Podbean Advertiser Data Processing Addendum – Controller to Controller

Last Updated: March 15, 2023

This Advertiser Data Processing Addendum ("DPA") forms part of the written or electronic agreement(s) (collectively, the "Agreement") between Podbean Inc, with its principal place of business at 5940 S Rainbow Blvd Ste 400 #56077, Las Vegas, NV, 89118-2507 ("Podbean") and the party(ies) entering into the Agreement with Podbean (“Advertiser,” collectively with Podbean the “Parties” and each a “Party”), and reflects the Parties' agreement with regard to the Processing of Personal Data.

BACKGROUND

Podbean provides podcast hosting services to its customers, including monetization and advertising services and integrations with third-party platforms, and Processes certain Personal Data in connection with the provision of such services and its own business and operations. Podbean is engaging Advertiser to Process such Personal Data for or on behalf of Podbean and/or its customers. This DPA sets forth the data protection terms and obligations that apply when Advertiser Processes Personal Data (defined below) as a Controller (defined below) received from or on behalf of the Podbean. The Parties have agreed to enter into this DPA to address the rights and obligations that apply to the Parties under the Applicable Data Protection Laws (as defined below) concerning each Party’s Processing (as defined below) of Personal Data.

DEFINITIONS

Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control," for the purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;

"Applicable Data Protection Laws" means all applicable laws and regulations relating to the Processing of Personal Data under the Agreement, including without limitation, the laws and regulations of the United States and its states, the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”) together with any national implementing laws in any Member State of the European Union or, to the extent applicable, laws and regulations in any other country, as any such law or regulation may be amended, repealed, consolidated or replaced from time to time;

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data and includes the term “business” as may be defined by certain Applicable Data Protection Laws;

"Data Subject(s)" means the individual(s) to whom Personal Data relates;

"EEA" means the European Economic Area;

"Services" are the services provided by or on behalf of Advertiser to Podbean pursuant to the Agreement;

"Personal Data" means any information relating to an identified or identifiable Data Subject or that describes, is reasonably capable of being associated with, or is reasonably linkable, directly or indirectly, to a particular individual or household, and includes without limitation any information that constitutes "personal information" and/or “personal data” as defined under Applicable Data Protection Law;

"Processing" means any operation or set of operations which is performed upon data or information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. The terms "Process", "Processes" and "Processed" will be construed accordingly; and

"Security Breach" means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

1. PROCESSING OF PERSONAL DATA

   • Scope and Role.

     Customer and Advertiser are each Controllers with respect to the Processing of Personal Data hereunder. Information about the Processing of Personal Data by Advertiser, including without limitation the nature and purpose of the Processing and the types of Personal Data Processed is set forth in Appendix A to this DPA.

   • Data Processing.

     Advertiser will Process Personal Data for the limited and specified purposes set forth in the Agreement and this DPA or as otherwise required by Applicable Data Protection Law. Without limiting the foregoing, Advertiser shall Process Personal Data to provide the Services to, for, and/or on behalf of Podbean.

   • Compliance.

     Advertiser will comply with Applicable Data Protection Laws and will take steps to protect Personal Data as required by Applicable Data Protection Laws. Advertiser represents and warrants that the provision of the Services and the Processing of Personal Data by Advertiser in compliance with the Agreement and this DPA will not violate Applicable Data Protection Laws.

   • Confidentiality.

     Advertiser will ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

   • Requests Regarding Personal Data.

     If a Party receives a request from one or more Data Subjects to exercise their rights with respect to the Personal Data under Applicable Data Protection Laws (including, but not limited to, the right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, or the right not to be subject to an automated individual decision making), or a Data Subject complaint or request from a competent authority in relation to the Personal Data, the Party will independently respond to the request based on the Personal Data within its possession or control and the Processing carried out by such Party. To the extent that Podbean requests assistance from Advertiser to comply with the requirements of Applicable Data Protection Laws or other legal obligations applicable to Podbean, Advertiser shall provide such assistance promptly but in any event within a reasonable time following Podbean’s request for the same.

   • Security Breach.

     If Advertiser becomes aware of a Security Breach impacting Personal Data made available by Podbean, Advertiser will promptly notify Podbean of such Security Breach. Advertiser will comply with any Security Breach-related obligations directly applicable to it under the Applicable Data Protection Laws and will provide reasonable assistance to Podbean in Podbean’s compliance with its Security Breach-related obligations, if any. Advertiser will reimburse Podbean for all reasonable expenses resulting from Podbean’s assistance related to any Security Breach caused by or on behalf of Advertiser.

   • Security Responsibilities.

     Advertiser will implement and maintain, and require any subcontractors, personnel, or third parties that receive Personal Data from or otherwise Process Personal Data for or on behalf of Advertiser to maintain, reasonable and appropriate technical and organizational measures designed to protect any Personal Data Processed hereunder against Security Breaches and against all other unlawful forms of Processing. These measures will include, at a minimum, the measures set out in Annex II of Appendix A to this Agreement.

   • Demonstration of Compliance.

     Advertiser will, upon Podbean’s reasonable request, provide to Podbean all information necessary to demonstrate Advertiser’s compliance with Applicable Data Protection Laws and the DPA. Podbean may take reasonable and appropriate steps, upon notice to and in cooperation with Advertiser, designed to ensure that Advertiser Processes Personal Data in a manner consistent with Podbean’s obligations under Applicable Data Protection Laws. If Advertiser determines that it can no longer meet its own obligations under Applicable Data Protection Laws, Advertiser will notify Podbean of such determination. Upon such notice or in the event Podbean otherwise becomes aware of unauthorized Processing of Personal Data, Podbean may take reasonable and appropriate steps to stop and remediate the unauthorized Processing. Podbean and Advertiser agree to negotiate in good faith to determine what steps are “reasonable and appropriate” under this Section in each instance.

2. INTERNATIONAL DATA TRANSFERS

   • The Parties acknowledge and agree that Personal Data Processed by Advertiser may be Processed in or originate from the UK, Switzerland, and/or the EEA and/or be Processed by Advertiser outside the UK, Switzerland, and/or the EEA.
   • This Section shall apply in the event of a Restricted Transfer (as defined below) of Personal Data. In the event that any provision of this DPA or the Agreement conflicts with the SCCs (as defined below), the SCCs shall prevail solely to the extent of any Restricted Transfer.
   • “European Data Protection Laws” means, to the extent applicable to Podbean, Advertiser, or the Processing of Personal Data under the Agreement, the EU GDPR; the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); and the Swiss Federal Data Protection Act (“Swiss DPA”), in each case as may be updated, amended, or replaced from time to time.
   • “Restricted Transfer” means (i) where the EU GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018 as may be updated, amended, or replaced from time to time; and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner as may be updated, amended, or replaced from time to time.
   • “SCCs” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as may be updated, amended, or replaced from time to time.
   • “UK Addendum” means the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018, as may be updated, amended or replaced from time to time.
   • To the extent the transfer of Personal Data from Podbean to Advertiser is a Restricted Transfer and European Data Protection Laws require that appropriate safeguards be put in place with respect to such transfer, such transfer shall be subject to the SCCs, which shall be incorporated by reference into this DPA as follows:
   • EU GDPR. For Personal Data that is protected by the EU GDPR, the SCCs will apply as follows: (1) Module One (controller to controller) will apply; (2) in Clause 7, the optional docking clause will apply; (3) in Clause 11, the optional language will not apply; (5) in Clause 17, Option 2 will apply, and the SCCs will be governed by the law of the EU Member State in which the data exporter is established or, where such law does not allow for third-party beneficiary rights, by the law of the Republic of Ireland; (6) in Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland; and (7) Annexes I and II of the SCCs will be deemed completed with the information in Annexes I and II of Appendix A to this Addendum, respectively.
   • UK GDPR. For Personal Data that is protected by the UK GDPR, the SCCs: (1) shall apply as completed in accordance with paragraph (i) above; and (2) shall be deemed amended as specified by the UK Addendum, which shall be deemed executed by the Parties and incorporated into and form an integral part of this Addendum. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annexes I and II of Appendix A of this DPA, and Table 4 in Part 1 shall be deemed completed by selecting “neither party.”
   • Swiss DPA. For Personal Data that is protected by the Swiss DPA, the SCCs shall apply as completed in accordance with paragraph (i) above, with the following modifications: (1) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA and references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (2) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”; (3) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (4) Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner; (5) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; (6) in Clause 17, the SCCs shall be governed by the laws of Switzerland; and (7) with respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.

3. LIABILITY

   • Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
   • Notwithstanding Section 3.1 of this DPA, Podbean will not be liable under the Agreement for any claim brought by a Data Subject arising from or related to Advertiser’s failure to comply with its obligations under the Applicable Data Protection Law or this DPA.

4. GENERAL PROVISIONS

   • Where applicable, Schedules, Annexes and Appendices to this DPA will be deemed to be an integral part of this DPA. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control. In the event the Agreement ends or is terminated, the obligations under this DPA shall cease.

APPENDIX A: ANNEXES DESCRIBING PROCESSING

ANNEX I

• LIST OF PARTIES

  Data exporter, where applicable:

  Name: Podbean Inc. (on behalf of itself and permitted Affiliates)

  Address: 5940 S Rainbow Blvd Ste 400 #56077, Las Vegas, NV, 89118-2507, or as set out in the Agreement

  Contact person’s name, position and contact details: Podbean’s contact details, as set out in the Agreement

  Activities relevant to the data transferred under these Clauses: Receipt of the Services provided by Advertiser that involve the Processing of Personal Data in connection with the Agreement.

  Role (controller/processor): Controller

  Data importer, where applicable:

  Name: Advertiser (on behalf of itself and permitted Affiliates)

  Address: Advertiser’s address, as set out in the Agreement

  Contact person’s name, position and contact details: Advertiser’s contact details, as set out in the Agreement

  Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with the Agreement.

  Role (controller/processor): Controller

• DESCRIPTION OF TRANSFER
  1. Categories of data subjects whose personal data is transferred:
     • Podcast listeners and other end users of Podbean’s customers
     • Advertiser’s business representatives
  2. Categories of personal data transferred:
     • IP addresses
     • Listening history, including podcast name, episode title, and play time
     • Email addresses and other contact information of Advertiser’s business representatives

  Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
  None

  The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
  Continuous

  Nature of the processing
  Personal data will be collected, transferred, and stored as set forth in the Agreement

  Purpose of the data transfer and further processing
  As part of the services in accordance with the Agreement

  The period for which the personal data will be retained, or if that is not possible, the criteria used to determine that period
  Personal data will be retained pursuant to Advertiser’s data retention policies and practices, which are designed to ensure that personal data is not processed for longer than is necessary for the purposes for which it is obtained by Advertiser, to allow Advertiser to protect and defend legal claims, or as required by law.

  For transfers to (sub-)processors, also specify subject matter, nature, and duration of the processing
  Advertiser may transfer Personal Data to processors for Processing in accordance with the subject matter, nature, and duration of processing noted above.

• COMPETENT SUPERVISORY AUTHORITY

  For the purposes of the Standard Contractual Clauses, the supervisory authority that shall act as competent supervisory authority is the supervisory authority of the EU Member State in which the Data Subjects are predominantly located. Notwithstanding the foregoing, in relation to Personal Data that is subject to the UK GDPR or Swiss DPA, the competent supervisory authority is the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable).

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Advertiser will implement and maintain a comprehensive written information security program designed to protect personal data from unauthorized access, use, modification, disclosure or destruction.  Without limiting the generality of the foregoing, as part of its information security program, Advertiser will:

• Limit access to personal data to its personnel who require such access in order to perform its obligations under the Agreement and this DPA.
• Use physical and environmental security controls that are audited for SOC 2 Type II and ISO 27001 compliance, or similar certifications.
• Implement industry standard access controls and detection capabilities for the internal networks that support the services.
• Implement network access control mechanisms that are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure, such as Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
• Implement a Web Application Firewall (WAF) solution designed to identify and prevent attacks against publicly available network services.
• Conduct security reviews of code stored in source code repositories.
• Encrypt stored data at rest. 
• Utilize internal systems that alert appropriate employees of malicious, unintended, or anomalous activities and respond to known incidents.