Data Processing Agreement

BACKGROUND

The term “Customer” here refers to the Advertiser engaged with Equate Digital Media through an Internet Advertising Program governed by the General Terms and Conditions (referred to as the “Terms of Service Agreement”) and an Internet Advertising Order and Payment Authorization (the “IO”). If the Terms of Service Agreement and IO require Equate Digital Media to handle Personal Data on behalf of the Customer, this Data Processing Agreement’s (the “Agreement”) terms and conditions shall apply.

This Agreement outlines the additional requirements and conditions under which Equate Digital Media will process Personal Data while providing services in accordance with the Terms of Service Agreement and IO. The Agreement includes mandatory clauses applicable to Personal Data processing under relevant data protection laws.

AGREED TERMS

Definitions and Interpretation

The following definitions apply in this Agreement:

Equate Digital Media Affiliate: Any entity that controls, is controlled by, or is under common control with Equate Digital Media, either directly or indirectly.
Applicable Data Protection Law: This refers to all data protection and privacy laws governing the handling of Personal Data applicable in India or other relevant Indian laws as they come into force.
Business Purposes: The services provided by Equate Digital Media to the Customer as outlined in the Terms of Service Agreement or as further detailed in Schedule 1.
Controller: As defined under applicable Indian data protection laws.
Personal Data: Any information related to an identifiable individual that Equate Digital Media processes on behalf of the Customer under the Terms of Service Agreement.
Processing: Any operation or activity involving Personal Data, including its collection, storage, alteration, transfer, or deletion.
Personal Data Breach: Any incident resulting in the unauthorised or accidental disclosure, loss, or alteration of Personal Data.

Personal Data Types and Processing Purposes

2.1 Under Indian data protection laws, the Customer is the Controller of the Personal Data, while Equate Digital Media acts as the Processor. The Customer retains responsibility for ensuring compliance with data protection requirements and providing necessary processing instructions to Equate Digital Media.

Equate Digital Media’s Obligations

3.1 Equate Digital Media will process Personal Data solely for Business Purposes as instructed by the Customer and in accordance with the terms of this Agreement and relevant Indian data protection laws. Any actions taken outside these purposes will require prior written consent from the Customer.

3.2 Equate Digital Media will maintain the confidentiality of Personal Data and will only disclose it as authorised by the Customer or as required under Indian law.

Security

Equate Digital Media will implement appropriate security measures, including encryption and regular testing, to protect Personal Data against unauthorised access, loss, or destruction. These measures will be detailed in Schedule 3 of this Agreement.

Personal Data Breach

In the event of a Personal Data Breach, Equate Digital Media will notify the Customer immediately, providing details of the breach, including the nature, affected data, and corrective actions taken.

Cross-Border Transfers

If any Personal Data is to be transferred outside India, Equate Digital Media will ensure that such transfers comply with the Indian data protection laws in effect at the time and implement safeguards to ensure adequate protection.

Subcontractors

Equate Digital Media may only engage subcontractors with the Customer’s prior written approval. Any approved subcontractors must adhere to the same data protection requirements set forth in this Agreement.

Complaints, Data Subject Requests, and Third-Party Rights

9.1 The Processor must, at no additional cost to the Customer, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:

The rights of Data Subjects under the Digital Personal Data Protection Act, 2023, including the right to access, rectify, port, erase personal data, object to the processing of personal data, and restrict the processing of personal data.
Any notices or assessments served on the Customer by the Data Protection Board of India or other relevant authorities under the applicable Data Protection Laws.

9.2 The Processor must notify the Customer immediately in writing if it receives any complaint, notice, or communication related directly or indirectly to the processing of the Personal Data or to either party’s compliance with the applicable Data Protection Laws.

9.3 The Processor must notify the Customer within 7 days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their rights under the Digital Personal Data Protection Act, 2023.

9.4 The Processor will provide its full cooperation and assistance, at no additional cost to the Customer, in responding to any complaint, notice, communication, or Data Subject request.

9.5 The Processor must not disclose Personal Data to any Data Subject or third party except in accordance with the Customer’s written instructions, or as required by Indian law.

Term and Termination

This Agreement remains in force for as long as Equate Digital Media retains any Personal Data related to the Terms of Service Agreement. If changes in Indian data protection laws prevent either party from fulfilling their obligations, the Agreement may be terminated by giving notice.

Employees of Equate Digital Media

10.1 Equate Digital Media shall ensure that all its employees:

are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and restrictions regarding the use of Personal Data;
have undergone training on applicable Indian data protection laws, such as the Digital Personal Data Protection Act (DPDP Act) and other relevant data privacy regulations, related to the handling of Personal Data and how it pertains to their specific job responsibilities; and
are fully aware of Equate Digital Media’s obligations, as well as their own duties and responsibilities under any applicable Indian data protection laws and this Agreement.

11. Data Return and Destruction

11.1 Upon request, Equate Digital Media will provide the Customer or a nominated third party access to or a copy of the Personal Data in a specified format.

11.2 Upon termination of the Agreement or at the Customer’s request, Equate Digital Media will securely delete or return all Personal Data, retaining only one copy for audit purposes for up to six years.

11.3 If required by law, Equate Digital Media will notify the Customer of any mandatory retention of Personal Data, detailing the legal basis and timeline for deletion.

12. Records

12.1 Equate Digital Media will maintain accurate records of Personal Data processing activities, including access and security measures.

12.2 These records will be available to the Customer upon request.

13. Audit

13.1 Equate Digital Media will conduct annual audits of its data processing practices, including third-party vulnerability assessments.

13.2 Any audit findings will be addressed through a corrective action plan.

14. Warranties

14.1 Equate Digital Media warrants that:

All personnel handling Personal Data are trained in applicable laws.
It will process Personal Data in compliance with Indian data protection laws.
It will implement appropriate security measures to protect Personal Data.

14.2 The Customer warrants that its use of Personal Data complies with applicable laws.

15. Notice

15.1 Notices must be in writing, sent to: [email protected].

16. Governing Law

This Agreement will be governed by Indian law, with disputes settled in Delhi NCR.

17. Severability

If any provision is invalid, it will be modified minimally to reflect the parties’ intent, while the rest of the Agreement remains effective.

Schedule 1: Purposes and Details of Personal Data Processing

Introduction

Our company provides technology services aimed at supporting marketing teams and their agencies in creating, planning, targeting, purchasing, serving, measuring, and optimizing advertisements and campaigns.

As part of these services, the Customer collects and manages personal data through our platform and its associated technologies.

We also partner with third-party technology providers (listed below as sub-processors) to ensure that the collection, processing, and storage of personal data adhere to the relevant Indian data protection laws.

Data Sources and Collection Methods

Data Sources	Collection Method	Captured Data	User Consent
Pixel Tracking	The pixel provided by Equate Digital Media for use on the Customer’s website enables tracking of users on that site and allows first-party cookies to be set on the users’ devices.	The data collected, as specified by the Customer, may include: Name Email address Date of birth IP address (anonymized by default) Other online identifiers Telephone/mobile number Location data (not precise enough to identify specific addresses) The pixels also track and report user browsing behavior, including: Types of ads clicked Page abandonments or purchases Lead generation form submissions Additionally, the following data points may be captured: Browser, browser version, device type, operating system, User-Agent Date, time, and time zone Pages visited (URLs and titles) Screens viewed Referrer URL Marketing campaign URL parameters Physical address Files clicked and downloaded Links to external domains clicked Screen resolution Session recordings (including HTML pages and user interactions such as mouse movements, scrolls, clicks, and keypresses) Search terms used in the site’s search engine Custom dimensions and variables Custom events Content pieces JavaScript errors User ID E-commerce order ID and order date E-commerce abandoned carts Media titles and URLs Participation in A/B tests	User consent for tracking and data collection is obtained through a cookie consent opt-in mechanism on the Customer’s site. This consent is recorded using a third-party consent management platform.
Customer Records	Data collected directly from individuals by the Customer, independent of Equate Digital Media technology, and later shared with Equate Media.	The specific types of personal data collected are determined by the Customer and may include, but are not limited to: Name, Email Address, Date of Birth, Telephone/Mobile Number, and Transaction History.	Individuals must provide consent before their data can be shared with Equate Digital Media.
Call tracking technology provided by Nimbata	Nimbata’s tag assigns a unique phone number to users, enabling the tracking and logging of the call’s digital origin, which helps identify the source and user behavior. It also includes automatic call recording.	Nimbata’s tag also monitors and reports on browsing behavior, including campaign interactions, search keywords, and page views. Additionally, it captures information when calls are routed to the Customer’s agents through call recording and monitoring.	User consent for tracking and data collection is obtained through a cookie consent opt-in on the Customer’s site, with records managed via a third-party consent management platform.
Network Information	Information Supplied by Third-Party Aggregators	Insights on cohorts or groups for targeted advertising.	The aggregator supplies data for use in compliance with the Customer’s consent
Consolidated data	Generated by Equate Digital Media	A blend of the aforementioned data sources.	Data from the above sources is utilized in line with user consent and following a privacy impact assessment.

3. Data Transferred to AI Media and Storage

The Compliance Data Platform ensures that all data entering and exiting Equate Digital Media complies with Applicable Data Protection Laws.

4. Business Purpose

Personal Data is processed to allow Equate Digital Media to provide the Customer with insights on the effectiveness of their digital advertising campaigns. This enables the Customer and their marketing agency to identify target audiences likely to engage with the Customer’s digital marketing efforts and select digital advertising strategies that effectively generate new business.

Processing Duration

Type of Data	Duration of Retention	Purpose of Collection	Access Permissions	Data Security	Final Summary
Network Information	2 Years	Data sourced from third-party aggregators	Technology Department	Stored in a secure environment on encrypted drives	Secure Disposal
Pixel Information	15 Days	Data sourced from client websites	Technology Department	Stored in a secure environment on encrypted drives	Secure Disposal
Call Records	2 Years	Data obtained from call interactions related to client campaigns	Technology Department	Stored in a secure environment on encrypted drives	Secure Disposal
Combined Data	2 Years	Compile data from all sources for integration into the system	Technology Department	Stored in a secure environment on encrypted drives	Secure Disposal

Schedule 2 Standard Contractual Clauses
(APPLICABLE ONLY WHERE USE OF PERSONAL DATA IS GOVERNED BY INDIAN DATA PROTECTION LEGISLATION)

For the purposes of ensuring adequate safeguards concerning the protection of privacy and fundamental rights of individuals in the transfer of personal data to processors located in jurisdictions that may not ensure a comparable level of data protection.

The Customer (the data exporter) and Equate Digital Media (the data importer) hereby agree to the following Contractual Clauses (the Clauses) to establish appropriate safeguards for the protection of personal data as specified in Appendix 1.

Clause 1: Definitions

For the purposes of the Clauses:

‘Personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’, and ‘supervisory authority’ shall have the meanings defined in the applicable Indian data protection legislation.
‘The data exporter’ refers to the controller transferring personal data.
‘The data importer’ refers to the processor receiving personal data from the data exporter for processing as per the data exporter’s instructions and the terms of the Clauses, who is not subject to a jurisdiction providing adequate data protection.
‘The sub-processor’ means any processor engaged by the data importer or another sub-processor that agrees to receive personal data from the data importer or another sub-processor for processing on behalf of the data exporter.
‘Applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals concerning personal data processing in India.
‘Technical and organizational security measures’ means measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Clause 2: Details of the Transfer

2.1 The details of the transfer, including any special categories of personal data, are specified in Appendix 1, which is integral to the Clauses.

Clause 3: Third-party Beneficiary Clause

The data subject may enforce against the data exporter the rights outlined in this Clause, as well as Clauses 4(b) to (i), 5(a) to (e), and (g) to (j), 6(1) and (2), 7, 8(2), and Clauses 9 to 12.

The data subject may also enforce these rights against the data importer under similar conditions, particularly if the data exporter has ceased to exist or has become insolvent, unless a successor entity has assumed all obligations of the data exporter.

The data subject can enforce these rights against the sub-processor under the same conditions as stated above.

The parties do not object to a data subject being represented by an association or other body, as allowed by national law.

Clause 4: Obligations of the Data Exporter

The data exporter agrees and warrants:

That the processing of personal data has been and will continue to be compliant with applicable data protection law.
To instruct the data importer to process personal data solely on behalf of the data exporter and in line with applicable law and the Clauses.
That the data importer will provide sufficient guarantees regarding technical and organizational security measures as detailed in Appendix 2.
To ensure the security measures are adequate to protect against various forms of unlawful processing.
To inform data subjects, when applicable, about potential data transfers to jurisdictions lacking adequate protection.
To forward any notifications from the data importer or sub-processors to the supervisory authority.
To make copies of the Clauses available to data subjects upon request, excluding Appendix 2, and to provide a summary of security measures.
That sub-processing will only occur in accordance with Clause 11, ensuring equivalent protection for personal data.

Clause 5: Obligations of the Data Importer

The data importer agrees and warrants:

To process personal data only in compliance with the data exporter’s instructions and the Clauses; to promptly notify the data exporter if compliance cannot be achieved.
To notify the data exporter of any legislative changes that may adversely affect the obligations under the Clauses.
To implement the technical and organizational security measures as specified in Schedule 3 prior to processing personal data.
To notify the data exporter about any legally binding requests for disclosure of personal data, unauthorized access incidents, or direct requests from data subjects.
To handle inquiries from the data exporter concerning personal data processing and to comply with guidance from the supervisory authority.
To allow the data exporter to audit processing activities, conducted by a qualified independent body if necessary.
To provide a copy of the Clauses or existing sub-processor contracts upon request, excluding commercial information.
That sub-processing will only occur with prior written consent from the data exporter and that sub-processor agreements will be shared with the data exporter.

Clause 6: Liability

The parties agree that any data subject suffering damage due to breaches of Clauses 3 or 11 is entitled to seek compensation from the data exporter.

If a data subject cannot claim against the data exporter due to insolvency or legal cessation, the data importer agrees to allow claims against itself as if it were the data exporter.

The data importer cannot evade liability due to breaches by sub-processors.

If both the data exporter and data importer are unavailable for claims, the sub-processor will be liable for its processing operations under the Clauses.

Clause 7: Mediation and Jurisdiction

The data importer agrees that if a data subject invokes rights against it, it will accept the data subject’s decision to refer the dispute to mediation or the courts in India.

Clause 8: Cooperation with Supervisory Authorities

The data exporter agrees to provide a copy of this contract to the supervisory authority upon request.

The supervisory authority has the right to conduct audits of the data importer and any sub-processors, similar to audits applicable to the data exporter.

The data importer must promptly inform the data exporter of any legal barriers preventing such audits.

Clause 9: Governing Law

The Clauses shall be governed by the laws of India.

Clause 10: Variation of the Contract

The parties agree not to vary or modify the Clauses. However, this does not preclude the addition of clauses on business-related matters, provided they do not contradict the existing Clauses.

Clause 11: Sub-processing

The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. If the data importer subcontracts its obligations under the Clauses, it shall do so only through a written agreement with the sub-processor, which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. The data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations.

The prior written agreement between the data importer and the sub-processor shall include a third-party beneficiary clause, as outlined in Clause 3, in cases where the data subject cannot bring a claim for compensation due to the disappearance or insolvency of the data exporter or importer. The sub-processor’s liability shall be limited to its processing operations under the Clauses.

The provisions related to data protection aspects for sub-processing shall be governed by the laws of India.

The data exporter shall maintain a list of sub-processing agreements concluded under the Clauses, updated at least annually, which shall be accessible to the data exporter’s data protection authority.

Clause 12: Obligation after Termination of Personal Data Processing Services

Upon termination of data-processing services, the data importer and sub-processor shall, at the data exporter’s discretion, return all personal data and copies to the data exporter or destroy all personal data and certify this destruction. If legislation prevents the return or destruction of data, the data importer shall ensure the confidentiality of the personal data and cease active processing.

The data importer and sub-processor agree to submit their data-processing facilities for an audit upon request by the data exporter and/or supervisory authority.

Appendix 1 to the Standard Contractual Clauses (Schedule 2)

This Appendix is part of the Clauses and must be completed and signed by the parties.

Data Exporter – Customer

Data relating to individuals is collected by the Customer using services provided by Equate Digital Media and its sub-processors, and this data is transferred for analysis and processing.

Data Importer: Equate Digital Media

The Data Importer and its sub-processors provide technology services to help marketing teams create, plan, target, buy, serve, measure, and/or optimize ads and campaigns.

Data Subjects: The personal data transferred concerns:

Individuals interacting with the Customer’s digital marketing on web or mobile platforms, or who contact the Customer through digital marketing channels.

Categories of Data: The personal data transferred may include:

Name
Email address
Date of birth
IP address (stored anonymized by default)
Other online identifiers
Telephone/mobile number
Non-precise location data
Browsing behavior
Device and browser information
Marketing campaign data
Ecommerce transaction data
And other data specified by the Customer.

Special Categories of Data: The parties do not anticipate the transfer of special categories of data.

Processing Operations: The data will be analyzed to determine the effectiveness of digital marketing efforts, assisting the Customer in optimizing future campaigns.

Appendix 2 to the Standard Contractual Clauses at Schedule 2

This Appendix is part of the Clauses.

Description of Technical and Organizational Security Measures: See Schedule 3 to the Agreement for details.

Schedule 3: Security Measures

Equate Digital Media observes the following security measures:

a) Access Control

Outsourced Processing: Services are hosted by cloud infrastructure providers, with contractual obligations to ensure data protection compliance.
Physical Security: Infrastructure providers are audited for compliance with relevant standards.
Authentication and Authorization: Robust user authentication and role-based access controls are implemented.

b) Data Security Measures

Transmission Control: HTTPS encryption for data in transit; data at rest is encrypted.
Input Control: Logging of system behavior and responses to security incidents.
Availability Control: Measures to ensure high availability and redundancy of infrastructure.

The products offered by Equate Digital Media are engineered to provide redundancy and enable seamless failover. The server instances that underpin these products are structured to eliminate single points of failure. This architecture supports Equate Digital Media in maintaining and updating its product applications and backend, thereby minimizing downtime.