January 2025

Unless otherwise indicated, all capitalized terms used but not defined in the Master Services Agreement (“Agreement“) and this Data Processing Agreement (DPA) have the meanings given to them in applicable Data Protection Law.

The parties agree that for the purposes of this DPA, Publisher is a Data Controller and Freestar is a Data Processor.

1.Definitions 

These terms mean the following:

  1. Data Protection Laws: All applicable laws, standards and regulations governing the Processing of Personal Data, as may be amended or enacted from time to time, which may include but is not limited to: the EU General Data Protection Regulation 2016/679 (GDPR); any national laws which implement the GDPR; the California Consumer Privacy Act of 2018, as  amended by California Privacy Rights Act, amendments thereto and regulations contemplated thereunder (CCPA“) and any additional global privacy laws.  
  2. Personal Data: “Personal Data” means any information that relates to an identified or identifiable natural person and shall have the same meaning as defined by Data Protection Laws that Freestar processes on behalf of Publisher.  Personal Data does not include information  that is aggregated or de-identified in accordance with applicable laws and guidance.
  3. Process, Processing or Processed:  Any operation that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
  4. Security Breach:  A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, or unauthorized denial of access to Personal Data. 

2. Security

Freestar will implement appropriate technical and organizational measures to ensure a level of security appropriate to Personal Data provided by Publisher and Processed by Freestar. Such security measures will be at least as protective as the security requirements set forth in the Agreement and the DPA.

3. Sub-processors

Publisher agrees that Freestar may engage other Processors (“Sub-processors“) to assist in providing the Services consistent with the Agreement. Freestar’s Sub-processors are listed as third-party partners in the privacy policy on Freestar’s website.  Freestar will update this Sub-processor list and Publisher is encouraged to review the privacy policy occasionally to review the updated list.  

4. Applicable Law

Freestar represents and warrants that it is in compliance with all applicable Data Protection Laws.

5. Instructions from the Publisher

Notwithstanding anything in the Agreement to the contrary, Freestar will only Process Personal Data on documented instructions from Publisher, unless required to do so by applicable law. Freestar will promptly inform Publisher if following Publisher’s instructions would result in a violation of applicable data protection law or where Freestar must disclose Personal Data in response to a legal obligation (unless the legal obligation prohibits Freestar from making such disclosure). For avoidance of doubt, Publisher’s documented instructions include the Agreement and this DPA. Without limiting the foregoing:

  1. Freestar will not Process the Personal Data outside the direct business relationship with Publisher.
  2. Freestar will not “sell” or “share” Personal Data, as such terms are defined in the CCPA.  For clarity, Freestar’s transmission of the Personal Data to third-parties to provide the Services and/or as directed by Publisher (including directions that Publisher relays by enabling certain third parties to process Personal Data on its website or properties) shall not be considered a sale or share by Freestar.
  3. Freestar hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.

6. Confidentiality

Freestar will restrict access to Personal Data to those authorized persons who need such information to provide the Services. Freestar will ensure such authorized persons are obligated to maintain the confidentiality of any Personal Data. 

7. Sub-processor Obligations

Where Freestar engages a Sub-processor for carrying out specific Processing activities on behalf of Publisher, Freestar will impose data protection obligations that are at least as restrictive as set out in this DPA by way of a contract or other legal act under the applicable law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the applicable Data Protection Law.  Where that Sub-processor fails to fulfill its data protection obligations, Freestar will remain fully liable to Publisher for the performance of that Sub-processor’s obligations.

8. Data Subject Requests

To the extent legally permitted, Freestar shall promptly notify Publisher if Freestar receives any requests from an individual seeking to exercise any rights afforded to them under applicable law regarding Personal Data.  Freestar has implemented and will maintain appropriate technical and organizational measures needed to enable Publisher to respond to requests from data subjects to access, correct, transmit, limit processing of, or delete any relevant Personal Data held by Freestar.

9. Recordkeeping

Upon a request issued by a supervisory authority for records regarding Personal Data, Freestar will cooperate to provide the supervisory authority with records related to Processing activities performed on Publisher’s behalf, including information on the categories of Personal Data Processed and the purposes of the Processing, the use of service providers with respect to such Processing, any data disclosures or transfers to third parties and a general description of technical and organizational measures to protect the security of such data.

10. Cooperation

Freestar will cooperate to the extent reasonably necessary in connection with Publisher’s requests related to data protection impact assessments and consultation with supervisory authorities and for the fulfillment of Publisher’s obligation to respond to requests for exercising a data subject’s rights afforded by applicable law or any applicable data protection authority. Freestar reserves the right to charge Publisher for its reasonable costs in collecting and preparing Personal Data for transfer and for any special arrangements for making the transfer.

11. Third Party Requests

If Freestar receives a request from a third party in connection with any government investigation or court proceeding that Freestar believes would require it to produce any Personal Data processed pursuant to the Agreement, Freestar will inform Publisher in writing of such request and cooperate with Publisher if Publisher wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable law.

12. Transfer of Personal Data; Appointment

Publisher authorizes Freestar to transfer, store or Process Personal Data in the United States or any other country in which Freestar or its Sub-processors maintain facilities. Publisher appoints Freestar to perform any such transfer of Personal Data to any such country and to store and Process Personal Data in order to provide the Services.  Freestar will conduct all such activity in compliance with the Agreement, this DPA, applicable law and Publisher’s instructions.

13. Data Transfers Outside of the EU.

    • For purposes of this DPA “2021 Standard Contractual Clauses,” means the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described herein.
    • For purposes of this DPA “UK Standard Contractual Clauses” means  the International Data Transfer DPA to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as set forth in “Data Transfers” below.
    • To the extent legally required and when a legal derogation or a data transfer framework does not apply, with respect to Personal Data transferred from the EEA and Switzerland, the parties are deemed to have signed the 2021 Standard Contractual Clauses, which are incorporated by reference and will be deemed completed as set forth below.
      1. Where such transfer is from Publisher to Freestar, Module 2 of the 2021 Standard Contractual Clauses applies and where such transfer is from Freestar as Processor to Publisher, Module 4 of the 2021 Standard Contractual Clauses applies;
      2. Clause 7 (the optional docking clause) is not included;
      3. Under Clause 9 for Module 2 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of sub-processors is provided upon request. Freestar shall update that list and provide notice to Publisher at least ten days in advance of any intended additions or replacements of sub-processors.
      4. Under Clause 11, the optional language does not apply;
      5. Under Clause 17, the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights).  The parties select Ireland;
      6. Under Clause 18, the parties select the courts of Ireland;
      7. In Annex IA for Module 2, Exporter is Publisher and Controller and importer is Freestar and Processor. In Annex IA for Module 4, Exporter is Freestar and Processor and Importer is Publisher and Controller.
      8. In Annex IB:
        1. Categories of data subjects whose personal data is transferred: visitors to Publisher’s website or media properties.
        2. Categories of personal data transferred: IP address, browser characteristics, device ID, and other user ID.
        3. Sensitive data transferred (if applicable) and applied restrictions: N/A.
        4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): In accordance with Publisher’s instructions.
        5. Nature of the processing:  As set forth in the Agreement and DPA.
        6. Purpose(s) of the data transfer and further processing: To provide the Services as set forth in the Agreement and DPA.
        7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: In accordance with Publisher’s instructions and/or as set forth in the Agreement and this DPA.
        8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As set forth in the Agreement and DPA.
        9. In Annex IC, the competent supervisory authority/ies shall be Ireland Data Protection Commissioner.
        10. Annex II shall be the security measures set forth in Exhibit B.
    • With respect to transfers of Personal Data that are subject to the Switzerland Federal Act on Data Protection (“FADP“):
      1. References to the GDPR shall mean the FADP insofar as the data transfers are subject exclusively to the FADP.
      2. The term “member state” shall not be interpreted to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
      3. References to personal data in the 2021 Standard Contractual Clauses also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
      4. Under Annex I(C): Where the transfer is subject exclusively to the FADP, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner. Where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the 2021 Standard Contractual Clauses insofar as the transfer is governed by the GDPR.
      5. With respect to transfers of Personal Data that are subject to United Kingdom law, the UK Standard Contractual Clauses shall form part of this DPA and take precedence over the rest of this DPA as set forth in the UK Standard Contractual Clauses. Undefined capitalized terms used in this section 11(c)(xii) have the meaning set forth in the definitions in the UK Standard Contractual Clauses. The UK Standard Contractual Clauses shall be deemed completed as follows:
    • Table 1: the parties’ details and key contacts are set forth in the Agreement.
    • Table 2: the Approved 2021 Standard Contractual Clauses referenced in Table 2 shall be the 2021 Standard Contractual Clauses as set forth in section 13 of this DPA.
    • Table 3: Annexes 1A, 1B, and II are as set forth in as set forth in section 13  of this DPA.
    • Table 4: Freestar may end the UK Standard Contractual Clauses as set forth in Section 19 of the UK Standard Contractual Clauses.
    • By entering into this DPA, the Parties are deemed to be signing the UK Standard Contractual Clauses.

14. Retention

Personal Data received from Publisher will be retained only for so long as may be reasonably required in connection with Freestar’s performance of the Agreement or as otherwise required under applicable law.

15. Deletion or Return of Personal Data

At the choice of Publisher, Freestar will delete or return all the Personal Data Processed in connection with the Services to Publisher after the end of the provision of such Services and delete existing copies unless applicable law requires storage of the Personal Data. Freestar will relay Publisher’s instructions to all Sub-processors.    

16. Breach Notification

Freestar will comply with the Security Breach-related obligations directly applicable to it under Data Privacy Laws. Without limiting the foregoing, Freestar will:

  1. notify Publisher within 48 hours after it confirms a Security Breach and without undue delay as the information becomes available related to the Security Breach after that (and in any event at least once each day that there is new material information).  Such information shall include:
    1. the nature of the Security Breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of Personal Data records concerned;
    2. the likely consequences of the Security Breach; and
    3. measures taken or proposed to be taken by Freestar to address and, where appropriate, mitigate the Security Breach.
  2. provide reasonable assistance to, and cooperation with, Publisher to (i) reduce the risk to individuals whose Personal Data was involved and (ii) assist Publisher in providing legally required notifications to individuals or supervisory authorities of the Security Breach.

17. Audits and Remediation

Upon request and to the extent legally required, Freestar will make available to Publisher all information necessary, and allow for and contribute to reasonable audits, including inspections, conducted by Publisher or another auditor mandated by Publisher, to demonstrate compliance with applicable Data Protection Law (“Audits“). Publisher may request Audits no more than once every 12 months except in the event of a Security Breach.  The parties will work together in good faith to determine the scope and timing of the Audit, provided that such Audits shall be limited to Freestar’s Processing of Personal Data on behalf of Publisher only, not any other aspect of Freestar’s business or information systems.  Such audit must not require Freestar to disclose to the Client or its authorized representatives any information of other Freestar clients, internal accounting or financial information, trade secrets, or information that, in Freestar  reasonable opinion, could compromise the security of Freestar systems or premises or cause Freestar to breach its obligations under applicable Data Protection Legislation or privacy obligations to third parties. Client must promptly provide Freestar with information regarding any non-compliance discovered during the course of an audit.

Publisher will provide Freestar with written notice at least 60 days in advance of such Audit.  Such written notice, and anything produced in response to it (including any derivative work product such as notes of interviews), will be considered Confidential Information and, notwithstanding anything to the contrary in the Agreement, will remain Confidential Information in perpetuity or the longest time allowable by applicable law after termination of the Agreement. Such materials and derivative work product produced in response to Publisher’s request will not be disclosed to anyone without the prior written permission of Freestar unless such disclosure is required by applicable law. If disclosure is required by applicable law, Publisher will give Freestar prompt written notice of that requirement and an opportunity to obtain a protective order to prohibit or restrict such disclosure except to the extent such notice is prohibited by applicable law or order of a court or governmental agency. If, after reviewing Freestar’s response to Publisher’s Audit request, Publisher requires additional information or Audits, Publisher acknowledges and agrees that it will be solely responsible for all costs incurred in relation to such additional Audits.  Publisher has the right, upon notice to Freestar, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

18. Deletion or Return of Personal Data

Freestar shall promptly return to Publisher or delete Personal Data in its possession or control when instructed in writing to do so by Publisher, when such Personal Data is no longer reasonably required by Freestar, and upon termination or expiration of the Agreement. In the case that Freestar is not permitted by law to destroy, delete, or return Personal Data as set forth above, it will notify Publisher in writing and shall continue to treat Personal Data in accordance with the terms of the Agreement and this Exhibit.

19. Security Obligations

Freestar shall implement and maintain adequate and appropriate technical and organizational measures to protect Personal Data against accidental, unauthorized, or unlawful Processing and against accidental loss, destruction, damage, alteration, disclosure or access.

Without limitation, Freestar shall:

  1. maintain a level of security appropriate to the harm that may result from any unauthorized or unlawful Processing or accidental loss, destruction, damage, denial of service, alteration, or disclosure, and appropriate to the nature of such Personal Data;
  2. require its personnel to whom it provides access to Personal Data to keep such Personal Data confidential in accordance with the Agreement, and train such personnel on cybersecurity procedures as appropriate;
  3. maintain a process for regularly assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of Personal Data, regularly testing such measures to validate their appropriateness and effectiveness, and implementing corrective action where deficiencies are revealed by such testing;
  4. log individuals’ access to and activities on Freestar’s internal systems containing Personal Data;
  5. adhere to industry-standard password policies and practices for network security;
  6. to the extent applicable, use multi-factor authentication for accounts with access to Personal Data (e.g., using two different factors to authenticate such as a password and a security token or certificate); 
  7. to the extent permitted by applicable third-party systems, store and transmit Personal Data using industry-standard encryption;
  8. logically segregate Personal Data from other systems (i.e. a “single tenant environment”), with the exception of those systems that are dependent for the provision of the Service; and
  9. document and maintain a business continuity and disaster recovery plan, including testing as appropriate, and make an executive summary of such plan and of applicable testing results available to Publisher upon request.

20. CCPA

If applicable, the following California Consumer Privacy Act Addendum (“CCPA Addendum”) is made part of and hereby incorporated by reference into this DPA.

CCPA Addendum 

If applicable to the service, the following terms of this CCPA Addendum govern how Freestar will treat all personal data subject to the California Consumer Privacy Act, as  amended by California Privacy Rights Act (collectively, “CCPA”) that Freestar collects pursuant to the Agreement with the Client. 

In the event of a conflict, this CCPA  Addendum shall govern and control with respect to personal data subject to CCPA that Freestar collects pursuant to the Agreement. Terms used herein have the  same definitions set forth in CCPA when explicitly defined in CCPA. 

1. Freestar shall not sell or share personal data it collects pursuant to the Agreement with Client.
2. The Client is only disclosing the personal data to Freestar for the limited business purpose specified in the Agreement. 
3. Freestar shall not retain, use, or disclose the personal data that it collected pursuant to the Agreement with Client for any purposes other than those  specified in the Agreement or as otherwise permitted by the CCPA and its regulations. 
4. Freestar shall not retain, use, or disclose personal data it collected pursuant to the Agreement with Client for any commercial purpose other than those  specified in the Agreement unless expressly permitted by the CCPA or its regulations. 
5. Freestar shall not retain, use, or disclose the personal data it collected pursuant to the Agreement with Client outside the direct business relationship  between Freestar and Client, unless expressly permitted by the CCPA or its regulations. 
6. Freestar shall comply with all applicable sections of the CCPA and its regulations, including—with respect to the personal data that it collected  pursuant to the written contract with Client—providing the same level of privacy protection as required of businesses by the CCPA and its regulations. 
7. Client has the right to take reasonable and appropriate steps to ensure that Freestar uses the personal data it collected pursuant to the Agreement  with Client in a manner consistent with Client’s obligations under the CCPA and its regulations. 
8. Freestar shall notify Client after it makes a determination that it can no longer meet its obligations under the CCPA and its regulations.
9. Client has the right, upon notice, to take reasonable and appropriate steps to stop and remediate Freestar unauthorized use of personal data.
10. Freestar must enable the Client to comply with consumer requests made pursuant to the CCPA