Watch Zeta Live Sessions On-Demand. >>

Zeta DSP Terms of Use

BY ACCEPTING THESE TERMS OF USE, EITHER BY CLICKING A BOX ONLINE INDICATING YOUR ACCEPTANCE, OR BY EXECUTING A MASTER SERVICES AGREEMENT OR ORDER THAT REFERENCES THESE TERMS OF USE, OR BY USING THE SERVICES, YOU AGREE TO ALL OF THE TERMS AND CONDITIONS SET FORTH IN THESE TERMS OF USE. IF YOU ARE ACCEPTING THESE TERMS OF USE ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS OF USE, IN WHICH CASE THE TERMS “YOU” OR “YOUR” SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES; PROVIDED, THAT IF YOUR COMPANY HAS SEPARATELY EXECUTED A MASTER SERVICES AGREEMENT OR ORDER WITH ZETA DSP AND YOU ARE AUTHORIZED BY SUCH COMPANY TO CREATE A PLATFORM USER ACCOUNT, THIS SENTENCE DOES NOT APPLY TO YOU. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH ALL OF THE TERMS AND CONDITIONS SET FORTH IN THESE TERMS OF USE, YOU MUST NOT ACCEPT THESE TERMS OF USE AND YOU MAY NOT USE THE SERVICES

  1. Definitions. Terms and expressions not otherwise defined in the body of these Terms of Use will have the following meanings:

    1. “Ad” or “Advertisement” means a commercial notice, announcement or message made in a public medium to an advertiser’s customers or prospective customers to promote a person, entity, brand, product, service, or event.
    2. “Additional Terms and Conditions” means any additional terms and conditions specified by Zeta DSP from time to time for certain Services and attached to an applicable Order or made available to the Customer.
    3. “Ad Technologies” means, collectively, digital advertising technologies that include advertising tags (such as pixels, clear GIFs and similar methods), cookies, device identifiers or other identifiers and similar technologies.
    4. “Affiliate” of a party means an entity that, directly or indirectly through one or more entities, controls, is controlled by or is under common control with that party, where “control” means the possession, direct or indirect, of the power to direct the management and policies of such party, whether through the ownership of at least fifty percent (50%) of the voting interest of such party, through contractual provisions, or otherwise, and includes that entity’s officers, directors, agents, employees, successors and assigns.
    5. “Agreement” means, collectively, these Terms of Use, the Additional Terms and Conditions, the MSA, and any Orders, including all schedules and attachments thereto and all amendments to any of the foregoing.
    6. “Customer”, “you” and “your” means the individuals or organization(s) identified in the MSA and/or the applicable Order, that are responsible for payment to Zeta DSP pursuant to the Agreement.
    7. “Customer Data” means all campaign data collected by Zeta DSP hereunder on behalf of or received from Customer, its advertisers or the agencies representing Customer, including any data that Customer, its Affiliates, or any third party vendors or partners on Customer’s behalf may disclose or submit to Zeta DSP and any and all Customer Reports; provided however, Customer Data does not include Non-Proprietary Data, even if such data is identical to a portion of data comprising Customer Data. References to Customer Data include Customer Personal Data (as defined in Section 6.2) unless Customer Personal Data is specifically excluded from the MSA and/or Order.
    8. “Customer Material(s)” means any Advertisement, creative, content, data, information or material of any kind created, managed, or delivered by or on behalf of Customer or its Third Party Users using the Services, and includes, without limitation, any creative works, content, data, information, media plan or material of any kind referenced by or accessed via an Advertisement, such as by a URL or other method.
    9. “Customer Report” means any report or summary prepared for Customer in connection with the Services containing information about user activity or engagement with Advertisements.
    10. “Fees” means the fees or rates for the use of the Services as set forth in each Order.
    11. “Intellectual Property Rights” means all rights including future rights in inventions, patents, designs, copyrights, trademarks, service marks, databases and topography rights (whether or not any of those is registered and including applications for registration of the foregoing, renewals, extensions, continuations, divisions and reissues) together with all trade secrets, know-how and all rights or forms of protection of a similar nature or having equivalent or similar effect to any others which may subsist anywhere in the world.
    12. “MSA” means any Master Services Agreement or similar contractual agreement entered into between you and Zeta, including all schedules and attachments thereto, as amended from time to time.
    13. “Non-Proprietary Data” means data that is generated or obtained by Zeta DSP in connection with the Services that may include Personal Data as defined by applicable laws, and which Zeta DSP processes as a controller. Non-Proprietary Data includes data included in a HTTP header or HTTP response, such as user agent strings and time stamps; IP addresses; URLs not provided by or on behalf of Customer; and persistent and non-persistent identifiers, such as session IDs, cookie IDs, cache-based IDs, mobile advertising identifiers and device IDs.
    14. “Order” means an ordering document for Services that is signed by Customer or submitted to Zeta DSP by means of an online click-thru and is accepted by Zeta, which may include, without limitation, an order, statement of work, schedule, attachment, or insertion order, as amended from time to time.
    15. “Payment Terms” means the payment terms set forth in the MSA or the applicable Order.
    16. “Platform(s)” means any of the Zeta DSP service platforms accessible via the Internet for the provision and use of the Services, including any administration websites through which Zeta DSP provides access to such platforms and all software (including source and object code), updates, enhancements, documentation or other materials (excluding Customer Materials) in or related to the platforms that Zeta DSP makes available in the course of providing the Services.
    17. “Privacy Rules” means, to the extent each is applicable: (i) the requirements of any privacy and data protection laws, treaties, inter-governmental agreements, and regulations to which a party is subject in the conduct of its business; (ii) with respect to all processing of personal data relating to individuals in the European Economic Area by or on behalf of a party to this Agreement in, or transfer of personal data to, the United States of America, the EU Standard Contractual Clauses set forth below in Section 16; (iii) the following digital advertising industry rules to the extent applicable to the conduct of a party’s business in the territories where such rules apply: (a) all United States Federal Trade Commission (“FTC”) rules and guidelines regarding the collection, use and/or disclosure of information from or about a unique user of a website, application and/or mobile website and/or the device associated with such user; (b) the California Consumer Privacy Act (CCPA), as amended; (c) all enacting legislation of European Union member states of directives of the European Parliament and Council related to the processing of personal data or the storage of or access to information stored on an individual person’s computing equipment, including mobile devices; (d) the advertising industry self-regulatory codes and principles promulgated by the Digital Advertising Alliance (“DAA”), and the European Interactive Digital Advertising Alliance (“EDAA”), as each such rules, guidelines, codes or set of principles may be amended from time to time by the promulgating entity or any successor entity; (iv) any other relevant FTC, DAA, or EDAA code or principles relating to the collection and use of data obtained from individual persons for advertising purposes; and (v) any amendments, modifications, extensions, supplements or replacements of or to any of the foregoing. For the purposes of the descriptions in the Standard Contractual Clauses as between Zeta DSP and Customer, Zeta DSP agrees that it is a “data importer” and Customer is the “data exporter” under the Standard Contractual Clauses (notwithstanding that Customer may be located outside the EEA and may itself be a Processor acting on behalf of third party Controllers).
    18. “Services” means, collectively, the products and services specified in the MSA or the applicable Order, which may include, without limitation: (i) provision of digital advertising solutions or services in or through any Platform; (ii) professional, creative, media buying or selling and related trading services for agencies and their customers using Zeta DSP professional services, any Platform, or the technology and services of third party service providers and Zeta DSP alliances; and (iii) the data, products and services of third parties that Zeta DSP may make available to Customer from time to time.
    19. “Site(s) Content” means all materials, data, images, texts, sounds, information or other content contained in or around and/or linked to any Site (as defined in Section 6.9).
    20. “Standard Contractual Clauses” means the applicable module(s) of the European Commission’s standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as set out in the Annex to Commission Implementing Decision (EU) 2021/914.
    21. “Zeta”, “we” and “us” means the Zeta Global Corp.
    22. “Term” has the meaning given to such term in the MSA or the applicable Order.
    23. “Territory of Domicile” means Customer’s territory of domicile as set forth in the MSA or the applicable Order.
    24. “Third Party User” means any third party contractor, client, advertiser, agency, or publisher, as applicable, that accesses and uses the Services through Customer’s Account (as defined in Section 3.1).

  2. Ordering and Use of Services

    1. Customer may request Services by submitting an Order for the selected Services to Zeta DSP. Zeta DSP may reject any Order in its sole discretion. Any signature method approved by Zeta DSP shall be binding upon Customer, including electronic signatures or other indications of assent to the terms of this Agreement, such as assent given through the use of an online ordering process. No supplemental or different terms presented by Customer, such as in a purchase or insertion order, or change made by Customer in writing or otherwise to an MSA, Order, or these Terms of Use, shall be binding upon Zeta DSP unless set forth in a written amendment executed by both parties in accordance with Section 14.
    2. Subject to payment by Customer to Zeta DSP of the Fees as set forth in the MSA or the applicable Order and pursuant to Section 3, Zeta DSP will make the Services available to Customer (and its Third Party Users, as applicable) in accordance with the terms of this Agreement. Notwithstanding the foregoing, Customer acknowledges and agrees that certain Services, including, without limitation, professional, creative, media buying, trading or third party services, may be subject to Additional Terms and Conditions which will be provided or referenced in the applicable Order.
    3. Zeta DSP does not pay for any suggestions regarding the Services, or any improvement to processes, procedures, marketing or any other matter (collectively “Suggestions”). Any Suggestions that the Customer submits to Zeta DSP becomes the property of Zeta. Zeta DSP will not (i) compensate the Customer for any such Suggestion; (ii) have any obligation of confidentiality with respect to any such Suggestion; or (iii) be liable to the Customer for any use or disclosure of any such Suggestion. Customer grant Zeta DSP a royalty-free, irrevocable, unrestricted, non-exclusive, sub-licensable, assignable, worldwide license to use, modify, copy, sublicense, transmit, publish, create derivative works from, publicly perform and display any Suggestion for any purpose, commercial or otherwise, without compensation or liability to the Customer or to any third party.

  3. Access to Platform and Account.

    1. Customer may access certain Services through an administrative website or, subject to Section 3.5, an application programming interface (“API”) for the Platforms maintained and controlled by Zeta. For access to the Platforms, Zeta DSP will provide Customer with one or more logins and passwords for access to Customer’s account and corresponding administrative controls (“Customer’s Account”) by authorized personnel of Customer and/or Third Party Users (“Customer’s Representatives”). In order to use any Platform, Customer will, and will ensure that Customer’s Representatives represent, warrant and covenant that they will, provide Zeta DSP with accurate, truthful and complete registration information and agree to the terms of this Agreement and any other Additional Terms and Conditions applicable to each Platform that Zeta DSP may otherwise reasonably require. Upon acceptance of any application made by Customer, each of Customer’s Representatives will be assigned with a user name and password that will allow access to the applicable Platform, and will become a registered user. Customer will ensure that each of Customer’s Representatives that is provided registered user access to any Platform keeps its registration information accurate and up-to-date and does not share its password or registered user name with any third party except as otherwise set forth in this Agreement, and Customer agrees that any failure by any Customer Representative to do so will constitute a breach of this Agreement by Customer, which may result in immediate termination of Customer’s Account. Customer will immediately notify Zeta DSP in writing of any change in authorization, any unauthorized use of any Customer’s Account or any other account-related security breach of which it becomes aware. Upon termination of this Agreement for any reason, Zeta DSP will have the right to disable and delete each Customer Representative’s access to Customer’s Account immediately and to delete all Customer Data thirty (30) days after termination or expiration of this Agreement. Customer and Zeta DSP will ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    2. Zeta DSP reserves the right to suspend or delete any account in its sole discretion for any reason. If Zeta DSP suspends or deletes Customer’s Account: (i) Zeta DSP is not obligated to provide the Customer with a reason for its actions; and, (ii) Zeta DSP will refund the full unused balance remaining in the Customer’s Account, if any, within 30 days of receiving written instructions from the Customer as to where to refund the balance. If Zeta DSP deletes Customer’s Account, the Customer’s right to access the Services and use any applicable Platform shall immediately terminate. Customer will not be permitted to open a new account. If Zeta DSP suspects that the Customer is operating, or associated with, another account (based on its analysis of subscriber data, account content and other information), Zeta DSP may suspend or delete such ‘related’ account as well.
    3. Zeta DSP will use commercially reasonable efforts to make the applicable Platform accessible to Customer 24 hours per day, 7 days per week, subject to any downtime for maintenance, updating and repair. Notwithstanding the foregoing, Customer acknowledges and agrees that Zeta DSP will have no responsibility for Customer’s inability to use the Services or access any Platform due to Internet or other network interruption, communications failure, server downtime or other force majeure event.
    4. The internet is an inherently insecure medium and the transmission of data over the internet (such as sending an email or logging onto a website) is subject to possible loss, interception or alteration while in transit. Accordingly, Zeta DSP does not assume any liability for any damage the Customer may experience or costs it may incur as a result of any loss, interception or alteration of transmissions over the internet.
    5. If Customer authorizes Zeta DSP to set up API access under Customer’s Account: (a) Customer’s use of the API is deemed to be a use of the applicable Platform and is subject to the terms of this Agreement and any Additional Terms and Conditions Zeta DSP may require regarding API use; (b) Zeta DSP will provide access to the API in accordance with Customer’s written instructions and any additional usage terms set forth in the Order; (c) Customer acknowledges and agrees that Zeta’s only obligations with respect to Customer and/or any Third Party User provided access to Zeta’s API (“3rd Party API User”) are those specifically undertaken by Zeta DSP in the Order and Zeta DSP otherwise has no responsibility or liability for Customer’s or any 3rd Party API User’s performance or obligations under any separate agreement that may exist among Customer, any of Customer’s clients and any 3rd Party API Users; (d) Customer is solely responsible for obtaining any 3rd Party API User’s written agreement to any Additional Terms and Conditions required for access to the API and returning a copy thereof to Zeta; and (e) Zeta DSP may suspend providing API access without liability to Customer or any 3rd Party API User, or any of their respective Affiliates or clients, if Zeta DSP believes, in its sole discretion, that the receipt or processing of any Customer Data via the API violates any Privacy Rules or otherwise may result in liability for Zeta DSP or any of its Affiliates or any of their respective customers.

  4. Limited Rights; Ownership.

    1. Zeta DSP hereby grants to Customer, and Customer hereby accepts, a non-exclusive, non-transferable (except as expressly provided in this Agreement), and limited right for Customer to access and use the Platform specified in the Order in accordance with this Agreement solely during the Term and for the sole purpose of using the Services for its internal business purposes. Except as expressly permitted by this Agreement, Customer may not, directly or indirectly or by itself or through any other person or entity, use, rent, lease, sell, transfer (by sublicense, assignment, operation of law, change in control or otherwise), time share, modify, reproduce, copy, make derivative works from, distribute, publish, use to provide service bureau services, or publicly display the applicable Platform. Moreover, Customer will not (and will ensure that Customer’s Representatives do not) reverse engineer, decompile, or otherwise attempt to discover the source code for the applicable Platform or any of the Services. All rights not expressly assigned or licensed in this Agreement are reserved by Zeta DSP in full.
    2. Except as expressly provided herein, Zeta DSP has and will have the sole and exclusive ownership of all right, title and interest in and to all the Platforms and all applicable Services and all Intellectual Property Rights in applicable Platform and Services, any enhancements thereto, any documentation or other materials regarding the use thereof and related thereto, any machine learning and the results and outputs of such machine learning that occur prior to, during, or after Customer’s use of the Services, and any Zeta DSP proprietary data provided to Customer by Zeta DSP in whatever form or media (collectively, “Zeta DSP Intellectual Property”). Neither this Agreement, nor anything contained herein, will be construed as a sale of any Platform or any of the Services or any Intellectual Property Right or any other Zeta DSP Intellectual Property or any proprietary right or title therein or thereto.
    3. If any deliverable to Customer produced by Zeta DSP’s Services includes Zeta DSP Intellectual Property, then Zeta DSP will remain the sole and exclusive owner of such included Zeta DSP Intellectual Property, and Zeta DSP grants Customer only a non-exclusive, perpetual, worldwide, royalty-free license to use such Zeta DSP Intellectual Property, for any purpose, including to sell, sublicense, disclose, publicly display, and create derivative works from such Zeta DSP Intellectual Property, but solely as incorporated into or embedded in such deliverables and not separately therefrom. Subject to the preceding sentence, Customer will own all right, title and interest in and to such deliverables, including the Intellectual Property Rights therein.
    4. As between Zeta DSP and Customer, Customer has and will have the sole and exclusive ownership of all right, title and interest in and to the Customer Materials, Customer Data, and the Site Content where applicable, and all Intellectual Property Rights in the same, except for any Zeta DSP Intellectual Property embedded therein.
    5. Customer grants Zeta DSP a non-exclusive license during the Term to use, copy, modify, process and distribute Customer Materials and Customer Data solely for the purpose of providing the Services in accordance with this Agreement and subject to its terms.
    6. Customer agrees that Zeta DSP may use and disclose certain data, including Customer Data and Non-Proprietary Data, derived from Customer’s use of the applicable Platform and Services (assuming no user opt-out of such use has been communicated to Zeta, including as provided in Section 6.7) to create aggregated data and statistics about the Services and its features, which Zeta DSP may provide to others, including Zeta’s customers, potential customers and the general public, provided that such aggregated data and statistics do not contain any Customer Personal Data (as defined in Section 6.2) or identify any living individual, Customer, Customer’s clients, or any of their respective products or brands. Customer further acknowledges that Zeta will cookie-match between rfihub cookies used by Zeta DSP and other cookies deployed by Zeta, in order to leverage online segment data for other marketing channels.
    7. Customer grants Zeta DSP a non-exclusive license during the Term to use its and its Third Party Users’, as applicable, name and trademarks in marketing materials, the customer ad showcase area of the applicable Platform, and customer lists; provided, that Customer has the right to notify Zeta DSP in writing if it does not agree to any of the foregoing uses of its name and trademarks.
    8. “Zeta”, “Zeta Global”, “ZetaGlobal.com,” ‘Zeta DSP” and Zeta’s logos are, and remain, trademarks of Zeta, its affiliated companies, and/or its licensors; you may not copy, imitate or use any of these without Zeta’s prior written consent.

  5. Confidential Information.

    1. Any information provided hereunder by either party which is clearly marked as “confidential” or designated to be confidential by the terms of this Agreement, including, in particular, the terms and Fees set forth in the MSA and any Orders (“Confidential Information”) will not be used, disclosed or reproduced by the other party without the express written consent of the party providing such information, other than for the performance of such party’s obligations under this Agreement. “Confidential Information” includes all information furnished by or on behalf of either party to the other party, whether furnished before or after the date of this Agreement and regardless of the form in which it is or was communicated or maintained, that is marked as “confidential” or that, from all of the circumstances, the receiving party knows or has reason to know or could reasonably be expected to believe that the disclosing party intended or expected the secrecy of such information to be maintained, that contains or otherwise reflects information concerning the disclosing party, including, without limitation, technical data, know-how, unpublished patent applications, research, product plans or proposals, product applications, inventions, experimental results, trade secrets, processes, designs, drawings, business plans or proposals, implementation strategies, methods of operation, standard operating procedures, marketing information, presentations, programs and strategies, pricing information, promotional information and techniques, analytical procedures, agreements with or information of third parties, financial information and conditions, and information relating to engineering, markets, suppliers or vendors, services, customers, personnel data and marketing, and any other confidential information concerning the business and affairs of the disclosing party, and will include all notes, studies, reports, memoranda and other documents prepared by the receiving party or its representatives that contain or reflect any Confidential Information. Confidential Information does not include information that: (a) is or becomes generally known or available to the public through no act or failure to act by the receiving party; (b) is lawfully in the possession of the receiving party at the time of disclosure, as demonstrated by the receiving party’s written records immediately prior to the time of disclosure; (c) is hereafter furnished to the receiving party by a third party, as a matter of right and without restriction on its disclosure; (d) is required to be disclosed by applicable law or regulation; provided, that the receiving party, to the extent legally permitted, will promptly notify the disclosing party of such request, furnish only the minimum portion of Confidential Information that the receiving party is advised by legal counsel is legally required to be furnished, and assist the disclosing party, if requested, in obtaining a protective order or other reliable assurance that confidential treatment will be accorded to such portion of the Confidential Information as is required to be disclosed.

  6. Data Protection and Privacy.

    1. Zeta DSP and Customer (and its Third Party Users) each represents and warrants that it will at all times comply with the requirements of any applicable Privacy Rules and will refrain from engaging in any behavior that is reasonably likely to render the other party in breach of the Privacy Rules.
    2. To the extent that Zeta DSP processes personal data about any natural person (“Personal Data”, which may also be referred to as “personally identifiable information” or “personal information” by applicable laws) supplied or collected by or on behalf of Customer (“Customer Personal Data”) in the course of providing the Services, it will do so as a processor acting on behalf of Customer (as data controller), however, Zeta DSP processes Non-Proprietary Data as a controller. To the extent that Non-Proprietary Data is disclosed by Customer to Zeta DSP, Zeta DSP processes such data as a co-controller. The terms “data processor,” “data controller,” “process” and their derivatives will have the meanings ascribed to them under the Privacy Rules enforceable in the geographic territories where such processing occurs, or if not defined in any territory, they will have their plain language meanings in that territory.
    3. Customer will process and disclose Customer Personal Data in accordance with the provisions of Customer’s privacy policy and applicable Privacy Rules, including the Standard Contractual Clauses attached below in Section 16. Zeta DSP and Customer agree to comply with the obligations set out in the Standard Contractual Clauses which are incorporated herein by reference. The Controller-to-Processor Standard Contractual Clauses shall apply in all cases where Customer Personal Data that relates to residents of the European Economic Area is Processed by Zeta DSP. The Controller-to-Controller Standard Contractual Clauses will also apply where, and to the extent that, Zeta DSP acts as a Controller or Co-Controller with respect to any Customer Personal Data that relates to a resident of the European Economic Area. In particular, and without limiting the above obligations: (i) Zeta DSP and Customer agree that their respective obligations under the Standard Contractual Clauses shall be governed by the law(s) of the Member State(s) (or Switzerland or the United Kingdom) in which Customers are established; and (ii) the details of the appendices applicable to the Standard Contractual Clauses are set out in Appendix 1 to these Terms of Use. If Zeta DSP is instructed by Customer to collect any Customer Personal Data through any Services, Customer will use such Customer Personal Data solely for the purposes identified within the Customer Materials and Customer’s privacy policy in order to provide the individual who provides such Customer Personal Data with the requested goods, services or information requested from Customer; provided, that Customer agrees not to, and will require its clients and any third parties with whom it shares Customer Personal Data not to merge or attempt to merge non-Personal Data obtained via the Services retroactively with any Personal Data without first obtaining affirmative consent from the individual to whom the data relates for such merger. Customer is required to obtain affirmative consent to the processing of Personal Data from each user that is in the European Economic Area and subject to the rules set out in the Regulation (EU) 2016/619 (“General Data Protection Regulation” or “GDPR”).
    4. Zeta DSP will have in place and maintain throughout the Term appropriate technical and organizational measures to prevent accidental or unauthorized destruction, loss, alteration or disclosure of Customer Data. Customer acknowledges that Zeta DSP shall have the right to delete Customer Data in accordance with Zeta’s data retention policies and to disclose, modify or delete Customer Personal Data in accordance with this Agreement or as required by Privacy Rules.
    5. Zeta DSP will promptly and without undue delay and in any case no later than seventy-two (72) hours of becoming aware, inform Customer in the event of: (i) any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosures of, or access to, Personal Information (altogether, a “Security Incident”), or (ii) any reasonable suspicion of a Security Incident, regardless of its cause. At Customer’s direction, Zeta DSP will provide all relevant information and assistance required by Customer to investigate, mitigate and respond to a Security Incident, including at a minimum, any information or assistance required by applicable privacy and data security laws, rules and regulations.
    6. Zeta DSP agrees to reasonably assist Customer in performing any required audits. Customer will give advance notice and will conduct any such audit at its own cost during regular business hours and without unreasonable disruption to Zeta DSP’s operations. For the avoidance of doubt, this provision will not require Zeta DSP to provide any Customer with access to the confidential information of Zeta DSP’s other customers.
    7. Customer authorizes Zeta DSP to subcontract processing of Customer Data under this Agreement to one or more third parties provided that Zeta: (a) complies with the Privacy Rules; (b) flows down its obligations to protect the Customer Data to any subcontractor it appoints; and (c) will remain responsible for any failure to comply with the Privacy Rules by any subcontractor it appoints to process Customer Data. In the case of general written authorisation, Zeta DSP shall inform Customer of any intended changes concerning the addition or replacement of other processors, thereby giving Customer the opportunity to object to such changes.
    8. In the course of performing the Services, Ad Technologies may be used by Zeta DSP in relation to websites or applications of Customer, its Third Party Users, their respective customers, and other websites, applications and online and mobile presences to improve, analyze and measure the success of advertising campaigns delivered using the Services, or to research, augment or improve Zeta’s own proprietary Ad Technologies in a way that does not identify Customer, its Third Party Users, or their respective customers. Customer will ensure that it (and its Third Party Users, where applicable) obtains all appropriate and necessary consents, and provides all necessary information, to enable the use of such Ad Technologies in compliance with the Privacy Rules. In particular, Customer will ensure that individuals are informed of their ability to refuse or opt-out of Zeta DSP Ad Technologies at any time by visiting Zeta’s opt-out page available via the Zeta DSP Privacy Policy (see section 6.7) or any other location specified by Zeta DSP from time to time. Customer agrees that Zeta DSP has no responsibility or liability for any Customer Ad Technologies or third-party Ad Technologies deployed or used by Customer via the Services.
    9. Use of the Services is also governed by Zeta DSP’s privacy policy (“Zeta DSP Privacy Policy“), which is incorporated into this Agreement by reference. The Privacy Policy can be found at Zeta’s website and is available for review at https://zetaglobal.com/privacy-policy/ or any other location specified by Zeta DSP from time to time. Customer will maintain, implement and at all times comply with a publicly available privacy policy that in all material respects meets or exceeds the substantive provisions of Zeta’s Privacy Policy.
    10. Without limiting Sections 6.6 or 6.7, where Customer is an owner or publisher of one or more websites, applications or other digital properties in which Advertisements are displayed (each, a “Site”) it will comply with the Privacy Rules and commercially reasonable industry standards and practices, including: (a) maintaining a privacy policy conspicuously on each Site that complies with the Privacy Rules and, at a minimum, includes disclosures on Customer’s interest-based advertising activities, the types of data collected from users by the Sites, the Site’s use of any such data and any disclosures or transfer of such data to third parties, and the types of Ad Technologies used by the Site to collect such data; (b) providing a brief explanation within Customer’s and each Site’s privacy policy explaining that it works with third party ad providers and, if applicable, allows such third party ad providers to engage in interest-based advertising activities, serve Customer Materials and use Ad Technologies on the Site to collect user data for use in connection with the delivery of advertising and content; and (c) including in Customer’s and each Site’s privacy policy, where applicable, a conspicuous link to an industry opt-out page that allows users to opt-out of the interest-based advertising activities of third party ad providers, such as the opt-out tools made available by the NAI, DAA, and EDAA from time to time.
    11. Customer will not append any third party tags to Zeta DSP’s tags, nor will Customer allow any third party tracking or tagging (collectively “Third Party Tags”) through the Platform unless any provider requesting to implement Third Party Tags is in full compliance with this Section 6 and the Privacy Rules, including, without limitation, by presenting users with notice and choice to opt-out of data collection and processing in connection with such Third Party Tags. Customer will provide Zeta DSP and any client it represents, where applicable, with notice of any Third Party Tags Customer wishes to implement in the Platform. Zeta DSP reserves the right to validate any Third Party Tags or provider thereof for compliance with this Section 6 and the Privacy Rules, and for authenticity, and is under no obligation to allow the implementation of Third Party Tags. Zeta DSP may create lists of providers of Third Party Tags who are certified to append Third Party Tags in the Platform, and reserves the right to block any providers who are not validated for compliance; and without derogating from the above, Customer will be solely responsible for any Third Party Tags implemented through the Platform by Customer or any provider or other person authorized to act on Customer’s behalf, including any damage, cost or claim resulting from appending such Third Party Tags.

  7. Customer Responsibilities.

    1. As between the parties, Customer is solely responsible for: (a) all aspects of any Customer Materials created, delivered, or managed through or processed or linked to the Services; (b) all campaign settings, including settings in the Platform designated as “Stop Serving”, as determined and inserted by or on behalf of Customer on the applicable Platform; and (c) all aspects of campaign management including data entry, ads, pricing, budget, maximum number of impressions, flight parameters, pacing, campaign set up and trafficking, targeting constraints, monitoring ad status, advertiser requirements and objectives, and campaign performance. Customer is solely responsible for any conditions, representations or warranties it makes to its advertisers regarding actual or expected campaign performance, and for any make-goods it may issue to advertisers. Customer will conduct (and ensure that its Third Party Users conduct) all of its marketing, business, and other activities related to the Customer Materials and its use of the Services in compliance with local, state, federal and international laws, rules, treaties, inter-governmental agreements and governmental orders, regulations and regulatory codes of practice applicable to its business.
    2. Customer represents and warrants that it will not (and will procure that its Third Party Users do not) use the Services in connection with, or to promote campaigns, Advertisements or other Customer Materials or Site Content containing: (a) content that is an invasion of privacy, degrading, defamatory, libelous, unlawful, profane, obscene, pornographic, hate material or discriminatory; (b) content that promotes any illegal or fraudulent activity, including, without limitation, the promotion of gambling where prohibited, illegal substances, software piracy or hacking, or invalid advertising traffic; (c) content that infringes the personal rights or Intellectual Property Rights of any third party; (d) content, links or codes that promote or reference software piracy and/or activities generally understood as Internet abuse, including the sending of unsolicited bulk messages or the distribution or use of spyware, Malware (as defined below), worms, Trojan horses, time bombs, cancelbots, bots or other code that generate fraudulent or invalid advertising traffic, corrupted files or similar software; or (e) content that it knows or reasonably should have known to be false, fraudulent or misleading, including content, links or codes that facilitate the creation or use of fraudulent or invalid advertising traffic. “Malware” means software or applications, or websites associated with software or applications, that (i) may be used to disrupt, damage, take control of, misuse, or otherwise use or disable a computer or computer system or operation; (ii) impermissibly views or collects information; (iii) access computer systems to display or distribute unwanted or illicit advertising, content or software; or (iv) violates the written policies of any advertising exchange or publisher that Customer may have access to through the applicable Platform, as such policies may be updated and published from time to time. Customer shall use a reputable third party Malware detection vendor to scan all ads that are served to websites in connection with Customer’s use of the Services. Without limiting any of its rights under this Agreement, Zeta DSP may immediately suspend or terminate Customer’s access to the Services without notice and may terminate this Agreement without any liability to Customer, if Customer fails to comply with this Section 7.
    3. Customer represents and warrants that: (a) it is a business, not a consumer, and has the rights, authority and any required permission and consent to enter into this Agreement, and, if applicable, that it is acting as an agent for a disclosed principal, its advertiser, and that as such, Customer has the authority as agent to incur the Fees charged by Zeta DSP for the Services requested on such advertiser’s behalf; (b) neither it nor its Third Party Users are currently the subject of any investigation or prosecution by any governmental or regulatory body or agency that may have a material detrimental effect on users of Customer’s products, services or advertising, or on Zeta, any of its Affiliates or any of their respective customers; or (c) if it or any of its Third Party Users becomes involved or is named in any investigation or prosecution by any governmental or regulatory body or agency that may have a material detrimental effect on Zeta DSP or users of Zeta’s products, services or advertising, then Customer will immediately provide notice to Zeta DSP of such action, investigation, complaint or other proceeding, in which event Zeta DSP may terminate this Agreement immediately.
    4. Customer represents and warrants that: (a) it and its Third Party Users have all the necessary rights, licenses, consents, waivers and permissions, including, without limitation, from advertisers, publishers, users and other third parties, to allow Zeta: (i) to store and deliver the Customer Materials and otherwise provide the Services and operate the Platforms on behalf of Customer; (ii) to make any technical or other modifications that it may deem necessary to facilitate the delivery of the Advertisements and related Customer Materials; provided, that Zeta DSP will not make any amendments to the creative content of any Advertisements or Customer Materials except as requested by Customer; (iii) to use any Customer Data provided to or collected by Zeta DSP in the provision of the Services for Customer and according to Customer’s or its Third Party Users’ instructions; and (iv) to receive, transfer and process any Customer Data from or to any third party according to Customer’s or its Third Party Users’ instructions, whether by API, FTP or other data transfer method; (b) neither Customer nor its Third Party Users, nor any of their respective users, will use the applicable Platform or any of the Services in a way or for any purpose that infringes or misappropriates any third party’s Intellectual Property Rights or personal or other proprietary rights or in order to harass, abuse, or harm another person; (c) it will ensure that the Customer Materials, the contents of such Customer Materials, the Site Content and any data provided by, or delivered on behalf of, Customer or any Third Party Users to Zeta, and Customer’s and its Third Party Users’ promotional and marketing materials and activities in connection with their use of the applicable Platform or Services, will not be in violation of any third party’s rights, including Intellectual Property Rights, and will not be defamatory, fraudulent, obscene, misleading or otherwise illegal; (d) it will notify Zeta DSP of any errors in any Customer Materials and any complaints or claims made in respect of any Customer Materials as soon as the same comes to its attention; and (e) if Zeta DSP considers, in its sole discretion, that any Customer Materials breaches any of the requirements set forth in this Section 7, or may subject Zeta DSP to material adverse risks, and Zeta DSP requests that such Customer Materials be removed or amended, then Customer will withdraw such Customer Materials from the applicable Platform or amend such Customer Materials to Zeta’s satisfaction.
    5. Customer will ensure that it and any Third Party Users comply with this Agreement. Zeta DSP may audit Customer’s use of the Services and observe all of Customer’s activity on the applicable Platform. Customer will promptly notify Zeta DSP of any suspected or alleged breach of this Agreement and will cooperate with Zeta DSP regarding: (a) any investigation by Zeta DSP of any suspected or alleged violation of this Agreement; and (b) any action by Zeta DSP to enforce the terms and conditions of this Agreement. Zeta DSP may suspend or terminate Customer’s or Third Party User’s access to the Services and/or applicable Platform upon notice to Customer if Zeta DSP determines in its reasonable discretion that Customer or Third Party User has breached this Agreement.
    6. Customer agrees to indemnify, defend, and hold harmless Zeta, its subsidiaries, Affiliates and related entities, and their respective officers, directors, employees and agents from and against any and all losses, costs, damages or liabilities, including, without limitation, reasonable legal fees, costs and expenses, arising out of any third party claim or action related to Customer’s or any Third Party User’s (i) breach of any of the obligations and warranties set forth in this Section 7, or any other representations, warranties, terms, conditions or obligations of Customer as provided in this Agreement; (ii) gross negligence, willful misconduct or fraudulent actions; and (iii) violation or otherwise misappropriation of the Intellectual Property Rights of such third party in violation of this Agreement. The foregoing obligations are conditioned on Zeta: (a) notifying Customer promptly in writing of such action; (b) giving Customer sole control of the defense thereof and any related settlement negotiations; and (c) reasonably cooperating with the Customer, at the Customer’s expense, in the defense of such claim; and (d) giving the Customer the right to control the defense and settlement of any such claim, except that the Customer shall not enter into any settlement that affects Zeta’s rights or interest without Zeta’s prior written approval. Zeta DSP reserves its right prior to and during the notice period to file any motion, answer or other pleading and to take any other action that Zeta DSP shall deem necessary or appropriate to protect its interests.

  8. Zeta DSP Responsibilities

    1. Zeta DSP represents and warrants that: (a) it is duly authorized to enter into this Agreement and provide the Services hereunder; (b) it will perform the Services in a diligent and workmanlike manner consistent with applicable industry standards; (c) the Services will perform substantially in accordance with the latest version of documentation as made generally available in the applicable Platform or in an Order; (d) its provision and operation of the Services is in compliance with all applicable local, state, federal and international laws, rules, treaties, inter-governmental agreements and governmental orders, regulations and regulatory codes of practice; and (e) there are no actions, suits or proceedings, pending or threatened, that could reasonably be expected to have a material adverse effect on Zeta’s ability to fulfill its obligations under this Agreement.
    2. Zeta DSP agrees to indemnify, defend, and hold harmless Customer, its subsidiaries, its Affiliates, and their respective officers, directors, employees and agents from and against any and all losses, costs, damages or liabilities, including reasonable legal fees, costs, and expenses, arising out of or related to any third party action to the extent it is based upon a claim that any Platform or Services, or use thereof by the Customer in accordance with and subject to the limitations set forth in this Agreement, infringes any Intellectual Property Right of a third party. The foregoing obligations are conditioned on Customer: (a) notifying Zeta DSP promptly in writing of such action; (b) giving Zeta DSP sole control of the defense thereof and any related settlement negotiations; and (c) reasonably cooperating with Zeta, at Zeta’s expense, in the defense of such claim; and (d) giving Zeta DSP the right to control the defense and settlement of any such claim, except that Zeta DSP shall not enter into any settlement that affects Customer’s rights or interest without Customer’s prior written approval. Customer shall have a right prior to and during the notice period to file any motion, answer or other pleading and to take any other action that Customer shall deem necessary or appropriate to protect its interests. If the applicable Platform or Services become, or in Zeta’s sole opinion are likely to become, the subject of an infringement claim, Zeta DSP may, at its option and expense: (i) procure for Customer the right to continue using the applicable Platform or Services; (ii) replace or modify the applicable Platform or Services so that they become non-infringing; or (iii) accept return of any deliverables provided as a result of the Services, terminate this Agreement, in whole or in part, as appropriate, upon written notice to Customer and refund Customer any Fees pre-paid in respect of the Services upon such termination. Notwithstanding the foregoing, Zeta DSP will be relieved of its obligation under this Section 8.2 to the extent that any third party action is based upon: (A) any Customer Materials; (B) any use of the Platform or Services not in accordance with this Agreement; (C) any use of the Services in combination with products, equipment, software, or data not supplied by Zeta DSP if such infringement would have been avoided if not for the combination with such products, equipment, software, or data; (D) any use of any release of the Platform or Services other than the most current release made available to Customer; or (E) any modification of the Platform or Services by Customer, its agents or subcontractors. THIS SECTION 8.2 STATES ZETA’S ENTIRE LIABILITY AND CUSTOMER’S EXCLUSIVE REMEDY FOR ANY THIRD PARTY CLAIMS OF INFRINGEMENT.

  9. Fees

    1. All Fees payable under this Agreement by Customer will be made in accordance with the Payment Terms, and are exclusive of any applicable taxes (except for taxes on Zeta’s net income) payable in connection with the Services or the use of the applicable Platform, including, without limitation, VAT or any relevant local sales taxes, for which Customer will be responsible. Unless stated otherwise in the applicable Order, all Fees shall be due within 30 days of the invoice date. Non-payment of any Zeta DSP invoice in accordance with the Payment Terms and this Agreement will be a material breach of this Agreement. Unless otherwise stated in the applicable Order, all Fees will be charged in U.S. dollars. If Customer pays the Fees in currency other than U.S. dollars, the payment will be exchanged at the rate available to Zeta DSP at the time. Customer is responsible for confirming the accuracy of all information it provides for each payment (such as contact information, payment amounts, credit card numbers and expiry dates, and wire information, as applicable).
    2. With respect to ad serving services, Customer will be billed per the following scenarios with respect to Platform settings: (a) if the campaign is set to “Keep Serving as Usual,” then the Platform will keep serving even after the placement’s end date or volume goals are met; or (b) if the campaign is set to “Stop Serving” (based on: Volume Stop, Date Stop, soonest of Volume Stop/Date Stop or the latest of Volume Stop/Date Stop), then: (i) Out of Banner Formats (“OOB”) will stop serving on OOB Stop; and (ii) Banner Formats will continue to serve the designated Ad Format until the predefined stop event and afterwards continue to serve default images, and in this case, impressions served until the stop event will be billed at their applicable rate and any impression served afterwards will be billed at the default image rate. Notwithstanding any Stop Serving settings or termination of an Order by Customer, Customer will pay Zeta DSP at its standard rates for professional, creative, media buying and trading services rendered through the date of termination, cancellation or Stop Serving setting, regardless of the number of impressions served. If Customer uses any Services for which the Fees are not specified in an Order, then the Fees for such Services will be Zeta’s then applicable standard rates. Terms with initial capital letters in this Section 9.2 have the meanings ascribed to them within the Platform settings.
    3. If Customer fails to pay any amount payable by it under this Agreement in accordance with the Payment Terms, Zeta DSP may charge Customer interest on the overdue amount (payable by Customer immediately on demand) from the due date up to the date of actual payment, after as well as before judgment, at the rate of 1.5% per month or the highest rate allowed by law, whichever is less. Such interest will accrue on a daily basis and be compounded on a monthly basis. Customer will also be responsible for payment of all reasonable expenses (including attorneys’ fees and costs) incurred by Zeta DSP in collecting any overdue amounts from Customer.

  10. DISCLAIMER.

    1. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PLATFORM, AND THE SERVICES ARE PROVIDED “AS IS” AND ON AN “AS AVAILABLE” BASIS AND ZETA DSP DOES NOT MAKE OR GIVE ANY REPRESENTATION, WARRANTY, CONDITION OR OTHER TERM (COLLECTIVELY, “PROMISES”) OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE WITH RESPECT TO THE PLATFORM OR THE SERVICES AND EXCEPT TO THE EXTENT PROHIBITED BY APPLICABLE LAW, ZETA DSP DISCLAIMS ALL IMPLIED PROMISES WITH RESPECT TO THE PLATFORM AND THE SERVICES, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED PROMISES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT OR QUIET ENJOYMENT, AND ANY PROMISES ARISING OUT OF ANY COURSE OF DEALING, PERFORMANCE, OR TRADE USAGE.
    2. ZETA DSP WILL NOT BE HELD RESPONSIBLE FOR: (A) ANY ERRORS OR INACCURACIES IN ANY CUSTOMER MATERIALS OR SITE CONTENT; (B) SERVICE INTERRUPTIONS DUE TO FACTORS REPRESENTING INHERENT RISKS ASSOCIATED WITH THE USE OF ELECTRONIC COMMUNICATIONS, INCLUDING NETWORK INTERRUPTIONS (INCLUDING THE INTERNET), COMMUNICATIONS FAILURES, THIRD PARTY SERVER DOWNTIME, POWER OUTAGES OR SYSTEM FAILURES; OR (C) ANY UNAUTHORIZED ACCESS TO, USE OF, ALTERATION OF OR DELETION, DESTRUCTION, DAMAGE OR LOSS OF CUSTOMER’S OR ANY THIRD PARTY USER’S CUSTOMER MATERIALS, SITE CONTENT OR OTHER MATERIALS, DATA, IMAGES, SOUNDS, TEXT INFORMATION OR CONTENT.
    3. ZETA DSP MAY DISCONTINUE ANY ASPECT OF THE PLATFORM OR THE SERVICES, OR MAY CHANGE THE NATURE, FEATURES, FUNCTIONS, SCOPE OR OPERATION OF THE PLATFORM OR THE SERVICES, AT ANY TIME. ZETA DSP ALSO DOES NOT IN ANY WAY MAKE ANY PROMISES THAT THE PLATFORM OR THE SERVICES WILL BE PROVIDED IN AN UNINTERRUPTED MANNER, ERROR-FREE OR FREE FROM HARMFUL COMPONENTS. IN ADDITION, ZETA DSP MAKES NO PROMISES THAT THE PLATFORM OR THE SERVICES WILL MEET CUSTOMER’S REQUIREMENTS OR EXPECTATIONS OR THAT CUSTOMER WILL ACHIEVE ANY PARTICULAR RESULT FROM USING THE PLATFORM OR THE SERVICES.
    4. CUSTOMER ACKNOWLEDGES AND AGREES THAT NEITHER CUSTOMER NOR ITS THIRD PARTY USERS HAVE ENTERED INTO THIS AGREEMENT IN RELIANCE ON ANY PROMISES (WHETHER INNOCENT OR NEGLIGENT) EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT.

  11. Limitation of Liability.

    1. EXCEPT AS EXPRESSLY SET FORTH IN SECTION 11.3, IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY (OR ANY THIRD PARTY) FOR ANY SPECIAL, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND WHATSOEVER (INCLUDING LOSS OF PROFITS, LOSS OF BUSINESS OPPORTUNITIES, COSTS OF SUBSTITUTES, LEGAL FEES AND COURT COSTS), EVEN IF SUCH DAMAGES ARE REASONABLY FORESEEABLE.
    2. EXCEPT AS EXPRESSLY SET FORTH IN SECTION 11.3, IN NO EVENT WILL EITHER PARTY’S LIABILITY UNDER THIS AGREEMENT, WHETHER ARISING IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EXCEED THE TOTAL AMOUNT ACTUALLY PAID TO ZETA DSP BY CUSTOMER UNDER THIS AGREEMENT DURING THE SIX (6) MONTHS IMMEDIATELY PRECEDING THE DATE ON WHICH THE FIRST OF ANY CLAIMS IS MADE IN CONNECTION WITH THIS AGREEMENT.
    3. THE EXCLUSIONS AND LIMITATIONS SET FORTH IN THIS SECTION 11 AND ELSEWHERE IN THIS AGREEMENT WILL APPLY TO THE FULLEST EXTENT PERMISSABLE AT LAW, BUT NEITHER PARTY WILL EXCLUDE OR LIMIT LIABILITY FOR: (A) DEATH OR PERSONAL INJURY CAUSED BY ITS NEGLIGENCE OR THAT OF ITS OFFICERS, EMPLOYEES, CONTRACTORS OR AGENTS ACTING IN THE COURSE OF THEIR DUTIES; (B) FRAUD OR FRAUDULENT MISREPRESENTATION; (C) BREACH OF SECTION 4, 6 OR 7 BY CUSTOMER OR THE BREACH OF SECTION 5 BY EITHER PARTY; (D) INDEMNIFICATION SET FORTH IN SECTION 7.6 AND 8.2; OR (E) ANY OTHER LIABILITY WHICH MAY NOT BE EXCLUDED OR LIMITED BY LAW.

  12. Term and Termination. The Term of this Agreement will be as set forth in the MSA or the applicable Order unless: (a) terminated earlier in accordance with this Section 12; or (b) the Services continue to be used by Customer after the expiration of the Term as set forth in the MSA or the applicable Order, in which case the Term will thereafter renew on a month-to-month basis until either party terminates this Agreement by giving thirty (30) days prior written notice to the other party. Either party may terminate this Agreement immediately if: (i) the other party is in material breach hereunder and fails to cure such breach within ten (10) calendar days of written notice being provided (if such breach can be cured) by the party seeking to terminate; or (ii) the other party becomes insolvent or seeks protection under any bankruptcy, receivership, trust deed, creditors arrangement, composition or comparable proceeding, or if any such proceeding is instituted against the other party (and not dismissed within ninety (90) days). Unless otherwise provided in an Order, Zeta DSP may terminate this Agreement for any reason upon thirty (30) days prior written notice to Customer. The requirement to make any payment that has become due, in addition to Sections 4 through 8 and 10 through 15 of these Terms of Use, will survive the completion, expiration, termination, or cancellation of this Agreement for any reason, as will any other provision of this Agreement that is intended to survive in accordance with its terms.
  13. Force Majeure.

    1. Neither party will be responsible for delay or failure in performing obligations under this Agreement resulting from the occurrence of an event beyond the control of such party. Such force majeure events include, but not limited to, acts of God, acts of any government, war or other hostility, civil disorder, the elements, fire, flood, earthquake, explosion, embargo, acts of terrorism, power failure, equipment failure, industrial or labor disputes or controversies, acts of any third party data provider(s) or other third party information provider(s), third party software, or communication method interruptions.
    2. Any party that wishes to invoke an event as set forth above will promptly notify the other party of the occurrence of the force majeure event. Should the force majeure event continue for more than thirty (30) days, the party claiming the force majeure event will have the right to terminate this Agreement with immediate effect by giving written notice to the other party.
      3. In the event that Customer exercises its right to terminate this Agreement under this Section 13, it will immediately pay to Zeta DSP all Fees incurred, due and payable to Zeta DSP under the terms of this Agreement up to the effective date of such termination.

  14. General.

    1. This Agreement represents the entire understanding between the parties and supersedes all prior written and all prior and contemporaneous oral agreements relating to the subject matter hereof. The parties may not amend these Terms of Use, the MSA, or any Order except by a written agreement of the parties that identifies itself as an amendment to these Terms of Use, the MSA, or such Order, as applicable.
    2. These Terms of Use will apply to all Orders submitted in connection with this Agreement, and any preprinted, additional, or supplemental terms in, on or associated with any Customer-submitted ordering documents, including purchase or insertion orders, will not apply and will not be binding upon Zeta.
    3. Zeta DSP may provide notices to Customer, at Zeta’s option, by email to the email address provided by Customer to Zeta, by mail to the postal address provided by Customer to Zeta, or by posting on the applicable Platform or any Zeta DSP website to which Customer has access in connection with this Agreement. It is Customer’s responsibility to ensure that the email address and any other contact information it provides to Zeta DSP is updated and correct at all times during the Term. Changes to Customer’s contact information should be sent to Customer’s designated Zeta DSP service representative.
    4. Customer and Zeta DSP are independent contractors and nothing in this Agreement will give Customer the right, power or authority to create any obligation or responsibility on behalf of Zeta. Except as otherwise set forth in this Agreement, neither Customer nor Zeta DSP will have any right, power, or authority to create any obligation or responsibility on behalf of the other and this Agreement is not intended to benefit, nor will it be deemed to give rise to any rights in, any third party. Notwithstanding the foregoing, Customer acknowledges and agrees that Zeta’s Affiliates will be third party beneficiaries of this Agreement and will be entitled to directly enforce, and rely upon, any provision in this Agreement that confers a benefit on, or rights in favor of, Zeta DSP or any of its Affiliates.
    5. Customer may not assign, sublicense, or transfer this Agreement or any right or duty under this Agreement. Any assignment, transfer, or attempted assignment or transfer in violation of this Section 14 will be void and of no force or effect. Zeta DSP and its subsequent assignees may assign, delegate, sublicense, or otherwise transfer from time to time this Agreement, or the rights or obligations hereunder, in whole or in part, to any person or entity, such as to Zeta DSP Affiliates.
    6. No waiver of any right, power, condition or remedy is effective unless given in writing and signed by the party waiving such right or condition. No failure or delay on the part of a party in exercising any right, power, condition or remedy under this Agreement will operate as a waiver, nor will any single or partial exercise of any such right, power, condition or remedy preclude any other or further exercise or the exercise of any other right, power, condition or remedy.
    7. Any provision of this Agreement that is prohibited or unenforceable in any jurisdiction will, as to such jurisdiction, be ineffective only to the minimum extent necessary without invalidating the remaining provisions of this Agreement or affecting the validity or enforceability of any provision in any other jurisdiction.
    8. Any claim against Zeta DSP and/or its Affiliates will be adjudicated on an individual basis and will not be consolidated in any proceeding with any claim or controversy of any other party.
    9. Customer agrees to review the Agreement from time to time. Customer acknowledges that Zeta DSP may modify these Terms of Use at any time by posting such modification on the applicable Platform or applicable Zeta DSP website or by notifying Customer by email, and such revised Terms of Use will supersede and replace all earlier versions. If Customer does not agree to modifications, its sole remedy is to terminate this Agreement upon written notice to Zeta. Customer’s and its Third Party Users’ continued use of any Platform or any portion of the Services will be deemed to be acceptance by Customer and its Third Party Users of any such modified version of these Terms of Use. Notwithstanding the foregoing, if Customer has an existing agreement in force with Zeta DSP that specifically overrides a previous version of the Zeta DSP Terms of Use, then such existing agreement will remain in full force and effect until expiration or termination in accordance with its terms, without modification by these Terms of Use.
    10. Zeta DSP may be subpoenaed by governmental entities or others to provide information relative to your account. Zeta DSP has no obligation to inform you of any subpoena or response to any subpoena, and you agree that Zeta DSP will have no liability to you for disclosing information in response to a subpoena.
    11. As used in this Agreement, the word “including” is a term of enlargement meaning “including without limitation” and does not denote exclusivity. The defined terms herein will apply equally to both the singular and plural forms of the terms defined. Whenever the context may require, any pronoun will include the corresponding masculine, feminine and neuter forms. All references in these Terms of Use to “Sections” will be deemed to be references to the corresponding Section of these Terms of Use unless the context requires otherwise. The section headings and subheadings contained in these Terms of Use are included for convenience only, and will not limit or otherwise affect the interpretation of these Terms of Use.
    12. This Agreement and every part of this Agreement is controlled by the English language and if the terms of this Agreement or any part thereof are translated into any language, for convenience or any other reason, the English language version will control and the English language interpretation will prevail with respect to any conflicts of interpretation.

  15. Zeta DSP Entity You Are Contracting With in Your Territory of Domicile, Governing Laws, Jurisdiction, Venue, Notices.

    1. This Agreement shall be governed by the laws of the State of New York, United States without regard to conflict of laws rules or principles. All parties agree that any claim, legal proceeding or litigation arising in connection with this Agreement will be brought solely in the United States District Court for the Southern District of New York (Manhattan) or, if federal jurisdiction is not available, in a court of competent jurisdiction in the County and State of New York. You and Zeta DSP consent to personal jurisdiction and venue of such courts and each party hereby expressly waives any objection or defense thereto.
    2. THE PARTIES ACKNOWLEDGE AND AGREE THAT ANY CONTROVERSY WHICH MAY ARISE UNDER THIS AGREEMENT, ANY OTHER AGREEMENT RELATED HERETO OR WITH RESPECT TO THE TRANSACTIONS CONTEMPLATED HEREBY OR THEREBY WOULD BE BASED UPON DIFFICULT AND COMPLEX ISSUES, AND THEREFORE, THE PARTIES AGREE THAT ANY COURT PROCEEDING ARISING OUT OF ANY SUCH CONTROVERSY WILL BE TRIED IN A COURT OF COMPETENT JURISDICTION BY A JUDGE SITTING WITHOUT A JURY.
    3. All notices to Zeta DSP will be made in writing to Zeta Global Corp., ATTN: Legal Department, 3 Park Avenue. 33rd Fl. New York, NY 10016, USA, with a copy via email to legal@zetaglobal.com. Notices should be sent by certified first-class mail, return receipt requested, or a nationally recognized delivery service. Notices will be deemed received based on the delivery date shown on the written delivery confirmation notice.

Last Modified: November 15, 2021

Appendix 1: Standard Contractual Clauses

The parties agree that to the extent that Customer transfers or makes available to Zeta DSP Personal Data relating to a resident of the European Economic Area the following terms will apply. Where Zeta DSP acts as a Processor for Customer Personal Data it will act as a processor and not as a controller with respect to such data, however, transfers of Non-Proprietary Data by Customer to Zeta DSP represent controller-to-controller transfers and so this form of the EU Standard Contractual Clauses has been used.

Controller to Controller

SECTION I

Clause 1

Purpose and scope

  1. (a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ( ) for the transfer of personal data to a third country.
  2. (b) The Parties:
    1. the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
    2. the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’) have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
  3. (c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
  4. (d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

  1. (a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
  2. (b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

  1. (a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
    (i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
    (ii) Clause 8.5 (e) and Clause 8.9(b);
    (iii) N/A
    (iv) Clause 12(a) and (d);
    (v) Clause 13;
    (vi) Clause 15.1(c), (d) and (e);
    (vii) Clause 16(e);
    (viii) Clause 18(a) and (b).
  2. (b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

  1. (a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
  2. (b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
  3. (c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Optional

Docking clause

  1. (a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
  2. (b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
  3. (c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

  1. 8.1 Purpose limitation
    The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B. It may only process the personal data for another purpose:
    (i) where it has obtained the data subject’s prior consent;
    (ii) where necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
    (iii) where necessary in order to protect the vital interests of the data subject or of another natural person.
  2. 8.2 Transparency
    (a) In order to enable data subjects to effectively exercise their rights pursuant to Clause 10, the data importer shall inform them, either directly or through the data exporter:
    (i) of its identity and contact details;
    (ii) of the categories of personal data processed;
    (iii) of the right to obtain a copy of these Clauses;
    (iv) where it intends to onward transfer the personal data to any third party/ies, of the recipient or categories of recipients (as appropriate with a view to providing meaningful information), the purpose of such onward transfer and the ground therefore pursuant to Clause 8.7.
    (b) Paragraph (a) shall not apply where the data subject already has the information, including when such information has already been provided by the data exporter, or providing the information proves impossible or would involve a disproportionate effort for the data importer. In the latter case, the data importer shall, to the extent possible, make the information publicly available.
    (c) On request, the Parties shall make a copy of these Clauses, including the Appendix as completed by them, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the Parties may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
    (d) Paragraphs (a) to (c) are without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
  3. 8.3 Accuracy and data minimisation
    (a) Each Party shall ensure that the personal data is accurate and, where necessary, kept up to date. The data importer shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.
    (b) If one of the Parties becomes aware that the personal data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.
    (c) The data importer shall ensure that the personal data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of processing.
  4. 8.4 Storage limitation
    The data importer shall retain the personal data for no longer than necessary for the purpose(s) for which it is processed. It shall put in place appropriate technical or organisational measures to ensure compliance with this obligation, including erasure or anonymisation ( ) of the data and all back-ups at the end of the retention period.
  5. 8.5 Security of processing
    (a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the personal data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
    (b) The Parties have agreed on the technical and organisational measures set out in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
    (c) The data importer shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    (d) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects.
    (e) In case of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the data importer shall without undue delay notify both the data exporter and the competent supervisory authority pursuant to Clause 13. Such notification shall contain i) a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), ii) its likely consequences, iii) the measures taken or proposed to address the breach, and iv) the details of a contact point from whom more information can be obtained. To the extent it is not possible for the data importer to provide all the information at the same time, it may do so in phases without undue further delay.
    (f) In case of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the data importer shall also notify without undue delay the data subjects concerned of the personal data breach and its nature, if necessary in cooperation with the data exporter, together with the information referred to in paragraph (e), points ii) to iv), unless the data importer has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or notification would involve disproportionate efforts. In the latter case, the data importer shall instead issue a public communication or take a similar measure to inform the public of the personal data breach.
    (g) The data importer shall document all relevant facts relating to the personal data breach, including its effects and any remedial action taken, and keep a record thereof.
  6. 8.6 Sensitive data
    Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences (hereinafter ‘sensitive data’), the data importer shall apply specific restrictions and/or additional safeguards adapted to the specific nature of the data and the risks involved. This may include restricting the personnel permitted to access the personal data, additional security measures (such as pseudonymisation) and/or additional restrictions with respect to further disclosure.
  7. 8.7 Onward transfers
    The data importer shall not disclose the personal data to a third party located outside the European Union ( ) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) unless the third party is or agrees to be bound by these Clauses, under the appropriate Module. Otherwise, an onward transfer by the data importer may only take place if:
    (i) it is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
    (ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
    (iii) the third party enters into a binding instrument with the data importer ensuring the same level of data protection as under these Clauses, and the data importer provides a copy of these safeguards to the data exporter;
    (iv) it is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings;
    (v) it is necessary in order to protect the vital interests of the data subject or of another natural person; or
    (vi) where none of the other conditions apply, the data importer has obtained the explicit consent of the data subject for an onward transfer in a specific situation, after having informed him/her of its purpose(s), the identity of the recipient and the possible risks of such transfer to him/her due to the lack of appropriate data protection safeguards. In this case, the data importer shall inform the data exporter and, at the request of the latter, shall transmit to it a copy of the information provided to the data subject.
    Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
  8. 8.8 Processing under the authority of the data importer
    The data importer shall ensure that any person acting under its authority, including a processor, processes the data only on its instructions.
  9. 8.9 Documentation and compliance
    (a) Each Party shall be able to demonstrate compliance with its obligations under these Clauses. In particular, the data importer shall keep appropriate documentation of the processing activities carried out under its responsibility.
    (b) The data importer shall make such documentation available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

N/A

Clause 10

Data subject rights

(a) The data importer, where relevant with the assistance of the data exporter, shall deal with any enquiries and requests it receives from a data subject relating to the processing of his/her personal data and the exercise of his/her rights under these Clauses without undue delay and at the latest within one month of the receipt of the enquiry or request. ( ) The data importer shall take appropriate measures to facilitate such enquiries, requests and the exercise of data subject rights. Any information provided to the data subject shall be in an intelligible and easily accessible form, using clear and plain language.
(b) In particular, upon request by the data subject the data importer shall, free of charge:
(i) provide confirmation to the data subject as to whether personal data concerning him/her is being processed and, where this is the case, a copy of the data relating to him/her and the information in Annex I; if personal data has been or will be onward transferred, provide information on recipients or categories of recipients (as appropriate with a view to providing meaningful information) to which the personal data has been or will be onward transferred, the purpose of such onward transfers and their ground pursuant to Clause 8.7; and provide information on the right to lodge a complaint with a supervisory authority in accordance with Clause 12(c)(i);
(ii) rectify inaccurate or incomplete data concerning the data subject;
(iii) erase personal data concerning the data subject if such data is being or has been processed in violation of any of these Clauses ensuring third-party beneficiary rights, or if the data subject withdraws the consent on which the processing is based.
(c) Where the data importer processes the personal data for direct marketing purposes, it shall cease processing for such purposes if the data subject objects to it.
(d) The data importer shall not make a decision based solely on the automated processing of the personal data transferred (hereinafter ‘automated decision’), which would produce legal effects concerning the data subject or similarly significantly affect him/her, unless with the explicit consent of the data subject or if authorised to do so under the laws of the country of destination, provided that such laws lays down suitable measures to safeguard the data subject’s rights and legitimate interests. In this case, the data importer shall, where necessary in cooperation with the data exporter:
(i) inform the data subject about the envisaged automated decision, the envisaged consequences and the logic involved; and
(ii) implement suitable safeguards, at least by enabling the data subject to contest the decision, express his/her point of view and obtain review by a human being.
(e) Where requests from a data subject are excessive, in particular because of their repetitive character, the data importer may either charge a reasonable fee taking into account the administrative costs of granting the request or refuse to act on the request.
(f) The data importer may refuse a data subject’s request if such refusal is allowed under the laws of the country of destination and is necessary and proportionate in a democratic society to protect one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679.
(g) If the data importer intends to refuse a data subject’s request, it shall inform the data subject of the reasons for the refusal and the possibility of lodging a complaint with the competent supervisory authority and/or seeking judicial redress.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
[OPTION: The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body ( ) at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.]
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
(c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
(e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

Clause 13

Supervision

(a) [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards ( );
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of ______ (specify Member State).

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of _____ (specify Member State).
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX

EXPLANATORY NOTE:

It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.

ANNEX I

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name: ___________________________________________
Address: _________________________________________
Contact person’s name, position and contact details: _________________________
___________________________________________________________________

Activities relevant to the data transferred under these Clauses:
___________________________________________________________________
___________________________________________________________________

Signature and date: ___________________________________________________
Role (controller/processor): Controller

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Name: Zeta Global, LLC
Address: 3 Park Ave, 33rd Floor, New York, NY 10016
Contact person’s name, position and contact details: Benjamin Hayes, Chief Privacy Officer
bhayes@zetaglobal.com

Activities relevant to the data transferred under these Clauses:
The data are processed to facilitate online or mobile advertising, and relate to the observed or inferred interests or purchase behaviors of data subjects, as well as identifiers tied to browsers, devices, and similar data typically used to facilitate behavioral or “interest-based” advertising.

Signature and date: ___________________________________________________
Role (controller/processor): Controller

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred
Customers and Clients
Categories of personal data transferred
Personal details, including any information that identifies the data subject and their personal characteristics, including: name, address, contact details, age, date of birth, sex, and physical description. Bid request data; data indicating the data subject’s interests, purchase intents or behaviors, or demographic categories (collectively “Segments”); other data related to the likelihood or propensity of a data subject to respond to a particular advertisement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Sensitive data should not be provided by Customer to Zeta DSP unless Customer has duly obtained GDPR-compliant consent for the processing and transfer to Zeta DSP with respect to such data
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Nature of the processing

The data are processed for the purpose of facilitating online or mobile advertising and relate to the observed or inferred interests or purchase behaviors of data subjects, as well as identifiers tied to browsers, devices, and similar data typically used to facilitate behavioral or “interest-based” advertising.

Purpose(s) of the data transfer and further processing

  • to enable performance of ZETA DSP services using technology based in the United States or India
  • Advertising, marketing and public relations of the data exporter’s own business or activity, goods or services
  • Accounting and auditing services
  • Advertising, marketing and public relations for others, including public relations work, advertising and marketing, host mailings for other organisations, and list broking.
  • Administration of justice, including internal administration and management of courts of law, or tribunals and discharge of court business.
  • Data analytics, including profiling
  • IT, digital, technology or telecom services, including provision of technology products or services, telecoms and network services, digital services, hosting, cloud and support services or software licensing

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

EXPLANATORY NOTE:

The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

Standard Contractual Clauses

Controller to Processor

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ( ) for the transfer of data to a third country.
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)
have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);
(iii) Clause 9(a), (c), (d) and (e);
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Optional

Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions
(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union ( ) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a) OPTION 1: SPECIFIC PRIOR AUTHORISATION The data importer shall not sub-contract any of its processing activities performed on behalf of the data exporter under these Clauses to a sub-processor without the data exporter’s prior specific written authorisation. The data importer shall submit the request for specific authorisation at least [Specify time period] prior to the engagement of the sub-processor, together with the information necessary to enable the data exporter to decide on the authorisation. The list of sub-processors already authorised by the data exporter can be found in Annex III. The Parties shall keep Annex III up to date.
OPTION 2: GENERAL WRITTEN AUTHORISATION The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least [Specify time period] in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. ( ) The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
[OPTION: The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body ( ) at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.]
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

(a) [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards ( );
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

[OPTION 1: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]
[OPTION 2: These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of _____ (specify Member State).
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX

EXPLANATORY NOTE:

It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.

ANNEX I

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name: ___________________________________________
Address: _________________________________________
Contact person’s name, position and contact details: _________________________
___________________________________________________________________

Activities relevant to the data transferred under these Clauses:
___________________________________________________________________
___________________________________________________________________

Signature and date: ___________________________________________________
Role (controller/processor): Controller

2. …

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Name: Zeta Global, LLC
Address: 3 Park Ave, 33rd Floor, New York, NY 10016
Contact person’s name, position and contact details: Benjamin Hayes, Chief Privacy Officer
bhayes@zetaglobal.com

Activities relevant to the data transferred under these Clauses:
The data is processed to facilitate online or mobile advertising and relate to the observed or inferred interests or purchase behaviors of data subjects, as well as identifiers tied to browsers, devices, and similar data typically used to facilitate behavioral or “interest-based” advertising.

Signature and date: ___________________________________________________
Role (controller/processor): Processor


B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Customers and Clients
Categories of personal data transferred
Personal details, including any information that identifies the data subject and their personal characteristics, including: name, address, contact details, age, date of birth, sex, and physical description. Bid request data; data indicating the data subject’s interests, purchase intents or behaviors, or demographic categories (collectively “Segments”); other data related to the likelihood or propensity of a data subject to respond to a particular advertisement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Sensitive data should not be provided by Customer to Zeta DSP unless Customer has duly obtained GDPR-compliant consent for the processing and transfer to Zeta DSP with respect to such data

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Nature of the processing

The data are processed for the purpose of facilitating online or mobile advertising and relate to the observed or inferred interests or purchase behaviors of data subjects, as well as identifiers tied to browsers, devices, and similar data typically used to facilitate behavioral or “interest-based” advertising.

Purpose(s) of the data transfer and further processing

  • to enable performance of ZETA DSP services using technology based in the United States or India
  • Advertising, marketing and public relations of the data exporter’s own business or activity, goods or services
  • Accounting and auditing services
  • Advertising, marketing and public relations for others, including public relations work, advertising and marketing, host mailings for other organisations, and list broking.
  • Administration of justice, including internal administration and management of courts of law, or tribunals and discharge of court business.
  • Data analytics, including profiling
  • IT, digital, technology or telecom services, including provision of technology products or services, telecoms and network services, digital services, hosting, cloud and support services or software licensing

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

________________________________________

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

EXPLANATORY NOTE:
The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

________________________________________

ANNEX III

LIST OF SUB-PROCESSORS

EXPLANATORY NOTE:
This Annex must be completed in case of the specific authorisation of sub-processors (Clause 9(a), Option 1).

The controller has authorised the use of the following sub-processors:
1. Name: …
Address: …
Contact person’s name, position and contact details: …
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): …

2. …

  1. Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.
  2. This requires rendering the data anonymous in such a way that the individual is no longer identifiable by anyone, in line with recital 26 of Regulation (EU) 2016/679, and that this process is irreversible.
  3. The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.
  4. That period may be extended by a maximum of two more months, to the extent necessary taking into account the complexity and number of requests. The data importer shall duly and promptly inform the data subject of any such extension.
  5. The data importer may offer independent dispute resolution through an arbitration body only if it is established in a country that has ratified the New York Convention on Enforcement of Arbitration Awards.
  6. As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.
  7. Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.
  8. The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.
  9. This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.
  10. The data importer may offer independent dispute resolution through an arbitration body only if it is established in a country that has ratified the New York Convention on Enforcement of Arbitration Awards.
  11. As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.

Watch Zeta Live Sessions On-Demand. >>

h
In The Know

Get Fresh Marketing Insights Delivered Right To Your Inbox.

SUBSCRIBE TO OUR NEWSLETTER