illumin

Schedule "A" Platform Terms and Conditions

Revised: Jan 5th, 2023

These Terms and Conditions (the “Terms and Conditions”) are entered into between illumin, an Ontario corporation with offices at 70 University Ave, Suite 1200 Toronto, ON M5J 2M4 Canada and the entity specified in the applicable order form (the “Order Form”, and together with these Terms and Conditions, the “Agreement”) with offices at the address specified in the Order Form. illumin reserves the right to update and change these Terms and Conditions from time to time without notice to Advertiser (as defined below).

Article 1

Interpretation

1.1 Definitions

As used herein the following terms shall have the respective meanings indicated below:

“Ad” means any advertisement (including, without limitation, all logos, trademarks, creative materials, graphic images and copy therein) provided to illumin, directly or indirectly, by Advertiser, including without limitation banner advertisements, text advertisements and video advertisements (as such terms are understood in the online advertising industry) and advertisements received from Contracted Clients.

“Ad Exchange” shall mean any exchange where Ad Inventory can be purchased through an Auction.

“Ad Inventory” shall mean any digital advertising inventory made available for sale through an Ad Exchange, including, but not limited to, web display, mobile, application and/or widget-based advertising inventory.

“Advertiser” shall mean the Licensee set forth in the Order Form and shall, for purposes of Advertiser’s obligations under these Terms and Conditions, include any Contracted Client. The obligations of Advertiser and a Contracted Client under this Agreement shall be joint and several.

“Agreement” means collectively these Terms and Conditions, the Order Form, all exhibits hereto, all plans and specifications prepared, and all documents incorporated herein by reference, as amended, modified or supplemented.

“Auction” means the real-time bidding process for Ad Inventory offered through Ad Exchanges.

“Business Day” means any day other than a Saturday, a Sunday or a day observed as a statutory or civic holiday in the Province of Ontario.

“Campaign” means the advertisement campaign to be operated by Advertiser through the Platform.

“Contracted Client” shall have the meaning ascribed to it in Article 3.

“Confidential Information” shall have the meaning ascribed in Article 11;

“Data Protection Laws” means all privacy and data protection laws and regulations applicable to the processing of personal data under the Agreement, including, as applicable: (a) the General Data Protection Regulation (GDPR); and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).

“Exchange” means a buying and clearing engine that is integrated with the Platform and that purchases display space for Ads and handles the Auction logistics (for example, the Google, Yahoo, and/or AppNexus exchanges).

“Mediacost” means the amount billed to Licensee which includes the Exchange cost, the Platform Margin specified in the Order Form, and any third-party data costs, if applicable.

“Platform” means the advertising machine learning advertising platform developed and owned by illumin.
For clarity, all capitalized terms used in these Terms and Conditions but not otherwise defined herein shall have the meaning ascribed to them in the Order Form.

1.2 Extended meanings

Unless the context requires otherwise, words importing the singular include the plural and vice versa and words importing gender include all genders.  The term “including” means “including without limitation”.

1.3 Business Days

If any payment is required to be made or other action is required to be taken pursuant to this Agreement on a day which is not a Business Day, then such payment or action shall be made or taken on the next Business Day.

1.4 Headings

The headings of any Article, Section or part thereof are inserted for purposes of convenience only and do not form part hereof.

Article 2

License

2.1 License grant

illumin hereby grants to Advertiser a non-exclusive, non-transferable license to use the Platform for purposes of conducting Campaigns during the Term in accordance with this Agreement. As between Advertiser and illumin, Advertiser acknowledges that illumin is the owner of all intellectual property rights in and to the Platform including all content thereon (other than the Ads) and, except as otherwise expressly permitted by this Agreement, Advertiser shall not at any time do or suffer to be done any act or thing that will in any way impair the rights ofillumin in and to the Platform. Nothing in this Agreement grants, nor shall Advertiser acquire hereby, any right, title or interest in or to the Platform or any goodwill associated with the Platform, other than those rights expressly granted hereunder. Upon the termination of this Agreement for any reason, all rights in the Platform granted to Advertiser hereunder shall automatically revert to illumin, and Advertiser shall have no further rights in and to the Platform.

2.2 Platform use

Advertiser’s use of the Platform shall at all times comply with all applicable laws, rules, regulations and ordinances as well as any written policies or procedures that illumin may provide to Advertiser from time to time in connection with Advertiser’s use of the Platform. illumin reserves the right to i) monitor the Platform and Advertiser’s use of the Platform from time to time in its sole discretion, ii) review any Ads used by Advertiser through the Platform prior to use, and/or (iii) reject or refuse to serve any Ad that is, in its sole and absolute discretion, objectionable or which, in illumin’s sole and absolute opinion, may expose illumin, any Publisher, or any of its suppliers and each of their affiliates, or its other clients to any harm or liability of any type.

Article 3

Sales agency

Subject to the terms and conditions of this Agreement, illumin hereby grants Advertiser the limited, non-transferrable right (the “Selling Rights”) to act as the sales representative for the Platform (the “Sales Agency Services”) and to provide advertising services to third parties through the Platform (“Advertiser Services”). Exercise of these rights entitle Advertiser:

  1. to advertise the existence of the Platform and the Advertiser Services;
  2. to enter into and execute agreements (in such form as illumin may approve from time to time) in respect of the Advertiser Services (the “Advertiser Agreements”). For purposes of this Agreement, upon entering into an Advertiser Agreement, a third party shall be a “Contracted Client”;
  3. to process all payments from Contracted Clients received in connection with the Advertiser Services (the “Payment Processing”); and
  4. to carry out such other duties and obligations as are specifically authorized by this Agreement.

3.1 Exercise of selling rights

Exercise of the Selling Rights shall be at Advertiser’s sole cost and expense and shall require Advertiser to provide to illumin such content and information about the Contracted Client and the Advertiser Services to be provided to such Contracted Client, as illumin  may request. For the avoidance of doubt, Advertiser shall not permit any Contracted Client to directly use or access the Platform without the written consent of illumin. Rather, Advertiser shall only have the right to use the Platform on behalf of, and for the Contracted Client’s benefit.

Advertiser shall submit to illumin for review any and all advertisements and/or marketing materials (collectively, “Marketing Materials”) to be used by Advertiser in connection with the Sales Agency Services and Advertiser Services. illumin shall have the right to approve or reject the Marketing Materials in its sole discretion. Advertiser shall not make any representations, warranties, statements or claims about the Platform, except as approved by illumin in its sole discretion.

Article 4

Obligation of parties

Advertiser hereby grants to illumin a worldwide, royalty free, sub-licensable, non-exclusive right and license to use, distribute, reproduce, publicly and digitally display and perform, transmit and broadcast (collectively, “Use”) the Ads (and any trademarks, trade names, service marks, copyrights, URLs or other proprietary rights of Advertiser therein) in connection with the Campaign.

Advertiser represents and warrants to illumin that each Ad (and any and all content therein) and the distribution thereof, in accordance with this Agreement:

  1. a. complies, as applicable, with the Interactive Advertising Bureau (“IAB”) Standard Terms and Conditions for Internet Advertising for Media Buys One Year or Less (US), and/or the IAB Standard Terms and Conditions for Internet Advertising for Media Buys One Year or Less and Late Creative Policy (Canada).
  2. does not infringe the patents, copyrights, trademarks, rights of publicity, rights of privacy, moral rights, music performance or other music-related rights, or any other right of any third party.
  3. shall abide by all creative size and format restrictions imposed by the Ad Exchanges and agrees to enter true and correct vendor attributes for all Ad creatives as required by the applicable Ad Exchange including video initiation, advertiser category and all associated metrics.
    Advertiser will not provide any personal information to illumin, other than business contact information relating to Licensee’s employees and agent.
  4. Advertiser will not breach any security measure for the Platform and/or Services or any part there-of, or damage or tamper with any part of the Platform and/or Services.
  5. Advertiser will not provide any Ad that when viewed or clicked on by a visitor(s), causes such visitor(s)’s device to download any software application.
  6. shall notify illumin immediately of any unauthorized use of Advertiser’s password(s) or account(s) or any other known or suspected breach of security occurring through Advertiser’s password(s) or account(s). Advertiser shall report to illumin immediately and shall co-operate with illumin to stop any unauthorized copying or distribution of Platform content by third parties who have gained access through Advertiser’s password(s) or account(s).
  7. does not violate any applicable law, statute, ordinance or regulation regarding the creation and marketing of online materials including, without limitation, those governing false and/or deceptive advertising.
  8. is true, accurate and complete.
  9. is not unlawful, defamatory or libelous.
  10. is not pornographic or obscene.
  11. does not contain viruses, Trojan horses, worms, time bombs, cancel bots or other similar harmful or deleterious programming routines.

Advertiser further represents and warrants that:

  1. Prior to delivery to illumin, Advertiser will have obtained all consents, releases, waivers and rights (including, without limitation, all rights in copyright, moral rights, trade-mark and trade name rights and other intellectual property rights) necessary for the grant to illumin, and exploitation by illumin, of the rights and licenses granted to illumin in the Ads pursuant to this Agreement; illumin reserves, in its sole discretion, the right (but not the obligation) to: (i) review any Ads used by Advertiser through the Platform prior to Use; and/or (ii) to reject or refuse to serve any Ad that is, in its sole discretion, objectionable or which may expose illumin, its suppliers and each of their affiliates, or its other clients to any harm or liability of any type.
  2. Advertiser has paid, or will have paid prior to use thereof, to the proper person, firm or corporation when due and payable, all residual, re-use or similar payments, all step-up fees, all music synchronization fees or royalties, all mechanical reproduction fees or royalties, all performance rights fees or royalties and all license payments and all other amounts payable to third parties as a result of, or in connection with, the Use of the Ads hereunder.
  3. Advertiser represents and warrants that it is in compliance with the Digital Advertising Alliance’s (“DAA”) Self-Regulatory Principles for Online Behavioral Advertising (“DAA OBA Principles”) and the Canadian Self-Regulatory Principles for Online Behavioral Advertising (“DAAC OBA Principles”), including the provision of appropriate notice and choice of online behavioral advertising. Advertiser represents and warrants that any websites where data is collected for online behavioral advertising provides users notice that third parties will collect data for purposes of serving targeted ads and provide a link to a means by which users may opt out of such targeted ads, such as www.aboutads.info or www.youradchoices.ca. For Advertiser’s convenience, we offer the following sample privacy disclosure, but strongly encourage Advertiser to work with counsel to ensure that these disclosures accurately represent Advertiser’s practices as legal requirements may change and/or be subject to differing legal interpretations: “We use a third-party service provider to serve ads and/or collect data on our behalf across the Internet and sometimes on this website.  They may collect information about your visits to our website, and your interaction with our products and services to tailor advertising messages on this website and other sites.  The information collected by these third-parties may include your devices IP address, user agent and other device level pseudonymous information. If you would like more information about this practice and would like to understand your choices about how to control how this information is used, please click here.”

illumin represents that in providing the services pursuant to the Order Form, it shall adhere to applicable laws, including but not limited to applicable privacy law and Data Protection Laws and that the Platform shall operate as described in illumin’s privacy policy located https://illumin.com/legal/privacy/. Notwithstanding the foregoing, illumin reserves the right to run campaigns on the platform of its choosing at its sole discretion.

Article 5

Payment

All late payments shall bear interest at the rate of 2% per month, or the highest rate allowable by law, whichever is lower. Advertiser agrees that it shall be solely liable for payment to illumin of all amounts owing pursuant to the terms hereof, and (if Advertiser is an agency or intermediary) it shall make all necessary payments hereunder, notwithstanding any non-payment to Advertiser by any third party.
In the event of default relating to the payment of any invoice, illumin shall have the right, without penalty or liability, to discontinue the performance of the services provided under the Order Form. Furthermore, Advertiser agrees to pay all costs incurred by illumin in collecting any delinquent payments, including, but not limited to, collection agency and attorneys’ fees and costs.

Article 6

Third party terms

he MoPub programmatic advertising platform (“MoPub”) is accessible through the Platform. If Advertiser accesses and uses MoPub through the Platform, Advertiser shall comply with all applicable MoPub policies, as amended from time to The MoPub policies are available at www.mopub.com/legal. Continued use of MoPub through the Platform following any amendments to the MoPub policies means that the Advertiser has accepted the MoPub policies, as amended. Within three (3) Business Days of receipt, illumin will forward to Advertiser any notices of violation received by illumin from MoPub in relation to Advertiser’s Campaign or use of MoPub. Any fees that are billed by MoPub to illumin arising from Advertiser’s Campaign or Advertiser’s use of MoPub will billed by illumin to Advertiser and Advertiser shall pay illumin within five (5) Business Days of receipt of an invoice for such fees.

If Licensee or a Contracted Client accesses or uses any third-party data functionality (including without limitation third party provider lists, a servers, dynamic creative plugins, and ad verification tags) that are made accessible in the Platform, Licensee and Contracted Clients shall only use such functionality in accordance with the applicable third-party terms and conditions. You can locate those third-party terms and conditions by visiting the website of the third-party provider or by clicking the link to the applicable third-party terms at the illumin third party data list available at https://illumin.com/legal/thirdparty. For greater certainty, Licensee is solely responsible for reviewing and complying with such terms and conditions.

Article 7

Term and termination

The Term of this Agreement shall be as stated in the Order Form, unless earlier terminated by either party in accordance with the terms hereof. This Agreement may be terminated immediately by either party if any of the following events occur:

  1. The other party materially breaches or materially fails to perform any of its obligations under this Agreement, and such breach or failure to perform remains unremedied (if capable of being remedied) for a period of thirty (30) days after the other party has been given written notice thereof;
  2. The other party is in breach or default of any of its payment obligations under this Agreement and such breach or default remains unremedied for a period of seven (7) days after the other party has been given written notice thereof;
  3. The other party becomes bankrupt, insolvent, makes a composition or arrangement with its creditors, has a receiver, administrator, administrative receiver or other encumbrance take possession of or control over any substantial part of its assets, or otherwise undergoes any event analogous to any event referred to above in any jurisdiction.

Upon termination of this Agreement, Advertiser shall immediately discontinue use of the Platform, and all rights granted by illumin to Advertiser under this Agreement shall cease; (ii) Advertiser shall promptly pay to illumin all amounts properly due and owing to illumin hereunder.

If at any time illumin for any reason decides to cease licensing the Platform to third parties for any reason, illumin may cancel this Agreement by providing not less than thirty (30) days’ notice to Advertiser. If Advertiser has pre-paid any funds, illumin shall, without further liability to Advertiser, refund to Advertiser unspent portion of such funds, less any fees properly due and owing to illumin.

Article 8

Disclaimer of warranties

THE PLATFORM, ANY SERVICES PROVIDED BY ILLUMIN HEREUNDER (“SERVICES”), AND ANY AD EXCHANGE WITH WHICH THE PLATFORM MAY EXCHANGE INFORMATION, ANY PUBLISHERS PROPERTIES OR ANY COMBINATION OF ANY OF THE FOREGOING ARE PROVIDED “AS IS” AND ILLUMIN HEREBY EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED, STATUTORY OR IMPLIED, REGARDING THE SERVICES, THE PLATFORM OR ANY PORTIONS THEREOF, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT OR OTHER IMPLIED WARRANTIES ARISING IN THE COURSE OF DEALING OR COURSE OF PERFORMANCE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, ILLUMIN SPECIFICALLY DISCLAIMS, AND MAKES NO REPRESENTATIONS OR WARRANTIES REGARDING: (1) THE NUMBER OF PERSONS WHO WILL VIEW OR ACCESS THE ADS; (2) ANY BENEFIT ADVERTISER OR ANY CONTRACTED CLIENT MIGHT OBTAIN FROM THE PLATFORM, THE SERVICES OR A CAMPAIGN; (3) THAT THE PLATFORM OR THE SERVICES WILL INCREASE SALES, GOODWILL OR ACHIEVE A SPECIFIC RESULT; OR (4) THAT THE MEASURABLE GOALS WILL BE ACHIEVED OR ACHIEVED WITHIN THE BUDGET. ILLUMIN DOES NOT WARRANT: (A) THAT THE PLATFORM OR THE SERVICES WILL BE AVAILABLE AT ALL TIMES OR ANY GIVEN TIME, OR FROM ANY PARTICULAR LOCATION; (B) WILL BE SECURE OR ERROR-FREE; (C) THAT DEFECTS WILL BE CORRECTED; OR (D) THAT THE SERVICES AND/OR THE PLATFORM ARE FREE OF VIRUSES OR OTHER POTENTIALLY HARMFUL COMPONENTS. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED FROM ILLUMIN SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THIS AGREEMENT.

ADVERTISER FURTHER ACKNOWLEDGES AND AGREES: (1) THAT THE USE OF THE PLATFORM AND PERFORMANCE OF THE SERVICES ARE CONTINGENT UPON SUCCESSFUL PERFORMANCE AND OPERATION OF THE INTERNET, AD EXCHANGES AND AUCTIONS AND, ACCORDINGLY, ILLUMIN SHALL NOT BE RESPONSIBLE FOR ANY FAILURES, DELAYS OR DAMAGES CAUSED BY THE MALFUNCTIONING OR DEFAULT OF SAME THAT ARE REASONABLY BEYOND THE CONTROL OF ILLUMIN; AND (2) ALL NUMBERS AND AMOUNTS CONTAINED IN THE ORDER FORM RELATING TO IMPRESSIONS, ACTIONS, ACQUISITIONS OR APPLICATIONS ARE ESTIMATES ONLY AND ARE NOT GUARANTEED BY ILLUMIN. ILLUMIN SHALL FOLLOW A UNIFORM POLICY TO AVOID DISCRIMINATION IN ITS DEALINGS WITH ADVERTISERS AND AGENCIES. ALTHOUGH ILLUMIN MAKES EVERY EFFORT TO UPHOLD THE HIGHEST STANDARDS OF ONLINE MARKETING CONDUCT, IT WILL NOT BE LIABLE TO ADVERTISER FOR ANY LOSSES OR DAMAGES INCURRED BY ADVERTISER OR A CONTRACTED CLIENT AS A RESULT OF ADVERTISER’S OR A CONTRACTED CLIENT’S ACTIONS OR OMISSIONS.

Article 9

Limitations on liability

NEITHER ILLUMIN NOR ITS AFFILIATES WILL BE LIABLE TO ADVERTISER OR ANY THIRD PARTY, UNDER ANY THEORY OF LAW, FOR ANY INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO LOSS OF REVENUE, LOSS OF PROFITS, BUSINESS INTERRUPTION, AND/OR LOSS OF INFORMATION OR DATA, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE NEGATION AND LIMITATION OF DAMAGES SET FORTH IN THIS PARAGRAPH ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE BARGAIN BETWEEN ADVERTISER AND ILLUMIN. THE RIGHTS AND LICENSES GRANTED BY ILLUMIN HEREUNDER WOULD NOT BE PROVIDED WITHOUT SUCH LIMITATIONS.

NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED HEREIN, ILLUMIN’S MAXIMUM AGGREGATE LIABILITY TO ADVERTISER OR ITS CONTRACTED CLIENTS FOR ANY CAUSES OF ACTION WHATSOEVER, AND REGARDLESS OF THE FORM OR CAUSE OF ACTION, WILL BE THE GREATER OF (i) TEN PERCENT (10%) OF THE TOTAL CONTRACT VALUE IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO A CLAIM OR CAUSE OF ACTION, OR (ii) TWENTY-FIVE PERCENT OF THE NET REVENUE EARNED BY ILLUMIN UNDER THIS AGREEMENT IN TWELVE (12) MONTH PERIOD PRIOR TO THE EVENT GIVING RISE TO CLAIM OR CAUSE OF ACTION. FOR THE AVOIDANCE OF DOUBT, “NET REVENUE” MEANS THE AMOUNT ACTUALLY RECEIVED BY ILLUMIN PURSUANT TO THIS AGREEMENT, LESS ANY AMOUNTS PAID BY ILLUMIN FOR AD INVENTORY IN CONNECTION WITH SUCH REVENUE.

Article 10

Ownership

Advertiser acknowledges and agrees that all software, technology, know-how, information, data, content, and other property provided, created, developed or licensed by illumin in connection with the Platform (collectively, “Intellectual Property”) is confidential and proprietary to illumin. Advertiser agrees that it shall not, and shall not permit a third party, during the Term of this Agreement or thereafter, directly or indirectly, to: (i) copy, alter, decompile, translate, disassemble, modify, reverse-compile, reverse engineer, redistribute, make any derivative use of, furnish, distribute, rent, sell, lease, lend, sublicense, give or otherwise transfer, permit access to or disclose the Intellectual Property, or any part thereof, or any interest therein, in any form to any other firm, person or entity without the express written consent of illumin; (ii) use the Intellectual Property: (A) for any illegal purpose or in a manner that violates any applicable law or regulation; or (B) in a manner that infringes the rights of any third party, including without limitation, intellectual property, privacy, publicity or contractual rights.
Advertiser acknowledges and agrees that all proprietary rights in the Intellectual Property provided or otherwise utilized in connection with this Agreement are and shall remain the property of illumin and Advertiser shall have no right or interest in the Intellectual Property other than as expressly set forth in this Agreement and that this Agreement shall not be construed as granting Advertiser any right or license, whether by implication, estoppel or otherwise, not expressly set forth in this Agreement. This Agreement does not transfer ownership rights of any description in the Intellectual Property to Advertiser or to any other third party.

Article 11

Publicity and content distribution

Advertiser agrees that part of the consideration being provided to illumin pursuant to this Agreement is the right for illumin to cite Advertiser from time to time on the illumin website, in presentations, speeches, press release and other media as a client of illumin.

Article 12

Confidentiality

As used herein, “Confidential Information” shall mean: (a) either party’s proprietary information; (b) information marked or designated by either party as confidential; (c) suppression lists disclosed between the parties pursuant to this Agreement; (d) information otherwise disclosed by either party in a manner consistent with its confidential nature; (e) the terms and conditions of this Agreement, including pricing information; and (f) either party’s information that is conveyed to the other party, whether or not in written form and whether or not designated as confidential, that is known, or should reasonably be known, by the other party to be treated as confidential. The parties acknowledge that, as a result of the provision of the Services, one party may disclose Confidential Information (“Disclosing Party”) to the other party (“Receiving Party”). Therefore, the Receiving Party agrees that it will make no use (expect solely for purposes of this Agreement) or disclosure of the Disclosing Party’s Confidential Information without obtaining the Disclosing Party’s prior written consent. Additionally, the Receiving Party will restrict disclosure of Confidential Information to its employee(s), authorized agent(s) and/or independent contractors to whom disclosure is reasonably required, and such employee(s), authorized agent(s) and/or independent contractor(s) shall be explicitly bound confidentiality obligations no less restrictive than as set forth herein, and will use reasonable care, but not less care than they use with respect to their own information of like character, to prevent disclosure of any Confidential Information. Nothing contained in this Agreement shall be construed as granting or conferring rights by license or otherwise in, or making any representations or warranties in respect of, any Confidential Information disclosed under this Agreement, and each Party’s reliance on such Confidential Information is at its sole risk and responsibility. This Article 11 shall survive any termination of this Agreement for a period of three (3) years thereafter. The Receiving Party agrees that monetary damages for breach of confidentiality under this Article 11 may not be adequate and that the Disclosing Party shall be further entitled to seek injunctive relief.

Notwithstanding anything contained herein to the contrary, confidentiality provisions shall not apply where the Receiving Party can demonstrate with clear evidence that the information: (a) was previously known to the Receiving Party at the time of disclosure, free of any obligation to keep it confidential; (b) became publicly known through no wrongful act of the Receiving Party; (c) was rightfully received by the Receiving Party from a third party who was not bound under any confidentiality provisions; or (d) was disclosed pursuant to judicial order, requirement of a governmental agency or by operation of law.

Article 13

Indemnification

Advertiser agrees to indemnify, defend and hold harmless illumin, and its parents, subsidiaries, agents, affiliates, employees, directors and officers, from any and all liability, claim, loss, damage, demand or expense (including reasonable attorneys’ fees) asserted by any third party due to, arising from, or in connection with: (i) any Ad supplied or used by Advertiser hereunder; (ii) any act or omission of any Contracted Client, (iii) any breach by Advertiser of the terms of this Agreement including, without limitation, any representation or warranty contained herein; or (iv) the negligence, willful misconduct or fraudulent activities of Advertiser. Notwithstanding the foregoing, the Advertiser shall not be liable for the defense or indemnification of illumin for claims, actions, complaints or suits arising out of the sole active gross negligence or willful misconduct of illumin.

Article 14

Non-solicitation

During the Term of this Agreement and for a period of one (1) year following the termination of this Agreement, Advertiser shall not solicit, seek out or employ, either directly or indirectly (as a consultant, independent contractor or otherwise) any employee or consultant engaged by illumin who is or was associated with the performance of illumin’s obligations pursuant to this Agreement, except without the prior written consent of illumin. Notwithstanding the foregoing, the hiring of employees who respond to a generally advertised job opening shall not be considered a solicitation as contemplated by this clause.

Article 15

Currency

All references in this Agreement to dollars, unless otherwise specifically indicated, are expressed in United States Dollars (USD) if Advertiser’s registered office is in the United States, and in Canadian dollars (CAD) if Advertiser’s registered office is in Canada.

Article 16

Governing law

Subject to Article 17, below, any dispute arising from or related to this Agreement will be governed by the laws of the Province of Ontario without regard to conflict of law principles. The exclusive jurisdiction and venue of any action with respect to the subject matter of this Agreement will be the Courts of the Province of Ontario located in Toronto, Ontario, Canada and each of the parties hereto irrevocably waives any objection to jurisdiction and venue in such courts.

Article 17

Dispute resolution

Any dispute regarding this Agreement, including the validity, existence, binding effect, interpretation, performance, breach or termination, and including tort claims, shall be referred to and finally determined, to the exclusion of the courts, by a single arbitrator. The arbitration shall take place in Toronto, Ontario, in English, and in accordance with the National Arbitration Rules of the National Arbitration Institute of Canada, Inc. In all other respects the arbitration shall be governed by and subject to the Ontario Arbitration Act.

UNLESS OTHERWISE REQUIRED BY LAW, ADVERTISER MUST NOTIFY ILLUMIN WITHIN ONE (1) YEAR OF THE DATE OF THE OCCURRENCE OF THE EVENT OR FACTS GIVING RISE TO A DISPUTE OR ADVERTISER WAIVES THE RIGHT TO PURSUE ANY CLAIM BASED ON SUCH EVENT, FACTS OR DISPUTE.

Article 18

Waiver of class actions

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, ALL PARTIES TO ANY ACTION ARISING OUT OF OR IN CONNECTION WITH THE SERVICES OR THIS AGREEMENT MUST BE INDIVIDUALLY NAMED. ADVERTISER HEREBY WAIVES ANY RIGHT IT MAY HAVE FOR ANY DISPUTE PERTAINING TO THE SERVICES OR THIS AGREEMENT TO BE ARBITRATED OR LITIGATED ON A CLASS ACTION OR CONSOLIDATED BASIS, OR ON BASIS INVOLVING DISPUTES BROUGHT IN A PURPORTED REPRESENTATIVE CAPACITY ON BEHALF OF THE GENERAL PUBLIC.

Article 19

Assignment/Enurement

Advertiser may not assign this Agreement without prior written consent from illumin, which consent shall not be unreasonably withheld or delayed. illumin may assign all or any portion of its duties and obligations hereunder to any affiliate, successor-in-interest and/or acquirer of all or substantially all of illumin’s assets. Subject to the foregoing, the terms of this Agreement will be fully binding upon, inure to the benefit of and be enforceable by, the parties’ respective successors, heirs, executors, administrators and permitted assigns.

Article 20

Servability

Any term or provision of this Agreement that is invalid or unenforceable in any situation or in any jurisdiction shall not affect the validity or enforceability of the remaining terms and provisions hereof or the validity or enforceability of the offending term or provision in any other situation or in any other jurisdiction.

Article 21

Waiver

The failure of illumin to exercise or enforce any right or provision of this Agreement shall not constitute a waiver of such right or provision. If any provision of this Agreement is found to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and be enforceable.

Article 22

Relationship of the parties

The parties to this Agreement are independent contractors and no agency, partnership, joint venture or employer-employee relationship is intended or created hereby. Notwithstanding anything to the contrary outlined herein, if Advertiser is entering into this Agreement on behalf of a third party, such third party shall have not have any rights under this Agreement.

Article 23

Force majeure

Neither illumin nor any of its suppliers shall be liable to Advertiser for any delay in performance or failure to perform caused directly or indirectly by fire, explosion, accident, pandemic or epidemic, flood, labor trouble, weather condition, any regulation, rule or act of any government or governmental agency, or the inability to obtain or shortage of suitable material, components, parts, equipment, machinery, fuel, power, communication facilities or transportation, act of God, armed conflicts, civil commotion or any other cause of like character beyond the reasonable control of illumin or any of its suppliers.

Article 24

Survival

If illumin terminates this Agreement for any reason, all rights and obligations under this Agreement shall cease, save for Advertiser’s obligation to pay all fees property due and owing to illumin hereunder to the date of termination. In addition, the following Article 7– Article 13, Article 15 – Article 18 and such other provisions hereof of thereof which expressly, or by their nature are intended to, survive termination.

Article 25

Entire agreement

This Agreement sets forth the entire understanding and agreement of the parties and supersedes any and all prior oral or written agreements or understandings between the parties as to the subject matter of this Agreement. This Agreement is non-exclusive to illumin and illumin shall have the right to enter into similar agreements with other third parties. The parties hereby represent and warrant that they shall at all times fully comply with all applicable state and federal statutes, rules and regulations with respect to their respective businesses including, without limitation laws governing deceptive trade practices.

Article 26

Notices

Advertiser shall promptly notify illumin in the event it: (i) becomes subject to any bankruptcy or insolvency proceedings; (ii) has a dispute with illumin; or (iii) otherwise is required to provide notice to illumin hereunder. Advertiser shall deliver any and all notices required to be delivered to illumin hereunder by Mail Notification to csm-enterprise@illumin.com. Advertiser hereby acknowledges and agrees that illumin may deliver any notice required to be delivered to Advertiser either by means of posting such notice to illumin’s website located at www.illumin.com (“Web Notification”) by email to the email address of Advertiser indicated in the Order Form (“Email Notification”), or by registered or certified mail, postage prepaid, return receipt requested or by nationally-recognized overnight courier service to the address of Advertiser (“Mail Notification”). Any such notification shall be deemed effective: (i) in the event of Web Notification, on the earlier of the date the Advertiser next visits illumin’s website or thirty (30) days from the date such Web Notification is posted on illumin’s website; (ii) upon transmission when delivered by Email Notification; or (iii) when delivered by Mail Notification.

illumin Data Processing Addendum (DPA)

This illumin Data Processing Addendum (“DPA”) is incorporated by reference into any and all services agreements, media buying agreements, insertion orders and addendums currently in place between Buyer (defined below) and illumin (“Agreement”). This DPA is entered into as of the later of the dates beneath the parties’ signatures below.  By entering into this DPA, Buyer represents and warrants that Buyer has the authority to legally bind both the Buyer and all of Buyer’s personnel, representatives and/or Affiliates operating pursuant to any such Agreement referenced herein.

The parties agree to comply with the following provisions with respect to any Personal Data of one or more Data Subjects located in the European Economic Area Processed in connection with the Agreement. The purposes of the DPA is to ensure such Processing is conducted in accordance with Data Protection Laws, including the GDPR and with due respect for the rights and freedoms of individuals whose Personal Data are processed. References to the Agreement will be construed as including this DPA. To the extent that the terms of this DPA differ from those in the Agreement, the terms of this DPA shall govern.

1. Definitions

  • “illumin Third Party Partner” means any entity, exclusive of any illumin engaged Processors or Sub-processors, engaged by illumin for the Processing of Personal Data.
  • “Affiliates” means any entity which is controlled by, controls, or is in common control with one of the parties.
  • “Buyer Provided Data” means any Personal Data provided by buyer including (as applicable): (a) pseudonymous Personal Data collected via pixels from buyer’s website or other digital properties; and (b) identifiable Personal Data (e.g., emails) of Buyer’s customers that are rendered into pseudonymous Personal Data via one or more illumin Third Party Partner(s).
  • “Buyer Third Party Partner” means any entity engaged by Buyer for the Processing of Personal Data.
  • “Data Protection Laws” means all privacy, data protection and security laws privacy or security law and/or self-regulatory code that are in effect during the Term, and which apply to Personal Data processed pursuant to the Agreement, including: the Privacy and Electronic Communications Directive 2002/58/EC as implemented in the EEA and UK; the Regulation (EU) 2016/679 (General Data Protection Regulation or “GDPR”), the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (“UK GDPR”), California Consumer Privacy Act of 2018 (“CCPA”), California Privacy Rights Act of 2020 (“CPRA”), Connecticut Data Privacy Act (“CTDPA”), Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Canadian Personal Information Protection and Electronic Documents Act, SC 2000, c 5, and Canada’s Anti-Spam Legislation (“CASL”), the Brazilian Law No. 13709/18, as well as Brazilian Law No. 12,965/14, the Argentinian Personal Data Protection Law No. 25,326, together with the Decree No. 1558/2001 and its related regulations, and the Mexican “Ley Federal de Protección de Datos Personales en Posesión de los Particulares” (DOF: 5 de Julio de 2010).
  • “Data Subject” means the individual to whom Personal Data relates.
  • “Effective Date” shall have the meaning ascribed to such term in Section 11.
  • “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  • “Personal Information” or “Personal Data” shall mean: (1) any information relating to an identified or identifiable natural person or household; and (2) any information defined as “personally identifiable information,” “personal information,” “personal data” or similar terms as such terms are defined under Data Protection Laws.
  • “Security Breach” has the meaning set forth in Section 7 of this DPA.
  • “Sub-processor” means any Processor or sub-processor engaged by either party for the Processing of Personal Data.
  • “Supervisory Authority” has the meaning set forth in Article 51 of the GDPR, or analogous regulatory agency or authority under the applicable Data Protection Laws.
  • “Term” means the period from the Effective Date to the date the DPA is terminated in accordance with Section 11.1.
  • The terms “Controller,” “Processor,” “Processed” and “Processing,” have the meanings given to them in Data Protection Laws. If and to the extent that Data Protection Laws do not define such terms, then the definitions given in EU Data Protection Law will apply.

2. Processing of personal data – Arrangement between independent controllers

  • The parties agree that Buyer and illumin are independent Controllers with respect to the processing of Personal Data under this DPA described in Annex 1. With respect to any Buyer Provided Data (as applicable), the parties agree that illumin shall not sell or share such Buyer Provided Data and shall only process such data as instructed by Buyer for the Permitted Purposes (defined below). illumin is not responsible for the availability, accuracy, appropriateness, or legality of Buyer Provided Data or any other information that Buyer may upload to the Services from time to time.
  • Each party will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data covered under this DPA, including but not limited to: (i) providing privacy notices, obtaining Data Subject consent and/or facilitating Data Subject privacy choices where required under Data Protection Laws; (ii) providing the other with party contact details for each party’s Data Protection Officer upon request; (iii) providing reasonable information and assistance to the other party conducting data protection impact assessments as required by Data Protection Laws; (iv) providing reasonable information and assistance to the other party regarding consultations between that party and a Supervisory Authority; and (v) maintaining a record of all Processing activities with respect to Personal Data covered under this DPA as required under Data Protection Laws. Buyer shall, in its use or receipt of the Services, Process Personal Data in accordance with the requirements of the Data Protection Laws. illumin shall, in its provision of the Services, Process Personal Data in accordance with the requirements of the Data Protection Laws. The objective of its Processing of Personal Data by both parties is the performance of the Services pursuant to the Agreement.
  • The parties understand and agree that the Permitted Purposes are: (a) pseudonymizing activating or otherwise activating Buyer Provided Data on the illumin advertising platform for the sole use of Buyer; (b) Purchasing advertising inventory on websites, mobile applications and/or other digital media properties on behalf of Buyer, (c) to leverage additional data via illumin Third-Party Partners and/or Buyer Third-Party Partners in order to target ads, ensure addressability, measure and/or conduct attribution as directed by Buyer; (d) to provide reporting on Buyer’s ad campaigns; and (e) to improve, upgrade, or enhance the Services without using Buyer Provided Data on behalf of other of illumin’s customers.

3. Rights of data subjects

3.1 Each party is separately responsible for honoring Data Subject access requests under Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) and responding to correspondence, inquiries and complaints from Data Subjects. Each party shall provide reasonable and timely assistance to the other party as necessary to help facilitate compliance with this Section 3.1.

4. illumin and buyer personnel

  • 4.1 Both parties shall ensure that their respective personnel engaged in the Processing of Personal Data under this DPA are informed of the confidential nature of the Personal Data as well as any security obligations with respect to such Personal Data.
  • 4.2 illumin will take appropriate steps to ensure compliance with the Security Measures outlined in Annex 2 by its personnel to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data under this DPA have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that any such obligations survive the termination of that individual’s engagement with illumin.
  • 4.3 illumin shall ensure that access to Personal Data covered under this DPA is limited to those personnel who require such access to perform the Services.
  • 4.4 Buyer shall further ensure that access to Personal Data provided by illumin pursuant to this DPA is limited to those personnel who require such access to receive the Services.

5. Sub-processors

5.1 Buyer acknowledges and agrees that illumin may engage third-party Sub-processors in connection with the provision of the Services. illumin acknowledges and agrees that Buyer may engage third-party Sub-processors in connection with the receipt of the Services. Both parties will have a written agreement with each Sub-processor and agrees that any agreement with a Sub-processor will include substantially the same data protection obligations as set out in this DPA.

5.2 A list of Sub-processors will be made available by illumin. illumin may change the list of such other Sub-processors by no less than 10 business days’ notice. If Buyer objects to illumin’ change in such Sub-processors, illumin may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Services that cannot be reasonably provided without the objected-to new Sub-processor by providing 30 days’ written notice to Buyer. Buyer must provide a list of Sub-Processors to illumin at illumin’s written request.

5.3 Both parties shall be liable for the acts and omissions of its Sub-processors to the same extent such party would be liable under the terms of this DPA, except as otherwise set forth in the Agreement.

5.4 Buyer acknowledges and agrees that neither Buyer Third Party Partners nor illumin Third Party Partners are Sub-processors and illumin assumes no responsibility or liability for the acts or omissions of such Buyer Third Party Partners and illumin Third Party Partners

6. Security and audit rights

  • 6.1 illumin shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data it processes under this DPA. illumin will implement and maintain technical and organizational measures to protect such Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Annex 2 (the “Security Measures”). As described in Annex 2, the Security Measures include measures to encrypt Personal Data; to help ensure ongoing confidentiality, integrity, availability and resilience of illumin’ systems and services; to help restore timely access to Personal Data following an incident; and for regular testing of effectiveness. illumin may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
  • 6.2 Both parties will (taking into account the nature of the processing of Personal Data under this DPA) cooperatively and reasonably assist each other in ensuring compliance with any of each other’s respective obligations with respect to the security of Personal Data and Personal Data breaches under this DPA, including (if applicable) any obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) in the case of illumin, implementing and maintaining the Security Measures in accordance with Annex 2; and (b) complying with the terms of Section 7 of this DPA.
  • 6.3 Each Party shall make available to the other Party all information necessary to demonstrate compliance with the DPA and each Party may (or if mandated by a Supervisory Authority, will) allow for an audit by a mutually agreeable firm.  To request an audit, the requestor must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. The auditor must be approved in advance by both parties (such approval may not be unreasonably withheld) and execute a written confidentiality agreement acceptable to both parties before conducting the audit. The audit must be conducted during regular business hours, subject to both companies’ policies, and may not unreasonably interfere with either company’s business activities.  Any such audits are at the expense of the party making the request. Both parties agree to share information regarding any non-compliance discovered during the course of an audit.

7. Security breach management and notification

  • 7.1 If either party becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on the other party’s equipment or facilities under this DPA (“Security Breach”), such party will promptly notify the other party of the Security Breach. Notifications made pursuant to this section will take place within a reasonable time and certainly no longer than three business days after discovery and shall describe, to the extent possible, details of the Security Breach, including steps taken to mitigate the potential risks and any recommended steps that either or both parties should take to address the Security Breach. Each party will promptly investigate the Personal Data Breach if it occurred on its infrastructure or in another area it is responsible for and will assist the other party as reasonably necessary for both parties to meet their obligations under Data Protection Laws.
  • 7.2 Both parties agree that an unsuccessful Security Breach attempt will not be subject to this Section 7. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Personal Data processed pursuant to this DPA or to any of either party’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
  • 7.3 Notification(s) of Security Breaches, if any, will be delivered to one or more of the other party’s business, technical or administrative contacts by any reasonable means, including via email. It is each party’s responsibility to ensure it maintains accurate contact information.
  • 7.4 Any notification of or response to a Security Breach under this Section 7 will not be construed as an acknowledgement by either party of any fault or liability with respect to the Security Breach.
  • 7.5 illumin shall implement reasonable technical and organizational Security Measures to provide a level of security appropriate to the risk in respect to the Personal Data. Buyer shall implement security measures at least as stringent as those outlined in Annex 2. As technical and organizational measures are subject to technological development, either party is entitled to implement alternative measures provided they are at least as protected as those offered by the Security Measures and they do not fall short of the level of data protection set out by Data Protection Law.

8. Return and deletion of personal data

  • 8.1 Both parties will comply with instructions from the other party to delete certain Personal Data as soon as reasonably practicable and within a maximum period of 90 days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.
  • 8.2 On expiry of the Agreement, both parties hereby instruct the other to delete all Personal Data of the other party from their respective systems and discontinue processing of such Personal Data in accordance with Data Protection Law as soon as reasonably practicable and within a maximum period of 90 days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage. This requirement shall not apply to the extent that the Personal Data has been archived on back-up systems so long as such Personal Data is isolated and protected from any further processing except to the extent required by applicable law.

9. Cross-border data transfers

  • 9.1 illumin may, subject to this Section 9, store and process the relevant Personal Data in the European Economic Area (EEA), United Kingdom, Canada and the United States.
  • 9.2 Given that the Services involve the storage and/or Processing of Personal Data which transfers such Personal Data out of the European Economic Area or Switzerland to a jurisdiction that does not have adequate Data Protection Laws, and the Data Protection Laws apply to the transfers of such data (“Transferred Personal Data”), the parties agree that the EU Commission Implementing Decision (EU) 2021/914 and available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (as amended or updated from time to time) (“Standard Contractual Clauses”) will apply and such Standard Contractual Clauses shall be incorporated by reference and form an integral part of this DPA. Purely for the purposes of the descriptions in the Standard Contractual Clauses and only as between Buyer and illumin, the parties agree that: (a) Roles: the parties agree that illumin is a “data importer” and Buyer is the “data exporter” under the Standard Contractual Clauses. (b) Governing Law and Supervisory Authority: The Standard Contractual Clauses shall be governed by the law of the EU Member State in which the data exporter is established and enforced by the Supervisory Authority of such EU Member State; (c) Sub-Processors: the parties select general written authorization for Sub-processors; (d) Redress: The parties elect to omit the optional text; and (e) Annex I, II and III are provided at the end of this DPA as Appendix A and to the extent that there’s a conflict as between the DPA and the Appendix A, the Appendix A shall govern.
  • 9.3  The parties further agree that if Transferred Personal Data includes UK Personal Data, and the Data Protection Laws apply to the transfers of such data, both parties agree that the Standard Contractual Clauses for transfers reflecting the roles of the parties as described in the DPA in the form approved by the UK Information Commissioner’s Office and currently available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf (as amended or updated from time to time) (“UK Standard Contractual Clauses”) shall be incorporated by reference and form an integral part of this DPA. For the purposes of the UK Standard Contractual Clauses, Appendix A of these Terms shall take the place of Annex 1, Annex II and Annex III respectively of the UK Standard Contractual Clauses.
  • 9.4  If the Standard Contractual Clauses or any other model clause transfer agreement are deemed invalid by a governmental entity with jurisdiction over Transferred Personal Data (e.g., the EU Court of Justice) or if such governmental entity imposes additional rules and/or restrictions regarding such Transferred Personal Data, the parties agree to work in good faith to find an alternative and/or modified transfer mechanism.
  • 9.5 To the extent Buyer is the recipient of Transferred Personal Data from illumin as part of the Services, Buyer will provide at least the same level of protection for the information as is available under the Standard Contractual Clauses.

10. Liability

  • 10.1 Both parties agree that their respective liability under this DPA shall be apportioned according to each parties’ respective responsibility for the harm (if any) caused by each respective party.
  • 10.2 Liability Cap Exclusions. Nothing in this Section 10 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).

11. Miscellaneous

  • 11.1 This DPA will take effect on the date it is executed by Buyer and illumin at the bottom of this Agreement (the “Effective Date”) and will remain in effect until, and automatically expire upon, the deletion of all Personal Data by illumin or Buyer through the Services as described in this DPA.
  • 11.2 Nothing in this DPA shall impact Buyer’s intellectual property rights with respect to Personal Data provided by Buyer under the Agreement except to the extent required by applicable law.
  • 11.3 Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.
  • 11.4 This DPA may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute the one Agreement.

Appendix A

Annex 1 Subject matter and details of the processing

Data exporter: The data exporter is the illumin, Inc.
Data importer: The data importer is Buyer
Data subjects: The Personal Data concern the following categories of Data Subjects:

The users of the websites, mobile applications and other digital mediums owned and/or operated by illumin Third-Party Partners and any data received from such Third-Party Partners as described in the Agreement.

Personal Data pertaining to the personnel of both parties.

Categories of data: The Personal Data concern the following categories of data:

Data on user behavior collected through pixels placed on the data importer’s websites, mobile applications and/or digital mediums owned and/or operated by illumin’ Third-Party Partners, including cookie IDs, mobile advertising identifiers and other pseudonymous identifiers of the users of the data importer’s websites, mobile applications and/or digital mediums as outlined in the Agreement.

Data pertaining to the personnel of both parties necessary for the respective parties’ performance of the Agreement including email addresses, telephone numbers, name, title and billing information.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify): None

Processing operations: The Personal Data transferred will be subject to the following processing activities:

The data exporter will access, reproduce, display and store the relevant personal data in order to provide the services as set out in the Agreement.

Annex 2 Description of the technical and organizational security measures implemented by the data exporter in accordance with Clauses 4(d) and 5(c) (or document/legislation)

Description of the technical and organizational security measures implemented by the data exporter

Measures with which Personal Data can be processed while denying physical access to IT systems for unauthorized persons (access control):
All of the data exporter’s third-party data centers have strict policies for authorization of access into the facilities.   Each data center vendor has appropriate policies required by external audits.  All of the data exporter’s internal personnel are vetted prior to allowing access to data centers.

Measures to hinder unauthorized persons from using IT systems and procedures (access control):

All systems level access is based on directory services and role-based security.  Additional measures are in place such as VPN and other security measures prior to system level access being available, as described below.  All end user level access to illumin’ systems is based on role-based security.  Shared accounts are not allowed.

The data exporter undertakes the following actions, among others, to ensure that persons authorized to use the illumin Platform or access data processing infrastructure can only access the data underlying their access authorization and that stored data or data undergoing processing cannot be read, copied, altered, or removed without authorization.

The data exporter’s employees access infrastructure components with unique accounts that require strong passwords.  Remote administration is available only via public key cryptography and password-based authentication is not permitted.  Access groups have been established to restrict access to only to specific areas that are required for employee responsibilities.

Customers of the data exporter may be granted access to the illumin console. Access to the illumin console is limited via a username and a password to the customer’s authorized persons and additionally to equivalently authorized employees of the data exporter.  Logical infrastructure configuration prevents the access of one customer’s data by another customer.

Measures to enable persons authorized to use IT procedures to gain exclusive access to the Personal Data that are subject to their access authorization (access control):

The data exporter employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. The data exporter requires the use of unique user IDs, strong passwords; and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; a need-to-know basis; and must be in accordance with the data exporter’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include password expiry, restrictions on password reuse and sufficient password strength.

In addition, the data exporter has implemented several security related policies that govern the use of illumin technology and data including rules around acceptable use, data classification, information security, and passwords.  The data exporter’s information security officer is Rachel Kapcan.

Measures to ensure that Personal Data cannot be read, copied, amended or removed by unauthorized persons when the data is transmitted electronically, or when it is being transported, or when it is being stored on data carriers, but which allow checks to be made of the destinations targeted when transferring Personal Data using data transmission equipment (routing controls):

Data is encrypted by measures such as SSL.  Personal data shall not be transferred outside the scope as authorized under these Clauses, or as otherwise authorized by the data importer.

Measures that allow retrospective checks to be made on whether Personal Data has been entered into, amended or removed from IT systems, and by whom (input controls):

All data processed in illumin Platform by an end user of the platform (e.g., CL personnel) is done on a permissions-based model, all user accounts are enabled/disabled in accordance with the security policy.  All accounts are individual. Shared accounts are not allowed. Audit Trail is kept for user actions and is logged.

Email and corporate systems access is granted based on directory services and role-based security.

Measures to ensure that Personal Data to be processed on CONTROLLER’s behalf is only processed in accordance with CONTROLLER’s directives (performance controls):

The data importer is a user of the illumin Platform, therefore setting up of data collection mechanisms, collection of data, verifying data integrity sit with the data importer. The personal data shall only be processed in the manner authorized under these Clauses and all sub processors shall only be employed in compliance with the provisions of these Clauses.

Measures to ensure that Personal Data is protected against incidental damage or loss (availability controls):

Data is kept in a storage framework with at least three copies natively made and stored. Additionally, the data exporter replicates data between data centers for disaster recovery with ability to restore if needed, although the data exporter will not replicate lat/long or other data points which might be considered sensitive in the EU.

Measures to ensure that the different purposes for processing data can be identified – especially for PROCESSOR’s different controllers – and that data to be processed is processed separately from each other (separation controls):

illumin stores data in a multi-tenant environment on servers owned by illumin. The Services database and file system architecture are replicated between multiple data centers. illumin logically isolates data on a per end user basis at the application layer. illumin logically separates Customer’s data, including data from different end users, from each other, and data for an authenticated end user will not be displayed to another end user (unless the former end user or administrator allows the data to be shared). A central authentication system is used across all Services to increase uniform security of data.

Measures to ensure availability and resiliency for data and technical operations:

illumin stores data and operates servers in datacenters with robust and redundant power and data storage mechanisms. All deployments are configured with repeatable operating templates, for rapid deployment to a DR region when necessary. All networks are protected by network firewalls, intrusion detection systems, and other industry best practice security measures.

Measures for regular testing, assessment and evaluation:

illumin regularly reviews system activity rated by security threat level by our intrusion detection platform. illumin regularly runs external network scans to ensure operating systems, libraries, and all used software is patched against vulnerabilities. All platform configurations are catalogued within version control and issued via peer-reviewed pull requests to ensure multiple reviewers of each security related change.

Measures for pseudonymization of data:

illumin works with upstream data controllers to ensure no PII enters our system.

Annex III – Sub-processors

A list of Sub-processors will be made available by illumin