Data Processing Agreement

Updated February 2026

Unless otherwise indicated, all capitalized terms used but not defined in the Master Services Agreement (“Agreement”) and this  Data Processing Agreement (“DPA“) have the meanings given to them in applicable Data Protection Law. 

The parties agree that for the purposes of this DPA, Publisher is a Data Controller and Freestar is a Data Processor. 

1. Definitions 

These terms mean the following: 

a. Data Protection Laws: All applicable laws, standards and regulations governing the Processing of Personal Data, as may be amended or enacted from time to time, including but not limited to: the EU General Data Protection Regulation 2016/679 (“GDPR”); the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CCPA”); the Maryland Online Data Privacy Act (“MODPA”); and any additional federal, national, or state-level data protection and privacy laws as they come into effect.

b. Personal Data: “Personal Data” means any information that relates to an identified or identifiable natural person and  shall have the same meaning as defined by Data Protection Laws that Freestar processes on behalf of Publisher.  Personal Data does not include information that is aggregated or de-identified in accordance with applicable laws and  guidance. 

c. Process, Processing or Processed: Any operation that is performed upon Personal Data, whether or not by automatic  means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use,  disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure,  or destruction. 

d. Security Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized  disclosure of, or access to, or unauthorized denial of access to Personal Data.  

2. Security 

Freestar will implement appropriate technical and organizational measures to ensure a level of security appropriate to  Personal Data provided by Publisher and Processed by Freestar. Such security measures will be at least as protective as the  security requirements set forth in the Agreement and the DPA. 

3. Sub-processors 

1. Authorization and Notification. Publisher provides a general written authorization for Freestar to engage other Processors (“Sub-processors”) to provide the Services. Freestar shall maintain an up-to-date list of its Sub-processors, which shall be made available to the Publisher upon request. For informational purposes, this list is also published at https://freestar.com/privacy-policy/, which Freestar periodically updates. Freestar shall provide Publisher with at least ten (10) days’ prior written notice of any intended additions or replacements to the list of Sub-processors, giving the Publisher an opportunity to object to such changes.
2. Sub-processors as Independent Controllers. Publisher acknowledges and agrees that certain Sub-processors, particularly those providing services related to security, fraud prevention, advertising measurement, and reporting, may Process Personal Data as an independent Controller for their own specified and limited purposes (the “Permitted Sub-processor Purposes”). Publisher hereby instructs and authorizes Freestar to disclose Personal Data to such Sub-processors for the Permitted Sub-processor Purposes. Publisher understands that when a Sub-processor is processing Personal Data for its own Permitted Sub-processor Purposes, it is not acting as Freestar’s Sub-processor, and that such Processing is governed by that Sub-processor’s own legal, privacy, and security terms.

4. Applicable Law 

Freestar represents and warrants that it is in compliance with all applicable Data ProtectionLaws. 

5. Instructions from the Publisher 

Notwithstanding anything in the Agreement to the contrary, Freestar will only Process Personal Data on documented  instructions from Publisher, unless required to do so by applicable law. Freestar will promptly inform Publisher if following Publisher’s instructions would result in a violation of applicable data protection law or where Freestar must disclose  Personal Data in response to a legal obligation (unless the legal obligation prohibits Freestar from making such disclosure).  For avoidance of doubt, Publisher’s documented instructions include the Agreement and this DPA. Without limiting the  foregoing: 

a. Freestar will not Process the Personal Data outside the direct business relationship with Publisher.

b. Freestar will not “sell” or “share” Personal Data, as such terms are defined in the CCPA. For clarity, Freestar’s  transmission of the Personal Data to third-parties to provide the Services and/or as directed by Publisher (including  directions that Publisher relays by enabling certain third parties to process Personal Data on its website or properties)  shall not be considered a sale or share by Freestar.

c. Freestar hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply  with them. 

d. Freestar will not use Personal Data in or in connection with any activities which involve or are intended to result in the training of artificial intelligence or machine learning algorithms, models, or any other similar technology (“AI Tech”) or for generating new or derivative content using such AI Tech, without the express prior written consent of the Publisher.

6. Confidentiality 

Freestar will restrict access to Personal Data to those authorized persons who need such information to provide the  Services. Freestar will ensure such authorized persons are obligated to maintain the confidentiality of any Personal Data.  

7. Sub-processor Obligations 

Where Freestar engages a Sub-processor for carrying out specific Processing activities on behalf of Publisher, Freestar will  impose data protection obligations that are at least as restrictive as set out in this DPA by way of a contract or other legal  act under the applicable law, in particular providing sufficient guarantees to implement appropriate technical and  organizational measures in such a manner that the Processing will meet the requirements of the applicable Data Protection  Law. Where that Sub-processor fails to fulfill its data protection obligations, Freestar will remain fully liable to Publisher for  the performance of that Sub-processor’s obligations. 

8. Data Subject Requests 

To the extent legally permitted, Freestar shall promptly notify Publisher if Freestar receives any requests from an individual  seeking to exercise any rights afforded to them under applicable law regarding Personal Data. Freestar has implemented  and will maintain appropriate technical and organizational measures needed to enable Publisher to respond to requests  from data subjects to access, correct, transmit, limit processing of, or delete any relevant Personal Data held by Freestar. 

9. Recordkeeping 

Upon a request issued by a supervisory authority for records regarding Personal Data, Freestar will cooperate to provide  the supervisory authority with records related to Processing activities performed on Publisher’s behalf, including  information on the categories of Personal Data Processed and the purposes of the Processing, the use of service providers  with respect to such Processing, any data disclosures or transfers to third parties and a general description of technical and  organizational measures to protect the security of such data. 

10. Cooperation 

Freestar will cooperate to the extent reasonably necessary in connection with Publisher’s requests related to data  protection impact assessments and consultation with supervisory authorities and for the fulfillment of Publisher’s  obligation to respond to requests for exercising a data subject’s rights afforded by applicable law or any applicable data  protection authority. Freestar reserves the right to charge Publisher for its reasonable costs in collecting and preparing  Personal Data for transfer and for any special arrangements for making the transfer. 

11. Third Party Requests 

If Freestar receives a request from a third party in connection with any government investigation or court proceeding that  Freestar believes would require it to produce any Personal Data processed pursuant to the Agreement, Freestar will inform  Publisher in writing of such request and cooperate with Publisher if Publisher wishes to limit, challenge or protect against  such disclosure, to the extent permitted by applicable law. 

12. Transfer of Personal Data; Appointment 

Publisher authorizes Freestar to transfer, store or Process Personal Data in the United States or any other country in which  Freestar or its Sub-processors maintain facilities. Publisher appoints Freestar to perform any such transfer of Personal Data  to any such country and to store and Process Personal Data in order to provide the Services. Freestar will conduct all such  activity in compliance with the Agreement, this DPA, applicable law and Publisher’s instructions. 

13. Data Transfers Outside of the EU. 

a. For purposes of this DPA “2021 Standard Contractual Clauses,” means the clauses issued pursuant to the EU  Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of  personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council,  available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described herein. 

b. For purposes of this DPA “UK Standard Contractual Clauses” means the International Data Transfer DPA to the EU  Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/for organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data transfer-agreement-and-guidance/), completed as set forth in “Data Transfers” below. 

c.  To the extent legally required and when a legal derogation or a data transfer framework does not apply, with respect  to Personal Data transferred from the EEA and Switzerland, the parties are deemed to have signed the 2021 Standard  Contractual Clauses, which are incorporated by reference and will be deemed completed as set forth below.

i. Where such transfer is from Publisher to Freestar, Module 2 of the 2021 Standard Contractual Clauses applies  and where such transfer is from Freestar as Processor to Publisher, Module 4 of the 2021 Standard Contractual  Clauses applies; 

ii. Clause 7 (the optional docking clause) is not included; 

iii. Under Clause 9 for Module 2 (Use of sub-processors), the parties select Option 2 (General written authorization). The process for notifying Publisher of any additions or replacements of sub-processors is governed by Section 3.1 of this DPA.

iv. Under Clause 11, the optional language does not apply; 

v. Under Clause 17, the parties choose Option 1 (the law of an EU Member State that allows for third-party  beneficiary rights). The parties select Ireland; 

vi. Under Clause 18, the parties select the courts of Ireland; 

vii. In Annex IA for Module 2, Exporter is Publisher and Controller and importer is Freestar and Processor. In Annex  IA for Module 4, Exporter is Freestar and Processor and Importer is Publisher and Controller. 

viii. In Annex IB: 

A. Categories of data subjects whose personal data is transferred: visitors to Publisher’s website or media  properties. 

B. Categories of personal data transferred: IP address, browser characteristics, device ID, and other user ID. C. Sensitive data transferred (if applicable) and applied restrictions: N/A. 

D. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): In  accordance with Publisher’s instructions. 

E. Nature of the processing: As set forth in the Agreement and DPA. 

F. Purpose(s) of the data transfer and further processing: To provide the Services as set forth in the  Agreement and DPA. 

G. The period for which the personal data will be retained, or, if that is not possible, the criteria used to  determine that period: In accordance with Publisher’s instructions and/or as set forth in the Agreement  and this DPA. 

H. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As  set forth in the Agreement and DPA. 

I. In Annex IC, the competent supervisory authority/ies shall be Ireland Data Protection Commissioner. J. Annex II shall be the security measures set forth in Exhibit B. 

d. With respect to transfers of Personal Data that are subject to the Switzerland Federal Act on Data Protection (“FADP”):

 i. References to the GDPR shall mean the FADP insofar as the data transfers are subject exclusively to the FADP. 

ii. The term “member state” shall not be interpreted to exclude data subjects in Switzerland from the possibility of  suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c). 

iii. References to personal data in the 2021 Standard Contractual Clauses also refer to data about identifiable legal  entities until the entry into force of revisions to the FADP that eliminate this broader scope. 

iv. Under Annex I(C): Where the transfer is subject exclusively to the FADP, the supervisory authority is the Swiss  Federal Data Protection and Information Commissioner. Where the transfer is subject to both the FADP and the  GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as  the transfer is governed by the FADP, and the supervisory authority is as set forth in the 2021 Standard  Contractual Clauses insofar as the transfer is governed by the GDPR. 

v. With respect to transfers of Personal Data that are subject to United Kingdom law, the UK Standard Contractual  Clauses shall form part of this DPA and take precedence over the rest of this DPA as set forth in the UK Standard  Contractual Clauses. Undefined capitalized terms used in this section 11(c)(xii) have the meaning set forth in the  definitions in the UK Standard Contractual Clauses. The UK Standard Contractual Clauses shall be deemed  completed as follows:

Table 1: the parties’ details and key contacts are set forth in the Agreement.

Table 2: the Approved 2021 Standard Contractual Clauses referenced in Table 2 shall be the 2021 Standard Contractual  Clauses as set forth in section 13 of this DPA. 

Table 3: Annexes 1A, 1B, and II are as set forth in as set forth in section 13 of this DPA. 

Table 4: Freestar may end the UK Standard Contractual Clauses as set forth in Section 19 of the UK Standard Contractual  Clauses. 

 By entering into this DPA, the Parties are deemed to be signing the UK Standard Contractual Clauses. 

14. Retention 

Personal Data received from Publisher will be retained only for so long as may be reasonably required in connection with  Freestar’s performance of the Agreement or as otherwise required under applicable law. 

15. Deletion or Return of Personal Data 

At the choice of Publisher, and upon Publisher’s written instruction, Freestar will delete or return all the Personal Data to Publisher after the end of the provision of the Services related to the processing, and delete existing copies. If Freestar is prohibited by applicable law from deleting or returning the Personal Data, it will inform Publisher of this requirement and will continue to protect the data in accordance with this DPA. Freestar will relay Publisher’s instructions to all Sub-processors. 

16. Breach Notification 

Freestar will comply with the Security Breach-related obligations directly applicable to it under Data Privacy Laws. Without  limiting the foregoing, Freestar will: 

1. notify Publisher within 48 hours after it confirms a Security Breach and without undue delay as the information  becomes available related to the Security Breach after that (and in any event at least once each day that there is new  material information). Such information shall include:
   1.  the nature of the Security Breach, including, where possible, the categories and approximate number of data  subjects concerned, and the categories and approximate number of Personal Data records concerned; 
   2.  the likely consequences of the Security Breach; and 
   3. measures taken or proposed to be taken by Freestar to address and, where appropriate, mitigate the Security  Breach. 
2. provide reasonable assistance to, and cooperation with, Publisher to (i) reduce the risk to individuals whose Personal  Data was involved and (ii) assist Publisher in providing legally required notifications to individuals or supervisory  authorities of the Security Breach. 

17. Audits and Remediation 

Upon request and to the extent legally required, Freestar will make available to Publisher all information necessary, and  allow for and contribute to reasonable audits, including inspections, conducted by Publisher or another auditor mandated  by Publisher, to demonstrate compliance with applicable Data Protection Law (“Audits”). Publisher may request Audits no  more than once every 12 months except in the event of a Security Breach. The parties will work together in good faith to  determine the scope and timing of the Audit, provided that such Audits shall be limited to Freestar’s Processing of Personal  Data on behalf of Publisher only, not any other aspect of Freestar’s business or information systems. Such audit must not  require Freestar to disclose to the Publisher or its authorized representatives any information of other Freestar Publishers,  internal accounting or financial information, trade secrets, or information that, in Freestar reasonable opinion, could  compromise the security of Freestar systems or premises or cause Freestar to breach its obligations under applicable Data  Protection Legislation or privacy obligations to third parties. Publisher must promptly provide Freestar with information  regarding any non-compliance discovered during the course of an audit. 

Publisher will provide Freestar with written notice at least 60 days in advance of such Audit. Such written notice, and  anything produced in response to it (including any derivative work product such as notes of interviews), will be considered  Confidential Information and, notwithstanding anything to the contrary in the Agreement, will remain Confidential  Information in perpetuity or the longest time allowable by applicable law after termination of the Agreement. Such  materials and derivative work product produced in response to Publisher’s request will not be disclosed to anyone without  the prior written permission of Freestar unless such disclosure is required by applicable law. If disclosure is required by  applicable law, Publisher will give Freestar prompt written notice of that requirement and an opportunity to obtain a  protective order to prohibit or restrict such disclosure except to the extent such notice is prohibited by applicable law or  order of a court or governmental agency. If, after reviewing Freestar’s response to Publisher’s Audit request, Publisher  requires additional information or Audits, Publisher acknowledges and agrees that it will be solely responsible for all costs incurred in relation to such additional Audits. Publisher has the right, upon notice to Freestar, to take reasonable and  appropriate steps to stop and remediate unauthorized use of Personal Data.

18. Security Obligations 

Freestar shall implement and maintain adequate and appropriate technical and organizational measures to protect  Personal Data against accidental, unauthorized, or unlawful Processing and against accidental loss, destruction, damage,  alteration, disclosure or access. 

Without limitation, Freestar shall: 

1. maintain a level of security appropriate to the harm that may result from any unauthorized or unlawful Processing or  accidental loss, destruction, damage, denial of service, alteration, or disclosure, and appropriate to the nature of such  Personal Data; 
2.  require its personnel to whom it provides access to Personal Data to keep such Personal Data confidential in accordance  with the Agreement, and train such personnel on cybersecurity procedures as appropriate; 
3. maintain a process for regularly assessing and evaluating the effectiveness of technical and organizational measures  for ensuring the security of Personal Data, regularly testing such measures to validate their appropriateness and  effectiveness, and implementing corrective action where deficiencies are revealed by such testing; 
4. log individuals’ access to and activities on Freestar’s internal systems containing Personal Data;
5. adhere to industry-standard password policies and practices for network security; 
6.  to the extent applicable, use multi-factor authentication for accounts with access to Personal Data (e.g., using two  different factors to authenticate such as a password and a security token or certificate);  
7.  to the extent permitted by applicable third-party systems, store and transmit Personal Data using industry-standard  encryption; 
8. logically segregate Personal Data from other systems (i.e. a “single tenant environment”), with the exception of those  systems that are dependent for the provision of the Service; and
9. document and maintain a business continuity and disaster recovery plan, including testing as appropriate, and make  an executive summary of such plan and of applicable testing results available to Publisher upon request. 

19. CCPA 

Only if applicable, the following California Consumer Privacy Act Addendum (“CCPA Addendum”) is made part of and hereby incorporated by reference into this DPA. 

CCPA Addendum  

If applicable to the service, the following terms of this CCPA Addendum govern how Freestar will treat all Personal Datasubject  to the California Consumer Privacy Act, as amended by California Privacy Rights Act (collectively, “CCPA”) that Freestar collects  pursuant to the Agreement with the Publisher.  

In the event of a conflict, this CCPA Addendum shall govern and control with respect to Personal Data subject to CCPA that  Freestar collects pursuant to the Agreement. Terms used herein have the same definitions set forth in CCPA when explicitly  defined in CCPA.  

1. Freestar shall not sell or share Personal Data it collects pursuant to the Agreement with Publisher. 

2. The Publisher is only disclosing the Personal Data to Freestar for the limited business purpose specified in the Agreement. 

3.  Freestar shall not retain, use, or disclose the Personal Data that it collected pursuant to the Agreement with Publisher for any  purposes other than those specified in the Agreement or as otherwise permitted by the CCPA and its regulations.  

4. Freestar shall not retain, use, or disclose Personal Data it collected pursuant to the Agreement with Publisher for any  commercial purpose other than those specified in the Agreement unless expressly permitted by the CCPA or its regulations.  

5. Freestar shall not retain, use, or disclose the Personal Data it collected pursuant to the Agreement with Publisher outside the  direct business relationship between Freestar and Publisher, unless expressly permitted by the CCPA or its regulations. 

6. Freestar shall comply with all applicable sections of the CCPA and its regulations, including—with respect to the Personal Data that it collected pursuant to the written contract with Publisher—providing the same level of privacy protection as required of  businesses by the CCPA and its regulations.  

7. Publisher has the right to take reasonable and appropriate steps to ensure that Freestar uses the Personal Data it collected  pursuant to the Agreement with Publisher in a manner consistent with Publisher’s obligations under the CCPA and its  regulations.  

8. Freestar shall notify Publisher after it makes a determination that it can no longer meet its obligations under the CCPA and its  regulations.  

9. Publisher has the right, upon notice, to take reasonable and appropriate steps to stop and remediate Freestar unauthorized  use of personal data.  

10. Freestar must enable the Publisher to comply with consumer requests made pursuant to the CCPA

20. Publisher Obligations

Publisher agrees that it is solely responsible for its own compliance with Data Protection Laws, including but not limited to:

a. Providing all necessary notices and obtaining all necessary rights, permissions, and consents from Data Subjects to allow Freestar and its Sub-processors to lawfully Process Personal Data for the purposes contemplated by the Agreement. This includes, without limitation, obtaining any parental consent required under laws such as the Children’s Online Privacy Protection Act (“COPPA”).

b. Ensuring its own privacy policies are accurate and provide transparency to Data Subjects. Where Publisher enables or uses services that deploy third-party technologies, such as pixels or cookies that may be facilitated by Freestar, Publisher shall update its privacy policy to include any specific language required by such third party.