MEDIAMATH USER POLICY
Your use of any services (“Services”) provided by MediaMath, Inc. (“MediaMath”, “we”, “us”) is subject to the following policies (“Policies”). We reserve the right to change or modify any portion of these Policies at any time without notice. Please periodically visit this page to review the current Policies so you are aware of any revisions to which you are bound.
- Your use of the Services must comply with all applicable laws, regulations, and self-regulatory group guidelines, including but not limited to, the Network Advertising Initiative (“NAI”) Code of Conduct, the Digital Advertising Alliance (“DAA”)’s Self-Regulatory Principles for Online Behavioral Advertising and Application of Self-Regulatory Principles to the Mobile Environment (“DAA Principles”), the DAA’s Application of the Self-Regulatory Principles of Transparency and Control to Data Used Across Devices, the DAA’s Application of the Self-Regulatory Principles of Transparency & Accountability to Political Advertising, the Digital Advertising Alliance of Canada (DAAC) Self-Regulatory Principle of Transparency for Political Advertising, the Interactive Advertising Bureau (“IAB”) Europe EU Framework for Online Behavioral Advertising, the Australian Digital Advertising Alliance’s (“ADAA”) Best Practice Guideline for Online Behavioural Advertising, and the Asia-Pacific Economic Cooperation (“APEC”) Privacy Framework, regardless of your membership status with any of these organizations.
- Your use of the Services must comply with all applicable requirements and guidelines provided by the exchanges or media supply sources from which you purchase media inventory through the Services. For examples of such polices, please visit the Knowledge Base.
MediaMath Creative Policy
The following categories of Creative are prohibited when using the Services. “Creative” refers to ad units, landing pages, or any other content related to or used in connection with the serving of ads using the Services.
|Category||Description and Examples|
|Ad Fraud||Creative associated with any activity designed to sell advertising under fraudulent pretenses, including but not limited to non-human traffic, tag hijacking, hidden ads, domain spoofing, cookie stuffing, generating fake impressions or clicks, misrepresenting advertiser characteristics (such as the landing page URL, advertiser vertical, etc.), reselling of ads under false pretenses, (e.g., misrepresenting the publisher or the type of ad unit), etc.|
|Auto-audio||Creative that automatically initiates audio without the user’s explicit engagement or action|
|Auto-downloads||Creative that contains, or provides access to any files that execute or download software without intentional user interaction. Clicking on an ad must also not initiate a download of any type of file.|
|Auto-redirects||Creative that automatically redirects a user to other sites or applications, without the user’s explicit engagement or action.|
|Deceptive or Misleading||Creative that attempts to trick or deceive a user into taking some action (e.g., “click bait” Creative, Creative that resemble user interface elements, Creative that displays fake errors or warnings, such as warnings about viruses, missing codecs, or corrupt disks, etc.) or markets false or unrealistic promises such as extreme weight loss, anti-aging, etc.|
|Defamation||Creative that depicts, contains, or provides access to material that is damaging to the reputation of another.|
|Delayed Load||Creative consistently taking more than two seconds to initiate the user ad experience.|
|False Claims||Creative that makes a demonstrably false claim is strictly prohibited.|
|Government Forms or Services||Creative that depicts, contains, or provides access to offers that charge for government forms or services that are available for a lesser charge or free from the government.|
|Hate Speech||Creative that depicts, contains, or provides access to content that incites violence or prejudicial action towards a protected individual or group; or content that disparages or intimidates a protected individual or group.|
|Illegal||Creative that is, or that MediaMath reasonably believes is, likely to be in violation of any applicable law, regulation or court order.|
|Illegal Drugs||Creative featuring or promoting the sale of illegal drugs, pharmaceuticals, or drug paraphernalia. As marijuana remains illegal under United States federal law, this Creative Policy prohibits creative featuring or promoting the sale of marijuana even in those states where marijuana use is permitted under state law.|
|Implied Knowledge||Creative that implies knowledge of personally identifiable information or any of the following sensitive characteristics about the user to whom the Ad was targeted:
For example, an Ad may not state “Explore your Jewish heritage” because this implies knowledge of the user’s religion. An Ad stating “Learn about Judaism” would be allowed. Similarly, an Ad for coffee may be delivered when a consumer is near a coffee shop, but the Ad may not state “Coffee is just a few steps away” because this implies knowledge of the user’s precise location at that moment.
|Interferes with User Navigation||Creative that disrupts the user’s ability to navigate their experience, e.g., by preventing a user from leaving a page by opening modal dialogs or pop-up windows.|
|Interferes with Another Party’s Content||Creative that obscures, replaces, or modifies another party’s ads or content.|
|Invalid or Improper Classification||Creative that is improperly classified with respect to its characteristics, including:
|Lost Video Impression Opportunities||Video creatives where an auction is won but the impression does not serve / creative does not load (e.g., because the VAST is blank or the ad server opts out after winning the impression).|
|Malware||Creative that contains, installs, links to, or prompts the download of any malware, Trojan horse, virus, or any other malicious code.|
|Morally Reprehensible||Creative that MediaMath reasonably deems to be morally reprehensible or patently offensive, and without redeeming social value.|
|Phishing||Creative designed to obtain information from a user under false pretenses (e.g., attempting to extract financial information by posing as a legitimate company, etc.).|
|Piracy||Creative that MediaMath reasonably believes (a) contains content that does, or is likely to, infringe or misappropriate a copyright, trademark, trade secret, or patent of a third party or (b) promotes or induces infringement or misappropriation of a copyright, trademark, trade secret, or patent of a third party.|
|Pornography||Creative that depicts, contains or provides access to pornography, nudity, obscenity, and other adult or risqué material.|
|Reselling||Creative involved in any transaction in which the buyer of an impression triggers a subsequent external auction or creative where the original restrictions and constraints of the seller/publisher are not respected (e.g., buying a display creative and reselling as video creative).|
|Violence||Creative that depicts, contains, or provides access to violent content or content that glorifies human suffering, death, self-harm, violence against animals, or contains graphic or violent images.|
|Weapons||Creative that features the sale of, or instructions to create, bombs, guns, firearms, ammunition or other weapons.|
The following categories of Creative are restricted when using the Services:
|Downloads||Where Creative links directly or indirectly to a site that contain software, the software must:
|Political||For the purpose of this Policy, Political Ads shall include any paid-for communications that promote or oppose a political party, a candidate at any level of government for public office, or a ballot initiative, or that attempt to influence political opinion or actions including advertising that takes a position on an issue associated with a registered party or candidate, even if the name of that party, candidate, or initiative is not explicitly mentioned.
The following requirements apply to Clients using the Services to run Political Ads:
MediaMath Pixeling Policy
The following policies apply to your placement of MediaMath pixels on digital properties, including on Web sites, in emails, and in mobile applications (“Digital Properties”).
|General Requirements||1. You may place MediaMath pixels only on those Digital Properties for which you have the necessary rights and authorizations to do so.
2. Where data is collected by a third party from your Digital Properties for Interest-Based Advertising (“IBA”), Cross-App Advertising (“CAA”), or Retargeting (“Retargeting”), you must provide notice of this data collection and the choices available to users. IBA refers to the collection of data across web domains owned and operated by different entities for the purpose of delivering Ads based on preferences or interests known or inferred from the data collected. CAA refers to the collection of data through applications owned or operated by different entities on a particular device for the purpose of delivering Ads based on preferences or interests known or inferred from the data collected. Retargeting is the practice of collecting data about a user’s activity on one Digital Property for the purpose of delivering an ad based on that data on a different, unaffiliated Digital Property.
3. Consistent with the DAA Principles, you may not place MediaMath pixels in toolbars or other locations such that data may be collected from all or substantially all URLs traversed by a web browser across Web sites or all or substantially all applications on a device for IBA, CAA, or Retargeting without MediaMath’s prior review and approval of your consent mechanism. Clients interested in having MediaMath review such a mechanism should reach out to their MediaMath account manager.
|Children||MediaMath pixels may not be placed on Digital Properties directed at Children (“Child-Directed Digital Properties”).|
|Sensitive Health Conditions||MediaMath pixels may not be placed on Digital Properties related to sensitive health conditions for IBA, CAA, or Retargeting purposes without the user’s specific opt-in consent. MediaMath must review and approve your consent mechanism before you may place MediaMath pixels for such purposes.
Clients may place MediaMath pixels on Digital Properties related to sensitive health conditions for other purposes, such as Ad Delivery and Reporting (“ADR”) without the user’s opt-in consent. ADR is separate and distinct from IBA, CAA, and Retargeting and refers to the collection of data from a computer or device to (i) facilitate the delivery of an ad, or (ii) provide advertising-related services that are not tied the end user’s known or inferred interests (e.g., frequency capping).
For more information on what constitutes a sensitive health condition, please see MediaMath’s Targeting Policy below.
MediaMath Targeting Policy
The following policies apply to your targeting of ad units (“Ads”) to users through the Services. The policies listed below apply whether you are targeting users based on data collected from Digital Properties (IBA, CAA, or Retargeting) or through data collected about the user offline (“User-Matched Ads”).
|General Requirements||1. You must provide notice of IBA, CAA, and Retargeting data collection and use practices, and the choices available to users, in or around Ads that are informed by IBA (“IBA Ads”), CAA (“CAA Ads”), or Retargeting (“Retargeting Ads”). You can meet your notice and choice obligations by placing the AdChoices Icon on each such Ad you serve using the Services. MediaMath will add the AdChoices icon on behalf of any client who does not opt out of this service and provide written confirmation of their compliance via an alternate mechanism. A small fee will apply.|
|Alcohol||Ads that promote alcohol or alcoholic beverages are restricted by region and may only be targeted to users that (i) reside in a jurisdiction where alcohol advertising is permitted, and (ii) are of the legal age to purchase alcohol within that jurisdiction. Alcohol-related Ads must not be designed, or appear to be designed, to appeal to underage purchasers.|
|Buying Power||You may not target Ads on the basis of negative aspects of that user’s financial status. Examples of prohibited practices include targeting:
You are also not permitted to use data collected from IBA, CAA, or Retargeting to determine a user’s credit eligibility.
|Children||In connection with your use of the Service, you may not:
|Criminal Actions||You may not target Ads on the basis of knowledge or inference of the user’s commission or alleged commission of any crime, such as information indicating that a user has a criminal record.|
|Gambling||For purposes of this Targeting Policy, a gambling-related Ad (“Gambling Ad”) means the following:
Gambling Ads may be targeted to users in jurisdictions where such Ads are not prohibited so long as you comply with the following requirements:
|Health||Health-related advertising (advertising health-related products and services or targeting advertisements based on health-related data) is highly regulated by government and industry. Given the large number of jurisdictions in which MediaMath operates and the myriad of health products and services that exist, it is beyond the scope of this Targeting Policy to define on a jurisdiction-by-jurisdiction basis what constitutes acceptable health advertising. Rather, the guidelines below should be considered a US baseline for use of the Services, with other jurisdictions generally being more restrictive. In particular, please note that under the IAB Europe EU Framework for Online Behavioral Advertising, a company “seeking to create or use such OBA segments relying on use of sensitive personal data as defined under Article 8.1 of Directive 95/46/EC will obtain a web user’s Explicit Consent, in accordance with applicable law, prior to engaging in OBA using that information.” As always, clients assume all responsibility for ensuring their advertising is legal in all jurisdictions and acceptable on all exchanges where they intend to advertise.
You may not target IBA, CAA, Retargeting, or User-Matched Ads to users on the basis of sensitive health information (“Sensitive Health Data”) without their specific opt-in consent. MediaMath must review and approve your consent mechanism before you may target such Ads to those users on the basis of Sensitive Health Data. Per the NAI Code, Sensitive Health Data includes: (i) information about any past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history, based on, obtained, or derived from pharmaceutical prescriptions or medical records, or similar health or medical sources that provide actual knowledge of a condition or treatment (the source is sensitive) and (ii) information, including inferences, about sensitive health or medical conditions or treatments (the condition or treatment is sensitive regardless of the source). The relevant factors in determining whether a health condition is sensitive include:
Examples of sensitive health conditions include:
You may target IBA, CAA, Retargeting, or User-Matched Ads to users on the basis of their known or inferred interest in a non-sensitive health condition. Per the NAI Code, examples of non-sensitive health conditions include:
You may target IBA, CAA, Retargeting, or User-Matched Ads concerning all health conditions to users on the basis of demographic data (e.g., age, gender).
You may also serve Contextual Ads concerning all health conditions. Contextual Ads are Ads that are targeted on the basis of the content of the digital property the user is currently visiting.
If you are unsure of whether a particular health condition or treatment is sensitive, contact your MediaMath account representative before targeting users on the basis of their interest in that condition or treatment.
MediaMath clients may not serve ads in any jurisdictions where sanctions imposed by the US Office of Foreign Assets Control (OFAC) would prohibit such advertising. At the time of the publication of this Targeting Policy, that list, which OFAC may update from time to time, includes:
Consistent with the NAI Code, you are permitted to target Ads based on the precise location of the device at the time the Ad is served (“geofence”) so long as you do not store the precise location once the ad is served or delivered. Such geofencing may not target:
The above limitations do not apply to more general targeting that includes sensitive locations by nature of its breadth. For example, clients may target New York City, even though there are sensitive health facilities in New York City.
MediaMath reserves the right to require a client to broaden or discontinue its targeting if MediaMath in its sole discretion determines that the targeting may create a negative user experience or is otherwise inappropriate.
Targeting Ads Based on Historic Precise Location Data
For jurisdictions outside the US, you must contact your MediaMath representative before serving IBA, CAA, Retargeting, or User-Matched Ads on the basis of Precise Location Data.
|Political Affiliation or Beliefs||Political Ads in the United States may not be targeted at audiences smaller than the following number of devices according to the scope of the applicable candidate or initiative:
Political Ads in other countries must not be targeted at audiences smaller than comparably sized audiences relative to the population.
For the purposes of this Targeting Policy, Ads related to a user’s political affiliation or beliefs (“User-Targeted Political Ads”) shall include IBA, CAA, Retargeting, or User-Matched Ads that promote: (i) political figures, opinions, or issues, such as Digital Properties for political candidates, (ii) political groups, (iii) political cause awareness, (iv) advocacy groups, or (v) union memberships.
You may not target User-Targeted Political Ads to users that reside in the European Union. You must contact your MediaMath representative before serving User-Targeted Political Ads to users that reside in other non-US jurisdictions.
User-Targeted Political Ads are generally permissible in the US. MediaMath reserves the right to limit or prohibit User-Targeted Political Ads involving particularly sensitive issues (e.g., abortion, sexual orientation, etc.). MediaMath reserves the right to review, request modifications to, or reject any User-Targeted Political Ad at its sole discretion. However, such discretion will not be exercised with the intent to favor or disfavor any particular candidate or political party.
|Race & Ethnicity||In the US, you may serve IBA, CAA, Retargeting, or User-Matched Ads to users on the basis of their known or inferred race or ethnic origin.
In the European Union, you may not serve such Ads to users.
|Religion||In the US, you may serve IBA, CAA, Retargeting, or User-Matched Ads to users on the basis of their known or inferred religion or religious beliefs.
In the European Union, you may not serve such Ads to users.
|Sexual Orientation||You are not permitted to target IBA, CAA, Retargeting, or User-Matched Ads to users based on their known or inferred sexual orientation, including indirect inference (e.g., donation to LGBT advocacy groups), without their specific opt-in consent. MediaMath must review and approve your consent mechanism before you may target such Ads. Clients interested in having MediaMath review such a mechanism should reach out to their MediaMath account manager.|
Thank you for your interest in the MediaMath Beta Program. Participation in a Beta Program is voluntary and allows you to test and provide feedback on developing/pre-release features, products, and services which shall be designated as “beta” (the “Beta Services”). Participation in the Beta Program includes early access to beta product functionality, the opportunity to gain knowledge of performance impact and develop best practices ahead of others and the ability to influence the early development and direction of a product. By accessing or using Beta Services, you agree to be bound all of the terms and conditions described in this Beta Policy and to actively engage in the testing and feedback process.
NO OBLIGATIONS: You acknowledge and agree that a Beta Service may contain features that will be altered in the final release of the same or similar Service and that availability of any Beta Services during the course of a Beta Program shall not create any obligation for MediaMath to continue to develop, productize, support, repair, offer for sale or in any other way continue to provide or develop any Beta Service. While we may intend to release a final version of a certain Beta Service, we reserve the right to never make any particular Beta Service generally available. You further acknowledge the duration of the beta phase and any features and functions of a Beta Service are subject to change at any time at MediaMath’s discretion.
FEEDBACK: An essential function of the Beta Program is to gather feedback from participants. We value all input from all participants in the Beta Program. You agree that you will use reasonable commercial efforts to use the Beta Services, notify MediaMath of all errors and problems you identify through your use of any Beta Services and that you will attempt to ascertain steps leading to reproduction of any such errors. You also agree that you will communicate to MediaMath any suggestions or requests for enhancements relating to the operation or further development of a Beta Service and that by doing so you assign all right, title and interest in and to any resulting intellectual property based upon such suggestions or requests, including without limitation all patent, copyright, trade secret, trademark or other intellectual property rights. You acknowledge that MediaMath is not obligated to accept and implement any feedback provided by you and that the use of such feedback is solely in MediaMath’s discretion.
OWNERSHIP: Subject to the limited rights expressly granted hereunder, MediaMath reserves all rights, title and interest in and to the Beta Services and any anonymized aggregated data resulting from your use of the Beta Services, including all related intellectual property rights therein and thereto. No rights are granted to you other than the right to access and use the Beta Services for the purposes of testing and evaluation. You may not create any derivative works from the Beta Services or modify, reuse, disassemble, decompile, reverse engineer or otherwise translate any Beta Services or any portion thereof. You also may not access the Beta Services in order to build a competitive product or service.
MARKETING: You agree that MediaMath may use your name and associated marks in its marketing materials solely with respect to marketing Beta Services used by you, which shall include white papers, case studies and press releases.
PAYMENTS & PRICING: Certain Beta Services may incur a fee, which will be invoiced to you in accordance with your Master Services Agreement with MediaMath. You agree and acknowledge that you shall be liable for all fees incurred in connection with your use of a Beta Service even in the event of an error in the Beta Services affecting the performance of the Beta Service (other than a billing error), or Other than a billing error or tracking error resulting in an erroneous fee, you shall remain liable for all fees incurred with your usage of the Beta Service, including in the event of an error in the Beta Services that affects the performance or outcome of the Beta Service. Unless otherwise agreed to by you and MediaMath, fees for any Beta Service are subject to change during the beta period and after such beta period.
CONFIDENTIALITY: You agree to treat all Beta Services, as well as the nature and content of the Beta Program, as confidential information and will not without our express written authorization: (i) demonstrate, copy, market, sell or otherwise commercially exploit any features or functions of any Beta Services to any third party; (ii) publish or otherwise disclose information relating to performance or quality of any Beta Services to any third party; or (iii) remove or alter any trademark, logo, copyright or other proprietary notices, legends, symbols or labels in the Beta Services.
NO WARRANTY: THE BETA SERVICES BEING ACCESSED BY YOU CONSIST OF PRE-RELEASE CODE, MAY CONTAIN ERRORS, BUGS OR DEFECTS AFFECTING PROPER OPERATION OR FULL FUNCTIONALITY, MAY EXPERIENCE PERFORMANCE ISSUES, CRASHES, OR DATA LOSS, AND IS NOT AT THE LEVEL OF PERFORMANCE OF A GENERALLY AVAILABLE SERVICE. BY USING THE BETA SERVICES, YOU ACKNOWLEDGE YOUR UNDERSTANDING THAT A PRIMARY PURPOSE OF THIS BETA PROGRAM IS TO OBTAIN FEEDBACK ON PERFORMANCE AND IDENTIFY DEFECTS. YOU ARE ADVISED TO SAFEGUARD IMPORTANT DATA, AND NOT TO RELY IN ANY WAY ON THE CORRECT FUNCTIONING OR PERFORMANCE OF BETA SERVICES. BETA SERVICES ARE provided “AS IS” without warranty of any kind AND ANY WARRANTIES TO THE EXTENT AUTHORIZED BY LAW, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE. In no event shall MEDIAMATH be liable for any damage whatsoever arising out of the use of or inability to use THE BETA SERVICES, even if YOU HAVE been advised of the possibility of such damages.
GENERAL DATA PROTECTION REGULATION POLICY
This policy takes effect on the Effective Date below and shall be incorporated by reference into and form an integral part of your agreement with MediaMath, Inc. or any of its Affiliates (“MediaMath”) (the “Agreement”) unless a separate data processing agreement has been agreed between the parties. In the event of any conflict, ambiguity or inconsistency between the terms of this Policy including its Schedule A and the Agreement, Schedule A then this Policy then the Agreement shall take precedence with respect to the subject matter herein.
- Definitions: The following terms shall have the following meanings in this Policy:
“Ad(s)” means the advertising content, including text, graphics, rich media, video and/or audio material (and combination thereof), that is displayed on digital media inventory.
“Ad Tag” means software code (e.g., HTML5) or a web beacon (e.g., pixel tag, clear GIF) that (i) collects data regarding a user’s actions in or on a Site or a user’s interaction with an Ad or (ii) requests the delivery of an Ad to a Site.
“Advertiser Data” means Client Data.
“Affiliate” means, with respect to a party, an entity that directly or indirectly controls, is controlled by or is under common control with such party. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the economic or voting interest of an entity.
“Applicable Laws” means all laws and regulations which apply to each party in connection with the Agreement, the performance and receipt of the Services, the use of the Service Platform and the processing of Client Data, MediaMath Data and any related personal data, to include without limitation European Law, Section 5 of the FTC Act, and any applicable industry self-regulatory regulations, to include without limitation the NAI Code and the DAA Code.
“Client Data” means all electronic data which is provided to MediaMath by Client as part of the Services or which is provided or made available to Client by MediaMath or its Affiliates through Client’s use of the Services, including personal data contained therein (including any data which is specific to Client), but excluding the MediaMath Data.
“Controller Purposes” means Client Controller Purposes or MediaMath Controller Purposes as defined in Schedule A.
“DAA Code” means the set of Digital Advertising Alliance Self-Regulatory Principles for Multi-Site Data posted at http://www.aboutads.info/msdprinciples (or any successor site) such as the Application of the Self-Regulatory Principles of Transparency and Control to Data Used Across Devices, and its applicable regional counterpart, if any.
“Deletion Request” means a request received by MediaMath from an individual requesting deletion of their personal data held by MediaMath.
“EEA” means the European Economic Area (which shall be deemed to include the United Kingdom throughout the term of the Agreement).
“Effective Date” means the 25 May 2018.
“European Law” means Regulation 2016/679 (GDPR); (iii) Directive 2002/58/EC (as amended or replaced from time to time) and applicable laws implementing that directive in Member States; and, (iv) any data protection and privacy laws in the United Kingdom from time to time. References in this Policy to “controller“, “data subject“, “personal data“, “process“/”processed“/processing“, “processor” and “special categories of personal data” shall have the meanings given in European Law.
“Licensee Data” means Client Data.
“MediaMath Data” means all data generated from Client’s use of the Services (and other clients and partners of MediaMath and its Affiliates) (including any MMUIDs) that does not specifically identify or relate to Client; any data made available by MediaMath for targeting users; the data relating to any error by, issue with, or enhancement to the operation of the Services and the data that MediaMath would have regardless of Client’s use of the Services.
“MediaMath Controller Purposes” means as defined in Schedule A.
“MMUID” means any unique identifier which is created, assigned or retained by MediaMath in respect of each user who interacts with a Site.
“NAI Code” means the Code of Conduct promulgated by the Network Advertising Initiative (“NAI”), located at the following website, or any successor website: https://www.networkadvertising.org/sites/default/files/nai_code2018.pdf, including any official guidance provided by the NAI such as the NAI 2015 Guidance on Determining Whether Location is Imprecise.
“PII” means information that identifies or could be used to identify a particular individual as compared to a particular device such as name, address, telephone number, email address, financial account number, government-issued identifier or date of birth.
“Processing Activities” means as defined in Schedule A.
“SAR” means a request received by MediaMath which does not specifically refer to Client from an individual for a copy of their personal data held by MediaMath.
“Security Incident” means in relation to Client Data or MediaMath Data a breach of security resulting in (i) accidental or unlawful destruction or loss, or (ii) unauthorized disclosure or access.
“Sensitive Information” means: (i) any information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (ii) genetic data; (iii) biometric data for the purposes of uniquely identifying a natural person; (iv) data concerning sensitive health conditions; (v) data concerning a natural person’s sex life or sexual orientation; (vi) any personal data about a minor under the age of 13; (vii) any financial account numbers or insurance plan numbers that can be used to identify an individual; (viii) any government-issued identifiers; or (ix) characteristics deemed sensitive under the NAI Code. In Schedule A the definition of Sensitive Information shall be as above, except that it will also include any personal data about minors between the ages of 13 and 16.
“Service Platform” means MediaMath’s proprietary software known as TerminalOne® or any other software platform MediaMath may make available to Client.
“Services” means all services available on the Service Platform or otherwise agreed to by MediaMath pursuant to an applicable Order Form or SOW.
“Site” means a digital property that is accessible by users (including websites, mobile sites and software applications).
2. Client Security. Client shall be responsible for maintaining the confidentiality of any login credentials, of appropriately limiting dissemination of the login credentials to its employees, contractors or agents, and for using commercially reasonable efforts and appropriate technological and organizational measures to prevent unauthorized access to the Service Platform. Client shall maintain current records of all individuals to whom it allows access to the Service Platform and shall provide identifying information regarding such individuals to MediaMath upon request.
4. This Policy shall be governed, construed and enforced in accordance with the laws of the Agreement.
European Law Requirements
- Definitions. As used in this Schedule A, the following terms shall have the following meanings:
“Client Controller Purposes” means for the purposes of receiving the Services; and as is more particularly described at backup2020mm.test/legal/processingpurposes.
“MediaMath Controller Purposes” means improving and enhancing the Services, including identifying, blocking and removing data considered to be unlawful or fraudulent; the bidding process; and as is more particularly described at backup2020mm.test/legal/processingpurposes.
“Privacy Shield” means the EU-US Privacy Shield and the Swiss-US Privacy Shield as applicable.
“Processing Activities” means processing Ad Tags placed by or on behalf of Client and as more particularly described at backup2020mm.test/legal/processingpurposes.
- Scope. The rights and obligations in this Schedule A apply to the collection, processing and sharing of personal data originating in the EEA by and between MediaMath, Client and certain third parties (e.g. subprocessors including Affiliates of MediaMath). For the purposes of this Schedule A references to Client Data shall mean any personal data incorporated in Client Data and references to MediaMath Data shall mean any personal data incorporated in MediaMath Data.
- Agreements with MediaMath Germany GmbH. Where the Agreement was entered into with MediaMath Germany GmbH then for the purposes of this Schedule A, MediaMath shall refer to both MediaMath Germany GmbH and MediaMath, Inc. Where MediaMath processes Client Data as a controller, Client acknowledges that MediaMath Germany GmbH and MediaMath, Inc. will process such Client Data as joint controllers within the meaning of the GDPR. Where MediaMath processes Client Data as a Client’s processor, Client acknowledges that MediaMath Germany GmbH and MediaMath, Inc. will process such Client Data each as processors on behalf of Client.
- General Obligations.
- Both parties will comply with all applicable requirements of European Law.
- Client will ensure that it has all necessary and appropriate consents and notices in place to enable the lawful transfer of Client Data to MediaMath for the duration and purposes of the Agreement.
- Appointment of MediaMath as Client’s Processor.
- The parties acknowledge that for the purposes of European Law, Client is the data controller of Client Data and appoints MediaMath as its data processor for the Processing Activities.
- MediaMath shall, in relation to any Client Data processed for the Processing Activities in connection with the performance by MediaMath of its obligations under this Agreement:
- process that Client Data only in accordance with the Processing Activities (or as otherwise agreed in writing);
- ensure that all personnel who have access to and/or process Client Data are obliged to keep Client Data confidential;
- process Client Data transferred out of the EEA in accordance with the Privacy Shield principles;
- assist Client, at Client’s cost, in responding to any request from a data subject received directly by the Client or received by MediaMath which explicitly refers to the Client and in ensuring compliance with its obligations under European Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- notify Client without undue delay upon becoming aware of any confirmed Security Incident relating to Client Data;
- upon written request of Client, delete or return Client Data and copies thereof to Client on termination of the Agreement unless required by a judicial or other governmental order or by applicable law to retain some or all Client Data. This requirement shall not apply to Client Data MediaMath has archived on back-up systems; and
- maintain accurate records and information to demonstrate its compliance with this clause 4(b) of this Schedule A.
- Client consents to MediaMath appointing subprocessors to process Client Data, such subprocessors will be listed at backup2020mm.test/legal/subprocessors which MediaMath shall update with any details of any changes at least 10 days prior to the change. MediaMath confirms that it has entered or (as the case may be) will enter with the subprocessor into a written agreement requiring it to protect Client Data to the standard required by European Law. As between Client and MediaMath, MediaMath shall remain fully liable for all acts or omissions of any subprocessor appointed by it pursuant to this clause 4(c) of this Schedule A. Client may object to the replacement of a subprocessor provided such objection is on reasonable grounds. If Client objects to such appointment and is unable to select an alternative subprocessor then Client may terminate the applicable Services provided in the EEA without prejudice to Client’s obligations to pay any fees under the Agreement due up to the date of termination of such Services (or subsequent pro-rated fees).
- MediaMath uses external auditors to verify the adequacy of its security measures, including the security of the physical data centres from which the Services are provided. The audit: (a) will be performed at least annually; (b) will be performed according to SSAE 16 audit standard or such other alternative standard that is substantially equivalent to SSAE 16; (c) will be performed by independent third party security professionals at MediaMath’s selection and expense; and (d) will result in the generation of an audit report which will be MediaMath’s Confidential Information. MediaMath shall provide Client with a copy of the report upon written request.
- Notwithstanding the commitment provided by MediaMath in clause 5(b)(iii) above, MediaMath and Client agree that for the purposes of any transfer of Client Data out of the EEA and/or (after EU law ceases to apply to the UK) the UK, to MediaMath to process for the Processing Activities:
- the European Commission’s 2010 Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection (“C2P Model Clauses”) shall be incorporated into this Schedule A between them;
- any optional clauses in the C2P Model Clauses are hereby deleted;
- after EU law ceases to apply to the UK, MediaMath shall be entitled to use any mechanism permissible from time to time under UK law to facilitate data protection in respect of transfers of personal data from the UK to a country outside the EEA; and
- the C2P Model Clauses shall be interpreted in accordance with the details provided in the Annex to this Schedule A.
- Sharing of Personal Data between Client and MediaMath as Controller.
a. Client shall disclose Client Data to MediaMath on an independent controller to controller basis for the MediaMath Controller Purposes.
b. MediaMath shall, in relation to any Client Data processed for MediaMath Controller Purposes:
- process Client Data only for the MediaMath Controller Purposes (or as otherwise agreed in writing) and in respect of any Client Data transferred out of the EEA in accordance with the Privacy Shield principles;
- notify Client if its Privacy Shield registration expires or terminates for any reason;
- promptly inform Client of any request from a data subject, supervisory authority or regulator related to the processing of Client Data conducted by MediaMath and cooperate as necessary to respond to such correspondence and fulfil each parties’ respective obligations under European Law;
- notify Client without undue delay on becoming aware of any confirmed Security Incident relating to Client Data; and
- maintain accurate records and information to demonstrate its compliance with this clause 5(b) of this Schedule A.
c. Notwithstanding the commitment provided by MediaMath in clause 6(b)(i) above, MediaMath and Client agree that for the purposes of the transfer of Client Data outside of the EEA and/or (after EU law ceases to apply to the UK) the UK, to MediaMath to process for the MediaMath Controller Purposes:
i. the European Commission’s 2010 Standard Contractual Clauses for controller to controller transfers, (“C2C Model Clauses”) shall be incorporated into this Schedule A between them;
ii. any optional clauses in the C2C Model Clauses are hereby deleted;
iii. after EU law ceases to apply to the UK, MediaMath shall be entitled to use any mechanism permissible from time to time under UK law to facilitate data protection in respect of transfers of personal data from the UK to a country outside the EEA; and
a. the C2C Model Clauses shall be interpreted in accordance with the details provided in the Annex to this Schedule A.
- Sharing of Personal Data between MediaMath and Client as Controller.
- MediaMath will through performance of the Services make available MediaMath Data to Client on an independent controller to controller basis for Client Controller Purposes.
- Client shall, in relation to any MediaMath Data processed for Client Controller Purposes:
- process MediaMath Data only for Client Controller Purposes (or as otherwise agreed in writing) and in accordance with the level of protection required by the Privacy Shield principles (and if Client fails to do so, it will promptly notify MediaMath in writing and remedy the breach or MediaMath will have the right to suspend the Services and/or terminate the Agreement);
- maintain appropriate technical and organizational measures and commercially reasonable and appropriate administrative and physical, measures for the security and confidentiality of MediaMath Data from a Security Incident;
- ensure that all personnel who have access to and/or process MediaMath Data are obliged to keep such MediaMath Data confidential;
- not process any MediaMath Data in a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with European Law;
- promptly inform MediaMath of any request from a data subject, supervisory authority or regulator related to the processing conducted by Client and cooperate as necessary to respond to such correspondence and fulfil each parties’ respective obligations under European Law;
- notify MediaMath without undue delay on becoming aware of any confirmed Security Incident involving MediaMath Data; and
- maintain accurate records and information to demonstrate its compliance with this clause 6(b) of this Schedule A.
c. MediaMath and Client agree that for the purposes of any processing of MediaMath Data outside of the EEA and/or (after EU law ceases to apply to the UK) the UK, by Client for Client Controller Purposes:
- the C2C Model Clauses shall be incorporated into this Schedule A between them;
- any optional clauses in the C2C Model Clauses are hereby deleted;
- the C2C Model Clauses shall be interpreted in accordance with the details provided in the Annex to this Schedule A.
- Privacy Shield.
MediaMath shall be entitled to provide a copy of this Schedule A and any other provisions of the Agreement or this Policy to the US Department of Commerce, the Federal Trade Commission, any supervisory authority or regulator on their request (notwithstanding any other provision of the Agreement).
- This Annex sets out the parties agreed interpretation of their respective obligations under the applicable C2C and C2P Model Clauses incorporated between them by Schedule A (together the “Model Clauses”).
- In the event that a competent supervisory authority or court of competent jurisdiction determines that any provision of this Annex conflicts with the requirements of the applicable Model Clauses, then the terms of the applicable Model Clauses shall prevail.
- As between MediaMath and Client, any claims brought under the applicable Model Clauses or pursuant to the General Data Protection Regulation Policy shall be subject to the terms of the Agreement, including but not limited to, the exclusions and limitations set forth in the Agreement. In no event shall either MediaMath or Client limit or exclude its liability with respect to any data subject rights under the applicable Model Clauses.
- The parties agree that for the purposes of transfers of Client Data to MediaMath under the C2P Model Clauses in accordance with Clause 5(e) of Schedule A:
the following details shall be deemed to apply to Appendix 1 of the C2P Model Clauses:
- Data Exporter and Data Importer: Client is the “data exporter” for the purposes of the Model Clauses and the “data importer” is MediaMath, Inc, 4 World Trade Center, New York, New York 10007, USA. The parties’ respective contact(s) are: (a) MediaMath: DPO. Tel.: +1 646-840-4200; Email: firstname.lastname@example.org; and (b) Client: As set out in the Agreement.
- Data subjects: The personal data transferred concerns the following categories of data subjects: Individuals who visit the data exporter’s digital properties (websites or mobile advertising platforms) or are served with digital advertising on behalf of the data exporter through the use of the data importer’s advertising technology platform.
- Categories of data transferred: As described in Column 3 of the data importer’s “processing purposes table” (no special category data is transferred).
- Processing operations: The processing activities undertaken by the data importer on behalf of the data exporter are set out in column 4 of the “processing purposes table”;
- for the purposes of Appendix 2 to the C2P Model Clauses, a description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are set out at https://backup2020mm.test/legal/terms/information-security/ (which are deemed incorporated into the Schedule as if included within the C2P Model Clauses).
- the following details shall be deemed to apply to Appendix 1 of the C2P Model Clauses:
2. The parties agree that for the purposes of transfers of Client Data to MediaMath under the C2C Model Clauses in accordance with Clause 6 (c) of Schedule A the following details shall be deemed to apply for Annex B of the C2C Model Clauses:
i) Data Exporter and Data Importer: Client is the “data exporter” and the “data importer” is MediaMath, Inc, 4 World Trade Center, New York, New York 10007, USA. The parties’ respective contact(s) are: (a) MediaMath: DPO. Tel.: +1 646-840-4200; Email: email@example.com; and (b) Client: As set out in the Agreement.
ii) Data subjects: The personal data transferred concerns the following categories of data subjects: Individuals who visit the data exporter’s digital properties (websites or mobile advertising platforms) or are served with digital advertising on behalf of the data exporter through the use of the data importer’s advertising technology platform.
iii) Categories of data transferred: As described in Column 3 of the data importer’s “processing purposes table” (no special category data is transferred).
iv) Purposes of the transfer(s): To enable the data importer to process the relevant personal data as an independent controller for certain MediaMath Controller Purposes (as defined in Schedule A) in connection with providing its digital advertising services, as more particularly described in column 5 of the data importer’s “processing purposes table”.
v) Recipients: The personal data transferred may be disclosed only to the following recipients or categories of recipients: The data importer, its affiliates, its processors who are engaged by the data importer to support its digital advertising services in accordance with Article 28of the EU General Data Protection Regulation and its partners where necessary in connection with its digital advertising services.
3. The parties agree that for the purposes of transfers of MediaMath Data under the C2C Model Clauses in accordance with Clause 7(c) of Schedule A, the following details shall be deemed to apply for Annex B of the C2C Model Clauses:
i) Data Exporter and Data Importer: MediaMath is the “data exporter” for the purposes of the Model Clauses and the “data importer” is Client. The parties’ respective contact(s) are: (a) MediaMath: DPO. Tel.: +1 646-840-4200; Email: firstname.lastname@example.org; and (b) Client: As set out in the Agreement.
ii) Data subjects: The personal data transferred concerns the following categories of data subjects: Individuals who visit the digital properties (websites or mobile advertising platforms) of data exporter’s clients or served ads through the data exporter’s advertising technology platform.
iii) Categories of data transferred: As described in Column 6 of the data exporter’s “processing purposes table” (no special category data is transferred).
iv) Purposes of the transfer(s): To enable the data importer to process the relevant personal data as an independent controller for certain Client Controller Purposes (as defined in the Schedule) in connection with providing its digital advertising services, as more particularly described in column 7 of the data exporter’s “processing purposes table”.
v) Recipients: The personal data transferred may be disclosed only to the following recipients or categories of recipients: The data importer, its affiliates, its processors who are engaged by the data importer to support its digital advertising services in accordance with Article 28of the EU General Data Protection Regulation and its partners where necessary in connection with its digital advertising services.
C2P Model Clauses
4. Governing Law: The C2P Model Clauses shall be governed by: the law of the EU Member State in which the Client is established unless the Client is established in the UK, in which case the C2P Model Clauses shall be governed by English law after EU law ceases to apply to the UK (including the data protection aspects of any sub-processor contract entered into under the C2P Model Clauses).
5. Confidentiality: The C2P Model Clauses shall be treated as Confidential Information for the purposes of the confidentiality provisions of the Agreement, and may not be disclosed by MediaMath or Client to any third party except where and to the extent permitted by the Agreement. This shall not prevent disclosure of the Model Clauses to a data subject pursuant to Clause 4(h) of the C2P Model Clauses or to a supervisory authority pursuant to Clause 8 of the C2P Model Clauses.
6. Termination: In the event that Client wishes to terminate the C2P Model Clauses in accordance with Clause 5(a) or 5(b) of the C2P Model Clauses, then Client shall endeavour to provide notice to MediaMath and provide MediaMath with thirty (30) days to cure the non-compliance (“Cure Period“). If after the Cure Period, MediaMath has not or cannot cure the non-compliance, then Client may terminate the Agreement immediately in accordance with the termination provisions of the Agreement. Client shall not be required to provide such notice in circumstances where it considers there is a material risk of harm to data subjects or their personal data.
7. Audit: The provisions of the Schedule A, governing audit rights (“Audit Provisions“), shall also govern audit rights under the C2P Model Clauses. In the event that Client wishes to exercise its audit rights under Clause 5(f) of the C2P Model Clauses, then the Audit Provisions will exclusively govern Clients’ and MediaMath’s obligations with respect to such audits.
8. Sub-contracting: The provisions of the User Policy, governing subcontracting rights (“Sub-Contracting Provisions“), shall govern subcontracting rights under the C2P Model Clauses. In the event that MediaMath wishes to engage a sub-processor under the C2P Model Clauses then, provided that MediaMath complies with the requirements of the Sub-Contracting Provisions, Client shall deem MediaMath to have complied with its sub-processing obligations under Clauses 5(h) and (i) and Clause 11 of the C2P Model Clauses.
9. Onward sub-processing agreements: MediaMath shall be deemed to have complied with the obligation in Clause 5(j) of the C2P Model Clauses to the extent that it shall (on a confidential basis), if requested by Client, provide to Client all information it reasonably can in connection with any onward sub-processing agreement it concludes under the C2P Model Clauses.
10. SARs: MediaMath and Client acknowledge that MediaMath shall respond directly to SARs and Deletion Requests as defined in Schedule A. Therefore, in cases where MediaMath is acting as a processor, then for the purposes of Clause 5(d)(iii) of the C2P Model Clauses, Client hereby authorises MediaMath to respond directly to SARs and Deletion Requests which do not explicitly refer to the Client and/or deletion of Personal Data held by the Client.
11. Archives: For the purposes of Clause 12(1) of the C2P Model Clauses, the parties acknowledge that Client Data may be archived by MediaMath on back-up systems for security and business continuity purposes. Deletion of such archived Client Data shall be in accordance with MediaMath’s standard archival procedures, provided that MediaMath warrants that it will guarantee the confidentiality of the relevant Client Data and will not actively process it anymore.
C2C Model Clauses
12. Data Processing Principles: The parties select the option set out in Clause 2(h)(iii) of the C2C Model Clauses, namely that the applicable importer shall process personal data in accordance with the data processing principles set forth in Annex A of the C2C Model Clauses.
13. Confidentiality: The C2C Model Clauses shall be treated as Confidential Information for the purposes of the confidentiality provisions of the Agreement, and may not be disclosed by MediaMath or Client to any third party except where and to the extent permitted by the Agreement.
14. Audit: The Audit Provisions shall also govern audit rights under the C2C Model Clauses. In the event that Client wishes to exercise its audit rights under the Clause 2(g) of the C2C Model Clauses then the Audit Provisions will exclusively govern Clients’ and MediaMath’s obligations with respect to such audits.
Last Revised: August 10, 2020