Kochava Inc. (“Kochava”) and Company (collectively, the “Parties”) are parties to certain agreements (“Agreements”) which concern the processing of personal data that is subject to Regulation (EU) 2016/679 (“GDPR”).
Kochava wishes to unilaterally obligate itself to conform to the data processing requirements under GDPR without placing any additional obligations on Company beyond those already included in the Agreements.
This Data Processing Policy (“Policy”) is intended to inform Company of Kochava’s data processing obligations in light of GDPR.
A. With respect to Company Personal Data (meaning, personal data supplied by Company to Kochava under the Agreements and which Kochava processes as a data processor pursuant to the Agreements), Kochava is the data processor and Company is the controller for the purposes of GDPR.
B. Kochava acknowledges that the Agreements may impose existing data processing obligations which are similar or equivalent to the obligations set forth in this Policy. The data processing obligations set out in this Policy supplement, and are subject to, those set out in the Agreements.
C. For purposes of this Policy, the terms “controller,” “data subject,” “personal data,” “personal data breach,” “processing,” “processor,” and “sensitive personal data” have the meanings set out in GDPR.
D. The headings in this Policy do not define or limit the scope of their associated clauses and are for reference only.
III. KOCHAVA’S DATA PROCESSING OBLIGATIONS
In respect of any Company Personal Data that is processed by Kochava for the purposes of GDPR, Kochava shall:
1. Process on Behalf of Company. Process the Company Personal Data only on behalf of Company and for the purposes of performing its obligations under the applicable Agreements in accordance with the instructions contained in the applicable Agreements or as otherwise agreed in writing by the Parties. Kochava shall notify Company as soon as legally practicable if Kochava is required under applicable law to process Company Personal Data otherwise than as instructed by Company;
2. Purpose & Manner of Processing. Not determine the purposes for which, nor the manner in which, it processes Company Personal Data.
3. Infringing Instruction Notice. Inform Company immediately if, in Kochava’s opinion, any instruction from Company infringes the GDPR;
4. Employee Access to Data. Ensure that only those Kochava Personnel (meaning, all employees, staff, other workers, agents and consultants of Kochava and of any Sub-Contractors who are engaged to process the Company Personal Data from time to time) who have a need to know and are under confidentiality obligations with respect to the Company Personal Data, have access to the Company Personal Data;
5. Personal Data Protection. Take appropriate technical and organizational measures to protect the Company Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the level of risk presented by the processing (and having regard to the nature of the Company Personal Data which is to be protected) and to the harm which might result from a personal data breach affecting the Company Personal Data;
6. Delete Company Personal Data. Without prejudice to Kochava’s existing obligations under the Agreements in respect of the deletion of Company Personal Data, at the choice of Company, delete or return all Company Personal Data after the termination or expiry of the Agreements, unless required by applicable law or permitted by Company under the Agreements to retain copies of such Company Personal Data;
7. Data Subject Assistance. Provide assistance, insofar as is possible, reasonably requested by Company in order to allow Company to comply with its obligations to data subjects who exercise their rights under the GDPR, including, without limitation, correcting, deleting, or blocking any personal data relating to a data subject;
8. Data Protection Impact Assessment. Taking into account the nature of the processing and the information available to Kochava, provide assistance as reasonably requested by Company in order to allow Company to comply with its obligations under Articles 32 to 36 of the GDPR, including, without limitation, performing a data protection impact assessment where such an assessment for Kochava’s data processing is required under GDPR;
9. Audits. Without prejudice to Kochava’s existing obligations under the Agreements in respect of security audits, on an annual basis, where Kochava deems appropriate, procure that a third-party auditor conducts an ISO/IEC 27001:2013 or other industry standard audit of Kochava’s controls relating to the Company Personal Data. Company mandates Kochava to procure this audit on its behalf in order to audit Kochava’s compliance with its obligations under GDPR as a data processor. At Company’s request annually, Kochava will provide Company with a copy of its then-current audit report and such report will be deemed Kochava’s confidential information. If Company is not satisfied with the audit report, or if Kochava does not provide an audit report, then Company may engage at its sole expense a qualified third-party auditor with sufficient experience and technical proficiency (to be agreed with Kochava) to conduct an audit on its behalf (the scope of the audit to be agreed with Kochava). Kochava may charge a reasonable fee for costs incurred in connection with this audit;
10. Data Breach Notice. Notify Company without undue delay of the discovery by Kochava of any actual or suspected data breach involving the Company Personal Data and shall discharge any related obligations under the GDPR;
11. Data Breach Assistance. In relation to any personal data breach involving the Company Personal Data, Kochava shall provide Company with assistance reasonably requested by Company for Company to investigate such a breach and enable Company to notify the relevant Regulatory Body (meaning, the relevant regulatory body which regulates Company’s or Kochava’s processing of personal data) or the relevant data subjects of such a breach, as applicable;
12. Data Protection Officer. Appoint a Data Protection Officer, as defined under GDPR, if so required and provide Company with notice of such appointment.
13. Sub-Contractor Obligations. With the exception of those Sub-Contractors (defined below) with which Kochava has existing contracts as of May 25, 2018, and without prejudice to Kochava’s existing rights under the Agreements to subcontract the processing of Company Personal Data to a third party, Kochava shall not subcontract or otherwise engage any third party to carry out processing activities with respect to the Company Personal Data without obtaining Company’s prior written consent. Where Kochava uses a third party in accordance with this clause (each a “Sub-Contractor”), Kochava shall procure a written contract, which imposes obligations at least the equivalent of those imposed on Kochava under the Agreements, obligating each Sub-Contractor to: (i) comply with GDPR, the Agreements, and this Policy whenever applicable to it, and (ii) never perform their obligations in such a way as to cause Company to breach any of its obligations under GDPR. As of May 25, 2018, Kochava has contracts in place in accordance with this clause with Google LLC (Google Cloud Services) and Amazon Web Services, Inc. for the processing of Company Personal Data;
14. Sub-Contractor Liability. Remain fully liable to Company for any Sub-Contractor’s processing of Company Personal Data;
15. Data Isolation. Except where expressly authorized by Company in writing, Kochava shall isolate Company’s data from Kochava’s, and any third party’s, information.
16. Cross-Border Data Transfer. Not process or otherwise transfer any Company Personal Data outside the European Economic Area to any third country which has not been deemed by the European Commission an Adequate Jurisdiction (meaning, the country ensures an adequate level of data protection), unless specifically authorized to do so in writing by Company and then subject always to any conditions that may be reasonably imposed by Company. Kochava shall remain, as necessary, a certified participant in the EU-U.S. Privacy Shield program, under which the European Commission deemed the United States an Adequate Jurisdiction. Furthermore, Kochava shall execute a model Standard Contractual Clauses agreement with Company upon request.
17. Record Maintenance. Maintain appropriate records of all processing activities carried out pursuant to the Agreements.
IV. SCOPE OF DATA PROCESSING
A. The processing of personal data concerns the following categories of data subjects:
End-users of Company’s mobile applications or websites, or individuals who receive Company’s digital advertisements, but only in those instances where Company has sent Kochava such data for processing.
B. The processing concerns the following categories of personal data:
IP address, advertising identifiers (e.g. IDFA, Google Ad ID, or other information as determined by Company, but in all cases excluding sensitive data).
C. The processing concerns the following categories of sensitive data:
D. The processing concerns the following categories of processing activities:
Kochava processes personal data as necessary to perform its obligations under the applicable Agreements in accordance with the instructions contained in the applicable Agreements, or as otherwise agreed in writing by the Parties.
E. Kochava uses the following Sub-Processors:
Google LLC (Google Cloud Platform)
Amazon Web Services, Inc.