DATA PROCESSING ADDENDUM

This Data Processing Addendum ("DPA") is entered into between the Customer (hereinafter referred to as "Advertiser," being the entity signing the underlying agreement) and BuySellAds.com, Inc. (hereinafter "BuySellAds" or BuySellAds' affiliates).

Background

Provider provides certain services in accordance with the Agreement (the “Services”). This DPA governs the processing of Personal Data by Provider, in the course of providing the Services.  Customer enters into this DPA on behalf of itself and, to the extent required under applicable data protection laws and relevant to the Services, in the name and on behalf of its affiliates.

1. Definitions. All capitalized terms used in this DPA shall have the meanings given to them below: "processing" ("process", "processes" and "processed" shall be interpreted accordingly) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, creation, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
   
   "Personal Data" means any information relating to an identified or identifiable natural person processed by Provider in the course of providing the Services. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
   
   
2. Data Protection Obligations
   
   1. Compliance with Laws. Provider shall comply with applicable data protection laws, rules and regulations applicable to its role and scope of responsibility with respect to the processing of Personal Data under the Agreement and this DPA.
   2. Instructions. Provider shall only process Personal Data on behalf of Customer and in compliance with its documented instructions (which shall notably be deemed to include an instruction to use the Personal Data as necessary for Provider to perform its obligations under the Agreement, unless such instruction is amended in writing by the Customer) and this DPA.  Provider warrants that that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from Customer and its obligations under this DPA and that, in the event of a change in this legislation which is likely to have an adverse effect on the warranties and obligations provided under this DPA, it will notify the change to Customer as soon as it becomes aware of it, in which case Customer shall be entitled to suspend the processing of Personal Data by Provider and/or terminate all or part of the Agreement immediately, at no cost and as of right, without prejudice to its other rights and remedies. If the Partner engages in the dissemination of marketing messages via SMS, the Partner is solely responsible for ensuring and facilitating the necessary mechanisms for recipients to opt-in and opt-out as required by applicable law. BuySellAds shall bear no liability for the Partner's failure to implement these mechanisms accurately and in accordance with the relevant legal and regulatory requirements.
   3. Access and Use. Provider shall not process Personal Data for any purpose other than to perform the Services and comply with this DPA.  Without prejudice to the generality of the foregoing, Provider shall treat Personal Data as confidential information and shall not copy, use, reproduce, display, perform, sell, modify, destroy or transfer any Personal Data, works derived from Personal Data or anything that includes Personal Data, to any third party (including affiliates), except as otherwise expressly set out in this DPA or permitted by Customer in writing.
   4. Limited disclosure. Provider shall not disclose (and not allow its employees, agents or representatives to disclose) Personal Data to any person except as necessary to perform the Services or with Customer’s prior written consent. Provider shall further ensure that access to Personal Data to perform the Services will be granted only on a strict need-to-know basis.   Provider shall properly advise and train each of its employees, agents and representatives who process Personal Data on data protection principles, obligations of Provider under this DPA and applicable law. Provider also warrants that any person acting under its authority and having access to Personal Data for the provision of the Services shall process them according to Customer’s instructions only.
   5. Notification of Customer in case of disclosure requests / questions. Provider shall notify Customer without delay upon  – and in any event no later than twenty-four (24) hours after – becoming aware of: (i) any request, order, demand, warrant or other document for the disclosure of and/or access to Personal Data by a law enforcement authority unless otherwise prohibited under applicable law, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; (ii) any request, order or inspection activity by a data protection authority or other competent authority relating to Personal Data; or (iii) any request, complaint or question received from individuals in relation to their Personal Data, such as requests for access, rectification, portability or deletion of their Personal Data. Provider shall not respond independently to any such questions, complaints and/or requests, unless otherwise expressly agreed in writing by Customer.
   6. Assistance to Customer. Provider shall assist Customer, through appropriate technical and organizational measures, in the fulfillment of its obligations under applicable data protection laws, including in responding and acting upon requests  from individuals to exercise their rights of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or right not to be subject to an automated individual decision making.
   7. Notification of data breaches. Provider shall notify Customer without delay upon – and in any event no later than twenty-four (24) hours after – becoming aware of any breach of security leading to the accidental, unauthorized or unlawful destruction, loss, damage, alteration, disclosure of, or access to, Personal Data. Provider shall provide to Customer all data and details relating to such breach and provide any necessary assistance to enable Customer to remedy any such breach, and shall do so in a timely manner. In particular, and without prejudice to any other right or remedy available to Customer, following discovery of a breach, Provider shall, at its own costs and expenses, promptly take: (i) corrective action to mitigate any risks or damages involved with such breach and to protect the Personal Data from any further compromise; and (ii) any other actions that may be required by applicable law as a result of such breach, subject to Customer’s prior written approval.
   8. Deletion. Upon expiration or termination of the Agreement, for whatever reason, Provider shall destroy all Personal Data and copies thereof (or, at the choice of Customer, return all such Personal Data to Customer) and certify to Customer in writing that neither it nor any person or legal entity it gave access to Personal Data in accordance with this DPA holds or has access to any such Personal Data anymore. Where legislation imposed upon Provider prevents it from returning or destroying all or part of the Personal Data, Provider shall keep the Personal Data confidential, cease actively processing it, and destroy it as soon as legally allowed and provide a written certification of the same to Customer.
   9. Inspections. Provider shall make available to Customer all information necessary to demonstrate compliance with this DPA. Further, Customer, or an independent auditor selected by Customer bound by a duty of confidentiality or a data protection authority with jurisdiction over Customer or, where relevant, Customer’s affiliates’ activities, shall be entitled to conduct an audit of Provider’s (and/or any of its subcontractors’) data processing facilities to ensure compliance with this DPA. Such audits shall be performed during normal business hours and in a way that does not interfere with normal business activities of Provider and, where relevant, Provider’s subcontractors. In the event that such an audit reveals that Provider is not compliant with its obligations under this DPA, Provider shall promptly bring itself into compliance and pay reasonable costs associated with the audit, without prejudice to any other right or remedy available to Customer.
   10. Subcontracting. Provider shall be allowed to engage a subcontractor for carrying out specific Personal Data processing activities, subject to the following: (i) Provider shall only retain subcontractors that Provider reasonably expects to appropriately protect the privacy, confidentiality and security of Personal Data; (ii) Provider shall inform Customer of any intended changes concerning the addition or replacement of subcontractors, thereby giving Customer the opportunity to object to such changes; (iii) Provider shall impose on its subcontractor(s), by way of a written agreement, the same obligations as are imposed on Provider under this DPA; (iv) Provider shall keep a list and a copy (in which commercial information may be removed) of all such subcontracting agreements, which shall be made available to Customer upon request and allow Customer to share the same to competent data protection authorities as necessary to comply with applicable law; and (v) Provider shall at no charge to Customer, actively monitor, regularly audit and, where applicable, take steps to enforce compliance of subcontractors with their obligations, reporting promptly to Customer any detected or reported non-compliance and all actions taken to remedy the same.  If a subcontractor fails to remedy non-compliance within a reasonable time after notice from Customer, Customer shall be entitled, without prejudice to any other right or remedy, to require Provider to cease using the corresponding subcontractor and resume the provision of that part of the Services itself as per the Agreement. In any event, Provider remains fully liable to Customer for the performance of its subcontractor’s obligations.
   11. Cross-Border Data Transfers. Provider acknowledges that some data protection laws may require that additional measures be taken to secure transfers of Personal Data outside the country or region the Personal Data originates from. In such a case, Provider shall assist Customer and, where relevant, Customer’s affiliates, in implementing these additional measures and, for instance, enter into separate agreements, where and as mandated under applicable data protection law. Without limiting the generality of the foregoing, Provider shall not transfer any Personal Data subject to the data protection laws of the European Union outside the European Union or a country deemed adequate by the European Commission, without relying, for the entire duration of such transfer, on: (i) an agreement strictly based on the European Commission Decision of 5 February 2010 entered into with Customer and/or Customer’s affiliates; or (ii) if agreed by Customer, an alternate mechanism in accordance with the legislation of the European Union. In the event that any transfer mechanism under the data protection laws of the European Union is determined by the European Court of Justice or another organism of the European Union not to be adequate, Provider shall, as soon as possible, adopt an appropriate alternative transfer mechanism. In the event that Provider fails to adopt an alternative transfer mechanism within one (1) month of the invalidation decision by the European Union organism, Customer may terminate the Agreement, at no cost, as of right and without prejudice to Customer’s other rights and remedies under the Agreement. In any case, Customer and Provider agree that, in relation to transfer and processing of any Personal Data, the terms of the transfer mechanisms used (e.g., separate agreement(s)) will prevail over those of the Agreement and this DPA in case of inconsistency.
3. Security. Provider shall implement appropriate physical, technical and organizational measures to protect Personal Data against accidental or unauthorized loss, theft, alteration, damage, disclosure, access or other processing, in particular where the processing involves the transmission of Personal Data over a network, and against all forms of unlawful processing. Such measures shall ensure a level of security appropriate to the risk, including inter alia as appropriate: (i)  the pseudonymisation and/or encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii)  the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) the protection against viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents, or programs, including code that is intended to or has the effect of misappropriating, commandeering, or disrupting access to or use or operation of any information, device, or system; and (v) a process for regularly testing, assessing and evaluating the effectiveness of technical, physical and organizational measures for ensuring the security of the processing. Provider shall in any event comply with data security documentation that Customer may provide, from time to time.
4. Liability. Notwithstanding anything to the contrary in this DPA or in the Agreement, the liability of Provider for any breach of this DPA shall not be subject to the limitations of liability provisions included in the Agreement, if any.
5. Miscellaneous
   1. The Parties acknowledge and agree that the activities performed by Provider under this DPA do not involve any right to specific compensation other than that compensation owed to Customer for the supply of Services in accordance with the Agreement.
   2. This DPA sets out the entire agreement and understanding between Customer and Provider with respect to the processing of Personal Data by Provider for the purpose of providing the Services and supersedes all other agreements made between Customer and Provider on the same subject matter. In case of conflict between the Agreement and this DPA, the terms of this DPA shall prevail.
   3. Except as mandated under applicable data protection laws, any dispute relating to this DPA shall be governed by and interpreted in accordance with the law of the country and subject to the jurisdiction referred to in the Agreement.