
CONFIDENTIAL

ADCOLONY DATA PROCESSING ADDENDUM

This AdColony Data Processing Addendum (“DPA”) is incorporated by reference into any and all services
agreements, media buying agreements, insertion orders and addendums currently in place between the
Publisher on the signature line below and AdColony, Inc. (“Agreement”). This DPA is entered into as of the
later of the dates beneath the parties’ signatures below. By entering into this DPA, Publisher represents
and warrants that Publisher has the authority to legally bind both the Publisher and all of Publisher’s
personnel, representatives and/or Affiliates operating pursuant to any such Agreement referenced
herein.

The parties agree to comply with the following provisions with respect to any Personal Data of one or
more Data Subjects located in the European Economic Area Processed in connection with the Agreement.
The purpose of the DPA is to ensure such Processing is conducted in accordance with Data Protection
Laws, including the GDPR and with due respect for the rights and freedoms of individuals whose Personal
Data are Processed. References to the Agreement will be construed as including this DPA. To the extent
that the terms of this DPA differ from those in the Agreement, the terms of this DPA shall govern.

1 DEFINITIONS

1.1 “AdColony Third Party Partner” means any entity, exclusive of any AdColony engaged
Processors or Sub-processor, engaged by AdColony for the Processing of Personal Data.

1.2 “Affiliates” means any entity which is controlled by, controls or is in common control with one of
the parties.

1.3 “Data Protection Laws” means all privacy and data protection laws and regulations applicable
to the Processing of Personal Data under the Agreement, including, as applicable: (a) the GDPR;
and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland) and applicable to the
Processing of Personal Data under the Agreement.

1.4 “Data Subject” means the individual to whom Personal Data relates.

1.5 “Effective Date” shall have the meaning ascribed to such term in Section 11.

1.6 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of natural persons with regard to the processing of personal data and
on the free movement of such data, and repealing Directive 95/46/EC.

1.7 “Publisher Third Party Partner” means any entity engaged by Publisher for the Processing of
Personal Data.

1.8 “Privacy Shield” means the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield
Framework as set forth by the US Department of Commerce.

1.9 “Security Breach” has the meaning set forth in Section 7 of this DPA.


1.10 “Sub-processor” means any Processor or sub-processor engaged by AdColony for the Processing
of Personal Data.

1.11 “Supervisory Authority” has the meaning set forth in Article 51 of the GDPR, or means the
Federal Data Protection and Information Commissioner of Switzerland, as applicable.

1.12 “Term” means the period from the Effective Date to the date the DPA is terminated in accordance
with Section 11.1.

1.13 The terms "Controller", “Personal Data”, “Processor,” “Processed” and “Processing,”
have the meanings given to them in Applicable Privacy Laws. If and to the extent that Applicable
Privacy Laws do not define such terms, then the definitions given in EU Data Protection Law will
apply.

2 PROCESSING OF PERSONAL DATA – ARRANGEMENT BETWEEN INDEPENDENT CONTROLLERS

2.1 The parties agree that Publisher and AdColony are Independent Controllers with respect to the
processing of such Personal Data under this DPA as described in Appendix 1. To the extent that the
data protection legislation of another jurisdiction is applicable to either party’s processing of data,
the parties acknowledge and agree that the relevant party will comply with any obligations
applicable to it under that legislation with respect to the processing of that data. Both parties shall
keep a record of all Processing activities with respect to Personal Data covered under this DPA as
required under GDPR.

2.2 Each party will comply with the obligations applicable to it under the Data Protection Laws with
respect to the processing of Personal Data covered under this DPA, including but not limited to: (i)
providing the other party contact details for each party’s Data Protection Officer which are
accurate and up to date; (ii) providing reasonable information and assistance to the other party
conducting data protection impact assessments as required by Data Protection Laws; and (iii)
providing reasonable information and assistance to the other party regarding consultations
between that party and a Supervisory Authority. Publisher shall, in its use or receipt of the Services,
Process Personal Data in accordance with the requirements of the Data Protection Laws. AdColony
shall, in its provision of the Services, Process Personal Data in accordance with the requirements of
the Data Protection Laws. As between the parties, Publisher shall have sole responsibility (to the
extent legally required) to obtain all consents from Data Subjects necessary for collection, storage
and Processing of Personal Data in the scope of the Services. Upon request, AdColony will provide a
list of any AdColony Third Party Processors to Publisher as necessary to enable Publisher to comply
with this Section 2.2.

2.3 The objective of the Processing of Personal Data by AdColony is the performance of the Services
pursuant to the Agreement. Publisher agrees that AdColony will Process Personal Data for the
following purposes: (i) Processing in accordance with the Agreement in order to provide the
Services; and (ii) Processing to comply with other reasonable instructions provided by Publisher
where such instructions are acknowledged by AdColony as consistent with the terms of the
Agreement. AdColony may Process Personal Data other than as written herein if it is mandatory
under applicable law to which AdColony is subject. In this situation AdColony shall inform the
Publisher of such a requirement unless the law prohibits such notice.


3 RIGHTS OF DATA SUBJECTS

3.1 Each party is separately responsible for honouring Data Subject access requests under Data
Protection Law (including its rights of access, correction, objection, erasure and data portability, as
applicable) and responding to correspondence, inquiries and complaints from data subjects. Each
party shall provide reasonable and timely assistance to the other party as necessary to help
facilitate compliance with this Section 3.1. If required by Article 21 of the GDPR, Publisher shall
make available the mechanism(s) by which AdColony enables Data Subjects to object to Processing.

4 ADCOLONY AND PUBLISHER PERSONNEL

4.1 Both parties shall ensure that their respective personnel engaged in the Processing of Personal
Data under this DPA are informed of the confidential nature of the Personal Data as well as any
security obligations with respect to such Personal Data.

4.2 AdColony will take appropriate steps to ensure compliance with the Security Measures outlined in
Appendix 2 by its personnel to the extent applicable to their scope of performance, including
ensuring that all persons authorized to process Personal Data under this DPA have committed
themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and
that any such obligations survive the termination of that individual’s engagement with AdColony.

4.3 AdColony shall ensure that access to Personal Data covered under this DPA is limited to those
personnel who require such access to perform the Services. Company shall ensure that access to
Personal Data covered under Tier 1 Services pursuant to this DPA is limited to those personnel who
require such access to receive the Services.

5 SUB-PROCESSORS

5.1 Publisher acknowledges and agrees that AdColony may engage third-party Sub-processors in
connection with the provision of the Services. Any such Sub-processors will be permitted to obtain
Personal Data only to deliver the services AdColony has retained them to provide and are
prohibited from using Personal Data for any other purpose. AdColony will have a written
agreement with each Sub-processor and agrees that any agreement with a Sub-processor will
include substantially the same data protection obligations as set out in this DPA.

5.2 A list of Sub-processors is available in the AdColony user interface or at a particular web page
hosted by AdColony. AdColony may change the list of such other Sub-processors by no less than 10
business days’ notice via the AdColony user interface. If Publisher objects to AdColony’s change in
such Sub-processors, AdColony may, as its sole and exclusive remedy, terminate the portion of the
Agreement relating to the Services that cannot be reasonably provided without the objected-to
new Sub-processor by providing 30 days’ written notice to Publisher.

5.3 AdColony shall be liable for the acts and omissions of its Sub-processors to the same extent
AdColony would be liable if performing the services of each Sub-processor directly under the terms
of this DPA, except as otherwise set forth in the Agreement.


5.4 Publisher acknowledges and agrees that neither Publisher Third Party Partners nor AdColony Third
Party Partners are Sub-processors and AdColony assumes no responsibility or liability for the acts
or omissions of such Publisher Third Party Partners and AdColony Third Party Partners.

6 SECURITY AND AUDIT RIGHTS

6.1 AdColony shall maintain administrative, physical and technical safeguards for protection of the
security, confidentiality and integrity of Personal Data it Processes under this DPA. AdColony will
implement and maintain technical and organizational measures to protect such Personal Data
against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as
described in Appendix 2 (the "Security Measures"). As described in Appendix 2, the Security
Measures include measures to encrypt Personal Data; to help ensure ongoing confidentiality,
integrity, availability and resilience of AdColony’s systems and services; to help restore timely
access to Personal Data following an incident; and for regular testing of effectiveness. AdColony
may update or modify the Security Measures from time to time provided that such updates and
modifications do not result in the degradation of the overall security of the Services.

6.2 Both parties will (taking into account the nature of the processing of Personal Data under this DPA)
cooperatively and reasonably assist each other in ensuring compliance with any of each other’s
respective obligations with respect to the security of Personal Data and Personal Data breaches
under this DPA, including (if applicable) any obligations pursuant to Articles 32 to 34 (inclusive) of
the GDPR, by: (a) in the case of AdColony, implementing and maintaining the Security Measures in
accordance with Appendix 2; and (b) complying with the terms of Section 7 of this DPA.

6.3 Publisher may engage a mutually agreed upon third party to audit AdColony solely for the purposes
of meeting its audit requirements pursuant to Article 28, Section 3(h) of the General Data
Protection Regulation (“GDPR”). To request an audit, Publisher must submit a detailed audit plan
at least four (4) weeks in advance of the proposed audit date describing the proposed scope,
duration, and start date of the audit. Audit requests must be sent to gdpr_audit@adcolony.com.
The auditor must be approved in advance by AdColony (such approval may not be unreasonably
withheld) and execute a written confidentiality agreement acceptable to AdColony before
conducting the audit. The audit must be conducted during regular business hours, subject to
AdColony’s policies, and may not unreasonably interfere with AdColony’s business activities. Any
such audits are at Publisher’s expense and any request for AdColony to provide assistance which
requires the use of resources different from or in addition to those required by law may be charged
as a separate service by AdColony under a reasonable fee structure that takes into account the
resources expended by AdColony. Publisher shall promptly notify AdColony with information
regarding any non-compliance discovered during the course of an audit.

7 SECURITY BREACH MANAGEMENT AND NOTIFICATION

7.1 If either party becomes aware of any accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise
Processed on the other party’s equipment or facilities under this DPA (“Security Breach”), such
party will promptly notify the other party of the Security Breach. Notifications made pursuant to
this section will take place within a reasonable time and certainly no longer than three business
days after discovery and shall describe, to the extent possible, details of the Security Breach,
including steps taken to mitigate the potential risks and any recommended steps that either or
both parties should take to address the Security Breach. Each party will promptly investigate the
Personal Data Breach if it occurred on its infrastructure or in another area it is responsible for and
will assist the other party as reasonably necessary for both parties to meet their obligations under
Data Protection Laws.

7.2 Both parties agree that an unsuccessful Security Breach attempt will not be subject to this Section
7. An unsuccessful Security Breach attempt is one that results in no unauthorized access to
Personal Data processed pursuant to this DPA or to any of either party’s equipment or facilities
storing Personal Data, and may include, without limitation, pings and other broadcast attacks on
firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or
similar incidents.

7.3 Notification(s) of Security Breaches, if any, will be delivered to one or more of the other party’s
business, technical or administrative contacts by any reasonable means, including via email. It is
each party’s responsibility to ensure it maintains accurate contact information.

7.4 Any notification of or response to a Security Breach under this Section 7 will not be construed as an
acknowledgement by either party of any fault or liability with respect to the Security Breach.

7.5 AdColony shall implement reasonable technical and organizational Security Measures to provide a
level of security appropriate to the risk in respect to the Personal Data. As technical and
organisational measures are subject to technological development, AdColony is entitled to
implement alternative measures provided they are at least as protected as those offered by the
Security Measures and they do not fall short of the level of data protection set out by Data
Protection Law.

8 RETURN AND DELETION OF PERSONAL DATA

8.1 Both parties will comply with instructions from the other party to delete certain Personal Data as
soon as reasonably practicable and within a maximum period of 30 days, unless Data Protection
Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further
storage.

8.2 On expiry of the Agreement, both parties hereby instruct the other to delete all Personal Data
(including existing copies) from their respective systems and discontinue processing of such
Personal Data in accordance with Data Protection Law as soon as reasonably practicable and within
a maximum period of 60 days, unless Data Protection Law (or, in the case the data is not subject to
Data Protection Law, applicable law) requires further storage. This requirement shall not apply to
the extent that the Personal Data has been archived on back-up systems so long as such Personal
Data is isolated and protected from any further processing except to the extent required by
applicable law.

9 CROSS-BORDER DATA TRANSFERS

9.1 AdColony may, subject to this Section 9, store and process the relevant Personal Data in the
European Economic Area and the United States.


9.2 AdColony self-certified to and complies with the Privacy Shield, and AdColony shall maintain its
self-certification to and compliance with the Privacy Shield with respect to the Processing of
Personal Data that is transferred from the European Economic Area or Switzerland to the United
States.

9.3 At the request of Publisher, or if the Services involve the storage and/or processing of Publisher’s
Personal Data which transfers Publisher’s Personal Data out of the European Economic Area to a
jurisdiction other than the United States that does not have adequate data protection laws, and
the Data Protection Laws apply to the transfers of such data (“Transferred Personal Data”), the
parties will enter into Model Contract Clauses or find an alternative legal basis for such Transferred
Personal Data which is in compliance with Data Protection Laws.

9.4 To the extent Publisher is the recipient of Personal Data from AdColony pursuant to this DPA,
Publisher will provide at least the same level of protection for the information as is available under
the Privacy Shield framework or Model Contractual Clauses.

10 LIABILITY

10.1 Both parties agree that their respective liability under this DPA shall be apportioned according to
each party’s respective responsibility for the harm (if any) caused by each respective party.

10.2 Liability Cap Exclusions. Nothing in this Section 10 will affect the remaining terms of the Agreement
relating to liability (including any specific exclusions from any limitation of liability).

11 MISCELLANEOUS

11.1 This DPA will take effect on the date it is executed by Publisher and AdColony at the bottom of this
Agreement (the “Effective Date”) and will remain in effect until, and automatically expire upon, the
deletion of all Personal Data by AdColony or Publisher through the Services as described in this
DPA.

11.2 Nothing in this DPA shall impact Publisher’s intellectual property rights with respect to Personal
Data provided by Publisher under the Agreement except to the extent required by applicable law.

11.3 Nothing in this DPA shall confer any benefits or rights on any person or entity other than the
parties to this DPA.

11.4 This DPA may be executed in any number of counterparts, each of which when executed shall
constitute a duplicate original, but all the counterparts shall together constitute the one
Agreement.


IN WITNESS of which the parties have executed this Agreement on the date set out above.

SIGNED for and on behalf of PUBLISHER


by

Name

Title

Date

Signature

SIGNED for and on behalf of AdColony


by

Name

Title

Date

Signature


Appendix 1 Subject matter and details of the processing

Data exporter: The data exporter is the Publisher.

Data importer: The data importer is AdColony, Inc.

Data subjects: The Personal Data concern the following categories of Data Subjects:
The users of the data exporter's websites, mobile applications and other digital mediums and any data
received from Third Party Partners as described in the AGREEMENT.

Personnel of Publisher such as those seeking login credentials to AdColony’s systems.

Categories of data: The Personal Data concern the following categories of data:

Data on user behavior collected through pixels placed on the data exporter's websites, mobile
applications and/or digital mediums, mobile advertising identifiers and pseudonymous identifiers of the
users of the data exporter's websites, mobile applications and/or digital mediums as outlined in the
AGREEMENT.

For personnel of Publisher, email addresses and other data necessary for AdColony to fulfil its
contractual obligations.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify): None

Processing operations: The Personal Data transferred will be subject to the following processing activities:

The data importer will access, reproduce, display and store the relevant personal data in order to provide
the services as set out in the Agreement and for no other purposes whatsoever.


Appendix 2

Description of the technical and organizational security measures implemented by the
data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation
attached):

1. Data Protection Management

AdColony has implemented “appropriate technical and organizational measures” to protect data
subjects’ rights as required under GDPR Article 32. For example, we have already established the
following appropriate security measures suggested under Article 32:

• The encryption of personal data in transit and at rest (with transport layer security (TLS) and
SSL certificates (of at least 2048-bits) and other measures to protect data in transit; keeping
each client application instance and associated subject data isolated in its own logically
discrete production environment; having unique session tokens, configurable session timeout
values and password policies applied to prevent unauthorized access; encrypting data at rest
in development, production and backup environments with full disk encryption; and storing
passwords after being one-way hashed).

• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of its
processing systems and services (through a variety of safeguards, including data hosting
replicated to several servers, data backup on hot servers and the capability to receive real-time
notification of data subject record changes).

• The ability to restore the availability of and access to the personal data in a timely manner in
the event of a physical or technical incident (with a tested Business Continuity and Disaster
Recovery Plan).

• A process for regularly testing, assessing and evaluating the effectiveness of technical and
organizational measures for ensuring the security of the processing (accomplished through its
internal and external audits).

2. Incident Response Management

AdColony's Information Security department is committed to protecting AdColony's employees,
partners and the company from illegal or damaging actions by individuals, either knowingly or
unknowingly.
This policy mandates that any individual who suspects that a theft, breach or exposure of
AdColony's Protected data or AdColony's Sensitive data has occurred must immediately provide a
description of what occurred via e-mail to noc@adcolony.com, by calling 310.870.8100, or
through the use of the help desk reporting web page
at https://jira.adcolony.net/servicedesk/customer/portal/24. This e-mail address, phone number,
and web page are monitored by AdColony’s Information Security Administrator, who will initiate
the AdColony Incident Response Plan & Procedures, which are designed to investigate all
reported thefts, data breaches and exposures, and to notify customers, where required, in a
GDPR-compliant manner and time window if such a breach occurs.

3. Data Protection by Design and Default

Pursuant to Article 42, AdColony is in the process of obtaining a certification from ePrivacy in
order to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of Article
25. In addition, ePrivacy Consult is our Data Protection Officer.
In addition, AdColony has designed a Personal Data Exchange (PDX) which controls access to
personal data for all systems in AdColony to help enforce GDPR. It enables a complete separation
of personal data collected from external sources and uses of that data internally. This is
accomplished through a mapping of raw device ID to a randomly generated device token. All
internal storage and processing of personal data is keyed from this device token, and the storage
of the raw device ID is salted and encrypted (one-way hash). Since the device token is randomly
assigned, if there were any leakage of data from internal data stores, it would be useless in
identifying the individual. A similar process is used for IP address which is used by AdColony
services for general location information and fraud detection. The location information is set to
aggregates like DMA, zipcode, city, state, country, etc.

4. Order or Contract Control

Where required because of processing or storage of EEA citizens' or residents' personal data, or
where otherwise required by GDPR, AdColony will only sign contracts with GDPR-compliant
advertisers, publishers and vendors, and will ensure that contracts or MSAs have language
indicating the partners' GDPR compliance. As a control to ensure compliance to policy, any
contracts have to be signed by AdColony employees with a title of Director or above.

5. Physical Access control


Please describe measures to prevent unauthorized access to data processing systems with which
the personal data is processed and used:

AdColony (“data importer”) runs all data processing for their platform via Amazon Web Services,
a professional, third-party data center with a defined and protected physical perimeter, strong
physical controls including access control mechanisms, controlled delivery and loading areas,
surveillance and 24x7x365 guards. Only AWS authorized representatives have access to the data
center premises.

6. Denial-of-use control
Please describe measures to prevent unauthorized use of data processing systems:

All systems level access is based on directory services and/or role based security. All end user
level access to AdColony Console is based on role-based security. Shared accounts are not
allowed.


The data importer undertakes the following actions, among others, to ensure that persons
authorized to use the AdColony Platform or access data processing infrastructure can only access
the data underlying their access authorization and that stored data or data undergoing processing
cannot be read, copied, altered, or removed without authorization.
The data importer's employees access infrastructure components with unique accounts that
require strong passwords. Access groups have been established to restrict access to only the
specific areas that are required for employee responsibilities.
Customers of the data importer may be granted access to the AdColony platform. Access to the
AdColony platform is limited via a user name and a password to the customer’s authorized
persons and additionally to equivalently authorized employees of the data importer. Physical and
logical infrastructure configuration prevents the access of one customer’s data by another
customer.
More detailed information around specific risks and mitigation policies is available upon
request by emailing gdpr@adcolony.com.

7. Data Access control


Please describe measures to ensure that persons entitled to use a data processing system have
access only to the data to which they have a right of access, and that personal data cannot be
read, copied, modified or removed without authorization in the course of processing or use and
after storage:

The data importer employs a centralized access management system to control personnel access
to production servers, and only provides access to a limited number of authorized personnel.
These mechanisms are designed to grant only approved access rights to site hosts, logs, data and
configuration information. The data importer requires the use of unique user IDs, strong
passwords, and carefully monitored access lists to minimize the potential for unauthorized
account use. The granting or modification of access rights is based on: the authorized personnel’s
job responsibilities; job duty requirements necessary to perform authorized tasks; a need to know
basis; and must be in accordance with the data importer's internal data access policies and
training. Approvals are managed by workflow tools that maintain audit records of all changes.
Access to systems is logged to create an audit trail for accountability. Where passwords are
employed for authentication (e.g., login to workstations), password policies that follow at least
industry standard practices are implemented. These standards include password expiry,
restrictions on password reuse and sufficient password strength.
In addition, the data importer has implemented several security related policies that govern the
use of AdColony technology and data including an Acceptable Use Policy, Data Classification
Policy, Information Security Policy, Password Policy, Roles and Responsibility Policy. Further detail
is available upon request by emailing gdpr@adcolony.com.

8. Data Transmission control


Please describe measures to ensure that personal data cannot be read, copied, modified or
removed without authorization during electronic transmission or transport or storage on data
media, and that it is possible to check and establish to which bodies the transfer of personal data
by means of data transmission facilities is envisaged:


Data is encrypted by measures such as SSL. Personal data shall not be transferred outside the
scope as authorized under these Clauses, or as otherwise authorized by the data exporter. The
data importer keeps industry standard controls such as data transfer logs in order to ensure that
data is processed in accordance with the instruction of the data exporter.

9. Data Entry control


Please describe measures to ensure that it is possible to check and establish whether and by
whom personal data has been input into data processing systems, modified, or removed:

The data importer implements the AdColony Platform – all data processed in AdColony Platform
by an end user is done on a permissions-based model, all user accounts are enabled/disabled in
accordance with the security policy. All accounts are individual. Shared accounts are not allowed.
Audit Trail is kept for user actions and is logged. The actions logged are inclusive of login/logout,
creating segmentation, and requesting insights reports.
Email and corporate systems access is granted based on directory services and role based
security.

10. Job / subcontractor control


Please describe measures to ensure that, in the case of commissioned processing of personal
data, the data is processed strictly in accordance with the AdClient’s instructions:

The data exporter is primarily a self-service user of the AdColony platform, therefore setting up of
data collection mechanisms, collection of data, verifying data integrity sit with the data exporter.
When the data importer is assisting with projects, a full online project tracking plan is provided &
visible to all parties before, during & post implementation. During weekly meetings any concerns
can be raised & are recorded against the project planner. The personal data shall only be
processed in the manner authorized under these Clauses and all sub processors shall only be
employed in compliance with the provisions of these Clauses.

11. Availability control


Please describe measures to ensure that personal data is protected from accidental destruction
or loss:

AdColony utilizes AWS (Amazon Web Services) as a sub-processor, which is contractually required to
use the data that is passed only as directed by AdColony. AWS has a high level of redundancy in its
cloud setup. Additionally, AdColony conducts back-ups at least daily. Backups are made and
encrypted to AWS, which is ISO27001 certified. AdColony conducts restore tests to confirm
backup integrity at least quarterly. AdColony has a business continuity plan which undergoes
regular testing.

12. Separation control


Please describe measures to ensure that data collected for different purposes can be processed
separately:


The data importer utilizes individual designations of ‘data contracts’ & ‘media providers’ for
collection of data. When commissioned, the data exporter can select from a variety of
‘availability’ options to determine who & how the data can be used. Each ‘data contracts’ or
‘media providers’ is a self-contained pool of data which can be reviewed & audited as such.

AdColony stores data in a multi-tenant environment on servers owned by AWS/AdColony
(LAX01). AdColony logically isolates data on a per end user basis at the application layer.
AdColony logically separates Customer’s data, including data from different end users, from each
other, and data for an authenticated end user will not be displayed to another end user (unless
the former end user or administrator allows the data to be shared). A central authentication
system is used across all Services to increase uniform security of data.

The Customer will be given control over specific data sharing policies. Those policies, in
accordance with the functionality of the Services, will enable Customer to determine the product
sharing settings applicable to end users for specific purposes.

13. Physical location of data centre(s) and operating legal entity


Please give us a complete list of data centre(s) where the data will be stored:

Amazon Web Services (United States), AdColony (LAX01/Redondo Beach, CA)

14. Third Party Data Access


Is it excluded that an external company can access data of the data exporter?

Yes, excluding subcontractors, or when a data exporter has explicitly given permission to a third
party, data specific to a customer cannot be accessed by another customer or any third party.

15. Encryption of stored data


Please explain data encryption measures of stored data.

All connectivity to the data centers for administrators is through encrypted networks such as VPN.
All authentication for end users ID is done through SSL.


16. Certificates
Please let us know whether you have for the data centers where our data are processed any
certificates.

The data importer's Data Center Providers are compliant with SOC/SSAE16, SOX or ISO and their
appropriate reports or certifications can be released to the data importer's customers upon
request after completing appropriate NDA and other paperwork between the Data Center
provider and the applicable customer.

17. Awareness and Training Measures


The data importer has a security awareness training program in place that requires all new hires to
attend security awareness training. Additionally, the data importer is putting in place periodic
retraining for all employees and contractors on an annual basis.
