
Next Millennium Media Publisher Data Processing Agreement

Date: December 13, 2024

This Next Millennium Media Publisher Data Processing Agreement and its Annexes (“DPA”) between the Publisher (as defined below), and Next Millennium Media (the “Parties”) reflects the parties’ agreement with respect to the Processing of Personal Data as a Processor by Next Millennium Media in connection with the Next Millennium Media Services under the Next Millennium Media Inc Terms and Conditions (the “Terms and Conditions”) available at https://nextmillennium.com/next-millennium-media-inc-terms-and-conditions-2024/ and dated December 13, 2024 between You and Next Millennium Media.

The Parties acknowledge that the Publisher will provide Next Millennium Media with Personal Data and that the purposes of the Processing Next Millennium Media undertakes are to provide Publisher’s End Users with targeted advertising and to provide Publisher with statistics and reports related to such advertising.

This DPA is incorporated into, and forms part of the Terms and Conditions, both of which shall be hereinafter collectively referred to as “the Agreement,” “this Agreement,” or “Agreement.”

The term of this DPA will follow the term of the Agreement.

1. Scope:

The parties agree that this DPA only applies to the Processing of Personal Data by Next Millennium Media for the purposes of providing Publisher’s End Users with targeted advertising and to provide Publisher with statistics and reports related to such advertising.

2. Definitions:

Unless stated otherwise, these definitions apply only to this DPA. Similar terms in other agreements between the Parties (including the Terms and Conditions) have the meaning defined in those respective agreements, or are meant to be undefined within those agreements and shouldn’t necessarily be understood to mean the same thing as similar terms defined in other agreements.

“AdTech Ecosystem” means the digital marketplace that Next Millennium and Publisher are a part of which connects software, tools, and platforms used to buy, sell, and manage digital advertising. The AdTech Ecosystem is composed of Advertisers, Ad Agencies, Demand Side Platforms (DSPs), Data Management Platforms (DMPs), Ad Exchanges, Supply Side Platforms (SSPs), Ad Servers, and Publishers among possible other entities.

“California Personal Information” means Personal Data that is subject to the protection of the CCPA.

"CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 or "CPRA").

"Consumer", "Business", "Sell", "Third Party", “Contractor”, “Service Provider”, and "Share" will have the meanings given to them in the CCPA.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Customer Data” means End User data processed by the parties.

"Data Privacy Framework" means the EU-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced.

“Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework; as may be amended, superseded or replaced.

“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in their role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA and other applicable U.S. federal and state privacy laws, in each case as amended, repealed, consolidated or replaced from time to time.

“Data Subject” means the individual to whom Personal Data relates.

“End User” means an individual who accesses the website(s) or application(s) provided by the Publisher on which the advertisements shall run.

"Europe" means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.

“European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

"European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) applicable national implementations of (i); (iii) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (iv) Swiss Federal Act on Data Protection and its Ordinance ("Swiss DPA").

“Insertion Order (“IO”)” has the same meaning assigned to it as in the Next Millennium Media Inc Terms and Conditions available at https://nextmillennium.com/next-millennium-media-inc-terms-and-conditions-2024/ and dated December 13, 2024.

“Instructions” means the written, documented instructions issued by a Controller to a Processor, or a Processor to a Sub-Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

“Personal Data” means any information relating to an identified or identifiable individual where (i) such information is contained within Customer Data; (ii) such information is shared with our other customers in the AdTech Ecosystem to provide your website or application End Users with targeted advertising; and (iii) is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by either or both of the Parties and/or their Sub-Processors in connection with the provision of the Services. "Personal Data Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Processing” means any operation or set of operations which is performed on data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of a Controller.

“Services” or “Service” has the same meaning assigned to “Services” in the Next Millennium Media Inc Terms and Conditions available at https://nextmillennium.com/next-millennium-media-inc-terms-and-conditions-2024/ dated December 13, 2024.

“Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914, as may be amended, superseded or replaced.

“Sub-Processor” means any Processor engaged by us to assist us in exercising our rights or fulfilling our obligations in connection with the Services under the Agreement. Sub-Processors may include third parties but will exclude any of our employees or consultants.

“UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.

"We", "us" or “our” means Next Millennium Media.

"You", "your," “Publisher” or “Customer” means the “Publisher” as defined in the Next Millennium Media Inc Terms and Conditions available at https://nextmillennium.com/next-millennium-media-inc-terms-and-conditions-2024/ and dated December 13, 2024.

3. Responsibilities:
    1. Compliance with Instructions. When conducting in scope processing of the Personal Data, Next Millennium Media will only Process it for the purposes described in this DPA within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law.
      1. Publisher hereby instructs Next Millennium Media to process Personal Data in any and all ways that Next Millennium Media determines are reasonable in order to fulfill the purposes of providing Publisher’s End Users with targeted advertising and to provide Publisher with statistics and reports related to such advertising.
    2. Conflict with Laws. If Next Millennium Media becomes aware that we cannot Process Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, Next Millennium Media will (i) promptly notify you of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing of Personal Data (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new Instructions with which Next Millennium Media is able to comply. If this provision is invoked, Next Millennium Media will not be liable to you under the Agreement, or any Insertion Orders related to the Terms and Conditions or under any theory whatsoever for any failure to perform the Services until such time as you issue new lawful Instructions with regard to the Processing of Personal Data.
    3. Security. Next Millennium Media will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Annex 2 to this DPA ("Security Measures"). Notwithstanding any provision to the contrary, Next Millennium Media may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.
    4. Confidentiality. Next Millennium Media will ensure that any personnel who we authorize to Process Personal Data is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.
    5. Personal Data Breaches. Next Millennium Media will notify you without undue delay after we become aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by you. At your request, we will promptly provide such reasonable assistance as necessary to enable notification to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.
    6. Deletion or Return of Personal Data. Next Millennium Media will delete or return all Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of the Agreement. This will apply except where we are required by applicable law to retain some or all of the Personal Data, or where we have archived Personal Data on back-up systems, which data we will securely isolate and protect from any further Processing and delete in accordance with our deletion practices.

If you need help retrieving Personal Data during the term of the Agreement, we will provide reasonable assistance to you in retrieving such data.

4. Data Subject Requests:

To the extent that you are unable to independently address a data subject request pursuant to applicable Data Protection Laws, and we are not otherwise bound by any other agreement or law to assist you, then upon your written request to us, we will provide reasonable assistance to respond to any data subject requests or requests from data protection authorities relating to the in scope Processing of Personal Data. You shall reimburse us for the commercially reasonable costs arising from this assistance.

5. Sub-Processors:
    1. We may engage Sub-Processors to Process Personal Data on our behalf, and may do so in three ways. First, we may engage Sub-Processors to assist us with hosting and infrastructure. Second, we may engage with Sub-Processors to assist us with creating work-product, or to support or provide product features and integrations. Third, we may engage Sub-Processors to assist us in providing targeted advertising to your End Users.
    2. The parties agree that we have currently appointed, as Sub-Processors, the third parties listed in Annex 3 to this DPA. We agree that we shall send you notification by email if we add or replace any Sub-Processors at least 30 days before the addition or replacement.
    3. We shall give you the opportunity to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Personal Data within 7 days of being notified. In the case of such an objection, the parties will discuss their concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, we may, at our sole discretion, either not appoint the new Sub-Processor, or may permit you to suspend or terminate the Service without liability to either party (but without prejudice to any fees incurred prior to suspension or termination).
    4. Where we engage Sub-Processors, we will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. We agree that, subject to Section VII of the Terms and Conditions, we will be responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of our obligations under this DPA.
6. Data Transfers:

You agree that we may access and Process Personal Data on a global basis as necessary to exercise our contractual rights, or fulfill our contractual obligations, and in particular that Personal Data may be transferred to and/or Processed in the United States and/or transferred to other jurisdictions where we or our Sub-Processors have operations. Wherever Personal Data is transferred outside its country of origin, we will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

7. Demonstration of Compliance:

We will make all information reasonably necessary to demonstrate compliance with this DPA available to you and allow for and contribute to audits, including inspections conducted by you or your auditor in order to assess compliance with this DPA, where required by applicable law. Further, at your written request, we will provide written responses (on a confidential basis) to all reasonable requests for information made by you necessary to confirm our compliance with this DPA, provided that you will not exercise this right more than once per calendar year unless you have reasonable grounds to suspect our non-compliance with this DPA. Under no circumstances shall Next Millennium Media be responsible for payment to any auditors you may engage for any audit.

8. Additional Provisions for European Data:
    1. Scope. This 'Additional Provisions for European Data' section will apply only with respect to European Data.
    2. Roles of the Parties. When Processing European Data in accordance with Instructions, the parties agree that you are a Controller and we are a Processor.
    3. Instructions. If we believe that your Instructions infringe European Data Protection Laws (where applicable), we will inform you without delay.
    4. Data Protection Impact Assessments. To the extent that the required information is reasonably available to us and you do not otherwise have access to the required information, we will provide reasonable assistance to you with any data protection impact assessments.
    5. Transfer Mechanisms for Data Transfers.
      1. We agree that we will not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for European Data (within the meaning of applicable European Data Protection Laws), unless we first take all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) (1) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for European Data, including the Data Privacy Framework; (2) to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws; or (3) to a recipient that has executed the Standard Contractual Clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.
      2. The Parties acknowledge that in connection with the performance of the Services we provide, we may be a recipient of European Data. To the extent that we receive European Data, we will comply with the Standard Contractual Clauses which are incorporated by reference and form part of this DPA as follows:
        1. In relation to European Data that is subject to the GDPR (i) you are the "data exporter" and we are the "data importer"; (ii) Module Two terms apply because you are a Controller and we are a Processor of European Data; (iii) in Clause 7, the optional docking clause applies; (iv) in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with the ‘Sub-Processors’ section of this DPA; (v) in Clause 11, the optional language is deleted; (vi) in Clause 17, Option 2 applies, and for Clauses 17 and 18, the parties agree that the governing law and forum shall be the Republic of Ireland (without reference to conflicts of law principles); (vii) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; (viii) the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR; and (ix) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA the Standard Contractual Clauses will prevail to the extent of such conflict.
        2. In relation to European Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with sub-section (1) and the following modifications: (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum which will be incorporated by reference and form an integral part of this DPA; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in section (1) and in the Annexes of this DPA and Table 4 will be deemed completed by selecting “neither party”; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
        3. In relation to European Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with sub-section (1) and the following modifications: (i) references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA; (ii) references to "EU", "Union" and "Member State law" will be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" will be replaced with the "Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland".
        4. If we cannot comply with our obligations under the Standard Contractual Clauses or the UK Addendum (as applicable), or are in breach of any warranties under the Standard Contractual Clauses or UK Addendum (as applicable) for any reason, and you intend to suspend the transfer of European Data to us, you agree to provide us with reasonable notice to enable us to cure such non-compliance and to reasonably cooperate with us to identify what additional safeguards, if any, may be implemented to remedy such non-compliance. If we have not or cannot cure the non-compliance, you may suspend or terminate the related Insertion Order without liability to either party (but without prejudice to any fees you have incurred prior to such suspension or termination).
9. Additional Provisions for California Personal Information:
    1. Scope. The 'Additional Provisions for California Personal Information' section of the DPA will apply only with respect to California Personal Information.
    2. Roles of the Parties. When Processing California Personal Information in accordance with your Instructions, we acknowledge and agree that we are either a “Service Provider,” “Contractor” or “Third Party” for the purposes of the CCPA.
    3. Responsibilities. We certify that we will Process California Personal Information only as permitted by the CCPA.
    4. Compliance. We agree that we will (i) comply with obligations applicable to us in our role under the CCPA and (ii) provide California Personal Information with the same level of privacy protection as is required by the CCPA. Additionally, we will notify you if we make a determination that we can no longer meet our obligations under the CCPA.
    5. CCPA Audits. You will have the right to take reasonable and appropriate steps to help ensure that we use California Personal Information in a manner consistent with your obligations under the CCPA. Upon notice, you will have the right to take reasonable and appropriate steps to stop and/or remediate unauthorized use of California Personal Information. Under no circumstances shall Next Millennium Media be responsible for payment to any auditors you may engage for any audit.
10. Conflict: In the event that there is a conflict between any provisions of this DPA and any other provision(s) of the Agreement or any Insertion Order(s) related to the Terms and Conditions, the provisions of this DPA shall govern.

 

Annex 1 - Details of Transfers

1. List of Parties:

Data exporter:

Name: The “Publisher” as set out in the Next Millennium Media Inc Terms and Conditions.

Address: The Publisher's address (or “Notice Address”) as set out in the “Publisher (or “Media Company”) Notice and Payment Information” section of the latest Insertion Order executed by the Parties or if there is no such Insertion Order then as set out in their Next Millennium online account.

Contact person’s name, position and contact details: The name, position/title, and email address (if available) of the person who signed on behalf of the Publisher in the latest Insertion Order executed by the Parties, or if there is no Insertion Order, the name, position/title, and email address of the person who created the Next Millennium online account and whose information is stored in that account. If contact person’s email is not specifically stated in the latest Insertion Order executed between the Parties, then the email address located in the “Publisher (or “Media Company”) Notice and Payment Information” section of the Insertion Order may be used.

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with providing Exporter’s End Users with targeted advertising and to provide Exporter with statistics and reports related to such advertising.

Role (controller/processor): Controller

Data importer:

Name: Next Millennium Media

Address: One World Trade Center, Suite 8506, New York, NY 10007

Contact person’s name, position and contact details: Joe Gutman, Chief of Staff, Next Millennium Media, privacy@nextMillennium.io, Tel: 212-727-0006

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with providing Exporter’s End Users with targeted advertising and to provide Exporter with statistics and reports related to such advertising.

Role (controller/processor): Processor

2. Description of Transfer:
A. Categories of Data Subjects whose Personal Data is Transferred:
End Users whose data is retrieved using cookies, pixels, or other technologies.
B. Categories of Personal Data Transferred:
End User Personal Data retrieved using cookies, pixels, or other technologies to be used for purposes related to targeted advertising which may include but is not limited to the following:
  1. Demographic data,
  2. Content,
  3. Service use data,
  4. Website browsing data,
  5. Device connectivity data,
  6. Device configuration data,
  7. IP Addresses,
  8. Any other personal data contained within bid requests.
C. Sensitive Data transferred and applied restrictions or safeguards:

The parties do not anticipate the transfer of sensitive data.

D. Frequency of the transfer:

Continuous

E. Nature of the Processing:

Personal Data will be Processed as follows:

  1. Transfer, storage and other processing necessary to provide Exporter’s End Users with targeted advertising.
  2. Disclosure in accordance with this DPA and/or as compelled by applicable laws.
F. Purpose of the transfer and further processing:

Processing of Personal Data in connection with providing Exporter’s End Users with targeted advertising and to provide Exporter with statistics and reports related to such advertising.

G. Period for which Personal Data will be retained:

Subject to the 'Deletion or Return of Personal Data' section of this DPA, Next Millennium Media will retain Personal Data for so long as it is needed to fulfill its purposes, or as required by law, unless otherwise agreed in writing.

Annex 2 - Security Measures

Next Millennium Media currently observes the security measures described herein:

1. Access Control:
A. Preventing Unauthorized Access:
  1. Vendors: Next Millennium Media maintains contractual relationships with vendors that have access to Personal Data which require their vendors to protect Personal Data. Next Millennium Media relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
  2. Authentication: Next Millennium Media implements a password policy for access to their systems. All users must authenticate before accessing Personal Data.
  3. Authorization: Next Millennium Media ensures that authorization to data sets is performed through validating the user’s permissions against the permissions associated with each data set.
  4. Application Programming Interface (API) access: Any of Next Millennium Media’s public APIs must be accessed using an API key or through OAuth authorization.
  5. Access controls: Next Millennium Media’s network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching their product infrastructure.
  6. Intrusion detection and prevention: Next Millennium Media implements a Web Application Firewall (WAF) solution to protect its internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
  7. Static code analysis: Code stored in Next Millennium Media’s source code repositories is checked for best practices and identifiable software flaws.
B. Limitations of Privilege & Authorization Requirements:
  1. Product access: A number of Next Millennium Media’s staff members have access to the Customer Data via controlled interfaces. Next Millennium Media’s intent of providing access to staff members is to provide effective customer support, product development and research, to troubleshoot potential problems, to detect and respond to security incidents and implement data security.
  2. Background checks: Where permitted by applicable law, Next Millennium Media’s staff members undergo third-party background or reference checks. All staff members are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
2. Transmission Control:
  1. In-transit: Next Millennium Media requires HTTPS encryption (also referred to as SSL or TLS) or equally strong encryption for all Personal Data in transit. Implementations of any encryption technology must use industry standard algorithms and certificates.
  2. At-rest: Next Millennium Media stores user passwords following policies that follow industry standard practices for security. Next Millennium Media has implemented technologies to ensure that stored Personal Data is encrypted at rest.
3. Input Control:
  1. Detection: Next Millennium Media has designed their infrastructure to log extensive information about their systems’ behavior, traffic received, system authentication, and other application requests.
  2. Response and tracking: Next Millennium Media maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Next Millennium Media will take appropriate steps to minimize damage or unauthorized disclosure. Notifications by Next Millennium Media will be in accordance with the terms of the DPA.
4. Availability Control:
  1. Fault tolerance: Next Millennium Media’s backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure.
  2. Disaster Recovery Plan: Next Millennium Media maintains and regularly tests its Disaster Recovery plan to help ensure availability of information following interruption to, or failure of, critical business processes.

Annex 3 - Sub-Processors

A list of Next Millennium Media’s Sub-Processors and their purpose for engaging them is located at https://nextmillennium.com/next-millennium-media-inc-subprocessors/.