Sovrn Legal

Standard Contractual Clause Selections and Addendum

Last Updated March 28, 2022

Effective March 28, 2022

The following selections and addendum shall supplement and/or amend the SCCs incorporated into the Independent Controller Data Processing Addendum.

SCCs Section Reference	Concept		Selection by the Parties
Section IV, Clause 17	Governing law		The laws of the Republic of Ireland.
Section IV, Clause 18 (b)	Choice of forum and jurisdiction		The courts of the Republic of Ireland.
Annex I.A	List of Parties – Data exporter(s)	Name:	Customer
		Address:	As set forth in the Agreement
		Contact:	As set forth in the Agreement
		Activities relevant to the data transferred under these Clauses:	Receipt of the Services from Sovrn under the Agreement.
		Signature and Date:	The Parties agree that execution of the DPA by each Party shall constitute execution of the SCCs by both Parties as of the effective date of the DPA.
		Role (controller/processor):	controller
Annex I.A	List of Parties – Data importer(s)	Name:	Sovrn
		Address:	5541 Central Ave Boulder, CO 80301 USA
		Contact:	Dpo[at]sovrn.com
		Activities relevant to the data transferred under these Clauses:	The provision of the Services to Customer under the Agreement.
		Signature and Date:	The Parties agree that execution of the DPA by each Party shall constitute execution of the SCCs by both Parties as of the effective date of the DPA.
		Role (controller/processor):	controller
Annex I.B	Description of the Transfer	Categories of data subjects whose personal data is transferred	End users of Customer’s digital properties.
		Categories of personal data transferred	Categories of Personal Data transferred will depend upon the Services selected by the Customer and may include: (i) Cookies (session, persistent, LSO, other) or other unique IDs; (ii) Interest activity, behavioral targeting, or other profiling data; (iii) IP address; (iv) hashed email; and (v) User agent string/OS/chipset/screen.
		Sensitive data transferred (if applicable) and applied restrictions or safeguards	N/A
		The frequency of the transfer	Continuous basis for the term of the Agreement.
		Nature of the processing	As set forth in the Agreement.
		Purpose(s) of the data transfer and further processing	To allow Sovrn to provide the Services under the Agreement.
		The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period	Data is retained only for as long as needed to fulfil obligations defined in the Agreement, or as long as needed to support a business purpose.
		For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing	As above.
Annex I.C	Competent Supervisory Authority		Irish Data Protection Commissioner, unless Customer notifies Sovrn of an alternative competent supervisory authority by emailing privacy[at]sovrn.com.
Annex II	Technical and Organisational Measures		https://www.sovrn.com/company/security/

ADDENDUM TO THE STANDARD CONTRACTUAL CLAUSES

Sovrn and Customer agree that the SCCs shall be modified and/or supplemented as follows:

Transfers from Switzerland. If the SCCs apply to the Processing of Personal Data originating from Switzerland, the SCCs shall be modified as follows:
1. the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c);
2. the SCCs shall also protect the data of legal entities until the entry into force of the revised FDPA on or about 1 January 2023;
3. references to the GDPR or other governing law contained in the SCCs shall also be interpreted to include the FDPA;
4. the parties agree that the supervisory authority as indicated in Annex I.C shall be the Swiss Federal Data Protection and Information Commissioner.
Transfers from the United Kingdom. If the SCCs apply to the Transfer of Personal Data originating from the United Kingdom, this Section shall apply to and modify the SCCs to the extent that UK Data Protection Laws apply to Customer’s Processing when making that Transfer. As used in this Section, “Approved Addendum” means the template addendum issued by the Information Commissioner and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎18 of such thereof. The Parties acknowledge and agree that: (a) the information required to be set forth in “Part 1: Tables of the Approved Addendum” shall be completed in accordance with the selections set forth in the table above; and (b) “Part 2: Mandatory Clauses” of the Approved Addendum, as it is revised under Section 18 thereof, is hereby incorporated herein by reference. For purposes of Section 19 of the Approved Addendum, Sovrn may end the Approved Addendum in accordance with Section 19 thereof.
Supplemental Business-Related Clauses. In accordance with Clause 2 of the SCCs, the Parties wish to supplement the SCCs with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the SCCs (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of Data Subjects. The Parties therefore agree that the applicable terms of the Agreement and this DPA shall apply if, and to the extent that, they are permitted under the SCCs, including without limitation the following:
1. The information required to be provided to Data Subjects under Clause 8.2(a) shall be provided by Customer using the relevant information provided by Sovrn in Annex I.
2. In the event of a data subject request for a copy of the clauses in accordance with Clause 8.2(c), each Party agrees to make all redactions reasonably necessary to protect business secrets or other confidential information of the other Party.
3. Sovrn shall be deemed in compliance with Clause 8.7 to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
4. The terms of the Agreement governing indemnification and limitation of liability, including Section 11 of the DPA, shall apply to each Party’s liability under Clauses 12(a), 12(c), and 12(d).
5. The termination provision(s) of the Agreement shall apply to a termination pursuant to Clause 14(f) or Clause 16.
6. Certification of deletion of Personal Data under Clause 16(d) shall be provided by Sovrn upon written request of Customer.

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
csrftoken	1 year	This cookie is associated with Django web development platform for python. Used to help protect the website against Cross-Site Request Forgery attacks
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
_auth	1 year	This cookie is set by Pinterest that collects statistical details to track the use of its services.
_pinterest_referrer	past	This cookie is set by Pinterest to track the use of its services.
_pinterest_sess	1 year	This cookie is set by Pinterest that collects statistical details to track the use of its services.
_routing_id	session	This cookie is set by Pinterest that collects statistical details to track the use of its services.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
language	session	This cookie is used to store the language preference of the user.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
sp_landing	1 day	The sp_landing is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.
sp_t	1 year	The sp_t cookie is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.

Cookie	Duration	Description
__hstc	1 year 24 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_52355958_2	1 minute	This cookie is set by Google and is used to distinguish users.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
_mkto_datetime	1 month	This cookie is set by Marketo.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.

Trust Center

SOVRN LEGAL

Standard Contractual Clause Selections and Addendum