, at all times and in accordance with applicable Data Protection Laws, all Inventory will contain conspicuous privacy disclosures that include a description of the Covered Personal Data collection and use associated with the Services, including without limitation, the types of Personal Data that are collected by TripleLift and Demand Partners, an explanation of how and for which purpose(s) the Personal Data will be used and transferred to third parties including TripleLift and Demand Partners, and if required by Data Protection Laws, identifying TripleLift by name and providing a link to TripleLift’s privacy policy.
- Publisher will ensure the provision of Notice and Choice to End Users for Covered Personal Data and for the use of cookies and other technologies used to store or access information on an End User’s device. TripleLift’s use of Personal Data is set out in its privacy policy currently referenced at https://triplelift.com/privacy/ (and any successor related locations designated by TripleLift), as may be updated by TripleLift from time to time (“TripleLift Privacy Policy”).
- If TripleLift reasonably believes that Publisher’s privacy disclosures or Publisher’s Notice and Choice are not adequate to enable, in a legally compliant and commercially reasonable manner, TripleLift to provide the Services, or Demand Partners to bid for and purchase Inventory, then TripleLift may notify Publisher of its concerns and/or provide a reasonable alternative method. The parties will discuss any changes in good faith.
- Co-operation between the parties.
- As it relates to the Services, the parties will provide reasonable assistance and cooperate with each other to assist in each party’s compliance with Data Protection Laws.
- Each party may respond directly to Data Subject requests addressed to it relating to its processing of Personal Data. At the request of a party receiving a Data Subject request, the other party will cooperate reasonably in assessing and fulfilling such requests for notification, access, erasure or other requests under Data Protection Laws.
- The parties shall reasonably cooperate with each other with respect to Complaints related to Covered Personal Data or the use of cookies or similar advertising identifiers on Publisher’s Inventory. If Publisher receives such a Complaint, it shall promptly notify TripleLift. Likewise, if TripleLift receives a Complaint with respect to Publisher’s Inventory, TripleLift will promptly notify Publisher.
- Security. Each party will have in place appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data by or on behalf of the parties.
- International Transfer.
- Publisher acknowledges that certain Covered Personal Data that originates in the GDPR Territories, the United Kingdom, or Switzerland may be processed by TripleLift outside the GDPR Territories, the United Kingdom, or Switzerland. TripleLift and Publisher agree that with respect to such processing (other than that taking place exclusively in an Adequate Country), and as required by Data Protection Laws, the standard contractual clauses contained in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (currently available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) will apply (“the Clauses”) and form part of the DPT subject to Sections 6.2 and 6.3.
- The Clauses are incorporated subject to the following terms:
- Module 1 on controller to controller transfers shall apply;
- Modules 2, 3, and 4 on other types of transfers shall not apply;
- In Clause 7, the optional docking clause shall not apply;
- In Clause 11, the optional redress clause shall not apply;
- In Clause 13(a), the applicable option shall apply;
- In Clause 17, Option 1 shall apply and the Parties agree that the Clauses shall be governed by the law of Ireland;
- In Clause 18, the Parties agree that the courts of Ireland shall resolve any dispute arising from the Clauses;
- Annex I and II of the Clauses shall be completed with the information provided in Schedule I of the DPT.
- The following terms supplement the Clauses only if, and to the extent, the Clauses apply with respect to data transfers subject to:
- the UK GDPR:
- The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses VERSION B1.0, in force 21 March 2022 shall apply as set out in Schedule 2.
- the Federal Data Protection Act of 19 June 1992 (Switzerland):
- The term ’Member State’ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.
- CCPA Compliance.
- The parties agree that this Section 7 is applicable if TripleLift processes Covered Personal Data from residents of California. For purposes of Covered Personal Data originating from California residents, the parties agree that both parties are Businesses.
- In the event that TripleLift is deemed to process Covered Personal Data for a Business Purpose, it will be regarded as a Service Provider and TripleLift will process such Personal Data solely to provide the Services to Publisher, which do not constitute a CCPA Sale. Neither party receives from the other party any monetary or other valuable consideration for using Personal Data or for sharing Personal Data with the other party. Publisher further acknowledges that to facilitate the TripleLift Services, TripleLift transmits Personal Data to Demand Partners and Publisher may use controls provided by TripleLift to select which Demand Partners may access Publisher’s Inventory under the Services. For any End User or device that opts out and about which Publisher shares Personal Data, Publisher will signal the user opt-out to TripleLift in accordance with Industry Standards, and TripleLift will act as Publisher’s Service Provider with respect to Personal Data from such End User, and as such will limit its retention, use, or disclosure as required under the CCPA.
- Regulatory changes. If changes to applicable Data Protection Laws, or their interpretation or implementation, arise through legislation, claim or regulator guidance or action, which in TripleLift’s reasonable opinion make changes to the DPT necessary or prudent, TripleLift may, on written notice to Publisher, make such changes to the DPT, which Publisher agrees will be binding on Publisher.
- Definitions.
The terms “Data Controller”, “Data Subject”, “Personal Data”, and “processing” have the meanings given to such terms under Data Protection Laws.
“Adequate Country” means a country or territory that is recognized under Data Protection Laws from time to time as providing adequate protection for Personal Data.
“Business” has the meaning given to such term under the CCPA.
“Business Purpose” has the meaning given to such term under the CCPA.
“CCPA Sale” has the meaning given to the term “sale” under the CCPA.
“Client” means each third party client on whose behalf Publisher uses the Services or whom Publisher allows to access the Services.
“Complaint” means a complaint or request relating to either party’s obligations under Data Protection Laws relevant to this Agreement, including any compensation claim from a Data Subject or any notice, investigation or other action from a Supervisory Authority, consumer or industry body.
“Covered Personal Data” means Personal Data (or equivalent term) as such is defined in Data Protection Laws, that relates to End Users, and that TripleLift or Demand Partners process, or that Publisher otherwise causes TripleLift to process, in relation to the Services. Covered Personal Data includes, without limitation, Personal Data that Publisher provides into the Services directly or through a Provider.
“Data Protection Laws” means, as applicable to TripleLift, Publisher or the Services as may be amended, superseded or replaced: (1) the EU General Data Protection Regulation (Regulation 2016/679); (2) any other national laws made under or pursuant to (1) applicable to GDPR Territories; (3) in the United Kingdom, the Data Protection Act 2018 and any later United Kingdom legislation relating to the processing of personal data; (4) ePrivacy Laws; and (5) in Switzerland, the Swiss Federal Act on Data Protection of 19 June 1992; and (6) in California, the California Consumer Privacy Act of 2018 and any regulation promulgated thereunder (“CCPA”).
“Demand Partners” means media buyers who use the Services to bid for and purchase Inventory including demand side platforms, ad exchanges, agency trading desks and ad networks and any third party acting on behalf of such media buyers.
“EEA” means the European Economic Area.
“End User” means the users or consumers of Inventory on whose devices cookies or similar technologies may be used, or persons who are otherwise the subjects of Personal Data that is processed in relation to the Services, as such may be termed and defined under Data Protection Laws, including “Data Subjects” under the GDPR, “Consumers” under the CCPA, or “users” under 2002/58/EC.
“ePrivacy Laws” means (1) in member states of the European Union: the ePrivacy Directive, or the Regulation concerning the respect for private life and the protection of personal data in electronic communications (Regulation on Privacy and Electronic Communications) 2017/0003 (COD), once applicable, and all relevant member state laws, rules and regulations giving effect to or corresponding with any of them, and/or (2) in the United Kingdom: the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426, and any laws or regulations implementing Directive 2002/58/EC (ePrivacy Directive) and/or any corresponding or equivalent national laws, rules and regulations.
“Industry Standards” means industry standards available at https://triplelift.com/industry-standards/.
“Inventory” means Publisher Media or Media Properties as such terms may be defined in the Agreement or any other electronic media on which Publisher places ads through the Services.
“Provider” means any Client, partner, supplier and/or contractor (e.g. a data provider) on whose behalf Publisher uses the Services or whom Publisher allows to access the Services.
“Publisher” means the Publisher as set out in the Agreement, if such defined term is used, or otherwise TripleLift’s customer or counterparty in the Agreement.
“Notice and Choice” means the disclosures and choices that must be provided to, permissions that must be secured from End Users, and End User rights that must be honored, in accord with the requirements of Data Protection Laws, Industry Standards, and the specific implementation criteria set out by TripleLift at https://triplelift.com/industry-standards/ (or any successor location). Notice and Choice includes, without limitation, disclosure of data processing purposes and associated legal bases under the GDPR via the TCF or comparable method, ability to give informed consent (as under GDPR), access for the End User to object to processing (as under GDPR), or the right to opt-out of a CCPA Sale.
“Service Provider” has the meaning given to such term under the CCPA.
“Services” means the services provided by TripleLift to Publisher under the Agreement.
“Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
Schedule 1
Annex I
(A) List of Parties
Data exporter:
Name: Publisher
Address: As set out in the Agreement
Contact person’s name, position and contact details: Contact details for the Publisher are specified in, or supplied to TripleLift in connection with, the Agreement.
Activities relevant to the data transferred under these Clauses: Use of advertising technology platform services.
Signature and date: The parties agree that execution of the Agreement by the data importer and the data exporter constitutes execution of these Clauses by both parties as follows: (a) on the effective date of the Agreement; or (b) on 27 December 2022, where the effective date of the Agreement is before 27 December 2022.
Role (controller/processor): Controller
Data importer:
Name: Triple Lift, Inc.
Address: 53 W 23rd St 12th Floor, New York, NY 10010, USA
Contact person’s name, position and contact details: Chief Privacy Officer, privacy@triplelift.com.
Activities relevant to the data transferred under these Clauses: Provision of advertising technology platform services.
Signature and date: The parties agree that execution of the Agreement by the data importer and the data exporter constitutes execution of these Clauses by both parties as follows: (a) on the effective date of the Agreement; or (b) on 27 December 2022, where the effective date of the Agreement is before 27 December 2022.
Role (controller/processor): Controller
(B) Description of Transfer
Categories of data subjects whose personal data is transferred:
- Publisher’s end users;
- Publisher’s employees, agents, contractors and suppliers.
Categories of personal data transferred:
- In relation to Publisher’s end users:
- Cookie, mobile and similar advertising identifiers;
- IP Address;
- Demographic information: age range, gender, other Publisher-specified demographics;
- Geo-location;
- Data transferred in connection with the data above, e.g. HTTP header data.
- In relation to individual employees, contractors, agents or suppliers of Publisher (or its Providers):
- an individual’s business or vocation status, including job role, job description, job title, employment status;
- personal data that is provided by an individual in connection with permitted purposes of processing.
Sensitive data transferred (if applicable):
- N/A; unless provided by Publisher, which shall be discussed in advance between the parties.
The frequency of the transfer:
- The personal data is transferred on a continuous basis.
Nature of the processing:
- collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction.
Purpose(s) of the data transfer and further processing:
- Facilitating advertising of information to the Data Subject from the advertiser by way of Inventory;
- Performance of the rights and obligations under the Agreement and any activities that are reasonably necessary or incidental thereto;
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
- Personal data will be retained in accordance with the storage and retention period disclosed in the TripleLift Advertising Technology Platform Privacy Policy at https://triplelift.com/platform-privacy-policy/.
(C) Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with Clause 13:
- Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
- Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
- Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
Annex II
Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data
Protecting data stored
Personal, private, confidential, and sensitive data, including but not limited to user data, employee data, research and market data, and company, vendor, and partner proprietary data, are all considered “protected data”. TripleLift reasonably prevents unauthorized access to protected data by employing the following technical safeguards:
- Corporate: Reliance on Google documents and drive and associated permissions, which limit access to only authorized users, applications, and devices.
- Platform: TripleLift places systems and storage devices processing or containing protected data on private networks accessible only to authorized users, applications, and devices and uses a combination of Firewalls, Access Lists, and Proxy devices to limit access to only authorized users, applications, and devices.
Protecting transmitted data
All protected data transferred past the boundaries of TripleLift infrastructure use either authenticated and encrypted communication protocols (SCP, SFTP, and SSL) or internal private networks, point to point external networks, or a combination thereof wherever practically possible, to protect the data in transit.
Protecting continuity of service
Operational continuity plans are in place which leverage the global AWS data center footprint providing for availability across regions for key systems. These plans are informed and refined by our disaster recovery and capacity planning processes.
Schedule 2
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
As in Schedule 1, Annex 1(A)
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum SCCs – The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date: The parties agree that execution of the Agreement by the data importer and the data exporter constitutes execution of these Clauses by both parties as follows: (a) on the effective date of the Agreement; or (b) on 27 December 2022, where the effective date of the Agreement is before 27 December 2022.
Reference (if any): Module 1: Controller to Controller as incorporated into the Agreement
Other identifier (if any): N/A
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: Schedule 1, Annex I(A)
Annex 1B: Description of Transfer: Schedule 1, Annex I(B)
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Schedule 1, Annex II
Annex III: List of Sub processors (Modules 2 and 3 only): N/A
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes – Which Parties may end this Addendum as set out in Section 19:
✔ Importer
✔ Exporter
▢ neither Party
Part 2: Mandatory Clauses
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.