Vendor Data Protection Addendum


This Data Protection Addendum (this “DPA”) is made part of that certain Vendor Agreement (collectively with all statements of work, purchase orders or order forms thereunder, if any, the “Agreement”) by and between 3Play Media, Inc. together with its Affiliates, (collectively, “3Play Media”) and Vendor (“Vendor”) (each a “party;” collectively, the “parties”), and applies to the processing or generation of any information relating to any identified or identifiable natural person, device or household (including personal data (as defined in the European Data Protection Laws), personal information (as defined in the CCPA (as defined in Section 12), and personal data (as defined in the State Data Protection Laws)), collectively “Personal Data”) by Vendor on behalf of 3Play Media, including, without limitation: (a) Personal Data that is regulated by the GDPR or the laws of the European Economic Area (the “EEA”) countries that have formally adopted the GDPR (collectively, “EU Personal Data”); (b) Personal Data regulated by the UK Data Protection Laws (“UK Personal Data” and, collectively with EU Personal Data, “European Personal Data”); (c) California Personal Data (as defined below); and (d) State Laws Data as defined in the Other States Data Exhibit.

As between the parties, with regard to European Personal Data, (i) 3Play Media is a Controller and Vendor, a Processor for 3Play Media; or (ii) 3Play Media is a Processor with regard to European Personal Data and Vendor a Subprocessor (as defined below) to 3Play Media with regard to such European Personal Data. The obligations contained in this DPA are in addition to the other obligations contained in the Agreement, and in the event of a conflict between this DPA and any other terms in the Agreement, the terms of this DPA will govern. For the avoidance of doubt, to the extent that the Agreement excludes any types of information from confidentiality obligations, those exclusions shall not apply to Personal Data. All Personal Data, regardless of means obtained, shall be treated in accordance with the confidentiality obligations of the Agreement and as set forth herein. Vendor guarantees the prompt and satisfactory performance of its obligations and responsibilities under this DPA by Vendor, and Vendor agrees that it shall be responsible for all costs associated with its compliance with such obligations. Vendor is responsible and liable for its acts and omissions under this DPA. By entering into this DPA, the parties are deemed to have signed all Exhibits, Annexes, Schedules, and Appendices, including those incorporated by reference, to this DPA where applicable.

“Affiliates” means any corporation, partnership, or other entity now existing or hereafter organized that directly or indirectly controls, is controlled by, or under common control with a party. For purposes of this definition, “control” means the direct possession of a majority of the outstanding voting securities of an entity. As of the DPA Effective Date, 3Play Media, Inc.’s Affiliates include 3Play Media Canada, Inc. and Captionmax, LLC. “Controller,” “Processor,” “Supervisory Authority,” and “data subject” have the meanings given in the relevant Data Protection Requirements (as defined below). “GDPR” means the General Data Protection Regulation (EU) 2016/679. “UK Data Protection Laws” means UK GDPR and the UK’s Data Protection Act 2018 (“UK DPA 2018”). “UK GDPR” means the UK equivalent of the GDPR, as defined in section 3(10) (and as supplemented by section 205(4)) of the UK DPA 2018. “UK” means the United Kingdom. “European Data Protection Laws” means, collectively, the GDPR and the UK Data Protection Laws, as applicable. “Member State” means a country that is a member of the European Union or the European Economic Area. “Subprocessor” means any person or entity that processes Personal Data on behalf of any other person or entity when such other person or entity is processing such Personal Data on behalf of another person or entity, including without limitation in such other person’s or entity’s capacity as a Processor or service provider (as defined in Section 12) or contractor (as defined in Section 12).
As used in this DPA, “processing” (including any grammatically inflected forms thereof) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, including without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion, erasure or destruction. Capitalized terms used but not defined herein shall have the meanings ascribed to them in the Agreement, and “on behalf of 3Play Media” means on behalf of (i) 3Play Media, (ii) any of 3Play Media’s clients, and/or (iii) any other third party for whom 3Play Media processes Personal Data.

  1. Nature of Data Processing. The subject matter and purposes of the data processing, the types of Personal Data, categories of data subjects, nature of the processing, and 3Play Media’s data processing instructions for Vendor, will be described in Schedule I to this DPA and as otherwise provided in writing by 3Play Media to Vendor from time to time. If Vendor is ever unsure as to the parameters of the instructions issued by 3Play Media, it will, as soon as reasonably practicable, revert to 3Play Media for the purpose of seeking clarification or further instructions. The duration of the processing under this DPA shall be the Term (as defined below).
  2. Compliance with Laws. Vendor shall comply with its obligations under all applicable laws, regulations, and other legal requirements relating to (i) privacy, data protection, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data (including without limitation (a) the CCPA (as defined in Section 12), (b) the European Data Protection Laws, (c) State Data Protection Laws as defined in the Other States Data Exhibit, and (d) 201 Code of Mass. Regs. 17.00 et seq.), each as may be amended from time to time (collectively, “Privacy Laws”). More specifically, and without limiting the generality of the foregoing, with regard to EU Personal Data, Vendor will comply with its obligations under the European Data Protection Laws, any national legislation or subordinate legislation in relation to the European Data Protection Laws and all relevant guidance and codes of practice concerning the European Data Protection Laws which may apply (collectively, with Privacy Laws, the “Data Protection Requirements”). To the extent legally required, Vendor covenants that it shall (a) at all times maintain its registration with the relevant Supervisory Authority under the applicable Data Protection Requirements, (b) provide all necessary information to the relevant Supervisory Authority and (c) pay to the relevant Supervisory Authority all applicable fees and charges (if any), in each case as appropriate to its processing of EU Personal Data.
  3. Obligations of 3Play Media. 3Play Media shall provide documented instructions to Vendor and shall determine the purposes and general means of Vendor’s processing of Personal Data on behalf of 3Play Media under the Agreement.
  4. Obligations of the Processor.
    1. Vendor, in connection with its processing of Personal Data under this DPA, shall:
      1. Process Personal Data solely for the purposes described in the Agreement and in compliance with the documented instructions received from 3Play Media and the Agreement, and will not use or process the Personal Data for any other purpose. If Vendor cannot comply with these requirements, it will immediately inform 3Play Media, and 3Play Media is entitled to immediately terminate the Agreement or to take any other reasonable action, including the suspension of data processing operations;
      2. Inform 3Play Media immediately if, in Vendor’s opinion, an instruction from 3Play Media is in breach of applicable Data Protection Requirements;
      3. If Vendor is collecting Personal Data from individuals on behalf of 3Play Media, follow 3Play Media’s instructions with regard to such Personal Data collection (including but not restricted to the provision of the requisite information to be provided to data subjects under the Data Protection Requirements and the exercise of choice);
      4. Comply with Article 32 of the GDPR (and/or the equivalent provision(s) under the UK Data Protection Laws) and ensure appropriate organizational and technical measures are in place to safeguard against any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and shall provide, in a timely manner, written assurance in respect of such measures as may be reasonably required by 3Play Media;
      5. Ensure that: (i) persons employed by Vendor and (ii) other persons engaged to perform on Vendor’s behalf, in each case, shall comply with the terms of the Agreement;
      6. Encrypt in transit and at rest all Personal Data which is processed by Vendor to the extent required under the Data Protection Requirements;
      7. To the extent that 3Play Media will transmit to Vendor Personal Data in connection with provision of Services to 3Play Media, make available to 3Play Media a secure and encrypted means for 3Play Media to transmit such Personal Data to Vendor;
      8. Ensure that its employees, authorized agents, and each of Vendor’s Subprocessors are legally required in writing to comply with and acknowledge and respect the confidentiality of the Personal Data, including after the end of their employment, contract, or their assignment;
      9. If it intends to engage one or more Subprocessors to help it to satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Subprocessors, (i) obtain the prior written consent of 3Play Media in each instance to such subcontracting; (ii) remain responsible, and liable, to 3Play Media for Vendor’s Subprocessors’ acts and omissions, including but not restricted to the Data Protection Requirements and the obligations of Vendor under this DPA; and (iii) enter into contractual arrangements with such approved Subprocessors requiring them to guarantee the same level of data protection compliance and information security to that provided for herein or that is otherwise required by Data Protection Requirements, including without limitation ensuring that there is a valid data transfer mechanism to the extent required by Data Protection Requirements;
      10. Have a business continuity plan in the event Vendor ceases operations;
      11. Provide 3Play Media with its privacy and security policies;
      12. Inform 3Play Media if an independent security review has been or will be conducted; and
      13. Keep adequate records of the Personal Data it processes as required by the Data Protection Requirements (including but not restricted to as required under Article 30 of the GDPR (and/or the equivalent provision(s) under the UK Data Protection Laws)).
    2. Vendor shall inform 3Play Media without delay if Vendor becomes aware of:
      1. Any actual or suspected non-compliance by Vendor, or persons employed or engaged by Vendor, with this DPA or the Data Protection Requirements;
      2. Any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities;
      3. Any notice, inquiry, or investigation by a Supervisory Authority with respect to Personal Data; or
      4. Any complaint or request (in particular, requests for access to, rectification, or restriction of Personal Data) received directly from data subjects. Vendor shall not respond to any such request without 3Play Media’s prior written authorization.
    3. Vendor further agrees to notify 3Play Media without undue delay (and in any event within 24 hours) of any Incident (as defined below) of which Vendor, Vendor’s Subprocessors and/or any other third parties acting on Vendor’s behalf become aware. “Incident” means:
      1. A complaint or a request with respect to the exercise of a data subject’s rights in accordance with Data Protection Requirements;
      2. An investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;
      3. Any actual or suspected unauthorized or accidental access, processing, deletion, loss, destruction, alteration, disclosure, or any form of unlawful processing of the Personal Data;
      4. Any breach of the security obligations as set out or referred to in this DPA leading to the accidental or unlawful destruction, loss, alteration, deletion, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place; or
      5. Where, in the reasonable opinion of Vendor, implementing an instruction received from 3Play Media would breach applicable laws to which 3Play Media or Vendor is subject.
    4. Vendor shall assist 3Play Media without delay regarding:
      1. Any requests from data subjects in respect of access to or the rectification, erasure, restriction, portability, blocking, or deletion of Personal Data. In the event that a data subject sends such a request directly to Vendor, Vendor will notify 3Play Media without delay;
      2. The investigation of any Incident and the notification to the relevant Supervisory Authority and data subjects in respect of the same, or any other legal obligations relating to such Incident;
      3. The preparation of data protection impact assessments and, where applicable, carrying out consultations with any Supervisory Authority; and
      4. Ensuring 3Play Media’s compliance with 3Play Media’s obligations under the Data Protection Requirements, including the obligations set forth in Articles 32 through 36 of the GDPR (and/or the equivalent provision(s) under the UK Data Protection Laws).
    5. If Vendor is required by European Union or European Union Member State law and/or UK law to process any Personal Data, Vendor shall inform 3Play Media of this requirement in advance of any processing, unless Vendor is prohibited by that law from informing 3Play Media of such processing on important grounds of public interest.
  5. Improvements to Security. The parties acknowledge that Data Protection Requirements and other applicable laws are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security or other measures. Vendor will therefore evaluate the measures as implemented in accordance with the terms of this DPA on an ongoing basis and will tighten, supplement, and improve these measures in order to maintain compliance with the requirements set out herein. The cost, if any, to implement material changes required by updated Data Protection Requirements set forth in applicable data protection law or by data protection authorities of competent jurisdiction or other changes to applicable law shall be borne by Vendor. If an amendment to the Agreement or this DPA is necessary in order to improve security or other measures as may be required by this Section 5 or by changes in Data Protection Requirements or other applicable law from time to time, the parties shall negotiate an amendment to the Agreement in good faith.
  6. Audit; Certification. If the relevant data protection Supervisory Authority is required by law or regulation to audit the data processing facilities from which Vendor processes Personal Data in order to ascertain and/or monitor compliance with Data Protection Requirements, then Vendor will cooperate with the audit. Vendor shall ensure that an officer of Vendor certifies compliance with this DPA in writing at least once every calendar year. In addition to the foregoing, Vendor shall: (i) upon request by 3Play Media, provide all information necessary to demonstrate compliance with the obligations laid down in the Data Protection Requirements and this DPA; and (ii) make its data processing facilities used for activities falling within the scope of this DPA available for audit and inspection by 3Play Media or an auditor approved by 3Play Media, upon 3Play Media’s reasonable request.
  7. Data Transfers.
    1. To the extent Vendor processes EU Personal Data, and to the extent 3Play Media is a Controller and Vendor is a Processor on behalf of 3Play Media with regard to such EU Personal Data, then, to the extent required by the GDPR, Module 2 of the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Controller to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by or on behalf of 3Play Media to Vendor and to Vendor’s processing of such EU Personal Data and the parties hereby agree to comply with such Controller to Processor Standard Contractual Clauses, which are hereby incorporated into this DPA in their entirety, as set forth in Schedule II. In the event of a conflict between (a) the Agreement and/or this DPA and (b) the Controller to Processor Standard Contractual Clauses, the Controller to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
    2. To the extent Vendor processes EU Personal Data, and to the extent 3Play Media is a Processor on behalf of a third party with respect to EU Personal Data and Vendor is a Processor on behalf of 3Play Media with regard to such EU Personal Data, then to the extent required by the GDPR, the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Processor to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by 3Play Media to Vendor and to Vendor’s processing of such EU Personal Data and the parties hereby agree to comply with such Processor to Processor Standard Contractual Clauses, which are hereby incorporated into this DPA in their entirety, as set forth in Schedule III. In the event of a conflict between (a) the Agreement and/or this DPA and (b) the Processor to Processor Standard Contractual Clauses, the Processor to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
    3. To the extent Vendor processes UK Personal Data, then to the extent required by the UK Data Protection Laws, the UK’s ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses’ Version B1.0, in force from March 21, 2022, available at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf (the “UK DTA”) will apply to the transfer of such UK Personal Data by 3Play Media to Vendor and to Vendor’s processing of such UK Personal Data and the parties hereby agree to comply with such UK DTA, which is hereby incorporated into the Agreement in its entirety and as set forth in Schedule IV. In the event of a conflict between (a) the Agreement and/or this DPA and (b) the UK DTA, the UK DTA will control to the extent applicable to the UK Personal Data.
    4. The Other States Data Exhibit (attached hereto as Schedule V, the “Other States Data Exhibit”) will apply to Vendor’s processing of State Laws Data (as defined in the Other States Data Exhibit), and Vendor hereby agrees to comply with such Other States Data Exhibit, which is hereby incorporated into this DPA in its entirety. In the event of a conflict between (a) the Agreement and/or this DPA, and (b) the Other States Data Exhibit, the Other States Data Exhibit will control to the extent applicable to the State Laws Data.
  8. Special Data Protection Procedures. 3Play Media may, from time to time, provide Vendor with reasonable written guidelines, rules, and/or procedures for accessing, using, storing, and handling certain or all 3Play Media data, equipment, systems, or facilities (“Special Privacy and Data Protection Procedures”). Vendor will comply with all applicable Special Privacy and Data Protection Procedures when accessing 3Play Media data, equipment, systems, or facilities. Vendor will make Special Privacy and Data Protection Procedures available to all relevant Vendor personnel and each of Vendor’s Subprocessors and will provide an appropriate level of supervision and training to relevant Vendor personnel on the procedures required by the Special Privacy and Data Protection Procedures.
  9. Term. This DPA shall remain in effect as long as Vendor carries out Personal Data processing on behalf of 3Play Media or until the termination of the Agreement and all Personal Data has been returned or deleted in accordance with Section 10 below (the “Term”).
  10. Data Return and Deletion. Retrieval of Company Data will be subject to Service Provider’s system access procedures and document retention policies (unless prohibited by applicable law); Company Data will be subject to destruction in accordance with such procedures and policies; and unless otherwise set forth in the Agreement, Company hereby directs Service Provider to destroy such Company Data in accordance with such procedures and policies.
  11. Indemnification. Vendor agrees to indemnify, defend, hold harmless and keep indemnified 3Play Media, its officers, directors, employees, and contractors against all claims, actions, proceedings (including enforcement proceedings), liability, loss, fines, costs, damages, investigations and expenses (including attorneys’ fees) arising directly or indirectly out of (i) Vendor’s breach of this DPA or applicable Data Protection Requirements; (ii) any Incident; or (iii) the processing, unlawful processing, unauthorized disclosure or accidental loss of any Personal Data processed by Vendor, its employees, Subprocessors, subcontractors or agents in Vendor’s performance of the Agreement or as otherwise agreed between the parties.
  12. California Personal Data Provisions. This Section 12 shall apply in addition to, not in place of, any other requirements in this DPA.
    1. In this Section 12:
      1. “CCPA” means the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020, together with any regulations promulgated thereunder (to the extent applicable, collectively, the “CCPA”).
      2. “California Personal Data” means any personal information that is processed by Vendor on behalf of 3Play Media and/or that is made available to Vendor for a business purpose pursuant to the Agreement.
      3. The following terms have the meanings given in the CCPA: “business purpose”, “contractor,” “person,” “personal information,” “service provider,” “share,” “sharing,” “shared,” “sell,” “selling,” “sale,” and “sold.”
    2. Vendor shall:
      1. Not sell or share California Personal Data;
      2. Not retain, use, or disclose California Personal Data for any purpose other than for the business purposes specified in this DPA and/or the Agreement for 3Play Media, nor retain, use, or disclose California Personal Data for a commercial purpose other than the business purposes specified in this DPA and/or the Agreement, except as otherwise expressly permitted by the CCPA;
      3. Not retain, use, or disclose California Personal Data outside of the direct business relationship between the parties;
      4. Not combine California Personal Data, which Vendor receives pursuant to the Agreement or from or on behalf of 3Play Media, with personal information which it receives from or on behalf of another person or persons, or collects from its own interaction with the individual to whom such California Personal Data relates, except as otherwise expressly permitted by the CCPA;
      5. Cooperate with 3Play Media in responding to any requests from any individual regarding California Personal Data relating to such individual, including: (i) at the direction of 3Play Media, deleting, correcting, or limiting the use of such California Personal Data; and (ii) instructing Vendor’s service providers and/or contractors (if any) to so cooperate in such response;
      6. Assist 3Play Media through appropriate technical and organizational measures in complying with the requirements of subdivisions (d) to (f), inclusive, of Section 1798.100 of the CCPA, taking into account the nature of the processing;
      7. Implement and maintain security procedures and practices appropriate to the nature of the California Personal Data to protect such California Personal Data from unauthorized access, destruction, use, modification, or disclosure;
      8. Comply with all applicable laws, including, without limitation, all applicable obligations under the CCPA and provide the same level of privacy protection with respect to California Personal Data as required by the CCPA; and
      9. Notify 3Play Media if Vendor determines it can no longer meet its obligations under the CCPA.

Vendor certifies that Vendor understands the restrictions provided in this Section 12, including, without limitation, in Sections 12.2(A), 12.2(B), 12.2(C), and 12.2(D), and will comply with them.

  1. Vendor acknowledges and agrees that the California Personal Data has been disclosed to it for the limited and specified purposes set forth in the Agreement and Vendor further acknowledges and agrees 3Play Media shall have the right: (i) to take reasonable and appropriate steps to ensure that Vendor uses California Personal Data in a manner consistent with 3Play Media’s obligations under the CCPA; and (ii) upon notice from 3Play Media to Vendor, to take reasonable and appropriate steps to stop and remediate unauthorized use of California Personal Data.
  2. Vendor shall permit 3Play Media to monitor Vendor’s compliance with this DPA through measures, including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months.
  3. Vendor shall not engage its own service providers and/or contractors in the processing of California Personal Data without the prior written consent of 3Play Media. In the event Vendor obtains such prior written consent, Vendor shall enter into contractual arrangements with such service providers and/or contractors requiring the same level of data protection compliance and information security as that provided in the Agreement and this DPA with respect to California Personal Data. Vendor shall remain responsible and liable to 3Play Media for the acts and omissions of such service providers.
  4. For the avoidance of doubt, if Vendor engages any other person to assist Vendor in processing California Personal Data for a business purpose on behalf of 3Play Media, or if any other person engaged by Vendor engages another person to assist in processing California Personal Data for such business purpose, Vendor shall notify 3Play Media of such engagement, and the engagement shall be pursuant to a written contract binding the other person to observe the same requirements to those set forth in the Agreement and this DPA, including without limitation this Section 12.
  5. Construction. In this DPA, unless a clear contrary intention appears: (a) where not inconsistent with the context, words used in the present tense include the future tense and vice versa and words in the plural number include the singular number and vice versa; (b) reference to any person includes such person’s successors and assigns but, if applicable, only if such successors and assigns are not prohibited by the Agreement; (c) reference to any gender includes each other gender; (d) reference to any agreement, document or instrument means such agreement, document or instrument as amended or modified and in effect from time to time in accordance with the terms thereof and includes all addenda, exhibits and schedules thereto; (e) the titles and subtitles used in this DPA are used for convenience only and are not to be considered in construing or interpreting this DPA; (f) “hereunder,” “hereof,” “hereto,” and words of similar import shall be deemed references to this DPA as a whole and not to any particular Section or Subsection of this DPA; and (g) “including” (and with correlative meaning, “include”) means including without limiting the generality of any description preceding such term. Vendor’s liability under this DPA shall not be subject to any limitations of Vendor’s liability, nor shall Vendor be excused from the performance of any obligations under this DPA pursuant to any force majeure provision, each as set forth in the Agreement. If any provision in this DPA is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith.

Exhibit A
Data Protection Schedule
Data and Reasons for Processing

  1. Type of Personal Data:
    1. Representatives of 3Play Media:
      1. Name, postal address, email address, and, if applicable, confirmation of authentication from Facebook.
    2. Individuals whose data is contained in videos, media, audio lines, video feed, content, files, data, and other materials (“Source Materials”) made available to Vendor:
      1. Any Personal Data provided to Vendor by 3Play Media and its representatives, on behalf of 3Play Media and/or its customers and any other third party for whom 3Play Media submits materials for use in connection with the Services, including data contained in videos, content, files, data, and other materials.
  2. Categories of Data Subject:
    1. Representatives of 3Play Media.
    2. Individuals whose data is contained in Source Materials.
  3. Subject Matter and Purposes of Personal Data Processing:
    Vendor’s provision of Services to 3Play Media in accordance with the Agreement.
  4. Nature of the Processing:
    The Personal Data will be subject to basic processing, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing Services by Vendor to 3Play Media.
  5. Sensitive Personal Data:
    Any sensitive data included in videos, content, files, data and other materials provided by 3Play Media and/or its representatives, including, but not limited to: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions or offenses.

Exhibit B
Controller to Processor Standard Contractual Clauses

For the purposes of the Controller to Processor Standard Contractual Clauses:

  1. Clause 7. The parties agree that the optional language in Clause 7 is included.
  2. Clause 9(a). The parties agree that under Option 1, Vendor may subcontract its processing activities only with 3Play Media’s prior specific written authorization. Vendor will submit all authorization requests at least 45 days prior to engaging with any sub-processor. Sub-processors authorized by 3Play Media are listed in Section (a)(11)(i), and 3Play Media hereby provides prior written authorization to such sub-processors.
  3. Clause 11. The parties agree that the optional language in Clause 11 is excluded.
  4. Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
  5. Clause 17. The Controller to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
  6. Clause 18. The parties agree that any dispute arising from the Controller to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
  7. Annex I.A.
    1. The name and address of 3Play Media (which is the data exporter) and Vendor (which is the data importer), and the name and contact details of their respective contact persons are as set forth in the Agreement.
    2. The activities relevant to the data transferred are Vendor’s provision of Services to 3Play Media in accordance with the Agreement.
    3. The signature and date are the signature and date set forth on the signature page to the Agreement.
    4. The roles of the parties are as follows: 3Play Media is a controller, and Vendor is a processor.
  8. Annex I.B.
    1. For the categories of data subjects, Section 2 of Schedule I is incorporated herein by reference.
    2. For the categories of personal data transferred, Section 1 of Schedule I is incorporated herein by reference.
    3. For the categories of sensitive data transferred, Section 5 of Schedule I is incorporated herein by reference.
    4. The frequency of the transfer shall be on a continuous basis.
    5. For the nature of processing, Section 4 of Schedule I is incorporated herein by reference.
    6. For the purpose of the data transfer and further processing, Section 3 of Schedule I is incorporated herein by reference.
    7. The duration of the processing under these Controller to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Controller to Processor Standard Contractual Clauses).
    8. Personal data will be transferred to sub-processors to the extent authorized in Section (a)(11)(i) below. The subject matter, nature, and duration of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing Services to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
  9. Annex I.C. The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
  10. Annex II.
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data importer has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as follows:
      1. Pseudonymization. Pseudonymization is a technical and organizational measure that can be implemented by Service Provider as follows:
        1. Encryption of additional information for identification; and
        2. Management and documentation of differentiated authorizations concerning additional information for identification.
      2. Measures for encryption.
        1. Encryption of laptops;
        2. Encryption of files;
        3. Encryption of systems/plants;
        4. Encrypted storage of passwords;
        5. Secured data sharing (e.g., SSL, FTPS, TLS); and
        6. Secured WLAN.
      3. Measures to ensure confidentiality.
        1. Measures that ensure that unauthorized persons do not have access:
          1. Access control system, document reader (magnetic/chip card);
          2. Door protections (electric door opener, number lock, etc.);
          3. Safety doors/windows;
          4. Key management/documentation of key assignment;
          5. Protection of facilities, guards;
          6. Alarm system;
          7. Video surveillance;
          8. Special protective measures for the server room;
          9. Special protective measures for storage of back-ups and/or other data carriers;
          10. Employee and authorization documents; and
          11. Prohibited areas.
        2. Measures that prevent unauthorized persons from using the processing systems:
          1. Personal and individual user log-in for registration in the systems or the company network;
          2. Authorization process for access authorizations;
          3. Limitation of authorized users;
          4. Single sign-on;
          5. Two-factor authentication;
          6. Logging of access;
          7. Additional system log-in for certain applications; and
          8. Firewall.
        3. Measures which ensure that only authorized persons have access to the processing systems and that personal data cannot be read, copied, modified, or removed without authorization:
          1. Management and documentation of differentiated authorizations;
          2. Profiles/roles; and
          3. Segregation of functions/duties.
        4. Measures that ensure that data collected for different purposes can be processed separately:
          1. Access authorizations by functional responsibility;
          2. Separate data processing by differentiating access rules; and
          3. Separation of development and production environments.
      4. Measures to ensure integrity.
        1. Access rights;
        2. System-side logging;
        3. Security/logging software; and
        4. Functional responsibilities, organizationally specified responsibilities.
      5. Measures to ensure and restore availability.
        1. Security concept for software and IT applications;
        2. Back-up procedures;
        3. Ensuring data storage in secured network;
        4. Need-based installation of security updates;
        5. Set-up of an uninterrupted power supply;
        6. Fire extinguisher protection for the server room;
        7. Fire extinguisher protection for the archiving facilities;
        8. Air-conditioned server room;
        9. Virus protection;
        10. Firewall;
        11. Emergency plan;
        12. Successful emergency exercises; and
        13. Redundant, locally separated data storage (off-site storage).
      6. Measures to ensure resilience.
        1. Emergency plan in case of machine breakdown/business recovery plan;
        2. Redundant power supply;
        3. Sufficient capacity of IT systems and plants;
        4. Redundant systems/plants; and
        5. Resilience and error management.
      7. Procedure for regular review, assessment, and evaluation of the effectiveness of the technical and organizational measures.
        1. Procedures for regular controls/audits;
        2. Concept for regular review, assessment, and evaluation;
        3. Reporting system;
        4. Penetration tests; and
        5. Emergency tests.
      8. Control of instructions/assignment control.
        1. Process of issuing and/or following instructions;
        2. Control/examination that the assignment is executed in accordance with instructions;
        3. Commitment of employees to maintain confidentiality;
        4. Data protection manager/coordinator;
        5. Keeping records of processing activities as required by art. 30, para. 2 GDPR;
        6. Documentation and escalation process for personal data breaches;
        7. Guidelines/instructions that guarantee technical-organizational measures for the security of the processing; and
        8. Process for forwarding requests of data subjects.
    2. Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the DPA.
  11. Annex III.
    1. The controller has authorized the use of the sub-processors set forth below. [To be provided]

Exhibit C
Processor to Processor Standard Contractual Clauses

For the purposes of the Processor to Processor Standard Contractual Clauses:

  1. Clause 7. The parties agree that the optional language in Clause 7 is included.
  2. Clause 9(a). The parties agree that under Option 1, Vendor may subcontract its processing activities only with 3Play Media’s prior specific written authorization. Vendor will submit all authorization requests at least 45 days prior to engaging with any sub-processor. Sub-processors authorized by 3Play Media are listed in Section (a)(11)(i), and 3Play Media hereby provides prior written authorization to such sub-processors.
  3. Clause 11. The parties agree that the optional language in Clause 11 is excluded.
  4. Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a), such that the appropriate provision will apply as applicable.
  5. Clause 17. The Processor to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
  6. Clause 18. The parties agree that any dispute arising from the Processor to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
  7. Annex I.A.
    1. The name and address of 3Play Media (which is the data exporter) and Vendor (which is the data importer), and the name and contact details of their respective contact persons are as set forth in the Agreement.
    2. The activities relevant to the data transferred are Vendor’s provision of Services to 3Play Media in accordance with the Agreement.
    3. The signature and date are the signature and date set forth on the signature page to the Agreement.
    4. The roles of the parties are as follows: 3Play Media is a processor, and Vendor is a processor.
  8. Annex I.B.
    1. For the categories of data subjects, Section 2 of Schedule I is incorporated herein by reference.
    2. For the categories of personal data transferred, Section 1 of Schedule I is incorporated herein by reference.
    3. For the categories of sensitive data transferred, Section 5 of Schedule I is incorporated herein by reference.
    4. The frequency of the transfer shall be on a continuous basis.
    5. For the nature of processing, Section 4 of Schedule I is incorporated herein by reference.
    6. For the purpose of the data transfer and further processing, Section 3 of Schedule I is incorporated herein by reference.
    7. The duration of the processing under these Processor to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Processor to Processor Standard Contractual Clauses).
    8. Personal data will be transferred to sub-processors to the extent authorized in Section (a)(11)(i) below. The subject matter, nature, and duration of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing Services to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
  9. Annex I.C. The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
  10. Annex II. Section 10 of Exhibit A is incorporated herein by reference.
  11. Annex III. Section 11 of Exhibit A is incorporated herein by reference.

Exhibit D
UK DTA

For the purposes of the UK DTA:

  1. Date, and the names of the parties, their roles and their details shall be as set out in Schedule II Section (a)(7) and Schedule III Section (a)(7), respectively;
  2. For the purposes of Tables 2 and 3 of the UK DTA, the Controller to Processor Standard Contractual Clauses and the Processor to Processor Standard Contractual Clauses, including the information set out in Schedule II Section (a)(8), (10), and (11)(i) and Schedule III Section (a)(8), (10), and (11)(i), respectively, shall apply; and
  3. For the purposes of Table 4 of the UK DTA, either party may end the UK DTA.

Exhibit E
Other States Data Exhibit

This Other States Data Exhibit forms part of the DPA. Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the DPA or the Agreement (as applicable).

  1. Definitions.
    1. “State Data Protection Laws” means (in each case to the extent effective and applicable and together with any regulations promulgated thereunder): (i) the Colorado Privacy Act; (ii) the Connecticut Act Concerning Personal Data Privacy and Online Monitoring; (iii) the Utah Consumer Privacy Act; (iv) the Virginia Consumer Data Protection Act; (v) the Delaware Personal Data Privacy Act; (vi) the Indiana Consumer Data Protection Act; (vii) the Iowa Consumer Data Protection Act; (viii) the Montana Consumer Data Privacy Act; (ix) the Oregon Consumer Privacy Act; (x) the Tennessee Information Protection Act; (xi) the Texas Data Privacy and Security Act; (xii) New Jersey SB 332; (xiii) New Hampshire SB 255; (xiv) the Nebraska Data Privacy Act; (xv) the Kentucky Consumer Data Protection Act; (xvi) the Maryland Online Data Privacy Act; (xvii) the Minnesota Consumer Data Privacy Act; (xviii) the Rhode Island Data Transparency and Privacy Protection Act; and/or (xix) other U.S. state laws that are substantially similar to items (i) through (xviii) that may become effective from time to time.
    2. “State Laws Data” means any Personal Data regulated by any State Data Protection Laws that Vendor may receive, store, maintain, process, or otherwise have access to as a result of or in connection with providing Services to 3Play Media.
  2. Instructions. 3Play Media hereby instructs Vendor to process State Laws Data to the extent necessary to provide Services to 3Play Media.
  3. Nature of the Processing; Purpose of the Processing. The nature of the processing of State Laws Data is such that the State Laws Data will be subject to basic processing, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, analysis, deletion, modification, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, including the actions of a person directing a third party to process data on behalf of such person for the purpose of providing Services by Vendor to 3Play Media in accordance with the terms of the Agreement. The purpose of the processing of State Laws Data hereunder is the provision of Services by Vendor to 3Play Media.
  4. Types of State Laws Data. The types of State Laws Data subject to processing hereunder are as set out in Section 1 of Schedule I.
  5. Duration of Processing. The duration of the State Laws Data processing shall continue as long as Vendor carries out State Laws Data processing operations on behalf of 3Play Media or until the termination of the Agreement (and all State Laws Data has been returned or deleted).
  6. Rights, Duties, and Obligations. Except as otherwise required by applicable law, Vendor shall:
    1. Ensure that each person processing State Laws Data on behalf of Vendor is subject to a duty of confidentiality with respect to such State Laws Data;
    2. At 3Play Media’s choice and direction, delete or return all State Laws Data to 3Play Media as requested at the end of the provision of Services, unless retention of such State Laws Data is required by applicable law;
    3. Make available to 3Play Media all information necessary to demonstrate Vendor’s compliance with the obligations in the State Data Protection Laws with respect to State Laws Data;
    4. Taking into account the context of processing, implement appropriate technical and organizational measures designed to ensure a level of security with respect to the State Laws Data appropriate to the risk in accordance with the Agreement and this DPA;
    5. Allow for, contribute to, and cooperate with audits, inspections, and/or assessments (each a “State Audit”) by 3Play Media or 3Play Media’s designated third-party representative (each, a “State Auditor”), provided that, to the extent permitted by State Data Protection Laws, as an alternative, Vendor may arrange for a qualified and independent auditor or assessor to conduct (at least annually or at more frequent intervals if required by applicable law) a State Audit of Vendor’s policies and technical and organizational measures in support of the obligations under the State Data Protection Laws using an appropriate and accepted control standard or framework and State Audit procedure for each State Audit as applicable and Vendor shall provide a report of such State Audit (and the results thereof) to 3Play Media;
    6. In addition to the other obligations set forth in this DPA regarding Subprocessors, bind each such Subprocessor to a written contract in accordance with State Data Protection Laws that requires such Subprocessor to comply with obligations of processors (as defined in the State Data Protection Laws) under the State Data Protection Laws and to meet equivalent obligations with respect to such State Laws Data as are set forth in this Other States Data Exhibit. 3Play Media hereby consents to Vendor’s engagement of the Subprocessors listed in Schedule II, Section (a)(11)(i) of this DPA to process State Laws Data; and
    7. Stop processing State Laws Data on 3Play Media’s request made in accordance with an individual’s authenticated request.