PUSHLY SHE MEDIA PARTNER NETWORK TERMS AND CONDITIONS
These Pushly Publisher Terms and Conditions (the “Agreement”) are entered into by the individual or the business, company, or other entity that accepts this Agreement electronically (“Publisher”), the date of acceptance being the “Effective Date.” This Agreement is a legal agreement between Publisher and Ad-Ventures 2, Inc. (d/b/a Pushly), a Delaware corporation (“Pushly”). Capitalized words used in this Agreement but not otherwise defined at first use shall have the meanings ascribed to them in Section 1 below.
This Agreement may only be modified or amended BY (A) an agreement executed by Pushly and Publisher, or (B) Pushly by posting the LATEST VERSION OF THE Agreement in the Publisher Program OR ON ITS WEBSITE. Publisher’s continued use of the Push Notification Technology or other participation in the Publisher Program after notice of modifications or amendments shall constitute Publisher’s acknowledgement and acceptance of such. If Publisher does not agree to this Agreement or any SUBSEQUENT MODIFICATIONS OR AMENDMENTS hereto, in whole or in part, Publisher is not authorized to access or use the Publisher Program and must cease all use of the Publisher Program.
1. Definitions.
(a) “Active Subscriber” is a visitor to a Publisher Property who opted-in to receive browser-enabled push notifications via the Push Notification Technology and continues to be eligible to receive such notifications.
(b) “Confidential Information” means any information disclosed by a party (the “Disclosing Party”), which is designated as “Confidential,” “Proprietary,” or some similar designation, or which under the circumstances surrounding disclosure ought to be treated as confidential. Confidential Information does not include information which (i) is or becomes generally available or part of the public domain through no fault of the other party (the “Receiving Party”); (ii) was already known by or available to the Receiving Party prior to the disclosure by the Disclosing Party; (iii) is subsequently disclosed to the Receiving Party by a third party who is not under any obligation of confidentiality to the Disclosing Party; or (iv) as can be shown by written documentation, has already been or is hereafter independently acquired or developed by the Receiving Party without use of or reference to the Confidential Information of the Disclosing Party.
(c) “Disclosing Party” is defined in Section 1(b) of this Agreement.
(d) “Privacy Policy” means a privacy policy that complies with applicable laws, rules, and regulations, which is clearly labeled and prominently available to users of the Publisher Properties, and that contains, without limitation, the following: (i) a description of the use of advertising technology relating to data collection and targeting activities; (ii) a description of the collection and use of user data by Publisher and third parties; (iii) a description of the provision of user data to third parties; and (iv) a free, functioning, easy to use “opt-out” or “unsubscribe” method for users to opt-out of data collection.
(e) “Publisher Indemnitee” is defined in Section 8(b) of this Agreement.
(f) “Publisher Material” means (i) Publisher-provided content or links, or (ii) a Publisher-provided advertisement that promotes an advertiser brand, product, or service.
(g) “Publisher Program” means the Pushly publisher program offered by Pushly to the SHE Media Partner Network whereby Pushly provides Push Notification Technology to publishers at a discounted rate.
(h) “Publisher Property or “Publisher Properties” means the approved website(s) or other properties or technology (such as, but not limited to, publisher or third party software that enables message notifications and advertisements to be displayed on a user’s computer or mobile device) upon which Publisher uses the Push Notification Technology.
(i) “Push Notification Technology” means the proprietary software developed by Pushly that enables message notifications to be displayed on a user’s computer or mobile device.
(j) “Pushly Indemnitee” is defined in Section 8(a) of this Agreement.
(k) “Pushly Marks” means the Pushly name, the Pushly logo, and Pushly’s product and service names.
(l) “Receiving Party” is defined in Section 1(b) of this Agreement.
(m) “Renewal Term” is defined in Section 4(a) of this Agreement.
(n) “Tiered Pricing Fees” are the fees set forth in Exhibit A to this Agreement.
(o) “Trial Period means the ninety (90) day period following the date Publisher first implements the Push Notification Technology on the first Publisher Property under this Agreement.
(p) SHE Media Partner Network” means entities that own the Publisher Properties and that are in a written contractual relationship with SHE Media to allow SHE Media to manage the Publisher Properties for such entities.
(q) “Usage Fees” means the fees set forth in Exhibit A to this Agreement.
2. Publisher Program Participation. (a) Subject to the terms and conditions of this Agreement and Pushly’s prior written approval, Publisher shall use the Push Notification Technology on the Publisher Properties and may display Publisher Material therein. Each Publisher Property is subject to review and approval or rejection by Pushly, at any time. Publisher shall implement the Push Notification Technology without modification on the Publisher Properties, in accordance with any placement requirements and reasonable technical specifications provided by Pushly. At Pushly’s request, Publisher shall immediately cease the use of the Push Notification Technology on certain or all of the Publisher Properties. Publisher is solely responsible for the Publisher Properties including, without limitation, all content, links and materials thereon.
(b) Pushly reserves the right to improve or modify, in whole or in part, the Publisher Program or any Pushly data, information, content, software, technology, or features appearing on and/or offered through the Publisher Program at any time at its sole discretion. If a username and/or password is required or provided to access the Publisher Program, Publisher shall (i) take commercially reasonable steps to safeguard its username and password, and (ii) notify Pushly immediately if Publisher becomes aware of any unauthorized use of any username or password or any other known or suspected security breach.
(c) Publisher grants Pushly and SHE Media the right to access, obtain, index and cache data from a Publisher Property solely for purposes of targeting or otherwise improving performance of the Push Notification Technology on that Publisher Property.
(d) Publisher shall not enter into any agreement or other arrangement with any party other than Pushly relating to the provision of services that are the same as or similar to the Publisher Program or other services provided by Pushly under this Agreement.
(e) Subject to the terms and conditions of this Agreement, Publisher has the right to determine the Publisher Material that is displayed on computers or mobile devices of Active Subscribers through the Push Notification Technology. Notwithstanding the foregoing, with respect to Publisher Material that is a Publisher-provided advertisement that promotes an advertiser brand, product, or service through the Push Notification Technology and that directs a user to a destination other than the Publisher Property to which the user subscribed to receive notifications from Publisher through the Push Notification Technology, Pushly reserves the right to limit the number of such Publisher Material that may be displayed through the Push Notification Technology, and Publisher (i) agrees to comply with any such limitation, and (ii) understands and agrees that Pushly will not be liable or responsible for any revenue loss or other liability to Publisher resulting from such.
(f) Pushly will not store Internet Protocol addresses that it collects from Active Subscribers and will destroy such Internet Protocol addresses promptly upon assigning subscriber identification numbers to such Active Subscribers.
(g) Pushly and Publisher shall, to the extent applicable, comply with the Data Processing Addendum attached hereto as Exhibit B.
3. Payments. (a) Publisher shall pay Pushly the Usage Fees. Publisher shall pay the Usage Fees incurred within thirty (30) days after the date of receipt of invoice for such from Pushly. Usage Fee payments shall be made in U.S. Dollars. Charges are exclusive of taxes.
 
4. Term; Termination; Survival. (a) The term of this Agreement shall commence upon the Effective Date and shall continue until for one (1) year thereafter, unless otherwise terminated pursuant to the terms hereof, and thereafter shall automatically renew for successive one (1) year periods or other period agreed to in an amendment to this Agreement (each, a “Renewal Term”) unless a party gives the other no less than ninety (90) days’ notice prior to the end of a Renewal Term that this Agreement is not be renewed, or unless this Agreement is otherwise terminated pursuant to the terms hereof.
(b) This Agreement may be terminated by a party for cause immediately by written notice upon the occurrence of any of the following events: (i) the commencement of a petition, proceeding, or case seeking the other party’s bankruptcy, insolvency, liquidation, dissolution or winding-up, or readjustment of its debts, or seeking the appointment of a receiver, trustee or the like of itself or its assets, or otherwise seeking relief from its creditors and, in the case of an involuntary petition, proceeding or case, such petition, proceeding or case continues undismissed for, or an order approving or ordering any of the foregoing is entered and is not stayed within, sixty (60) calendar days; or (ii) if the other party breaches this Agreement and fails to cure the breach within five (5) business days of written notice describing the breach in reasonable detail.
(c) This Section 4(c) and Sections 1, 3, 5, 6, and 8 through 11 shall survive termination or expiration of this Agreement.
5. Intellectual Property. (a) Pushly owns and retains all rights, title, and interest in and to the Push Notification Technology, the Pushly Marks, and all other Pushly intellectual property. Except as expressly stated in this Agreement, Pushly does not grant any license, express or implied, to the Push Notification Technology or any other intellectual property. Pushly reserves all rights, title, and interest in and to its intellectual property. Publisher will not (i) copy, alter, modify, decompile, reverse engineer, disassemble, create derivative works of, or otherwise attempt to derive source code from the Push Notification Technology, or (ii) use the Publisher Program, the Push Notification Technology, or any other Pushly intellectual property, to create any competitive products or services.
(b) Publisher owns and retains all rights, title, and interest in and to (i) the Publisher Properties (except for the Push Notification Technology and any other Pushly intellectual property), and (ii) any data collected from the Publisher Properties by Pushly. Except as expressly stated in this Agreement, Publisher does not grant any right, title, or interest to any intellectual property. Publisher reserves all rights, title, and interest in and to its intellectual property.
6. Confidentiality; Publicity. The Receiving Party agrees not to use or disclose any of the Disclosing Party’s Confidential Information except (a) as necessary for the performance of the Receiving Party’s rights and obligations under this Agreement, or (b) as required by government authority or pursuant to any applicable law, regulation, or judicial order. Pushly Confidential Information includes, without limitation, payments made to Publisher, reports and performance metrics provided by Pushly, and information, software, technology, documentation, and specifications relating to the Publisher Program. Pushly may reference Publisher’s name and logo on its website and in promotional materials to identify Publisher as a customer of Pushly.
7. Representations and Warranties. (a) Each party represents and warrants that (i) it has the full right, power, and authority to enter into and perform under this Agreement; (ii) neither the execution, delivery, nor performance of this Agreement will result in a violation or breach of any contract, agreement, order, judgment, decree, rule, regulation or law to which it is bound; and (iii) it shall comply with all applicable laws, rules and regulations in its performance of this Agreement including, without limitation, any relevant data protection or privacy laws or regulations.
(b) Publisher further represents and warrants that (i) it has the right to transfer to and/or share with Pushly any information data, including, but not limited to, any data about or related to consumers and consumer preferences, that Publisher tenders to Pushly in performance of this Agreement, and that such is not shared or provided to Pushly in violation of any laws or regulations or any applicable privacy policy; (ii) the Publisher Properties (1) are owned or managed by Publisher, and (2) at all times will have a Privacy Policy; and (iii) the Publisher Properties and the Publisher Material (1) do not and will not violate any applicable law or regulation, (2) do not and will not infringe, misappropriate, or otherwise violate the intellectual property rights of any third party, (3) do not and will not breach any duty towards or rights of any person, (4) are not and will not be false or misleading, (5) do not and will not contain any viruses, worms, Trojan horses, or any other contaminating or destructive feature, and (6) do not and will not contain or promote any content that is illegal, pornographic, gambling-related, hate-related, abusive, false, fraudulent, deceptive, misleading, obscene, defamatory, unethical, infringing upon intellectual property or other right of another, racially or ethnically objectionable, or as notified in writing by Pushly (email sufficing) is otherwise objectionable to Pushly.
 
(c) Pushly further represents and warrants that the Push Notification Technology: (i) does not and will not violate any applicable law or regulation; and (ii) does not and will not infringe the valid U.S. patent, copyright, trademark, or trade secret of any third party.
 
8. Indemnification. (a) Publisher shall defend, indemnify and hold Pushly and its respective directors, officers, employees, representatives, and agents, (each a “Pushly Indemnitee”) harmless from and against any judgment, loss, liability, cost, damage, or expense (including reasonable attorneys’ fees) asserted by a third party against a Pushly Indemnitee to the extent arising out of or relating to Publisher’s breach of this Agreement.
(b) Pushly shall defend, indemnify and hold Publisher, and its respective directors, officers, employees, representatives, and agents (each a “Publisher Indemnitee”) harmless from and against any judgment, loss, liability, cost, damage, or expense (including reasonable attorneys’ fees) asserted by a third party against a Publisher Indemnitee to the extent arising out of or relating to Pushly’s breach of this Agreement.
(c) Each party’s obligation to indemnify the other party hereunder will be conditioned upon the indemnified party promptly notifying the indemnifying party in writing of any such claim (however, failure of the indemnified party to so promptly notify the indemnifying party will not relieve the indemnifying party of its obligations hereunder, except to the extent that such failure to give notice materially prejudices the indemnifying party’s ability to defend such claim), promptly tendering the control of the defense and settlement of any such claim to the indemnifying party (at the indemnifying party’s expense and with the indemnifying party’s choice of counsel), and cooperating reasonably with the indemnifying party in defending or settling such claim including, but not limited to, providing any information or materials necessary for the indemnifying party to perform the foregoing. The indemnifying party will not enter into any settlement or compromise of any such claim, which settlement or compromise would result in any liability to the indemnified party without the indemnified party’s prior written consent, which will not be unreasonably withheld. The indemnified party will have the right to participate in the settlement or defense of any such claim at its own expense.
9. Disclaimer of Warranties. EXCEPT AS EXPRESSLY SET FORTH HEREIN, THE PUBLISHER PROGRAM AND THE PUSH NOTIFICATION TECHNOLOGY ARE PROVIDED ON AN “AS-IS” AND “AS AVAILABLE” BASIS. EXCEPT AS EXPRESSLY SET FORTH HEREIN, EACH PARTY DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT AND INCLUDING ANY IMPLIED WARRANTIES ARISING FROM COURSE OF DEALING OR COURSE OF PERFORMANCE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, PUSHLY SPECIFICALLY DISCLAIMS ANY WARRANTY REGARDING (A) THE LIKELIHOOD OF SUCCESS OF PUBLISHER’S PARTICIPATION IN THE PUBLISHER PROGRAM, AND (B) the amount of any payment OR PROFITS to be made to PUBLISHER under this AgreemenT.
10. LIMITATION OF LIABILITY. TO THE FULLEST EXTENT PERMITTED BY LAW AND EXCEPT FOR EITHER PARTY’S BREACH OF SECTION 5 OR 6 OF THIS AGREEMENT, OR A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, (A) NEITHER PARTY SHALL BE LIABLE UNDER THIS AGREEMENT FOR ANY CLAIM FOR INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, LOST PROFITS) (EVEN IF SUCH DAMAGES ARE FORESEEABLE OR SUCH PARTY HAS BEEN ADVISED OR HAS CONSTRUCTIVE KNOWLEDGE OF THE POSSIBILITY OF SUCH DAMAGES), AND (B) EACH PARTY’S AGGREGATE LIABILITY UNDER THIS AGREEMENT FOR ANY REASON WILL NOT EXCEED THE PAYMENTS PAID AND PAYABLE BY PUBLISHER TO PUSHLY IN THE SIX (6) MONTHS IMMEDIATELY PRECEDING THE DATE ON WHICH THE CAUSE OF ACTION AROSE. EACH PARTY ACKNOWLEDGES THAT THE OTHER PARTY HAS ENTERED INTO THIS AGREEMENT RELYING ON THE LIMITATIONS OF LIABILITIES STATED HEREIN AND THAT THOSE LIMITATIONS ARE THE ESSENTIAL BASIS OF THE BARGAIN BETWEEN THE PARTIES.
11. General Provisions. (a) Force Majeure. Except for payment obligations, neither party shall be liable in damages for any delay or default in performance of this Agreement if such delay or default is caused by unforeseen conditions beyond the reasonable control of the delaying or defaulting party, including acts of God, restrictions by a government authority, wars, revolutions, terrorism, strikes (other than any strike by the delaying or defaulting party's employees), fires, floods, earthquakes, embargoes, or degradation of telephone or other communications services, including but not limited to, degradation of all or part of an Internet backbone.
(b) Relationship of the Parties. Pushly and Publisher are independent contractors and neither party is an agent, representative, partner or joint venture partner of the other.
(c) Entire Agreement. This Agreement sets forth the entire agreement between the parties with respect to the subject matter hereof, and supersedes any and all prior and contemporaneous agreements, communications, and understandings (whether written or oral) between the parties, with respect to their subject matter. No party has been induced to enter into this Agreement by virtue of, and is not relying upon, any representations or warranties not set forth in this Agreement, any correspondence or communication preceding the execution of this Agreement, or any prior course of dealing between the parties.
(d) Choice of Law and Venue. This Agreement shall be interpreted and enforced in all respects under the laws of the State of Delaware, as applicable to contracts to be performed entirely within the State of Delaware. Any litigation arising out of this Agreement will be brought solely and exclusively in the state or federal courts located in Wilmington, Delaware, and the parties agree that jurisdiction and venue properly lie in such courts and waive any claim that a proceeding in any such court has been brought in an inconvenient forum.
(e) Waiver. Failure by a party to enforce at any time or for any period of time any provisions of this Agreement shall not be construed as a waiver of such provisions, and shall in no way affect a party’s right to later enforce such provisions. No provision or part of this Agreement or remedy hereunder may be waived except by a writing signed by a duly authorized representative of the party making the waiver.
(f) Severability. If any one or more of the provisions of this Agreement shall for any reason be held to be invalid, illegal or unenforceable by a court of law, the remaining provisions of this Agreement shall be unimpaired, and the invalid, illegal or unenforceable provision shall be replaced if possible by a mutually acceptable provision, which being valid, legal and enforceable, comes closest to the intention of the parties underlying the invalid, illegal or unenforceable provision.
(g) Miscellaneous. This Agreement may only be modified or amended by (i) an agreement executed by Pushly and Publisher, or (ii) Pushly by posting the latest version of the Agreement in the Publisher Program or on its website. Publisher may not assign or delegate this Agreement, in whole or in part, without the prior written consent of Pushly, and any such attempt in violation hereof is void. Unless otherwise indicated, notice under this Agreement to Pushly shall be transmitted by registered mail or reputable overnight courier to Pushly at 4600 Madison Avenue, 3rd Floor, Kansas City, Missouri 64112, and notice to Publisher shall be transmitted via email, registered mail or reputable overnight courier to the contact information provided by Publisher to Pushly. Either party may update its contact information through appropriate notice. This Agreement may be executed in one or more counterparts, and each of which shall be deemed to be an original instrument, and all such counterparts shall together constitute the same agreement.

EXHIBIT A
Usage Fees*
 
 

Fixed average MUVs for Publisher Properties on the SHE Media Publisher Network

Discounted Monthly Trial Period Pricing

Discounted Monthly

Post-Trial Period Pricing

0 – 499,999

FREE up to 10,000

Active Subscribers**

FREE up to 10,000

Active Subscribers

500,000 - 1,000,000

$500

$600

1,000,001 - 3,500,000

$1,500

$1,800

3,500,001 – 8,000,000

$3,000

$3,600

8,000,0001 – 13,000,000

$3,750

$4,500

13,000,001- 17,500,000

$4,500

$5,400

17,500,001 – 25,000,000

$6,000

$7,200

25,000,001 – 50,000,000

$9,000

$10,800

50,000,001 – 75,000,000

$12,000

$14,400

75,000,001 – 100,000,000

$15,000

$18,000

100,000,001 – 200,000,000

$22,500

$27,000

200,000,001 and above

$30,000

$36,000

 

 
 
*SHE Media shall provide to Pushly a report setting forth fixed average total worldwide unique users per website for each Publisher Property and other websites that may become a Publisher Property under this Agreement, as calculated and reported by a third party analytics source selected by Publisher and approved in writing in advance by Pushly (the “Third Party Analytics Report”). In the event that SHE Media has not provided Pushly with a report, Publisher shall within seven (7) days after the Effective Date, provide to Pushly a copy of the Third Party Analytics Report (which may be by way of a full, complete, and accurate screenshot thereof) and Publisher shall agree to an amendment to this Exhibit A within ten (10) days after the Effective Date to add a table hereto setting forth fixed average total unique users per website for each Publisher Property and other websites that may become a Publisher Property under this Agreement.
SHE Media Partners are eligible for the agreed upon Usage Fees if that Property is continuously a part of the SHE Media Partner Network and shall expire should a Property leave the SHE Media Partner Network. Unless otherwise agreed upon, Pushly will bill all Usage Fees directly to SHE Media Partners.
**Any SHE Media Partner that has more than 10,000 Active Subscribers will be billed at $.01/subscriber, calculated according to the total number of Active Subscribers on the last calendar day of each applicable calendar month during the term of this Agreement.



EXHIBIT B
Data Processing Addendum
In the course of Pushly’s provision of services to Publisher under the Agreement (the “Services”), Pushly may process Personal Data on behalf of Publisher, and Pushly and Publisher agree to comply with this Data Processing Addendum (“DPA”) to the extent that Data Protection Laws apply with respect to any such Personal Data. This DPA is applicable only to the extent that Data Protection Laws apply to the Processing of Personal Data under the Agreement. Capitalized terms used but not otherwise defined in this DPA shall have the meanings ascribed to them in the Agreement.
1. Definitions.
(a) The terms “Controller,” “Data Subject” “Process,” “Processed,” “Processor,” and “Processing” shall have the meaning given to them under Data Protection Laws or if not defined thereunder, the CCPA.
(b) “Business” shall have the meaning given to it under the CCPA.
(c) “CCPA” means the California Consumer Privacy Act.
(d) “Data Protection Laws” means with respect to a party, all applicable data protection laws and regulations applicable to such party’s Processing of Personal Data, including, where applicable, the GDPR or the CCPA.
(e) “GDPR” means the EU General Data Protection Regulation (EU 2016/679).
(f) “New Privacy Laws” shall have the meaning given to it in Section 7(a) of this DPA.
(g) “Personal Data” means “personal data,” “personal information,” “personally identifiable information,” or similar information as defined in and governed by Data Protection Laws.
(h) “Security Breach” shall have the meaning given to it in Section 4(b) of this DPA.
(i) “Service Provider” shall have the meaning given to it under the CCPA.
2. Relationship of the Parties; Scope of Processing.
(a) If CCPA is applicable, the parties agree that with respect to the provision of Services, as to processing of Personal Data, Publisher is the Business and Pushly is the Service Provider. If GDPR is applicable, (i) the parties agree that with respect to the provision of Services, as to Processing of Personal Data, Publisher is the Controller and Pushly is the Processor, and (ii) the parties shall comply with the Standard Contractual Clauses attached to this Exhibit B as Schedule 1 to enable the transfer of Personal Data from the European Economic Area (as applicable).
(b) The subject matter, duration, nature, and purpose of the Processing of Personal Data are set forth in the Agreement and/or this DPA. The types and categories of Data Subjects are set forth in Schedule 2 to this Exhibit B. Pushly will only Process Personal Data to the extent necessary to provide Publisher with the Services and in accordance with Publisher’s written instructions set forth in the Agreement and/or this DPA.
(c) Pushly shall not (i) retain, use, or disclose Personal Data for any purpose other than providing the Services, as set out in this DPA, or as otherwise permitted by law, or (ii) further collect, sell, or use Personal Data except as necessary for legitimate business purposes, such as: (1) for accounting, tax, billing, audit, and compliance purposes; (2) to provide, develop, optimize and maintain the Service; (3) to investigate fraud, spam, wrongful or unlawful use of the Service; and/or (4) as required by applicable law.
3. Subprocessors. Pushly will not utilize subprocessors for Processing Personal Data without the prior written consent of Publisher. Pushly will ensure that its subprocessors agree to adhere to terms that are at least as protective as, or substantially similar to, this DPA.
4. Security; Confidentiality; Audit.
(a) Pushly shall ensure that any person who is authorized by Pushly to Process the Personal Data shall be bound by a contractual or statutory obligation of confidentiality. Pushly will ensure that there are appropriate physical, technical, and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, and will at a minimum include those measures described in Schedule 3 attached to this Exhibit B.
(b) Pushly will: (i) promptly notify Publisher in the event of any actual or suspected security breach, unauthorized access, misappropriation, loss, damage, or other compromise of the security, confidentiality, or integrity of Personal Data Processed by Pushly or a subprocessor (“Security Breach”); and (ii) take steps to mitigate the Security Breach and harm to consumers and provide reasonable and prompt cooperation relating to the Security Breach as requested by Publisher.
(c) Pushly will allow access to its data processing facilities for audits and inspections of the Processing activities covered by this DPA, which may be carried out by Publisher or any independent or impartial inspection agents or auditors selected by Publisher and bound by a duty of confidentiality and not reasonably objected to by Pushly.
5. Return or Deletion of Data. Pushly will, upon Publisher’s written request, delete or return to Publisher, all Personal Data after the termination or expiration of the Agreement and delete existing copies except to the extent applicable law requires the Personal Data to be retained. Further, Pushly shall protect any Personal Data that Pushly has archived on back-up systems, from further Processing.
6. Data Subject or Regulator Requests. Pushly will provide Publisher with reasonable cooperation and assistance in relation to any complaint, communication or request received from a Data Subject or regulator.
7. Miscellaneous.
(a) The CCPA remains subject to amendment and regulations that have not yet been promulgated, and other states and the United States Congress are considering similar laws (all of the foregoing, “New Privacy Laws”). Each party agrees to work together in good faith to amend this DPA to implement such terms as the other party may reasonably request in connection with compliance with New Privacy Laws. If the parties cannot reach agreement on how to address CCPA and/or New Privacy Laws, either party may terminate the Agreement upon written notice to the other party.
(b) In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail to the extent of the inconsistencies.
(c) This DPA will be governed by and construed in accordance with the choice of law and venue provisions in the Agreement, unless required by applicable Data Protection Laws.
(d) If any provision or condition of this DPA be held or declared invalid, unlawful, or unenforceable by a competent authority or court, then the remainder of this DPA shall remain valid.
Schedule 1 to Exhibit B
Standard Contractual Clauses
Clause 1
Definitions
For the purposes of the Clauses:
(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) 'the data exporter' means the controller who transfers the personal data;
(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country' s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure, or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and, in particular, the special categories of personal data where applicable are specified in Appendix 1, which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed, and throughout the duration of the personal data processing services will instruct, the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure, or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reason, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6
Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
Clause 9
Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11
Subprocessing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Clause 12
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The contents of Schedule 2 to Exhibit B shall also form Appendix 1 to these Clauses.
Appendix 2 to the Standard Contractual Clauses
This Appendix shall contain a description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached).
The contents of Schedule 3 to Exhibit B shall also form Appendix 2 to these Clauses.
Schedule 2 to Exhibit B
Details of the Processing Activities
Data exporter
The entity that signed the DPA to which this Schedule 2 to Exhibit B is attached.
Data importer
Ad-Ventures 2, Inc. (d/b/a Pushly), a Delaware corporation.
Data subjects
The personal data concerns the following categories of Data Subjects (please specify):
Visitors to Publisher’s Website properties that have clicked allow on notification prompt.
Categories of data
The personal data concerns the following categories of data (please specify):
Technical data such as randomly generated unique user ID, subscription endpoint & Authentication keys, subscription status, date of subscription, subscription page URL, browser user agent, browser language, operating system, paid subscription status, email list membership, and browser ID.
Usage data such as date of last site visit, list of viewed notifications, list of clicked notifications and keywords attached to each, and list of page URLs visited after subscribing to the Services
Geographic data such as continent, country, province, city, postal code.
Special categories of data (if appropriate)
The personal data concerns the following special categories of data (please specify):
N/A
Processing operations
The personal data will be subject to the following basic processing activities (please specify):
Data will be used to deliver web push notifications to subscribers by creating cohorts based on subscriber properties and historical activity. For example, a cohort of website visitors who have subscribed to web push from a Cheat Sheet article may be created to deliver notifications specific to politics or breaking news; r a cohort of subscribers who have not visited the applicable Publisher website within the last 7 days to encourage re-engagement with the site.
Duration
The processing of the personal data will be carried out until the date that the Pushly ceases to provide the Services to Publisher or until the DPA terminates.
Schedule 3 to Exhibit B
Technical and Organisational Security Measures
1. Access Control to Premises
Measures must be taken to prevent unauthorised physical access to premises and facilities holding or hosting personal data. Measures shall include:
• Access control system
• ID reader, magnetic card, or chip card
• Appropriate physical locks and keys
• Door locking
2. Access Control to Systems
Measures must be taken to prevent unauthorised access to Pushly systems. These must include the following technical and organisational measures for user identification and authentication:
• Password procedures
• No access for guest users or anonymous accounts
• Central management and logs of system access
• Access to IT systems subject to approval from IT system administrators
3. Access Control to Data
Measures must be taken to prevent authorised users from accessing data beyond their authorised access rights and prevent the unauthorised input, reading, copying, removal, modification or disclosure of personal data. These measures shall include:
• Differentiated access rights
• Access rights defined according to duties
• Automated log of user access via IT systems
• Measures to prevent the use of automated data-processing systems by unauthorised persons using data communication equipment
4. Disclosure and Transfer Control
Measures must be taken to prevent the unauthorised access, alteration or removal of personal data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:
• Encryption using a VPN for remote access, transport and communication of personal data
• Creating an audit trail of all data transfers
5. Input Control and Personal Data Management
Measures must be put in place to ensure all personal data management and maintenance is logged, and an audit trail of whether personal data have been entered, changed or removed (deleted) and by whom must be maintained. Measures should include:
• Logging user activities on IT systems
• Ensuring it is possible to verify and establish where personal data have been or may be transmitted or made available using data communication equipment
• Ensuring that it is possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the personal data were input
6. Compliance with this Agreement
Measures should be put in place to ensure that data is processed strictly in compliance with Publisher instructions. These measures must include:
• Unambiguous wording of contractual instructions
• Monitoring of contract performance
7. Protection of Personal Data Control
Measures should be put in place to ensure that personal data is protected against accidental destruction or loss. These measures must include:
• Ensuring that installed systems may, in the case of interruption, be restored
• Ensuring systems are functioning, and that faults are reported
• Ensuring stored personal data cannot be corrupted by means of a malfunctioning of the system
• Uninterruptible power supply (UPS)
• Business Continuity and disaster recovery procedures
• Remote storage
• Anti-virus/firewall systems
• Encryption or pseudonymisation where required or appropriate
8. Personal Data Segregation Control
Measures should be put in place to allow personal data collected for different purposes to be processed separately. These measures should include:
• Restriction of access to personal data stored for different purposes according to Pushly personnel duties
• Segregation of business IT systems
• Segregation of IT testing and production environments