This United States Data Processing Agreement (“USDPA”) is effective as of the date both parties sign the underlying Rokt Platform Services Agreement or Rokt Ecommerce Services Agreement (as applicable) (“ESA”) covering the applicable Services (as defined therein) between the Partner and Rokt (inclusive of any and all schedules, attachments, addendums, amendments, exhibits, order forms and statements of work, the “Agreement”), or by otherwise accepting or using the Rokt Services described therein. You, on behalf of your company specified in the Agreement, agree to be bound by this USDPA, with Rokt US Corp (“Rokt US”). All capitalized terms that are used but not defined in this USDPA shall have the meaning given to them in the Agreement.

1. Background

1.1 If any data processed in the provision of the Services contains any personal data of individuals residing in the United States (“U.S. Personal Data”) then the provisions of this USDPA shall apply and will take priority over any of the provisions of Clause 11 (Privacy) of the Agreement if and to the extent only of any conflict or inconsistency between them.

1.2 Partner will use the Rokt Platform pursuant to the ESA, and in connection with such usage and with Rokt's provision of the Services, Rokt US will have access to and process certain personal data. The personal data that Rokt US will process in providing the Services is described in Annex A to this USDPA.

1.3 Each party shall comply with its obligations under this USDPA with respect to the types of U.S. Personal Data that it processes and according to its responsibilities as the Business or Service Provider (as appropriate) in relation to the relevant U.S. Personal Data.

1.4 The parties agree that:

  • (a) Partner shall be a Business with regard to any U.S. Personal Data described in Annex A constituting Partner Data (as defined in the Agreement), that is processed in connection with the provision of the Services (“Partner U.S. Personal Data”);
  • (b) Subject to paragraph (c), Rokt US shall be a Service Provider with regard to Partner U.S. Personal Data;
  • (c) Rokt US and Partner shall both be Businesses with regard to the limited subset of Partner U.S. Personal Data collected following the End Customer’s acceptance or opting in to the Advertiser’s or Provider’s offer or promotion (“Referral Data”), but Rokt US may use Referral Data solely as necessary to deliver or facilitate such offer or promotion in Rokt US’s provision of the Services;
  • (d) Rokt US shall be a Business with regard to the Rokt Data, including the Derived Data.

2. Security

Rokt US shall implement appropriate technical and organizational measures designed to protect the Partner U.S. Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to, the Partner U.S. Personal Data (a “Security Incident”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

3. Business Obligations

3.1 Each party shall comply with all aspects of U.S. Privacy Law applicable to its data processing activities in the capacity of a Business hereunder, including by processing such data fairly and lawfully, providing any legally required privacy notices and disclosures, obtaining any legally required consents for personal data processing, and implementing appropriate physical, technical, and administrative safeguards designed to protect the security and integrity of U.S. Personal Data under its control.

4. Service Provider Obligations

4.1 Purpose limitation

Rokt US shall process the Partner U.S. Personal Data as necessary to perform its obligations under the Agreement, for such other purposes as may be described in this USDPA (including Annex A) and in accordance with the documented instructions of the Partner (the “Permitted Purpose”), except where otherwise required by any U.S. Privacy Law. In furtherance of the foregoing, and except where otherwise required by U.S. Privacy Law, Rokt US shall not: (i) sell or share for purposes of cross-context behavioral advertising any Partner U.S. Personal Data for monetary or other consideration; (ii) retain, use, or disclose Partner U.S. Personal Data for any purpose other than the Permitted Purpose; (iii) retain, use, or disclose Partner U.S. Personal Data outside of the direct business relationship between Partner and Rokt; or (iv) combine Partner U.S. Personal Data with U.S. Personal Data that it receives from other sources or collects from its own interactions with an individual; provided that Rokt US may combine, merge, or integrate Partner U.S. Personal Data as necessary to perform any legitimate business purpose, including those business purposes described in applicable U.S. Privacy Laws.

4.2 Confidentiality of processing

Rokt US shall ensure that any person that it authorizes to process the Partner U.S. Personal Data (including Rokt’s staff, agents and subcontractors) (an “Authorized Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not authorize any person access to Partner U.S. Personal Data who is not under such a duty of confidentiality.

4.3 Subprocessing

Rokt US may subcontract its processing of Partner U.S. Personal Data to a subprocessor without the prior written consent of Partner. Rokt US shall, however, inform Partner when it adds to or removes the subprocessors (which may be done via a website link notified to Partner) and give Partner a reasonable opportunity to object to the addition of a new subprocessor. Partner consents to and authorizes Rokt to use the subprocessors listed at in its provision of the Services. Rokt US shall be solely responsible for fulfilling its obligations under this USDPA despite the use of any subprocessors.

4.4 Data subjects’ rights

Rokt US shall:

  • (a) respond to any verified and valid request from a data subject to exercise its rights to deletion under U.S. Privacy Law by deleting all personal data held by Rokt US that relates to the data subject and is contained within the Partner U.S. Personal Data; provided that Rokt US may retain personal data as described in this DPA (including Annex A); and
  • (b) provide all reasonable and timely assistance (including by appropriate technical and organizational measures) to Partner (at Partner’s expense) to enable Partner to respond to: (i) any verified and valid request from a data subject to exercise any of its other statutory rights given under applicable U.S. Privacy Law, including rights of access, correction, and data portability, as applicable; and (ii) any written correspondence, inquiry, or complaint received from a regulator in connection with the processing of the Partner U.S. Personal Data. In the event that any request, correspondence, inquiry, or complaint is made directly to Rokt US, Rokt US will promptly do either of the following: inform Partner of the request, correspondence, inquiry, or complaint; or direct the data subject or regulator to contact the Partner.

4.5 Data Protection Impact Assessment

If Rokt US determines that its processing of Partner U.S. Personal Data is likely to result in a high risk to the privacy rights and freedoms of End Customers, Rokt US will provide such reasonable and timely assistance at Partner’s cost as Partner may require in order to conduct a data protection impact assessment.

4.6 Security incidents

Upon becoming aware of a confirmed Security Incident involving Partner U.S. Personal Data, Rokt shall inform Partner without undue delay and provide reasonable information and cooperation as Rokt may reasonably require in order for Partner to fulfill its data breach reporting obligations under U.S. Privacy Law.

4.7 Deletion or return of Partner U.S. Personal Data

Upon termination or expiry of the ESA, Rokt US shall (if the Partner so requests) destroy or return to the Partner all Partner U.S. Personal Data (including all copies of the same) in its possession or control (including any Partner U.S. Personal Data residing with a subprocessor) for which Rokt US is acting as a Service Provider. This requirement shall not apply to the extent that: (i) Rokt US is acting as a Business with respect to Referral Data; (ii) Rokt US is required by any U.S. Privacy Law to retain some or all of that Partner U.S. Personal Data; or (iii) Rokt US retains Partner U.S. Personal Data for the purposes of establishment, exercise, or defense of legal claims, in which events Rokt US shall protect the Partner U.S. Personal Data from any further processing except to the extent required by any law.

4.8 Audit

Upon Partner’s written request, Rokt US shall make available to Partner information in its possession that is necessary to demonstrate Rokt US’s compliance with the terms of this USDPA and/or allow Partner to conduct reasonable assessments of Rokt US’s policies and technical and organizational measures in support of Rokt US’s obligations hereunder. Partner must give Rokt US reasonable prior written notice of its intention to conduct any such assessment, conduct the assessment during normal business hours, and take all reasonable measures to prevent unnecessary disruption to Rokt US’s operations. Partner may not exercise its audit rights more than once in any twelve (12) calendar month period.

4.9 Certification

Rokt US certifies that it understands and will comply with the foregoing restrictions.

5. Consents

Where required under U.S. Privacy Law, the Partner shall include the relevant disclosures for the operation of the Rokt Placement to each End Customer; in which case Rokt US will provide directions with respect to the form of consent and information about how End Customers’ device information is processed to be included in relevant disclosures.

6. Costs

Each party shall bear its own costs for complying with its obligations under this USDPA, unless otherwise stated, and shall not be entitled to charge any additional fees to the other party for such compliance, except as may otherwise be expressly agreed in writing by the other party.

7. Definitions

In this USDPA:

  • (i) “Business” means the entity that, alone or jointly with others, determines the purpose and means of processing of personal data, and includes the term “controller” as used in U.S. Privacy Law;
  • (ii) “Service Provider” means the entity that processes personal data on behalf of a Business, and includes the term “processor” as used in U.S. Privacy Law;
  • (iii) “U.S. Privacy Law” means the California Consumer Privacy Act, California Privacy Rights Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, Virginia Consumer Data Protection Act, and any other state or federal law relating to the protection of the privacy of United States residents, each of the foregoing upon such law’s effective or implementation date.


Data Processing Description

This Annex A forms part of the USDPA and describes the data processing that Rokt US will perform on behalf of Partner.

Description: Details

Duration of the processing: For the duration of the Agreement, or as required by any applicable law, or for the purposes of legal claims.

Nature and purposes of the processing:

Partner U.S. Personal Data
  • presenting and optimizing relevant offers or promotions to End Customers on Partner’s sites and platforms;
  • concluding offers and promotions set out in Promotional Content;
  • pre-populating End Customer data fields to make online experience more convenient on Partner’s sites and platforms;
  • billing and measurement of offers and promotions, and otherwise providing the Services under the Agreement.

Referral Data (Rokt US as Business)
  • delivering and facilitating offers or promotions, and enabling an End Customer’s uptake thereof

Type of personal data:
  • First Name
  • Last Name
  • Email Address
  • Mobile Number
  • Zip/Postcode
  • Age (or DOB)
  • Gender
  • Transaction Details
  • Address
  • Location
  • Device information

Sensitive personal data (if any): None.

Categories of Data Subject: End Customers.

Contact points for data protection enquiries:
Rokt US: General Counsel via
Partner: As set forth in Section 2 of the ESA.