DATA PROCESSING ADDENDUMS FOR MEGAPHONE SERVICES

Last updated: January 1st, 2023

Depending on the bundle of services purchased from Spotify or an Affiliate of Spotify, one or a combination of the below two data processing addendums will apply:

Global Data Processing Addendum: Processor / Service Provider

This Data Processing Addendum ("DPA") shall apply if and to the extent Spotify or an Affiliate of Spotify collects or otherwise processes Personal Data on behalf of Customer as a Processor in connection with the performance of its obligations under the Agreement. The parties agree that this DPA shall be incorporated into and form part of the Agreement.

1. Definitions and interpretation

For purposes of this DPA, "Affiliate" shall mean any entity that directly or indirectly controls, is controlled by, or is under common control with a Party; "Agreement" shall mean the applicable agreement between the parties for services provided to the Customer; "Applicable Laws" shall mean all laws, regulations and regulatory policies, guidelines or industry codes of any competent industry body that are applicable to the personal data processing activities of the parties or their Affiliates undertaken pursuant to or in connection with this Agreement, including without limitation the EU General Data Protection Regulation 2016/679 ("GDPR"), GDPR as applicable as part of UK domestic law by virtue of s.3 of the European Union (Withdrawal) Act 2018 and as amended ("UK GDPR"), Swiss Federal Act on Data Protection ("FADP"), California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020 (together with its implementing regulations, "CCPA"), Virginia's Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq., the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq., Connecticut's Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015, and the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.; "Services" shall mean the services and/or products provided by us under the Agreement. "Controller", "Business", "Processor", "Service Provider", "Data Subject", "Consumer", "Personal Data", "Personal Information", "Sell", "Share", "Commercial Purpose", "Breach of the Security of the System", "Security Breach", "Breach of Security", "Breach of System Security", and "Personal Data Breach" shall have the meanings ascribed to them in Applicable Laws. Terms defined in the Agreement shall have the same meaning when used in this DPA, unless defined otherwise in this DPA.

References in this DPA to "Controller", "Data Subject", "Personal Data", and "Processor" include "Business", "Consumer", "Personal Information", and "Service Provider" respectively. References in this DPA to "Personal Data Breach" include "Breach of the Security of the System", "Security Breach", "Breach of Security", and "Breach of System Security".

2. Roles; Description of Processing

For the purposes of processing of Customer's Personal Data under the Agreement, Customer (or a Customer Affiliate authorized by Customer to instruct us) shall be regarded as a Controller and we shall be regarded as a Processor. The subject matter, duration, nature, and purpose of processing of Customer's Personal Data, as well as the categories of Customer's Personal Data processed and categories of Data Subjects, are set out in the Podcast Ads Product Schedule.

3. Undertakings of Customer

Customer undertakes to:

a) Comply with all applicable requirements of Applicable Law;

b) Ensure that there is a lawful basis for processing the Personal Data as envisioned under the Agreement;

c) Provide us with clear instructions regarding our processing of Personal Data as set out in this DPA and in any additional documented instructions provided by Customer, if applicable; and

d) Promptly inform us of any Data Subject request made pursuant to Applicable Laws that we must comply with and provide us with the information necessary for us to comply with such request;

e) Provide adequate notices and choice to Data Subjects, and obtain valid consents from Data Subjects, in each case, to the extent necessary, for us to process Personal Data in connection with the Agreement and this DPA and as required by Applicable Law.

For the avoidance of doubt, the commitments given and obligations owed by the Customer pursuant to this clause and the other provisions of this DPA apply in respect of Personal Data of Customer and Customer's Affiliates.

4. Undertakings of Spotify

We undertake to:

a) Comply with all applicable requirements of Applicable Law;

b) Only process Customer's Personal Data in accordance with instructions from Customer, including those set forth in this DPA and the Agreement;

c) Process Customer's Personal Data solely for the purpose of performing the Services and not (i) retain, use, disclose, rent, release, disseminate, transfer, or otherwise communicate or make available to a third-party Customer's Personal Data for any purpose, including any Commercial Purpose, other than as necessary to perform the Services; (ii) Sell or Share Customer's Personal Data; (iii) retain, use, or disclose Customer's Personal Data outside of the direct business relationship between Spotify and Customer; or (iv) not combine Customer's Personal Data with Personal Data received from or on behalf of a third party or collected from Data Subjects during Spotify's interactions with such Data Subjects except as permitted by Applicable Laws;

d) Ensure that only such employees of Spotify which must have access to Customer's Personal Data in order to meet our obligations hereunder have access to Customer's Personal Data, and that such employees have received appropriate training and instructions regarding processing of Customer's Personal Data as well as committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

e) Ensure that it has in place appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Customer's Personal Data and against accidental loss or destruction of, or damage to, Customer's Personal Data, appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected having regard to the state of technological development and the cost of implementing any measures;

f) Reasonably assist Customer in responding to any valid request from a Data Subject and in ensuring compliance with its obligations under Applicable Laws, with respect to security, breach notifications, impact assessments and data protection assessments, and consultations with supervisory authorities;

g) Notify Customer without undue delay on becoming aware of a Personal Data Breach, and take reasonable steps to mitigate the impact of any such Personal Data Breach and to reasonably cooperate with Customer to enable Customer to comply with its obligations under Applicable Laws. To the extent necessary and reasonably requested by Customer, Spotify will, at Customer's expense, assist Customer with its required notification obligations under Applicable Laws;

h) In accordance with Section 7 below, make available to Customer the information necessary to demonstrate compliance with our obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by us or another third party mandated by Customer, as required by Applicable Laws;

i) After the termination of the Agreement within 90 days of a written request or within 90 days of receipt of Customer's reasonable and written request during the term of the Agreement, delete, deidentify, or return all or subsets of Customer's Personal Data in its control to Customer;

j) To the extent required by Applicable Laws, promptly notify Customer if Spotify determines that it can no longer meet its obligations under such Applicable Laws; and

k) Immediately inform Customer if, in its opinion, Customer's instructions infringe Applicable Laws.

5. Sub-Processors

Customer authorises Spotify to appoint (and permit each sub-Processor appointed in accordance with this Section 5 to appoint) sub-Processors in accordance with this Section 5. We may continue to use those sub-Processors already engaged by us as of the effective date of this DPA. We have entered or will enter into a written agreement with each sub-Processor containing data protection obligations substantially similar to those in this DPA with respect to the protection of Customer's Personal Data to the extent applicable to the nature of the services provided by such sub-Processor.

Spotify may appoint its Affiliates as sub-Processors at any time. We will give Customer written notice of the appointment of any new or replacement sub-Processors. Customer has five (5) business days from the receipt of that notice, to object in writing (on reasonable grounds) to the proposed appointment, we will not appoint (or disclose any of Customer's Personal Data to) that proposed sub-Processor until reasonable steps have been taken to address Customer's objections or permit Customer to terminate the Agreement.

6. Data Transfers

For the purposes of this DPA, a "Restricted Transfer" is a transfer of Customer's Personal Data under this DPA from Customer (or authorized Affiliate) to Spotify or a Spotify Affiliate outside of the Protected Area where such transfer would be prohibited by Applicable Laws in the absence of appropriate safeguards. The "Protected Area" is (i) where the GDPR applies ("EU Transfers"), the European Union and European Economic Area ("EEA") and any country, territory, sector or international organization in respect of which an adequacy decision under the GDPR is in force; (ii) where the UK GDPR applies ("UK Transfers"), the United Kingdom and any country, territory, sector or international organization in respect of which a decision under UK adequacy regulations is in force; and (iii) where the FADP or revised FADP apply ("Swiss Transfers"), Switzerland and any country, territory, sector or international organization which is recognised as adequate under the laws of Switzerland.

Further, "SCCs" means: (i) for EU Transfers, the standard contractual clauses adopted by decision of 4 June 2021 document number C/2021/3972 (module 2, controllers to processors) ("EU SCCs"); (ii) for UK Transfers, the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner under s.119A(1) Data Protection Act 2018, modified such that the details of the tables are as set out in this clause 6; and (iii) for Swiss Transfers, the EU SCCs provided that any references to the GDPR shall refer to the FADP and the term 'member state' shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the EU SCCs, and the clauses shall also protect the data of legal persons until the entry into force of the revised FADP.

Customer authorizes such Restricted Transfers as necessary for Spotify to provide the Services. In respect of any Restricted Transfers:

a) The relevant SCCs shall apply to such transfers and each party agrees to be bound by such SCCs.

b) The parties agree that Customer (or authorized Affiliate) is the "data exporter" and we are the "data importer" as defined in the SCCs, with the details of Annex 1 to the SCCs as set out in the Podcast Ads Product Schedule.

For purposes of Annex II of the Appendix to the SCCs, the following will apply:

Data importer shall undertake appropriate technical and organizational security measures to protect personal data against the unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. These measures should take into account available encryption technology and the costs of implementing the specific measures and must ensure a level of security appropriate to the harm that might result from a breach of security and the nature of the data to be protected.

The parties further agree that: (i) option 2 in clause 9 of the SCCs shall apply for the general authorisation for the use of sub-processors with a time period of thirty days for notice of the addition or replacement of sub-processors; (ii) the optional additional clauses of the SCCs shall not apply; and (iii) the laws and courts of Sweden shall apply for the purposes of clause 17 of the EU SCCs. Information for the purposes of impact assessments is available if requested.

7. Audit rights

No more than once per year and to the extent required by Applicable Laws, we will, during normal business hours and upon reasonable notice make available to Customer relevant information necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable Laws (including processing that may be carried out by Spotify's subcontractors, if any) and allow for and contribute to audits, including inspections, conducted by the Customer or another, independent auditor mandated by the Customer.

Upon reasonable notice, if Customer reasonably believes that Spotify is engaged in unauthorized use of Customer's Personal Data, then Customer may instruct Spotify to take reasonable and appropriate steps to stop and/or remediate the unauthorized processing.

We accept and agree that supervisory authorities may request information from us, and carry out investigations in the form of data protection audits, in accordance with Applicable Laws.

8. Governing Law

The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims however arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity. In the event of inconsistencies between this DPA, the Agreement, and the SCCs, this DPA shall prevail to the extent this DPA offers a stronger privacy protection for the Data Subject. Otherwise the SCCs shall apply.

Podcast Ads Product Schedule for Processor / Service Provider DPA

The details of Annex 1 to the SCCs for the Podsights product are as set out below:

A: List of Parties. The names and contact details of the parties shall be as set out in the applicable Order Form for the services.

B: Description of Transfer.

I. Data subjects: Listeners of podcasts

II. Categories of data. IP address and/or other data agreed with Customer received from the Customer

III. Sensitive data: None

IV. Frequency of transfer: Continuous

V. Nature and purpose of processing: To provide the services under the Agreement

VI. Period for which data will be retained: During the term of the agreement, as prescribed by Applicable Law, and in accordance with Podsights' privacy policy

C: Competent Supervisory Authority. The relevant competent supervisory authority(ies) for the Customer as data exporter as applicable.

The details of Annex 1 to the SCCs for the Chartable product are as set out below:

A: List of Parties. The names and contact details of the parties shall be as set out in the applicable Order Form for the services.

B: Description of Transfer.

I. Data subjects: Listeners of podcasts

II. Categories of data. Personal data received directly from content publishers and other hosting providers Chartable has contracts with, such as IP address and other data agreed with Customer

III. Sensitive data: None

IV. Frequency of transfer: Continuous

V. Nature and purpose of processing: To provide the services under the Agreement

VI. Period for which data will be retained: During the term of the agreement, as prescribed by Applicable Law, and in accordance with Chartable's privacy policy

C: Competent Supervisory Authority. The relevant competent supervisory authority(ies) for the Customer as data exporter as applicable.

Global Data Processing Addendum: Independent Controller

This Data Processing Addendum ("DPA") shall apply if and to the extent Spotify or an Affiliate of Spotify provides Personal Data to Customer where the Customer as a recipient of data is an independent controller. The parties agree that this DPA shall be incorporated into and form part of the Agreement.

1. Purpose. To ensure secure, correct, and lawful processing of the Personal Data under the Agreement and to clarify the Parties' respective roles for the processing of Personal Data, the Parties have agreed on the terms and conditions set out in this Data Processing Appendix ("Appendix"). The Parties agree that this Appendix shall be incorporated into and form part of the Agreement.

2. Definitions and Interpretation. For purposes of this Appendix, "Affiliate" shall mean any entity that directly or indirectly controls, is controlled by, or is under common control with a Party; "Agreement" shall mean the agreement between the Parties to which this Appendix is attached; "Applicable Laws" shall mean all data protection and privacy legislation, laws, supervisory authority policies, guidelines or industry codes in each case as applicable to the activities of a Party pursuant to or in connection with this Agreement; "FADP" shall mean the Swiss Federal Act on Data Protection; "GDPR" shall mean as relevant: (i) Regulation (EU) 2016/679 as applicable from time to time; and/or (ii) Regulation (EU) 2016/679 as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended); "Party"/"Parties" shall mean the Parties described in the Agreement, separately or jointly, as the case may be; "Personal Data" shall have the meaning given to it in the GDPR and: (i) "EU Personal Data", (ii) "Swiss Personal Data" and (iii) "UK Personal Data" shall, in each case, mean the Personal Data which was subject to the data protection laws of (i) the EU/EEA member states; (ii) Switzerland; or (iii) the UK, accordingly, prior to its processing by Customer; "Protected Area" shall mean: (i) for EU Personal Data, the EU, EEA member states and any country, territory, sector or international organisation in respect of which an adequacy decision under Art.45 GDPR is in force; (ii) for UK Personal Data, the UK and any country, territory, sector or international organisation in respect of which an adequacy decision under UK adequacy regulations is in force; and (iii) for Swiss personal data, Switzerland and any country, territory, sector or international organization which is recognised as adequate under the laws of Switzerland; "Spotify" shall mean the Spotify entity which is Party to the Agreement, unless this entity is Spotify USA Inc., in which case "Spotify" shall mean Spotify AB on whose behalf the Spotify entity executing the Agreement enters into this Data Processing Appendix, as authorized; "Standard Contractual Clauses" shall mean: (i) in respect of EU Personal Data, the standard contractual clauses for data transfers, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, as specified in Annex A ("EU SCCs"); (ii) in respect of Swiss personal data, the EU SCCs, provided that any references in the clauses to the GDPR shall refer to the FADP; the term 'member state' must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the EU SCCs; and the clauses shall also protect the data of legal persons until the entry into force of the revised FADP; and (iii) in respect of UK Personal Data, the International Data Transfer Addendum to the EU SCCs, issued by the Information Commissioner and in force since 21 March 2022, as specified in Annex A ("UK Addendum"). Terms defined in the Agreement and/or the GDPR (if applicable) shall have the same meaning when used in this Appendix, unless defined differently in this Appendix.

3. Roles and Undertakings of the Parties.

a. Each Party shall be individually responsible, as a sole data controller, for its own processing of Personal Data pursuant to and/or in connection with the Agreement. This means that each Party determines the purposes and means for its respective processing of Personal Data. However, this provision will not affect restrictions on either Party's rights to use or otherwise process Personal Data under the Agreement.

b. Neither Party shall be construed as a data processor in relation to the other Party, unless the conditions for processing of Personal Data under the Agreement change so that one Party processes Personal Data on behalf of the other Party, in which case this Appendix shall be replaced by a data processor agreement.

c. Each Party shall comply with Applicable Laws and must provide reasonable resources to its employees to enable processing of Personal Data processed in connection with this Agreement in compliance with Applicable Laws.

d. Each Party will inform the other Party of any requests from data subjects regarding rectification or erasure of Personal Data, or restriction or objection of the processing of Personal Data that is relevant for the other Party (and, in the case of Spotify, its Affiliates). Each Party shall, to the extent that such a request affects the other Party's processing of Personal Data, comply with all such requests in accordance with Applicable Laws.

e. Each Party shall notify the other Party immediately if it becomes aware of, or suspects: (i) any breach of this Appendix; or (ii) a Personal Data breach which is likely to affect or invoke the other Party's (and, in the case of Spotify, those of its Affiliates) obligations under Applicable Laws. The notifying Party shall document all Personal Data breaches in accordance with Applicable Laws and fully cooperate with the other Party to ensure compliance with Applicable Laws. Each Party shall use reasonable endeavors to mitigate any damage suffered by a data subject.

f. Each Party shall also be responsible for any acts and omissions of any third parties with which the Party shares Personal Data pursuant to this Agreement.

4. Transfer of Personal Data outside of the Protected Area. Before transferring Personal Data outside the Protected Area, each Party shall ensure that such transfer is fully compliant with Applicable Laws, including by using a transfer mechanism which is compliant under Applicable Laws.

To the extent that this Agreement involves a transfer of Personal Data to a jurisdiction outside of the Protected Area:

  1. the Parties hereby incorporate the Standard Contractual Clauses into this Agreement as the applicable data transfer mechanism, as completed with the selections and information contained in Annex A of this DPA. If the Customer participates in a valid scheme for data transfers to the US, the Parties agree that the Standard Contractual Clauses will not apply to the extent the data transfers are legitimised under that scheme; and
  2. if further regulatory guidance becomes available or industry standard practices develop about international data transfers, the Parties shall timely execute an amendment.

5. Information Security Practices. Each Party shall, taking into account the nature of the processing, implement and maintain all appropriate technical, administrative and organizational measures required to ensure a level of confidentiality and security appropriate to the risks represented by the processing and the nature of Personal Data processed pursuant to this Agreement, and to prevent unauthorized or unlawful processing of such Personal Data, including but not limited to measures against unauthorized or unlawful processing of Personal Data and against accidental loss, corruption, disclosure or destruction of, or damage to, such Personal Data.

6. Obligation to Provide Information. The Parties shall keep each other informed of the contact details of its data protection representative. The Parties shall provide each other with any information that the other Party reasonably requires in order to comply with its obligations under Applicable Laws including to inform data subjects of: (a) the other Party's data processing activities and any data transfer solutions utilized; and (b) the arrangement between the Parties, including but not limited to arrangements, on which Party is responsible to respond to requests from, and provide information to, data subjects.

7. Non-sale. With respect to data received by Customer from Spotify under the Agreement, how Spotify provides such data is considered de-identified data under the CCPA. Customer acknowledges and agrees that Spotify only provides de-identified data to Customer. As such, Customer represents and warrants that: (i) it will not attempt to re-identify any data received from Spotify, directly or indirectly, (ii) it will not attempt to use the data to profile or retarget individuals or households, and to the extent required by applicable laws, regulation or guidance, they will limit the use of the data to analytics purposes on an aggregate basis, (iii) it will implement technical safeguards and business processes designed to prevent inadvertent re-identification or releases of de-identified information, (iv) it will publicly commit to maintain and use the data in de-identified form and not attempt to re-identify the information, unless otherwise permitted under Applicable Laws, and (v) it will contractually obligate any recipients of the data to comply with all the provisions of this Section 7.

On request from Spotify, Customer shall provide Spotify with an annual certification by an authorized executive officer that Customer has complied with the above requirements.

8. Indemnity. Each Party shall indemnify and hold the other Party harmless from and against all losses due to claims from third parties resulting from, arising out of or relating to any breach by such first-mentioned Party of this Appendix.

9. Governing Law. Subject to the Standard Contractual Clauses but notwithstanding any other provision in the Agreement, this Appendix shall be governed by the laws in the country in which the data exporting controller is established. In the event of inconsistencies between this Appendix and the Agreement, this Appendix shall prevail to the extent this Appendix offers a stronger privacy protection for the Data Subject.

ANNEX A to Global Data Processing Addendum: Independent Controller

In respect of any transfers of Personal Data between Spotify and Customer outside of the Protected Area, the Parties hereby incorporate the Standard Contractual Clauses by reference, with the Parties' signature and dating of the Agreement being deemed to be the signature and dating of the Standard Contractual Clauses, and with the Annexes to the Standard Contractual Clauses being as set out below.

A. For the purposes of the EU SCCs, the following shall apply:

  • The applicable Module is Module One (Controller to Controller).
  • Clause 7: Optional docking clause is included;
  • Clause 11: The optional clause allowing data subjects to lodge a complaint with an independent dispute resolution body is removed;
  • Clause 13: The option for the data exporter established in an EU member state is selected;
  • Clause 17: Sweden is selected as the governing law, as Sweden is where Spotify AB is established and Swedish law allows for third-party beneficiary rights; and
  • Clause 18: The EU Member State where any dispute arising from these Clauses shall be resolved is the courts of the jurisdiction stipulated in the Agreement, unless this is not an EU Member State in which case it shall be Sweden.
  • The details for Annex I, section A shall be the contact details as set out in the applicable Order Form
  • The details for Annex I, section B are set forth below:
    • Data subjects: The personal data transferred concern the following categories of data subjects: listeners of podcasts hosted by the Megaphone service
    • Categories of personal data: The personal data transferred concern the following categories of data: hashed IP address and/or other usage data agreed with Customer
    • Sensitive data transferred: The sensitive personal data transferred concern the following categories of data: N/A
    • Frequency of transfer: continuous
    • Nature and purpose of the processing: The data processing will be as described under the Agreement and the transfer is made for the following purposes: analytics and metrics reporting
    • Period for which personal data will be retained or criteria to determine that period: importer shall retain the data in accordance with the terms of the Agreement and applicable law
  • Annex I.C SUPERVISORY AUTHORITY
    • Identify the competent supervisory authority/ies in accordance with Clause 13: Swedish Authority for Privacy Protection (IMY)
  • Annex II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Data importer shall undertake appropriate technical and organizational security measures to protect personal data against the unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. These measures should take into account available encryption technology and the costs of implementing the specific measures and must ensure a level of security appropriate to the harm that might result from a breach of security and the nature of the data to be protected.

B. For the purposes of the UK Addendum, as permitted by clause 17 of such addendum, the parties agree to change the format of the information set out in Part 1 of the addendum so that:

(a) the details of the parties in table 1 shall be as set out above (with no requirement for signature);

(b) for the purposes of table 2, the addendum shall be appended to the EU SCCs (including the selection of modules and the application/disapplication of such optional clauses as specified above); and

(c) the appendix information listed in table 3 is as set out above.