This Data Processing Agreement (the “DPA”) defines the roles and responsibilities of Publisher and Smartie Pants for their respective processing of personal data and is integral part of all business terms agreed between the Parties, including but not limited to Smartie Pants terms of service, any service specific terms and/or additional terms (collectively “the Terms”). The DPA shall override any other terms and any deviation thereof if and to the extent there is any conflict or inconsistency and shall survive the termination of all agreements between Publisher and Smartie Pants.

I. PARTIES
1. Publisher and Smartie Pants as defined in the Terms.
II. AGREED TERMS
2. Definitions and interpretation

For the purposes of this DPA, the terms defined below shall have the following meanings.

Words set out in These Terms starting with capital letters shall have the following meaning:

Data Protection Legislation means: (i) the European Union (EU) General Data Protection Regulation (GDPR) as revised and superseded from time to time; (ii) EU Directive 2002/58/EC as updated by EU Directive 2009/136/EC; and (iii) any other laws and regulations relating to the processing of personal data which apply to a party and, if applicable, the guidance and codes of practice issued by the relevant data protection or supervisory authority.

EEA means the European Economic Area.

Controller and Processor (or equivalent terms) have the meanings set forth under Data Protection Law.

Personal Data means all personal data that is processed by the parties pursuant to or in connection with the Terms/

EU SCCs means the European Standard Contractual Clauses of EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021, incorporated by reference into this DPA and specified in Annex C.

Adequate Country means a country that is recognized by the European Commission providing adequate protection for Personal Data.

Adequacy Decision means a European Commission Decision that a third country or an international organization ensures an adequate level of data protection as defined in Data Protection Law.

Appropriate Safeguards means the standard of protection over the personal data and of data subjects’ rights, which is required by Data Protection Law when parties are making a third country transfer relying on standard data protection clauses Data Protection Law.

Business Purposes means the execution of the Terms or any other purpose specifically defined by Publisher in Annex A.

Data Subject: the end user who is the subject of Personal Data and whose Personal Data is processed under this DPA (can be referred to as ‘End User’).

Lowercase terms used but not defined in this DPA such as “personal data”, “personal data breach”, “processing”, “data subject request” have the meanings set out in the Data Protection Law.

3. This DPA is incorporated into the Terms. Interpretations and defined terms set forth in the Terms of Service apply to the interpretation of this DPA.

4. Any Annexes to this DPA form a part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.

5. The DPA includes the following Annexes:

Annex A: Data Processing Details and List of sub-processors.

Annex B: Technical and organizational measures description.

Annex C: Specification of the EU SCCs

6. In the case of conflict or ambiguity between:

  1. any provision contained in the body of this DPA and any provision contained in any Annex hereto, the provision in the body of this DPA will prevail;
  2. any of the provisions of this DPA and the provisions of the Terms of Service, the provisions of this DPA will prevail.
III. Personal Data processing

7. Publisher and Smartie Pants acknowledge and agree that for the purpose of the Data Protection Legislation:

  1. Smartie Pants processes Personal Data provided by Publisher in the capacity of a Processor in relation to the Publisher’s use of Services. Publisher is a Controller and will provide or make available to Smartie Pants the Personal Data through various means, such as for example Smartie Pants’s SDK.
  2. In some circumstances, Smartie Pants may process and aggregate some of the Personal Data provided by Publisher with data received from other sources (including Mediation platforms and other data providers), provided that such processing is compatible with the Publisher’s expectations and needs. Smartie Pants warrants that such processing is compliant with the Data Protection Legislation, and this DPA, and Publisher hereby authorizes such processing.
IV. OBLIGATIONS OF THE PARTIES

8. Smartie Pants’s obligations as a Processor

  1. Smartie Pants will only process the Personal Data to the extent and in such a manner as is necessary for the Business Purposes and this DPA. Smartie Pants will also process Personal Data in accordance with the Publisher's written instructions, if applicable. Smartie Pants will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or Data Protection Legislation.
  2. Smartie Pants will promptly comply with any of Publisher’s requests requiring Smartie Pants to rectify, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorized processing. Smartie Pants will promptly notify Publisher if, in its opinion, Publisher’s instructions would not comply with Data Protection Legislation.
  3. Smartie Pants shall keep Personal Data confidential and will ensure its staff and Sub-processors are bound by the same confidentiality obligation. If a law, court, regulator, or supervisory authority requires Smartie Pants to disclose Personal Data, Smartie Pants will first inform Publisher of the legal or regulatory requirement and give the Smartie Pants an opportunity to object or challenge the requirement unless the law prohibits such notice.
  4. Smartie Pants will reasonably assist Publisher with meeting Publisher's compliance obligations under Data Protection Legislation, taking into account the nature of Smartie Pants's processing and the information available to Smartie Pants, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.

9. Publisher’s obligations as the Controller

  1. Publisher represents and warrants that it has taken all the required measures to ensure that Smartie Pants may lawfully process the Personal Data in accordance with the applicable Data Protection Legislation. Publisher is independently responsible for complying with Data Protection Legislation, providing all necessary disclosures, notices, and obtaining all required consents, as applicable.
V. DATA PROTECTION

10. Smartie Pants will implement appropriate technical and organizational measures (‘TOMs’) against unauthorized or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display, or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data. The list of such measures is provided in Annex B.

VI. PERSONAL DATA BREACHES

11. Smartie Pants will immediately and without undue delay notify Publisher if it becomes aware of

  1. any accidental, unauthorized, or unlawful processing of the Personal Data; or
  2. any Personal Data Breach.

12. Immediately following any unauthorized or unlawful Personal Data processing or Personal Data Breach, the Parties will coordinate with each other to investigate the matter. Smartie Pants will reasonably cooperate with Publisher in Publisher’s handling of the matter.

PERSONAL INFORMATION

Prior to creating an account on the Platform, we encourage you to read our Privacy Notice about how and why we process personal information you provide us with when registering on the Platform.

We may also process personal information of ЕndUsers on your behalf as part of our Services. In such cases, the DataProcessing Addendum, incorporated herein by reference shall apply.

VII. INTERNATIONAL TRANSFERS OF PERSONAL DATA

13. Smartie Pants may process Processed Data globally as necessary to perform the services under the Terms. To the extent such global access involves a third country transfer of Personal data subject to cross-border transfer obligations under Data Protection Legislation, the Parties agree that such Personal Data may only be transferred, if:

  1. the transfer is to a jurisdiction for which an appropriate EU Adequacy Decision has been issued and subject to the terms of that Adequacy Decision;
  2. in the absence of an Adequacy Decision, the transfer is subject to Appropriate Safeguards.
VIII. SUB-PROCESSORS

14. Publisher generally agrees that Smartie Pants may engage third party providers with regards to the Processed Data (“Sub-processors”). Smartie Pants will maintain the list of engaged sub-processors (Annex A) updated via email or in the dashboard notifications on the Smartie Pants Platform, and which Publisher shall read and review to receive the updated information.

15. Publisher may object to the intended engagement of such new Sub-processor by notifying Smartie Pants within 10 (ten) business days of the notification, provided that such objection must be on reasonable, substantial grounds, directly related to such new Sub-processor’s ability to comply with substantially similar obligations to those set out in this DPA. If Publisher does not object, the engagement of the new Sub-processor shall be deemed accepted by Publisher. Smartie Pants shall ensure that the contract with each new Sub-processor shall impose obligations on the new Sub-processor that are substantially equivalent to the terms of this DPA.

IX. DATA SUBJECT REQUESTS

16. Smartie Pants must not disclose the Personal Data to any Data Subject or to a third party other than at the Publisher's request or instruction, as provided for in this DPA or as required by law.

X. RETURN AND DELETION OF PERSONAL DATA

17. Smartie Pants will cease any processing and delete and/or return if directed in writing by Publisher, all or any Personal Data related to this DPA upon (i) instruction from Publisher in connection with the Services; or (ii) written request of Publisher in connection with the termination of the Terms for any reason or expiry of the term.

18. In the event Publisher requests the deletion of any Personal Data in connection with 17 (i), Smartie Pants shall assess such request and shall promptly inform Publisher if compliance with the deletion request is likely to impair or prevent the performance of the Services under the Terms. In such cases, Smartie Pants shall not be held liable for any disruption, degradation, or failure of the Services resulting directly from the deletion of the Personal Data as requested by Publisher.

19. If any law, regulation, or government or regulatory body requires Smartie Pants to retain any documents or materials that Smartie Pants would otherwise be required to return or destroy, it will notify Publisher in writing of that retention requirement.

XI. AUDITS

20. Smartie Pants shall, in accordance with Data Protection Legislation, make available to Publisher any information as is reasonably necessary to demonstrate Smartie Pants's compliance with its obligations as a data processor under the Data Protection Legislation.

XII. TERM AND TERMINATION

21. This DPA will remain in full force and effect so long as the Terms remain in effect.

22. Any provision of this DPA that expressly should come into or continue in force on or after the termination of the Terms in order to protect Personal Data will remain in full force and effect.

23. If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements.

Annex A
Details of processing

Purpose of Processing: Provision of the services under the Terms

Publisher’s Business Purpose: Improving the services and user experience; Optimizing Publisher’s revenue.

Nature of Processing: Analysis of End Users’ data 

Frequency and Duration of Processing: Ongoing for the duration of the Terms

Data subjects’ categories: Publisher’s End Users

Categories of data for Processing: The Personal Data processing is based on technical documentation and includes the following categories: End User Data, Application Data, Impression Data, Device Data.

Frequency of transfers in case of international transfers: on a continuous basis, in accordance with the Publisher’s purpose(s) and Business purpose.

Subject matter, nature and duration of the processing by sub-processors: The subject matter, nature and duration of the processing is indicated and specified in the relevant agreement with the sub-processor that Smartie Pants engages for Business purpose. 

For processing by (sub-)processors, also specify subject matter, nature and duration of the processing: the same as above

List of sub-processors:

Sub-processor Location of Personal data Sub-processing Services Provided
Microsoft Azure USA Data storage
Snowflake USA Data storage, analytics
Amazon Web Services USA Infrastructure hosting
MongoDB USA Data storage, backup
Google USA Data warehouse, analytics, data quality management
Astrato USA Dashboards
Firebase USA Application development
Annex B
Technical and organizational measures description

Applicable standards and controls. Smartie Pants adheres to the principles of integrity, availability and confidentiality of the information (and Personal Data as its integral part) it processes in line with international industry standards and applicable law requirements.

Standards and normative requirements. Smartie Pants management is maintained in accordance with the lead industry standards. To maintain the ISMS and the Data protection framework, Smartie Pants implements policies, processes, enforcement measures and controls governing all storage/processing/transmitting of Personal Data, designed to:

  1. secure Personal Data against accidental or unlawful loss, access or disclosure;
  2. identify reasonably foreseeable risks to security and authorized access to personal data; and
  3. minimize security risks, including through risk assessment and regular testing.

Smartie Pants actively follows information security trends and developments as well as legal developments with regards to the services provided and especially with regards to Personal Data and uses such insights to maintain its ISMS and Data protection framework, considering privacy by design and by default.

Policies and Procedures. Smartie Pants's framework is based on its policies that are regularly reviewed and maintained, and disseminated to all relevant parties, including all personnel. The policies and derived procedures clearly define information security responsibilities.

Anti-malware protection. Smartie Pants has installed and maintains a firewall configuration to protect Personal Data that controls all traffic allowed between Smartie Pants's (internal) network and untrusted (external) networks, as well as traffic into and out of more sensitive elements of its internal network. This includes current documentation, change control and regular reviews.

Firewalls. The firewalls are used to protect Smartie Pants’s internet connection as a first line of defense against an intrusion from the Internet. 

Implementation of Access Control Measures. Smartie Pants restricts access to Personal Data to businesses’ need to know to ensure that critical data can only be accessed by authorized personnel.

Internal training, privacy awareness and personnel confidentiality arrangements.

Annex C
Specification of the EU SCCs

To the extent legally required, by signing this DPA, Publisher and Smartie Pants are deemed to have signed the EU SCCs as an additional safeguard, which form part of this DPA and will be deemed completed as follows:

Module 2 of the EU SCCs applies to transfers of Personal Data from Publisher (as a Controller) to Smartie Pants (as a Processor).

Clause 7 of the EU SCCs (the optional docking clause) is included.

Under Clause 9 of the EU SCCs, the Parties select Option 2 (General written authorization). Smartie Pants shall specifically inform Publisher in writing of any intended changes to the list through the addition or replacement of sub-processors at least 10 (ten) business days in advance, thereby giving Publisher sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s).

Under Clause 11 of the EU SCCs, the optional language requiring that Data Subjects are permitted to lodge a complaint with an independent dispute resolution body shall be deemed to be included.

Under Clause 17 of the EU SCCs, the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the laws of Bulgaria.

Under Clause 18 of the EU SCCs (Choice of forum and jurisdiction), the Parties select the courts of Bulgaria.

Annex I(A) and I(B) is completed as set forth in Annex A.

Under Annex I(C), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Bulgarian Data Protection Commission.

Annex II is completed as provided in Annex B.

Annex III is completed as provided in Annex 1 of this DPA for clarity.