Privacy Shield and GDPR Data Processing Addendum for Everflow Platform Services

This Privacy Shield and GDPR Data Processing Addendum (“DPA”) forms part of the Service Terms located at https://everflow.io/service-terms.html and the Order Form (together, the “Agreement”), entered into by and between the Customer and Everflow Technologies Inc. (“Everflow”), pursuant to which Customer accesses, uses and has accessed and used Everflow’s Platform Services (as defined in the Agreement).

Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement. This Addendum applies to and takes precedence over the Agreement and any associated contractual document between the parties, such as an order form, statement of work or data protection addendum thereunder, to the extent of any conflict.

Everflow and Customer agree as follows:

  1. Definitions and Scope.
    1. For purposes of this Addendum:
      1. “GDPR” means General Data Protection Regulation (Regulation (EU) 2016/679).
      2. “Personal Data” means any information that has been provided by or for Customer to the Platform Services or collected and Processed by or for Customer through the Platform Services, relating to an identified or identifiable individual within the European Union. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
      3. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    2. This Addendum applies to the Personal Data that Everflow receives from Customer, or otherwise Processes for or on behalf of Customer, in connection with the Agreement. For the purposes of this Addendum, Customer is the data controller and Everflow is the data processor, each as defined in the GDPR.

    3. By way of background, but without limiting the scope of this Addendum, the Agreement involves the following:
      1. Subject matter, nature and purpose of Processing: the provision of advertising services using the Platform Services. See the Agreement for details.
      2. Anticipated duration of Processing: For the term of the Agreement and thereafter for so long as Personal Data is retained in the Platform Services at Customer’s direction.
      3. Categories of Personal Data typically subject to Processing under the Agreement: data collected in connection with advertising services. See Appendix 1 for details.
      4. Typical categories of data subjects (i.e., the individuals to whom the Personal Data relate): individuals to whom advertisements are displayed using the Platform Services.
    4. The provisions of this Addendum survive the termination or expiration of the Agreement for so long as Everflow or its direct or indirect subcontractors have custody, control or possession of the Personal Data.
  2. Privacy Shield
    1. Everflow will use and disclose the Personal Data only to lawfully provide services to Customer and otherwise as permitted under the Agreement.
    2. Everflow will provide at least the same level of substantive protection for the Personal Data as is required under the EU-U.S. and Swiss-U.S. Privacy Shield programs, though this Addendum does not require Everflow to join such programs, and Everflow does not represent that it is a member of such programs, nor that it complies with the dispute resolution or jurisdictional requirements of such programs. If Everflow determines that it can no longer provide this level of protection, Everflow will promptly notify Customer of this determination, and Customer shall have the right to terminate the Agreement or any component of it without penalty upon notice to Everflow.
    3. Upon notice, Everflow will take reasonable and appropriate steps to stop and remediate unauthorized Processing of the Personal Data.
    4. Customer may provide this Addendum and a copy of the relevant privacy provisions of the Agreement to the U.S. Department of Commerce upon its request (as required under the Accountability for Onward Transfer Principle of the Privacy Shield programs).
  3. General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”)
    1. Customer’s instructions for the Processing of Personal Data shall comply with the GDPR. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer shall ensure that Customer is entitled to transfer the relevant Personal Data to Everflow so that Everflow and its sub-processors may lawfully Process the Personal Data in accordance with this Addendum and the Agreement on Customer’s behalf.
    2. Everflow will Process the Personal Data only on behalf of and in accordance with documented instructions from Customer, including with regard to transfers of Personal Data, unless required to do so by European Union or member state law to which Everflow is subject. In such case, Everflow shall inform Customer of that legal requirement before Processing, unless that law prohibits providing such information on important grounds of public interest within the meaning of the GDPR. Customer instructs Everflow to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement, which includes updating the Platform Services and preventing or addressing service or technical issues; (ii) Processing initiated by Customer’s users in their use of the Platform Services; and (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
    3. Everflow will ensure that the persons Everflow authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Without limiting the foregoing, Everflow will take steps to ensure that any natural person acting under the authority of Everflow and who has access to Personal Data does not Process the Personal Data except on instructions from Customer unless required to do so by European Union or member state law as described above.
    4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for impact on the individuals to whom the Personal Data relates, Everflow shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the following (among other things) as appropriate:
      1. the pseudonymization and encryption of Personal Data;
      2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
      3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
      4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

    In assessing the appropriate level of security, Everflow shall in particular take account of the risks presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data.

    1. Customer acknowledges and expressly agrees that Everflow’s subsidiaries may be retained as sub-processors for the Processing of Personal Data and that Everflow may subcontract the collection or other Processing of Personal Data; provided that Everflow shall be liable for the acts and omissions of its sub-processors to the same extent it would be liable if performing the services of each sub-processor directly under the terms of this DPA and the Agreement. Further:
      1. Everflow shall ensure that each sub-processor is subject to the same data protection obligations as set out herein.
      2. The current list of sub-processors for the Services who process Customer-supplied Personal Data (“Sub-processor List”) is available here. Everflow shall make available to Customer a mechanism to subscribe to notifications of new sub-processors for the Service, to which Customer shall subscribe, and if Customer subscribes, Everflow shall provide notification of a new Sub-processor(s) before authorizing any new sub-processor(s) to process Personal Data in connection with the provision of the applicable Services.
    2. In the event Customer has a reasonable objection to such new sub-processor, Customer may object to Everflow’s use of a new Sub-processor by notifying Everflow promptly in writing within ten (10) days after receipt of Everflow’s notice. Such notice shall explain the reasonable grounds for the objection. Upon receipt of such notice, Everflow will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Everflow is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Everflow without the use of the objected-to new Sub-processor by providing written notice to Everflow. Upon such termination, Everflow will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
    3. Taking into account the nature of the Processing, Everflow will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests by individuals (or their representatives) for exercising their rights under the GDPR (such as rights to access their Personal Data).
    4. Everflow will assist Customer in ensuring Customer’s compliance with the security obligations of the GDPR, as relevant to Everflow’s role in Processing the Personal Data, taking into account the nature of Processing and the information available to Everflow.
    5. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. Everflow shall notify Customer without undue delay, and in no event later than seventy-two (72) hours, after becoming aware of a Personal Data Breach concerning Personal Data Processed by Everflow or any of its subcontractors and where available, provide a description of the nature of the Personal Data Breach, the name and contact information of the data protection officer or point of contact, likely consequences of the Personal Data Breach, and description of any measures taken or proposed to address the Personal Data Breach and/or mitigate its possible adverse effects. Everflow shall use reasonable efforts to assist Customer with any communications required as a result of such a Personal Data Breach.
    6. Everflow will provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of the Processing or proposed Processing of the Personal Data involving Everflow.
    7. Everflow will provide reasonable assistance to and cooperation with Customer for Customer’s consultation with supervisory authorities in relation to the Processing or proposed Processing of the Personal Data involving Everflow.
    8. Everflow will, in coordination with Customer, comply with any applicable obligation of Everflow itself under the GDPR to consult with a supervisory authority in relation to its Processing or proposed Processing of the Personal Data.
    9. Everflow will, at the choice of Customer, return to Customer and/or securely destroy all Personal Data upon the end of the provision of services relating to Processing except to the extent that European Union or member state law requires storage of the Personal Data.
    10. Customer may contact Everflow in accordance with the “Notices” provisions of the Agreement to request an audit of the procedures relevant to the protection of Personal Data, no more than once per calendar year during the term of the Agreement. Customer shall reimburse Everflow for any time expended for any such on-site audit at Everflow’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Everflow shall mutually agree upon the auditor (which may not be an Everflow competitor), the scope, timing, and duration of the audit, and the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Everflow.
    11. Everflow will make reasonably available to Customer all information necessary for Customer to comply with Customer’s recordkeeping obligations under the GDPR with respect to Everflow’s Processing of the Personal Data.
    12. To the extent legally permitted, Customer shall be responsible for any costs arising from Everflow’s provision of any assistance and cooperation required to be provided by Everflow hereunder, including any fees associated with provision of additional functionality; provided, however, that this paragraph shall not apply to activities undertaken by Everflow under Section 4.6 if the relevant Personal Data Breach was caused by Everflow.
    13. If the GDPR takes effect in European Economic Area jurisdictions that are outside the European Union, references in this Addendum to the European Union and its member states shall be deemed amended to include such jurisdictions, consistent with their adoption of the GDPR.

Appendix 1

The table below contains Personal Data Parameters that the Everflow Platform Services allow to be collected from end users by default. Please note that while some of these data elements are more properly administrative data for the use of the Platform Services, they must be treated as Personal Data while tied to identifiable Personal Data like IP addresses or unique identifiers such as the IDFA.

Data Parameter Description

Affiliate Sub ID 1

Affiliate Sub ID 2

Affiliate Sub ID 3

Affiliate Sub ID 4

Affiliate Sub ID 5

Affiliate Source ID

Name of the creative

Type of the creative (i.e., banner, video, ...)

Creative ID in Everflow

Extra URL ID in Everflow

Option to rotate destination URL

Generate an asynchronous tracking call; the user won't be redirected, and the transaction ID and redirect URL will be sent back in JSON format.

User-agent associated to the click request (only if not empty)

IP associated to the click request (only if not empty)

Publisher specific unique user ID associated with a user

Apple's Identifier for iOS 6+

MD5 value of the IDFA

SHA1 value of the IDFA

Google Advertiser ID

MD5 value of the Google Advertiser ID

SHA1 value of the Google Advertiser ID

Unique ID for Android devices

MD5 value of the Android ID

SHA1 value of the Android ID

App Identifier 

Deep link parameter

Specific to a test tracking link, indicates that no payout/revenue will be generated from that click