
Data Processing Addendum to ART19 Terms of Service

This Data Processing Addendum (“Addendum”) completes and forms part of the relevant agreement governing Customer’s use of the Service (altogether “Terms of Service”) between the customer specified in the agreement (“Customer”) and ART19 Inc., and its affiliates, subsidiaries and branches (“Service Provider”) to the extent Customer provides Service Provider with information which is subject to Data Protection Law (as defined in Section 1.4).

This Addendum regulates the Processing of Personal Data subject to Data Protection Law for the Purposes (as defined in Section 2) by the Parties in the context of the Service. The terms used in this Addendum have the meaning set forth in this Addendum. Capitalized terms not otherwise defined herein have the meaning given to them in the Terms of Service. Except as modified below, the Terms of Service remain in full force and effect.

The Parties agree that the terms set out below are added as an Addendum to the Terms of Service.

  1. Definitions. The following terms have the meanings set out below for this Addendum:
    1. “Controller” means the entity which alone or jointly with others determines the purposes and the means of the Processing of Personal Data.
    2. “Data Subject” means a natural person whose Personal Data are processed in the context of this Addendum.
    3. “Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making in accordance with Data Protection Law.
    4. “Data Protection Law” means the General Data Protection Regulation 2016/679, the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementing legislations in the EEA and the UK; the UK Data Protection Act 2018, the Swiss Federal Data Protection Act, the Data Protection Acts of the EEA countries (all as amended and replaced from time to time), the California Consumer Privacy Act of 2018 (“CCPA”), and all other applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Company Personal Data are subject.
    5. “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
    6. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
    7. “Processor” means the entity which processes Personal Data on behalf of a Controller.
    8. “Processing of Personal Data” (or “Processing/Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    9. “Sub-Processor” means the entity engaged by the Processor or any further sub-contractor to Process Personal Data on behalf of and under the instructions of the Controller.
  2. Roles of the Parties. For the purpose of this Addendum, the Parties acknowledge and confirm that Customer is a Controller and Service Provider is a Processor for the Processing of Personal Data for the Purposes (as defined in Section 2) in the context of the Service. For the purposes of the CCPA, Service Provider acts as Customer’s service provider as defined under Cal. Code 1798.140(t)(2)(C).
  3. Description of the Processing Activities. Service Provider will Process Personal Data to provide its Services as described in the Terms of Service and only for the purpose of providing such Services (“Purposes”). Service Provider will Process end user or listener IP addresses and other Personal Data in the context of the provision of the Services to Customer and may provide such IP addresses and other Personal Data to Customer upon request. Service Provider will Process Personal Data only for as long as necessary to provide the Service and as permitted under the Terms of Service, and will not further collect, sell, or use Personal Data except as necessary to perform the business purpose of serving and measuring targeted podcast advertisements (as directed by Customer).
  4. Obligations of Customer. Customer confirms and warrants that, in relation to the Processing of Personal Data for the Purposes in the context of the Service, it acts as a Controller and that: (a) it complies with Data Protection Law when Processing Personal Data, and only gives lawful instructions to Service Provider; (b) Data Subjects have been informed of their rights and the uses of Personal Data as required by Data Protection Law, including without limitation by cooperation with Service Provider to include a link to Service Provider’s Privacy Policy and opt-out in the show notes of each Customer’s podcast and in Customer’s privacy policy or terms of service; (c) it relies on a valid legal ground for the processing of Personal Data under Data Protection Law; (d) it complies with Data Subject requests to exercise their rights of access, rectification, erasure, data portability, restriction of Processing, and objection to the Processing; (e) it complies with data accuracy, proportionality and data retention principles; (f) it implements appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the Processing of Personal Data is performed in accordance with Data Protection Law; and (g) it will cooperate with Service Provider to fulfil their respective data protection compliance obligations in accordance with Data Protection Law.
  5. Obligations of Service Provider. Service Provider confirms and warrants that it complies with Data Protection Law when Processing Personal Data for the Purposes in connection with the Service, and that it:
    1. Only Processes Personal Data on behalf of Customer in accordance with the Customer’s lawful written instructions and not for any other purposes than those specified in Section 2, 3, or as otherwise agreed by both Parties in writing. For the avoidance of doubt, Customer authorizes Service Provider to de-identify Personal Data for Service Provider’s own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, product improvement and compliance with law. Service Provider will Process such de-identified data in accordance with Data Protection Law.
    2. Will promptly inform Customer if, in its opinion, the Customer’s instructions infringe Data Protection Law, or if Service Provider is unable to comply with the Customer’s instructions.
    3. Will notify Customer without undue delay after becoming aware of a Personal Data Breach. Service Provider will take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach.
    4. Will assist Customer in complying with its own obligations under Data Protection Law, data breach notifications, conducting data protection impact assessments, and prior consultations with supervisory authorities under Data Protection Law, taking into account the nature of the Processing and the information available to Service Provider. To the extent authorized under applicable law, Customer shall be responsible for any costs arising from Service Provider’s provision of such assistance.
    5. Taking into account the nature of the processing, will assist Customer by appropriate technical and organizational measures, insofar as this is possible, to fulfil Customer’s obligation to respond to Data Subjects’ requests to exercise their rights as provided under Data Protection Law and specified in Clause 4(d) above. To the extent authorized by applicable law, Customer shall be responsible for any costs arising from Service Provider’s provision of such assistance.
    6. When the Addendum expires or upon termination of the Addendum or upon a request to delete or return Personal Data, Service Provider will, at the choice of Customer, delete, anonymize, or return all Personal Data to Customer, and delete or anonymize existing copies unless EU or EU member state law prevents it from returning or destroying all or part of the Personal Data or requires storage of the Personal Data (in which case Service Provider must keep them confidential).
  6. Data Transfers. To provide the Services, Service Provider may need to import Personal Data to the United States. Customer authorizes such cross-border Personal Data transfers and confirms and warrants that it will comply with any requirements under Data Protection Law with regard to such Personal Data transfers, including the clauses attached to EU Commission Decision 2010/87/EU of 5 February 2010 which are hereby incorporated into this Addendum here. The parties agree that: (i) the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with Section 9 of this Addendum; (ii) pursuant to Clause 5(h) and Clause 11 of the Standard Contractual Clauses, Service Provider may engage new Subprocessors in accordance with Section 7 of this Addendum; and (iii) the Subprocessor agreements referenced in Clause 5(j) and certification of deletion referenced in Clause 12(1) of the Standard Contractual Clauses shall be provided only upon Company’s written request. Each party’s acceptance of this Addendum shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder. The optional clauses are expressly not included. Notwithstanding anything to the contrary herein or in the Agreement, this Section 6 may be amended by Service Provider to address changes in Data Protection Laws with fifteen (15) days’ notice to Customer.
  7. Sub-Processing. Customer gives a general authorization to Service Provider to disclose Personal Data to Sub-Processors under the conditions set forth below, and Service Provider represents and warrants that when sub-processing the Processing of Personal Data in the context of the Service, it binds its Sub-Processors by way of an agreement which imposes on the Sub-Processor data protection obligations that are consistent with the obligations imposed on Service Provider under this Addendum, in particular providing sufficient guarantees to implement appropriate technical and organizational measures to ensure the Processing will meet requirements under Data Protection Law, to the extent applicable to the nature of the service provided by the Sub-Processors. Where the Sub-Processor fails to fulfil its data protection obligations under such agreement, Service Provider shall remain fully liable towards Customer for the performance of the Sub-Processor’s obligations under such agreement.
  8. Security of the Processing; Confidentiality. Service Provider must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. In assessing the appropriate level of security, Service Provider must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects and the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. Service Provider will take steps to ensure that any person acting under its authority who has access to Personal Data is bound by enforceable contractual or statutory confidentiality obligation.
  9. Data Protection Audit. Upon prior written request by Customer, Service Provider agrees to cooperate and within reasonable time provide Customer with: (a) a summary of the audit reports demonstrating Service Provider’s compliance with its obligations under this Addendum, after redacting any confidential and commercially sensitive information; and (b) confirmation that the audit has not revealed any material vulnerability in Service Provider’s systems, or to the extent that any such vulnerability was detected, that Service Provider has fully remedied such vulnerability. If the above measures are not sufficient to confirm compliance with Data Protection law or reveal some material issues, subject to the strictest confidentiality obligations, Service Provider allows Customer to request an audit of Service Provider’s data protection compliance program by external independent auditors, which are jointly selected by the Parties. The external independent auditor cannot be a competitor of Service Provider, and the Parties will mutually agree upon the scope, timing, and duration of the audit. Service Provider will make available to Customer the result of the audit of its data protection compliance program. Customer must reimburse Service Provider for all expenses and costs for such audit.
  10. Liability Towards Data Subjects. Subject to any limitations of liability set out in the Terms of Service, if one Party has paid damages or fines from a failure to comply with its obligations in the Addendum, it is entitled to claim back from the other Party that part of the compensation corresponding to the other Party’s part of responsibility for the damage. For that purpose, both Parties agree that Customer will be liable to Data Subjects for the entire damage resulting from a violation of Data Protection Law with regard to Processing of Personal Data for which it is a Controller, and that Service Provider will only be liable to Data Subjects for the entire damage resulting from a violation of the obligations of Data Protection Law directed to Processor or where it has acted outside of or contrary to Customer’s lawful instructions. Service Provider will be exempt from liability if it proves that it is not responsible for the event giving rise to the damage.
  11. Modification of this Addendum and Termination. This Addendum may only be modified by a written amendment signed by each of the Parties. The Parties agree that this Addendum is terminated upon the termination of the Service.
  12. Invalidity and Severability. If any provision of this Addendum is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this Addendum and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.