Wiretap Labs Independent Controller Data Processing Addendum
Last Updated: March 10, 2025
This Independent Controller Data Processing Addendum (“DPA”) is entered into by and between Wiretap and Customer. This DPA sets forth the legally binding terms between Customer and Wiretap that govern the Processing of Personal Data (as defined below) under the Software-as-a-Service (SaaS) Agreement, or other agreement between Wiretap and Customer which govern the Services and links to or incorporates this DPA (the “Agreement”).
- DEFINITIONS. For the purposes of this DPA, the following definitions apply. Capitalized terms that are used but not otherwise defined herein shall have the meanings as set forth in the Agreement.
- “Controller” means “controller” as defined in Data Protection Laws and Regulations or “business” as defined in the California Consumer Privacy Act (CCPA) and, if not defined, means the entity which determines the purposes and means of the Processing of Personal Data.
- “Customer” means the entity that has entered into the Agreement with Wiretap.
- “Data Subject” means the individual to which the Personal Data relates.
- “Data Protection Laws and Regulations” means, with respect to a party, all privacy and data protection laws applicable to such party’s Processing of Personal Data including, where applicable: (a) European Data Protection Laws; (b) the CCPA of 2018 and any regulations promulgated thereunder (as amended from time to time, the “CCPA”); and (c) any other similar data protection laws in any other applicable territory, each as amended, replaced, supplemented or superseded.
- “EEA” means the European Economic Area.
- “European Data Protection Laws” means, in each case to the extent applicable to the relevant Personal Data or Processing thereof under the Agreement, (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), (b) laws relating to data protection, the processing of Personal Data, privacy or electronic communications in force from time to time in the United Kingdom, including the UK General Data Protection Regulation (GDPR), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018 (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“Swiss FDPA”); and (d) any other data protection laws of the EEA, United Kingdom, or Switzerland that is already in force or that will come into force during the term of this DPA.
- “Personal Data” means any information Processed under the Agreement that constitutes “personal data,” “personal information,” “personally identifiable information” or similar information defined under applicable Data Protection Laws and Regulations.
- “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Services” means the services the parties are obligated to provide or permitted to receive pursuant to the Agreement.
- “Sensitive Data” means any Personal Data that constitutes “sensitive data,” “sensitive personal data,” “special category” personal data, or similar term under Data Protection Laws and Regulations, including without limitation any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, data of a known child or minor, as well as any other type of data that is considered sensitive according to Data Protection Laws and Regulations.
- “SCCs” means “Module One: Transfer controller to controller” of the Standard Contractual Clauses set forth in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/, as supplemented and amended by Appendix 1.
- “Wiretap” means Wiretap Holdings I, LLC, doing business as Wiretap Labs.
- “Transfer” has the meaning given under Data Protection Laws and Regulations.
- ROLE OF THE PARTIES. In performing their respective obligations under the Agreement, each party may receive Personal Data which may be subject to Data Protection Laws and Regulations. The parties acknowledge and agree that each party is a separate and independent Controller in respect of such Personal Data and shall individually determine the purposes and means of its Processing of such Personal Data. The parties further acknowledge that neither party is responsible for determining the requirements of Data Protection Laws and Regulations applicable to the other party.
- RESTRICTION ON SENSITIVE DATA. The parties acknowledge and agree that neither party shall provide or make available Sensitive Data to the other party in connection with the Services. The parties acknowledge and agree that Wiretap shall have no responsibility or liability for any Sensitive Data erroneously or inadvertently transferred under this DPA. Nothing in this DPA shall be interpreted to limit any restrictions under the Agreement regarding the types of Personal Data that may be provided by Customer to Wiretap.
- OBLIGATIONS OF THE PARTIES.
- Lawfulness of Processing. Each party acknowledges and confirms that: (a) it will comply with applicable Data Protection Laws and Regulations and this DPA in connection with its Processing of Personal Data; and (b) it will be responsible for determining the legal basis(es) of its own Processing activities.
- Consent for Processing. Where applicable, Customer has obtained, or has taken commercially reasonable efforts to cause to be obtained, valid Data Subject consent (including renewal of consent) as required by Data Protection Laws and Regulations for each Processing purpose for all Personal Data made available for use in connection with the Services, and, as between the parties, remains solely responsible for obtaining such valid consent and communicating all relevant withdrawals or revocations of consent to Wiretap. Customer shall (a) notify Wiretap of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Personal Data that it provides to Wiretap under the Agreement that would impact Wiretap’s ability to comply with the Agreement, this DPA or applicable Data Protection Laws and Regulations. Wiretap agrees, where applicable, to accept and abide by instructions and any consent signals transmitted by Customer for Processing of Personal Data. For the avoidance of doubt, nothing in this Section shall limit Customer’s notice and consent obligations under the Agreement or under Section 4.3 of this DPA.
- Privacy Notices. In addition to any privacy policy or notice requirements under the Agreement, each party agrees to provide all notices and disclosures to Data Subjects required to be provided by such party under Data Protection Laws and Regulations regarding the Processing of Personal Data contemplated under this DPA and the Agreement including, where applicable, all disclosures regarding a Data Subject’s right to opt-out of Personal Data sales, sharing, or targeted advertising (as such terms are defined under Data Protection Laws and Regulations).
- NO OWNERSHIP OR LICENSE. Nothing in this DPA shall be construed to convey any ownership interest or license in the Personal Data that is contrary to the ownership interests and licenses set forth in the Agreement.
- PROCESSING SUBJECT TO THE CCPA. As used in this Section, “Personal Information” means personal information (as defined in the CCPA) contained in Personal Data. For purposes of the CCPA, the parties acknowledge and agree that the Personal Information disclosed by Company to Wiretap is provided to Wiretap only for the limited and specified purposes described in the Agreement and for the uses described in Wiretap’s privacy policy, available at [Hyperlink to Wiretap Privacy Policy]. Wiretap will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Data as is required by the CCPA. Customer has the right to take reasonable and appropriate steps to help ensure that Wiretap uses the Personal Information transferred in a manner consistent with Customer’s obligations under the CCPA by exercising Customer’s rights under this DPA. Wiretap will inform Customer if it makes a determination that Wiretap can no longer meet its obligations under the CCPA. If Wiretap notifies Customer of unauthorized use of Personal Information, including under the foregoing sentence, Customer will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with Wiretap, terminating the portion of the Agreement relevant to such unauthorized use, or such other steps mutually agreed between the parties in writing.
- DATA SUBJECTS’ RIGHTS. Each party hereby authorizes the other party to release all Personal Data in its possession directly pertaining to a verified Data Subject request for data portability to the Data Subject or his/her authorized representative, without regard to whether such Personal Data are owned/licensed by Wiretap or Customer.
- REGULATORS. Each party agrees to: (a) promptly notify the other party in writing of any question, complaint, investigation, inquiry, warrant, subpoena or proceedings from or brought by any public, governmental, and/or judicial agency or authority (each, a “Regulatory Request”), that relates to such other party’s (i) Processing of Personal Data in relation to the Services, or (ii) potential failure to comply with Data Protection Laws and Regulations; and (b) comply with any written litigation hold, document preservation notice, or similar legal hold requested by the other party in connection with any Regulatory Request, lawsuit, or other claim, except to the extent required by applicable law.
- DATA TRANSFERS.
- Transfer Authorization. Subject to this Section, the parties acknowledge and agree that each party is authorized to Process and Transfer Personal Data in any jurisdiction provided that such Processing complies with Data Protection Laws and Regulations. Each party shall ensure that any Transfer it initiates will, where applicable, be subject to a lawful data transfer mechanism or appropriate onward transfer agreements that require that any further Transfers be conducted under a lawful data transfer mechanism.
- Onward Transfers by Wiretap. Customer acknowledges and agrees that Wiretap may store and Process Personal Data in the United States or anywhere Wiretap or its suppliers, partners, demand partners, advertisers, ad servers, and other partners are located, subject to the requirements of this Section.
- Transfers of Personal Data From the EEA, Switzerland or the United Kingdom. In the event that Customer Transfers Personal Data subject to European Data Protection Laws to Wiretap and such Transfer is not subject to an alternative adequate transfer mechanism or otherwise exempt from Transfer restrictions under European Data Protection Laws, Customer (as data exporter) and Wiretap (as data importer) agree that the Supply Chain Cybersecurity (SCCS) will be incorporated herein by reference. In furtherance of the foregoing, the parties agree to the selections and addendum set forth in Appendix 1. The SCCS shall automatically terminate with respect to a given Transfer once the Transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such SCCS on any other basis.
- CONFIDENTIALITY. The parties agree to take steps to ensure that any person acting under their authority who has access to the Personal Data is subject to an appropriate confidentiality obligation.
- LIMITATION OF LIABILITY. Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to any limitation of liability as set forth in the Agreement and any reference to such limitation of liability of a party means the aggregate liability of the party under the Agreement and this DPA together. Additionally, each party shall be independently liable for its own Processing of Personal Data to the extent such Processing does not comply with Data Protection Laws and Regulations.
- APPLICABLE LAW AND JURISDICTION. This DPA is and remains governed by and shall be construed in accordance with the law designated as applicable in the Agreement, except to the extent required otherwise under the SCCS.
- ORDER OF PRECEDENCE. Except as specifically set forth in this DPA, the terms and provisions of the underlying Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Agreement and the terms of this DPA, the terms and provisions of this DPA shall prevail with regard to data protection matters. In the event of a conflict between the terms of this DPA and the SCCS, the SCCS shall prevail.
- MODIFICATION. Modifications to this DPA will be posted on Wiretap’s website at [Hyperlink to Wiretap DPA]. Changes will not apply retroactively and become effective as of the Last Updated date of this DPA. If Customer does not agree to any terms in this DPA, Customer must not use the Services. Customer’s continued use of the Services after the Last Updated date of this DPA constitutes Customer’s acceptance of and agreement to follow and be bound by such changes.
- TERMINATION AND SURVIVAL. The parties agree that this DPA is terminated upon the termination of the Agreement.
- INVALIDITY AND SEVERABILITY. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
Appendix 1 - Standard Contractual Clause Selections and Addendum
The following selections and addendum shall supplement and amend the SCCS incorporated into the Independent Controller Data Processing Addendum (Wiretap as Data Importer).
Security Context Constraint (SCC) Section Reference Concept Selection of the Parties
| Section Governing law IV, Clause 17 | The laws of the Republic of Ireland. | ||
| Section IV, Clause 18 (b) | Choice of forum and jurisdiction | The courts of the Republic of Ireland. | |
| Annex I.A | List of Parties – Data exporter(s) | Name: | Customer |
| Address: | As set forth in the Agreement | ||
| Contact: | As set forth in the Agreement | ||
| Activities relevant to the data transferred under these Clauses: | Receipt of the Services from Wiretap under the Agreement. | ||
| Signature and Date: | The parties agree that execution of the Agreement by each party shall constitute execution of the SCCS by both parties as of the effective date of the Agreement. | ||
| Role (controller/processor): | Controller | ||
| Annex I.A | List of Parties – Data importer(s) | Name: | Wiretap |
| Address: | As set forth in the Agreement | ||
| Contact: | As set forth in the Agreement | ||
| Activities relevant to the data transferred under these Clauses: | The provision of the Services to Customer under the Agreement. | ||
| Signature and Date: | The parties agree that execution of the Agreement by each party shall constitute execution of the SCCS by both parties as of the effective date of the Agreement. | ||
| Role (controller/processor): | Controller | ||
| Annex I.B | Description of the Transfer | Categories of data subjects whose personal data is transferred | End users of Customer’s digital properties. |
| Categories of personal data transferred | Categories of Personal Data transferred will depend upon the Services selected by the Customer and may include: (a) Cookies (session, persistent, Lifecycle Service Orchestration (LSO), other) or other online unique Intrusion Detection System (IDS); (b) engagement data, behavioral targeting, or other profiling data (including inferences); (c) Internet Protocol address; (d) hashed email; and (e) User agent string/OS/chipset/screen. | ||
| Sensitive data transferred (if applicable) and applied restrictions or safeguards | N/A | ||
| The frequency of the transfer | Continuous basis for the term of the Agreement. | ||
| Nature of the processing | As set forth in the Agreement. | ||
| Purpose(s) of the data transfer and further processing | To allow Wiretap to provide the Services under the Agreement. | ||
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | Data is retained only for as long as needed to fulfill obligations defined in the Agreement, or as long as needed to support a business purpose. | ||
| Annex I.C | Competent Supervisory Authority | Irish Data Protection Commissioner, unless Customer notifies Wiretap of an alternative competent supervisory authority by emailing Wiretap. | |
Annex II Technical and Organisational Measures.
Wiretap and Customer shall each implement the following security measures:
- Information Security Program. Implement, maintain, and comply with information security policies and procedures designed to protect the confidentiality, integrity, and availability of Personal Data and any systems that store or otherwise Process it, which are (a) aligned with an industry-standard control framework (e.g., NIST SP 800-53, ISO 27001, Collective Intelligence System (CIS) Critical Security Controls); (b) approved by executive management; (c) reviewed and updated at least annually; and (d) communicated to all personnel with access to Personal Data.
- Risk Assessment. Maintain risk assessment procedures for the purposes of periodic review and assessment of risks to the organization, monitoring and maintaining compliance with the organization’s policies and procedures, and reporting the condition of the organization’s information security and compliance to internal senior management.
- Personnel Training. Train personnel to maintain the confidentiality, integrity, and availability of Personal Data, consistent with the terms of the Agreement and Data Protection Laws and Regulations.
- Vendor Management. Prior to engaging subprocessors and other subcontractors, conduct reasonable due diligence and monitoring to ensure subcontractors are capable of maintaining the confidentiality, integrity, and availability of Personal Data.
- Access Controls. Only authorized personnel and third parties are permitted to access Personal Data. Maintain logical access controls designed to limit access to Personal Data and relevant information systems (i.e., granting access on a need-to-know basis, use of unique IDS and passwords for all users, periodic review and revoking or changing access when employment terminates or changes in job functions occur).
- Secure User Authentication. Maintain password controls designed to manage and control password strength, expiration, and usage. These controls include prohibiting users from sharing passwords and requiring that passwords controlling access to Personal Data must (a) be at least 8 characters in length and meet minimum complexity requirements; (b) not be stored in readable format on the organization’s computer systems; (c) have a history threshold to prevent reuse of recent passwords; and (d) if newly issued, be changed after first use.
- Incident Detection and Response. Maintain policies and procedures to detect and respond to actual or reasonably suspected security incident and encourage the reporting of such incidents.
- Encryption. Apply industry standard encryption to Personal Data (a) stored on any medium (e.g., laptops, mobile devices, portable storage devices, file servers and Application databases); and (b) transmitted across any public network (such as the Internet) or wirelessly.
- Network Security. Implement network security controls such as up-to-date firewalls, layered DMZs, updated intrusion detection and prevention systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
- End Point Security. Implement end point security controls such as built in firewalls, automated Operating System (OS) updates, and automated software patch deployment managed through central device management. All end point devices are enabled with encrypted storage.
- Vulnerability Management. Detect, assess, mitigate, remove, and protect against new and existing security vulnerabilities and threats, including viruses, bots, and other malicious code, by implementing vulnerability management, threat protection technologies, and scheduled monitoring procedures.
- Change Control. Follow change management procedures and implement tracking mechanisms designed to test, approve, and monitor all changes to the organization’s technology and information assets.
- Physical Security. Take steps to ensure the physical and environmental security of data center, server room facilities and other areas containing Personal Data, including by (a) protecting information assets from unauthorized physical access; (b) managing, monitoring, and logging movement of persons into and out of the organization’s facilities; and (c) guarding against environmental hazards such as heat, fire, and water damage.
- Business Continuity and Disaster Recovery (DR). Maintain business continuity and DR policies and procedures designed to maintain service and recover from foreseeable emergency situations or disasters.
Addendum to the Standard Contractual Clauses (Module One)
Wiretap and Customer agree that the SCCS shall be modified and supplemented as follows:
- Supplemental Business-Related Clauses. In accordance with Clause 2 of the SCCS, the parties wish to supplement the SCCS with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the SCCS (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of Data Subjects. The parties therefore agree that the applicable terms of the Agreement and this DPA shall apply if, and to the extent that, they are permitted under the SCCS, including without limitation the following:
- The information required to be provided to Data Subjects under Clause 8.2(a) shall be provided by Customer using the relevant information provided by Wiretap through the DPA and the SCC selections above;
- In the event of a data subject request for a copy of the clauses in accordance with Clause 8.2(c), each party agrees to make all redactions reasonably necessary to protect business secrets or other confidential information of the other party;
- The terms of the Agreement governing indemnification and limitation of liability, including Section 11 of the DPA, shall apply to each party’s liability under Clauses 12(a), 12(c), and 12(d); and
- The termination provisions of the Agreement shall apply to a termination pursuant to Clause 14(f) or Clause 16.
- Transfers from the United Kingdom. If the SCCS apply to the Transfer of Personal Data originating from the United Kingdom, this Section shall apply to and modify the SCCS to the extent that UK Data Protection Laws apply to Customer’s Processing when making that Transfer. The parties acknowledge and agree that: (a) the template addendum issued by the Information Commissioner’s Office of the United Kingdom and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as it may be revised from time to time by the Information Commissioner’s Office (the “UK Addendum”) shall be incorporated by reference herein; (b) the information required to be set forth in “Part 1: Tables” of the UK Addendum shall be completed using the information provided in the selections above; and (c) either party may end the UK Addendum in accordance with Section 19 thereof.
- Transfers from Switzerland. If the SCCS apply to the Processing of Personal Data originating from Switzerland, the SCCS shall be modified as follows: (a) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c); (b) references to the GDPR or other governing law contained in the SCCS shall also be interpreted to include the Swiss FDPA; and (d) the parties agree that the supervisory authority as indicated in Annex I.C shall be, insofar as the data transfer is governed by the Swiss FDPA, the Swiss Federal Data Protection and Information Commissioner.