Data Processing Addendum
July 2025
This Data Processing Addendum (“DPA”) is entered into between 2060 Digital, LLC (“Vendor”), and the counterparty listed in the signature block of the Proposal (“Client”) (each, a “Party” and collectively, the “Parties”). This DPA supplements and forms part of the Master Services Terms and Conditions (the “Agreement”) in which Vendor Processes and/or Collects Personal Data (as defined below) from or on behalf of Client. This DPA will be effective as of the last signature date listed in the Attachments (the “Effective Date”). Capitalized terms not otherwise defined in this DPA shall have the meanings ascribed to them in the Agreement.
1. Definitions.
“Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity. As used in this definition, “control” means ownership of, control of, or power to vote twenty-five (25) percent or more of the outstanding shares of any class of voting security of the entity, directly or indirectly, or acting through one or more other persons.
“Business Purpose” means the Services described in the Agreement and any SOW, or any other purpose specifically identified in Exhibit 1.
“Client Personal Data” means any Personal Data obtained by or provided to Vendor and Processed by Vendor (or a Sub-processor) in the course of providing the Services to Client under the Agreement.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data transmitted, stored or otherwise processed.
“Data Protection Laws” means all applicable privacy, security, and data protection laws, rules, regulations, and regulatory guidance applicable to Vendor’s Processing of Client Personal Data under the Agreement.
“Deidentified Data” means data created using Client Personal Data that cannot reasonably be used to infer information about or otherwise be linked to an Individual, directly or indirectly.
“Individual” means an identified or identifiable natural person to whom Personal Data relates, directly or indirectly, and includes “consumer,” as such term is defined under Data Protection Laws.
“Law” or “Laws” means all applicable federal, country, state, provincial, regional, territorial or local laws, and other laws, rules, and regulations (including, but not limited to, Data Protection Laws), ordinances, interpretive letters, and other official releases of or by any authority, decrees, orders, and codes (including any requirements for permits, certificates, approvals, and inspections), as the same are promulgated, supplemented, and/or amended from time to time.
“Personal Data” means any data or information that: (i) identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual; or (ii) is otherwise “personal information,” “personally identifiable information,” “personal data,” or similarly defined data or information under Data Protection Laws.
“Sub-processor” means any person (including any entity or individual but excluding an employee of Vendor) appointed by or on behalf of Vendor to Process Client Personal Data in connection with providing the Services.
The terms “Business”, “Controller”, “Processing”, “Processor”, “Sale”, “Share”, and “Service Provider” shall have the same meaning assigned to them under Data Protection Laws. The term “Controller” is deemed to include “Business,” and the term “Processor” is deemed to include “Service Provider.”
2. Roles. Client and Vendor acknowledge and agree that to the extent Data Protection Laws apply to the Processing of Client Personal Data under the Agreement, Client is the Controller, and Vendor is the Processor. For the avoidance of doubt, this DPA does not relieve either Party from the liability imposed on it under Data Protection Laws by virtue of its role in the Agreement and this DPA.
3. Client Obligations. Client shall provide all instructions to Vendor in writing. The instructions are set forth in the Agreement, this DPA, and any SOW and may be supplemented in writing consistent with the terms of the Agreement from time to time. Client has the sole responsibility for the accuracy, quality, and legality of Client Personal Data and the means by which Client acquires Client Personal Data and shares Client Personal Data with Vendor. Client will use the Services in compliance with all applicable Laws.
4. Vendor Obligations.
a. Vendor will only Process Client Personal Data on behalf of Client for Business Purposes, unless required to do so by applicable Law, in which case Vendor shall, without undue delay, notify Client of such requirement, unless prohibited from doing so under applicable Law. The instructions set forth in this DPA, the Agreement, any SOW, or other duly documented instructions (which may be provided by email) are Client’s complete instructions to Vendor for the Processing of Client Personal Data. The Parties acknowledge and agree that Client is disclosing Client Personal Data to Vendor only for Business Purposes.
b. Vendor will not: (i) retain, use, or disclose Client Personal Data for any commercial purpose other than the Business Purposes, unless expressly permitted by Data Protection Laws; (ii) Sell or Share Client Personal Data; (iii) retain, use, or disclose Client Personal Data outside of the Parties’ direct business relationship, unless expressly permitted by Data Protection Laws; or (iv) combine or update Client Personal Data with Personal Data collected from its own interaction with an Individual or as received from another source, unless expressly permitted by Data Protection Laws. Vendor certifies that it understands these provisions.
c. Vendor shall, without undue delay, refer any requests received from regulators or other governmental entities (“Government Authorities”) regarding Client Personal Data to Client. Unless otherwise required by Law, Vendor shall not disclose any Client Personal Data to Government Authorities without Client’s prior written consent.
d. Vendor shall notify Client, without undue delay, if it determines that it is no longer able to comply with its obligations under Data Protection Laws.
e. Client shall have the right to take reasonable and appropriate steps to ensure that Vendor uses Client Personal Data in a manner consistent with Client’s obligations under Data Protection Laws, and to stop and remediate any such unauthorized use, including without limitation in accordance with the process set forth in Section 6 below.
f. Assistance. Where applicable, taking into account the nature of the Services, and to the extent required under Data Protection Laws, Vendor shall provide reasonable assistance to Client with (i) fulfilment of the Client’s obligation to respond to requests from Individuals to exercise their rights under the Data Protection Laws, to the extent that Client is unable to fulfil such requests using Client’s self-service features, (ii) any data protection assessments, and (iii) any investigations by competent Government Authorities, in each case solely in relation to Vendor’s Processing of Client Personal Data. Upon request, which shall be made no more than once every twelve (12) months, Vendor shall provide to Client all information reasonably necessary to demonstrate compliance with Data Protection Laws and this DPA.
5. Technical and Organizational Measures. Vendor shall provide Client Data with at least the same level of privacy protection as required by Data Protection Laws. Vendor represents and warrants that it has implemented and maintains appropriate technical and organizational measures that provide a level of security appropriate to its Processing Activities and the Services, as set forth in Exhibit 2.
6. Vendor Personnel. Vendor shall inform its personnel engaged in the Processing of Client Personal Data of the confidential nature of Client Personal Data and require such personnel to maintain the confidentiality of Client Personal Data.
7. Data Breach. Vendor shall, to the extent permitted by Law, notify Client without undue delay if it becomes aware of a Data Breach affecting Client Personal Data. Such notification shall provide Client with sufficient information and documentation to allow Client to meet any obligations to report or inform Individual(s) and/or Government Authorities of the Data Breach, if required under Data Protection Laws. The notification, at a minimum, shall include: (i) the types of Client Personal Data that were or are reasonably believed to be the subject of the Data Breach; (ii) the date or estimated date of the Data Breach; (iii) a general description of the Data Breach; and (iv) the steps Vendor has taken to remediate the Data Breach. Vendor will continuously supplement the information provided to Client as additional information becomes available to it regarding the Data Breach. If it is determined that Vendor or a Sub-processor is responsible for the Data Breach, Vendor shall review the applicable technical and organizational measures and, if needed, make appropriate changes to prevent such Data Breach from occurring in the future. Vendor agrees that it shall not inform any third party of a Data Breach without first obtaining Client’s prior written consent (other than notifying Vendor’s legal counsel or other providers engaged in connection with remediation of the Data Breach). Further, Vendor agrees that Client shall have the sole right to determine: (i) whether notice of the Data Breach is to be provided to any Individuals, Governmental Authorities, law enforcement agencies, or others as required by Law; and (ii) the contents of such notice, whether any type of remediation may be offered to affected Individuals, and the nature and extent of any such remediation. Vendor shall be responsible for all costs arising from such Data Breach determined to be caused by or the fault of Vendor or a Sub-processor.
8. Sub-processing.
a. Client hereby approves the Sub-processors currently engaged by Vendor and that are listed in Exhibit 3.
b. Vendor shall post any updates to its list of Sub-processors at www.2060digital.com/DPA. In the event that Vendor objects to the addition of a Sub-processor, Vendor and Client shall work together in good faith to resolve the objection. If the Parties are unable to agree on a resolution, notwithstanding anything in the Agreement, Client may, by written notice to Vendor, terminate the Agreement to the extent it relates to the Services that require use of the Sub-processor at issue.
c. Vendor shall enter into a written agreement with each Sub-processor that complies with Data Protection Laws and imposes data protection obligations that are no less protective of Client Personal Data than Vendor’s obligations under this DPA. Vendor will remain responsible for Sub-processors’ compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor as if they were Vendor’s acts or omissions.
9. Deletion or Return of Client Personal Data. Vendor shall, without undue delay and at Client’s election, return to Client, or destroy, to the extent permitted by Law, Client Personal Data upon Client’s written request or the termination or expiration of the Agreement. Vendor may retain Client Personal Data to the extent required by the Laws to which Vendor is subject, or if Client Personal Data resides in backup archives, Vendor will continue to protect the security and confidentiality of such retained Client Personal Data in accordance with the Agreement and this DPA.
10. Deidentified Data. To the extent Vendor collects on behalf of Client, or receives from Client Deidentified Data or pseudonymized data (as those terms are defined under applicable Data Protection Laws) (collectively, “D&P Data”) or to the extent the Agreement permits Vendor to render Client Personal Data into D&P Data, Vendor shall implement such deidentification or pseudonymization in accordance with Data Protection Laws. In addition, for Deidentified Data, Vendor shall: (i) take reasonable measures to ensure that the information cannot be linked, attributed, or otherwise associated with a consumer, household, or device (including implementing and maintaining technical and administrative safeguards that prohibit reidentification of the Deidentified Data); (ii) publicly commit to maintain and use the Deidentified Data in deidentified form and not to attempt to reidentify the Deidentified Data; and (iii) contractually obligate any recipients of the Deidentified Data to comply with all provisions of this Section 10.
11. General.
a. Indemnification. Indemnification under this DPA is subject to the indemnification section(s) of the Agreement.
b. Limitation of Liability. Each Party’s liability, taken together in the aggregate, arising out of or relating to this DPA, shall be subject to the exclusions and limitations of liability set forth in the Agreement.
c. Precedence. In the event of a conflict between the terms of this DPA, SOW(s), and the Agreement with respect to the subject matter herein, the following order of precedence shall apply: (i) this DPA; (ii) the Agreement; (iii) SOW(s).
d. Third Party Beneficiaries. Notwithstanding any other provisions of the Agreement, the Parties agree that Client’s Affiliates are intended third party beneficiaries of this DPA and that this DPA is intended to inure to the benefit of such Affiliates. Without limiting the foregoing, Client Affiliates will be entitled to enforce the terms of this DPA as if each was a signatory to this DPA. Client also may enforce this DPA on behalf of Client Affiliates (instead of Client Affiliate(s) separately bringing a cause of action against Vendor).
e. Changes in Data Protection Laws. If any amendment is required for this DPA as a result of a change in applicable Law (including Data Protection Laws), then either Party may provide written notice to the other Party of that change in Law. The parties will discuss and negotiate in good faith any necessary amendment to the Agreement or this DPA to address such changes. If either Party gives notice under this Section 11, the Parties shall without undue delay discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the notice as soon as is reasonably practicable. If the Parties fail to amend the Agreement or this DPA in accordance with this Section 11, the notifying Party may terminate the Agreement upon written notice to the other Party.
f. Term. The term of this DPA will end simultaneously and automatically at the later of: (i) the termination of the Agreement; or (ii) when all Client Personal Data is deleted from Vendor’s systems.
g. Jurisdiction and Governing Law. The Parties hereby submit to the choice of law and jurisdiction in the state of Ohio with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination, or the consequences of its nullity.
h. Survival. The obligations set forth herein will survive termination of the Agreement and DPA for as long as Vendor Processes or stores Client Personal Data.
i. Severability. Should any provision of this DPA be deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
j. Exhibits. All Exhibits to this DPA are hereby incorporated by reference into, and made a part of, this DPA.
EXHIBIT 1
Description of Processing
Categories of individuals whose Personal Data is Processed: The categories of data subjects may include Client’s customers or prospective customers.
Categories of Personal Data Processed: The categories of Personal Data may include as follows: name, email address, street address, zip code, telephone number, IP address.
The frequency of the Processing: Continuous for as long as Client uses the Services.
Nature of the Processing: Vendor will collect, receive, store, retain, transmit, delete (as provided in this DPA, the Agreement, and/or SOW(s)), use, and otherwise Process Client Personal Data as needed to provide the Services.
Purpose(s) of the Processing: The provision of advertising and marketing services, as described in more detail in the Proposal, SOWs, and Master Terms and Conditions.
The period for which the Client Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Vendor will Process Client Personal Data for as long as required to provide the Services.
EXHIBIT 2
Technical and Organizational Measures
Vendor implements and maintains policies and procedures that include appropriate technical and organizational measures to ensure a level of security appropriate to: (i) protect the security, confidentiality, and integrity of Client Personal Data; and (ii) protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of Client Personal Data. Vendor regularly monitors, evaluates, and assesses the effectiveness of the technical and organizational measures implemented. Vendor’s technical and organizational measures include:
Access Controls: Vendor implements the following access controls with respect to Client Personal Data:
Access to Client Personal Data is restricted to Vendor personnel authorized to have such access in accordance with their job function and based on the principle of “least privilege.”
Vendor maintains account creation and deletion procedures, with appropriate approvals, for each personnel role.
Vendor maintains a record of personnel security privileges for those personnel that have access to Client Personal Data.
Vendor reviews personnel access rights at regular intervals and makes adjustments as necessary.
Each account from which Client Personal Data can be accessed is attributable to a single user with a unique ID which is authenticated through a password or another authentication method.
Vendor uses industry-standard practices to identify and authenticate users who attempt to access its information systems, including multi-factor authentication.
Physical Security: Vendor implements the following physical security measures with respect to Client Personal Data:
All devices are secured with a password/PIN screen lock with the automatic activation feature.
Access to locations where Client Personal Data is processed or stored is limited to authorized personnel only.
Visitors to locations where Client Personal Data is processed or stored are required to sign a visitor register and are escorted at all times.
Vendor facilities are monitored 24/7.
Network Security: Vendor’s network employs the following safeguards:
Vendor maintains security controls designed to detect and mitigate attacks by use of network layer firewalls and intrusion detection/prevention systems (IDS/IPS).
All network traffic passes through firewalls, which are monitored at all times.
Vendor maintains management procedures that provide a consistent approach for controlling, implementing, and documenting changes for information systems.
Endpoint protection, including anti-virus and anti-malware, is implemented on all endpoints.
When remote connectivity to Vendor’s network is required, Vendor uses VPN servers for remote access over a connection encrypted with 256-bit encryption.
Vendor employs multi-factor authentication for administrative interfaces and for all access to Vendor systems and applications.
Vulnerability and Patch Management: All Vendor devices are configured for automatic patching, and application security patches are installed without unreasonable delay. Vendor conducts regular testing and monitoring of the effectiveness of safeguards, controls, and systems, including penetration testing.
Encryption: Vendor encrypts Client Personal Data as follows:
Vendor shall use encryption certified against U.S. Federal Information Processing Standard 140-2, Level 2, or equivalent industry standard.
Vendor shall encrypt at rest using solutions that are certified against U.S. Federal Information Processing Standard 140-2, Level 2, or equivalent industry standard, and verify that the encryption keys and any keying material are not stored with any associated data.
In the event Vendor uses a cloud-based environment to store Client Personal Data, Vendor must only use United States-based providers whose dedicated cloud-based environment encrypts data at rest.
Personnel: Vendor employs the following administrative safeguards for its personnel:
All Vendor personnel undergo privacy and data security training, upon hiring, and annually thereafter.
Vendor informs its personnel of relevant security procedures and their roles and ensures that all personnel sign a confidentiality agreement or are subject to statutory obligations of confidentiality.
Personnel that fail to comply with Vendor’s information security policies, practices, and procedures may be subject to disciplinary action, up to and including termination.
Vendor maintains procedures for revoking or changing access in response to termination or changes in job functions.
Sub-processors: Vendor employs the following safeguards with respect to any Sub-processors that access, store, or transmit Client Personal Data on its behalf:
Due diligence is conducted on all Sub-processors who may gain access to, store, or transmit Client Personal Data in accordance with the DPA.
Sub-processor physical and electronic access to Client Personal Data is terminated no later than the date of separation or to a role no longer requiring access to Client Personal Data.
Vendor has agreements with all Sub-processors who may gain access to, store, or transmit Client Personal Data that require compliance with Vendor’s information security requirements.
Business Continuity: Vendor maintains a disaster recovery and business continuity program for systems and facilities used to provide services. Such program is designed to ensure that Vendor is able to continue providing services after its systems are damaged, destroyed, or otherwise unavailable for use. Vendor’s disaster recovery and business continuity program is tested on an annual basis.
Incident Management: Vendor maintains an incident management plan designed to promptly identify, prevent, investigate, mitigate, and address the impact of security incidents.