Covatic Data Processing Agreement (“DPA”)
Last updated: 4 February 2026
1. Additional Definitions
In addition to the terms defined in the Agreement, in this DPA, the following words have the following meanings:
1) Client Personal Data: all personal data provided to Covatic for processing by or on behalf of Client or accessed or generated by Covatic as Client’s processor in connection with the Solutions;
2) Data Protection Laws: means all national or international laws and regulations relating to the processing of personal data and privacy, in each case as amended, replaced or updated from time to time, to the extent applicable to the activities of each party, including without limitation: (a) the EU General Data Protection Regulation (2016/679) (“GDPR”); (b) national laws implementing, adapting, supplementing, or substituting the GDPR including without limitation the UK GDPR and the UK Data Protection Act 2018; (c) UK and national laws implementing the Directive on Privacy and Electronic Communications (2002/58/EC); and (d) US State privacy laws including the California Consumer Privacy Act 2018 and California Privacy Rights Act 2020 (“CCPA/CPRA”);
3) Personal Data Breach: a breach of Covatic’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data;
4) Sub-processor: any third party that processes Client Personal Data on behalf of Covatic;
5) Other terms used shall have the same meanings as under the Data Protection Laws.
2. Roles of the parties
2.1 The scope, nature, and purpose of processing of Client Personal Data are as set out in the Agreement and in Schedule A to this DPA.
2.2 Each party shall comply with Data Protection Laws in providing and using the Covatic Solutions.
2.3 Client shall at all times have all required consents or other valid legal basis and all other rights required for the processing of Client Personal Data and its provision to or collection by Covatic in connection with the Solutions.
2.4 Client shall be the controller of Client Personal Data and Covatic shall be the processor. Where Client Personal Data is California Personal Information, then Schedule B to this DPA shall apply.
3. Client’s Instructions
3.1 Client instructs Covatic to process Client Personal Data as required for the provision of the Solutions and in accordance with the Agreement, unless:
3.1.1 Covatic is required to process Client Personal Data for another purpose under any law to which Covatic is subject; or
3.1.2 in Covatic’s opinion, any Client instructions infringe or may infringe Data Protection Laws,
and, in either case, Covatic shall notify Client as soon as reasonably practicable (unless applicable law prohibits this), including a description of the nature of the issue.
4. Covatic’s General Obligations
4.1 Covatic, as processor of Client Personal Data, shall:
4.1.1 keep Client Personal Data confidential and process it only as required for the provision of the Covatic Solutions and in accordance with the Agreement and Client’s instructions;
4.1.2 ensure that Covatic’s employees, staff, workers and agents processing Client Personal Data are subject to appropriate confidentiality obligations;
4.1.3 promptly pass any requests, complaints or any other communications relating to the processing of Client Personal Data received directly from data subjects or from a supervisory authority on to Client;
4.1.4 provide appropriate technical and organisational measures and other reasonable assistance to support Client in responding to requests for exercise of their rights by data subjects;
4.1.5 provide reasonable assistance to Client in connection with Client’s obligations under Data Protection Laws including in relation to security of processing, notifications connected with a Personal Data Breach, data protection impact assessments, and prior consultations required to be made to supervisory authorities; and
4.1.6 enable Client, at Client’s option, to delete or download Client Personal Data during the Term or for a reasonable time after termination of the provision of the Solutions. Where data is deleted, Covatic shall delete all copies, unless applicable law requires storage of Client Personal Data, and upon request certify such deletion in writing (email being acceptable) to Client. Covatic shall also delete back-up or archive copies as soon as practicable.
5. Data Security
5.1 Covatic shall have and maintain in place security measures appropriate to the nature of the Client Personal Data to prevent Personal Data Breaches, including as referred to in Schedule A.
5.2 In the event of a Personal Data Breach, Covatic shall inform Client without undue delay (and in any event within 48 hours) after becoming aware of it and provide the known information in relation to it. Covatic will take steps to contain and prevent recurrence of the Personal Data Breach, if necessary suspending the processing of Client Personal Data, and the parties will agree any further actions required.
6. Sub-processors
6.1 Client specifically authorises Covatic to engage the sub-processors listed in Schedule A.
6.2 Covatic shall inform Client of any intended addition or replacement of any sub-processors. Client shall have the right to object in writing to any such changes on reasonable grounds within ten business days of being informed of the change. The parties shall agree reasonable steps to resolve any such objections.
6.3 Covatic shall ensure that the arrangement between Covatic and each sub-processor is governed by a written contract including data protection obligations reasonably equivalent to those in this DPA and as required by Data Protection Laws.
6.4 Notwithstanding Covatic’s appointment of sub-processors, Covatic shall remain liable for any breach of this DPA, the Agreement, or Data Protection Laws that is caused by an act, error or omission of any such sub-processor.
7. Transfers outside of Europe
Covatic shall only be permitted to transfer Client Personal Data outside of the UK, the EEA, Switzerland, or another “adequate” location as defined by Data Protection Laws, if Covatic has put in place appropriate safeguards, which may include standard contractual clauses approved by the applicable EU and/or UK authorities for such purpose.
8. Information and Audits
8.1 Covatic shall:
8.1.1 upon reasonable request provide the Client with information demonstrating compliance with Covatic’s obligations under Data Protection Laws; and
8.1.2 cooperate with audits conducted by the Client or by an auditor appointed by the Client (that is subject to reasonable obligations of confidentiality in relation to Covatic confidential information) in order to verify Covatic’s compliance with this DPA, or as requested by a supervisory authority.
8.2 Audits instigated by Client may be carried out not more than once during each 12 month period of the Term (unless required earlier under Data Protection Laws or in response to a Personal Data Breach), on not less than 10 business days’ prior notice, during Covatic’s normal business hours, and without disruption to Covatic’s business.
9. Indemnity & liability
9.1 Covatic shall indemnify the Client against claims and losses incurred by Client arising out of or in connection with Covatic’s non-compliance with: (a) this DPA; and/or (b) Data Protection Laws.
9.2 Covatic will not be liable for any loss or damage caused by Client’s instructions or Client’s own collection or processing of Client Personal Data.
9.3 Client shall indemnify and hold harmless Covatic against all losses incurred by Covatic arising out of or in connection with any breach by Client of Section 2.3 of this DPA.
SCHEDULE A – DATA PROCESSING DETAILS
| Duration of the processing | The Term of the Agreement and for any further time as the parties shall agree in writing |
| Subject matter, nature, and purpose of the processing | The Covatic Solutions process data: (i) on users’ devices; (ii) from third party data providers such as Experian and CACI; and/or (iii) provided by Client (first party data) in order to infer the possible preferences and interests of users in order to serve them more relevant content and ads. |
| Type(s) of personal data | Content consumption; Coarse location; Device type; Signed-in user data (e.g. gender); Subscription status; Network data; Inferred income, occupation, shopping habits |
| Categories of data subjects | End users of Client Products |
| Security measures | Covatic has implemented a comprehensive information security policy which includes measures for: pseudonymisation and encryption of personal data; ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services; ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing; user identification and authorisation; protection of data during transmission; protection of data during storage; physical security of locations at which personal data are processed; event logging; system configuration, including default configuration; internal IT and IT security governance and management; certification/assurance of processes and products |
| Authorised Sub-processors | Amazon Web Services EMEA SARL, Luxembourg: Cloud Infrastructure and Hosting Services. MongoDB Limited, Ireland: Cloud Infrastructure and Hosting Services. |
SCHEDULE B – CALIFORNIA PERSONAL INFORMATION
1. In this Schedule B:
(a) the expressions “business”, “business purpose”, “commercial purpose”, “consumer”, “personal information”, “sell”, “service provider” and “share” have the same definitions as in the CCPA/CPRA; and
(b) “California Personal Information” refers to personal information relating to a California consumer.
2. Without limiting the generality of the parties’ obligations under this DPA, to the extent that Client provides California Personal Information to Covatic, then in relation to such California Personal Information, Covatic:
(a) acknowledges that such California Personal Information is provided to it only for limited and specified purposes as referred to in Schedule A;
(b) will comply with its obligations, and provide the same level of privacy protection as is required, under the CCPA/CPRA;
(c) grants to Client the rights:
(i) to take reasonable and appropriate steps to help to ensure that Covatic uses such California Personal Information in a manner consistent with Client’s obligations under the CCPA/CPRA; and
(ii) upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of such California Personal Information; and
(d) shall notify Client promptly if it makes a determination that it can no longer meet its obligations under the CCPA/CPRA.
3. In relation to such California Personal Information, Client is a business and Covatic is a service provider, and in such capacity Covatic agrees that:
(a) Covatic will not:
(i) sell or share such California Personal Information;
(ii) retain, use, or disclose such California Personal Information for any purpose (including a commercial purpose) other than for the specific business purposes of providing for Client the Covatic Solutions;
(iii) retain, use, or disclose such California Personal Information outside of the direct business relationship between Covatic and Client; or
(iv) combine such California Personal Information with personal information that Covatic receives from, or on behalf of, another person or persons, or collects from Covatic’s own interaction with the consumer (save to the extent that such combination forms part of the business purpose of providing the agreed Covatic Solutions or as otherwise permitted by the CCPA/CPRA);
(b) Client may monitor Covatic’s compliance with this Schedule in accordance with Section 8 of the DPA; and
(c) if Covatic engages any other person to assist Covatic in processing California Personal Information on Client’s behalf, such engagement shall be pursuant to a written contract binding such other person to observe all the requirements of this Schedule, and Covatic shall notify Client of that engagement in accordance with Section 6 of the DPA.