This Data Processing Agreement (“DPA”) is entered into by and between the Parties as part of the Agreement (as defined in the Omnidex Technologies LTD Terms & Conditions), and governs the processing of Personal Data in connection with the Publisher’s use of the Omnidex Platform and Services.

This DPA forms an integral part of the Agreement between the Publisher and Omnidex Technologies LTD and is incorporated therein by reference. It applies to all data processing activities carried out by Omnidex on behalf of the Publisher in the course of providing the Services, and is intended to ensure compliance with applicable Data Protection Laws.

Omnidex may update or amend this DPA as required to reflect changes in legal requirements, Services, or processing operations, in accordance with the change control provisions of the Terms & Conditions. The current version shall be available at: https://www.omni-dex.io/publisherterms/dpa.

WHEREAS, Omnidex owns, develops, and operates the Omnidex Platform enabling the monetization of digital advertising inventory;

WHEREAS, the Publisher desires to engage Omnidex to assist with the monetization of its Inventory through various means, including but not limited to the use of the Platform, Direct Sales opportunities, and other commercial opportunities (the “Service”);

WHEREAS, in the context of providing and receiving the Services, the Parties may process and exchange Personal Data, subject to applicable Data Protection Laws (as defined below);

WHEREAS, the Parties wish to enter into this DPA to ensure that such processing is conducted in accordance with applicable privacy and data protection laws, including but not limited to the EU GDPR, UK GDPR, Swiss FADP, U.S. state privacy laws (such as the CCPA/CPRA), and other relevant legislation;

NOW, THEREFORE, in consideration of the mutual covenants and obligations set forth herein, the Parties agree as follows:

1. Definitions

For purposes of this DPA, the following terms shall apply:

1.1. “Adequate Country” means a country or territory that the European Commission has determined provides an adequate level of protection for personal data.

1.2. “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 - 1798.199), as amended by the California Privacy Rights Act (“CPRA”), including all implementing regulations.

1.3. “CPA” means the Colorado Privacy Act (C.R.S.A. § 6-1-1301 et seq.), including any amendments or implementing regulations.

1.4. “CTDPA” means the Connecticut Data Privacy Act, as may be amended or supplemented from time to time.

1.5. “Consent” means a clear, informed, and freely given indication of an End User’s agreement to the processing of personal data, meeting the requirements of Article 7 of the GDPR or as defined under applicable Data Protection Laws or IAB Policies.

1.6. “Controller”, “Processor”, “Personal Data”, “Processing” (and “Process”), “Data Subject”, “Personal Data Breach” and “Special Categories of Personal Data” shall have the meanings assigned to them under EU Data Protection Law and, where applicable, equivalent definitions under UK, Swiss, and US Data Protection Laws, including the CCPA, CPA, VCDPA, CTDPA, and UCPA.

1.7. The terms “Business”, “Business Purpose”, “Consumer”, “Contractor”, “Cross-Context Behavioral Advertising” (or “CCBA”), “Deidentified Data”, “First-Party Business” “Service Provider” “Share”, “Sale”, “Sell”, “Targeted Advertising” and “Third-Party Business” shall have the meanings assigned to them under the relevant US Data Protection Laws.

1.8. For clarity, “Data Subject” shall also include a “Consumer” as defined under US Data Protection Laws, and “Personal Data” shall include “Personal Information” as used in such laws.

1.9. “Data Protection Law” means all applicable data protection and privacy laws, including (i) the EU GDPR, (ii) UK Data Protection Laws, (iii) Swiss Federal Act on Data Protection (“FADP”), (iv) Israeli Law, (v) US Data Protection Laws, and (vi) Brazil’s LGPD, as may be amended or replaced from time to time.

1.10. “EEA” means the European Economic Area.

1.11. “End User” means an individual who visits or interacts with Publisher Property.

1.12. “EU Data Protection Law” means: (i) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); (ii) Regulation (EU) 2018/1725 on the protection of personal data by EU institutions; (iii) the ePrivacy Directive (Directive 2002/58/EC), as amended; (iv) any national laws implementing or supplementing the foregoing within the European Economic Area; (v) the United Kingdom General Data Protection Regulation (“UK GDPR”) as incorporated into UK law by the European Union (Withdrawal) Act 2018, together with the UK Data Protection Act 2018 and any successor legislation (collectively, “UK Data Protection Laws”); (vi) the Swiss Federal Act on Data Protection of 25 September 2020 (“Swiss FADP”); and (vii) any laws or regulations replacing, amending, or supplementing the foregoing from time to time.

1.13. “IAB Framework” means the IAB Tech Labs’ technical specification for the GDPR transparency & consent framework (“TCF”) and the Global Privacy Platform (“GPP”).

1.14. “IAB Policies” means the applicable policies, rules, and technical specifications issued by the Interactive Advertising Bureau (IAB) and its affiliates, including without limitation: (i) the IAB Europe Transparency and Consent Framework Policies (currently available at: https://iabeurope.eu/wp-content/uploads/2023/05/230509-TCF-Policies-TransparencyConsentFramework_Policies_version_TCF-v2.2.pdf); and (ii) the IAB Tech Lab’s Global Privacy Platform (GPP) specifications, including the Multi-State Privacy Agreement (“MSPA”) (currently available at: https://www.iabprivacy.com/IAB%20First%20Amended%20and%20Restated%20Multi-State%20Privacy%20Agreement%20(MSPA).pdf).

1.15. “ID” means any unique identifier associated with an End User or device, including but not limited to an identifier stored on the End User’s device (such as a cookie ID or local storage value), an identifier generated specifically for an End User, an online identifier linked to a particular device, or any other identifier such as an agent ID, IP address, RTB tag, or URL that may be used to recognize, track, or associate data with an individual or device.

1.16. “Israeli Law” means the Israeli Privacy Protection Law, 5741-1981, together with all regulations and amendments promulgated thereunder, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017, and any related laws, regulations, or guidelines governing the protection, processing, or security of personal data in the State of Israel.

1.17. “Privacy Signals” means the signals or preferences expressed by End Users indicating their choices regarding the Processing of their Personal Data, including, but not limited to, opt-out requests from the sale or sharing of Personal Data, or from Targeted Advertising. Such signals may be conveyed through cookie banners, consent management platforms (CMPs), or other technologies and standards, including but not limited to, signals under the GPP, the CCPA “Do Not Sell or Share My Personal Information” mechanism, Google’s Restricted Data Processing (“RDP”) signals, the Global Consent Platform (“GCP”), or opt-out indicators recognized by industry frameworks such as the Digital Advertising Alliance (DAA) or the Network Advertising Initiative (NAI), as applicable.

1.18. “Security Incident” means any actual or suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed on behalf of the other Party. For the avoidance of doubt, any Personal Data Breach involving the other Party’s Personal Data shall be deemed a Security Incident under this Agreement.

1.19. “Standard Contractual Clauses” or “SCC” means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission pursuant to Article 46 of the GDPR, specifically the clauses set forth in Commission Decision (EU) 2021/914 of 4 June 2021, as may be amended or replaced from time to time. These clauses are incorporated by reference and available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.

1.20. “Swiss Data Protection Laws” or “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992 (SR 235.1), as well as any implementing ordinances or regulations, and any other applicable data protection or privacy laws of the Swiss Confederation, as may be amended, revised, consolidated, re-enacted, or replaced from time to time, to the extent applicable to the Processing of Personal Data under the Agreement.

1.21. “Swiss SCC” means the standard contractual clauses or equivalent safeguards for international data transfers as issued, approved, or recognized by the Swiss Federal Data Protection and Information Commissioner, including any updates or replacements thereto, as applicable to transfers of Personal Data subject to Swiss Data Protection Laws.

1.22. “UK SCC” means the United Kingdom’s International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for international data transfers, available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as adopted, amended, or updated from time to time by the UK Information Commissioner’s Office, the UK Parliament, or the Secretary of State.

1.23. “UCPA” means the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq., including any implementing regulations and amendments thereto.

1.24. “US Data Protection Laws” means any U.S. federal or state privacy laws that are effective and applicable to the Processing of Personal Data, including any implementing regulations and amendments thereto. This includes, without limitation, the CCPA, CPA, the CTDPA, the VCDPA, and the UCPA.

1.25. “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392), including any implementing regulations and any amendments or successors thereto.

Any terms not expressly defined in this DPA shall have the meaning assigned to them in the Agreement or under applicable Data Protection Laws. References to provisions of US Data Protection Laws, UK Data Protection Laws, or the GDPR shall be construed to include any amendments, updates, or successor legislation in force at the relevant time. Any reference to the “GDPR” in this DPA shall be interpreted to mean the EU General Data Protection Regulation (Regulation (EU) 2016/679) and/or the UK General Data Protection Regulation, as applicable under the circumstances.

2. Relationship of the Parties

2.1. The Parties acknowledge and agree that, unless otherwise specified under Annex VIII (US Privacy Law Addendum), each Party shall act as an independent Controller with respect to the Processing of Personal Data under the Agreement. Nothing in this DPA shall be construed to create a joint controllership, partnership, or agency relationship between the Parties.

2.2. Each Party shall independently determine the purposes and means of its respective Processing of Personal Data and shall be solely responsible for complying with its applicable obligations under Data Protection Laws.

2.2. The nature, scope, subject matter, and duration of the Processing activities carried out under this DPA, including the categories of Data Subjects and types of Personal Data Processed, are set forth in Annex I (Details of Processing).

3. Representations and Warranties

3.1. Notification ObligationsEach Party shall notify the other Party in writing without undue delay (unless prohibited by applicable law) upon becoming aware of:

3.2. Security Measures
Each Party shall implement and maintain a written information security program with appropriate technical and organizational safeguards designed to ensure a level of security appropriate to the risks presented by the Processing, including protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of Personal Data. Such measures shall, at a minimum, include those described in Annex II (Security Measures). If required by law, each Party shall designate a data protection officer or equivalent governance personnel.

3.3. Assistance with Impact Assessments
To the extent required by applicable law, each Party shall provide reasonable cooperation and assistance to the other in conducting data protection impact assessments (DPIAs), prior consultations with supervisory authorities, or similar privacy risk assessments involving Processing of Personal Data under this Agreement.

3.4. Confidentiality and Personnel Controls
Each Party shall ensure that: (i) access to Personal Data is limited to personnel who need such access for the performance of this Agreement; (ii) such personnel are bound by written confidentiality obligations or are under an appropriate statutory duty of confidentiality; and (iii) such personnel are trained in data protection and privacy compliance, commensurate with their roles and responsibilities.

3.5. Respecting Privacy Signals
Where applicable, each Party shall respect and honor valid Privacy Signals expressed by End Users in accordance with applicable law, industry standards (e.g. the IAB Framework), or other user choice mechanisms. This includes consent strings, opt-out signals, and other indicators reflecting user preferences regarding data Processing and Targeted Advertising.

3.6. Consent Reliance Under IAB Frameworks
The Publisher acknowledges that Omnidex may rely on consent signals obtained by the Publisher (acting as the interface with End Users) under frameworks such as the IAB TCF or GPP, in accordance with applicable law. The Publisher represents and warrants that such consent is lawfully obtained and validly transmitted. Omnidex shall pass Privacy Signals “as-is” to Advertisers and shall not be responsible for the accuracy, sufficiency, or lawfulness of such signals as generated or transmitted by the Publisher.

3.7. Consent Requirements for Device Access (ePrivacy Compliance)
In jurisdictions requiring prior consent for access to user devices (e.g., under Article 5(3) of the ePrivacy Directive or equivalent UK law), including where Purpose 1 under the IAB TCF is applicable (i.e., storing and accessing information on a device), the Publisher shall ensure that Omnidex’s Services are only invoked after obtaining valid End User consent. This applies whether or not the Publisher implements a TCF-compliant CMP.

3.8. Transparency and User Choice
The Publisher shall: (i) maintain a publicly accessible and legally compliant privacy policy and any other required privacy disclosures; (ii) utilize a Consent Management Platform (CMP) that is compliant with the IAB Framework where applicable; and (iii) ensure that End Users can revisit the CMP and manage their preferences easily and at any time.

4. Data Transfers

4.1. Any transfer of Personal Data outside the jurisdiction in which it was originally collected shall be conducted in full compliance with applicable Data Protection Laws and subject to a valid legal transfer mechanism that ensures adequate protection for such data.

4.2. Personal Data originating from EU Member States, EEA countries, or the United Kingdom (collectively, the “EEA+”), may be transferred to a recipient located in an Adequate Country without the need for additional safeguards.

4.3. Where Personal Data is transferred from the EEA+, Switzerland, or the United Kingdom to a country that is not deemed an Adequate Country, the Parties agree to rely on appropriate safeguards, including the Standard Contractual Clauses and other supplementary measures as required. Specifically:

5. Conflict

In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Agreement, or any other annex or addenda, the terms of this DPA shall control solely with respect to the subject matter herein. For clarity, if the Standard Contractual Clauses (SCCs) are executed or incorporated between the Parties, the terms of the SCCs shall prevail over this DPA to the extent required for compliance with applicable Data Protection Laws and solely in relation to international transfers of Personal Data. Except as expressly modified by this DPA, all other terms & conditions of the Agreement shall remain unchanged and in full force and effect.

6. Term and Termination

This DPA shall enter into force on the Effective Date and shall remain in effect for the duration of the Agreement. Termination of the Agreement shall automatically terminate this DPA, except to the extent that continued Processing of Personal Data is required by applicable Data Protection Laws.

ANNEX I – DETAILS OF PROCESSING

This Annex describes the subject matter and details of the Processing of Personal Data in connection with the Agreement, as required by Article 28(3) of the GDPR.

Categories of Data Subjects:
End Users who visit, interact with, or are served advertising on Publisher Property that are monetized through the Omnidex Platform, including users who are shown Ads or who engage with content or creatives delivered via the Services.

Categories of Personal Data:
Unique identifiers (IDs), privacy strings (e.g., IAB TCF or GPP signals), tracking and interaction data (e.g., device type, browser information), usage data, approximate geolocation data, referring URLs, and advertising performance metrics, including impressions, viewability, optimization, delivery, and engagement data.

Special Categories of Personal Data:
Not applicable. Omnidex does not knowingly collect or process Special Categories of Personal Data as defined under Article 9 of the GDPR.

Frequency of Processing:
Personal Data is Processed on a continuous and ongoing basis for the duration of the Agreement.

Nature and Purpose of Processing:
The Processing includes the collection, storage, structuring, analysis, optimization, retrieval, transmission, and use of Personal Data for the purpose of delivering, optimizing, measuring, and reporting on advertising campaigns through the Omnidex Platform, as more fully described in the Agreement.

Retention Period:
Personal Data is retained for as long as necessary to provide the Services and comply with applicable legal or contractual obligations. Event-level logs are typically retained up to 1 year for fraud prevention, troubleshooting, and operational integrity, unless a longer retention period is required by law or agreed in writing between the Parties.

ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES

Each Party shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental, unauthorized, or unlawful Processing and against accidental loss, destruction, damage, alteration, disclosure, or access. The following measures shall be maintained at a minimum:

1. Security Testing: Conduct regular security assessments, including vulnerability scans and penetration testing. Identified high-risk vulnerabilities must be promptly remediated. Written remediation plans shall be maintained for medium and low-risk vulnerabilities.

2. Appropriate Security Level: Implement and maintain security measures appropriate to the nature, sensitivity, and volume of the Personal Data being Processed, and proportionate to the risks posed by unauthorized or unlawful Processing, accidental loss, destruction, or damage.

3. Confidentiality and Staff Access Controls: Limit access to Personal Data to personnel who require such access to perform duties under the Agreement. Require personnel, agents, and subcontractors with access to Personal Data to commit to confidentiality obligations, and provide regular (at least annual) training on data protection, security practices, and obligations under this DPA.

4. Access Management: Enforce strong password policies for both standard and privileged accounts, consistent with industry best practices. Access rights must follow the principle of least privilege and be reviewed regularly.

5. Data Access Controls: Ensure that Personal Data access is role-based and restricted to personnel with a demonstrable business need, aligned with the scope of their responsibilities and only to the extent required to provide the Services.

6. Physical Security: Maintain physical access controls to facilities where Personal Data is stored or accessed, consistent with industry standards, to protect against unauthorized physical access, damage, or interference.

7. Media Handling and Disposal: Ensure that all data storage media (including magnetic, optical, electronic, and physical media) used to store Personal Data are securely wiped, erased, or destroyed in a manner consistent with recognized industry practices prior to reuse or disposal.

8. Supplementary Safeguards: Where applicable, implement additional technical, contractual, and organizational measures to protect Personal Data from access by government authorities in third countries (particularly in the context of transfers subject to Chapter V of the GDPR), as further detailed in Annex III (Additional Safeguards for International Data Transfers).

ANNEX III – EU INTERNATIONAL TRANSFERS AND STANDARD CONTRACTUAL CLAUSES (SCCs)

1. The Parties agree that the terms of the Standard Contractual Clauses, as defined in this DPA, are hereby incorporated by reference and shall apply to any transfer of Personal Data from the EEA to a country or territory that is not recognized as an Adequate Country under applicable Data Protection Laws.1. Security Testing: Conduct regular security assessments, including vulnerability scans and penetration testing. Identified high-risk vulnerabilities must be promptly remediated. Written remediation plans shall be maintained for medium and low-risk vulnerabilities.

2. Module One (Controller to Controller) of the SCCs shall apply where Personal Data is transferred by the Publisher (as Data Exporter) in its capacity as an independent Controller, to Omnidex (as Data Importer) in its capacity as an independent Controller.

3. For the purposes of such transfers, the Parties further agree to the following customizations of the SCCs:

4. Annex I.A (Parties):

5. Annex I.B (Description of the Transfer):

6. For the purposes of Clause 13 of the Standard Contractual Clauses, the competent supervisory authority shall be the data protection authority of the EU Member State in which the Publisher is established. If the Publisher is not established in the EU, or no such authority applies, the competent authority shall be the Irish Data Protection Commission.

7. Annex II of this DPA (Technical and Organizational Measures) shall serve as Annex II of the SCCs, detailing the security measures implemented by Omnidex and required of both Parties.

ransfers to the United States – Additional Safeguards:In light of applicable Data Protection Laws and recent legal developments concerning cross-border data transfers, the following additional safeguards shall apply where Personal Data is transferred to the United States:

ANNEX IV – UK INTERNATIONAL TRANSFERS AND STANDARD CONTRACTUAL CLAUSES (UK SCCs)

1. The Parties agree that the terms of the Standard Contractual Clauses (SCCs) as defined in this DPA, as supplemented and amended by the UK International Data Transfer Addendum to the SCCs (the “UK Addendum”), are hereby incorporated by reference and shall apply to any transfer of Personal Data from the United Kingdom to a country or territory that is not recognized as providing an adequate level of protection under UK Data Protection Laws.

2. This Annex IV is intended to provide the appropriate safeguards required under Article 46 of the UK GDPR for transfers of Personal Data from the United Kingdom to third countries, specifically in the context of Controller-to-Controller transfers between the Publisher and Omnidex.

3. Unless otherwise defined in this Annex IV, capitalized terms shall have the meaning assigned to them under the SCCs or the UK Addendum, as applicable.

4. This Annex IV shall (i) be interpreted in accordance with UK Data Protection Laws and in a manner that ensures it fulfills the requirement to provide appropriate safeguards under Article 46 of the UK GDPR, and (ii) not be construed in a manner that conflicts with the rights and obligations set forth in UK Data Protection Laws.

UK Addendum – Specific Terms and Tables

The UK Addendum shall be completed as follows:

Part 1: Tables

ANNEX V – SWISS DATA TRANSFERS ADDENDUM (Swiss FADP)

This Annex supplements the Standard Contractual Clauses (SCCs) where applicable to transfers of Personal Data subject to Swiss FADP, and shall be read in conjunction with Annex III (EU Transfers).

1. Application
This Annex V shall apply exclusively to cross-border transfers of Personal Data from Switzerland to countries not recognized as providing adequate protection under Swiss Data Protection Laws (“Restricted Transfers”).

2. Interpretation of the SCCs under Swiss Law
To ensure compliance with Swiss law and recognition by the Swiss Federal Data Protection and Information Commissioner (FDPIC), the SCCs referred to in Annex III shall be interpreted and applied as follows:

3. Competent Authority, Jurisdiction and Governing Law

For Restricted Transfers from Switzerland:

4. Appendix References

The tables and appendices referenced in the SCCs shall be completed as follows, by cross-reference to other annexes in this DPA:

ANNEX VI – US PRIVACY LAWS ADDENDUM

This US Privacy Law Addendum (“US Addendum”) supplements the DPA and applies to the Processing of Personal Data (also “Personal Information”) subject to US Data Protection Laws. All capitalized terms not otherwise defined herein shall have the meanings set forth in the DPA.

1.1. Roles of the Parties

2. Controller-to-Controller RequirementsWhere both Parties act as independent Controllers, each Party shall:

• 2.1. Comply independently with all obligations applicable to a Controller or Business under US Data Protection Laws, including applicable IAB Policies where relevant.
• 2.2. Provide End Users with clear and accessible disclosures describing: (i) The categories of Personal Information collected; (ii) The purposes of Processing; (iii) Any Sale, Sharing, or Targeted Advertising activities; (iv) The rights of End Users and how to exercise them (e.g., opt-outs, appeals).
• 2.3. Honor valid Privacy Signals (e.g., GPP, U.S. Privacy String, browser opt-out signals), and ensure that Personal Information from such users is not processed for Targeted Advertising, Sale, or Sharing purposes.
• 2.4. Process Deidentified Data in accordance with applicable laws, including: (i) Not attempting to re-identify the data; (ii) Implementing reasonable safeguards to prevent reidentification; (iii) Publicly committing to maintain deidentification.

3. Controller-to-Processor RequirementsWhere Omnidex processes Personal Information on behalf of the Publisher solely for a Restricted Purpose, Omnidex acts as a Processor, and shall:

• 3.1. Limit Processing to the Business Purpose or Restricted Purpose expressly described in the Agreement and DPA, and shall not: (i) Sell or Share Personal Information; (ii) Retain, use, or disclose Personal Information for any purpose outside the scope of the Agreement; (iii) Combine Personal Information with other data except as permitted by law or the Agreement; (iv) Process Sensitive Personal Information beyond the limits authorized by the Publisher or applicable law.
• 3.2. Sub-Processors: Omnidex may engage sub-processors, provided it: (i) Ensures such sub-processors are bound by written agreements consistent with US Data Protection Laws; (ii) Provides advance notice of any changes in sub-processors; (iii) Ensures that sub-processor access is limited to what is necessary to perform the Business Purpose or Restricted Purpose.
• 3.3. Audit Rights: (i) Upon reasonable written request, Omnidex shall provide documentation demonstrating compliance with its obligations under this DPA and US Data Protection Laws. (ii) Where legally required, Omnidex shall allow reasonable audits by the Publisher or a designated independent auditor, no more than once per year and during regular business hours. (iii) Omnidex may redact or restrict access to information unrelated to the compliance purpose or that could compromise confidentiality or security. (iv) Omnidex may alternatively provide third-party audit certifications or reports to satisfy audit obligations.
• 3.4. Certification: Omnidex certifies that: (i) It understands and complies with the CCPA and other applicable US privacy laws; (ii) It does not Sell or Share Personal Information; (iii) It does not receive monetary or other valuable consideration in exchange for Personal Information processed solely for a Business Purpose or Restricted Purpose.