Version 1.0
This Data Protection Addendum (“DPA”) is incorporated into and forms an integral part of the Master Services Agreement (the “Agreement”) between Townsquare Interactive, LLC, dba Townsquare Ignite (“Townsquare”) and the entity identified as “Company” in the Agreement. Capitalized terms used but not defined in this DPA shall have the meanings given to them in the Agreement.
For purposes of this DPA, the following terms shall have the meanings set forth below:
1.1 “Applicable Data Protection Laws” means all federal, state, and local laws, regulations, rules, and governmental requirements relating to privacy, data protection, data security, breach notification, and the processing of Personal Data that are applicable to the Services, as each may be amended, supplemented, or replaced from time to time, including, without limitation, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code § 1798.100 et seq.) (collectively, the “CCPA”), the Virginia Consumer Data Protection Act (Va. Code Ann. § 59.1-575 et seq.), the Colorado Privacy Act (Colo. Rev. Stat. § 6-1-1301 et seq.), the Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq.), the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541), any other state consumer privacy law of general applicability enacted during the Term, any federal, state, or local law relating to wiretapping, electronic surveillance, or the interception of electronic communications (including, without limitation, the California Invasion of Privacy Act (Cal. Penal Code § 630 et seq.) and the federal Wiretap Act (18 U.S.C. § 2510 et seq.)), and any unfair or deceptive practices statute to the extent applicable to the collection, use, or processing of data through Tracking Technologies or the Services (including, without limitation, the California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200 et seq.) and the California Comprehensive Computer Data Access and Fraud Act (Cal. Penal Code § 502)).
1.2 “Company Data” means any data, information, or materials provided or made available by Company or its Clients to Townsquare in connection with the Services, including, without limitation, creative assets, advertising copy, audience lists, physical addresses, customer lists, CRM data, website analytics data, and any other information provided by or on behalf of Company for use in connection with advertising campaigns or the Services.
1.3 “Controller” means the entity that determines the purposes and means of Processing Personal Data. As between the Parties, Company (or its Client, as applicable) is the Controller of Personal Data contained in Company Data.
1.4 “Data Breach” means any unauthorized access to, acquisition of, use of, or disclosure of Personal Data in the possession or control of Townsquare or its subprocessors that compromises the security, confidentiality, or integrity of such Personal Data.
1.5 “De-Identified Data” means data that has been modified, aggregated, or otherwise processed such that it cannot reasonably be used to identify, relate to, describe, be associated with, or be linked, directly or indirectly, to any identified or identifiable individual or household.
1.6 “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable individual or household, including, without limitation, device identifiers, advertising identifiers, IP addresses, cookie identifiers, and geolocation data, to the extent such data constitutes personal information, personal data, or personally identifiable information under Applicable Data Protection Laws.
1.7 “Process” or “Processing” means any operation or set of operations performed on data, whether or not by automated means, including, without limitation, the collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, restriction, erasure, or destruction of data.
1.8 “Service Provider” (or “Processor”) means an entity that Processes Personal Data on behalf of a Controller pursuant to a written contract and for the business purposes specified by the Controller.
1.9 “Subprocessor” means any third party engaged by Townsquare to Process Personal Data on Townsquare’s behalf in connection with the Services, including Third-Party Suppliers.
2.1 The Parties acknowledge and agree that with respect to the Processing of Personal Data in connection with the Services: (a) Company (or its Client) is the Controller; and (b) Townsquare acts as a Service Provider/Processor, Processing Personal Data solely on behalf of and at the direction of Company for the business purposes specified in this DPA and the Agreement.
2.2 To the extent Townsquare Processes Personal Data independently for its own purposes (e.g., billing, account management, compliance, fraud prevention, or improving the Services on a De-Identified basis), Townsquare acts as a separate Controller with respect to such Processing and shall comply with all Applicable Data Protection Laws in connection with such Processing.
2.3 Nothing in this DPA shall be construed to create a joint controller relationship between the Parties unless expressly agreed to in writing.
3.1 As between the Parties, Company owns all Company Data, including all Personal Data contained therein. Nothing in this DPA or the Agreement shall be construed as transferring ownership of any Company Data to Townsquare.
3.2 Townsquare shall not sell, share (as such terms are defined under the CCPA), rent, or otherwise make available any Company Data or Personal Data to any third party for monetary or other valuable consideration, except as expressly permitted under this DPA or as directed by Company.
3.3 De-Identified and Aggregate Data License. Company hereby grants Townsquare a non-exclusive, worldwide, royalty-free, perpetual license to use, reproduce, distribute, display, and create derivative works of De-Identified Data derived from Company Data, solely for the purposes of: (a) improving, developing, and enhancing the Services and Townsquare’s technology and platform; (b) generating industry benchmarks, statistical analyses, and trend reports; and (c) creating aggregated performance metrics for distribution to clients, prospective clients, and the general public. Townsquare shall implement and maintain reasonable technical and organizational measures to ensure that any De-Identified Data cannot reasonably be re-identified.
4.1 Townsquare shall Process Company Data and Personal Data solely: (a) as necessary to perform the Services and deliver Deliverables under the Agreement and any applicable Insertion Order; (b) as directed or authorized in writing by Company; (c) as necessary for Townsquare’s internal business operations directly related to the provision of the Services (including billing, invoicing, account management, fraud prevention, and security monitoring); and (d) as required by applicable law or legal process, provided that Townsquare, to the extent legally permitted, provides Company with prompt written notice of any such legal requirement prior to Processing.
4.2 Townsquare shall not: (a) Process Company Data or Personal Data for any purpose other than the purposes set forth in Section 4.1; (b) combine Personal Data received from Company with Personal Data received from other sources, except as necessary to perform the Services or as permitted under Applicable Data Protection Laws; (c) retain Personal Data for longer than is reasonably necessary to fulfill the purposes for which it was collected or as required by applicable law; or (d) make any determination as to whether Company Data includes Personal Data subject to Applicable Data Protection Laws, such determination being the sole responsibility of Company.
4.3 Townsquare shall not Process Personal Data outside the United States without the prior written consent of Company.
5.1 Company represents, warrants, and covenants that: (a) it has provided, and will provide, all required notices to, and has obtained, and will obtain, all required consents, permissions, and authorizations from, data subjects and other applicable persons as required by Applicable Data Protection Laws in connection with the collection, transfer, and Processing of Personal Data under this DPA and the Agreement; (b) all Personal Data provided by Company to Townsquare has been collected in compliance with Applicable Data Protection Laws, including all applicable privacy policies and disclosures; (c) Company’s instructions to Townsquare for the Processing of Personal Data shall comply with Applicable Data Protection Laws; and (d) any privacy policy applicable to websites or properties on which Tracking Technologies are deployed in connection with the Services accurately and conspicuously discloses the use of all Tracking Technologies (regardless of whether such Tracking Technologies are installed, configured, or operated by Company, Townsquare, or any third party), identifies all third parties (including Townsquare and any advertising or analytics providers) that may collect, receive, or access data through such Tracking Technologies, and describes the types of data collected and the purposes for which such data is used.
5.2 Company shall be solely responsible for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Company Data, including all Personal Data contained therein, and for ensuring that its collection and provision of Company Data to Townsquare does not violate Applicable Data Protection Laws or the rights of any third party.
5.3 Where Company provides Personal Data consisting of audience targeting lists, customer match lists, physical addresses, or similar data sets, Company represents and warrants that such data was lawfully collected and that Company has the legal authority to provide such data to Townsquare for use in connection with the Services.
6.1 Townsquare shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Company Data and Personal Data against unauthorized access, acquisition, use, disclosure, alteration, or destruction. Such safeguards shall be consistent with industry standards for digital advertising technology providers and shall, at a minimum, include: (a) encryption of Personal Data in transit and at rest using industry-standard encryption protocols; (b) access controls limiting access to Personal Data to authorized personnel on a need-to-know basis; (c) regular vulnerability assessments and penetration testing of systems that Process Personal Data; (d) intrusion detection and prevention systems; (e) employee security awareness training; and (f) documented incident response procedures.
6.2 Townsquare shall regularly test, assess, and evaluate the effectiveness of its security measures and make improvements as reasonably necessary to maintain the security of Personal Data.
6.3 Upon Company’s reasonable written request (no more than once per twelve-month period), Townsquare shall provide Company with a summary of its then-current security measures, which may take the form of a SOC 2 Type II report, completed security questionnaire, or other commercially reasonable documentation. Townsquare shall not be required to disclose specific security configurations, proprietary technology, or information that would compromise the security of its systems.
7.1 Company acknowledges that Townsquare engages Third-Party Suppliers and other subprocessors in connection with the Services. Company hereby provides general written authorization for Townsquare to engage subprocessors to Process Personal Data, subject to the requirements of this Section 7.
7.2 Townsquare shall: (a) enter into a written agreement with each subprocessor imposing data protection obligations no less protective than those set forth in this DPA; (b) remain responsible for the acts and omissions of its subprocessors to the same extent Townsquare would be responsible if performing the Processing directly; and (c) maintain a current list of subprocessors, which Townsquare shall make available to Company upon written request.
7.3 Townsquare shall notify Company in writing at least thirty (30) days prior to engaging any new subprocessor that will Process Personal Data (or, where prior notice is not reasonably practicable due to the nature of the Services, as soon as reasonably practicable thereafter). If Company objects to a new subprocessor on reasonable grounds relating to data protection, the Parties shall discuss Company’s concerns in good faith with a view to achieving a commercially reasonable resolution. If the Parties are unable to reach a resolution within thirty (30) days, Company may terminate the affected Insertion Order(s) without penalty.
8.1 If Townsquare receives a request directly from an individual (or from Company on behalf of an individual) to exercise any right under Applicable Data Protection Laws with respect to Personal Data (including, without limitation, rights of access, deletion, correction, portability, or opt-out), Townsquare shall: (a) promptly notify Company of the request (and in no event later than five (5) business days after receipt); and (b) reasonably cooperate with and assist Company in responding to the request, including by providing such information, access, or technical assistance as Company may reasonably require.
8.2 Townsquare shall not respond directly to a data subject request unless required by applicable law or authorized by Company in writing, and shall redirect any individual making such a request to Company.
8.3 To the extent required by the CCPA or other Applicable Data Protection Laws, Townsquare shall assist Company in ensuring compliance with data subject rights obligations by maintaining the ability to identify and locate Personal Data associated with a particular individual, and by implementing reasonable processes to honor opt-out signals, deletion requests, and similar directives received from Company.
9.1 Townsquare shall notify Company in writing without unreasonable delay, and in any event within seventy-two (72) hours of becoming aware of a confirmed Data Breach affecting Company Data or Personal Data. The notification shall include, to the extent then known: (a) a description of the nature of the Data Breach, including the categories and approximate number of data subjects and records affected; (b) the likely consequences of the Data Breach; (c) the measures taken or proposed to be taken by Townsquare to address the Data Breach and mitigate its effects; (d) the name and contact information of a Townsquare representative from whom additional information may be obtained; and (e) a description of the data affected.
9.2 Townsquare shall: (a) take all commercially reasonable steps to contain, investigate, and remediate the Data Breach and to mitigate any resulting harm to affected individuals; (b) cooperate with Company in Company’s investigation and response to the Data Breach; and (c) provide Company with such additional information regarding the Data Breach as Company may reasonably request, promptly as such information becomes available.
9.3 Townsquare shall not notify any data subject, government authority, or other third party of a Data Breach affecting Company Data or Personal Data without Company’s prior written consent, unless such notification is required by applicable law (in which case Townsquare shall, to the extent legally permitted, provide Company with advance notice and an opportunity to review and comment on the proposed notification).
9.4 The obligations set forth in this Section 9 apply to any confirmed Data Breach. For suspected but unconfirmed security events, Townsquare shall investigate promptly and notify Company if the event is confirmed as a Data Breach.
10.1 Upon termination or expiration of the Agreement, or upon Company’s earlier written request with respect to a specific Insertion Order, Townsquare shall, at Company’s election: (a) return all Company Data (including Personal Data) to Company in a commercially standard, machine-readable format; or (b) securely delete or destroy all Company Data (including Personal Data) in Townsquare’s possession or control, and, upon Company’s written request, provide written certification of such deletion or destruction signed by an authorized representative of Townsquare.
10.2 Townsquare shall complete the return or deletion of Company Data within thirty (30) days of receiving Company’s written instruction. Townsquare may retain one (1) archival copy of Company Data solely for internal compliance and legal defense purposes, provided that any such retained copy remains subject to the confidentiality and data protection obligations of this DPA and the Agreement for as long as it is retained.
10.3 Townsquare is not required to delete or return De-Identified Data that has been derived from Company Data in accordance with Section 3.3 of this DPA.
11.1 CCPA Compliance. To the extent the CCPA applies to the Processing of Personal Data under this DPA: (a) Townsquare is a “Service Provider” (as defined in the CCPA) with respect to Personal Data it Processes on behalf of Company; (b) Townsquare shall not sell or share (as defined in the CCPA) Personal Data; (c) Townsquare shall not retain, use, or disclose Personal Data for any purpose other than the business purposes specified in this DPA and the Agreement, or as otherwise permitted by the CCPA; (d) Townsquare shall not retain, use, or disclose Personal Data outside of the direct business relationship between Townsquare and Company, except as permitted by the CCPA; and (e) Townsquare certifies that it understands and will comply with the restrictions and obligations set forth in this Section 11.1 and the CCPA.
11.2 Other State Privacy Laws. To the extent any other state consumer privacy law (including, without limitation, the Virginia CDPA, Colorado CPA, Connecticut CTDPA, and Texas TDPSA) applies to the Processing of Personal Data under this DPA, Townsquare shall comply with all applicable requirements imposed on processors (or the equivalent role) under such laws, including, without limitation, any requirements relating to data processing assessments, consumer rights assistance, and data protection agreements.
11.3 IAB Multi-State Privacy Agreement. To the extent the Parties are signatories to, or certified partners under, the IAB Multi-State Privacy Agreement (“MSPA”), the terms of the MSPA shall apply to the Processing of Personal Data in connection with the Services as supplementary to this DPA. In the event of any conflict between the MSPA and this DPA, the more protective provision with respect to Personal Data shall control.
11.4 Cooperation. Each Party shall reasonably cooperate with the other in connection with any investigation, inquiry, or request from a governmental authority relating to the Processing of Personal Data under this DPA. Townsquare shall promptly notify Company if it receives any such inquiry or request directly, to the extent legally permitted.
12.1 Cookies and Tracking Technologies. To the extent the Services involve the placement or reading of cookies, pixels, tags, web beacons, device identifiers, or similar tracking technologies (collectively, “Tracking Technologies”) on end-user devices or Company’s or Client’s websites or properties, Company acknowledges that Townsquare may install, configure, or operate Tracking Technologies as part of the Services. Company is solely responsible for all Tracking Technologies deployed on Company’s or Client’s properties in connection with the Services, regardless of whether such Tracking Technologies are installed, configured, or operated by Company, Townsquare (at Company’s direction or as part of the Services), or any third party. Without limiting the foregoing, Company is solely responsible for ensuring that: (a) adequate disclosures are made in the applicable privacy policy regarding the use of all Tracking Technologies, including identification of all third parties that may collect, receive, or access data through such Tracking Technologies; (b) all consents required under Applicable Data Protection Laws are obtained from end users prior to the activation of any Tracking Technologies, including “opt-in” or affirmative consent where required by applicable laws (including, without limitation, the California Invasion of Privacy Act); and (c) Company or Client has implemented an appropriate consent management mechanism on the applicable website or property. Townsquare shall have the right, in its sole discretion and without liability to Company, to disable, suspend, or remove any Tracking Technologies from Company’s or Client’s properties if Townsquare reasonably determines that Company or Client has not implemented adequate consent mechanisms or that continued operation of such Tracking Technologies may expose Townsquare to legal risk.
12.2 Geolocation and Address-Based Targeting. Where the Services include geolocation-based targeting, addressable geofencing, or similar location-based advertising capabilities: (a) Townsquare shall Process geolocation data and physical addresses solely for the purpose of targeting Company’s advertising campaigns through the Services; (b) Townsquare shall assign randomly generated unique identifiers to matched geolocation data and shall not provide Company with device-level identifiers associated with physical addresses for the purpose of identifying individual users; (c) Townsquare shall destroy physical addresses provided by Company promptly following the completion of the matching process, retaining only the geolocation coordinates and associated unique identifiers necessary for campaign targeting; and (d) Townsquare shall comply with any subpoena or legal request for device location data as required by law.
12.3 Audience and Targeting Data. Company acknowledges that certain audience segments, behavioral data, and targeting data available through the Services may be sourced from third-party data providers. Townsquare shall use commercially reasonable efforts to ensure that such third-party data is provided in compliance with Applicable Data Protection Laws, but Townsquare makes no representations or warranties regarding the accuracy, completeness, or legal compliance of third-party data. Company assumes sole responsibility for its selection and use of audience targeting parameters.
12.4 Tracking Technologies Indemnification. Without limiting any other indemnification obligations under the Agreement, Company shall defend, indemnify, and hold harmless Townsquare and its parent, subsidiaries, affiliates, directors, officers, employees, agents, successors, and assigns from and against any and all claims, demands, actions, suits, proceedings, liabilities, judgments, damages, losses, settlements, penalties, fines, costs, and expenses (including reasonable attorneys’ fees and costs of investigation) arising out of or in connection with the use, deployment, configuration, or operation of any Tracking Technologies on Company’s or Client’s websites or properties, including, without limitation, claims arising under the California Invasion of Privacy Act (Cal. Penal Code § 630 et seq.), the California Comprehensive Computer Data Access and Fraud Act (Cal. Penal Code § 502), the California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200 et seq.), or any similar federal, state, or foreign law, regardless of whether such Tracking Technologies were installed, configured, or operated by Company, Townsquare, or any third party, and including any claim that adequate consent was not obtained from end users or that adequate disclosures were not made in the applicable privacy policy.
13.1 Except as set forth in Section 13.2, the limitations of liability and exclusions of damages set forth in the Agreement shall apply to any claims arising under or in connection with this DPA.
13.2 Notwithstanding Section 13.1, the following claims shall not be subject to the limitation of liability set forth in the Agreement: (a) either Party’s liability arising from a willful or grossly negligent breach of its obligations under this DPA; (b) either Party’s indemnification obligations under the Agreement to the extent arising from a breach of this DPA; and (c) either Party’s liability arising from a violation of Applicable Data Protection Laws caused by such Party’s willful misconduct.
14.1 This DPA shall become effective on the Effective Date of the Agreement and shall remain in effect for as long as Townsquare Processes Company Data or Personal Data under or in connection with the Agreement.
14.2 The following provisions of this DPA shall survive any termination or expiration of the Agreement or this DPA: Sections 3 (Data Ownership), 4.2 (Processing Restrictions, to the extent Townsquare retains any data), 6 (Technical and Organizational Security Measures, for so long as Townsquare retains any Company Data), 9 (Data Breach Notification), 10 (Data Return and Deletion), 11 (Privacy Law Compliance, to the extent Townsquare retains any data), 13 (Limitation of Liability), and this Section 14.
15.1 Townsquare may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, industry standards, or Townsquare’s data processing practices. Any material changes to this DPA shall be communicated to Company by posting the updated DPA at the URL referenced in the Agreement and providing notice to Company at the email address on file. Company’s continued use of the Services following any update constitutes acceptance of the updated DPA.
15.2 If any update to this DPA materially diminishes Company’s rights or materially expands Townsquare’s Processing of Personal Data, Company may object in writing within thirty (30) days of receiving notice of the update. If the Parties are unable to resolve the objection within thirty (30) days, Company may terminate the Agreement without penalty, and the prior version of the DPA shall govern through the termination effective date.
16.1 In the event of any conflict between this DPA and the Agreement with respect to data privacy, data protection, or information security matters, this DPA shall control.
16.2 This DPA shall be governed by and construed in accordance with the governing law provision of the Agreement.
16.3 All notices under this DPA shall be provided in accordance with the notice provisions of the Agreement.
