This Agreement is entered into between Sift Media, Inc., a Delaware Corporation, with offices at 201 W. Main Street, Suite 300, PMB 302, Durham, NC 27701, doing business as DemandScale (the "Publisher") and "Advertiser", the entity here undersigned and further identified in the account creation process as of the date of creating an account with Publisher (the "Effective Date"). Publisher shall promote the distribution of Advertiser’s apps (the "Ads") and Advertiser shall make payment to Publisher for the amount of advertising spend from the Ads on a cost per install (CPI) basis (the "Fees").

The individual signing below for the Advertiser or clicking-through to create an account at www.sift.co or www.demandscale.com personally and individually represents and warrants to Publisher that (i) he or she is fully authorized to enter into this Agreement on behalf of the Advertiser and (ii) this Agreement along with the Terms and Conditions set forth at https://www.iab.com/wp-content/uploads/2015/06/IAB_4As-tsandcs-FINAL.pdf will be legally binding and fully enforceable on Advertiser and Publisher. Any difference in terms in the IAB standard Ts & Cs and this Agreement shall be governed by this Agreement.

By clicking "Create Account" and continuing to use Publisher’s services, Advertiser agrees to accept and abide by the terms and conditions outlined in this agreement. Please note that we reserve the right to update these online terms and conditions periodically, and it is your responsibility to review and comply with any changes made.

All numbers in respect of the Ads data for the purposes of billing and payment shall be based on Publisher’s reporting system. Publisher will provide the Advertiser with access to real-time reports. In the case of a discrepancy of more than 5% between Publisher’s numbers and Advertiser’s numbers, payment shall be based on the numbers from Advertiser’s Mobile Measurement Platform (MMP) such as Appsflyer, Adjust, Kochava, Singular, Branch, or similar. Please note: For all CPI campaigns, installs attributed to clicks or impressions served prior to a campaign pause will be billed if they occur within the standard attribution window. Advertisers will be responsible for any residual installs resulting from pre-pause activity.

Publisher shall invoice Advertiser and Advertiser shall pay the Fees to Publisher within thirty (30) days after the end of each calendar month. All payments will be in US dollars and paid by ACH or wire transfer to an account designated by Publisher. Fees are due regardless of whether Advertiser has collected payment from its clients, advertisers, or agents of those advertisers. Late payments will be subject to late fees at the lesser of (i) 1.5% per month, or (ii) the maximum rate allowed by law, and Publisher may suspend the Ads until Advertiser pays all overdue Fees and applicable interest.

Either party may terminate this Agreement for convenience with 48 hours’ written notice to the other party. The obligation of Advertiser to make payments under this Agreement shall survive the termination or expiration of this Agreement.

Advertiser has rights to any marketing materials provided to Publisher. During the Term, Advertiser grants Publisher a license to use such marketing materials pursuant to serve and place Ads.

Each party will make every effort to uphold the highest ethical and commercial standards. Each party shall not engage in any Fraudulent Activity. Fraudulent Activity means any of the following: (a) fictitious downloads or installations of the Ads; (b) automated and/or fraudulent clicks on any marketing materials for the Ads.

Any confidential information and/or proprietary data provided by one party ("Discloser") to the other party ("Recipient"), including the descriptions of Ads, the pricing of Ads, and the terms hereof, shall be deemed "Confidential Information" of the Discloser. Confidential Information shall not be released by the Recipient to anyone except an employee or agent that has a need to know and that is bound by written confidentiality obligations at least as strict as those contained herein. Recipient shall not use any portion of Confidential Information provided by the Discloser for any purpose other than those provided for under the Agreement.

Each party represents and warrants the other party that: (a) it has the full corporate right, power and authority to enter into the Agreement, to grant the licenses granted hereunder and to perform the acts required of it hereunder; (b) the execution of the Agreement by it and the performance of its obligations and duties hereunder, do not and will not violate any agreement to which it is a party or by which it is otherwise bound; (c) when executed and delivered, the Agreement will constitute the legal, valid and binding obligation of each party, enforceable against each party in accordance with its terms; and Advertiser represents that (A) its Ads including among others all content shown in the Ads and text, images or any other graphics provided by Advertiser: (i) do not and will not infringe upon misappropriate or otherwise violate the intellectual property rights of any third party and that the Ads and any accompanying documentation and its marketing material do not and will not include any obscene, libelous, defamatory, illegal, or otherwise offensive material, or in any context that harms the goodwill or reputation of Publisher or that disparages or brings Publisher or its business partners into disrepute; (B) it will not and will not allow any third party through its Ads or otherwise exploit Publisher’s services in order to (i) re-sell, distribute, license, sublicense or otherwise make use of end users’ data for commercial or for any other purpose; or (ii) use Publisher’s services except for the limited expressed purpose of this Agreement.

In no event shall either party be liable to the other party for any incidental, indirect, special, exemplary, or consequential damages including, but not limited to, damages for loss of profits, business interruption, loss of information, and the like, in each case even if such party has been advised of the possibility of such damages. Without derogating from any of the foregoing, Publisher’s total aggregate liability under this Agreement, if any, to the Advertiser or any other person or entity, in connection with any claim relating to this Agreement, including any services provided by or on behalf of Publisher, will be limited to an amount equal to the lower of (i) US$10,000 or (ii) the amount received by Publisher under this Agreement during the 30 day period immediately preceding the date of the claim. The existence of one or more claims will not enlarge this limit. This section shall survive the cancellation or termination of this Agreement.

No action arising under or relating to this Agreement, regardless of its form, may be brought by either party more than six (6) month after the cause of action has accrued and in any event no later than 3 months after the termination of this Agreement, except for an action for non-payment brought by the Publisher. The foregoing limitations shall apply notwithstanding any failure of essential purpose of any limited remedy and are fundamental elements of the bargain between the parties.

Subject to the limitation of liability herein, each party (the "Indemnifying Party") will defend, indemnify and hold harmless the other party (the "Indemnified Party") from and against any and all liabilities, losses, damages, costs and expenses (including legal fees and expenses) associated with any claim of action brought against the Indemnified Party arising out of or related to a breach by the Indemnifying Party of its representations and warranties as set forth in this Agreement. The foregoing indemnity obligations shall apply provided that the Indemnified Party (i) promptly notifies the Indemnifying Party in writing of any such claim (provided that failure to provide timely notice will not alter the Indemnifying Party's obligations except to the extent that it is materially prejudiced thereby), (ii) allows the Indemnifying Party, at its sole expense, to direct the defense of such claim, (iii) gives the Indemnifying Party full information and reasonable assistance which is available to the Indemnified Party and is useful or necessary to defend such claim, and (iv) does not enter into any settlement of any such claim, without the Indemnifying Party's consent, which shall not be unreasonably withheld.

Each party will make reasonable commercial efforts to maintain its service operational 24/7. However, the parties agree it is normal to have a certain amount of system downtime and agree not to hold each other liable for any of the consequences of such interruptions.

The relationships of the parties to this Agreement shall be solely that of independent contractors, and nothing contained in this Agreement shall be construed otherwise. Nothing contained in this Agreement, nor any action taken by any party to this Agreement, shall be deemed to constitute either party (or any of such party's employees, agents, or representatives) an employee, or legal representative of the other party, nor to create any joint venture, association, or syndication among or between the parties.

Neither party shall be liable by reason of any failure or delay in the performance of its obligations hereunder for any cause beyond the reasonable control of such party, including but not limited to electrical outages, failure of Internet service providers, riots, insurrection, war (or similar), fires, flood, earthquakes, explosions, and other acts of God.

This Agreement contains the entire agreement between the parties and supersedes all prior agreements between the parties. Nothing in this Agreement is intended or will be construed to give any person, other than the parties hereto, any legal or equitable right, remedy or claim under or in respect of this Agreement or any other provision contained herein. This Agreement may be executed in two counterparts, each of which shall constitute an original and the two together shall constitute a single agreement. Whenever possible, each provision of this Agreement shall be interpreted in such a manner as to be effective and valid under applicable law but, if any provision of this Agreement is held to be invalid, illegal or unenforceable in any respect, such provision will be ineffective only to the extent of such invalidity, or unenforceability, without invalidating the remainder of this Agreement.

Any dispute, controversy or claim arising out of, relating to or in connection with this contract, including any question regarding its existence, validity or termination, shall be governed by and construed and enforced in accordance with the laws of the United States of America (without reference to the conflict of laws rules or principles thereof), and the parties expressly consent that any dispute arising from or out of, or relating to this Agreement shall be resolved by arbitration in accordance with the American Arbitration Association. Unless otherwise agreed by the Parties, the seat of arbitration shall be Durham, North Carolina and may be conducted by video or teleconference. The number of arbitrators shall be one and the language of the arbitration shall be English.

Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into as of May 25, 2018 (“Effective Date”) by and between Sift Media, Inc. and its affiliates (collectively, “Sift”) and the undersigned (“Company”) in connection with services provided by Company to Sift pursuant to a separate agreement (“Agreement”). Any capitalized terms used but not defined in this DPA shall have the respective meanings given to them in the Data Protection Laws. The terms of this DPA shall be governed by the laws of the State of North Carolina, without reference to its or any other jurisdiction’s conflicts of law rules. Sift and Company (each a “Party” and together the “Parties”) agree to comply with the terms of this DPA to satisfy requirements for processing of personal information under Data Protection Laws. In consideration of the mutual obligations described herein, the parties hereby agree to the terms and conditions set forth below.

1. DEFINITIONS

• “Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union and State of California, applicable to the Processing of Personal Information. It shall include: (a) from 25 May 2018, Regulation (EU) 2016/679 of the European Parliament, commonly referred to as the EU General Data Protection Regulation (“GDPR”) as implemented by countries within the European Economic Area (EEA); (b) EU Standard Contractual Clauses attached and incorporated herein as Exhibit A (the “Model Clauses”); and (c) from 1 January 2020, Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018, commonly referred to as the California Consumer Privacy Act of 2018 (“CCPA”), in each case as supplemented or amended from time to time.
• “Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
• “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
• “Individual” means the individual to whom Personal Data relates, also referred to as “Data Subject” pursuant to GDPR.
• “Personal Information” means any information relating to an identified or identifiable person, also referred to as "Personal Data" pursuant to GDPR. Specifically, device identifiers for advertising (IDFA for iOS and Android Advertising ID) and device IP address are considered “Personal Data.”
• “Privacy Shield Principles” means the EU-U.S. Privacy Shield Framework Principles and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce, located at https://www.privacyshield.gov/EU-US-Framework, as may be amended from time to time.
• “Processing” (including “Process,” “Processes,” and “Processed”) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as accessing, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, copying, transferring, deletion, erasure or destruction, or use in any other manner.
• “Security Breach” has the meaning set forth in Section 7 of this DPA.
• “Sub-processor” means any Data Processor engaged by the Data Processor.
• “Subsequent Sub-processor” means any Data Processor engaged by the Sub-processor.

2. PROCESSING OF PERSONAL DATA

• 2.1 The types of Personal Data and categories of Data Subjects Processed under this DPA are as follows: • Types of Personal Data: Identifier for advertisers (IDFA); IP Address. • Categories of Data Subjects: Personal Data relates to mobile application users of publishers.
• 2.2 In accordance with the GDPR, publishers of mobile applications are required to obtain consent from end users and pass the consent data to the Real Time Bidding (RTB) exchanges. The RTB exchanges pass the GDPR consent data to its partners such as Sift. Only based on a valid GDPR consent string does Sift collect and process the personal data, including for purposes of attribution with its affiliates. Additionally, Sift complies with the OpenRTB specification and has implemented a process to verify GDPR consent data. If the GDPR consent data does not contain the appropriate GDPR consent string, Sift will not collect and process the personal data.
• 2.3 Each party represents, warrants and agrees to perform its obligations in connection with this DPA, including, without limitation, Processing Personal Data, in accordance with the requirements of the Data Protection Laws
• 2.4 Each party shall implement and maintain comprehensive technical and organizational measures in such a manner that Processing of Personal Data complies with the Data Protection Laws, including a written information security program, which at a minimum, is designed to protect Personal Data or other information deemed “Confidential” under the Agreement or this DPA from unauthorized access, use, modification, disclosure, loss, alteration, destruction or other unlawful forms of Processing.
• 2.5 Each party shall only Process Personal Data only to provide the services described in the Agreement and this DPA, or otherwise in accordance with the written instructions as directed by the Data Controller.
• 2.6 Each party shall not engage any Subsequent Sub-processors without prior written consent from the other party as directed by the Data Controller except for engagements for the purpose of performing the services under the Agreement, including campaign attribution matching, settlement, dispute resolution, and anti-fraud. Each party agrees that any agreement with an approved Subsequent Sub-processor shall include no less protective data protection obligations as set out in this DPA. Each party shall remain responsible for any approved Subsequent Sub-processor’s compliance with the obligations of this DPA.

3. RIGHTS OF DATA SUBJECTS; COOPERATION

• 3.1 In the event a party receives a request from a Data Subject for personal data related to such Data Subject as permitted by any Data Protection Laws (a “Data Subject Request”), such party shall not share, transfer, disclose, or otherwise provide or permit access to personal data without the other party’s prior written consent. If either party receives a Data Subject Request relating to personal data in its control or possession, it shall promptly (and in any event within 5 days): (1) provide the other party with all information relating to the Data Subject Request; (2) give the other party a reasonable opportunity to take any steps it considers necessary to protect the confidentiality of personal data and the rights of the relevant Data Subject; and (3) provide any assistance reasonably requested by such party to take such steps.
• 3.2 Each party shall maintain all records as required by Data Protection Laws, including with respect to the Processing of Personal Data, and make any such records available upon request. In addition, each party shall provide relevant information and reasonable assistance to demonstrate compliance with its obligations under this DPA and shall cooperate with reasonable assessments, including onsite reviews.

4. PERSONNEL

• 4.1 Each party shall ensure that (a) its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and are subject to obligations of confidentiality, and (b) such obligations shall survive the termination of that individual’s engagement with the company.
• 4.2 Each party shall ensure that access to Personal Data is limited to those personnel who require such access to fulfill company’s obligations with respect to the services provided under the Agreement.

5. INDEMNITY AND LIABILITY

Each party (an “Indemnifying Party”) shall defend (through its own counsel), indemnify, defend and hold harmless the other and the other’s officers, directors, employees and agents from and against any and all claims, liabilities, administrative fines, suits, judgments, actions, investigations, settlements, penalties, fines, damages and losses, demands, costs, expenses, and fees, including reasonable attorneys’ fees and expenses, of whatever nature incurred by the Indemnified Party out of or in connection with any negligent act, error or omission arising out of the data protection, confidentiality or security requirements under the Agreement or this DPA, any Security Breach, or any claims, demands, investigations, proceedings, or actions brought by Data Subjects, legal persons (e.g., corporations and organizations), or supervisory authorities under the Data Protection Laws that apply to the Indemnifying Party or any Subsequent Sub-processor engaged by the Indemnifying Party with respect to the Personal Data Processed under this DPA. In any defense with respect to any matter covered by this paragraph, the Indemnified Party may participate with counsel of its own choosing at its expense and the Indemnifying Party will not agree to any settlement which imposes any obligation or liability on the Indemnified Party without such Indemnified Party’s prior written consent, (such consent not to be unreasonably withheld or delayed). Each party shall promptly inform the other of any third party claims, actions, or proceedings to which it becomes aware that involves the other party as a result of this DPA.

6. SECURITY; AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS

• 6.1 Pursuant to Article 28, Section 3(c) of GDPR, each party shall take all measures required pursuant to Article 32 of GDPR.
• 6.2 Each party shall make available to the other party, as directed by the Data Controller, all information necessary to demonstrate compliance with the obligations set forth in Article 28 of GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
• 6.3 Each party will reasonably cooperate and assist the other party in their assistance of the Data Controller in ensuring compliance with Articles 32 to 36 of GDPR.

7. SECURITY BREACH MANAGEMENT AND NOTIFICATION

Each party agrees to notify the other party without undue delay after becoming aware of the Personal Data Breach and to take reasonable steps to mitigate the impact of any Personal Data Breach that may impact the other party. To the extent a party seeks the assistance of the other party related to the investigation of a Personal Data Breach, the other party shall reasonably cooperate with such requesting party to: (1) determine the scope and severity of the Personal Data Breach; and (2) provide timely information and cooperation as the requesting party may require to fulfill the requesting party’s reporting and notification obligations under Data Protection Laws. Unless such party is required to give notice to individuals under Data Protection Laws, such party shall not give notice to individuals in respect to a Personal Data Breach, except with the prior written approval of the other party.

8. RETURN AND DELETION OF PERSONAL DATA

Each party upon request or upon earlier termination of the Agreement, shall render permanently unreadable and unrecoverable or return all Personal Data, and all copies thereof, to the Data Controller, unless such Personal Data must be retained as necessary to comply with Data Protection Laws.

9. TRANSFERS OF PERSONAL DATA; EEA PERSONAL DATA

• 9.1 To the extent the Processing of Personal Data involves a transfer, including if Sift and Company transfer Personal Data through affiliates, subcontractors, or other third parties, and such transfers of Personal Data originated from the EEA, Switzerland, or other countries or jurisdictions recognizing GDPR, each party represents and warrants that its Processing and/or transfer of Personal Data does and will comply with all Data Protection Laws.
• 9.2 Each party agrees to apply the Privacy Shield Principles to all Personal Data that originates from the European Economic Area or Switzerland (“EEA Data”). In particular, each party agrees to: (a) use EEA Data only for purposes specified by this DPA and as directed by the Data Controller; (b) notify the other party upon determination that it can no longer apply the Privacy Shield Principles to EEA Data; (c) upon such determination, cease use of EEA Data or take other reasonable and appropriate steps to apply the Privacy Shield Principles to EEA Data; (d) execute and comply with the Model Clauses (processors); (e) certify and maintain certification to the United States Department of Commerce that the party complies with the Privacy Shield Principles; (f) implement Binding Corporate Rules for Processors (as defined in GDPR) in all jurisdictions where EEA Data will be Processed; and (g) provide reasonable assistance to the other party and the applicable Data Controller in meeting their respective compliance obligations regarding data protection impact assessments and related consultations with data protection authorities.

10. CALIFORNIA CONSUMER PRIVACY ACT OF 2018

• 10.1 Each party is a “Service Provider” as defined in CCPA Section 1798.140(v).
• 10.2 Personal data disclosed between each party is solely for the purpose of performing the services under the Agreement, including campaign attribution matching, settlement, dispute resolution, and anti-fraud.
• 10.3 Each party is prohibited from: (i) selling Personal Data; (ii) retaining, using, or disclosing Personal Data for a commercial purpose other than providing the Services; and (iii) retaining, using, or disclosing the Personal Data outside of the Agreement between Sift and Company.
• 10.4 Each party understands the prohibitions outlined in Section 10.3.

11. PARTIES TO THIS DPA

Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.

12. LEGAL AUTHORITY

Each of Company and Sift mutually represent and warrant that (i) the person executing this DPA on its respective behalf has the legal authority to bind such party, and (ii) it has right, power, and authority to (a) enter into this DPA, (b) make the representations and warranties contained herein, and (c) commit to and perform the respective duties, obligations and covenants set forth hereunder.

13. SURVIVAL

All of Company’s obligations under this DPA will continue for so long as Company continues to have access to Personal Data, even if all agreements between Company and Sift (including, without limitation, the Agreement) have expired or have been terminated.

14. COUNTERPARTS

This DPA may be executed in two (2) or more counterparts, each of which shall be deemed an original and all of which shall together be deemed to constitute one agreement. The parties agree that execution of this DPA by industry-standard electronic signature software and/or by exchanging PDF signatures shall have the same legal force and effect as the exchange of original signatures.