Data Processing Addendum
This Data Processing Addendum (“DPA”) forms an integral part of the Xeworks Terms of Use (“Agreement”) entered into by and between Xeworks and the Customer using the Services from Xeworks. Together, this DPA and the Agreement constitute a binding legal agreement governing the parties' obligations regarding the processing of personal data in connection with the Services, as defined herein.
The Customer acknowledges and agrees to enter into this DPA on its own behalf and, as required by Applicable Data Protection Laws, on behalf of any affiliates or group entities using the Services.
Xeworks reserves the right to update this DPA at any time and without prior notice. All amendments will be published on this webpage and will take effect upon posting. By continuing to use the Services after any such updates, you accept and agree to be bound by the revised DPA.
1. Definitions
For the purposes of this DPA:
Applicable Data Protection Laws means all applicable data protection and privacy laws, regulations, and industry self-regulatory standards, including the EU General Data Protection Regulation (GDPR) and the industry principles and standards, including policies and specifications as set by IAB Europe.
Controller, Processor, Sub-Processor, Data Subject, Processing, and Personal Data have the meanings set forth in the GDPR.
Services, Customer, Publisher (“Publisher”, “Supply Side Platform”, “SSP”), Advertiser (“Advertiser”, “Demand Side Platform”, “DSP”), Digital Property, End User have the meanings provided in Xeworks Terms of Use.
Security Incident means a personal data breach or any unauthorized access or breach of security leading to, or reasonably believed to have led to, the theft, accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to any personal data processed by the Customer (and/or any processor or Sub-processor) under or in connection with this DPA.
Standard Contractual Clauses (SCCs) refers to either Module Two (Controller to Processor) or Module Three (Processor to Processor) of the standard contractual clauses adopted by the European Commission in Implementing Decision (EU) 2021/91 of June 4, 2021, as may be amended. The SCCs are available here.
Sub-processor means any third party appointed by a processor or service provider to process personal data on behalf of that processor or service provider.
Any terms not specifically defined herein have the meanings ascribed to them in the GDPR.
2. Scope of this DPA and Relationship of the Parties
This DPA applies where and only to the extent Xeworks processes any data, including Personal Data, about the End User of the Digital Property in the course of providing the Services pursuant to the Agreement (collectively “Data”).
The parties acknowledge that the Customer is a controller of the Data and that Xeworks will process the Data solely for purposes necessary to provide the Services as specified in the Agreement (“Permitted Purpose”). In no event will the parties process the Data jointly as joint controllers. Where the Customer acts as a Processor for a third-party Controller, Xeworks acts as a Sub-processor.
The Customer agrees that it shall and shall ensure that its affiliates, agents, subcontractors, processors, sub-processors, partners, customers, clients, or any other third party using the Services process and collect the Data solely for the purposes expressly permitted under the Agreement and in a manner that complies with the Applicable Data Protection Laws.
Xeworks will not (i) sell personal data, (ii) retain, use, or disclose personal data for any purpose outside the Permitted Purpose, or (iii) process personal data for its own benefit or that of any third party.
Each party shall be individually and separately responsible for complying with the obligations that apply to it under the Applicable Data Protection Laws as per the designated roles, and neither party shall be responsible for the other party's compliance with the Applicable Data Protection Laws.
3. Data Processing Obligations
General. The Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data or sensitive data to Xeworks for processing. The Customer must also ensure that no Digital Property is intended for or likely to be accessed by children under the age of 18.
The Customer shall only process the Data necessary to fulfill the Permitted Purposes defined in the Agreement and shall not repurpose, store, or retain the Data beyond the duration required under the Agreement and the Applicable Data Protection Laws.
Publisher’s Obligations. When the Customer acts as the Publisher, the following obligations shall apply:
- Requesting Consent. Given that Xeworks and Advertisers lack direct relationships with data subjects on the Digital Property, the Publisher agrees to obtain all necessary consents from relevant data subjects, on behalf of applicable Advertisers (acting as Data Controllers), to allow Xeworks and Advertisers to lawfully process Data through Xeworks Services for the Permitted Purposes and in connection with the performance of the Services. The Publisher represents and warrants that it shall maintain and make operational on Digital Properties a consent management tool to obtain and record such consent and enable withdrawal of consent in accordance with the Applicable Data Protection Laws.
- Consent Signals. The Publisher shall ensure that all “consent,” “no consent,” and “opt-out” signals are provided to Xeworks and its sub-processors (if any) in compliance with the Applicable Data Protection Laws.
- Notice Requirements. The Publisher shall notify data subjects about data processing practices on the Digital Property. The Publisher warrants that it will maintain a publicly accessible privacy notice on the Digital Property in compliance with the Applicable Data Protection Laws.
- Non-compliance notification. If the Publisher cannot fulfill its consent and notice obligations under the Agreement (including this DPA) regarding the Data, the Publisher shall promptly notify Xeworks.
Advertiser’s Obligations. When the Customer acts as the Advertiser, the following obligations shall apply:
- Compliance with Consent Signals. The Advertiser shall honor all “consent,” “no consent,” and “opt-out” signals transmitted in accordance with the Applicable Data Protection Laws.
Xeworks shall not transfer the personal data outside of the European Economic Area (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Laws.
Where (i) Xeworks processes personal data relating to individuals located in the European Economic Area in a territory outside of the European Economic Area that does not have adequate data protection laws (as determined by the EU Commission), or (ii) the transfer of personal data is not covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for personal data, the Standard Contractual Clauses shall be incorporated by reference into this DPA and shall apply in relation to such Personal Data.
For the purposes of the Standard Contractual Clauses:
- Customer is the “data exporter” and Xeworks is the “data importer”.
- Where Customer is a data controller, the parties choose Module Two: Transfer controller to processor as being the only applicable terms between the parties and any terms related to and references therein to Module One, Module Three and Module Four shall be deemed deleted.
- Where Customer is a data processor, the parties choose Module Three: Transfer processor to processor as being the only applicable terms between the parties and any terms related to and references therein to Module One, Module Two and Module Four shall be deemed deleted.
- In Clause 9, irrespective of the chosen Module, the Parties choose Option 2 and agree the time period shall be completed as at least 10 days in advance.
- The optional language in Clause 11(a) shall be deemed deleted.
- Clause 13(a) shall be amended as applicable depending on where the Customer is established (as identified in the Agreement).
- In Clause 17, the Parties choose Option 1 and agree that this shall be the law of the Republic of Lithuania.
- Clause 18(b) shall be deemed completed with the courts of the Republic of Lithuania.
- Annex I to the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 1 to this DPA.
- Annex II to the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 2 to this DPA.
It is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs and, accordingly, if and to the extent the SCCs conflict with any provision of the Agreement (including this DPA), the SCCs shall prevail to the extent of such conflict.
5. Sub-processing
The Customer may appoint third parties to process Data for the purposes expressly permitted under this DPA, provided that the Customer: (i) enters into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect the Data to the standard required by Applicable Data Protection Laws and this DPA; (ii) ensures the Sub-processor processes the Data strictly for the Permitted Purpose; and (iii) remains responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause the Customer to breach any of its obligations under this DPA.
6. Security Measures
The Customer shall implement and maintain appropriate technical and organizational security measures designed to protect the Data (including but not limited to Security Incidents) and to preserve the security and confidentiality of the Data. Such measures will include, at minimum, those measures described in Appendix 2 of this DPA.
Upon becoming aware of a Security Incident, the Customer shall notify Xeworks without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Xeworks, including the type of data affected, and steps taken to mitigate the Security Incident as soon as such information becomes known or available to the Customer.
7. Data Subject Rights
The parties shall, on request, provide each other with all reasonable and timely assistance (at their own expense) and co-operation in good faith to enable the other party to comply with its obligations under the Applicable Data Protection Laws, including in order to enable the other party to respond to: (i) any request from a data subject to exercise any of its rights under the Applicable Data Protection Laws in connection with the processing of the Data; (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data.
Each party shall promptly inform the other if it receives any such request directly in relation to the Data and the parties shall cooperate in good faith as necessary to respond to such.
8. General
Survival. The obligations placed upon the Customer under this DPA (including, to the extent applicable, the SCCs) shall survive so long as the Customer and/or its sub-processors process Personal Data on behalf of Customer. The provisions contained in this DPA and its appendixes that by their context are intended to survive termination or expiration will survive.
Governing Law. This DPA is governed by the law which governs the Agreement and any dispute between the parties is to be handled as set out in the Agreement, unless required otherwise by the Applicable Data Protection Laws or the SCCs.
Severability. If any part of this DPA is held unenforceable, the DPA will be interpreted with the unenforceable portion of the DPA deleted, and the validity of all remaining parts will not be affected.
Appendix 1
Annex A. List of parties
Data Exporter:
Name: Customer as a party identified in the Agreement.
Activities relevant to the data transferred: See Annex B below.
Role (controller/processor): Controller or processor
Data Importer:
Name: Xeworks as a party identified in the Agreement.
Address: As set out in the Agreement.
Activities relevant to the data transferred: See Annex B below.
Role: Processor or sub-processor
Categories of data subjects whose personal data is transferred: End User of the Digital Property
Categories of personal data transferred: personal data required for performance of the Services pursuant to the Agreement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): continuous basis depending on the Customer’s use of the Services.
Purpose, nature and subject matter of processing: Xeworks is a processor or sub-processor (if applicable) and will process personal data as necessary to perform the Services pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: the duration of the data processing under this DPA is until the termination of the Agreement.
Retention period (or, if not possible to determine, the criteria used to determine that period): the Services has different retention/deletion periods for different types of data and settings, but in no event is personal data retained longer than is necessary for the purposes of processing.
Annex C. Competent supervisory authority
The competent supervisory authority, in accordance with Clause 13 of the SCCs will be determined in accordance with the Applicable Data Protection Laws.
Appendix 2
Technical and organisational measures including technical and organisational measures to ensure the security of the data
Description of the technical and organisational measures implemented by the data importer to ensure an appropriate level of security, confidentiality, and integrity of personal data processed. In all cases, the data importer uses various security technologies and procedures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. For example:
- Pseudonymisation and Encryption of Personal Data
  - Personal data is pseudonymized and/or encrypted where possible to mitigate risks in case of unauthorized access.
- Confidentiality, Integrity, Availability, and Resilience
  - Processing systems and services maintain ongoing confidentiality, integrity, availability, and resilience.
  - Redundancy and failover systems are in place to ensure business continuity.
  - Regular system audits detect and prevent unauthorized access or data breaches.
- Restoration of Availability and Access
  - Backup procedures are implemented to ensure data can be restored in a timely manner in the event of a physical or technical incident.
  - Backup data is securely stored and tested regularly to verify the integrity of restoration processes.
- Regular Testing and Assessment of Security Measures
  - Regular penetration tests and vulnerability assessments are conducted to evaluate the effectiveness of security controls.
- Protection of Data During Storage
  - Personal data processed in connection with the Services will not contain any sensitive personal information about the End User of the Digital Property, and will be limited in scope and cannot be directly identified with a natural person.
  - Personal data is only accessible by personnel with a need-to-know basis, and such access is granted only for the purpose of providing the Services.
- System Configuration and Default Settings
  - Default configurations of software and systems are securely set. Regular configuration reviews are performed to maintain system security.
- Data Minimisation
  - Personal data is processed only to the extent necessary for the performance of the Services.
  - Data is anonymized or aggregated where feasible to reduce exposure to unnecessary risk.
- Limited Data Retention
  - Personal data is not retained for longer than necessary to fulfill the purpose for which it was collected.