Sojern Inc. Data Processing Addendum

Last Updated September 29, 2021

This Data Processing Addendum, inclusive of Schedules 1 and 2 (“DPA”) sets out the essential terms required by Sojern, Inc., a Delaware corporation with its principal place of business located at 255 California Street, 10th Floor, San Francisco, CA 94111 USA (“Sojern”). For the purposes of this DPA, the company that is a party to the Agreement (as defined below) in which this DPA is incorporated is referred to as “Company”.

1. Definitions

“Agreement” means any and all agreements between the parties under which Sojern receives, collects, accesses or otherwise processes Personal Data for the purposes pursuant to the applicable data provider or service agreement. This DPA incorporates the terms and conditions of the Agreement and as set forth below. In the event of a conflict between the DPA and the Agreement, the terms of this DPA shall govern and prevail. All capitalized terms used but not defined herein shall have their respective meanings as set forth in the Agreement.

“Personal Data” means any information relating to an identified or identifiable natural person who can be directly or indirectly identified.

“Service” means the services provided by Sojern or Company, as applicable, under the Agreement.

2. Application of DPA

For the purposes of the processing carried out by Sojern pursuant to the Agreement, Sojern’s role as a data processor or data controller with respect to Personal Data processed by Sojern shall be set forth in the applicable Agreement.

3. Use of Personal Data

Except as expressly permitted herein or in writing by Company, Sojern will not directly or indirectly (a) disclose, sell, distribute or transmit Personal Data to any third party, or (b) use Personal Data for any purpose other than to provide Company the Service under the Agreement, and in accordance with all applicable privacy and data protection laws.

4. Compliance with Law; Other Instructions

Each party certifies it understands its obligations under applicable privacy and data protection laws and shall process Personal Data in accordance with all applicable privacy and data protection laws. Where Sojern is acting as a data processor, Sojern will perform the processing as documented and instructed by Company in the Agreement, unless otherwise notified by a regulatory authority that such processing does not comply with applicable privacy and data protection laws, in which case Sojern will promptly provide Company with written notice of that regulatory notice and may cease processing Personal Data until the regulatory issue is resolved.

5. Records; Cooperation for Compliance

Each party will maintain a written or electronic record of the processing of Personal Data. Each party will reasonably cooperate with the other party in complying with applicable privacy and data protection laws with respect to data impact assessments, records of processing, related requests or consultations with data protection authorities, and audits in accordance with the applicable Agreement to enable Company to confirm that Sojern has complied with its obligations under applicable privacy and data protection laws and the Agreement.

6. Sojern Privacy Policy

The parties acknowledge that Sojern does not maintain a direct relationship with individuals whose Personal Data is provided to Sojern. As such, where required by applicable privacy and data protection laws, Company will make available the Sojern Privacy Policy available at https://www.sojern.com/privacy/privacy-policy/ to individuals whose Personal Data is processed by Sojern.

7. Notice, Consent, and Opt-Out

Company shall provide notice to, and obtain consents from, individuals as required by applicable privacy and data protection laws regarding Company’s collection, use, and disclosure of Personal Data. If applicable privacy and data protection laws require mechanisms by which individuals may exercise rights, including but not limited to opt-out rights, Company (or such other party who is responsible for the collection of Personal Data on behalf of Company), shall provide such mechanism to individuals. Company will be presumed to have provided appropriate notices and have obtained appropriate consents, if required, from any individuals whose Personal Data is provided to Sojern.

8. Individual Privacy Rights

Each party will reasonably cooperate with the other party in response to any requests or complaints from individuals relating to the processing of Personal Data under the Agreement and pertaining to privacy rights under applicable privacy and data protection laws. If Sojern receives a request from an individual, Sojern will promptly: (a) forward the request to Company to manage the request; and (b) where Sojern is a data processor, implement Company’s decision with respect to how the request will be managed.

9. EU Personal Data

To the extent Personal Data originating outside the USA (including the European Economic Area (EEA), the United Kingdom, or Switzerland) is transferred to Sojern, the data processing requires adequacy under the laws of the country of the Company, and the required adequacy can be met by the terms of this DPA, then the parties agree that this DPA incorporates by reference, as applicable, the (EU) 2021/914 European Commission standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016-679 by EU/EEA controllers to processors established outside the EU/EEA (“Module 2”) and/or by EU/EEA controllers to controllers established outside the EU/EEA (“Module 1”), and as they are amended or replaced from time to time by the European Commission (collectively, the “Clauses”). For convenience purposes, the Clauses hyperlinked above are generated based on the text made available by the European Commission for the sole purpose to incorporate the Clauses into the Agreement, select the appropriate Module(s), and to add information in the Appendix as permitted by the Clauses. For purposes of Personal Data transfers, Company shall be the “data exporter” and Sojern shall be the “data importer” (even if Company is an entity located outside the EU/EEA, provided the Company is otherwise subject to the Regulation (EU) 2016-679). Where the Clauses apply, Company and Sojern will be deemed to have entered into the Clauses in their respective names and on their own behalf, and the parties’ names, addresses, contact details, roles, and activities related to the Personal Data transferred under these Clauses will be provided in the Agreement. The execution of the Agreement shall be deemed execution of the Clauses, specifically execution of Annex I.A of the Clauses. To the extent there is any conflict between the terms of this DPA and the Clauses, the applicable Clauses shall govern and prevail.

  1. Controller to Controller. For the purposes of Module 1, (i) Schedule 1 to this DPA shall take the place of Annex 1.B of Module 1; (ii) Schedule 2 to this DPA shall take the place of Annex II of Module 1; (iii) under Clause 11(a) of Module 1, the optional text provided is selected; (iv) under Clause 17 of Module 1, OPTION 1 is selected, and the EU Member State is Ireland; and (v) under Clause 18(b) of Module 1 the courts of Ireland are selected.
  2. Controller to Processor. For the purposes of Module 2, (i) Schedule 1 to this DPA shall take the place of Annex 1.B of Module 2; (ii) Schedule 2 of this DPA shall take the place of Annex II of Module 2; (iii) under Clause 9(a) of Module 2, OPTION 2: GENERAL WRITTEN AUTHORISATION is selected, and the time period for advance notice is thirty (30) days; (iv) under Clause 11(a) of Module 2, the optional text provided is selected; (v) under Clause 17 of Module 2, OPTION 1 is selected, and the EU Member State is Ireland; and (vi) under Clause 18(b) of Module 2 the courts of Ireland are selected.
  3. FISA Section 702 and Executive Order 12333. Sojern shall notify Company immediately and cease accepting Personal Data if Sojern becomes aware that it has become subject to data sharing or disclosure requirements as envisioned under Section 702 Foreign Intelligence Surveillance Act (FISA) and/or Executive Order 12333 of the United States. If further guidance is released by the European Data Protection Board or another regulatory authority that the Company is regulated by on what further adequate measures are required for the international export of Personal Data, Sojern shall promptly implement any further adequate measures.

10. Security Safeguards

Each party shall implement and maintain appropriate technical, physical, and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

  1. Personal Data Breach. Upon becoming aware of a Personal Data breach under applicable privacy and data protection laws, each party will notify the other in writing without undue delay and within the time frame required under applicable privacy and data protection laws. Each party will reasonably cooperate with the other to mitigate, where possible, the adverse effects of a Personal Data breach.
  2. Data Storage; Deletion of Personal Data Post-Termination. Sojern implements technical security measures to guard against unauthorized access to Personal Data, including encrypting Personal Data in electronic form while in transit and at rest in storage on Sojern networks or systems. Sojern’s obligations with respect to Personal Data in the event of termination of the Agreement are set forth in the Term and Termination section of the Agreement, subject to any data retention terms of the applicable Agreement.

11. Sub-processors

Company grants a general authorization to Sojern to use other data processors for the processing of Personal Data (“Sub-processors”), who are bound by confidentiality and data protection obligations consistent with this DPA, listed at https://www.sojern.com/legal/partner-list/. Where required by the Agreement or where Sojern is acting as a data processor, Sojern will inform Company of any changes concerning the addition or replacement of Sub-processors by updating the above-mentioned list, thereby giving Company an opportunity to object to such changes, and instructions for objections are provided at the same URL. If Company reasonably objects to a change and Sojern is unable to resolve such objection, Company may terminate the Agreement and DPA.

12. Application of DPA

This DPA shall remain in full force and effect until the latter of (a) the Agreement(s) remains in effect, and (b) Sojern retains copies of Personal Data. Either party may terminate this DPA immediately upon a material breach of this DPA or a regulatory authority and/or a tribunal or court with jurisdiction finds that processing of Personal Data by the parties materially violates applicable privacy and data protection laws, provided however, that the non-breaching party must provide notice of the alleged breach, and such breach shall have remained uncured for a period of fifteen (15) days following such notice.

13. Governing Law

This DPA shall be deemed to have been made in and shall be construed pursuant to the laws of the State of California, USA, without regard to conflicts of laws provisions thereof.

SCHEDULE 1

Description of Transfer

Categories of data subjects whose personal data is transferred

Travelers and other customers of the Company.

Categories of personal data transferred

Personal Data transferred by Company is provided in accordance with the Agreement, and may include but is not limited to:

  • Information in connection with a unique online identifier, such as a cookie ID, mobile device ID, hashed email address, advertising ID, and Company-assigned customer ID numbers.
  • Information in connection with an individual’s device, such as IP address, device type, browser type, date and time stamp of clicks and web visits, URLs visited, and other technical information.
  • Information in connection with an individual’s travel, such as the number and types of travellers, currency/rates/fares/fees, search and booking information (such as departure and arrival date, and destination country or city), reward or loyalty program information, and accommodation or service preferences (such as room, flight seat or car type, and facilities and amenities preferences).

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous basis, for the duration of the applicable Agreement. 

Nature of the processing

Collection of online browsing information through the use of cookies and other tracking technologies.

Purpose(s) of the data transfer and further processing

For any lawful purpose in connection with the Services provided under the Agreement between data exporter and data importer, particularly targeted advertising based on online browsing information. No further processing is permitted. 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the duration of the applicable Agreement, unless at the choice of data exporter Personal Data is deleted or returned. 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Sub-processors are listed at https://www.sojern.com/legal/partner-list/ as permitted by Model 1 Clause 9(a). 

  • Subject matter of the processing:  The sub-processors provide hosting, storage, and processing infrastructure and services to enable Sojern to provide services to its clients. Additionally, sub-processors serve digital advertisements on websites, mobile apps, and other Internet-connected properties, issue reports on performance of advertising campaigns, and provide a platform that facilitates the sale of online impressions/inventory through real-time auctions.
  • Nature of the processing:  Cloud hosting providers store and process data provided by Sojern’s clients, and demand-side-platforms process data for programmatic media buying and advertising services. 
  • Duration of the processing:  For the length of the agreement between Sojern and the sub-processors, subject to the retention periods therein.

Competent Supervisory Authority

The supervisory authority of one of the Member States in which the data subjects whose Personal Data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

SCHEDULE 2

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

1. General. Sojern will establish, implement, and maintain appropriate administrative, technical and organizational measures that are designed to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data. These measures will be adequate to comply with applicable data protection laws and Sojern will comply at all times with its information security policies and information security program. 

2. Information Security Policies and Standards. Sojern will maintain information security policies, standards, and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data. 

3. Vulnerability Management. Sojern will maintain a vulnerability management program for all systems that process Personal Data that includes without limitation internal and external vulnerability scanning with risk rating findings and formal remediation plans to address any identified vulnerabilities. 

4. Risk Assessment. Sojern will conduct periodic risk assessments to identify and assess reasonably foreseeable risks to the security, confidentiality, and integrity of records containing Personal Data and evaluate and improve, where necessary, the effectiveness of its safeguards for limiting those risks. 

5. Data Classification. Sojern will maintain policies and procedures to classify sensitive information assets, clarify security responsibilities, and promote awareness for all employees. 

6. Encryption. Sojern will implement industry standard encryption mechanisms and strong cipher suites (AES 256-bit is recommended) for storage and transmission. Sojern will accept connections over encrypted channels (TLS is recommended). 

7. Network Security. Sojern will secure its network by employing a defense-in-depth approach that utilizes commercially available equipment and industry standard techniques, including without limitation firewalls, intrusion detection systems, access control lists, and routing protocols.

8. Virus and Malware Controls. Sojern will protect Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data. 

9. Access Control. Sojern will practice the principle of least privilege where access to Personal Data is only granted to those within the organization who have a business need for such access and permissions will be limited to the minimum amount required to perform the specific job function. 

10. Processing Location. Personal Data will be Processed by Sojern in the United States, subject to applicable data protection laws that may require otherwise. 

11. Incident Response. Sojern will maintain a data security incident response program and will document all suspected data security incidents. Sojern will investigate any data security incidents and take all necessary steps to eliminate or contain the data security incident. 

12. Personnel. Sojern will maintain an information security awareness and training program and will train critical Sojern personnel on data protection measures and general cybersecurity protections. 

13. Vendor. Sojern will maintain a vendor management program that will assess all vendors with whom Sojern exchanges Personal Data. Such vendors will be held to data security standards no less restrictive than those set forth herein.