Effective Date: The date of the main Agreement between the parties
Mob Agent Web Solutions, a company incorporated in India, having its registered office at Jeke gram Thane India, (hereinafter “Company” or “Data Controller / Processor” as relevant) and You supplements and forms part of the Agreement or any other written or electronic agreement referencing to this DPA between Mob Agent Web Solutions and Advertiser/DSP to reflect the parties’ agreement with regard to the processing of personal data. Mob Agent Web Solutions and Demand Partner have entered into a master agreement, or other such governing contract, together with one or more connected statements of work, purchase orders, contracts and/or agreements (collectively the “Agreement”), under which Demand Partner may purchase digital advertising inventory via Mob Agent Web Solutions RTB services and platform.
Applicable Privacy Law means all applicable data protection and privacy laws, including Indian laws (e.g. Information Technology Act, rules thereunder, any Data Protection law if enacted), and where applicable, laws of other jurisdictions such as the GDPR, CCPA, etc., as amended from time to time.
Controller means the entity that determines the purposes and means of processing Personal Data.
Processor means the entity that processes Personal Data on behalf of the Controller.
Sub-processor means any third party engaged by Processor or Controller to process Personal Data on behalf of Processor / Controller.
Personal Data means any information relating to an identified or identifiable natural person, as defined under Applicable Privacy Law.
Sensitive Personal Data / Information means data of a sensitive nature as per relevant law (for example, in India, personal data defined under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011).
Security Incident / Personal Data Breach means any unauthorised or accidental access, disclosure, loss, alteration or other breach of the security, confidentiality or integrity of Personal Data.
Purposes means the purposes set out in the Main Agreement and this DPA for which Personal Data is processed.
The Partner / Company may share with each other certain Personal Data for the purposes of delivering services under the main Agreement (e.g., ad / digital advertising, analytics, account management, etc.). The categories of Personal Data, Data Subjects, frequency, and purposes are described in a Schedule or Annex to this DPA.
Each party shall comply with its obligations under Applicable Privacy Law in its role (Controller or Processor). Where the Partner engages Sub-processors, the Partner must ensure that such Sub-processors are bound by similar confidentiality, security, and data protection obligations as in this DPA. The Partner remains fully liable for such Sub-processors. The Controller (or where relevant, both parties) must maintain appropriate privacy notices, lawful bases for processing, and ensure data subject rights can be fulfilled.
The Partner must honour any valid consent / opt-in / opt-out signals, preferences or requests of Data Subjects, where required by Applicable Privacy Law or by the terms of the main Agreement. Processing must be based on a lawful basis (consent, legitimate interest, contract, legal requirement, etc.), depending on the jurisdiction and nature of Personal Data.
Personal Data shall not be kept longer than necessary for the Purposes, or beyond any legal or regulatory requirement. Upon expiry or termination of the Agreement, or earlier on request, each party shall delete or securely destroy all Personal Data in its possession, unless retention is required by law.
The parties shall implement appropriate technical and organisational measures to protect Personal Data, against unauthorized or unlawful processing, and against accidental loss, destruction or damage. This includes (but is not limited to) access controls, secure storage, encryption (where required), regular backup and disaster recovery, etc. Where required, the parties should conduct security audits or assessments.
The Processor / Partner may engage Sub-Processors, provided that: a) the Partner gives advance notice (if reasonably required) of new Sub-Processors; b) the Sub-Processor is contractually bound to obligations no less protective than those in this DPA; c) the Partner remains liable for its Sub-Processors.
The party experiencing a Security Incident involving Personal Data must notify the other party without undue delay, providing sufficient detail to allow assessment and assistance. The responsible party must cooperate in investigating, mitigating, and remediating the breach, and comply with any regulatory notification requirements.
If Personal Data is transferred across borders (outside India), the parties shall ensure compliance with Applicable Privacy Law governing such transfers. This may include ensuring adequate safeguards (standard contractual clauses, binding corporate rules, etc.), or relying on recognized adequacy regimes.
Each party shall assist in responding to data subject requests (access, correction, deletion, data portability, etc.), to the extent that requests relate to Personal Data processed under the Agreement. Parties shall cooperate to ensure these rights can be exercised in a timely manner.
If a party receives a request from a government authority or regulator for disclosure of Personal Data, it must: a) notify the other party in sufficient time (unless prohibited by law), b) cooperate in attempts to narrow the request or otherwise protect the rights of data subjects, c) only disclose the minimum required data if legally compelled.
The parties shall provide documentation or evidence of compliance when requested (e.g., records of processing, security practices). The parties shall allow audits or inspections by the other party (or its appointed auditors) relevant to compliance with this DPA, under reasonable conditions.
This DPA shall be governed by the laws of [India / chosen jurisdiction] (or another mutually agreed jurisdiction), unless the main Agreement specifies otherwise. Any disputes arising out of or in connection with this DPA will be resolved as per the dispute resolution mechanism in the main Agreement (or specify separately if needed).
If any provision of this DPA is held to be invalid under applicable law, the remainder shall continue in effect. Changes to privacy laws may require amendments to this DPA. Any amendment must be in writing.
Source: Mob Agent Web Solutions — Data Processing Addendum (as provided).
