Data Processing Agreement
Updated February 9, 2025
This Data Processing Addendum (together with any Exhibits, Attachments, Schedules, Appendices, the “Addendum” or “DPA”) forms part of the Agreement, including all attachments, exhibits, and appendices (“Agreement”) entered into between Customer and Buxton Company, LLC d/b/a Audiense with its subsidiaries Elevar, LLC and Audiense, LTD (together and separately “Audiense”). This Addendum reflects the Parties’ agreement with regard to Audiense’s Processing of Personal Data (defined below) in connection with providing Services described in the Agreement. In the event of a conflict, the terms and conditions of this Addendum will prevail. Capitalized terms shall have the meaning given them in the Agreement, in this DPA, and in the Data Protection Laws, as applicable.
Customer and Audiense agree as follows:
- The following terms, including any derivatives thereof, will have the meanings set forth below.
- “Aggregated Data” means information resulting from the combination of data such that the result cannot reasonably be linked to an identified or identifiable person or household, whether alone or in combination with other data held by Audiense.
- “Anonymous Data” means data that does not relate to an identified or identifiable person and cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable person.
- “Applicable Services” has the meaning given in Section 2.1.
- “Data Protection Laws” means any laws that apply to the Processing of data by Audiense under the Agreement. This includes laws, regulations, guidelines, requirements, and government issued rules in the U.S. and other jurisdictions, at the international, country, state/provincial, or local levels, currently in effect and as they become effective.
- “Data Subject” means any living identified or identifiable natural person to which Personal Data relates or identifies.
- “Data Subject Request” means a request to access, correct, amend, transfer, rectify, restrict, limit use, opt out of sale or sharing or other processing, or delete a Data Subject’s Personal Data consistent with that person’s rights under Data Protection Laws.
- “De-Identified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, a particular person, household, or device associated with a person or household.
- “Derived Data” has the meaning set forth in the Agreement.
- “First-Party Processing Services” means services under which Audiense processes Customer’s own data as Customer’s service provider or processor and returns processed results to Customer, without selling or licensing Customer Personal Data to third parties except as expressly authorized in writing by Customer.
- “Output Data” means data, analytics, scores, models, segments, insights, reports, or other results produced by Audiense through Transformation or analytics that are Aggregated Data, Anonymous Data, or De-Identified Data, and that do not include Customer Personal Data in identifiable form.
- “Personal Data” or “Personal Information” means Customer information Processed by Audiense under the Agreement that is linked, reasonably linkable, or relates to an identified or identifiable natural person. Both Personal Data and Personal Information are referred to in this Addendum as “Personal Data.”
- “Process” or “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, sale, analysis, alignment or combination, restriction, erasure or destruction.
- “Processor Terms” means Sections 4 through 9 of this DPA, which apply only as set forth in Section 2 of this DPA.
- “Security Incident” means any confirmed accidental, unauthorized, unintended, or unlawful processing, access to, exfiltration, theft, disclosure, destruction, loss, alteration, compromise, and/or malicious infection of Customer Personal Data transferred, transmitted, stored, or otherwise Processed by Audiense or any of its Subprocessors or third parties that Process Personal Data on Audiense’s behalf.
- “Services” will have the same meaning provided under the Agreement.
- “Standard Contractual Clauses” means the agreement executed by and between Customer and Audiense and attached hereto as Schedule 3 pursuant to the European Commission’s decision ((EU) 2021/914) of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
- “Subprocessor” means a subcontractor engaged by Audiense or its affiliates to Process Customer Personal Data as part of the performance of the Services.
- “Third-Party Data Brokerage Services” means services under which Audiense acquires data (which may include Customer-supplied data) for Audiense’s independent data products, databases, segments, models, and related analytics, which Audiense may Transform and then sell, license, or otherwise make available to third parties in Audiense’s discretion, as an independent controller, and not as Customer’s processor.
- “Transform” or “Transformation” means Audiense’s processing designed to create Derived Data.
- “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, attached hereto as Schedule 5.
- “Website Analytics and Management Services” means Audiense’s services that measure, collect, analyze, and report on Customer’s website and app performance, user interactions, and traffic.
- SCOPE; ROLE; APPLICABILITY
- Service Types and Applicability. The Parties acknowledge that Customer may purchase one or more of the following service types, as set forth in an Ordering Document (each, as applicable, the “Applicable Services”):
- First-Party Processing Services — Audiense acts as Customer’s service provider/processor. The Processor Terms apply.
- Website Analytics Services — Audiense acts as Customer’s service provider/processor. The Processor Terms apply.
- Third-Party Data Brokerage Services — Audiense acts as an independent business/controller. The Processor Terms do not apply, except as expressly stated in Section 13.
- Carve-Out Upon Transformation. For Third-Party Data Brokerage Services, Customer-supplied data will be subject to Transformation prior to any external use or commercialization by Audiense, and once so Transformed, such Output Data is not Customer Personal Data, is outside the scope of the Processor Terms, and may be used and disclosed by Audiense without limitation, except as required by law. Nothing in this DPA requires Audiense to return or delete Output Data.
- CUSTOMER OBLIGATIONS
- Customer represents and warrants that any notice and / or consent required under Data Protection Laws has been provided to all Data Subjects whose Personal Data is Processed by Audiense under the Agreement, such that Audiense may lawfully Process Customer Personal Data in providing the Applicable Services under the Agreement. Audiense shall not have any liability to Customer, and Customer agrees to indemnify Audiense, to the extent the basis of liability arises from failure by Customer to obtain any necessary consents to collect, use, transfer, or otherwise Process Personal Data, or failure by Customer to fully comply with the Agreement, this DPA, or applicable Data Protection Laws.
- Customer’s instructions for the processing of Customer Personal Data shall comply with the Data Protection Laws. Customer acknowledges that Audiense is reliant on Customer for direction as to the extent to which Audiense is entitled to use and Process Customer Personal Data. Consequently, Audiense will not be liable for any claim brought against Customer or Audiense by a Data Subject arising from any act or omission by Audiense to the extent that such act or omission resulted from Customer’s instructions or Customer’s use of the Applicable Services.
- PROCESSING OF PERSONAL DATA
- Processing of Personal Data. Audiense will only Process Customer Personal Data for the purposes of developing, improving, maintaining, and providing the Services to Audiense’s customers, including compiling data subjects’ personal data into a comprehensive profile which it may then resell to its other customers, unless otherwise permitted under Data Protection Laws to which Audiense is subject.
- Audiense shall be responsible for its compliance with Data Protection Laws and Customer’s instructions when Processing Personal Data. Audiense will inform Customer immediately if, in its opinion, an instruction does not comply with Data Protection Laws.
- Customer instructs Audiense to Process Personal Data to perform the Services and as described in this DPA and the Agreement.
- Audiense will not retain, use, or disclose Customer Personal Data for any purpose other than for the specific purposes described herein or as otherwise permitted by Data Protection Laws.
- The details of the Processing of Personal Data pursuant to the Agreement are set forth in the DPA.
- Customer shall, upon reasonable request, provide Audiense with an attestation that it treats the Personal Data made available to Customer by Audiense in the same manner as required of Audiense under this DPA and Data Protection Laws.
- In Processing Personal Data under the Agreement, Audiense shall provide the same level of privacy protection required by Data Protection Laws. Audiense will notify Customer if Audiense determines it or its Subprocessor(s) cannot meet its obligations under the Data Protection Laws, in which case Customer may take reasonable and appropriate steps to stop and remediate unauthorized Processing of Personal Data.
- Data Subject Requests. Audiense shall inform Customer without undue delay if it receives a request from a Data Subject to exercise their rights under Data Protection Laws which is intended for Customer. Audiense will provide such assistance, including taking any appropriate technical and organizational measures, as required for Customer to fulfill its obligations under Data Protection Laws to respond to Data Subject Requests, to the extent Customer is unable to fulfill its obligations absent such assistance. Audiense may charge Customer, and Customer shall reimburse Audiense, for any such assistance beyond providing self-service features included as part of the Services. Notwithstanding its obligations under this Section, nothing in this Section obligates Audiense to respond to a Data Subject Request directly from a Data Subject, and Audiense does not otherwise assume any liability or responsibility for responding to Data Subject Requests.
- Requests to Delete. Unless it is permitted to retain Personal Data under the Data Protection Laws, Audiense will comply with Customer’s direction to delete any Personal Data where required by law, and shall notify any Subprocessors of such direction as applicable. Audiense shall not be required to delete any of the Personal Data to comply with a Data Subject’s request directed by Customer if it is necessary or permitted to maintain such information in accordance with applicable law.
- Regulator Requests. Both Parties will reasonably assist the other in communicating and cooperating with any regulators relating to the Processing of Personal Data under the Agreement.
- Each Party shall notify the other of all enquiries from a regulator that the Party receives which relate to the Processing of Customer Personal Data under the Agreement, unless prohibited from doing so at law or by the regulator.
- Unless a regulator requests in writing to engage directly with Audiense, the Parties (acting reasonably and taking into account the subject matter of the request) agree that if and to the extent Audiense is acting as a Service Provider, Customer shall be responsible for handling all regulator requests relating to the Processing of Personal Data under the Agreement. Customer shall: (a) be responsible for all communications or correspondence with the regulator in relation to the Processing of Personal Data and the provision or receipt of the Services, and (b) keep Audiense informed of such communications or correspondence to the extent permitted by law. At Customer’s expense, Audiense shall provide such assistance as Customer may require in relation to such a regulator request, to the extent Customer is unable to fulfill its obligations absent such assistance.
- Deletion and Return of Personal Data. Unless agreed upon in the Agreement, upon termination of the Agreement or Customer’s request, Audiense will: (a) if requested to do so by Customer, return all Personal Data to Customer or provide a self-service functionality allowing Customer to do the same, or (b) within 90 days of the termination or expiry of the Agreement, delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data processed by Audiense or any Sub-processors.
- Audiense shall inform its personnel engaged in the Processing of Customer Personal Data of the confidential nature of the Customer Personal Data and ensure that they are subject to binding confidentiality obligations.
- If Customer Personal Data is being provided to a third party in response to a subpoena or other discovery request, to the extent permitted by applicable law, Audiense will provide Customer with notice of the subpoena or discovery request prior to disclosing the Customer Personal Data so that Customer may, at its expense, object to the subpoena or discovery request, or seek an appropriate protective order.
- Confidentiality. Audiense agrees to inform all individuals with authorized access to Personal Data of the confidential nature of such information. Audiense will ensure that all employees are subject to binding confidentiality obligations.
- Data Protection Impact Assessments and Prior Consultation. Audiense agrees to provide all reasonable assistance to Customer in completing any data protection impact assessments and/or consultations with government authorities pursuant to Data Protection Laws to the extent Customer is unable to fulfill its obligations absent such assistance.
- Customer may audit Audiense’s compliance with its obligations under this DPA and the Data Protection Laws, and will cooperate in a data protection impact assessment (together, “Audit”) as required by Data Protection Laws, subject to the following requirements:
- Audiense will inform Customer if, in its opinion, any of Customer’s instructions relating to the Audit violate applicable Data Protection Laws.
- Customer may perform such Audits not more than once per year or more frequently if required by Data Protection Laws applicable to Customer.
- Customer may use a third party to perform the Audit on its behalf, provided the third party is a qualified auditor and executes a confidentiality agreement acceptable to Audiense before the Audit.
- To request an audit, Customer must submit a detailed proposed audit plan to Audiense at least four weeks in advance of the proposed audit date. Audiense will review the proposed audit plan and collaborate cooperatively with Customer to agree on a final audit plan. All such audits must be conducted during regular business hours, subject to the agreed final audit plan and Audiense’s health and safety or other relevant policies and may not unreasonably interfere with Audiense business activities. Nothing in this clause 3.4 shall require Audiense to breach any duties of confidentiality. Customer must provide Audiense with any Audit reports or findings generated in connection with any Audit at no charge, unless prohibited by law. Customer may use the Audit reports only for the purposes of meeting its Audit requirements under Data Protection Laws and/or monitoring and confirming compliance with the requirements of this DPA. The Audit reports shall constitute Confidential Information of the Parties under the Agreement.
- Under the following circumstances, Customer agrees to accept those findings in lieu of requesting an Audit of the controls covered by the report: (a) the requested Audit scope is addressed in a similar Audit report performed by a qualified third-party auditor for Audiense within twelve (12) months of Customer’s request, (b) if permitted by the Data Protection Laws, and (c) Audiense confirms there are no known material changes in the controls audited. All Audits are at Customer’s sole cost and expense. Any request for Audit assistance requiring the use of resources different from or in addition to those required for provision of the Services will be considered an additional Service for which reasonable additional fees may be charged. Audiense reserves the right to require Customer’s written agreement to pay for such fees before providing such Audit assistance.
- Customer will promptly notify Audiense of any non-compliance discovered during the course of an audit and provide Audiense any audit reports generated in connection with any audit, unless prohibited by applicable law or otherwise instructed by a regulatory or governmental authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA.
- Any audits are at Customer’s expense. Customer shall reimburse Audiense for any reasonable, documented out-of-pocket costs incurred by Audiense or its Sub-processors in connection with such audits.
- SECURITY Subject to the obligations of Customer under the Agreement:
- Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Audiense and each Audiense Affiliate shall, in relation to the Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32 of the GDPR.
- In assessing the appropriate level of security, Audiense shall take account in particular of the risks that are presented by Processing, including without limitation the risks of a Security Incident.
- Audiense shall notify Customer without undue delay after becoming aware of a Security Incident and shall co-operate with Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of a Security Incident. The parties agree to reasonably cooperate with one another before communicating about any Security Incident with any third party. Audiense’s notification of or response to a Security Incident under this clause 4.3 will not be construed as an acknowledgement by Audiense of any fault or liability with respect to the Security Incident.
- Audiense will implement and maintain as a minimum standard the measures set out in Schedule 2. Audiense may update or modify the security measures set out in Schedule 2 from time to time, including (where applicable) following any review by Audiense of such measures in accordance with clause 8.6 of the SCCs, provided that such updates and/or modifications do not reduce the overall level of protection afforded to the Customer Personal Data by Audiense under this DPA.
- Customer acknowledges and agrees that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the security measures set out in Schedule 2 are appropriate to ensure the security of the Customer Personal Data.
- SUBPROCESSORS
- Customer authorizes Audiense and each Audiense Affiliate to appoint (and permit each Subprocessor appointed in accordance with this Section 5 to appoint) Subprocessors in accordance with this Section 5 and any restrictions in the Agreement and applicable Data Protection Laws including the Standard Contractual Clauses and UK Addendum, if applicable. Customer grants Audiense general authorization to engage Subprocessors, subject to this Section, from an agreed list, as well as Audiense’s current Sub-processors listed at [INSERT LINK] as of the Effective Date.
- Audiense and each Audiense Affiliate may continue to use those Subprocessors already engaged by Audiense or any Audiense Affiliate as of the date of this DPA, subject to Audiense and each Audiense Affiliate in each case as soon as practicable meeting the obligations set out in Section 5.3. Audiense shall give Customer fifteen (15) days’ prior written notice of the appointment of any new Subprocessor, and Customer must inform Audiense of any objection to such new Subprocessor within ten (10) days of such notice. If Customer objects to a Subprocessor under this Section, the parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, Audiense will make commercially reasonable efforts to provide Customer with the same level of service, without using the new Subprocessor to process Customer Data. If Audiense is unable to make available such change within a reasonable period of time, each party may, as its sole and exclusive remedy, terminate the Agreement with regard to the affected portion of the Services, by providing written notice to the other party. During any such objection period, Audiense may suspend the affected portion of the Services.
- Audiense will ensure that any Subprocessor that has access to Customer Personal Data enters into a written agreement obligating the Subprocessor to comply with terms that are at least as restrictive as those imposed on Audiense under the Data Protection Laws.
- Audiense shall remain fully liable to Customer for the performance of its Subprocessors’ obligations and shall be responsible to Customer for its Subprocessors’ Processing of Personal Data.
- DATA TRANSFERS
- Standard Contractual Clauses. Customer is solely responsible for ensuring that any authorized transfer of Customer Personal Data across national borders made by Audiense at the Customer’s direction complies with all laws, including, but not limited to, any cross-border data transfer requirements or prohibitions. Except as disclosed in Schedule 3, Audiense will not make an onward transfer of data outside the European Economic Area (“EEA”) without the consent of Customer. The Parties agree that the terms of the Standard Contractual Clauses Module Two (Controller to Processor) and Module Three (Processor to Processor), as further specified in Schedule 3 of this DPA, are hereby incorporated by reference and shall be deemed to have been executed by the Parties and apply to any transfers of Customer Personal Data falling within the scope of the GDPR from Customer (as data exporter) to Audiense (as data importer).
- Support for Cross-Border Data Transfers. Audiense will provide Customer reasonable support to enable Customer’s compliance with the requirements imposed on the transfer of personal data to third countries with respect to data subjects located in the EEA, Switzerland, and UK. Audiense will, upon Customer’s request, provide information to Customer which is reasonably necessary for Customer to complete a transfer impact assessment (“TIA”). Audiense further agrees to implement the supplementary measures agreed upon and set forth in Schedule 4 of this DPA in order to enable Customer’s compliance with requirements imposed on the transfer of personal data to third countries. Audiense may charge Customer, and Customer shall reimburse Audiense, for any assistance provided by Audiense with respect to any TIAs, data protection impact assessments or consultation with any supervisory authority of Customer.
- Customer Personal Data Subject to the UK and Swiss Data Protection Laws. To the extent that the processing of Customer Personal Data is subject to UK or Swiss data protection laws, the UK Addendum (Schedule 5) and/or Swiss Addendum (Schedule 6) (as applicable) shall apply.
- ADDITIONAL COMPLIANCE PROVISIONS
- The Parties each represent and warrant to each other that they have read and understand the requirements of all applicable Data Protection Laws, and will be responsible for their own compliance with them.
- Audiense shall not have any liability to Customer to the extent the basis of liability arises from failure by Customer to provide any required notice or obtain any necessary consents to collect, use, transfer, or otherwise Process Personal Data, or failure by Customer to fully comply with the Agreement, this DPA, or applicable Data Protection Laws.
- Each Party agrees that it is responsible for its own compliance with the requirements of the GDPR and other applicable Data Protection Laws and agrees to indemnify, defend, and hold harmless the other Party from and against any claims, demands, losses, liabilities, fines, penalties, costs, and expenses arising out of or relating to its own acts and omissions that do not comply with the Data Protection Laws. This duty to indemnify, defend, and hold harmless includes fines that may be imposed by a governing authority and any and all reasonable attorneys’ fees and court costs.
- THIRD-PARTY DATA BROKERAGE SERVICES
- Role; Independence. For Third-Party Data Brokerage Services, Audiense acts as an independent business/controller. Audiense does not act as Customer’s service provider/processor for such services, and the Processor Terms do not apply.
- Inputs; Permissions.
- Customer may supply data to Audiense for potential inclusion in Audiense’s Third-Party Data Brokerage Services (“Brokerage Inputs”).
- Customer represents and warrants that Brokerage Inputs were collected and disclosed in compliance with applicable law and with all notices and permissions necessary to allow Audiense to Process, Transform, commercialize, and otherwise use such Brokerage Inputs for Third-Party Data Brokerage Services, including disclosure to third parties after Transformation.
- Customer will not provide Brokerage Inputs that are subject to contractual restrictions inconsistent with this Section 10 unless expressly identified and accepted in writing by Audiense.
- No Attribution. Audiense will not attribute De-Identified Data, Output Data, Derived Data, or Aggregated Data derived from Brokerage Inputs to Customer except as necessary for audit, compliance, or compensation purposes described in the Order.
- Consumer Requests. Each Party will be individually responsible, in its role as an independent business/controller, for responding to data subject/consumer requests for which it is the responsible party under applicable law. The Parties will reasonably cooperate to route misdirected requests to the appropriate Party.
- GENERAL
- Interaction With the Agreement.
- This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any processing of Customer Personal Data as a Service Provider.
- With respect to Customer Affiliates, by entering into the Agreement, Customer warrants it is duly authorized to enter into the DPA for and on behalf of any such Customer Affiliates and, subject to clause 11.1.3, each Customer Affiliate shall be bound by the terms of this DPA as if they were the Customer.
- Customer warrants that it is duly mandated by any Customer Affiliates on whose behalf Audiense processes Customer Personal Data in accordance with this DPA to (a) enforce the terms of this DPA on behalf of the Customer Affiliates, and to act on behalf of the Customer Affiliates in the administration and conduct of any claims arising in connection with this DPA; and (b) receive and respond to any notices or communications under this DPA on behalf of Customer Affiliates.
- The Parties agree that any notice or communication sent by Audiense to Customer shall satisfy any obligation to send such notice or communication to a Customer Affiliate.
- By signing this DPA, Audiense certifies that it understands the restrictions herein and will comply with them.
- Each Party’s liability under or in connection with this DPA is subject to the limitations on liability contained in the Agreement, to the extent permitted by law.
- No Restriction. The obligations contained in this DPA, including the Exhibits, Attachments, and Appendices, shall not restrict Audiense in its rights and/or obligations to: (a) comply with federal, state, or local laws, or to comply with a court order or subpoena to provide information or legal holds, or (b) to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.